From a3cc501e36f5cf1e4a8187d723b53111f5481b36 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 30 Nov 2015 12:14:55 +0100
Subject: [PATCH 08/15] LDAP: always store the certificate from the request
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Store the certificate used to lookup a user as mapped attribute in the
cached user object.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 src/db/sysdb.h                  |  1 +
 src/db/sysdb_ops.c              |  4 ++--
 src/providers/ldap/ldap_id.c    | 19 ++++++++++++++++++-
 src/tests/cmocka/test_nss_srv.c |  2 +-
 src/tests/cmocka/test_pam_srv.c |  6 +++---
 src/tests/sysdb-tests.c         |  4 ++--
 6 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 098f47f91187aac75c58c02f0af738c344765762..3db22b3689bf6ffd9a48e29c229916e3fac9ca1b 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -139,6 +139,7 @@
 
 #define SYSDB_AUTH_TYPE "authType"
 #define SYSDB_USER_CERT "userCertificate"
+#define SYSDB_USER_MAPPED_CERT "userMappedCertificate"
 #define SYSDB_USER_EMAIL "mail"
 
 #define SYSDB_SUBDOMAIN_REALM "realmName"
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 6c2254df2b75d3d3419528523103ad9cddb40c9d..8ae25764478e522255b177f9e8de1d3ca1ad43fd 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4660,7 +4660,7 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
     int ret;
     char *user_filter;
 
-    ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_CERT,
+    ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_MAPPED_CERT,
                                          &user_filter);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n");
@@ -4749,7 +4749,7 @@ errno_t sysdb_remove_mapped_data(struct sss_domain_info *domain,
 errno_t sysdb_remove_cert(struct sss_domain_info *domain,
                           const char *cert)
 {
-    struct ldb_message_element el = { 0, SYSDB_USER_CERT, 0, NULL };
+    struct ldb_message_element el = { 0, SYSDB_USER_MAPPED_CERT, 0, NULL };
     struct sysdb_attrs del_attrs = { 1, &el };
     const char *attrs[] = {SYSDB_NAME, NULL};
     struct ldb_result *res = NULL;
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 898ddb18689d55fcc3fdf021b38df0e574003eb2..a8b4bc2cfc6e9d4e0d74b0e3e036afbcbf7eb26e 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -60,6 +60,7 @@ struct users_get_state {
     int dp_error;
     int sdap_ret;
     bool noexist_delete;
+    struct sysdb_attrs *extra_attrs;
 };
 
 static int users_get_retry(struct tevent_req *req);
@@ -99,6 +100,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
     state->conn = conn;
     state->dp_error = DP_ERR_FATAL;
     state->noexist_delete = noexist_delete;
+    state->extra_attrs = NULL;
 
     state->op = sdap_id_op_create(state, state->conn->conn_cache);
     if (!state->op) {
@@ -251,6 +253,21 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
                   "sss_cert_derb64_to_ldap_filter failed.\n");
             goto done;
         }
+
+        state->extra_attrs = sysdb_new_attrs(state);
+        if (state->extra_attrs == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+            ret = ENOMEM;
+            goto done;
+        }
+
+        ret = sysdb_attrs_add_base64_blob(state->extra_attrs,
+                                          SYSDB_USER_MAPPED_CERT, filter_value);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
+            goto done;
+        }
+
         break;
     default:
         ret = EINVAL;
@@ -442,7 +459,7 @@ static void users_get_search(struct tevent_req *req)
                                  state->attrs, state->filter,
                                  dp_opt_get_int(state->ctx->opts->basic,
                                                 SDAP_SEARCH_TIMEOUT),
-                                 lookup_type, NULL);
+                                 lookup_type, state->extra_attrs);
     if (!subreq) {
         tevent_req_error(req, ENOMEM);
         return;
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 72bbaf9bf35ebb3fc4208afaa3c7af95922afcb0..76b9c6fb05673130de0957e93291919c263a28f3 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -3508,7 +3508,7 @@ static void test_nss_getnamebycert(void **state)
     der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size);
     assert_non_null(der);
 
-    ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+    ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
     talloc_free(der);
     assert_int_equal(ret, EOK);
 
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index ae2e555f7024027d1c0063031f8882bf81a31905..847419658bb983e6548722d6fa6fb22c63ee86b8 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -1598,7 +1598,7 @@ static int test_lookup_by_cert_cb(void *pvt)
         der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
         assert_non_null(der);
 
-        ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+        ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
         talloc_free(der);
         assert_int_equal(ret, EOK);
 
@@ -1630,7 +1630,7 @@ static int test_lookup_by_cert_double_cb(void *pvt)
         der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
         assert_non_null(der);
 
-        ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+        ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
         talloc_free(der);
         assert_int_equal(ret, EOK);
 
@@ -1658,7 +1658,7 @@ static int test_lookup_by_cert_wrong_user_cb(void *pvt)
         der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
         assert_non_null(der);
 
-        ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+        ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
         talloc_free(der);
         assert_int_equal(ret, EOK);
 
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index c343c734a27a335303974b6866a5d9e88d4c307e..5bdd631fbfa1b4463fb169e5f07b65fb2c784096 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -5721,7 +5721,7 @@ START_TEST(test_sysdb_search_user_by_cert)
     val.data = sss_base64_decode(test_ctx, TEST_USER_CERT_DERB64, &val.length);
     fail_unless(val.data != NULL, "sss_base64_decode failed.");
 
-    ret = sysdb_attrs_add_val(data->attrs, SYSDB_USER_CERT, &val);
+    ret = sysdb_attrs_add_val(data->attrs, SYSDB_USER_MAPPED_CERT, &val);
     fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].",
                 ret, strerror(ret));
 
@@ -5750,7 +5750,7 @@ START_TEST(test_sysdb_search_user_by_cert)
     data2 = test_data_new_user(test_ctx, 2345671);
     fail_if(data2 == NULL);
 
-    ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_CERT, &val);
+    ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_MAPPED_CERT, &val);
     fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].",
                 ret, strerror(ret));
 
-- 
2.9.3