From 4649f19ea4b11c428ca75803beda8d495a0c9335 Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: Tue, 15 Sep 2015 11:38:40 +0200
Subject: sss_override: support fqn in override name
Resolves: https://fedorahosted.org/sssd/ticket/2782
Reviewed-by: Jakub Hrozek
---
 src/tools/sss_override.c | 111 +++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 93 insertions(+), 18 deletions(-)
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index ee8351ea9..0d7a46906 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -604,58 +604,133 @@ done:
 return ret;
 }
 
+static errno_t override_fqn(TALLOC_CTX *mem_ctx,
+ struct sss_tool_ctx *tool_ctx,
+ struct sss_domain_info *domain,
+ const char *input,
+ const char **_name)
+{
+ struct sss_domain_info *dom;
+ errno_t ret;
+
+ if (input == NULL) {
+ return EOK;
+ }
+
+ ret = sss_tool_parse_name(mem_ctx, tool_ctx, input, _name, &dom);
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to find domain from "
+ "fqn %s\n", input);
+ fprintf(stderr, _("Changing domain is not allowed!\n"));
+ ret = EINVAL;
+ } else if (ret == EOK && dom != NULL && dom != domain) {
+ DEBUG(SSSDBG_OP_FAILURE, "Trying to change domain from "
+ "%s to %s, not allowed!\n", domain->name, dom->name);
+ fprintf(stderr, _("Changing domain is not allowed!\n"));
+ ret = EINVAL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name %s [%d]: %s\n",
+ input, ret, sss_strerror(ret));
+ }
+
+ return ret;
+}
+
 static errno_t override_user(struct sss_tool_ctx *tool_ctx,
- struct override_user *user)
+ struct override_user *input_user)
 {
+ TALLOC_CTX *tmp_ctx;
+ struct override_user user;
 struct sysdb_attrs *attrs;
 errno_t ret;
 
- ret = prepare_view_msg(user->domain);
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ user = *input_user;
+
+ /* We need to parse the name and ensure that domain did not change. */
+ ret = override_fqn(tmp_ctx, tool_ctx, user.domain, user.name, &user.name);
 if (ret != EOK) {
- return ret;
+ goto done;
+ }
+
+ ret = prepare_view_msg(user.domain);
+ if (ret != EOK) {
+ goto done;
 }
 
- attrs = build_user_attrs(tool_ctx, user);
+ attrs = build_user_attrs(tool_ctx, &user);
 if (attrs == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build sysdb attrs.\n");
- return ENOMEM;
+ ret = ENOMEM;
+ goto done;
 }
 
- ret = override_object_add(user->domain, SYSDB_MEMBER_USER, attrs,
- user->orig_name);
+ ret = override_object_add(user.domain, SYSDB_MEMBER_USER, attrs,
+ user.orig_name);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add override object.\n");
- return ret;
+ goto done;
 }
 
- return EOK;
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
 }
 
 static errno_t override_group(struct sss_tool_ctx *tool_ctx,
- struct override_group *group)
+ struct override_group *input_group)
 {
+ TALLOC_CTX *tmp_ctx;
+ struct override_group group;
 struct sysdb_attrs *attrs;
 errno_t ret;
 
- ret = prepare_view_msg(group->domain);
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ group = *input_group;
+
+ /* We need to parse the name and ensure that domain did not change. */
+ ret = override_fqn(tmp_ctx, tool_ctx, group.domain, group.name,
+ &group.name);
 if (ret != EOK) {
- return ret;
+ goto done;
 }
 
- attrs = build_group_attrs(tool_ctx, group);
+ ret = prepare_view_msg(group.domain);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ attrs = build_group_attrs(tool_ctx, &group);
 if (attrs == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build sysdb attrs.\n");
- return ENOMEM;
+ ret = ENOMEM;
+ goto done;
 }
 
- ret = override_object_add(group->domain, SYSDB_MEMBER_GROUP, attrs,
- group->orig_name);
+ ret = override_object_add(group.domain, SYSDB_MEMBER_GROUP, attrs,
+ group.orig_name);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add override object.\n");
- return ret;
+ goto done;
 }
 
- return EOK;
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
 }
 
 static errno_t override_object_del(struct sss_domain_info *domain,
-- cgit
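Review bot: In `override_fqn`, `dom` is declared without an initializer and is then read in the `ret == EOK && dom != NULL && dom != domain` branch, so the domain-change guard depends on `sss_tool_parse_name` always writing its output parameter on success, which this hunk does not show. I would declare it as `struct sss_domain_info *dom = NULL;` so that an unqualified name can never be compared against an indeterminate pointer. The `EAGAIN` branch logs "Unable to find domain" but prints `Changing domain is not allowed!` to the user, which reports an unknown domain as a policy refusal; a distinct message there would let an administrator tell a mistyped domain from a rejected cross-domain override. The parsed name is allocated on `tmp_ctx` and released at `done:`, so both callers appear to rely on `build_user_attrs`/`build_group_attrs` copying the string into `attrs`; a one-line comment stating that above `user = *input_user;` and `group = *input_group;` would make the lifetime explicit.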