authorPavel Březina <pbrezina@redhat.com>2012-06-26 13:00:10 +0200
committerStephen Gallagher <sgallagh@redhat.com>2012-06-29 11:37:18 -0400
commit5f73b623fc72e3b9b3590420825f30e618b4d4dd (patch)
tree50ee93c69f4420691806750eabb1887eba1ab331
parent9af677f3bae3a7c1386867e4d42970555b3d6b9a (diff)
downloadsssd-5f73b623fc72e3b9b3590420825f30e618b4d4dd.tar.gz
sssd-5f73b623fc72e3b9b3590420825f30e618b4d4dd.tar.xz
sssd-5f73b623fc72e3b9b3590420825f30e618b4d4dd.zip
sudo ldap provider: load host filter configuration on init
We need to load host information during provider initialization. Currently it loads only values from configuration files, but it is implemented as an asynchronous request because it will later try to autodetect these settings (which will need to contact DNS).
-rw-r--r--Makefile.am1
-rw-r--r--src/providers/ldap/ldap_common.c10
-rw-r--r--src/providers/ldap/ldap_common.h5
-rw-r--r--src/providers/ldap/sdap_async_sudo_hostinfo.c111
-rw-r--r--src/providers/ldap/sdap_sudo.c55
-rw-r--r--src/providers/ldap/sdap_sudo.h9
6 files changed, 186 insertions, 5 deletions
diff --git a/Makefile.am b/Makefile.am
index 395a00799..1848d73e9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1186,6 +1186,7 @@ libsss_ldap_common_la_SOURCES += \
src/providers/ldap/sdap_sudo_cache.c \
src/providers/ldap/sdap_async_sudo.c \
src/providers/ldap/sdap_async_sudo_timer.c \
+ src/providers/ldap/sdap_async_sudo_hostinfo.c \
src/providers/ldap/sdap_sudo.c
endif
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index b578ad749..64c06cd59 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -345,7 +345,10 @@ done:
int ldap_get_sudo_options(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
const char *conf_path,
- struct sdap_options *opts)
+ struct sdap_options *opts,
+ bool *use_host_filter,
+ bool *include_regexp,
+ bool *include_netgroups)
{
const char *search_base;
int ret;
@@ -390,6 +393,11 @@ int ldap_get_sudo_options(TALLOC_CTX *memctx,
return ret;
}
+ /* host filter */
+ *use_host_filter = dp_opt_get_bool(opts->basic, SDAP_SUDO_USE_HOST_FILTER);
+ *include_netgroups = dp_opt_get_bool(opts->basic, SDAP_SUDO_INCLUDE_NETGROUPS);
+ *include_regexp = dp_opt_get_bool(opts->basic, SDAP_SUDO_INCLUDE_REGEXP);
+
return EOK;
}
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 8bd2584e1..1a458ec90 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -126,7 +126,10 @@ int ldap_get_options(TALLOC_CTX *memctx,
int ldap_get_sudo_options(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
const char *conf_path,
- struct sdap_options *opts);
+ struct sdap_options *opts,
+ bool *use_host_filter,
+ bool *include_regexp,
+ bool *include_netgroups);
int ldap_get_autofs_options(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
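Review bot: The three new out-parameters of `ldap_get_sudo_options` have no stated contract; from the .c side of this commit they are dereferenced without a NULL check and are written only on the EOK path, so a caller that ignores the return value would read stale stack values. Rather than adding checks, document it on the prototype: `/* use_host_filter, include_regexp and include_netgroups must be non-NULL; they are written only when EOK is returned. */`. The `ldap_get_autofs_options` prototype at the end of the hunk continues outside it.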
diff --git a/src/providers/ldap/sdap_async_sudo_hostinfo.c b/src/providers/ldap/sdap_async_sudo_hostinfo.c
new file mode 100644
index 000000000..0b8f44056
--- /dev/null
+++ b/src/providers/ldap/sdap_async_sudo_hostinfo.c
@@ -0,0 +1,111 @@
+/*
+ Authors:
+ Pavel Březina <pbrezina@redhat.com>
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
+#include <tevent.h>
+#include <talloc.h>
+
+#include "util/util.h"
+#include "providers/ldap/sdap.h"
+#include "providers/ldap/sdap_id_op.h"
+#include "providers/ldap/sdap_sudo.h"
+
+struct sdap_sudo_get_hostinfo_state {
+ char **hostnames;
+ char **ip_addr;
+};
+
+struct tevent_req * sdap_sudo_get_hostinfo_send(TALLOC_CTX *mem_ctx,
+ struct sdap_options *opts,
+ struct be_ctx *be_ctx)
+{
+ struct tevent_req *req = NULL;
+ struct sdap_sudo_get_hostinfo_state *state = NULL;
+ char *conf_hostnames = NULL;
+ char *conf_ip_addr = NULL;
+ int ret;
+
+ /* create request */
+ req = tevent_req_create(mem_ctx, &state, struct sdap_sudo_get_hostinfo_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("tevent_req_create() failed\n"));
+ return NULL;
+ }
+
+ state->hostnames = NULL;
+ state->ip_addr = NULL;
+
+ /* load info from configuration */
+ conf_hostnames = dp_opt_get_string(opts->basic, SDAP_SUDO_HOSTNAMES);
+ conf_ip_addr = dp_opt_get_string(opts->basic, SDAP_SUDO_IP);
+
+ if (conf_hostnames != NULL) {
+ ret = split_on_separator(state, conf_hostnames, ' ', true,
+ &state->hostnames, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Unable to parse hostnames [%d]: %s\n", ret, strerror(ret)));
+ goto done;
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Hostnames set to: %s\n", conf_hostnames));
+ }
+ }
+
+ if (conf_ip_addr != NULL) {
+ ret = split_on_separator(state, conf_ip_addr, ' ', true,
+ &state->ip_addr, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Unable to parse IP addresses [%d]: %s\n", ret, strerror(ret)));
+ goto done;
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("IP addresses set to: %s\n", conf_ip_addr));
+ }
+ }
+
+ /* auto configuration will be supported later */
+
+done:
+ if (ret != EAGAIN) {
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, be_ctx->ev);
+ }
+
+ return req;
+}
+
+int sdap_sudo_get_hostinfo_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char ***hostnames, char ***ip_addr)
+{
+ struct sdap_sudo_get_hostinfo_state *state = NULL;
+ state = tevent_req_data(req, struct sdap_sudo_get_hostinfo_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *hostnames = talloc_steal(mem_ctx, state->hostnames);
+ *ip_addr = talloc_steal(mem_ctx, state->ip_addr);
+
+ return EOK;
+}
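Review bot: `int ret;` in `sdap_sudo_get_hostinfo_send` is never assigned when neither SDAP_SUDO_HOSTNAMES nor SDAP_SUDO_IP is configured, so the `done:` block compares an uninitialized value against EAGAIN: it then either finishes the request with a garbage error code or, if the stack happens to hold EAGAIN, never completes it at all and the caller's callback never fires. Initialize it on the declaration: `int ret = EOK;`. The `else` arms that only log after each `goto done` could be flattened, but that is cosmetic.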
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 80549bfa5..806c8b3a7 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -104,6 +104,7 @@ struct bet_ops sdap_sudo_ops = {
.finalize = sdap_sudo_shutdown
};
+static void sdap_sudo_get_hostinfo_done(struct tevent_req *req);
int sdap_sudo_setup_periodical_refresh(struct sdap_sudo_ctx *sudo_ctx);
int sdap_sudo_init(struct be_ctx *be_ctx,
@@ -112,6 +113,7 @@ int sdap_sudo_init(struct be_ctx *be_ctx,
void **pvt_data)
{
struct sdap_sudo_ctx *sudo_ctx = NULL;
+ struct tevent_req *req = NULL;
int ret;
DEBUG(SSSDBG_TRACE_INTERNAL, ("Initializing sudo LDAP back end\n"));
@@ -127,20 +129,67 @@ int sdap_sudo_init(struct be_ctx *be_ctx,
*pvt_data = sudo_ctx;
ret = ldap_get_sudo_options(id_ctx, be_ctx->cdb,
- be_ctx->conf_path, id_ctx->opts);
+ be_ctx->conf_path, id_ctx->opts,
+ &sudo_ctx->use_host_filter,
+ &sudo_ctx->include_regexp,
+ &sudo_ctx->include_netgroups);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Cannot get SUDO options [%d]: %s\n",
ret, strerror(ret)));
return ret;
}
+ req = sdap_sudo_get_hostinfo_send(sudo_ctx, id_ctx->opts, be_ctx);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to retrieve host information - "
+ "(host filter will be disabled)\n"));
+
+ sudo_ctx->use_host_filter = false;
+
+ ret = sdap_sudo_setup_periodical_refresh(sudo_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Unable to setup periodical refresh"
+ "of sudo rules [%d]: %s\n", ret, strerror(ret)));
+ /* periodical updates will not work, but specific-rule update
+ * is no affected by this, therefore we don't have to fail here */
+ }
+ } else {
+ tevent_req_set_callback(req, sdap_sudo_get_hostinfo_done, sudo_ctx);
+ }
+
+ return EOK;
+}
+
+static void sdap_sudo_get_hostinfo_done(struct tevent_req *req)
+{
+ struct sdap_sudo_ctx *sudo_ctx = NULL;
+ char **hostnames = NULL;
+ char **ip_addr = NULL;
+ int ret;
+
+ sudo_ctx = tevent_req_callback_data(req, struct sdap_sudo_ctx);
+
+ ret = sdap_sudo_get_hostinfo_recv(sudo_ctx, req, &hostnames, &ip_addr);
+ talloc_zfree(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to retrieve host information - "
+ "(host filter will be disabled) [%d]: %s\n", ret, strerror(ret)));
+ sudo_ctx->use_host_filter = false;
+ return;
+ }
+
+ talloc_zfree(sudo_ctx->hostnames);
+ talloc_zfree(sudo_ctx->ip_addr);
+
+ sudo_ctx->hostnames = talloc_move(sudo_ctx, &hostnames);
+ sudo_ctx->ip_addr = talloc_move(sudo_ctx, &ip_addr);
+
ret = sdap_sudo_setup_periodical_refresh(sudo_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Unable to setup periodical refresh"
"of sudo rules [%d]: %s\n", ret, strerror(ret)));
}
-
- return EOK;
}
int sdap_sudo_setup_periodical_refresh(struct sdap_sudo_ctx *sudo_ctx)
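Review bot: In `sdap_sudo_get_hostinfo_done` the `ret != EOK` branch disables the host filter and then `return`s without calling `sdap_sudo_setup_periodical_refresh`, while the `req == NULL` path in `sdap_sudo_init` does set the refresh up after disabling the filter; because init now returns EOK before the callback runs, a failed host-info request leaves the provider with no periodic refresh, so rules revoked or changed in LDAP would presumably not be picked up until restart. Replace the `return;` with `goto refresh;` and label the call `refresh: ret = sdap_sudo_setup_periodical_refresh(sudo_ctx);` so both outcomes reach it. The concatenated log strings `"Unable to setup periodical refresh" "of sudo rules ..."` in both places also lack a space between "refresh" and "of". `sdap_sudo_init` begins before this hunk.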
diff --git a/src/providers/ldap/sdap_sudo.h b/src/providers/ldap/sdap_sudo.h
index 252772717..d2c5e80f5 100644
--- a/src/providers/ldap/sdap_sudo.h
+++ b/src/providers/ldap/sdap_sudo.h
@@ -69,6 +69,15 @@ int sdap_sudo_timer_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
struct tevent_req **_subreq);
+/* host info */
+struct tevent_req * sdap_sudo_get_hostinfo_send(TALLOC_CTX *mem_ctx,
+ struct sdap_options *opts,
+ struct be_ctx *be_ctx);
+
+int sdap_sudo_get_hostinfo_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char ***hostnames, char ***ip_addr);
+
/* (&(objectClass=sudoRole)(|(cn=defaults)(sudoUser=ALL)%s)) */
#define SDAP_SUDO_FILTER_USER "(&(objectClass=%s)(|(%s=%s)(%s=ALL)%s))"
#define SDAP_SUDO_FILTER_CLASS "(objectClass=%s)"
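Review bot: The new `sdap_sudo_get_hostinfo_send`/`_recv` prototypes carry no contract, and the recv side hands ownership of both arrays to `mem_ctx`, which a caller must know to free them correctly. A comment above the declarations such as `/* Parses SDAP_SUDO_HOSTNAMES and SDAP_SUDO_IP from opts; on success _recv moves the resulting arrays onto mem_ctx, and either pointer is NULL when its option is not set. */` would cover it. Whether the arrays are NULL-terminated depends on split_on_separator, which is not visible here, so state that only if confirmed.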