author | Jakub Hrozek <jhrozek@redhat.com> | 2011-11-08 17:12:58 +0100 |
committer | Pavel Březina <pbrezina@redhat.com> | 2011-11-21 16:12:13 +0100 |
commit | f944c5e772b052167fe6ec7b33cefd0652bb8d4a (patch) | |
tree | b0cccf084fb33f281974779f7402a465589b9037 /src/db/sysdb_ops.c | |
parent | fff5efcea89a021fd958918299517c870c7c933a (diff) | |
download | sssd_unused-f944c5e772b052167fe6ec7b33cefd0652bb8d4a.tar.gz sssd_unused-f944c5e772b052167fe6ec7b33cefd0652bb8d4a.tar.xz sssd_unused-f944c5e772b052167fe6ec7b33cefd0652bb8d4a.zip |
sudo sysdb interface: sudo rules
Diffstat (limited to 'src/db/sysdb_ops.c')
-rw-r--r-- | src/db/sysdb_ops.c | 279 |
1 files changed, 279 insertions, 0 deletions
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 3da41d61..f0e3fa95 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -651,6 +651,35 @@ done:
 return ret;
 }
 
+/* =Replace-Attributes-On-Sudo-Rule======================================= */
+
+int sysdb_set_sudorule_attr(struct sysdb_ctx *sysdb,
+ const char *rule,
+ struct sysdb_attrs *attrs,
+ int mod_op)
+{
+ errno_t ret;
+ struct ldb_dn *dn;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ dn = sysdb_sudorule_dn(sysdb, tmp_ctx, sysdb->domain->name, rule);
+ if (!dn) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_set_entry_attr(sysdb, dn, attrs, mod_op);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
 /* =Get-New-ID============================================================ */
 
 int sysdb_get_new_id(struct sysdb_ctx *sysdb,
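Review bot: sysdb_set_sudorule_attr is a new public entry point with no comment stating its contract; its only documentation is the section banner above it. The body shows that `rule` is used solely to build the rule DN under `sysdb->domain->name` and that `attrs` is passed straight through to sysdb_set_entry_attr, so the caller keeps ownership of it (the caller in the next hunk frees it together with its own tmp_ctx). I would add above the function: `/* Apply attrs to the sudo rule named rule in the current domain with mod_op (SYSDB_MOD_ADD/REP/DEL); attrs stays owned by the caller. Returns an errno value. */`. Nothing here checks that rule is non-NULL; presumably callers guarantee that, and the comment should say so.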
@@ -1592,6 +1621,119 @@ done:
 return ret;
 }
 
+/* =Add-Basic-Sudo-Rule-NO-CHECKS============================================= */
+
+/*
+ * member LDAP IPA
+ * -----------------------------------
+ * user DN DN
+ * group DN DN
+ * host hostname? DN
+ * hostgroup netgroup DN? DN
+ * command DN DN
+ * commandgroup N/A DN
+ */
+int sysdb_add_basic_sudorule(struct sysdb_ctx *sysdb,
+ const char *rule)
+{
+ struct ldb_message *msg;
+ int ret;
+
+ msg = ldb_msg_new(NULL);
+ if (!msg) {
+ return ENOMEM;
+ }
+
+ /* sudo rule dn */
+ msg->dn = sysdb_sudorule_dn(sysdb, msg, sysdb->domain->name, rule);
+ if (!msg->dn) {
+ ERROR_OUT(ret, ENOMEM, done);
+ }
+
+ ret = add_string(msg, LDB_FLAG_MOD_ADD,
+ SYSDB_OBJECTCLASS, SYSDB_SUDORULE_CLASS);
+ if (ret) goto done;
+
+ ret = add_string(msg, LDB_FLAG_MOD_ADD, SYSDB_NAME, rule);
+ if (ret) goto done;
+
+ /* creation time */
+ ret = add_ulong(msg, LDB_FLAG_MOD_ADD, SYSDB_CREATE_TIME,
+ (unsigned long) time(NULL));
+ if (ret) goto done;
+
+ ret = ldb_add(sysdb->ldb, msg);
+ ret = sysdb_error_to_errno(ret);
+
+done:
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Error: %d (%s)\n", ret, strerror(ret)));
+ }
+ talloc_zfree(msg);
+ return ret;
+}
+
+int sysdb_add_sudorule(struct sysdb_ctx *sysdb,
+ const char *rule,
+ struct sysdb_attrs *attrs,
+ int cache_timeout,
+ time_t now)
+{
+ TALLOC_CTX *tmp_ctx;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ ret = ldb_transaction_start(sysdb->ldb);
+ if (ret) {
+ ret = sysdb_error_to_errno(ret);
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ /* try to add the sudo rule */
+ ret = sysdb_add_basic_sudorule(sysdb, rule);
+ if (ret && ret != EEXIST) goto done;
+
+ if (!attrs) {
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (!attrs) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (!now) {
+ now = time(NULL);
+ }
+
+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_UPDATE, now);
+ if (ret) goto done;
+
+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
+ ((cache_timeout) ?
+ (now + cache_timeout) : 0));
+ if (ret) goto done;
+
+ ret = sysdb_set_sudorule_attr(sysdb, rule, attrs, SYSDB_MOD_REP);
+
+done:
+ if (ret == EOK) {
+ ret = ldb_transaction_commit(sysdb->ldb);
+ ret = sysdb_error_to_errno(ret);
+ }
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Error: %d (%s)\n", ret, strerror(ret)));
+ ldb_transaction_cancel(sysdb->ldb);
+ }
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
 /* =Store-Users-(Native/Legacy)-(replaces-existing-data)================== */
 
 /* if one of the basic attributes is empty ("") as opposed to NULL,
@@ -2644,6 +2786,58 @@ done:
 return ret;
 }
 
+/* =Search-Sudo-Rules-With-Custom-Filter=================================== */
+
+int sysdb_search_sudorule(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *sub_filter,
+ const char **attrs,
+ size_t *msgs_count,
+ struct ldb_message ***msgs)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_dn *basedn;
+ char *filter;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ basedn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb,
+ SYSDB_TMPL_SUDORULE_BASE, sysdb->domain->name);
+ if (!basedn) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to build base dn\n"));
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ filter = talloc_asprintf(tmp_ctx, "(&(%s)%s)",
+ SYSDB_SUDORULEC, sub_filter);
+ if (!filter) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to build filter\n"));
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, ("Search sudo rules with filter: %s\n", filter));
+
+ ret = sysdb_search_entry(mem_ctx, sysdb, basedn,
+ LDB_SCOPE_SUBTREE, filter, attrs,
+ msgs_count, msgs);
+ if (ret) {
+ goto fail;
+ }
+
+ talloc_zfree(tmp_ctx);
+ return EOK;
+
+fail:
+ DEBUG(SSSDBG_OP_FAILURE, ("Error: %d (%s)\n", ret, strerror(ret)));
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
 
 /* ========= Authentication against cached password ============ */
 
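Review bot: sysdb_add_basic_sudorule reuses the single `int ret` for both the raw ldb code and the errno value (`ret = ldb_add(sysdb->ldb, msg); ret = sysdb_error_to_errno(ret);`), whereas sysdb_mod_sudorule_member in the last hunk keeps the two apart with a separate `lret`; the same split here, `lret = ldb_add(sysdb->ldb, msg); ret = sysdb_error_to_errno(lret);`, keeps the two error domains from being mixed up in the `done:` logging. The member-mapping table placed above sysdb_add_basic_sudorule describes member kinds that only sysdb_mod_sudorule_member handles, and its `hostname?` and `DN?` entries are open questions rather than documentation, so it belongs next to that function with the unknowns marked TODO. This hunk also writes `LDB_FLAG_MOD_ADD` for add_string while the rest of the commit uses the `SYSDB_MOD_*` spellings; if those alias each other, as the wrapper names suggest, one spelling per file reads better.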
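Review bot: sysdb_search_sudorule splices `sub_filter` verbatim into `"(&(%s)%s)"`, so a caller that builds sub_filter from a rule name or another externally supplied value without escaping it ends up running an LDAP filter that means something else, and a NULL sub_filter reaches `%s` unchecked. The function cannot escape on the caller's behalf because it receives a whole expression, so the contract has to be documented and the NULL case rejected: `if (sub_filter == NULL) return EINVAL;` before tmp_ctx is allocated, plus a comment such as `/* sub_filter must be a complete parenthesised filter whose values the caller has already escaped (sss_filter_sanitize) */`. Separately, every non-zero return from sysdb_search_entry, presumably including the no-match ENOENT case, goes through the `fail:` label and is logged at SSSDBG_OP_FAILURE, which will make ordinary empty lookups look like errors in the logs.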
@@ -3202,3 +3396,88 @@ done:
 talloc_free(msg);
 return ret;
 }
+
+errno_t sysdb_mod_sudorule_member(struct sysdb_ctx *sysdb,
+ const char *sudorule,
+ enum sysdb_sudorule_mtype member_type,
+ const char *member_sudorule,
+ int mod_op)
+{
+ errno_t ret;
+ int lret;
+ struct ldb_message *msg;
+ char *member;
+ const char *template;
+
+ switch (member_type) {
+ case SYSDB_SUDORULE_MEMBER_USER:
+ template = SYSDB_TMPL_USER;
+ break;
+ case SYSDB_SUDORULE_MEMBER_GROUP:
+ template = SYSDB_TMPL_GROUP;
+ break;
+ case SYSDB_SUDORULE_MEMBER_COMMAND:
+ template = SYSDB_TMPL_SUDOCMD;
+ break;
+ case SYSDB_SUDORULE_MEMBER_HOST:
+ /* FIXME */
+ return ENOSYS;
+ case SYSDB_SUDORULE_MEMBER_NETGROUP:
+ template = SYSDB_TMPL_NETGROUP;
+ break;
+ default:
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Wrong sudo rule "
+ "member type %d\n", member_type));
+ return EINVAL;
+ }
+
+ msg = ldb_msg_new(NULL);
+ if (!msg) {
+ ERROR_OUT(ret, ENOMEM, done);
+ }
+
+ msg->dn = sysdb_sudorule_dn(sysdb, msg, sysdb->domain->name, sudorule);
+ if (!msg->dn) {
+ ERROR_OUT(ret, ENOMEM, done);
+ }
+
+ member = talloc_asprintf(msg, template,
+ member_sudorule, sysdb->domain->name);
+ if (!member) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = add_string(msg, mod_op, SYSDB_MEMBER, member);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ lret = ldb_modify(sysdb->ldb, msg);
+ ret = sysdb_error_to_errno(lret);
+
+done:
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Error: %d (%s)\n", ret, strerror(ret)));
+ }
+ talloc_free(msg);
+ return ret;
+}
+
+errno_t sysdb_add_sudorule_member(struct sysdb_ctx *sysdb,
+ const char *sudorule,
+ enum sysdb_sudorule_mtype member_type,
+ const char *member_sudorule)
+{
+ return sysdb_mod_sudorule_member(sysdb, sudorule, member_type,
+ member_sudorule, SYSDB_MOD_ADD);
+}
+
+errno_t sysdb_remove_sudorule_member(struct sysdb_ctx *sysdb,
+ const char *sudorule,
+ enum sysdb_sudorule_mtype member_type,
+ const char *member_sudorule)
+{
+ return sysdb_mod_sudorule_member(sysdb, sudorule, member_type,
+ member_sudorule, SYSDB_MOD_DEL);
+}
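Review bot: the member value is produced with `talloc_asprintf(msg, template, member_sudorule, sysdb->domain->name)` and stored as a plain string, so nothing checks that the result is a well-formed DN; a member_sudorule containing DN metacharacters such as `,`, `=` or `+` is stored as a malformed or differently scoped member instead of being rejected. Building it through ldb, `dn = ldb_dn_new_fmt(msg, sysdb->ldb, template, member_sudorule, sysdb->domain->name); if (!dn || !ldb_dn_validate(dn)) { ret = EINVAL; goto done; } member = ldb_dn_get_linearized(dn);` (member becoming `const char *`), at least rejects names that do not parse before ldb_modify runs; names that parse as a different DN still need escaping, and whether the other sysdb member helpers already handle this is outside the hunk. The `SYSDB_SUDORULE_MEMBER_HOST` case returns ENOSYS behind a bare `/* FIXME */`, so the function comment should state that host members are not yet supported, otherwise callers will treat that return as a storage failure.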