https://fedorahosted.org/sssd/ticket/2584
If you have any idea how to improve manual page, please, share it.
From 58e7ac9f61c9dcc33e14a255daf026b563f06a8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Fri, 24 Jul 2015 09:55:28 +0200 Subject: [PATCH 1/3] SYSDB: prepare for LOCAL view Objects doesn't have to have overrideDN specified when using LOCAL view. Since the view is not stored on the server we do not want to contact LDAP therefore we special case LOCAL view saying that it is OK that this attribute is missing. Preparation for: https://fedorahosted.org/sssd/ticket/2584 --- src/db/sysdb.h | 1 + src/db/sysdb_views.c | 7 +++++++ src/tests/cmocka/test_sysdb_views.c | 29 +++++++++++++++++++++++++++++ 3 files changed, 37 insertions(+) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 0f745ccb1a646d77ba4ad3d714d5f4dce0a51211..7b18bbbe3f9249e59c4ffc6ee6ddcacebddf7e9f 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -160,6 +160,7 @@ #define SYSDB_VIEW_CLASS "view" #define SYSDB_VIEW_NAME "viewName" #define SYSDB_DEFAULT_VIEW_NAME "default" +#define SYSDB_LOCAL_VIEW_NAME "LOCAL" #define SYSDB_OVERRIDE_CLASS "overrride" #define SYSDB_OVERRIDE_ANCHOR_UUID "overrideAnchorUUID" #define SYSDB_OVERRIDE_USER_CLASS "userOverride" diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c index aadd6018f4d1e2ca33e2e00dd8b13b55a8c03f3e..f4560344e992d8245e37a5a4e2f74c7b70ce41ec 100644 --- a/src/db/sysdb_views.c +++ b/src/db/sysdb_views.c @@ -1186,9 +1186,16 @@ errno_t sysdb_add_overrides_to_object(struct sss_domain_info *domain, override_dn_str = ldb_msg_find_attr_as_string(obj, SYSDB_OVERRIDE_DN, NULL); if (override_dn_str == NULL) { + if (strcmp(domain->view_name, SYSDB_LOCAL_VIEW_NAME) == 0) { + /* LOCAL view doesn't have to have overrideDN specified. */ + ret = EOK; + goto done; + } + DEBUG(SSSDBG_CRIT_FAILURE, "Missing override DN for objext [%s].\n", ldb_dn_get_linearized(obj->dn)); + ret = ENOENT; goto done; } diff --git a/src/tests/cmocka/test_sysdb_views.c b/src/tests/cmocka/test_sysdb_views.c index 1fb598219e9ee581e465ddbb32ba9f2544600c26..19c04d58e47aa400aee4745dc40f937497081d10 100644 --- a/src/tests/cmocka/test_sysdb_views.c +++ b/src/tests/cmocka/test_sysdb_views.c @@ -275,6 +275,33 @@ void test_sysdb_add_overrides_to_object(void **state) assert_int_equal(ldb_val_string_cmp(&el->values[1], "OVERRIDEKEY2"), 0); } +void test_sysdb_add_overrides_to_object_local(void **state) +{ + int ret; + struct ldb_message *orig; + struct ldb_message_element *el; + char *tmp_str; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + orig = ldb_msg_new(test_ctx); + assert_non_null(orig); + + tmp_str = talloc_strdup(orig, "ORIGNAME"); + ret = ldb_msg_add_string(orig, SYSDB_NAME, tmp_str); + assert_int_equal(ret, EOK); + + tmp_str = talloc_strdup(orig, "ORIGGECOS"); + ret = ldb_msg_add_string(orig, SYSDB_GECOS, tmp_str); + assert_int_equal(ret, EOK); + + test_ctx->domain->has_views = true; + test_ctx->domain->view_name = "LOCAL"; + + ret = sysdb_add_overrides_to_object(test_ctx->domain, orig, NULL, NULL); + assert_int_equal(ret, EOK); +} + void test_split_ipa_anchor(void **state) { int ret; @@ -917,6 +944,8 @@ int main(int argc, const char *argv[]) test_sysdb_setup, test_sysdb_teardown), cmocka_unit_test_setup_teardown(test_sysdb_add_overrides_to_object, test_sysdb_setup, test_sysdb_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_add_overrides_to_object_local, + test_sysdb_setup, test_sysdb_teardown), cmocka_unit_test_setup_teardown(test_split_ipa_anchor, test_sysdb_setup, test_sysdb_teardown), cmocka_unit_test_setup_teardown(test_sysdb_delete_view_tree, -- 2.1.0
From 5f18058a302c5ac3901dd5694724cc9a38adef36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Wed, 22 Jul 2015 10:02:02 +0200 Subject: [PATCH 2/3] TOOLS: add common command framework Add general framework to simplify creating "cmd COMMAND [OPTIONS...]" style tools. Preparation for: https://fedorahosted.org/sssd/ticket/2584 --- Makefile.am | 2 + src/tools/common/sss_tools.c | 407 +++++++++++++++++++++++++++++++++++++++++++ src/tools/common/sss_tools.h | 103 +++++++++++ 3 files changed, 512 insertions(+) create mode 100644 src/tools/common/sss_tools.c create mode 100644 src/tools/common/sss_tools.h diff --git a/Makefile.am b/Makefile.am index b8cbc6df23ded1edb945a709b6dbe1c44eb54017..e2c919b9adaf69f1ea6fde7e4a3e1746ccdcbedf 100644 --- a/Makefile.am +++ b/Makefile.am @@ -445,6 +445,7 @@ SSSD_TOOLS_OBJ = \ src/tools/tools_util.c \ src/tools/files.c \ src/tools/selinux.c \ + src/tools/common/sss_tools.c \ src/util/nscd.c SSSD_LCL_TOOLS_OBJ = \ @@ -641,6 +642,7 @@ dist_noinst_HEADERS = \ src/lib/idmap/sss_idmap_private.h \ src/lib/sifp/sss_sifp_private.h \ src/tests/cmocka/test_utils.h \ + src/tools/common/sss_tools.h \ $(NULL) diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c new file mode 100644 index 0000000000000000000000000000000000000000..1c26e3b520743f41ed9376c52e8ac18736d73daa --- /dev/null +++ b/src/tools/common/sss_tools.c @@ -0,0 +1,407 @@ +/* + Authors: + Pavel BÅezina <pbrez...@redhat.com> + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <talloc.h> +#include <stdlib.h> +#include <string.h> +#include <popt.h> + +#include "config.h" +#include "util/util.h" +#include "confdb/confdb.h" +#include "db/sysdb.h" +#include "tools/common/sss_tools.h" + +static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx, + int *argc, const char **argv) +{ + poptContext pc; + int debug = SSSDBG_DEFAULT; + int orig_argc = *argc; + int opt; + + struct poptOption options[] = { + {"debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_STRIP, &debug, + 0, _("The debug level to run with"), NULL }, + POPT_TABLEEND + }; + + pc = poptGetContext(argv[0], orig_argc, argv, options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + /* do nothing */ + } + + /* Strip --debug and --config from arguments. We will discard_const here, + * since it is not worth the trouble to convert it back and forth. */ + *argc = poptStrippedArgv(pc, orig_argc, discard_const_p(char *, argv)); + + DEBUG_CLI_INIT(debug); + + poptFreeContext(pc); +} + +static errno_t sss_tool_confdb_init(TALLOC_CTX *mem_ctx, + struct confdb_ctx **_confdb, + char **_path) +{ + struct confdb_ctx *confdb; + char *path; + errno_t ret; + + path = talloc_asprintf(mem_ctx, "%s/%s", DB_PATH, CONFDB_FILE); + if (path == NULL) { + return ENOMEM; + } + + ret = confdb_init(mem_ctx, &confdb, path); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not initialize connection to the confdb\n"); + talloc_free(path); + return ret; + } + + if (_confdb != NULL) { + *_confdb = confdb; + } + + if (_path != NULL) { + *_path = path; + } + + return EOK; +} + +static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx, + struct confdb_ctx *confdb, + struct sss_domain_info **_domains) +{ + struct sss_domain_info *domains; + struct sss_domain_info *dom; + errno_t ret; + + ret = confdb_get_domains(confdb, &domains); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup domains [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = sysdb_init(mem_ctx, domains, false); + SYSDB_VERSION_ERROR(ret); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not initialize connection to the sysdb\n"); + return ret; + } + + for (dom = domains; dom != NULL; dom = get_next_domain(dom, false)) { + if (!IS_SUBDOMAIN(dom)) { + /* Update list of subdomains for this domain */ + ret = sysdb_update_subdomains(dom); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to update subdomains for domain %s.\n", + dom->name); + } + } + } + + for (dom = domains; dom != NULL; dom = get_next_domain(dom, false)) { + ret = sss_names_init(mem_ctx, confdb, dom->name, &dom->names); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_names_init() failed\n"); + return ret; + } + } + + *_domains = domains; + + return ret; +} + +struct sss_tool_ctx * sss_tool_init(TALLOC_CTX *mem_ctx, + int *argc, const char **argv) +{ + struct sss_tool_ctx *tool_ctx; + errno_t ret; + + tool_ctx = talloc_zero(mem_ctx, struct sss_tool_ctx); + if (tool_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n"); + return NULL; + } + + sss_tool_common_opts(tool_ctx, argc, argv); + + /* Connect to confdb. */ + ret = sss_tool_confdb_init(tool_ctx, &tool_ctx->confdb, + &tool_ctx->confdb_path); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to open confdb [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + /* Setup domains. */ + ret = sss_tool_domains_init(tool_ctx, tool_ctx->confdb, &tool_ctx->domains); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup domains [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = confdb_get_string(tool_ctx->confdb, tool_ctx, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_DEFAULT_DOMAIN, + NULL, &tool_ctx->default_domain); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot get the default domain [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_zfree(tool_ctx); + } + + return tool_ctx; +} + +int sss_tool_usage(const char *tool_name, + struct sss_route_cmd *commands) +{ + int i; + + fprintf(stderr, "Usage:\n%s COMMAND COMMAND-ARGS\n\n", tool_name); + fprintf(stderr, "Available commands:\n"); + + for (i = 0; commands[i].command != NULL; i++) { + fprintf(stderr, "* %s\n", commands[i].command); + } + + return EXIT_FAILURE; +} + +int sss_tool_route(int argc, const char **argv, + struct sss_tool_ctx *tool_ctx, + struct sss_route_cmd *commands, + void *pvt) +{ + struct sss_cmdline cmdline; + const char *cmd; + int i; + + if (commands == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: commands can't be NULL!\n"); + return EXIT_FAILURE; + } + + if (argc < 2) { + return sss_tool_usage(argv[0], commands); + } + + cmd = argv[1]; + for (i = 0; commands[i].command != NULL; i++) { + if (strcmp(commands[i].command, cmd) == 0) { + cmdline.exec = argv[0]; + cmdline.command = argv[1]; + cmdline.argc = argc - 2; + cmdline.argv = argv + 2; + + return commands[i].fn(&cmdline, tool_ctx, pvt); + } + } + + return sss_tool_usage(argv[0], commands); +} + +int sss_tool_popt_ex(struct sss_cmdline *cmdline, + struct poptOption *options, + enum sss_tool_opt require_option, + sss_popt_fn popt_fn, + void *popt_fn_pvt, + const char *fopt_name, + const char *fopt_help, + const char **_fopt) +{ + char *help; + poptContext pc; + int ret; + + /* Create help option string. We always need to append command name since + * we use POPT_CONTEXT_KEEP_FIRST. */ + if (fopt_name == NULL) { + help = talloc_asprintf(NULL, "%s %s [OPTIONS...]", + cmdline->exec, cmdline->command); + } else { + help = talloc_asprintf(NULL, "%s %s %s [OPTIONS...]", + cmdline->exec, cmdline->command, fopt_name); + } + if (help == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tallos_asprintf() failed\n"); + goto done; + } + + /* Create popt context. */ + pc = poptGetContext(cmdline->exec, cmdline->argc, cmdline->argv, + options, POPT_CONTEXT_KEEP_FIRST); + + poptSetOtherOptionHelp(pc, help); + + /* Parse options. Invoke custom function if provided. If no parsing + * function is provided, print error on unknown option. */ + while((ret = poptGetNextOpt(pc)) != -1) { + if (popt_fn != NULL) { + ret = popt_fn(pc, ret, popt_fn_pvt); + if (ret != EOK) { + ret = EXIT_FAILURE; + goto done; + } + } else { + fprintf(stderr, "Invalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(ret)); + poptPrintHelp(pc, stderr, 0); + ret = EXIT_FAILURE; + goto done; + } + } + + /* Parse free option which is always required if requested. */ + if (_fopt != NULL) { + *_fopt = poptGetArg(pc); + if (*_fopt == NULL) { + fprintf(stderr, "Missing option: %s\n\n", fopt_help); + poptPrintHelp(pc, stderr, 0); + ret = EXIT_FAILURE; + goto done; + } + + /* No more arguments expected. If something follows it is an error. */ + if (poptGetArg(pc)) { + fprintf(stderr, "Only one free argument is expected!\n\n"); + poptPrintHelp(pc, stderr, 0); + ret = EXIT_FAILURE; + goto done; + } + } + + /* If at least one option is required and not provided, print error. */ + if (require_option == SSS_TOOL_OPT_REQUIRED + && ((_fopt != NULL && cmdline->argc < 2) || cmdline->argc < 1)) { + fprintf(stderr, "At least one option is required!\n\n"); + poptPrintHelp(pc, stderr, 0); + ret = EXIT_FAILURE; + goto done; + } + + ret = EXIT_SUCCESS; + +done: + poptFreeContext(pc); + talloc_free(help); + return ret; +} + +int sss_tool_popt(struct sss_cmdline *cmdline, + struct poptOption *options, + enum sss_tool_opt require_option, + sss_popt_fn popt_fn, + void *popt_fn_pvt) +{ + return sss_tool_popt_ex(cmdline, options, require_option, + popt_fn, popt_fn_pvt, NULL, NULL, NULL); +} + +int sss_tool_main(int argc, const char **argv, + struct sss_route_cmd *commands, + void *pvt) +{ + struct sss_tool_ctx *tool_ctx; + uid_t uid; + int ret; + + uid = getuid(); + if (uid != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid); + ERROR("%1$s must be run as root\n", argv[0]); + return EXIT_FAILURE; + } + + tool_ctx = sss_tool_init(NULL, &argc, argv); + if (tool_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n"); + return EXIT_FAILURE; + } + + ret = sss_tool_route(argc, argv, tool_ctx, commands, pvt); + talloc_free(tool_ctx); + + return ret; +} + +int sss_tool_parse_name(TALLOC_CTX *mem_ctx, + struct sss_tool_ctx *tool_ctx, + const char *input, + enum sss_tool_domain require_domain, + const char **_username, + struct sss_domain_info **_domain) +{ + char *username = NULL; + char *domname = NULL; + struct sss_domain_info *domain; + int ret; + + ret = sss_parse_name_for_domains(mem_ctx, tool_ctx->domains, + tool_ctx->default_domain, input, + &domname, &username); + if (ret == EAGAIN) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find domain. The domain name may " + "be a subdomain that was not yet found.\n"); + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + domain = find_domain_by_name(tool_ctx->domains, domname, true); + if (domain == NULL && require_domain == SSS_TOOL_DOMAIN_REQUIRED) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown domain %s\n", domname); + ret = ERR_DOMAIN_NOT_FOUND; + goto done; + } + + *_username = username; + *_domain = domain; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_zfree(username); + talloc_zfree(domname); + } + + return ret; +} diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h new file mode 100644 index 0000000000000000000000000000000000000000..ce7f7c66cabd4000be92c0ebe0584f700b9f6c50 --- /dev/null +++ b/src/tools/common/sss_tools.h @@ -0,0 +1,103 @@ +/* + Authors: + Pavel BÅezina <pbrez...@redhat.com> + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef SRC_TOOLS_COMMON_SSS_TOOLS_H_ +#define SRC_TOOLS_COMMON_SSS_TOOLS_H_ + +#include <talloc.h> +#include <popt.h> + +#include "confdb/confdb.h" + +struct sss_tool_ctx { + struct confdb_ctx *confdb; + char *confdb_path; + + char *default_domain; + struct sss_domain_info *domains; +}; + +struct sss_tool_ctx * sss_tool_init(TALLOC_CTX *mem_ctx, + int *argc, const char **argv); + +struct sss_cmdline { + const char *exec; /* argv[0] */ + const char *command; /* command name */ + int argc; /* rest of arguments */ + const char **argv; +}; + +typedef int +(*sss_route_fn)(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt); + +struct sss_route_cmd { + const char *command; + sss_route_fn fn; +}; + +int sss_tool_usage(const char *tool_name, + struct sss_route_cmd *commands); + +int sss_tool_route(int argc, const char **argv, + struct sss_tool_ctx *tool_ctx, + struct sss_route_cmd *commands, + void *pvt); + +typedef int (*sss_popt_fn)(poptContext pc, char option, void *pvt); + +enum sss_tool_opt { + SSS_TOOL_OPT_REQUIRED, + SSS_TOOL_OPT_OPTIONAL +}; + +int sss_tool_popt_ex(struct sss_cmdline *cmdline, + struct poptOption *options, + enum sss_tool_opt require_option, + sss_popt_fn popt_fn, + void *popt_fn_pvt, + const char *free_opt_name, + const char *free_opt_help, + const char **_free_opt); + +int sss_tool_popt(struct sss_cmdline *cmdline, + struct poptOption *options, + enum sss_tool_opt require_option, + sss_popt_fn popt_fn, + void *popt_fn_pvt); + +int sss_tool_main(int argc, const char **argv, + struct sss_route_cmd *commands, + void *pvt); + +enum sss_tool_domain { + SSS_TOOL_DOMAIN_REQUIRED, + SSS_TOOL_DOMAIN_OPTIONAL +}; + +int sss_tool_parse_name(TALLOC_CTX *mem_ctx, + struct sss_tool_ctx *tool_ctx, + const char *input, + enum sss_tool_domain require_domain, + const char **_username, + struct sss_domain_info **_domain); + +#endif /* SRC_TOOLS_COMMON_SSS_TOOLS_H_ */ -- 2.1.0
From f451abca1214d16ed4b80ee7c3db80b8c9eb53b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Fri, 24 Jul 2015 09:58:11 +0200 Subject: [PATCH 3/3] TOOLS: add sss_override for local overrides Resolves: https://fedorahosted.org/sssd/ticket/2584 --- Makefile.am | 9 + src/man/Makefile.am | 1 + src/man/sss_override.8.xml | 106 +++++++ src/tools/sss_override.c | 698 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 814 insertions(+) create mode 100644 src/man/sss_override.8.xml create mode 100644 src/tools/sss_override.c diff --git a/Makefile.am b/Makefile.am index e2c919b9adaf69f1ea6fde7e4a3e1746ccdcbedf..722eeb4737250e14745f346c6b809863a33d0f07 100644 --- a/Makefile.am +++ b/Makefile.am @@ -117,6 +117,7 @@ sbin_PROGRAMS = \ sss_groupshow \ sss_cache \ sss_debuglevel \ + sss_override \ sss_seed sssdlibexec_PROGRAMS = \ @@ -1296,6 +1297,14 @@ sss_signal_LDADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) +sss_override_SOURCES = \ + src/tools/sss_override.c \ + $(SSSD_TOOLS_OBJ) +sss_override_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) +sss_override_CFLAGS = $(AM_CFLAGS) + if BUILD_SUDO sss_sudo_cli_SOURCES = \ src/sss_client/common.c \ diff --git a/src/man/Makefile.am b/src/man/Makefile.am index 1ef1da48cce74f7d1ad77e3751ee6ac3450f0259..70cadf5951f56b78ff0bfbcb303e255478af5fec 100644 --- a/src/man/Makefile.am +++ b/src/man/Makefile.am @@ -51,6 +51,7 @@ man_MANS = \ sssd-krb5.5 sssd-simple.5 \ sssd_krb5_locator_plugin.8 sss_groupshow.8 \ pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 sss_seed.8 \ + sss_override.8 $(NULL) if BUILD_SAMBA diff --git a/src/man/sss_override.8.xml b/src/man/sss_override.8.xml new file mode 100644 index 0000000000000000000000000000000000000000..1ebd5adc18434cccf7f9bfc8e289947dde9bb8f5 --- /dev/null +++ b/src/man/sss_override.8.xml @@ -0,0 +1,106 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd";> +<reference> +<title>SSSD Manual pages</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"; href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sss_override</refentrytitle> + <manvolnum>8</manvolnum> + </refmeta> + + <refnamediv id='name'> + <refname>sss_override</refname> + <refpurpose>create client-side overrides of user and object attributes</refpurpose> + </refnamediv> + + <refsynopsisdiv id='synopsis'> + <cmdsynopsis> + <command>sss_debuglevel</command> + <arg choice='plain'><replaceable>COMMAND</replaceable></arg> + <arg choice='opt'> + <replaceable>options</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id='description'> + <title>DESCRIPTION</title> + <para> + <command>sss_override</command> enables to create a client-side + view and allows to change selected values of specific user + and groups. This change takes effect only on client machine. + </para> + </refsect1> + + <refsect1 id='commands'> + <title>AVAILABLE COMMANDS</title> + <variablelist remap='IP'> + <cmdsynopsis> + <command>user-add</command> + <arg choice='plain'><replaceable>NAME</replaceable></arg> + <arg choice='opt'> + <replaceable>options</replaceable> + </arg> + </cmdsynopsis> + <varlistentry> + <term> + <option>user-add</option> + <emphasis>NAME</emphasis> + <optional><option>-n,--name</option> NAME</optional> + <optional><option>-u,--uid</option> UID</optional> + <optional><option>-g,--gid</option> GID</optional> + <optional><option>-h,--home</option> HOME</optional> + <optional><option>-s,--shell</option> SHELL</optional> + <optional><option>-c,--gecos</option> GECOS</optional> + </term> + <listitem> + <para> + Override attributes of an user. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>user-del</option> + <emphasis>NAME</emphasis> + </term> + <listitem> + <para> + Remove user overrides. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>group-add</option> + <emphasis>NAME</emphasis> + <optional><option>-n,--name</option> NAME</optional> + <optional><option>-g,--gid</option> GID</optional> + </term> + <listitem> + <para> + Override attributes of a group. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>group-del</option> + <emphasis>NAME</emphasis> + </term> + <listitem> + <para> + Remove group overrides. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"; href="include/seealso.xml" /> + +</refentry> +</reference> diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c new file mode 100644 index 0000000000000000000000000000000000000000..0460737d0428ecd9036f439fe6885a471a21fad0 --- /dev/null +++ b/src/tools/sss_override.c @@ -0,0 +1,698 @@ +/* + Authors: + Pavel BÅezina <pbrez...@redhat.com> + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <stdlib.h> + +#include "util/util.h" +#include "db/sysdb.h" +#include "tools/common/sss_tools.h" + +#define LOCALVIEW SYSDB_LOCAL_VIEW_NAME + +struct override_user { + const char *input_name; + const char *orig_name; + struct sss_domain_info *domain; + + const char *name; + uid_t uid; + gid_t gid; + const char *home; + const char *shell; + const char *gecos; +}; + +struct override_group { + const char *input_name; + const char *orig_name; + struct sss_domain_info *domain; + + const char *name; + gid_t gid; +}; + +static int parse_cmdline(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct poptOption *options, + const char **_input_name, + const char **_orig_name, + struct sss_domain_info **_domain) +{ + enum sss_tool_opt require; + const char *input_name; + const char *orig_name; + struct sss_domain_info *domain; + int ret; + + require = options == NULL ? SSS_TOOL_OPT_OPTIONAL : SSS_TOOL_OPT_REQUIRED; + + ret = sss_tool_popt_ex(cmdline, options, require, + NULL, NULL, "NAME", "Specify name of modified " + "object.", &input_name); + if (ret != EXIT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n"); + return ret; + } + + ret = sss_tool_parse_name(tool_ctx, tool_ctx, input_name, + SSS_TOOL_DOMAIN_OPTIONAL, + &orig_name, &domain); + if (ret != EOK) { + fprintf(stderr, "Unable to parse name.\n"); + return ret; + } + + *_input_name = input_name; + *_orig_name = orig_name; + *_domain = domain; + + return EXIT_SUCCESS; +} + +static int parse_cmdline_user_add(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct override_user *user) +{ + struct poptOption options[] = { + POPT_AUTOHELP + {"name", 'n', POPT_ARG_STRING, &user->name, 0, _("Override name"), NULL }, + {"uid", 'u', POPT_ARG_INT, &user->uid, 0, _("Override uid"), NULL }, + {"gid", 'g', POPT_ARG_INT, &user->gid, 0, _("Override gid"), NULL }, + {"home", 'h', POPT_ARG_STRING, &user->home, 0, _("Override home directory"), NULL }, + {"shell", 's', POPT_ARG_STRING, &user->shell, 0, _("Override shell"), NULL }, + {"gecos", 'c', POPT_ARG_STRING, &user->gecos, 0, _("Override gecos"), NULL }, + POPT_TABLEEND + }; + + return parse_cmdline(cmdline, tool_ctx, options, &user->input_name, + &user->orig_name, &user->domain); +} + +static int parse_cmdline_user_del(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct override_user *user) +{ + return parse_cmdline(cmdline, tool_ctx, NULL, &user->input_name, + &user->orig_name, &user->domain); +} + +static int parse_cmdline_group_add(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct override_group *group) +{ + struct poptOption options[] = { + POPT_AUTOHELP + {"name", 'n', POPT_ARG_STRING, &group->name, 0, _("Override name"), NULL }, + {"gid", 'g', POPT_ARG_INT, &group->gid, 0, _("Override gid"), NULL }, + POPT_TABLEEND + }; + + return parse_cmdline(cmdline, tool_ctx, options, &group->input_name, + &group->orig_name, &group->domain); +} + +static int parse_cmdline_group_del(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct override_group *group) +{ + return parse_cmdline(cmdline, tool_ctx, NULL, &group->input_name, + &group->orig_name, &group->domain); +} + +static errno_t prepare_view(struct sss_domain_info *domain) +{ + char *viewname = NULL; + errno_t ret; + + ret = sysdb_get_view_name(NULL, domain->sysdb, &viewname); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name() failed.\n"); + return ret; + } + + if (ret == EOK) { + if (!is_default_view(viewname)) { + DEBUG(SSSDBG_TRACE_FUNC, "There already exists view %s. " + "Only one view is supported. Nothing to do.\n", viewname); + ret = EEXIST; + goto done; + } else if (strcmp(viewname, LOCALVIEW) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "%s view is already present.\n", viewname); + ret = EOK; + goto done; + } + } + + DEBUG(SSSDBG_TRACE_FUNC, "Creating %s view.\n", LOCALVIEW); + + ret = sysdb_update_view_name(domain->sysdb, LOCALVIEW); + if (ret == EOK) { + printf("SSSD needs to be restarted for the changes to take effect.\n"); + } + +done: + talloc_free(viewname); + return ret; +} + +static char * build_anchor(TALLOC_CTX *mem_ctx, const char *obj_dn) +{ + char *anchor; + char *safe_dn; + errno_t ret; + + ret = sysdb_dn_sanitize(mem_ctx, obj_dn, &safe_dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_dn_sanitize() failed\n"); + return NULL; + } + + anchor = talloc_asprintf(mem_ctx, ":%s:%s", LOCALVIEW, safe_dn); + + talloc_free(safe_dn); + + return anchor; +} + +static struct sysdb_attrs * build_attrs(TALLOC_CTX *mem_ctx, + const char *name, + uid_t uid, + gid_t gid, + const char *home, + const char *shell, + const char *gecos) +{ + struct sysdb_attrs *attrs; + errno_t ret; + + attrs = sysdb_new_attrs(mem_ctx); + if (attrs == NULL) { + return NULL; + } + + if (name != NULL) { + ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, name); + if (ret != EOK) { + goto done; + } + } + + if (uid != 0) { + ret = sysdb_attrs_add_uint32(attrs, SYSDB_UIDNUM, uid); + if (ret != EOK) { + goto done; + } + } + + if (gid != 0) { + ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid); + if (ret != EOK) { + goto done; + } + } + + if (home != NULL) { + ret = sysdb_attrs_add_string(attrs, SYSDB_HOMEDIR, home); + if (ret != EOK) { + goto done; + } + } + + if (shell != NULL) { + ret = sysdb_attrs_add_string(attrs, SYSDB_SHELL, shell); + if (ret != EOK) { + goto done; + } + } + + if (gecos != NULL) { + ret = sysdb_attrs_add_string(attrs, SYSDB_GECOS, gecos); + if (ret != EOK) { + goto done; + } + } + +done: + if (ret != EOK) { + talloc_free(attrs); + return NULL; + } + + return attrs; +} + +static struct sysdb_attrs * build_user_attrs(TALLOC_CTX *mem_ctx, + struct override_user *user) +{ + return build_attrs(mem_ctx, user->name, user->uid, user->gid, user->home, + user->shell, user->gecos); +} + +static struct sysdb_attrs * build_group_attrs(TALLOC_CTX *mem_ctx, + struct override_group *group) +{ + return build_attrs(mem_ctx, group->name, 0, group->gid, 0, NULL, NULL); +} + +static const char * get_object_dn_and_domain(TALLOC_CTX *mem_ctx, + enum sysdb_member_type type, + const char *name, + struct sss_domain_info *domain, + struct sss_domain_info *domains, + struct sss_domain_info **_new_domain) +{ + TALLOC_CTX *tmp_ctx; + struct sss_domain_info *dom; + struct ldb_result *res; + const char *dn; + const char *strtype; + bool check_next; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return NULL; + } + + /* Ensure that the object is in cache. */ + switch (type) { + case SYSDB_MEMBER_USER: + if (getpwnam(name) == NULL) { + ret = ENOENT; + goto done; + } + break; + case SYSDB_MEMBER_GROUP: + if (getgrnam(name) == NULL) { + ret = ENOENT; + goto done; + } + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported member type %d\n", type); + ret = ERR_INTERNAL; + goto done; + } + + /* Find domain if it is unknown. */ + if (domain == NULL) { + check_next = true; + dom = domains; + } else { + check_next = false; + dom = domain; + } + + do { + switch (type) { + case SYSDB_MEMBER_USER: + DEBUG(SSSDBG_TRACE_FUNC, "Trying to find user %s@%s\n", + name, dom->name); + ret = sysdb_getpwnam(tmp_ctx, dom, name, &res); + strtype = "user"; + break; + case SYSDB_MEMBER_GROUP: + DEBUG(SSSDBG_TRACE_FUNC, "Trying to find group %s@%s\n", + name, dom->name); + ret = sysdb_getgrnam(tmp_ctx, dom, name, &res); + strtype = "group"; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported member type %d\n", type); + ret = ERR_INTERNAL; + goto done; + } + + if (ret == EOK && res->count == 0) { + ret = ENOENT; + + if (check_next) { + dom = dom->next; + continue; + } + } + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find %s %s@%s [%d]: %s\n", + strtype, name, dom->name, ret, sss_strerror(ret)); + goto done; + } else if (res->count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "More than one %s found?\n", strtype); + ret = ERR_INTERNAL; + goto done; + } + + check_next = false; + } while (check_next && dom != NULL); + + DEBUG(SSSDBG_TRACE_FUNC, "Domain of %s %s is %s\n", + strtype, name, dom->name); + + dn = ldb_dn_get_linearized(res->msgs[0]->dn); + if (dn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "ldb_dn_get_linearized() failed.\n"); + ret = ENOMEM; + goto done; + } + + talloc_steal(mem_ctx, dn); + *_new_domain = dom; + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + if (ret != EOK) { + return NULL; + } + + return dn; +} + +static const char * get_user_dn_and_domain(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, + struct override_user *user) +{ + return get_object_dn_and_domain(mem_ctx, SYSDB_MEMBER_USER, + user->orig_name, user->domain, domains, + &user->domain); +} + +static const char * get_group_dn_and_domain(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, + struct override_group *group) +{ + return get_object_dn_and_domain(mem_ctx, SYSDB_MEMBER_GROUP, + group->orig_name, group->domain, domains, + &group->domain); +} + +static errno_t override_object_add(struct sss_domain_info *domain, + enum sysdb_member_type type, + struct sysdb_attrs *attrs, + const char *obj_dn) +{ + TALLOC_CTX *tmp_ctx; + const char *anchor; + struct ldb_dn *ldb_dn; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ldb_dn = ldb_dn_new(tmp_ctx, sysdb_ctx_get_ldb(domain->sysdb), obj_dn); + if (ldb_dn == NULL) { + ret = ENOMEM; + goto done; + } + + anchor = build_anchor(tmp_ctx, obj_dn); + if (anchor == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, anchor); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Creating override for %s\n", obj_dn); + + ret = sysdb_store_override(domain, LOCALVIEW, type, attrs, ldb_dn); + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t override_object_del(struct sss_domain_info *domain, + const char *obj_dn) +{ + TALLOC_CTX *tmp_ctx; + const char *anchor; + struct ldb_dn *override_dn; + struct ldb_message *msg; + errno_t ret; + int sret; + bool in_transaction; + struct ldb_context *ldb = sysdb_ctx_get_ldb(domain->sysdb); + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + anchor = build_anchor(tmp_ctx, obj_dn); + if (anchor == NULL) { + ret = ENOMEM; + goto done; + } + + override_dn = ldb_dn_new_fmt(tmp_ctx, ldb, + SYSDB_TMPL_OVERRIDE, anchor, LOCALVIEW); + if (override_dn == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Removing override for %s\n", obj_dn); + + ret = sysdb_transaction_start(domain->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_transaction_start() failed.\n"); + goto done; + } + in_transaction = true; + + ret = sysdb_delete_entry(domain->sysdb, override_dn, true); + + msg = ldb_msg_new(tmp_ctx); + if (msg == NULL) { + ret = ENOMEM; + goto done; + } + + msg->dn = ldb_dn_new(msg, ldb, obj_dn); + if (msg->dn == NULL) { + ret = ENOMEM; + goto done; + } + + ret = ldb_msg_add_empty(msg, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty() failed\n"); + ret = sysdb_error_to_errno(ret); + goto done; + } + + ret = ldb_modify(ldb, msg); + if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_modify() failed: [%s](%d)[%s]\n", + ldb_strerror(ret), ret, ldb_errstring(ldb)); + ret = sysdb_error_to_errno(ret); + goto done; + } + + ret = sysdb_transaction_commit(domain->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + ret = EOK; + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(domain->sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n"); + } + } + + talloc_free(tmp_ctx); + return ret; +} + +static int override_user_add(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt) +{ + struct override_user user = {NULL}; + struct sysdb_attrs *attrs; + const char *dn; + int ret; + + ret = parse_cmdline_user_add(cmdline, tool_ctx, &user); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n"); + return EXIT_FAILURE; + } + + dn = get_user_dn_and_domain(tool_ctx, tool_ctx->domains, &user); + if (dn == NULL) { + fprintf(stderr, "Unable to find user %s@%s.\n", + user.orig_name, user.domain->name); + return EXIT_FAILURE; + } + + ret = prepare_view(user.domain); + if (ret == ENOENT) { + fprintf(stderr, "Other than LOCAL view already exist in domain %s.\n", + user.domain->name); + return EXIT_FAILURE; + } + + attrs = build_user_attrs(tool_ctx, &user); + if (attrs == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build sysdb attrs.\n"); + return EXIT_FAILURE; + } + + ret = override_object_add(user.domain, SYSDB_MEMBER_USER, attrs, dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add override object.\n"); + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; +} + +static int override_user_del(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt) +{ + struct override_user user = {NULL}; + const char *dn; + int ret; + + ret = parse_cmdline_user_del(cmdline, tool_ctx, &user); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n"); + return EXIT_FAILURE; + } + + dn = get_user_dn_and_domain(tool_ctx, tool_ctx->domains, &user); + if (dn == NULL) { + fprintf(stderr, "Unable to find user %s@%s.\n", + user.orig_name, user.domain->name); + return EXIT_FAILURE; + } + + ret = override_object_del(user.domain, dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add override object.\n"); + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; +} + +static int override_group_add(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt) +{ + struct override_group group = {NULL}; + struct sysdb_attrs *attrs; + const char *dn; + int ret; + + ret = parse_cmdline_group_add(cmdline, tool_ctx, &group); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n"); + return EXIT_FAILURE; + } + + dn = get_group_dn_and_domain(tool_ctx, tool_ctx->domains, &group); + if (dn == NULL) { + fprintf(stderr, "Unable to find group %s@%s.\n", + group.orig_name, group.domain->name); + return EXIT_FAILURE; + } + + ret = prepare_view(group.domain); + if (ret == ENOENT) { + fprintf(stderr, "Other than LOCAL view already exist in domain %s.\n", + group.domain->name); + return EXIT_FAILURE; + } + + attrs = build_group_attrs(tool_ctx, &group); + if (attrs == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build sysdb attrs.\n"); + return EXIT_FAILURE; + } + + ret = override_object_add(group.domain, SYSDB_MEMBER_GROUP, attrs, dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add override object.\n"); + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; +} + +static int override_group_del(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt) +{ + struct override_group group = {NULL}; + const char *dn; + int ret; + + ret = parse_cmdline_group_del(cmdline, tool_ctx, &group); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n"); + return EXIT_FAILURE; + } + + dn = get_group_dn_and_domain(tool_ctx, tool_ctx->domains, &group); + if (dn == NULL) { + fprintf(stderr, "Unable to find group %s@%s.\n", + group.orig_name, group.domain->name); + return EXIT_FAILURE; + } + + ret = override_object_del(group.domain, dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add override object.\n"); + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; +} + +int main(int argc, const char **argv) +{ + struct sss_route_cmd commands[] = { + {"user-add", override_user_add}, + {"user-del", override_user_del}, + {"group-add", override_group_add}, + {"group-del", override_group_del}, + {NULL, NULL} + }; + + return sss_tool_main(argc, argv, commands, NULL); +} -- 2.1.0
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
