author | Sumit Bose <sbose@redhat.com> | 2015-05-26 14:29:17 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-06-19 18:48:13 +0200 |
commit | 827a016a07d5f911cc4195be89896a376fd71f59 (patch) | |
tree | cffbe41134143e97a2a073041e7d760dae1af112 /src/responder/common | |
parent | a99845006f96f9d1e7af871ec67c71cee8408a62 (diff) | |
IFP: add FindByCertificate method for User objects
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/responder/common')
-rw-r--r-- | src/responder/common/responder.h | 3 | ||||
-rw-r--r-- | src/responder/common/responder_cache_req.c | 88 | ||||
-rw-r--r-- | src/responder/common/responder_cache_req.h | 19 | ||||
-rw-r--r-- | src/responder/common/responder_dp.c | 11 |
4 files changed, 110 insertions, 11 deletions
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 9c7a73809..bd0250d52 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -281,7 +281,8 @@ enum sss_dp_acct_type {
 SSS_DP_NETGR,
 SSS_DP_SERVICES,
 SSS_DP_SECID,
- SSS_DP_USER_AND_GROUP
+ SSS_DP_USER_AND_GROUP,
+ SSS_DP_CERT
 };
 struct tevent_req *
diff --git a/src/responder/common/responder_cache_req.c b/src/responder/common/responder_cache_req.c
index 7ba257276..dd81abadf 100644
--- a/src/responder/common/responder_cache_req.c
+++ b/src/responder/common/responder_cache_req.c
@@ -34,6 +34,7 @@ struct cache_req_input {
 /* Provided input. */
 const char *orig_name;
 uint32_t id;
+ const char *cert;
 /* Data Provider request type resolved from @type.
 * FIXME: This is currently needed for data provider calls. We should
@@ -56,7 +57,8 @@ struct cache_req_input *
 cache_req_input_create(TALLOC_CTX *mem_ctx,
 enum cache_req_type type,
 const char *name,
- uint32_t id)
+ uint32_t id,
+ const char *cert)
 {
 struct cache_req_input *input;
@@ -82,6 +84,17 @@ cache_req_input_create(TALLOC_CTX *mem_ctx,
 goto fail;
 }
 break;
+ case CACHE_REQ_USER_BY_CERT:
+ if (cert == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: certificate cannot be NULL!\n");
+ goto fail;
+ }
+
+ input->cert = talloc_strdup(input, cert);
+ if (input->cert == NULL) {
+ goto fail;
+ }
+ break;
 case CACHE_REQ_USER_BY_ID:
 case CACHE_REQ_GROUP_BY_ID:
 if (id == 0) {
@@ -108,6 +121,9 @@ cache_req_input_create(TALLOC_CTX *mem_ctx,
 case CACHE_REQ_INITGROUPS:
 input->dp_type = SSS_DP_INITGROUPS;
 break;
+ case CACHE_REQ_USER_BY_CERT:
+ input->dp_type = SSS_DP_CERT;
+ break;
 }
 return input;
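Review bot: The new CACHE_REQ_USER_BY_CERT case in cache_req_input_create rejects only a NULL pointer; an empty string passes the check, is copied with talloc_strdup, and later becomes the negative-cache key and the value handed to the data-provider lookup. Unless every caller guarantees a non-empty certificate, tighten the guard to `if (cert == NULL || *cert == '\0') {` so malformed input fails here with the existing CRIT_FAILURE message instead of turning into an empty lookup downstream. cache_req_input_create starts and ends outside this hunk.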
@@ -192,6 +208,17 @@ cache_req_input_set_domain(struct cache_req_input *input,
 goto done;
 }
 break;
+ case CACHE_REQ_USER_BY_CERT:
+ /* certificates might be quite long, only use the last 10 charcters
+ * for logging */
+ fqn = talloc_asprintf(tmp_ctx, "CERT:%s@%s",
+ get_last_x_chars(input->cert, 10),
+ domain->name);
+ if (fqn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ break;
 }
 input->domain = domain;
@@ -227,6 +254,9 @@ static errno_t cache_req_check_ncache(struct cache_req_input *input,
 case CACHE_REQ_GROUP_BY_ID:
 ret = sss_ncache_check_gid(ncache, neg_timeout, input->id);
 break;
+ case CACHE_REQ_USER_BY_CERT:
+ ret = sss_ncache_check_cert(ncache, neg_timeout, input->cert);
+ break;
 }
 if (ret == EEXIST) {
@@ -254,6 +284,7 @@ static void cache_req_add_to_ncache(struct cache_req_input *input,
 break;
 case CACHE_REQ_USER_BY_ID:
 case CACHE_REQ_GROUP_BY_ID:
+ case CACHE_REQ_USER_BY_CERT:
 /* Nothing to do. Those types must be unique among all domains so
 * the don't contain domain part. Therefore they must be set only
 * if all domains are search and the entry is not found. */
@@ -290,6 +321,9 @@ static void cache_req_add_to_ncache_global(struct cache_req_input *input,
 case CACHE_REQ_GROUP_BY_ID:
 ret = sss_ncache_set_gid(ncache, false, input->id);
 break;
+ case CACHE_REQ_USER_BY_CERT:
+ ret = sss_ncache_set_cert(ncache, false, input->cert);
+ break;
 }
 if (ret != EOK) {
@@ -338,6 +372,11 @@ static errno_t cache_req_get_object(TALLOC_CTX *mem_ctx,
 ret = sysdb_initgroups_with_views(mem_ctx, input->domain,
 input->dom_objname, &result);
 break;
+ case CACHE_REQ_USER_BY_CERT:
+ one_item_only = true;
+ ret = sysdb_search_user_by_cert(mem_ctx, input->domain,
+ input->cert, &result);
+ break;
 }
 if (ret != EOK) {
@@ -461,6 +500,7 @@ static errno_t cache_req_cache_check(struct tevent_req *req)
 const char *extra_flag = NULL;
 uint64_t cache_expire = 0;
 errno_t ret;
+ const char *search_str;
 state = tevent_req_data(req, struct cache_req_cache_state);
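Review bot: The log identifier built in the new CACHE_REQ_USER_BY_CERT case of cache_req_input_set_domain takes the last 10 characters of `input->cert`; the public entry point names that argument `pem_cert`, and if the value is PEM-armored it ends in the `-----END CERTIFICATE-----` footer, so every certificate would log the same suffix and the identifier would not distinguish requests. If the input really is PEM, take the tail of the base64 body (before the footer) instead, or document that callers pass only the body if that is the contract. The added comment also has a typo: `charcters` should read `characters`. cache_req_input_set_domain starts and ends outside this hunk.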
@@ -479,6 +519,10 @@ static errno_t cache_req_cache_check(struct tevent_req *req)
 state->cache_refresh_percent, cache_expire);
 }
+ search_str = state->input->dom_objname;
+ if (state->input->type == CACHE_REQ_USER_BY_CERT) {
+ search_str = state->input->cert;
+ }
 switch (ret) {
 case EOK:
 DEBUG(SSSDBG_TRACE_FUNC, "Cached entry is valid, returning...\n");
@@ -492,7 +536,7 @@ static errno_t cache_req_cache_check(struct tevent_req *req)
 subreq = sss_dp_get_account_send(state, state->rctx,
 state->input->domain, true,
 state->input->dp_type,
- state->input->dom_objname,
+ search_str,
 state->input->id, NULL);
 if (subreq == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory sending out-of-band "
@@ -514,7 +558,7 @@ static errno_t cache_req_cache_check(struct tevent_req *req)
 subreq = sss_dp_get_account_send(state, state->rctx,
 state->input->domain, true,
 state->input->dp_type,
- state->input->dom_objname,
+ search_str,
 state->input->id, extra_flag);
 if (subreq == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE,
@@ -890,7 +934,8 @@ cache_req_user_by_name_send(TALLOC_CTX *mem_ctx,
 {
 struct cache_req_input *input;
- input = cache_req_input_create(mem_ctx, CACHE_REQ_USER_BY_NAME, name, 0);
+ input = cache_req_input_create(mem_ctx, CACHE_REQ_USER_BY_NAME, name, 0,
+ NULL);
 if (input == NULL) {
 return NULL;
 }
@@ -912,7 +957,31 @@ cache_req_user_by_id_send(TALLOC_CTX *mem_ctx,
 {
 struct cache_req_input *input;
- input = cache_req_input_create(mem_ctx, CACHE_REQ_USER_BY_ID, NULL, uid);
+ input = cache_req_input_create(mem_ctx, CACHE_REQ_USER_BY_ID, NULL, uid,
+ NULL);
+ if (input == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_input_and_send(mem_ctx, ev, rctx, ncache,
+ neg_timeout, cache_refresh_percent,
+ domain, input);
+}
+
+struct tevent_req *
+cache_req_user_by_cert_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int neg_timeout,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *pem_cert)
+{
+ struct cache_req_input *input;
+
+ input = cache_req_input_create(mem_ctx, CACHE_REQ_USER_BY_CERT,
+ NULL, 0, pem_cert);
 if (input == NULL) {
 return NULL;
 }
@@ -934,7 +1003,8 @@ cache_req_group_by_name_send(TALLOC_CTX *mem_ctx,
 {
 struct cache_req_input *input;
- input = cache_req_input_create(mem_ctx, CACHE_REQ_GROUP_BY_NAME, name, 0);
+ input = cache_req_input_create(mem_ctx, CACHE_REQ_GROUP_BY_NAME, name, 0,
+ NULL);
 if (input == NULL) {
 return NULL;
 }
@@ -956,7 +1026,8 @@ cache_req_group_by_id_send(TALLOC_CTX *mem_ctx,
 {
 struct cache_req_input *input;
- input = cache_req_input_create(mem_ctx, CACHE_REQ_GROUP_BY_ID, NULL, gid);
+ input = cache_req_input_create(mem_ctx, CACHE_REQ_GROUP_BY_ID, NULL, gid,
+ NULL);
 if (input == NULL) {
 return NULL;
 }
@@ -978,7 +1049,8 @@ cache_req_initgr_by_name_send(TALLOC_CTX *mem_ctx,
 {
 struct cache_req_input *input;
- input = cache_req_input_create(mem_ctx, CACHE_REQ_INITGROUPS, name, 0);
+ input = cache_req_input_create(mem_ctx, CACHE_REQ_INITGROUPS, name, 0,
+ NULL);
 if (input == NULL) {
 return NULL;
 }
diff --git a/src/responder/common/responder_cache_req.h b/src/responder/common/responder_cache_req.h
index 088e8efe0..84a9dde7d 100644
--- a/src/responder/common/responder_cache_req.h
+++ b/src/responder/common/responder_cache_req.h
@@ -32,7 +32,8 @@ enum cache_req_type {
 CACHE_REQ_USER_BY_ID,
 CACHE_REQ_GROUP_BY_NAME,
 CACHE_REQ_GROUP_BY_ID,
- CACHE_REQ_INITGROUPS
+ CACHE_REQ_INITGROUPS,
+ CACHE_REQ_USER_BY_CERT
 };
 struct cache_req_input;
@@ -41,7 +42,8 @@ struct cache_req_input *
 cache_req_input_create(TALLOC_CTX *mem_ctx,
 enum cache_req_type type,
 const char *name,
- uint32_t id);
+ uint32_t id,
+ const char *cert);
 /**
 * Currently only SSS_DP_USER and SSS_DP_INITGROUPS are supported.
@@ -90,6 +92,19 @@ cache_req_user_by_id_send(TALLOC_CTX *mem_ctx,
 cache_req_recv(mem_ctx, req, _result, _domain, NULL)
 struct tevent_req *
+cache_req_user_by_cert_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int neg_timeout,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *pem_cert);
+
+#define cache_req_user_by_cert_recv(mem_ctx, req, _result, _domain, _name) \
+ cache_req_recv(mem_ctx, req, _result, _domain, _name)
+
+struct tevent_req *
 cache_req_group_by_name_send(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,
 struct resp_ctx *rctx,
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index 853b3eae3..f752c94c3 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -548,6 +548,9 @@ sss_dp_get_account_msg(void *pvt)
 case SSS_DP_USER_AND_GROUP:
 be_type = BE_REQ_USER_AND_GROUP;
 break;
+ case SSS_DP_CERT:
+ be_type = BE_REQ_BY_CERT;
+ break;
 }
 if (info->fast_reply) {
@@ -563,6 +566,14 @@ sss_dp_get_account_msg(void *pvt)
 filter = talloc_asprintf(info, "%s=%s", DP_SEC_ID,
 info->opt_name);
 }
+ } else if (info->type == SSS_DP_CERT) {
+ if (info->extra) {
+ filter = talloc_asprintf(info, "%s=%s:%s", DP_CERT,
+ info->opt_name, info->extra);
+ } else {
+ filter = talloc_asprintf(info, "%s=%s", DP_CERT,
+ info->opt_name);
+ }
 } else {
 if (info->extra) {
 filter = talloc_asprintf(info, "name=%s:%s", |
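Review bot: The new cache_req_user_by_cert_send declaration in responder_cache_req.h carries no doc comment, although the hunk context shows this header documents its entry points with `/** ... */` blocks. The comment should state what `pem_cert` must contain (the name suggests a PEM-armored certificate, but nothing in the prototype says so) and, since `cache_req_user_by_cert_recv` forwards `_name` to cache_req_recv where the by-id variant visible above it passes NULL, what that out-parameter receives on success. The context comment `Currently only SSS_DP_USER and SSS_DP_INITGROUPS are supported.` may also be stale now that SSS_DP_CERT is routed through the same machinery, but the declaration it belongs to lies outside the hunk, so please verify before touching it.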
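Review bot: The new SSS_DP_CERT branch in sss_dp_get_account_msg is a line-for-line copy of the DP_SEC_ID branch above it with only the key changed, and the trailing name branch repeats the same shape a third time, so the three request kinds can drift apart on the next edit. Selecting the key once (`const char *key = "name";`, overridden to `DP_SEC_ID` or `DP_CERT` by `info->type`) and then building `filter` in a single if/else on `info->extra` would express the same behaviour without the duplication. The if/else chain and the function itself start and end outside this hunk, so confirm the preceding branch's condition and the remainder of the name branch before folding them.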