Blame SOURCES/0009-confdb-add-special-handling-for-rules-for-the-files-.patch

71e593
From db2ca398ef66d73bf04d4cf45a327a8472ce834e Mon Sep 17 00:00:00 2001
71e593
From: Sumit Bose <sbose@redhat.com>
71e593
Date: Fri, 6 Jul 2018 15:17:10 +0200
71e593
Subject: [PATCH 09/19] confdb: add special handling for rules for the files
71e593
 provider
71e593
71e593
To make the configuration more simple there are some special assumption
71e593
for local users, i.e. user managed by the files provider.
71e593
71e593
Related to https://pagure.io/SSSD/sssd/issue/3500
71e593
71e593
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
71e593
(cherry picked from commit 9386ef605ffbc03abe2bc273efddbc099441fe3b)
71e593
---
71e593
 src/confdb/confdb.c              | 59 ++++++++++++++++++++++++++++++++++++++++
71e593
 src/confdb/confdb.h              |  1 +
71e593
 src/providers/files/files_init.c | 10 +++++++
71e593
 3 files changed, 70 insertions(+)
71e593
71e593
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
71e593
index 7de0fb3cc7031767d748bd4fb739a3376fd364e3..6370a0411d98b6611dd384e9ab0de1d580be9c2d 100644
71e593
--- a/src/confdb/confdb.c
71e593
+++ b/src/confdb/confdb.c
71e593
@@ -2197,6 +2197,56 @@ done:
71e593
     return ret;
71e593
 }
71e593
 
71e593
+static errno_t certmap_local_check(struct ldb_message *msg)
71e593
+{
71e593
+    const char *rule_name;
71e593
+    const char *tmp_str;
71e593
+    int ret;
71e593
+
71e593
+    rule_name = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_NAME, NULL);
71e593
+    if (rule_name == NULL) {
71e593
+        DEBUG(SSSDBG_CRIT_FAILURE, "Certficate mapping rule [%s] has no name.",
71e593
+                                   ldb_dn_get_linearized(msg->dn));
71e593
+        return EINVAL;
71e593
+    }
71e593
+
71e593
+    tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_DOMAINS, NULL);
71e593
+    if (tmp_str != NULL) {
71e593
+        DEBUG(SSSDBG_CONF_SETTINGS,
71e593
+              "Option [%s] is ignored for local certmap rules.\n",
71e593
+              CONFDB_CERTMAP_DOMAINS);
71e593
+    }
71e593
+
71e593
+    tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_MAPRULE, NULL);
71e593
+    if (tmp_str != NULL) {
71e593
+        if (tmp_str[0] != '(' || tmp_str[strlen(tmp_str) - 1] != ')') {
71e593
+            DEBUG(SSSDBG_CONF_SETTINGS,
71e593
+                  "Mapping rule must be in braces (...).\n");
71e593
+            return EINVAL;
71e593
+        }
71e593
+        DEBUG(SSSDBG_TRACE_ALL, "Using [%s] mapping rule of [%s].\n",
71e593
+                                tmp_str, ldb_dn_get_linearized(msg->dn));
71e593
+        return EOK;
71e593
+    }
71e593
+
71e593
+    tmp_str = talloc_asprintf(msg, "(%s)", rule_name);
71e593
+    if (tmp_str == NULL) {
71e593
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
71e593
+        return ENOMEM;
71e593
+    }
71e593
+    ret = ldb_msg_add_string(msg, CONFDB_CERTMAP_MAPRULE, tmp_str);
71e593
+    if (ret != LDB_SUCCESS) {
71e593
+        talloc_free(discard_const(tmp_str));
71e593
+        DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n");
71e593
+        return EIO;
71e593
+    }
71e593
+
71e593
+    DEBUG(SSSDBG_TRACE_ALL, "Using [%s] as mapping rule for [%s].\n",
71e593
+                            tmp_str, ldb_dn_get_linearized(msg->dn));
71e593
+
71e593
+    return EOK;
71e593
+}
71e593
+
71e593
 static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
71e593
                                        struct confdb_ctx *cdb,
71e593
                                        struct sss_domain_info *dom,
71e593
@@ -2245,6 +2295,15 @@ static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
71e593
     }
71e593
 
71e593
     for (c = 0; c < res->count; c++) {
71e593
+        if (is_files_provider(dom)) {
71e593
+            ret = certmap_local_check(res->msgs[c]);
71e593
+            if (ret != EOK) {
71e593
+                DEBUG(SSSDBG_CONF_SETTINGS,
71e593
+                      "Invalid certificate mapping [%s] for local user, "
71e593
+                      "ignored.\n", ldb_dn_get_linearized(res->msgs[c]->dn));
71e593
+                continue;
71e593
+            }
71e593
+        }
71e593
         ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
71e593
                                                  attrs, &certmap_list[c]);
71e593
         if (ret != EOK) {
71e593
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
71e593
index 2aae93a278eb62e9b8a18885f06d66b20f269f60..625d156267ebf5f59e3974663256acfbb5f3b027 100644
71e593
--- a/src/confdb/confdb.h
71e593
+++ b/src/confdb/confdb.h
71e593
@@ -685,6 +685,7 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
71e593
  */
71e593
 int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
71e593
                             struct sss_domain_info *dom);
71e593
+
71e593
 /**
71e593
  * @}
71e593
  */
71e593
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
71e593
index 746c04af1d766b4da623196d3ff6ebc99ca6efef..c793bed9cc99db958b50ed9f6d69a2f8f337b409 100644
71e593
--- a/src/providers/files/files_init.c
71e593
+++ b/src/providers/files/files_init.c
71e593
@@ -189,6 +189,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
71e593
         goto done;
71e593
     }
71e593
 
71e593
+    ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
71e593
+    if (ret != EOK) {
71e593
+        DEBUG(SSSDBG_CRIT_FAILURE,
71e593
+              "Failed to initialize certificate mapping rules. "
71e593
+              "Authentication with certificates/Smartcards might not work "
71e593
+              "as expected.\n");
71e593
+        /* not fatal, ignored */
71e593
+    }
71e593
+
71e593
+
71e593
     *_module_data = ctx;
71e593
     ret = EOK;
71e593
 done:
71e593
-- 
71e593
2.14.4
71e593