From 64497d479e92ebc34717c20c3d017f1823f9e630 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 22 Jun 2016 07:29:00 +0200 Subject: IPA: Save sudoUser qualified in the cache When converting from the native IPA schema to the sysdb sudo schema, qualify sudoUser attributes that contain user and group names. Reviewed-by: Sumit Bose --- src/providers/ipa/ipa_sudo.h | 2 +- src/providers/ipa/ipa_sudo_async.c | 7 ++--- src/providers/ipa/ipa_sudo_conversion.c | 46 +++++++++++++++++++++++---------- 3 files changed, 35 insertions(+), 20 deletions(-) diff --git a/src/providers/ipa/ipa_sudo.h b/src/providers/ipa/ipa_sudo.h index 8b8660019..49b6c561b 100644 --- a/src/providers/ipa/ipa_sudo.h +++ b/src/providers/ipa/ipa_sudo.h @@ -75,7 +75,7 @@ struct ipa_sudo_conv; struct ipa_sudo_conv * ipa_sudo_conv_init(TALLOC_CTX *mem_ctx, - struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, struct sdap_attr_map *map_rule, struct sdap_attr_map *map_cmdgroup, struct sdap_attr_map *map_cmd, diff --git a/src/providers/ipa/ipa_sudo_async.c b/src/providers/ipa/ipa_sudo_async.c index 1e14fdd57..9ed121830 100644 --- a/src/providers/ipa/ipa_sudo_async.c +++ b/src/providers/ipa/ipa_sudo_async.c @@ -363,7 +363,6 @@ done: struct ipa_sudo_fetch_state { struct tevent_context *ev; - struct sysdb_ctx *sysdb; struct sss_domain_info *domain; struct ipa_sudo_ctx *sudo_ctx; struct sdap_options *sdap_opts; @@ -397,7 +396,6 @@ static struct tevent_req * ipa_sudo_fetch_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct sss_domain_info *domain, - struct sysdb_ctx *sysdb, struct ipa_sudo_ctx *sudo_ctx, struct ipa_hostinfo *host, struct sdap_attr_map *map_user, @@ -420,7 +418,6 @@ ipa_sudo_fetch_send(TALLOC_CTX *mem_ctx, } state->ev = ev; - state->sysdb = sysdb; state->domain = domain; state->sudo_ctx = sudo_ctx; state->sdap_opts = sudo_ctx->sdap_opts; @@ -434,7 +431,7 @@ ipa_sudo_fetch_send(TALLOC_CTX *mem_ctx, state->map_cmd = sudo_ctx->sudocmd_map; state->sudo_sb = sudo_ctx->sudo_sb; - state->conv = ipa_sudo_conv_init(state, sysdb, state->map_rule, + state->conv = ipa_sudo_conv_init(state, domain, state->map_rule, state->map_cmdgroup, state->map_cmd, map_user, map_group, map_host, map_hostgroup); @@ -1022,7 +1019,7 @@ ipa_sudo_refresh_host_done(struct tevent_req *subreq) return; } - subreq = ipa_sudo_fetch_send(state, state->ev, state->domain, state->sysdb, + subreq = ipa_sudo_fetch_send(state, state->ev, state->domain, state->sudo_ctx, host, state->sdap_opts->user_map, state->sdap_opts->group_map, diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c index 1286bf351..21186d245 100644 --- a/src/providers/ipa/ipa_sudo_conversion.c +++ b/src/providers/ipa/ipa_sudo_conversion.c @@ -47,7 +47,7 @@ #define MATCHRDN_HOSTGROUP(map) (map)[IPA_AT_HOSTGROUP_NAME].name, "cn", "hostgroups", "cn", "accounts" struct ipa_sudo_conv { - struct sysdb_ctx *sysdb; + struct sss_domain_info *dom; struct sdap_attr_map *map_rule; struct sdap_attr_map *map_cmdgroup; @@ -189,7 +189,7 @@ done: static bool is_ipacmdgroup(struct ipa_sudo_conv *conv, const char *dn) { - if (ipa_check_rdn_bool(conv->sysdb, dn, + if (ipa_check_rdn_bool(conv->dom->sysdb, dn, MATCHRDN_CMDGROUPS(conv->map_cmdgroup))) { return true; } @@ -199,13 +199,13 @@ static bool is_ipacmdgroup(struct ipa_sudo_conv *conv, const char *dn) static bool is_ipacmd(struct ipa_sudo_conv *conv, const char *dn) { - if (ipa_check_rdn_bool(conv->sysdb, dn, + if (ipa_check_rdn_bool(conv->dom->sysdb, dn, MATCHRDN_CMDS(IPA_AT_SUDOCMD_UUID, conv->map_cmd))) { return true; } /* For older versions of FreeIPA than 3.1. */ - if (ipa_check_rdn_bool(conv->sysdb, dn, + if (ipa_check_rdn_bool(conv->dom->sysdb, dn, MATCHRDN_CMDS(IPA_AT_SUDOCMD_CMD, conv->map_cmd))) { return true; } @@ -342,7 +342,7 @@ done: struct ipa_sudo_conv * ipa_sudo_conv_init(TALLOC_CTX *mem_ctx, - struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, struct sdap_attr_map *map_rule, struct sdap_attr_map *map_cmdgroup, struct sdap_attr_map *map_cmd, @@ -359,7 +359,7 @@ ipa_sudo_conv_init(TALLOC_CTX *mem_ctx, return NULL; } - conv->sysdb = sysdb; + conv->dom = dom; conv->map_rule = map_rule; conv->map_cmdgroup = map_cmdgroup; conv->map_cmd = map_cmd; @@ -724,7 +724,7 @@ char * ipa_sudo_conv_cmdgroup_filter(TALLOC_CTX *mem_ctx, struct ipa_sudo_conv *conv) { - return build_filter(mem_ctx, conv->sysdb, conv->cmdgroups, + return build_filter(mem_ctx, conv->dom->sysdb, conv->cmdgroups, conv->map_cmdgroup, get_sudo_cmdgroup_rdn); } @@ -732,7 +732,7 @@ char * ipa_sudo_conv_cmd_filter(TALLOC_CTX *mem_ctx, struct ipa_sudo_conv *conv) { - return build_filter(mem_ctx, conv->sysdb, conv->cmds, + return build_filter(mem_ctx, conv->dom->sysdb, conv->cmds, conv->map_cmd, get_sudo_cmd_rdn); } @@ -752,7 +752,7 @@ convert_host(TALLOC_CTX *mem_ctx, const char *group; errno_t ret; - ret = ipa_get_rdn(mem_ctx, conv->sysdb, value, &rdn, + ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn, MATCHRDN_HOST(conv->map_host)); if (ret == EOK) { return rdn; @@ -762,7 +762,7 @@ convert_host(TALLOC_CTX *mem_ctx, return NULL; } - ret = ipa_get_rdn(mem_ctx, conv->sysdb, value, &rdn, + ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn, MATCHRDN_HOSTGROUP(conv->map_hostgroup)); if (ret == ENOENT) { DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value); @@ -788,7 +788,7 @@ convert_user(TALLOC_CTX *mem_ctx, const char *group; errno_t ret; - ret = ipa_get_rdn(mem_ctx, conv->sysdb, value, &rdn, + ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn, MATCHRDN_USER(conv->map_user)); if (ret == EOK) { return rdn; @@ -798,7 +798,7 @@ convert_user(TALLOC_CTX *mem_ctx, return NULL; } - ret = ipa_get_rdn(mem_ctx, conv->sysdb, value, &rdn, + ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn, MATCHRDN_GROUP(conv->map_group)); if (ret == ENOENT) { DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value); @@ -815,6 +815,24 @@ convert_user(TALLOC_CTX *mem_ctx, return group; } +static const char * +convert_user_fqdn(TALLOC_CTX *mem_ctx, + struct ipa_sudo_conv *conv, + const char *value) +{ + const char *shortname = NULL; + char *fqdn = NULL; + + shortname = convert_user(mem_ctx, conv, value); + if (shortname == NULL) { + return NULL; + } + + fqdn = sss_create_internal_fqname(mem_ctx, shortname, conv->dom->name); + talloc_free(discard_const(shortname)); + return fqdn; +} + static const char * convert_group(TALLOC_CTX *mem_ctx, struct ipa_sudo_conv *conv, @@ -823,7 +841,7 @@ convert_group(TALLOC_CTX *mem_ctx, char *rdn; errno_t ret; - ret = ipa_get_rdn(mem_ctx, conv->sysdb, value, &rdn, + ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn, MATCHRDN_GROUP(conv->map_group)); if (ret == ENOENT) { DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value); @@ -875,7 +893,7 @@ convert_attributes(struct ipa_sudo_conv *conv, const char *value); } table[] = {{SYSDB_NAME, SYSDB_SUDO_CACHE_AT_CN , NULL}, {SYSDB_IPA_SUDORULE_HOST, SYSDB_SUDO_CACHE_AT_HOST , convert_host}, - {SYSDB_IPA_SUDORULE_USER, SYSDB_SUDO_CACHE_AT_USER , convert_user}, + {SYSDB_IPA_SUDORULE_USER, SYSDB_SUDO_CACHE_AT_USER , convert_user_fqdn}, {SYSDB_IPA_SUDORULE_RUNASUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_user}, {SYSDB_IPA_SUDORULE_RUNASGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , convert_group}, {SYSDB_IPA_SUDORULE_OPTION, SYSDB_SUDO_CACHE_AT_OPTION , NULL}, -- cgit