From 2dfd383413d1c5bfc031f8396eccd1108c899e68 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Wed, 5 Nov 2014 15:58:04 +0100

Subject: [PATCH 101/104] IPA: check overrrides for IPA users as well

Currently overrides were only available for sub-domains, e.g. trusted AD

domains. With this patch overrides can be used for IPA users as well.

Related to https://fedorahosted.org/sssd/ticket/2481

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

---

 src/providers/ipa/ipa_id.c            | 405 +++++++++++++++++++++++++++++++++-

 src/providers/ipa/ipa_subdomains_id.c |  16 +-

 src/providers/ipa/ipa_views.c         |  15 ++

 3 files changed, 432 insertions(+), 4 deletions(-)

diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c

index cd65f5b462c102ed502a014789a7232a93389b68..5665a1835e8b0ab18325bfc68a8d8b5650730943 100644

--- a/src/providers/ipa/ipa_id.c

+++ b/src/providers/ipa/ipa_id.c

@@ -56,6 +56,13 @@ static const char *ipa_account_info_error_text(int ret, int *dp_error,

     return default_text;

 }

+static struct tevent_req *

+ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,

+                             struct ipa_id_ctx *ipa_ctx, struct be_req *be_req,

+                             struct be_acct_req *ar);

+

+static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error);

+

 static struct tevent_req *ipa_id_get_netgroup_send(TALLOC_CTX *memctx,

                                                    struct tevent_context *ev,

                                                    struct ipa_id_ctx *ipa_ctx,

@@ -100,7 +107,9 @@ void ipa_account_info_handler(struct be_req *breq)

     } else {

         /* any account request is handled by sdap,

          * any invalid request is caught there. */

-        return sdap_handle_account_info(breq, ctx, ctx->conn);

+

+        req = ipa_id_get_account_info_send(breq, be_ctx->ev, ipa_ctx, breq,

+                                           ar);

     }

     if (!req) {

@@ -115,13 +124,18 @@ static void ipa_account_info_done(struct tevent_req *req)

     struct be_req *breq = tevent_req_callback_data(req, struct be_req);

     struct be_acct_req *ar = talloc_get_type(be_req_get_data(breq),

                                              struct be_acct_req);

+    struct be_ctx *be_ctx = be_req_get_be_ctx(breq);

     const char *error_text;

     int ret, dp_error;

     if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {

         ret = ipa_id_get_netgroup_recv(req, &dp_error);

     } else {

-        ret = ipa_subdomain_account_recv(req, &dp_error);

+        if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {

+            ret = ipa_subdomain_account_recv(req, &dp_error);

+        } else {

+            ret = ipa_id_get_account_info_recv(req, &dp_error);

+        }

     }

     talloc_zfree(req);

@@ -130,6 +144,393 @@ static void ipa_account_info_done(struct tevent_req *req)

     sdap_handler_done(breq, dp_error, ret, error_text);

 }

+struct ipa_id_get_account_info_state {

+    struct tevent_context *ev;

+    struct ipa_id_ctx *ipa_ctx;

+    struct sdap_id_ctx *ctx;

+    struct sdap_id_op *op;

+    struct sysdb_ctx *sysdb;

+    struct sss_domain_info *domain;

+    struct be_req *be_req;

+    struct be_acct_req *ar;

+    const char *realm;

+

+    struct sysdb_attrs *override_attrs;

+    struct ldb_message *obj_msg;

+    int dp_error;

+};

+

+static void ipa_id_get_account_info_connected(struct tevent_req *subreq);

+static void ipa_id_get_account_info_got_override(struct tevent_req *subreq);

+static errno_t ipa_id_get_account_info_get_original_step(struct tevent_req *req,

+                                                        struct be_acct_req *ar);

+static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq);

+static void ipa_id_get_account_info_done(struct tevent_req *subreq);

+

+static struct tevent_req *

+ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,

+                             struct ipa_id_ctx *ipa_ctx, struct be_req *be_req,

+                             struct be_acct_req *ar)

+{

+    int ret;

+    struct tevent_req *req;

+    struct tevent_req *subreq;

+    struct ipa_id_get_account_info_state *state;

+

+    req = tevent_req_create(memctx, &state,

+                            struct ipa_id_get_account_info_state);

+    if (req == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");

+        return NULL;

+    }

+

+    state->ev = ev;

+    state->ipa_ctx = ipa_ctx;

+    state->ctx = ipa_ctx->sdap_id_ctx;

+    state->dp_error = DP_ERR_FATAL;

+

+    state->op = sdap_id_op_create(state, state->ctx->conn->conn_cache);

+    if (state->op == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n");

+        ret = ENOMEM;

+        goto fail;

+    }

+

+    state->domain = find_domain_by_name(state->ctx->be->domain,

+                                        ar->domain, true);

+    if (state->domain == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");

+        ret = ENOMEM;

+        goto fail;

+    }

+    state->sysdb = state->domain->sysdb;

+    state->be_req = be_req;

+    state->ar = ar;

+    state->realm = dp_opt_get_string(state->ipa_ctx->ipa_options->basic,

+                                     IPA_KRB5_REALM);

+    if (state->realm == NULL) {

+        DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");

+        ret = EINVAL;

+        goto fail;

+    }

+

+    /* We can skip the override lookup and go directly to the original object

+     * if

+     * - the lookup is by SID

+     * - there is no view set of it is the default view

+     * - if the EXTRA_INPUT_MAYBE_WITH_VIEW flag is not set

+     */

+    if (state->ipa_ctx->view_name == NULL

+            || state->ar->filter_type == BE_FILTER_SECID

+            || strcmp(state->ipa_ctx->view_name,

+                      SYSDB_DEFAULT_VIEW_NAME) == 0

+            || state->ar->extra_value == NULL

+            || strcmp(state->ar->extra_value,

+                      EXTRA_INPUT_MAYBE_WITH_VIEW) != 0 ) {

+        ret = ipa_id_get_account_info_get_original_step(req, ar);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE,

+                  "ipa_subdomain_account_get_original_step failed.\n");

+            goto fail;

+        }

+    } else {

+        subreq = sdap_id_op_connect_send(state->op, state, &ret;;

+        if (subreq == NULL) {

+            DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n");

+            goto fail;

+        }

+        tevent_req_set_callback(subreq, ipa_id_get_account_info_connected, req);

+    }

+

+    return req;

+

+fail:

+    tevent_req_error(req, ret);

+    tevent_req_post(req, ev);

+    return req;

+}

+

+static void ipa_id_get_account_info_connected(struct tevent_req *subreq)

+{

+    struct tevent_req *req = tevent_req_callback_data(subreq,

+                                                struct tevent_req);

+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,

+                                          struct ipa_id_get_account_info_state);

+    int dp_error = DP_ERR_FATAL;

+    int ret;

+

+    ret = sdap_id_op_connect_recv(subreq, &dp_error);

+    talloc_zfree(subreq);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect request failed.\n");

+        goto fail;

+    }

+

+    subreq = ipa_get_ad_override_send(state, state->ev, state->ctx,

+                                      state->ipa_ctx->ipa_options, state->realm,

+                                      state->ipa_ctx->view_name, state->ar);

+    if (subreq == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");

+        ret = ENOMEM;

+        goto fail;

+    }

+

+    tevent_req_set_callback(subreq, ipa_id_get_account_info_got_override, req);

+

+    return;

+

+fail:

+    state->dp_error = dp_error;

+    tevent_req_error(req, ret);

+    return;

+}

+

+static void ipa_id_get_account_info_got_override(struct tevent_req *subreq)

+{

+    struct tevent_req *req = tevent_req_callback_data(subreq,

+                                                struct tevent_req);

+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,

+                                          struct ipa_id_get_account_info_state);

+    int dp_error = DP_ERR_FATAL;

+    int ret;

+    const char *anchor = NULL;

+    char *anchor_domain;

+    char *ipa_uuid;

+

+    ret = ipa_get_ad_override_recv(subreq, &dp_error, state,

+                                   &state->override_attrs);

+    talloc_zfree(subreq);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);

+        goto fail;

+    }

+

+    if (state->override_attrs != NULL) {

+        ret = sysdb_attrs_get_string(state->override_attrs,

+                                     SYSDB_OVERRIDE_ANCHOR_UUID,

+                                     &anchor);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");

+            goto fail;

+        }

+

+        ret = split_ipa_anchor(state, anchor, &anchor_domain, &ipa_uuid);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_CRIT_FAILURE,

+                  "Unsupported override anchor [%s].\n", anchor);

+            ret = EINVAL;

+            goto fail;

+        }

+

+        if (strcmp(state->ar->domain, anchor_domain) == 0) {

+

+            ret = get_be_acct_req_for_uuid(state, ipa_uuid,

+                                           state->ar->domain,

+                                           &state->ar);

+            if (ret != EOK) {

+                DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");

+                goto fail;

+            }

+        } else {

+            DEBUG(SSSDBG_MINOR_FAILURE,

+                  "Anchor from a different domain [%s], expected [%s]. " \

+                  "This is currently not supported, continue lookup in " \

+                  "local IPA domain.\n",

+                  anchor_domain, state->ar->domain);

+        }

+    }

+

+    ret = ipa_id_get_account_info_get_original_step(req, state->ar);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE,

+              "ipa_subdomain_account_get_original_step failed.\n");

+        goto fail;

+    }

+

+    return;

+

+fail:

+    state->dp_error = dp_error;

+    tevent_req_error(req, ret);

+    return;

+}

+

+static errno_t ipa_id_get_account_info_get_original_step(struct tevent_req *req,

+                                                         struct be_acct_req *ar)

+{

+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,

+                                          struct ipa_id_get_account_info_state);

+    struct tevent_req *subreq;

+

+    subreq = sdap_handle_acct_req_send(state, state->be_req, ar,

+                                       state->ipa_ctx->sdap_id_ctx,

+                                       state->ipa_ctx->sdap_id_ctx->opts->sdom,

+                                       state->ipa_ctx->sdap_id_ctx->conn, true);

+    if (subreq == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, "sdap_handle_acct_req_send failed.\n");

+        return ENOMEM;

+    }

+    tevent_req_set_callback(subreq, ipa_id_get_account_info_orig_done, req);

+

+    return EOK;

+}

+

+static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq)

+{

+    struct tevent_req *req = tevent_req_callback_data(subreq,

+                                                struct tevent_req);

+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,

+                                          struct ipa_id_get_account_info_state);

+    int dp_error = DP_ERR_FATAL;

+    int ret;

+    const char *uuid;

+    const char *class;

+    enum sysdb_member_type type;

+

+    ret = sdap_handle_acct_req_recv(subreq, &dp_error, NULL, NULL);

+    talloc_zfree(subreq);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "sdap_handle_acct request failed: %d\n", ret);

+        goto fail;

+    }

+

+    ret = get_object_from_cache(state, state->domain, state->ar,

+                                &state->obj_msg);

+    if (ret == ENOENT) {

+        DEBUG(SSSDBG_MINOR_FAILURE, "Object not found, ending request\n");

+        tevent_req_done(req);

+        return;

+    } else if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n");

+        goto fail;

+    }

+

+    if (state->override_attrs == NULL) {

+        uuid = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_UUID, NULL);

+        if (uuid == NULL) {

+            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find a UUID.\n");

+            ret = EINVAL;

+            goto fail;

+        }

+

+        ret = get_be_acct_req_for_uuid(state, uuid, state->domain->name,

+                                       &state->ar);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");

+            goto fail;

+        }

+

+        subreq = ipa_get_ad_override_send(state, state->ev,

+                                          state->ipa_ctx->sdap_id_ctx,

+                                          state->ipa_ctx->ipa_options,

+                                          state->realm,

+                                          state->ipa_ctx->view_name,

+                                          state->ar);

+        if (subreq == NULL) {

+            DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");

+            ret = ENOMEM;

+            goto fail;

+        }

+        tevent_req_set_callback(subreq, ipa_id_get_account_info_done, req);

+        return;

+    } else {

+        class = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_OBJECTCLASS,

+                                            NULL);

+        if (class == NULL) {

+            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find an objectclass.\n");

+            ret = EINVAL;

+            goto fail;

+        }

+

+        if (strcmp(class, SYSDB_USER_CLASS) == 0) {

+            type = SYSDB_MEMBER_USER;

+        } else {

+            type = SYSDB_MEMBER_GROUP;

+        }

+

+        ret = sysdb_store_override(state->domain, state->ipa_ctx->view_name,

+                                   type,

+                                   state->override_attrs, state->obj_msg->dn);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");

+            goto fail;

+        }

+    }

+

+    state->dp_error = DP_ERR_OK;

+    tevent_req_done(req);

+    return;

+

+fail:

+    state->dp_error = dp_error;

+    tevent_req_error(req, ret);

+    return;

+}

+

+static void ipa_id_get_account_info_done(struct tevent_req *subreq)

+{

+    struct tevent_req *req = tevent_req_callback_data(subreq,

+                                                struct tevent_req);

+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,

+                                          struct ipa_id_get_account_info_state);

+    int dp_error = DP_ERR_FATAL;

+    int ret;

+    const char *class;

+    enum sysdb_member_type type;

+

+    ret = ipa_get_ad_override_recv(subreq, &dp_error, state,

+                                   &state->override_attrs);

+    talloc_zfree(subreq);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);

+        goto fail;

+    }

+

+    class = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_OBJECTCLASS,

+                                        NULL);

+    if (class == NULL) {

+        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find an objectclass.\n");

+        ret = EINVAL;

+        goto fail;

+    }

+

+    if (strcmp(class, SYSDB_USER_CLASS) == 0) {

+        type = SYSDB_MEMBER_USER;

+    } else {

+        type = SYSDB_MEMBER_GROUP;

+    }

+

+    ret = sysdb_store_override(state->domain, state->ipa_ctx->view_name,

+                               type,

+                               state->override_attrs, state->obj_msg->dn);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n");

+        goto fail;

+    }

+

+    state->dp_error = DP_ERR_OK;

+    tevent_req_done(req);

+    return;

+

+fail:

+    state->dp_error = dp_error;

+    tevent_req_error(req, ret);

+    return;

+}

+

+static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error)

+{

+    struct ipa_id_get_account_info_state *state = tevent_req_data(req,

+                                          struct ipa_id_get_account_info_state);

+

+    if (dp_error) {

+        *dp_error = state->dp_error;

+    }

+

+    TEVENT_REQ_RETURN_ON_ERROR(req);

+

+    return EOK;

+}

 /* Request for netgroups

  * - first start here and then go to ipa_netgroups.c

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c

index 891fc336483b507fd284b0c84b118534910ed9fc..ce5a6d1a1048eda4d8b7017bd92bc7ee76e66ef9 100644

--- a/src/providers/ipa/ipa_subdomains_id.c

+++ b/src/providers/ipa/ipa_subdomains_id.c

@@ -879,9 +879,21 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,

         ret = EOK;

         goto done;

-    }

+    } else if (ar->filter_type == BE_FILTER_UUID) {

+        ret = sysdb_search_object_by_uuid(mem_ctx, dom, ar->filter_value, attrs,

+                                          &res;;

+        if (ret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE,

+                  "Failed to make request to our cache: [%d]: [%s]\n",

+                   ret, sss_strerror(ret));

+            goto done;

+        }

-    if (ar->filter_type == BE_FILTER_IDNUM) {

+        *_msg = res->msgs[0];

+

+        ret = EOK;

+        goto done;

+    } else if (ar->filter_type == BE_FILTER_IDNUM) {

         errno = 0;

         id = strtouint32(ar->filter_value, NULL, 10);

         if (errno != 0) {

diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c

index ee586894ec61b1b1330816c628bbc9617d58e31e..c768186d7cf5e5a997e2ca27a167b62c8dc99b3f 100644

--- a/src/providers/ipa/ipa_views.c

+++ b/src/providers/ipa/ipa_views.c

@@ -125,6 +125,21 @@ static errno_t be_acct_req_to_override_filter(TALLOC_CTX *mem_ctx,

         }

         break;

+    case BE_FILTER_UUID:

+        if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_BY_UUID) {

+            filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=:IPA:%s:%s))",

+                       ipa_opts->override_map[IPA_OC_OVERRIDE].name,

+                       ipa_opts->override_map[IPA_AT_OVERRIDE_ANCHOR_UUID].name,

+                       dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN),

+                       ar->filter_value);

+        } else {

+            DEBUG(SSSDBG_CRIT_FAILURE,

+                  "Unexpected entry type [%d] for UUID filter.\n",

+                  ar->entry_type);

+            return EINVAL;

+        }

+        break;

+

     default:

         DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain filter type.\n");

         return EINVAL;

-- 

1.9.3