authorSumit Bose <sbose@redhat.com>2015-05-27 11:22:20 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-06-19 18:48:13 +0200
commit7d8b7d82f0a91ed656320577fc781f24a66db9f8 (patch)
tree2cbf69045645258e3f659262be180c689c9ffce1
parentbf01e8179cbb2be476805340636098deda7e1366 (diff)
downloadsssd-7d8b7d82f0a91ed656320577fc781f24a66db9f8.tar.gz
sssd-7d8b7d82f0a91ed656320577fc781f24a66db9f8.tar.xz
sssd-7d8b7d82f0a91ed656320577fc781f24a66db9f8.zip
sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r--Makefile.am1
-rw-r--r--src/db/sysdb.h14
-rw-r--r--src/db/sysdb_ops.c35
-rw-r--r--src/tests/cwrap/Makefile.am2
-rw-r--r--src/tests/sysdb-tests.c54
5 files changed, 106 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index fa563de0d..1d80c3671 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -816,6 +816,7 @@ libsss_util_la_LIBADD = \
libsss_debug.la \
libsss_child.la \
libsss_crypt.la \
+ libsss_cert.la \
$(NULL)
if BUILD_SUDO
libsss_util_la_SOURCES += src/db/sysdb_sudo.c
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 1ad8d3d0c..4dc382f6f 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -194,6 +194,7 @@
#define SYSDB_SID_FILTER "(&(|("SYSDB_UC")("SYSDB_GC"))("SYSDB_SID_STR"=%s))"
#define SYSDB_UUID_FILTER "(&(|("SYSDB_UC")("SYSDB_GC"))("SYSDB_UUID"=%s))"
+#define SYSDB_USER_CERT_FILTER "(&("SYSDB_UC")%s)"
#define SYSDB_HAS_ENUMERATED "has_enumerated"
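Review bot: `SYSDB_USER_CERT_FILTER` on L41 takes a different kind of argument from the `SYSDB_SID_FILTER` and `SYSDB_UUID_FILTER` macros right above it, and nothing at the definition says so: its `%s` is filled with a complete, already-parenthesised filter term produced by `sss_cert_derb64_to_ldap_filter()` (see the new `sysdb_search_object_by_cert()` in sysdb_ops.c), not a raw attribute value. The template itself performs no escaping, and whether `sysdb_search_object_by_str_attr()` sanitizes its `str` argument is not visible in this diff, so a later caller that feeds a bare certificate string or any unescaped value into this macro would be building an unchecked LDAP filter. I would pin the contract next to the macro: `/* %s must be a complete, escaped filter term on SYSDB_USER_CERT as built by sss_cert_derb64_to_ldap_filter(); never pass a raw value. */`.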
@@ -1064,6 +1065,19 @@ errno_t sysdb_search_object_by_uuid(TALLOC_CTX *mem_ctx,
const char **attrs,
struct ldb_result **res);
+errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *cert,
+ const char **attrs,
+ struct ldb_result **res);
+
+errno_t sysdb_search_user_by_cert(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *cert,
+ struct ldb_result **res);
+
+
+
/* === Functions related to GPOs === */
#define SYSDB_GPO_CONTAINER "cn=gpos,cn=ad,cn=custom"
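Review bot: The two new prototypes on L46-L55 are public sysdb API but carry no documentation, unlike the behaviour the rest of the diff pins down. I would add a short block comment above `sysdb_search_object_by_cert()` stating that `cert` is the base64-encoded DER certificate to match against `SYSDB_USER_CERT` (that is what the helper name and the test's `TEST_USER_CERT_DERB64` suggest; worth confirming), that `attrs` selects the returned attributes while `sysdb_search_user_by_cert()` fixes them to `SYSDB_PW_ATTRS`, that `*res` is allocated on `mem_ctx`, and that `ENOENT` is returned when no entry matches (the test relies on exactly that). The comment should also say that every matching user entry is returned, so a caller mapping a certificate to a single identity has to check `res->count`. As a point of style, the three blank lines on L56-L58 should collapse to one.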
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index d34583787..6d0aede8a 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -24,6 +24,7 @@
#include "db/sysdb_services.h"
#include "db/sysdb_autofs.h"
#include "util/crypto/sss_crypto.h"
+#include "util/cert.h"
#include <time.h>
int add_string(struct ldb_message *msg, int flags,
@@ -3702,6 +3703,40 @@ errno_t sysdb_search_object_by_uuid(TALLOC_CTX *mem_ctx,
uuid_str, attrs, res);
}
+errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *cert,
+ const char **attrs,
+ struct ldb_result **res)
+{
+ int ret;
+ char *user_filter;
+
+ ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_CERT,
+ &user_filter);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n");
+ return ret;
+ }
+
+ ret = sysdb_search_object_by_str_attr(mem_ctx, domain,
+ SYSDB_USER_CERT_FILTER,
+ user_filter, attrs, res);
+ talloc_free(user_filter);
+
+ return ret;
+}
+
+errno_t sysdb_search_user_by_cert(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *cert,
+ struct ldb_result **res)
+{
+ const char *user_attrs[] = SYSDB_PW_ATTRS;
+
+ return sysdb_search_object_by_cert(mem_ctx, domain, cert, user_attrs, res);
+}
+
errno_t sysdb_get_sids_of_members(TALLOC_CTX *mem_ctx,
struct sss_domain_info *dom,
const char *group_name,
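Review bot: Neither `sysdb_search_object_by_cert()` nor `sysdb_search_user_by_cert()` bounds the number of hits: every user entry whose `SYSDB_USER_CERT` matches the generated filter term lands in `res`, and nothing in the new code treats `res->count > 1` specially. If a caller uses this to pick the account for certificate-based login (the ticket referenced in the commit message suggests that, but the callers are not in this diff), it must reject an ambiguous mapping rather than silently taking `res->msgs[0]`, and that expectation should live on the function: `/* Returns every user entry whose SYSDB_USER_CERT matches cert; callers that map a certificate to one identity must treat res->count != 1 as an error. */`. Separately, `user_filter` is allocated on the caller's `mem_ctx` and released only by the explicit `talloc_free()` on L94, which is correct today but leaks the moment someone adds an early return between L91 and L94; a local `tmp_ctx` would make the cleanup path robust. The trailing context on L109-L111 is the start of `sysdb_get_sids_of_members()`, which continues outside the hunk.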
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 46f815ab5..34b5d8bea 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -110,6 +110,7 @@ server_tests_LDADD = \
$(abs_top_builddir)/libsss_debug.la \
$(abs_top_builddir)/libsss_crypt.la \
$(abs_top_builddir)/libsss_test_common.la \
+ $(abs_top_builddir)/libsss_cert.la \
$(NULL)
usertools_tests_SOURCES = \
@@ -144,6 +145,7 @@ usertools_tests_LDADD = \
$(abs_top_builddir)/libsss_debug.la \
$(abs_top_builddir)/libsss_crypt.la \
$(abs_top_builddir)/libsss_test_common.la \
+ $(abs_top_builddir)/libsss_cert.la \
$(NULL)
responder_common_tests_SOURCES =\
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 4478e24a6..522a44aa4 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -27,6 +27,7 @@
#include <sys/stat.h>
#include <sys/types.h>
#include "util/util.h"
+#include "util/crypto/sss_crypto.h"
#include "confdb/confdb_setup.h"
#include "db/sysdb_private.h"
#include "db/sysdb_services.h"
@@ -5201,6 +5202,56 @@ START_TEST(test_sysdb_search_object_by_uuid)
}
END_TEST
+/* For simple searches the content of the certificate does not matter */
+#define TEST_USER_CERT_DERB64 "gJznJT7L0aETU5CMk+n+1Q=="
+START_TEST(test_sysdb_search_user_by_cert)
+{
+ errno_t ret;
+ struct sysdb_test_ctx *test_ctx;
+ struct ldb_result *res;
+ struct sysdb_attrs *attrs = NULL;
+ struct ldb_val val;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ val.data = sss_base64_decode(test_ctx, TEST_USER_CERT_DERB64, &val.length);
+ fail_unless(val.data != NULL, "sss_base64_decode failed.");
+
+ attrs = sysdb_new_attrs(test_ctx);
+ fail_unless(attrs != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_add_val(attrs, SYSDB_USER_CERT, &val);
+ fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].",
+ ret, strerror(ret));
+
+ ret = sysdb_add_user(test_ctx->domain, "certuser",
+ 234567, 0, "cert user", "/home/certuser", "/bin/bash",
+ NULL, attrs, 0, 0);
+ fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].",
+ ret, strerror(ret));
+
+ ret = sysdb_search_user_by_cert(test_ctx, test_ctx->domain, "ABC", &res);
+ fail_unless(ret == ENOENT,
+ "Unexpected return code from sysdb_search_user_by_cert for "
+ "missing object, expected [%d], got [%d].", ENOENT, ret);
+
+ ret = sysdb_search_user_by_cert(test_ctx, test_ctx->domain,
+ TEST_USER_CERT_DERB64, &res);
+ fail_unless(ret == EOK, "sysdb_search_user_by_cert failed with [%d][%s].",
+ ret, strerror(ret));
+ fail_unless(res->count == 1, "Unexpected number of results, " \
+ "expected [%u], get [%u].", 1, res->count);
+ fail_unless(strcmp(ldb_msg_find_attr_as_string(res->msgs[0],
+ SYSDB_NAME, ""),
+ "certuser") == 0, "Unexpected object found, " \
+ "expected [%s], got [%s].", "certuser",
+ ldb_msg_find_attr_as_string(res->msgs[0],SYSDB_NAME, ""));
+ talloc_free(test_ctx);
+}
+END_TEST
+
START_TEST(test_sysdb_delete_by_sid)
{
errno_t ret;
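Review bot: The new test on L147-L192 covers a non-matching certificate and a single matching user, but not two users carrying the same certificate, so the one behaviour a security-sensitive caller most needs pinned (what `res->count` is for an ambiguous mapping) is left undefined by the tests. I would add a second user with the same `attrs` and assert the count, using whatever policy is intended: `2` if the function is meant to return all matches, or an error if ambiguity is supposed to be rejected at this layer. The sketch below reuses `attrs` for the second `sysdb_add_user()` call, which assumes that call does not consume or modify it; verify that against `sysdb_add_user()`.

```c
    /* … unchanged: add "certuser", search for a missing and a matching cert … */
    /* Two users with the same certificate: pin the ambiguous-mapping result. */
    ret = sysdb_add_user(test_ctx->domain, "certuser2",
                         234568, 0, "cert user 2", "/home/certuser2", "/bin/bash",
                         NULL, attrs, 0, 0);
    fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].",
                ret, strerror(ret));

    ret = sysdb_search_user_by_cert(test_ctx, test_ctx->domain,
                                    TEST_USER_CERT_DERB64, &res);
    fail_unless(ret == EOK, "sysdb_search_user_by_cert failed with [%d][%s].",
                ret, strerror(ret));
    fail_unless(res->count == 2, "Unexpected number of results, "
                "expected [%u], got [%u].", 2, res->count);
    talloc_free(test_ctx);
```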
@@ -6318,6 +6369,9 @@ Suite *create_sysdb_suite(void)
/* Test UUID string searches */
tcase_add_test(tc_sysdb, test_sysdb_search_object_by_uuid);
+ /* Test user by certificate searches */
+ tcase_add_test(tc_sysdb, test_sysdb_search_user_by_cert);
+
/* Test canonicalizing names */
tcase_add_test(tc_sysdb, test_sysdb_get_real_name);