author | Simo Sorce <ssorce@redhat.com> | 2009-04-11 00:31:50 -0400 |
committer | Simo Sorce <ssorce@redhat.com> | 2009-04-13 09:07:10 -0400 |
commit | 943df8483b9f8a43df72121883ca67f17571d214 (patch) | |
tree | a9301004163a7033b4a342057c355da1ea49454b /server/providers | |
parent | f16705ecade500f77b525d1a3df0109196c98ee0 (diff) | |
Implement credentials caching in pam responder.
Implement credentials caching in pam responder.
Currently works only for the proxy backend.
Also clean up the pam responder code and move the common code into the data provider.
(the data provider should never include responder private headers)
Diffstat (limited to 'server/providers')
-rw-r--r-- | server/providers/data_provider.c | 1 | ||||
-rw-r--r-- | server/providers/data_provider.h | 47 | ||||
-rw-r--r-- | server/providers/dp_auth_util.c | 208 | ||||
-rw-r--r-- | server/providers/dp_backend.h | 1 |
4 files changed, 255 insertions, 2 deletions
diff --git a/server/providers/data_provider.c b/server/providers/data_provider.c
index 4614250c7..e8f190ea9 100644
--- a/server/providers/data_provider.c
+++ b/server/providers/data_provider.c
@@ -41,7 +41,6 @@
 #include "dp_interfaces.h"
 #include "monitor/monitor_sbus.h"
 #include "monitor/monitor_interfaces.h"
-#include "responder/pam/pamsrv.h"
 #define DP_CONF_ENTRY "config/services/dp"
diff --git a/server/providers/data_provider.h b/server/providers/data_provider.h
index 4b68a0bd7..2c828fab3 100644
--- a/server/providers/data_provider.h
+++ b/server/providers/data_provider.h
@@ -34,6 +34,7 @@
 #include "sbus/sssd_dbus.h"
 #include "sbus/sbus_client.h"
 #include "providers/dp_interfaces.h"
+#include "../sss_client/sss_cli.h"
 #define DATA_PROVIDER_VERSION 0x0001
 #define DATA_PROVIDER_SERVICE_NAME "dp"
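Review bot: The new include in data_provider.h is written as a parent-relative path, `#include "../sss_client/sss_cli.h"`, while every neighbouring include in the same hunk is rooted at the source tree (`sbus/sssd_dbus.h`, `providers/dp_interfaces.h`). If the build's include path is the server tree root, as those lines suggest, `#include "sss_client/sss_cli.h"` would keep the header location-independent; if sss_client is not on that path, a one-line comment saying why the relative form is needed would save the next reader the question.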
@@ -80,4 +81,50 @@
 #define BE_REQ_GROUP 2
 #define BE_REQ_INITGROUPS 3
+/* AUTH related common data and functions */
+
+#define DEBUG_PAM_DATA(level, pd) do { \
+ if (level <= debug_level) pam_print_data(level, pd); \
+} while(0);
+
+
+struct response_data {
+ int32_t type;
+ int32_t len;
+ uint8_t *data;
+ struct response_data *next;
+};
+
+struct pam_data {
+ int cmd;
+ uint32_t authtok_type;
+ uint32_t authtok_size;
+ uint32_t newauthtok_type;
+ uint32_t newauthtok_size;
+ char *domain;
+ char *user;
+ char *service;
+ char *tty;
+ char *ruser;
+ char *rhost;
+ uint8_t *authtok;
+ uint8_t *newauthtok;
+
+ int pam_status;
+ int response_delay;
+ struct response_data *resp_list;
+
+ bool offline_auth;
+};
+
+void pam_print_data(int l, struct pam_data *pd);
+
+int pam_add_response(struct pam_data *pd, enum response_type type,
+ int len, const uint8_t *data);
+
+bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd);
+bool dp_unpack_pam_request(DBusMessage *msg, struct pam_data *pd, DBusError *dbus_error);
+bool dp_pack_pam_response(DBusMessage *msg, struct pam_data *pd);
+bool dp_unpack_pam_response(DBusMessage *msg, struct pam_data *pd, DBusError *dbus_error);
+
 #endif /* __DATA_PROVIDER_ */
diff --git a/server/providers/dp_auth_util.c b/server/providers/dp_auth_util.c
new file mode 100644
index 000000000..99e57e2e8
--- /dev/null
+++ b/server/providers/dp_auth_util.c
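Review bot: The `DEBUG_PAM_DATA` macro ends its `do { ... } while(0)` with a semicolon inside the definition, which defeats the purpose of the idiom: a use such as `if (x) DEBUG_PAM_DATA(4, pd); else ...` expands to two statements and fails to compile. The closing line should be `} while(0)` with the semicolon supplied by the caller. Separately, `struct pam_data` carries the plaintext credential buffers `authtok` and `newauthtok` plus their sizes, and nothing in the header says who owns those buffers or whether they are expected to be wiped before release; a short comment on the struct, e.g. `/* authtok/newauthtok hold the raw PAM tokens; the owner of pam_data frees and clears them */`, would make the contract explicit for every backend that touches it.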
@@ -0,0 +1,208 @@
+/*
+ SSSD
+
+ Data Provider, auth utils
+
+ Copyright (C) Sumit Bose <sbose@redhat.com> 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "data_provider.h"
+
+void pam_print_data(int l, struct pam_data *pd)
+{
+ DEBUG(l, ("command: %d\n", pd->cmd));
+ DEBUG(l, ("domain: %s\n", pd->domain));
+ DEBUG(l, ("user: %s\n", pd->user));
+ DEBUG(l, ("service: %s\n", pd->service));
+ DEBUG(l, ("tty: %s\n", pd->tty));
+ DEBUG(l, ("ruser: %s\n", pd->ruser));
+ DEBUG(l, ("rhost: %s\n", pd->rhost));
+ DEBUG(l, ("authtok type: %d\n", pd->authtok_type));
+ DEBUG(l, ("authtok size: %d\n", pd->authtok_size));
+ DEBUG(l, ("newauthtok type: %d\n", pd->newauthtok_type));
+ DEBUG(l, ("newauthtok size: %d\n", pd->newauthtok_size));
+}
+
+int pam_add_response(struct pam_data *pd, enum response_type type,
+ int len, const uint8_t *data)
+{
+ struct response_data *new;
+
+ new = talloc(pd, struct response_data);
+ if (new == NULL) return ENOMEM;
+
+ new->type = type;
+ new->len = len;
+ new->data = talloc_memdup(pd, data, len);
+ if (new->data == NULL) return ENOMEM;
+ new->next = pd->resp_list;
+ pd->resp_list = new;
+
+ return EOK;
+}
+
+bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd)
+{
+ int ret;
+
+ ret = dbus_message_append_args(msg,
+ DBUS_TYPE_INT32, &(pd->cmd),
+ DBUS_TYPE_STRING, &(pd->domain),
+ DBUS_TYPE_STRING, &(pd->user),
+ DBUS_TYPE_STRING, &(pd->service),
+ DBUS_TYPE_STRING, &(pd->tty),
+ DBUS_TYPE_STRING, &(pd->ruser),
+ DBUS_TYPE_STRING, &(pd->rhost),
+ DBUS_TYPE_INT32, &(pd->authtok_type),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE,
+ &(pd->authtok),
+ (pd->authtok_size),
+ DBUS_TYPE_INT32, &(pd->newauthtok_type),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE,
+ &(pd->newauthtok),
+ pd->newauthtok_size,
+ DBUS_TYPE_INVALID);
+
+ return ret;
+}
+
+bool dp_unpack_pam_request(DBusMessage *msg, struct pam_data *pd, DBusError *dbus_error)
+{
+ int ret;
+
+ ret = dbus_message_get_args(msg, dbus_error,
+ DBUS_TYPE_INT32, &(pd->cmd),
+ DBUS_TYPE_STRING, &(pd->domain),
+ DBUS_TYPE_STRING, &(pd->user),
+ DBUS_TYPE_STRING, &(pd->service),
+ DBUS_TYPE_STRING, &(pd->tty),
+ DBUS_TYPE_STRING, &(pd->ruser),
+ DBUS_TYPE_STRING, &(pd->rhost),
+ DBUS_TYPE_INT32, &(pd->authtok_type),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE,
+ &(pd->authtok),
+ &(pd->authtok_size),
+ DBUS_TYPE_INT32, &(pd->newauthtok_type),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE,
+ &(pd->newauthtok),
+ &(pd->newauthtok_size),
+ DBUS_TYPE_INVALID);
+
+ return ret;
+}
+
+bool dp_pack_pam_response(DBusMessage *msg, struct pam_data *pd)
+{
+ int ret;
+ struct response_data *resp;
+
+ ret = dbus_message_append_args(msg,
+ DBUS_TYPE_UINT32, &(pd->pam_status),
+ DBUS_TYPE_STRING, &(pd->domain),
+ DBUS_TYPE_INVALID);
+ if (!ret) return ret;
+
+ resp = pd->resp_list;
+ while (resp != NULL) {
+ ret=dbus_message_append_args(msg,
+ DBUS_TYPE_UINT32, &(resp->type),
+ DBUS_TYPE_UINT32, &(resp->len),
+ DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE,
+ &(resp->data),
+ resp->len,
+ DBUS_TYPE_INVALID);
+ if (!ret) return ret;
+
+ resp = resp->next;
+ }
+
+ return true;
+}
+
+bool dp_unpack_pam_response(DBusMessage *msg, struct pam_data *pd, DBusError *dbus_error)
+{
+ DBusMessageIter iter;
+ DBusMessageIter sub_iter;
+ int type;
+ int len;
+ int len_msg;
+ const uint8_t *data;
+
+ if (!dbus_message_iter_init(msg, &iter)) {
+ DEBUG(1, ("pam response has no arguments.\n"));
+ return false;
+ }
+
+ if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) {
+ DEBUG(1, ("pam response format error.\n"));
+ return false;
+ }
+ dbus_message_iter_get_basic(&iter, &(pd->pam_status));
+
+ if (!dbus_message_iter_next(&iter)) {
+ DEBUG(1, ("pam response has too few arguments.\n"));
+ return false;
+ }
+
+ if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_STRING) {
+ DEBUG(1, ("pam response format error.\n"));
+ return false;
+ }
+ dbus_message_iter_get_basic(&iter, &(pd->domain));
+
+ while(dbus_message_iter_next(&iter)) {
+ if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) {
+ DEBUG(1, ("pam response format error.\n"));
+ return false;
+ }
+ dbus_message_iter_get_basic(&iter, &type);
+
+ if (!dbus_message_iter_next(&iter)) {
+ DEBUG(1, ("pam response format error.\n"));
+ return false;
+ }
+
+ if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) {
+ DEBUG(1, ("pam response format error.\n"));
+ return false;
+ }
+ dbus_message_iter_get_basic(&iter, &len);
+
+ if (!dbus_message_iter_next(&iter)) {
+ DEBUG(1, ("pam response format error.\n"));
+ return false;
+ }
+
+ if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY ||
+ dbus_message_iter_get_element_type(&iter) != DBUS_TYPE_BYTE) {
+ DEBUG(1, ("pam response format error.\n"));
+ return false;
+ }
+
+ dbus_message_iter_recurse(&iter, &sub_iter);
+ dbus_message_iter_get_fixed_array(&sub_iter, &data, &len_msg);
+ if (len != len_msg) {
+ DEBUG(1, ("pam response format error.\n"));
+ return false;
+ }
+
+ pam_add_response(pd, type, len, data);
+
+ }
+
+ return true;
+}
+
diff --git a/server/providers/dp_backend.h b/server/providers/dp_backend.h
index da71e753c..27f79eb7a 100644
--- a/server/providers/dp_backend.h
+++ b/server/providers/dp_backend.h
@@ -24,7 +24,6 @@
 #include "providers/data_provider.h"
 #include "db/sysdb.h"
-#include "responder/pam/pamsrv.h"
 struct be_ctx;
 struct be_id_ops;
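Review bot: In `dp_unpack_pam_response` the return value of `pam_add_response(pd, type, len, data);` is discarded, so an ENOMEM inside it leaves the function returning `true` with a silently truncated `resp_list`; it should be `if (pam_add_response(pd, type, len, data) != EOK) return false;`. The same failure path in `pam_add_response` is also lossy: when `talloc_memdup` fails the already-allocated `new` node stays attached to `pd` until `pd` is freed, and because the copy is parented to `pd` rather than `new`, freeing a single node later will not free its data — `new->data = talloc_memdup(new, data, len);` followed by `if (new->data == NULL) { talloc_free(new); return ENOMEM; }` fixes both. Note also that `dp_unpack_pam_request` hands back `pd->authtok`, `pd->newauthtok` and the string fields as pointers obtained from `dbus_message_get_args`, which are presumably into the message's own storage rather than copies; if so the caller must keep `msg` referenced for as long as `pd` is used, and that constraint is worth a one-line comment above the function.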