IFP: use a list of allowed_uids for authentication

Similar to the PAC responder, the InfoPipe uses a list of UIDs that are
allowed to communicate with the IFP responder.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>

4 files changed, 75 insertions, 1 deletions

diff --git a/src/responder/ifp/ifp_private.h b/src/responder/ifp/ifp_private.h
index 472d10441..bc476291a 100644
--- a/src/responder/ifp/ifp_private.h
+++ b/src/responder/ifp/ifp_private.h
@@ -56,6 +56,9 @@ errno_t ifp_req_create(struct sbus_request *dbus_req,
                        struct ifp_ctx *ifp_ctx,
                        struct ifp_req **_ifp_req);
 
+/* Returns an appropriate DBus error for specific ifp_req_create failures */
+int ifp_req_create_handle_failure(struct sbus_request *dbus_req, errno_t err);
+
 const char *ifp_path_strip_prefix(const char *path, const char *prefix);
 errno_t ifp_add_ldb_el_to_dict(DBusMessageIter *iter_dict,
                                struct ldb_message_element *el);
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
index 2f98cf838..65613b941 100644
--- a/src/responder/ifp/ifpsrv.c
+++ b/src/responder/ifp/ifpsrv.c
@@ -40,6 +40,8 @@
 #include "responder/ifp/ifp_private.h"
 #include "responder/common/responder_sbus.h"
 
+#define DEFAULT_ALLOWED_UIDS "0"
+
 struct mon_cli_iface monitor_ifp_methods = {
     { &mon_cli_iface_meta, 0 },
     .ping = monitor_common_pong,
@@ -201,6 +203,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
     struct be_conn *iter;
     int ret;
     int max_retries;
+    char *uid_str;
 
     ifp_cmds = get_ifp_cmds();
     ret = sss_process_init(mem_ctx, ev, cdb,
@@ -236,6 +239,23 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
         goto fail;
     }
 
+    ret = confdb_get_string(ifp_ctx->rctx->cdb, ifp_ctx->rctx,
+                            CONFDB_IFP_CONF_ENTRY, CONFDB_SERVICE_ALLOWED_UIDS,
+                            DEFAULT_ALLOWED_UIDS, &uid_str);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to get allowed UIDs.\n"));
+        goto fail;
+    }
+
+    ret = csv_string_to_uid_array(ifp_ctx->rctx, uid_str, true,
+                                  &ifp_ctx->rctx->allowed_uids_count,
+                                  &ifp_ctx->rctx->allowed_uids);
+    talloc_free(uid_str);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to set allowed UIDs.\n"));
+        goto fail;
+    }
+
     /* Enable automatic reconnection to the Data Provider */
     ret = confdb_get_int(ifp_ctx->rctx->cdb,
                          CONFDB_IFP_CONF_ENTRY,
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index 4f73342dd..e26bcfa58 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -39,12 +39,18 @@ int ifp_ping(struct sbus_request *dbus_req, void *data)
     static const char *pong = "PONG";
     const char *request;
     DBusError dberr;
+    errno_t ret;
+    struct ifp_req *ifp_req;
 
     if (ifp_ctx == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
         return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
     }
 
+    ret = ifp_req_create(dbus_req, ifp_ctx, &ifp_req);
+    if (ret != EOK) {
+        return ifp_req_create_handle_failure(dbus_req, ret);
+    }
 
     if (!sbus_request_parse_or_finish(dbus_req,
                                       DBUS_TYPE_STRING, &request,
diff --git a/src/responder/ifp/ifpsrv_util.c b/src/responder/ifp/ifpsrv_util.c
index e16d36279..2bce20186 100644
--- a/src/responder/ifp/ifpsrv_util.c
+++ b/src/responder/ifp/ifpsrv_util.c
@@ -29,6 +29,7 @@ errno_t ifp_req_create(struct sbus_request *dbus_req,
                        struct ifp_req **_ifp_req)
 {
     struct ifp_req *ireq = NULL;
+    errno_t ret;
 
     if (ifp_ctx->sysbus == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Responder not connected to sysbus!\n");
@@ -43,8 +44,52 @@ errno_t ifp_req_create(struct sbus_request *dbus_req,
     ireq->ifp_ctx = ifp_ctx;
     ireq->dbus_req = dbus_req;
 
+    if (dbus_req->client == -1) {
+        /* We got a sysbus message but couldn't identify the
+         * caller? Bail out! */
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "BUG: Received a message without a known caller!\n");
+        ret = EACCES;
+        goto done;
+    }
+
+    ret = check_allowed_uids(dbus_req->client,
+                             ifp_ctx->rctx->allowed_uids_count,
+                             ifp_ctx->rctx->allowed_uids);
+    if (ret == EACCES) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "User %"PRIi64" not in ACL\n", dbus_req->client);
+        goto done;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Cannot check if user %"PRIi64" is present in ACL\n",
+              dbus_req->client);
+        goto done;
+    }
+
     *_ifp_req = ireq;
-    return EOK;
+    ret = EOK;
+done:
+    if (ret != EOK) {
+        talloc_free(ireq);
+    }
+    return ret;
+}
+
+int ifp_req_create_handle_failure(struct sbus_request *dbus_req, errno_t err)
+{
+    if (err == EACCES) {
+        return sbus_request_fail_and_finish(dbus_req,
+                               sbus_error_new(dbus_req,
+                                              DBUS_ERROR_ACCESS_DENIED,
+                                              "User %"PRIi64" not in ACL\n",
+                                              dbus_req->client));
+    }
+
+    return sbus_request_fail_and_finish(dbus_req,
+                                        sbus_error_new(dbus_req,
+                                            DBUS_ERROR_FAILED,
+                                            "Cannot create IFP request\n"));
 }
 
 const char *ifp_path_strip_prefix(const char *path, const char *prefix)