From 7d8b7d82f0a91ed656320577fc781f24a66db9f8 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 27 May 2015 11:22:20 +0200 Subject: sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina --- Makefile.am | 1 + src/db/sysdb.h | 14 ++++++++++++ src/db/sysdb_ops.c | 35 +++++++++++++++++++++++++++++ src/tests/cwrap/Makefile.am | 2 ++ src/tests/sysdb-tests.c | 54 +++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 106 insertions(+) diff --git a/Makefile.am b/Makefile.am index fa563de0d..1d80c3671 100644 --- a/Makefile.am +++ b/Makefile.am @@ -816,6 +816,7 @@ libsss_util_la_LIBADD = \ libsss_debug.la \ libsss_child.la \ libsss_crypt.la \ + libsss_cert.la \ $(NULL) if BUILD_SUDO libsss_util_la_SOURCES += src/db/sysdb_sudo.c diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 1ad8d3d0c..4dc382f6f 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -194,6 +194,7 @@ #define SYSDB_SID_FILTER "(&(|("SYSDB_UC")("SYSDB_GC"))("SYSDB_SID_STR"=%s))" #define SYSDB_UUID_FILTER "(&(|("SYSDB_UC")("SYSDB_GC"))("SYSDB_UUID"=%s))" +#define SYSDB_USER_CERT_FILTER "(&("SYSDB_UC")%s)" #define SYSDB_HAS_ENUMERATED "has_enumerated" @@ -1064,6 +1065,19 @@ errno_t sysdb_search_object_by_uuid(TALLOC_CTX *mem_ctx, const char **attrs, struct ldb_result **res); +errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *cert, + const char **attrs, + struct ldb_result **res); + +errno_t sysdb_search_user_by_cert(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *cert, + struct ldb_result **res); + + + /* === Functions related to GPOs === */ #define SYSDB_GPO_CONTAINER "cn=gpos,cn=ad,cn=custom" diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index d34583787..6d0aede8a 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c 
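Review bot: The two public prototypes added in the `@@ -1064,6 +1065,19 @@` hunk of src/db/sysdb.h carry no comment on what `cert` must contain or who owns `*res`, so the only statement of the contract is the test added elsewhere in this patch. A short block above `sysdb_search_object_by_cert` would settle it, e.g. `/* Search objects whose SYSDB_USER_CERT equals cert (DER, base64-encoded, as the derb64 helper name suggests); *res is allocated on mem_ctx and ENOENT is returned when nothing matches */`, the ENOENT behaviour being exactly what test_sysdb_search_user_by_cert asserts. `sysdb_search_user_by_cert` can then be described as the same search restricted to the SYSDB_PW_ATTRS attribute set. The three blank lines left between the new prototypes and the GPO section are more than the neighbouring declarations use.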
@@ -24,6 +24,7 @@ #include "db/sysdb_services.h" #include "db/sysdb_autofs.h" #include "util/crypto/sss_crypto.h" +#include "util/cert.h" #include int add_string(struct ldb_message *msg, int flags, @@ -3702,6 +3703,40 @@ errno_t sysdb_search_object_by_uuid(TALLOC_CTX *mem_ctx, uuid_str, attrs, res); } +errno_t sysdb_search_object_by_cert(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *cert, + const char **attrs, + struct ldb_result **res) +{ + int ret; + char *user_filter; + + ret = sss_cert_derb64_to_ldap_filter(mem_ctx, cert, SYSDB_USER_CERT, + &user_filter); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed.\n"); + return ret; + } + + ret = sysdb_search_object_by_str_attr(mem_ctx, domain, + SYSDB_USER_CERT_FILTER, + user_filter, attrs, res); + talloc_free(user_filter); + + return ret; +} + +errno_t sysdb_search_user_by_cert(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *cert, + struct ldb_result **res) +{ + const char *user_attrs[] = SYSDB_PW_ATTRS; + + return sysdb_search_object_by_cert(mem_ctx, domain, cert, user_attrs, res); +} + errno_t sysdb_get_sids_of_members(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, const char *group_name, diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am index 46f815ab5..34b5d8bea 100644 --- a/src/tests/cwrap/Makefile.am +++ b/src/tests/cwrap/Makefile.am @@ -110,6 +110,7 @@ server_tests_LDADD = \ $(abs_top_builddir)/libsss_debug.la \ $(abs_top_builddir)/libsss_crypt.la \ $(abs_top_builddir)/libsss_test_common.la \ + $(abs_top_builddir)/libsss_cert.la \ $(NULL) usertools_tests_SOURCES = \ @@ -144,6 +145,7 @@ usertools_tests_LDADD = \ $(abs_top_builddir)/libsss_debug.la \ $(abs_top_builddir)/libsss_crypt.la \ $(abs_top_builddir)/libsss_test_common.la \ + $(abs_top_builddir)/libsss_cert.la \ $(NULL) responder_common_tests_SOURCES =\ diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c index 4478e24a6..522a44aa4 100644 
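Review bot: In `sysdb_search_object_by_cert` the failure branch after `sss_cert_derb64_to_ldap_filter` logs only that the call failed and drops `ret`, so a malformed `cert` handed in by a caller cannot be told apart from an allocation failure in the logs; the `[%d][%s]` form used by the tests in this patch would do, `DEBUG(SSSDBG_OP_FAILURE, "sss_cert_derb64_to_ldap_filter failed [%d][%s].\n", ret, strerror(ret));`. `user_filter` is then interpolated verbatim into the `%s` of `SYSDB_USER_CERT_FILTER` by `sysdb_search_object_by_str_attr`, so the only thing that keeps a caller-controlled `cert` from changing the shape of the LDAP filter is the escaping presumably done inside the helper, which is worth pinning with a one-line comment above the call such as `/* user_filter must already be a complete, escaped "(attr=value)" term */`. `ret` is also declared `int` although the function returns `errno_t`; `errno_t ret;` keeps it consistent with the return type and with the sibling functions' convention as far as it is visible in this hunk.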
--- a/src/tests/sysdb-tests.c +++ b/src/tests/sysdb-tests.c @@ -27,6 +27,7 @@ #include #include #include "util/util.h" +#include "util/crypto/sss_crypto.h" #include "confdb/confdb_setup.h" #include "db/sysdb_private.h" #include "db/sysdb_services.h" 
@@ -5201,6 +5202,56 @@ START_TEST(test_sysdb_search_object_by_uuid) } END_TEST +/* For simple searches the content of the certificate does not matter */ +#define TEST_USER_CERT_DERB64 "gJznJT7L0aETU5CMk+n+1Q==" +START_TEST(test_sysdb_search_user_by_cert) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct ldb_result *res; + struct sysdb_attrs *attrs = NULL; + struct ldb_val val; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + val.data = sss_base64_decode(test_ctx, TEST_USER_CERT_DERB64, &val.length); + fail_unless(val.data != NULL, "sss_base64_decode failed."); + + attrs = sysdb_new_attrs(test_ctx); + fail_unless(attrs != NULL, "sysdb_new_attrs failed"); + + ret = sysdb_attrs_add_val(attrs, SYSDB_USER_CERT, &val); + fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_add_user(test_ctx->domain, "certuser", + 234567, 0, "cert user", "/home/certuser", "/bin/bash", + NULL, attrs, 0, 0); + fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_search_user_by_cert(test_ctx, test_ctx->domain, "ABC", &res); + fail_unless(ret == ENOENT, + "Unexpected return code from sysdb_search_user_by_cert for " + "missing object, expected [%d], got [%d].", ENOENT, ret); + + ret = sysdb_search_user_by_cert(test_ctx, test_ctx->domain, + TEST_USER_CERT_DERB64, &res); + fail_unless(ret == EOK, "sysdb_search_user_by_cert failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(res->count == 1, "Unexpected number of results, " \ + "expected [%u], get [%u].", 1, res->count); + fail_unless(strcmp(ldb_msg_find_attr_as_string(res->msgs[0], + SYSDB_NAME, ""), + "certuser") == 0, "Unexpected object found, " \ + "expected [%s], got [%s].", "certuser", + ldb_msg_find_attr_as_string(res->msgs[0],SYSDB_NAME, "")); + talloc_free(test_ctx); +} +END_TEST + START_TEST(test_sysdb_delete_by_sid) { errno_t ret; 
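Review bot: The negative case in `test_sysdb_search_user_by_cert` only shows that the non-matching value `"ABC"` yields ENOENT; nothing exercises the path where `sss_cert_derb64_to_ldap_filter` rejects its input, so a regression that made the search succeed on undecodable data, or propagate the wrong code, would pass this test. A second negative call with a value the decoder must reject, asserting that the result is neither EOK nor ENOENT, would cover it, although which inputs the decoder refuses is not visible here and the exact code should be taken from the helper. Two smaller points in the same block: the `res->count` message reads `get [%u]` while its sibling says `got [%s]`, and `res` is never initialised, which is harmless today but would become a problem if a later assertion dereferenced it after the ENOENT call.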
@@ -6318,6 +6369,9 @@ Suite *create_sysdb_suite(void) /* Test UUID string searches */ tcase_add_test(tc_sysdb, test_sysdb_search_object_by_uuid); + /* Test user by certificate searches */ + tcase_add_test(tc_sysdb, test_sysdb_search_user_by_cert); + /* Test canonicalizing names */ tcase_add_test(tc_sysdb, test_sysdb_get_real_name); -- cgit