authorSumit Bose <sbose@redhat.com>2017-02-15 12:09:20 +0100
committerDavid Kupka <dkupka@redhat.com>2017-03-27 09:52:57 +0200
commitda880decfedc66f9d0d2734dcb86c23a8866f603 (patch)
treedbacd1fafc54d9d8f2cb29a80b704eb844130e5e
parent6de507c2cad255975665eca6dd6ef7c8f2458d51 (diff)
ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
Additionally make ipadb_find_principal public. Related to https://pagure.io/freeipa/issue/4905 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h11
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c58
2 files changed, 56 insertions, 13 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 8a3f7d3c0..72f267580 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext,
char **db_args);
krb5_error_code ipadb_delete_principal(krb5_context kcontext,
krb5_const_principal search_for);
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result);
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+ unsigned int flags,
+ LDAPMessage *res,
+ char **principal,
+ LDAPMessage **entry);
#if KRB5_KDB_API_VERSION < 8
krb5_error_code ipadb_iterate(krb5_context kcontext,
char *match_entry,
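Review bot: The new prototype for ipadb_fetch_principals_with_extra_filter exports a `filter` argument with no comment on its contract, and the hunk at `@@ -890,11 +903,21 @@` in ipa_kdb_principals.c splices that string verbatim into the LDAP search filter through the `*_SEARCH_FILTER_EXTRA` templates, whereas `principal` is only used in its escaped form `esc_original_princ`. The header should state that `filter` is either NULL or a complete, parenthesized LDAP filter term whose attribute values the caller has already LDAP-escaped, because the `(& ... %s)` templates concatenate it unchanged. A comment such as `/* filter: NULL, or one parenthesized LDAP filter term AND-ed to the principal lookup; it is inserted verbatim, so the caller must escape any values it contains. */` above the declaration would make that explicit. The newly public ipadb_find_principal likewise has no comment on what `*principal` and `*entry` refer to or who frees them; its body runs past the last hunk of the commit, so that should be confirmed against the implementation before documenting it.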
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 3bd8fb8c7..82c857430 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -37,6 +37,17 @@
"(objectclass=krbprincipal))" \
"(krbprincipalname=%s))"
+#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+ "(objectclass=krbprincipal)" \
+ "(objectclass=ipakrbprincipal))" \
+ "(|(ipakrbprincipalalias=%s)" \
+ "(krbprincipalname:caseIgnoreIA5Match:=%s))" \
+ "%s)"
+
+#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+ "(objectclass=krbprincipal))" \
+ "(krbprincipalname=%s)" \
+ "%s)"
static char *std_principal_attrs[] = {
"krbPrincipalName",
"krbCanonicalName",
@@ -864,10 +875,12 @@ done:
return kerr;
}
-static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
- unsigned int flags,
- char *principal,
- LDAPMessage **result)
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result)
{
krb5_error_code kerr;
char *src_filter = NULL;
@@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
goto done;
}
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
- ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
- esc_original_princ, esc_original_princ);
+ if (filter == NULL) {
+ if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
+ esc_original_princ, esc_original_princ);
+ } else {
+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+ }
} else {
- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+ if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
+ esc_original_princ, esc_original_princ, filter);
+ } else {
+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
+ esc_original_princ, filter);
+ }
}
if (ret == -1) {
@@ -913,11 +936,20 @@ done:
return kerr;
}
-static krb5_error_code ipadb_find_principal(krb5_context kcontext,
- unsigned int flags,
- LDAPMessage *res,
- char **principal,
- LDAPMessage **entry)
+static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
+ unsigned int flags,
+ char *principal,
+ LDAPMessage **result)
+{
+ return ipadb_fetch_principals_with_extra_filter(ipactx, flags, principal,
+ NULL, result);
+}
+
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+ unsigned int flags,
+ LDAPMessage *res,
+ char **principal,
+ LDAPMessage **entry)
{
struct ipadb_context *ipactx;
bool found = false;
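Review bot: The retained static wrapper ipadb_fetch_principals still declares `char *principal` although the function it now forwards to takes `const char *principal`, so the wrapper is the one remaining non-const entry point for the same value. Changing the parameter to `const char *principal,` keeps the two signatures consistent and lets callers pass const buffers without a cast; the wrapper body only forwards the pointer, and existing callers passing `char *` remain valid. ipadb_find_principal's body continues outside the hunk.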