MONITOR: Enable an implicit files domain if one is not configured

If SSSD is compiled with --enable-files-domain, the loading of the domains changes such that: * if no domain with id_provider=files exists in the config file, an implicit SSSD files domain is added * this domain is always first in the list The administrator is free to create a files domain in the config file himself and either place it at the end of the list or not enable it at all. Resolves: https://pagure.io/SSSD/sssd/issue/3112 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
author: Jakub Hrozek <jhrozek@redhat.com> 2017-02-21 16:34:45 +0100
committer: Lukas Slebodnik <lslebodn@redhat.com> 2017-02-27 19:14:15 +0100
commit: 78bb3676fe8326e0fe2b60daad8bf524e4625d4e (patch)
tree: 180f873e99228f72b5cfdfbb58cf7b5e1ab240ee /src/confdb
parent: eed5bc53a0c823276523d32e76bc1c264db3837e (diff)
download: sssd-78bb3676fe8326e0fe2b60daad8bf524e4625d4e.tar.gz
sssd-78bb3676fe8326e0fe2b60daad8bf524e4625d4e.tar.xz
sssd-78bb3676fe8326e0fe2b60daad8bf524e4625d4e.zip
2 files changed, 186 insertions, 0 deletions
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index c7afd683d..d82fd98ee 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1643,3 +1643,185 @@ done:
     talloc_free(tmp_ctx);
     return ret;
 }
+
+#ifdef ADD_FILES_DOMAIN
+static int confdb_has_files_domain(struct confdb_ctx *cdb)
+{
+    TALLOC_CTX *tmp_ctx = NULL;
+    struct ldb_dn *dn = NULL;
+    struct ldb_result *res = NULL;
+    static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL };
+    const char *id_provider = NULL;
+    int ret;
+    unsigned int i;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
+    if (dn == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
+                     attrs, NULL);
+    if (ret != LDB_SUCCESS) {
+        ret = EIO;
+        goto done;
+    }
+
+    for (i = 0; i < res->count; i++) {
+        id_provider = ldb_msg_find_attr_as_string(res->msgs[i],
+                                                  CONFDB_DOMAIN_ID_PROVIDER,
+                                                  NULL);
+        if (id_provider == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "The object [%s] doesn't have a id_provider\n",
+                  ldb_dn_get_linearized(res->msgs[i]->dn));
+            ret = EINVAL;
+            goto done;
+        }
+
+        if (strcasecmp(id_provider, "files") == 0) {
+            break;
+        }
+    }
+
+    ret = i < res->count ? EOK : ENOENT;
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
+
+static int create_files_domain(struct confdb_ctx *cdb,
+                               const char *name)
+{
+    TALLOC_CTX *tmp_ctx = NULL;
+    errno_t ret;
+    char *cdb_path = NULL;
+    const char *val[2] = { NULL, NULL };
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+        return ENOMEM;
+    }
+
+    cdb_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, name);
+    if (cdb_path == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    val[0] = "files";
+    ret = confdb_add_param(cdb, true, cdb_path, "id_provider", val);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add id_provider [%d]: %s\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    ret = EOK;
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
+
+static int activate_files_domain(struct confdb_ctx *cdb,
+                                 const char *name)
+{
+    errno_t ret;
+    TALLOC_CTX *tmp_ctx;
+    char *monitor_domlist;
+    const char *domlist[2] = { NULL, NULL };
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    ret = confdb_get_string(cdb, tmp_ctx,
+                            CONFDB_MONITOR_CONF_ENTRY,
+                            CONFDB_MONITOR_ACTIVE_DOMAINS,
+                            NULL,
+                            &monitor_domlist);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error retrieving domains list!\n");
+        goto done;
+    }
+
+    if (monitor_domlist != NULL) {
+        domlist[0] = talloc_asprintf(tmp_ctx, "%s,%s", name, monitor_domlist);
+        if (domlist[0] == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+    } else {
+        domlist[0] = name;
+    }
+
+    ret = confdb_add_param(cdb, true,
+                           CONFDB_MONITOR_CONF_ENTRY,
+                           CONFDB_MONITOR_ACTIVE_DOMAINS,
+                           domlist);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Cannot extend the domain list [%d]: %s\n",
+              ret, sss_strerror(ret));
+        return ret;
+    }
+
+    ret = EOK;
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
+#endif /* ADD_FILES_DOMAIN */
+
+int confdb_ensure_files_domain(struct confdb_ctx *cdb,
+                               const char *implicit_files_dom_name)
+{
+#ifndef ADD_FILES_DOMAIN
+    return EOK;
+#else
+    errno_t ret;
+    bool enable_files;
+
+    ret = confdb_get_bool(cdb,
+                          CONFDB_MONITOR_CONF_ENTRY,
+                          CONFDB_MONITOR_ENABLE_FILES_DOM,
+                          true, &enable_files);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "Cannot get the value of %s assuming true\n",
+              CONFDB_MONITOR_ENABLE_FILES_DOM);
+        return ret;
+    }
+
+    if (enable_files == false) {
+        DEBUG(SSSDBG_CONF_SETTINGS, "The implicit files domain is disabled\n");
+        return EOK;
+    }
+
+    ret = confdb_has_files_domain(cdb);
+    if (ret == EOK) {
+        DEBUG(SSSDBG_CONF_SETTINGS, "The files domain is already enabled\n");
+        return EOK;
+    } else if (ret != ENOENT) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up the files domain\n");
+        return ret;
+    }
+
+    /* ENOENT, so let's add a files domain */
+    ret = create_files_domain(cdb, implicit_files_dom_name);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add an implicit files domain\n");
+        return ret;
+    }
+
+    return activate_files_domain(cdb, implicit_files_dom_name);
+#endif /* ADD_FILES_DOMAIN */
+}
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 353dfd0a9..89b89bf0d 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -73,6 +73,7 @@
 #define CONFDB_MONITOR_USER_RUNAS "user"
 #define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
 #define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
+#define CONFDB_MONITOR_ENABLE_FILES_DOM "enable_files_domain"
 
 /* Both monitor and domains */
 #define CONFDB_NAME_REGEX   "re_expression"
@@ -373,6 +374,9 @@ int confdb_get_domain(struct confdb_ctx *cdb,
 int confdb_get_domains(struct confdb_ctx *cdb,
                        struct sss_domain_info **domains);
 
+int confdb_ensure_files_domain(struct confdb_ctx *cdb,
+                               const char *implicit_files_dom_name);
+
 /**
  * Get a null-terminated linked-list of all domain names
  * @param[in] mem_ctx The parent memory context for the value list
author	Jakub Hrozek <jhrozek@redhat.com>	2017-02-21 16:34:45 +0100
committer	Lukas Slebodnik <lslebodn@redhat.com>	2017-02-27 19:14:15 +0100
commit	78bb3676fe8326e0fe2b60daad8bf524e4625d4e (patch)
tree	180f873e99228f72b5cfdfbb58cf7b5e1ab240ee /src/confdb
parent	eed5bc53a0c823276523d32e76bc1c264db3837e (diff)
download	sssd-78bb3676fe8326e0fe2b60daad8bf524e4625d4e.tar.gz sssd-78bb3676fe8326e0fe2b60daad8bf524e4625d4e.tar.xz sssd-78bb3676fe8326e0fe2b60daad8bf524e4625d4e.zip