author | Sumit Bose <sbose@redhat.com> | 2016-04-08 13:22:24 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2016-06-09 16:12:25 +0200 |
commit | 2f90ec2e16f0c14c789d9ed20e008e3103337210 (patch) | |
tree | 61657d46abdde701898cf1af8f4997a01ffb660a /src | |
parent | 8822520e6552bbf5ad1b62a4f88dd31a9c8475f1 (diff) | |
download | sssd-2f90ec2e16f0c14c789d9ed20e008e3103337210.tar.gz sssd-2f90ec2e16f0c14c789d9ed20e008e3103337210.tar.xz sssd-2f90ec2e16f0c14c789d9ed20e008e3103337210.zip |
sss_override: add certificate support
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/db/sysdb.h | 1 | ||||
-rw-r--r-- | src/man/sss_override.8.xml | 6 | ||||
-rw-r--r-- | src/tests/intg/ldap_local_override_test.py | 8 | ||||
-rw-r--r-- | src/tools/sss_override.c | 38 |
4 files changed, 42 insertions, 11 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index e5a0c8dfd..6567e904f 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -215,6 +215,7 @@
 SYSDB_PRIMARY_GROUP_GIDNUM, \
 SYSDB_SID_STR, \
 SYSDB_UPN, \
+ SYSDB_USER_CERT, \
 SYSDB_OVERRIDE_DN, \
 SYSDB_OVERRIDE_OBJECT_DN, \
 SYSDB_DEFAULT_OVERRIDE_NAME, \
diff --git a/src/man/sss_override.8.xml b/src/man/sss_override.8.xml
index ef73aee98..349bba27c 100644
--- a/src/man/sss_override.8.xml
+++ b/src/man/sss_override.8.xml
@@ -64,6 +64,8 @@
 <optional><option>-h,--home</option> HOME</optional>
 <optional><option>-s,--shell</option> SHELL</optional>
 <optional><option>-c,--gecos</option> GECOS</optional>
+ <optional><option>-x,--certificate</option>
+ BASE64 ENCODED CERTIFICATE</optional>
 </term>
 <listitem>
 <para>
@@ -123,7 +125,7 @@
 The format is:
 </para>
 <para>
- original_name:name:uid:gid:gecos:home:shell
+ original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate
 </para>
 <para>
 where original_name is original name of the user whose
@@ -138,7 +140,7 @@
 ckent:superman::::::
 </para>
 <para>
- ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash
+ ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:
 </para>
 </listitem>
 </varlistentry>
diff --git a/src/tests/intg/ldap_local_override_test.py b/src/tests/intg/ldap_local_override_test.py
index 542527180..046535c77 100644
--- a/src/tests/intg/ldap_local_override_test.py
+++ b/src/tests/intg/ldap_local_override_test.py
@@ -529,11 +529,11 @@ def test_show_user_override(ldap_conn, env_show_user_override):
 out = check_output(['sss_override', 'user-show', 'user1'])
 assert out == "user1@LDAP:ov_user1:10010:20010:Overriden User 1:"\
- "/home/ov/user1:/bin/ov_user1_shell\n"
+ "/home/ov/user1:/bin/ov_user1_shell:\n"
 out = check_output(['sss_override', 'user-show', 'user2@LDAP'])
 assert out == "user2@LDAP:ov_user2:10020:20020:Overriden User 2:"\
- "/home/ov/user2:/bin/ov_user2_shell\n"
+ "/home/ov/user2:/bin/ov_user2_shell:\n"
 # Return error on non-existing user
 ret = subprocess.call(['sss_override', 'user-show', 'nonexisting_user'])
@@ -557,9 +557,9 @@ def test_find_user_override(ldap_conn, env_find_user_override):
 # Expected override of users
 exp_usr_ovrd = ['user1@LDAP:ov_user1:10010:20010:Overriden User 1:'
- '/home/ov/user1:/bin/ov_user1_shell',
+ '/home/ov/user1:/bin/ov_user1_shell:',
 'user2@LDAP:ov_user2:10020:20020:Overriden User 2:'
- '/home/ov/user2:/bin/ov_user2_shell']
+ '/home/ov/user2:/bin/ov_user2_shell:']
 assert set(out.splitlines()) == set(exp_usr_ovrd)
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index 7e63bdf6e..f911ce880 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -21,6 +21,7 @@
 #include <stdlib.h>
 #include "util/util.h"
+#include "util/crypto/sss_crypto.h"
 #include "db/sysdb.h"
 #include "tools/common/sss_tools.h"
 #include "tools/common/sss_colondb.h"
@@ -39,6 +40,7 @@ struct override_user {
 const char *home;
 const char *shell;
 const char *gecos;
+ const char *cert;
 };
 struct override_group {
@@ -97,6 +99,7 @@ static int parse_cmdline_user_add(struct sss_cmdline *cmdline,
 {"home", 'h', POPT_ARG_STRING, &user->home, 0, _("Override home directory"), NULL },
 {"shell", 's', POPT_ARG_STRING, &user->shell, 0, _("Override shell"), NULL },
 {"gecos", 'c', POPT_ARG_STRING, &user->gecos, 0, _("Override gecos"), NULL },
+ {"certificate", 'x', POPT_ARG_STRING, &user->cert, 0, _("Override certificate"), NULL },
 POPT_TABLEEND
 };
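Review bot: Neither updated test exercises a user override that actually carries a certificate; both only accept the new empty trailing field, so the encode/decode path added in sss_override.c (`sysdb_attrs_add_base64_blob` on add/import, `sss_base64_encode` on show/export) has no coverage. A case that adds an override with `-x <base64 value>` and asserts that `user-show` prints that same base64 value in the eighth field, plus an export/import round trip that preserves it, would pin the new behaviour and catch a silent drop. Both test functions continue outside the hunk.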
@@ -296,7 +299,8 @@ static struct sysdb_attrs *build_attrs(TALLOC_CTX *mem_ctx,
 gid_t gid,
 const char *home,
 const char *shell,
- const char *gecos)
+ const char *gecos,
+ const char *cert)
 {
 struct sysdb_attrs *attrs;
 errno_t ret;
@@ -348,6 +352,13 @@ static struct sysdb_attrs *build_attrs(TALLOC_CTX *mem_ctx,
 }
 }
+ if (cert != NULL) {
+ ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_CERT, cert);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
 ret = EOK;
 done:
@@ -363,13 +374,13 @@ static struct sysdb_attrs *build_user_attrs(TALLOC_CTX *mem_ctx,
 struct override_user *user)
 {
 return build_attrs(mem_ctx, user->name, user->uid, user->gid, user->home,
- user->shell, user->gecos);
+ user->shell, user->gecos, user->cert);
 }
 static struct sysdb_attrs *build_group_attrs(TALLOC_CTX *mem_ctx,
 struct override_group *group)
 {
- return build_attrs(mem_ctx, group->name, 0, group->gid, 0, NULL, NULL);
+ return build_attrs(mem_ctx, group->name, 0, group->gid, 0, NULL, NULL, NULL);
 }
 static char *get_fqname(TALLOC_CTX *mem_ctx,
@@ -1101,6 +1112,7 @@ list_user_overrides(TALLOC_CTX *mem_ctx,
 size_t i;
 errno_t ret;
 const char *attrs[] = SYSDB_PW_ATTRS;
+ struct ldb_message_element *el;
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
@@ -1136,6 +1148,20 @@ list_user_overrides(TALLOC_CTX *mem_ctx,
 objs[i].shell = ldb_msg_find_attr_as_string(msgs[i], SYSDB_SHELL, NULL);
 objs[i].gecos = ldb_msg_find_attr_as_string(msgs[i], SYSDB_GECOS, NULL);
+ el = ldb_msg_find_element(msgs[i], SYSDB_USER_CERT);
+ if (el != NULL && el->num_values > 0) {
+ /* Currently we support only 1 certificate override */
+ objs[i].cert = sss_base64_encode(objs, el->values[0].data,
+ el->values[0].length);
+ if (objs[i].cert == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_base64_encode failed.\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+ } else {
+ objs[i].cert = NULL;
+ }
+
 talloc_steal(objs, objs[i].orig_name);
 talloc_steal(objs, objs[i].name);
 talloc_steal(objs, objs[i].home);
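Review bot: In build_attrs the new `cert` block stores whatever base64-decodes as SYSDB_USER_CERT; nothing checks that the decoded bytes are a DER certificate, so a typo'd or truncated value from the command line or an import file lands in the cache unnoticed and only surfaces later when certificate mapping tries to use it. A parse check before `sysdb_attrs_add_base64_blob` (the file now includes util/crypto/sss_crypto.h; reuse whatever DER validation helper the tree already has) that fails the command with a clear message is the right place to reject it. It is also worth confirming what the colondb reader returns for the empty trailing field shown in the updated man page example — if that is "" rather than NULL, `cert != NULL` holds and an empty blob is stored; `if (cert != NULL && *cert != '\0') {` avoids it. build_attrs starts and ends outside the hunk.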
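Review bot: In list_user_overrides only `el->values[0]` is exported and any further userCertificate values are silently discarded, as the comment acknowledges, so an export followed by an import loses certificates with no indication to the administrator. A diagnostic when more than one value is present, e.g. `if (el->num_values > 1) { DEBUG(SSSDBG_MINOR_FAILURE, "Only the first of %u certificates is exported.\n", el->num_values); }`, would make the lossy export visible. A short comment on why `objs[i].cert` is allocated directly on `objs` while the sibling fields are `talloc_steal`'d just below would also help the next reader. list_user_overrides continues outside the hunk.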
@@ -1249,7 +1275,7 @@ static errno_t user_export(const char *filename,
 for (i = 0; objs[i].orig_name != NULL; i++) {
 /**
- * Format: orig_name:name:uid:gid:gecos:home:shell
+ * Format: orig_name:name:uid:gid:gecos:home:shell:certificate
 */
 struct sss_colondb_write_field table[] = {
 {SSS_COLONDB_STRING, {.str = objs[i].orig_name}},
@@ -1259,6 +1285,7 @@ static errno_t user_export(const char *filename,
 {SSS_COLONDB_STRING, {.str = objs[i].gecos}},
 {SSS_COLONDB_STRING, {.str = objs[i].home}},
 {SSS_COLONDB_STRING, {.str = objs[i].shell}},
+ {SSS_COLONDB_STRING, {.str = objs[i].cert}},
 {SSS_COLONDB_SENTINEL, {0}}
 };
@@ -1523,7 +1550,7 @@ static int override_user_import(struct sss_cmdline *cmdline,
 }
 /**
- * Format: orig_name:name:uid:gid:gecos:home:shell
+ * Format: orig_name:name:uid:gid:gecos:home:shell:certificate
 */
 struct sss_colondb_read_field table[] = {
 {SSS_COLONDB_STRING, {.str = &obj.input_name}},
@@ -1533,6 +1560,7 @@ static int override_user_import(struct sss_cmdline *cmdline,
 {SSS_COLONDB_STRING, {.str = &obj.gecos}},
 {SSS_COLONDB_STRING, {.str = &obj.home}},
 {SSS_COLONDB_STRING, {.str = &obj.shell}},
+ {SSS_COLONDB_STRING, {.str = &obj.cert}},
 {SSS_COLONDB_SENTINEL, {0}}
 };
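Review bot: The import table in override_user_import now expects an eighth field, so export files written in the previous seven-field format may be rejected or mis-parsed depending on how the colondb reader treats a missing final field; that behaviour is not visible here and is worth confirming. If a short line is rejected, either tolerate a missing trailing certificate field on import or state in the man page that files from older releases need a trailing colon, so an upgrade does not break existing override backups. The export side at @@ -1259 is symmetric with this table and needs no change. override_user_import continues outside the hunk.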