-rw-r--r-- | src/providers/ipa/ipa_hbac_common.c | 6 | ||||
-rw-r--r-- | src/providers/ipa/ipa_hbac_hosts.c | 109 | ||||
-rw-r--r-- | src/providers/ipa/ipa_hbac_private.h | 5 | ||||
-rw-r--r-- | src/providers/ipa/ipa_rules_common.c | 109 | ||||
-rw-r--r-- | src/providers/ipa/ipa_rules_common.h | 6 |
5 files changed, 118 insertions, 117 deletions
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index 941441912..31e53d24d 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -686,9 +686,9 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
     }
     for (i = j = 0; i < el->num_values; i++) {
-        ret = get_ipa_hostgroupname(tmp_ctx, domain->sysdb,
-                                    (const char *)el->values[i].data,
-                                    &name);
+        ret = ipa_common_get_hostgroupname(tmp_ctx, domain->sysdb,
+                                           (const char *)el->values[i].data,
+                                           &name);
         if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
             DEBUG(SSSDBG_MINOR_FAILURE, "Skipping malformed entry [%s]\n",
                   (const char *)el->values[i].data);
diff --git a/src/providers/ipa/ipa_hbac_hosts.c b/src/providers/ipa/ipa_hbac_hosts.c
index 74d91e513..f85ce533f 100644
--- a/src/providers/ipa/ipa_hbac_hosts.c
+++ b/src/providers/ipa/ipa_hbac_hosts.c
@@ -333,112 +333,3 @@ done:
     talloc_free(tmp_ctx);
     return ret;
 }
-
-errno_t
-get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
-                      struct sysdb_ctx *sysdb,
-                      const char *host_dn,
-                      char **hostgroupname)
-{
-    errno_t ret;
-    struct ldb_dn *dn;
-    const char *rdn_name;
-    const char *hostgroup_comp_name;
-    const char *account_comp_name;
-    const struct ldb_val *rdn_val;
-    const struct ldb_val *hostgroup_comp_val;
-    const struct ldb_val *account_comp_val;
-
-    /* This is an IPA-specific hack. It may not
-     * work for non-IPA servers and will need to
-     * be changed if SSSD ever supports HBAC on
-     * a non-IPA server.
-     */
-    *hostgroupname = NULL;
-
-    dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), host_dn);
-    if (dn == NULL) {
-        ret = ENOMEM;
-        goto done;
-    }
-
-    if (!ldb_dn_validate(dn)) {
-        ret = ERR_MALFORMED_ENTRY;
-        goto done;
-    }
-
-    if (ldb_dn_get_comp_num(dn) < 4) {
-        /* RDN, hostgroups, accounts, and at least one DC= */
-        /* If it's fewer, it's not a group DN */
-        ret = ERR_UNEXPECTED_ENTRY_TYPE;
-        goto done;
-    }
-
-    /* If the RDN name is 'cn' */
-    rdn_name = ldb_dn_get_rdn_name(dn);
-    if (rdn_name == NULL) {
-        /* Shouldn't happen if ldb_dn_validate()
-         * passed, but we'll be careful.
-         */
-        ret = ERR_MALFORMED_ENTRY;
-        goto done;
-    }
-
-    if (strcasecmp("cn", rdn_name) != 0) {
-        /* RDN has the wrong attribute name.
-         * It's not a host.
-         */
-        ret = ERR_UNEXPECTED_ENTRY_TYPE;
-        goto done;
-    }
-
-    /* and the second component is "cn=hostgroups" */
-    hostgroup_comp_name = ldb_dn_get_component_name(dn, 1);
-    if (strcasecmp("cn", hostgroup_comp_name) != 0) {
-        /* The second component name is not "cn" */
-        ret = ERR_UNEXPECTED_ENTRY_TYPE;
-        goto done;
-    }
-
-    hostgroup_comp_val = ldb_dn_get_component_val(dn, 1);
-    if (strncasecmp("hostgroups",
-                    (const char *) hostgroup_comp_val->data,
-                    hostgroup_comp_val->length) != 0) {
-        /* The second component value is not "hostgroups" */
-        ret = ERR_UNEXPECTED_ENTRY_TYPE;
-        goto done;
-    }
-
-    /* and the third component is "accounts" */
-    account_comp_name = ldb_dn_get_component_name(dn, 2);
-    if (strcasecmp("cn", account_comp_name) != 0) {
-        /* The third component name is not "cn" */
-        ret = ERR_UNEXPECTED_ENTRY_TYPE;
-        goto done;
-    }
-
-    account_comp_val = ldb_dn_get_component_val(dn, 2);
-    if (strncasecmp("accounts",
-                    (const char *) account_comp_val->data,
-                    account_comp_val->length) != 0) {
-        /* The third component value is not "accounts" */
-        ret = ERR_UNEXPECTED_ENTRY_TYPE;
-        goto done;
-    }
-
-    /* Then the value of the RDN is the group name */
-    rdn_val = ldb_dn_get_rdn_val(dn);
-    *hostgroupname = talloc_strndup(mem_ctx,
-                                    (const char *)rdn_val->data,
-                                    rdn_val->length);
-    if (*hostgroupname == NULL) {
-        ret = ENOMEM;
-        goto done;
-    }
-
-    ret = EOK;
-
-done:
-    talloc_free(dn);
-    return ret;
-}
diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h
index b11814b83..8ca7d09c9 100644
--- a/src/providers/ipa/ipa_hbac_private.h
+++ b/src/providers/ipa/ipa_hbac_private.h
@@ -83,11 +83,6 @@ hbac_shost_attrs_to_rule(TALLOC_CTX *mem_ctx,
                          struct sysdb_attrs *rule_attrs,
                          bool support_srchost,
                          struct hbac_rule_element **source_hosts);
-errno_t
-get_ipa_hostgroupname(TALLOC_CTX *mem_ctx,
-                      struct sysdb_ctx *sysdb,
-                      const char *host_dn,
-                      char **hostgroupname);
 const char **
 hbac_get_attrs_to_get_cached_rules(TALLOC_CTX *mem_ctx);
diff --git a/src/providers/ipa/ipa_rules_common.c b/src/providers/ipa/ipa_rules_common.c
index 9765bac18..11823476b 100644
--- a/src/providers/ipa/ipa_rules_common.c
+++ b/src/providers/ipa/ipa_rules_common.c
@@ -344,3 +344,112 @@ done:
     return ret;
 }
+
+errno_t
+ipa_common_get_hostgroupname(TALLOC_CTX *mem_ctx,
+                             struct sysdb_ctx *sysdb,
+                             const char *host_dn,
+                             char **_hostgroupname)
+{
+    errno_t ret;
+    struct ldb_dn *dn;
+    const char *rdn_name;
+    const char *hostgroup_comp_name;
+    const char *account_comp_name;
+    const struct ldb_val *rdn_val;
+    const struct ldb_val *hostgroup_comp_val;
+    const struct ldb_val *account_comp_val;
+
+    /* This is an IPA-specific hack. It may not
+     * work for non-IPA servers and will need to
+     * be changed if SSSD ever supports HBAC on
+     * a non-IPA server.
+     */
+    *_hostgroupname = NULL;
+
+    dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), host_dn);
+    if (dn == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    if (!ldb_dn_validate(dn)) {
+        ret = ERR_MALFORMED_ENTRY;
+        goto done;
+    }
+
+    if (ldb_dn_get_comp_num(dn) < 4) {
+        /* RDN, hostgroups, accounts, and at least one DC= */
+        /* If it's fewer, it's not a group DN */
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
+        goto done;
+    }
+
+    /* If the RDN name is 'cn' */
+    rdn_name = ldb_dn_get_rdn_name(dn);
+    if (rdn_name == NULL) {
+        /* Shouldn't happen if ldb_dn_validate()
+         * passed, but we'll be careful.
+         */
+        ret = ERR_MALFORMED_ENTRY;
+        goto done;
+    }
+
+    if (strcasecmp("cn", rdn_name) != 0) {
+        /* RDN has the wrong attribute name.
+         * It's not a host.
+         */
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
+        goto done;
+    }
+
+    /* and the second component is "cn=hostgroups" */
+    hostgroup_comp_name = ldb_dn_get_component_name(dn, 1);
+    if (strcasecmp("cn", hostgroup_comp_name) != 0) {
+        /* The second component name is not "cn" */
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
+        goto done;
+    }
+
+    hostgroup_comp_val = ldb_dn_get_component_val(dn, 1);
+    if (strncasecmp("hostgroups",
+                    (const char *) hostgroup_comp_val->data,
+                    hostgroup_comp_val->length) != 0) {
+        /* The second component value is not "hostgroups" */
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
+        goto done;
+    }
+
+    /* and the third component is "accounts" */
+    account_comp_name = ldb_dn_get_component_name(dn, 2);
+    if (strcasecmp("cn", account_comp_name) != 0) {
+        /* The third component name is not "cn" */
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
+        goto done;
+    }
+
+    account_comp_val = ldb_dn_get_component_val(dn, 2);
+    if (strncasecmp("accounts",
+                    (const char *) account_comp_val->data,
+                    account_comp_val->length) != 0) {
+        /* The third component value is not "accounts" */
+        ret = ERR_UNEXPECTED_ENTRY_TYPE;
+        goto done;
+    }
+
+    /* Then the value of the RDN is the group name */
+    rdn_val = ldb_dn_get_rdn_val(dn);
+    *_hostgroupname = talloc_strndup(mem_ctx,
+                                     (const char *)rdn_val->data,
+                                     rdn_val->length);
+    if (*_hostgroupname == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    talloc_free(dn);
+    return ret;
+}
diff --git a/src/providers/ipa/ipa_rules_common.h b/src/providers/ipa/ipa_rules_common.h
index 7882ce213..6cf57eb29 100644
--- a/src/providers/ipa/ipa_rules_common.h
+++ b/src/providers/ipa/ipa_rules_common.h
@@ -80,4 +80,10 @@ ipa_common_save_rules(struct sss_domain_info *domain,
                       struct ipa_common_entries *rules,
                       time_t *last_update);
+errno_t
+ipa_common_get_hostgroupname(TALLOC_CTX *mem_ctx,
+                             struct sysdb_ctx *sysdb,
+                             const char *host_dn,
+                             char **_hostgroupname);
+
 #endif /* IPA_RULES_COMMON_H_ */
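Review bot: The two component checks in ipa_common_get_hostgroupname accept prefixes, because `strncasecmp("hostgroups", (const char *) hostgroup_comp_val->data, hostgroup_comp_val->length)` compares only `length` bytes of the literal, so a second component such as `cn=host` (length 4) passes as "hostgroups", and the `accounts` check on the third component has the same weakness; a DN like `cn=X,cn=host,cn=accounts,...` is then reported as host group X and that name flows into HBAC evaluation. Since an ldb_val is not guaranteed to be NUL-terminated the bounded compare is right, but each check should also require `hostgroup_comp_val->length == strlen("hostgroups")` (and likewise `strlen("accounts")`) before the strncasecmp. This defect is inherited from the body moved out of ipa_hbac_hosts.c rather than introduced here, but the move is the natural point to fix it in the single shared copy. A short comment above `ipa_common_get_hostgroupname` stating the contract would also help callers, since the header only declares it: EOK with `*_hostgroupname` allocated on mem_ctx for a DN under cn=hostgroups,cn=accounts, ERR_UNEXPECTED_ENTRY_TYPE for any other well-formed DN, ERR_MALFORMED_ENTRY when ldb_dn_validate() rejects it, ENOMEM on allocation failure. The function providing the hunk's leading `return ret;` context starts outside the hunk.
```c
    hostgroup_comp_val = ldb_dn_get_component_val(dn, 1);
    if (hostgroup_comp_val->length != strlen("hostgroups")
            || strncasecmp("hostgroups",
                           (const char *) hostgroup_comp_val->data,
                           hostgroup_comp_val->length) != 0) {
    /* … unchanged: error return, "cn" check on the third component … */
    account_comp_val = ldb_dn_get_component_val(dn, 2);
    if (account_comp_val->length != strlen("accounts")
            || strncasecmp("accounts",
                           (const char *) account_comp_val->data,
                           account_comp_val->length) != 0) {
```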