/** BEGIN COPYRIGHT BLOCK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see .
*
* Additional permission under GPLv3 section 7:
*
* In the following paragraph, "GPL" means the GNU General Public
* License, version 3 or any later version, and "Non-GPL Code" means
* code that is governed neither by the GPL nor a license
* compatible with the GPL.
*
* You may link the code of this Program with Non-GPL Code and convey
* linked combinations including the two, provided that such Non-GPL
* Code only links to the code of this Program through those well
* defined interfaces identified in the file named EXCEPTION found in
* the source code files (the "Approved Interfaces"). The files of
* Non-GPL Code may instantiate templates or use macros or inline
* functions from the Approved Interfaces without causing the resulting
* work to be covered by the GPL. Only the copyright holders of this
* Program may make changes or additions to the list of Approved
* Interfaces.
*
* Authors:
* Nathaniel McCallum
*
* Copyright (C) 2013 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK **/
#ifdef HAVE_CONFIG_H
# include
#endif
#include "../libotp/otp_token.h"
#include
#include "util.h"
#define PLUGIN_NAME "ipa-otp-lasttoken"
#define OTP_CONTAINER "cn=otp,%s"
static struct otp_config *otp_config;
static bool entry_is_token(Slapi_Entry *entry)
{
char **ocls;
ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS);
for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) {
if (strcasecmp(ocls[i], "ipaToken") == 0) {
slapi_ch_array_free(ocls);
return true;
}
}
return false;
}
static bool sdn_in_otp_container(Slapi_DN *sdn)
{
const Slapi_DN *base;
Slapi_DN *container;
bool result;
char *dn;
base = slapi_get_suffix_by_dn(sdn);
if (base == NULL)
return false;
dn = slapi_ch_smprintf(OTP_CONTAINER, slapi_sdn_get_dn(base));
if (dn == NULL)
return false;
container = slapi_sdn_new_dn_passin(dn);
result = slapi_sdn_issuffix(sdn, container);
slapi_sdn_free(&container);
return result;
}
static bool sdn_is_only_enabled_token(Slapi_DN *target_sdn, const char *user_dn)
{
struct otp_token **tokens;
bool result = false;
tokens = otp_token_find(otp_config, user_dn, NULL, true, NULL);
if (tokens != NULL && tokens[0] != NULL && tokens[1] == NULL) {
const Slapi_DN *token_sdn = otp_token_get_sdn(tokens[0]);
if (token_sdn != NULL)
result = slapi_sdn_compare(token_sdn, target_sdn) == 0;
}
otp_token_free_array(tokens);
return result;
}
static bool is_pwd_enabled(const char *user_dn)
{
char *attrs[] = { "ipaUserAuthType", NULL };
Slapi_Entry *entry = NULL;
uint32_t authtypes;
Slapi_DN *sdn;
sdn = slapi_sdn_new_dn_byval(user_dn);
if (sdn == NULL)
return false;
slapi_search_internal_get_entry(sdn, attrs, &entry,
otp_config_plugin_id(otp_config));
slapi_sdn_free(&sdn);
if (entry == NULL)
return false;
authtypes = otp_config_auth_types(otp_config, entry);
slapi_entry_free(entry);
return authtypes & OTP_CONFIG_AUTH_TYPE_PASSWORD;
}
static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
{
Slapi_DN *target_sdn = NULL;
const char *bind_dn;
/* Ignore internal operations. */
if (slapi_op_internal(pb))
return true;
/* Load parameters. */
(void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
(void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);
if (target_sdn == NULL || bind_dn == NULL) {
LOG_FATAL("Missing parameters!\n");
return false;
}
if (entry != NULL
? !entry_is_token(entry)
: !sdn_in_otp_container(target_sdn))
return true;
if (!sdn_is_only_enabled_token(target_sdn, bind_dn))
return true;
if (is_pwd_enabled(bind_dn))
return true;
return false;
}
static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)
{
slapi_send_ldap_result(pb, rc, NULL, (char *) errstr, 0, NULL);
if (slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc)) {
LOG_FATAL("slapi_pblock_set failed!\n");
}
return rc;
}
static int preop_del(Slapi_PBlock *pb)
{
if (is_allowed(pb, NULL))
return 0;
return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
"Can't delete last active token");
}
static int preop_mod(Slapi_PBlock *pb)
{
static const struct {
const char *attr;
const char *msg;
} errors[] = {
{"ipatokenDisabled", "Can't disable last active token"},
{"ipatokenOwner", "Can't change last active token's owner"},
{"ipatokenNotBefore", "Can't change last active token's start time"},
{"ipatokenNotAfter", "Can't change last active token's end time"},
{}
};
const LDAPMod **mods = NULL;
Slapi_Entry *entry = NULL;
(void) slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &entry);
(void) slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
if (is_allowed(pb, entry))
return 0;
/* If a protected attribute is modified, deny. */
for (int i = 0; mods != NULL && mods[i] != NULL; i++) {
for (int j = 0; errors[j].attr != NULL; j++) {
if (strcasecmp(mods[i]->mod_type, errors[j].attr) == 0)
return send_error(pb, LDAP_UNWILLING_TO_PERFORM, errors[j].msg);
}
}
return 0;
}
static int preop_init(Slapi_PBlock *pb)
{
int ret = 0;
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_BE_TXN_PRE_DELETE_FN, preop_del);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_BE_TXN_PRE_MODIFY_FN, preop_mod);
return ret;
}
static int update_config(Slapi_PBlock *pb)
{
otp_config_update(otp_config, pb);
return 0;
}
static int intpostop_init(Slapi_PBlock *pb)
{
int ret = 0;
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN, (void *) update_config);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *) update_config);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *) update_config);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *) update_config);
return ret;
}
static int postop_init(Slapi_PBlock *pb)
{
int ret = 0;
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN, (void *) update_config);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *) update_config);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *) update_config);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *) update_config);
return ret;
}
int ipa_otp_lasttoken_init(Slapi_PBlock *pb)
{
static const Slapi_PluginDesc preop_desc = {
PLUGIN_NAME,
"FreeIPA",
"FreeIPA/1.0",
"Protect the user's last active token"
};
Slapi_ComponentId *plugin_id = NULL;
int ret = 0;
ret |= slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &plugin_id);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &preop_desc);
ret |= slapi_register_plugin("betxnpreoperation", 1, __func__, preop_init,
PLUGIN_NAME " betxnpreoperation", NULL, plugin_id);
ret |= slapi_register_plugin("postoperation", 1, __func__, postop_init,
PLUGIN_NAME " postoperation", NULL, plugin_id);
ret |= slapi_register_plugin("internalpostoperation", 1, __func__, intpostop_init,
PLUGIN_NAME " internalpostoperation", NULL, plugin_id);
/* NOTE: leak otp_config on process exit. */
otp_config = otp_config_init(plugin_id);
return ret;
}