|
|
ecf709 |
From a3cc501e36f5cf1e4a8187d723b53111f5481b36 Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
ecf709 |
Date: Mon, 30 Nov 2015 12:14:55 +0100
|
|
|
ecf709 |
Subject: [PATCH 08/15] LDAP: always store the certificate from the request
|
|
|
ecf709 |
MIME-Version: 1.0
|
|
|
ecf709 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ecf709 |
Content-Transfer-Encoding: 8bit
|
|
|
ecf709 |
|
|
|
ecf709 |
Store the certificate used to lookup a user as mapped attribute in the
|
|
|
ecf709 |
cached user object.
|
|
|
ecf709 |
|
|
|
ecf709 |
Related to https://pagure.io/SSSD/sssd/issue/3050
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ecf709 |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/db/sysdb.h | 1 +
|
|
|
ecf709 |
src/db/sysdb_ops.c | 4 ++--
|
|
|
ecf709 |
src/providers/ldap/ldap_id.c | 19 ++++++++++++++++++-
|
|
|
ecf709 |
src/tests/cmocka/test_nss_srv.c | 2 +-
|
|
|
ecf709 |
src/tests/cmocka/test_pam_srv.c | 6 +++---
|
|
|
ecf709 |
src/tests/sysdb-tests.c | 4 ++--
|
|
|
ecf709 |
6 files changed, 27 insertions(+), 9 deletions(-)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
|
|
ecf709 |
index 098f47f91187aac75c58c02f0af738c344765762..3db22b3689bf6ffd9a48e29c229916e3fac9ca1b 100644
|
|
|
ecf709 |
--- a/src/db/sysdb.h
|
|
|
ecf709 |
+++ b/src/db/sysdb.h
|
|
|
ecf709 |
@@ -139,6 +139,7 @@
|
|
|
ecf709 |
|
|
|
ecf709 |
#define SYSDB_AUTH_TYPE "authType"
|
|
|
ecf709 |
#define SYSDB_USER_CERT "userCertificate"
|
|
|
ecf709 |
+#define SYSDB_USER_MAPPED_CERT "userMappedCertificate"
|
|
|
ecf709 |
#define SYSDB_USER_EMAIL "mail"
|
|
|
ecf709 |
|
|
|
ecf709 |
#define SYSDB_SUBDOMAIN_REALM "realmName"
|
|
|
ecf709 |
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
|
|
ecf709 |
index 6c2254df2b75d3d3419528523103ad9cddb40c9d..8ae25764478e522255b177f9e8de1d3ca1ad43fd 100644
|
|
|
ecf709 |
--- a/src/db/sysdb_ops.c
|
|
|
ecf709 |
+++ b/src/db/sysdb_ops.c
|
|
|
ecf709 |
@@ -4660,7 +4660,7 @@ errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
int ret;
|
|
|
ecf709 |
char *user_filter;
|
|
|
ecf709 |
|
|
|
ecf709 |
- ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_CERT,
|
|
|
ecf709 |
+ ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_MAPPED_CERT,
|
|
|
ecf709 |
&user_filter);
|
|
|
ecf709 |
if (ret != EOK) {
|
|
|
ecf709 |
DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n");
|
|
|
ecf709 |
@@ -4749,7 +4749,7 @@ errno_t sysdb_remove_mapped_data(struct sss_domain_info *domain,
|
|
|
ecf709 |
errno_t sysdb_remove_cert(struct sss_domain_info *domain,
|
|
|
ecf709 |
const char *cert)
|
|
|
ecf709 |
{
|
|
|
ecf709 |
- struct ldb_message_element el = { 0, SYSDB_USER_CERT, 0, NULL };
|
|
|
ecf709 |
+ struct ldb_message_element el = { 0, SYSDB_USER_MAPPED_CERT, 0, NULL };
|
|
|
ecf709 |
struct sysdb_attrs del_attrs = { 1, &el };
|
|
|
ecf709 |
const char *attrs[] = {SYSDB_NAME, NULL};
|
|
|
ecf709 |
struct ldb_result *res = NULL;
|
|
|
ecf709 |
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
|
|
ecf709 |
index 898ddb18689d55fcc3fdf021b38df0e574003eb2..a8b4bc2cfc6e9d4e0d74b0e3e036afbcbf7eb26e 100644
|
|
|
ecf709 |
--- a/src/providers/ldap/ldap_id.c
|
|
|
ecf709 |
+++ b/src/providers/ldap/ldap_id.c
|
|
|
ecf709 |
@@ -60,6 +60,7 @@ struct users_get_state {
|
|
|
ecf709 |
int dp_error;
|
|
|
ecf709 |
int sdap_ret;
|
|
|
ecf709 |
bool noexist_delete;
|
|
|
ecf709 |
+ struct sysdb_attrs *extra_attrs;
|
|
|
ecf709 |
};
|
|
|
ecf709 |
|
|
|
ecf709 |
static int users_get_retry(struct tevent_req *req);
|
|
|
ecf709 |
@@ -99,6 +100,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
|
|
|
ecf709 |
state->conn = conn;
|
|
|
ecf709 |
state->dp_error = DP_ERR_FATAL;
|
|
|
ecf709 |
state->noexist_delete = noexist_delete;
|
|
|
ecf709 |
+ state->extra_attrs = NULL;
|
|
|
ecf709 |
|
|
|
ecf709 |
state->op = sdap_id_op_create(state, state->conn->conn_cache);
|
|
|
ecf709 |
if (!state->op) {
|
|
|
ecf709 |
@@ -251,6 +253,21 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
|
|
|
ecf709 |
"sss_cert_derb64_to_ldap_filter failed.\n");
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ state->extra_attrs = sysdb_new_attrs(state);
|
|
|
ecf709 |
+ if (state->extra_attrs == NULL) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
|
|
|
ecf709 |
+ ret = ENOMEM;
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = sysdb_attrs_add_base64_blob(state->extra_attrs,
|
|
|
ecf709 |
+ SYSDB_USER_MAPPED_CERT, filter_value);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
break;
|
|
|
ecf709 |
default:
|
|
|
ecf709 |
ret = EINVAL;
|
|
|
ecf709 |
@@ -442,7 +459,7 @@ static void users_get_search(struct tevent_req *req)
|
|
|
ecf709 |
state->attrs, state->filter,
|
|
|
ecf709 |
dp_opt_get_int(state->ctx->opts->basic,
|
|
|
ecf709 |
SDAP_SEARCH_TIMEOUT),
|
|
|
ecf709 |
- lookup_type, NULL);
|
|
|
ecf709 |
+ lookup_type, state->extra_attrs);
|
|
|
ecf709 |
if (!subreq) {
|
|
|
ecf709 |
tevent_req_error(req, ENOMEM);
|
|
|
ecf709 |
return;
|
|
|
ecf709 |
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
|
|
|
ecf709 |
index 72bbaf9bf35ebb3fc4208afaa3c7af95922afcb0..76b9c6fb05673130de0957e93291919c263a28f3 100644
|
|
|
ecf709 |
--- a/src/tests/cmocka/test_nss_srv.c
|
|
|
ecf709 |
+++ b/src/tests/cmocka/test_nss_srv.c
|
|
|
ecf709 |
@@ -3508,7 +3508,7 @@ static void test_nss_getnamebycert(void **state)
|
|
|
ecf709 |
der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size);
|
|
|
ecf709 |
assert_non_null(der);
|
|
|
ecf709 |
|
|
|
ecf709 |
- ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
|
|
|
ecf709 |
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
|
|
|
ecf709 |
talloc_free(der);
|
|
|
ecf709 |
assert_int_equal(ret, EOK);
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
|
|
ecf709 |
index ae2e555f7024027d1c0063031f8882bf81a31905..847419658bb983e6548722d6fa6fb22c63ee86b8 100644
|
|
|
ecf709 |
--- a/src/tests/cmocka/test_pam_srv.c
|
|
|
ecf709 |
+++ b/src/tests/cmocka/test_pam_srv.c
|
|
|
ecf709 |
@@ -1598,7 +1598,7 @@ static int test_lookup_by_cert_cb(void *pvt)
|
|
|
ecf709 |
der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
|
|
|
ecf709 |
assert_non_null(der);
|
|
|
ecf709 |
|
|
|
ecf709 |
- ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
|
|
|
ecf709 |
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
|
|
|
ecf709 |
talloc_free(der);
|
|
|
ecf709 |
assert_int_equal(ret, EOK);
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -1630,7 +1630,7 @@ static int test_lookup_by_cert_double_cb(void *pvt)
|
|
|
ecf709 |
der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
|
|
|
ecf709 |
assert_non_null(der);
|
|
|
ecf709 |
|
|
|
ecf709 |
- ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
|
|
|
ecf709 |
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
|
|
|
ecf709 |
talloc_free(der);
|
|
|
ecf709 |
assert_int_equal(ret, EOK);
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -1658,7 +1658,7 @@ static int test_lookup_by_cert_wrong_user_cb(void *pvt)
|
|
|
ecf709 |
der = sss_base64_decode(pam_test_ctx, pvt, &der_size);
|
|
|
ecf709 |
assert_non_null(der);
|
|
|
ecf709 |
|
|
|
ecf709 |
- ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
|
|
|
ecf709 |
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
|
|
|
ecf709 |
talloc_free(der);
|
|
|
ecf709 |
assert_int_equal(ret, EOK);
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
|
|
|
ecf709 |
index c343c734a27a335303974b6866a5d9e88d4c307e..5bdd631fbfa1b4463fb169e5f07b65fb2c784096 100644
|
|
|
ecf709 |
--- a/src/tests/sysdb-tests.c
|
|
|
ecf709 |
+++ b/src/tests/sysdb-tests.c
|
|
|
ecf709 |
@@ -5721,7 +5721,7 @@ START_TEST(test_sysdb_search_user_by_cert)
|
|
|
ecf709 |
val.data = sss_base64_decode(test_ctx, TEST_USER_CERT_DERB64, &val.length);
|
|
|
ecf709 |
fail_unless(val.data != NULL, "sss_base64_decode failed.");
|
|
|
ecf709 |
|
|
|
ecf709 |
- ret = sysdb_attrs_add_val(data->attrs, SYSDB_USER_CERT, &val;;
|
|
|
ecf709 |
+ ret = sysdb_attrs_add_val(data->attrs, SYSDB_USER_MAPPED_CERT, &val;;
|
|
|
ecf709 |
fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].",
|
|
|
ecf709 |
ret, strerror(ret));
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -5750,7 +5750,7 @@ START_TEST(test_sysdb_search_user_by_cert)
|
|
|
ecf709 |
data2 = test_data_new_user(test_ctx, 2345671);
|
|
|
ecf709 |
fail_if(data2 == NULL);
|
|
|
ecf709 |
|
|
|
ecf709 |
- ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_CERT, &val;;
|
|
|
ecf709 |
+ ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_MAPPED_CERT, &val;;
|
|
|
ecf709 |
fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].",
|
|
|
ecf709 |
ret, strerror(ret));
|
|
|
ecf709 |
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.3
|
|
|
ecf709 |
|