URL: https://github.com/SSSD/sssd/pull/43 Author: celestian Title: #43: SUDO: Adding user name alias to sudoRule filter Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/43/head:pr43 git checkout pr43
From aeeee1a754852f58e49e79d9a2e4c375c2025898 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <[email protected]> Date: Fri, 7 Oct 2016 14:40:05 +0200 Subject: [PATCH] SUDO: Adding user name alias to sudoRule filter This patch adds another value to sudoUser attribute of sudoRule filter. The value is 'user alias' which means it is cased version of user (in domains where it matters). Resolves: https://fedorahosted.org/sssd/ticket/3203 --- src/db/sysdb_sudo.c | 28 +++++++++- src/db/sysdb_sudo.h | 3 + src/responder/sudo/sudosrv_get_sudorules.c | 90 +++++++++++++++++++++++++----- src/tests/cmocka/test_sysdb_sudo.c | 11 ++-- 4 files changed, 109 insertions(+), 23 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 601fb63..1d36ec3 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -218,6 +218,7 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, static char * sysdb_sudo_filter_userinfo(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid) { @@ -250,6 +251,20 @@ sysdb_sudo_filter_userinfo(TALLOC_CTX *mem_ctx, goto done; } + if (username_alias != NULL && strcmp(username, username_alias) != 0) { + ret = sss_filter_sanitize(tmp_ctx, username_alias, &sanitized_name); + if (ret != EOK) { + goto done; + } + + filter = talloc_asprintf_append(filter, "(%s=%s)", attr, + sanitized_name); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + } + if (uid != 0) { filter = talloc_asprintf_append(filter, "(%s=#%"SPRIuid")", attr, uid); if (filter == NULL) { @@ -289,6 +304,7 @@ sysdb_sudo_filter_userinfo(TALLOC_CTX *mem_ctx, char * sysdb_sudo_filter_expired(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid) { @@ -296,7 +312,8 @@ sysdb_sudo_filter_expired(TALLOC_CTX *mem_ctx, char *filter; time_t now; - userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid); + userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, username_alias, + groupnames, uid); if (userfilter == NULL) { return NULL; } @@ -322,16 +339,19 @@ sysdb_sudo_filter_defaults(TALLOC_CTX *mem_ctx) SYSDB_NAME); } +//TODO char * sysdb_sudo_filter_user(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid) { char *userfilter; char *filter; - userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid); + userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, username_alias, + groupnames, uid); if (userfilter == NULL) { return NULL; } @@ -347,13 +367,15 @@ sysdb_sudo_filter_user(TALLOC_CTX *mem_ctx, char * sysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid) { char *userfilter; char *filter; - userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid); + userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, username_alias, + groupnames, uid); if (userfilter == NULL) { return NULL; } diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h index 9c2456c..d9a9c3c 100644 --- a/src/db/sysdb_sudo.h +++ b/src/db/sysdb_sudo.h @@ -99,6 +99,7 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, char * sysdb_sudo_filter_expired(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid); @@ -108,12 +109,14 @@ sysdb_sudo_filter_defaults(TALLOC_CTX *mem_ctx); char * sysdb_sudo_filter_user(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid); char * sysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid); diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c index 92a09f2..1656ece 100644 --- a/src/responder/sudo/sudosrv_get_sudorules.c +++ b/src/responder/sudo/sudosrv_get_sudorules.c @@ -171,6 +171,7 @@ static errno_t sudosrv_expired_rules(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groups, struct sysdb_attrs ***_rules, uint32_t *_num_rules) @@ -179,7 +180,8 @@ static errno_t sudosrv_expired_rules(TALLOC_CTX *mem_ctx, char *filter; errno_t ret; - filter = sysdb_sudo_filter_expired(NULL, username, groups, uid); + filter = sysdb_sudo_filter_expired(NULL, username, username_alias, + groups, uid); if (filter == NULL) { return ENOMEM; } @@ -195,6 +197,7 @@ static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groupnames, struct sysdb_attrs ***_rules, uint32_t *_num_rules) @@ -224,7 +227,8 @@ static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx, return ENOMEM; } - filter = sysdb_sudo_filter_user(tmp_ctx, username, groupnames, uid); + filter = sysdb_sudo_filter_user(tmp_ctx, username, username_alias, + groupnames, uid); if (filter == NULL) { ret = ENOMEM; goto done; @@ -267,6 +271,7 @@ static errno_t sudosrv_cached_rules_by_ng(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groupnames, struct sysdb_attrs ***_rules, uint32_t *_num_rules) @@ -287,7 +292,8 @@ static errno_t sudosrv_cached_rules_by_ng(TALLOC_CTX *mem_ctx, SYSDB_SUDO_CACHE_AT_ORDER, NULL }; - filter = sysdb_sudo_filter_netgroups(NULL, username, groupnames, uid); + filter = sysdb_sudo_filter_netgroups(NULL, username, username_alias, + groupnames, uid); if (filter == NULL) { return ENOMEM; } @@ -303,6 +309,7 @@ static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groups, bool inverse_order, struct sysdb_attrs ***_rules, @@ -323,14 +330,16 @@ static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx, return ENOMEM; } - ret = sudosrv_cached_rules_by_user(tmp_ctx, domain, uid, username, groups, - &user_rules, &num_user_rules); + ret = sudosrv_cached_rules_by_user(tmp_ctx, domain, uid, username, + username_alias, groups, &user_rules, + &num_user_rules); if (ret != EOK) { goto done; } - ret = sudosrv_cached_rules_by_ng(tmp_ctx, domain, uid, username, groups, - &ng_rules, &num_ng_rules); + ret = sudosrv_cached_rules_by_ng(tmp_ctx, domain, uid, username, + username_alias, groups, &ng_rules, + &num_ng_rules); if (ret != EOK) { goto done; } @@ -412,6 +421,7 @@ static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groups, bool inverse_order, struct sysdb_attrs ***_rules, @@ -428,8 +438,9 @@ static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx, username, domain->name); debug_name = "rules"; - ret = sudosrv_cached_rules(mem_ctx, domain, uid, username, groups, - inverse_order, &rules, &num_rules); + ret = sudosrv_cached_rules(mem_ctx, domain, uid, username, + username_alias, groups, inverse_order, + &rules, &num_rules); break; case SSS_SUDO_DEFAULTS: @@ -481,6 +492,7 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groups) { struct sudosrv_refresh_rules_state *state; @@ -501,8 +513,8 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx, state->domain = domain; state->username = username; - ret = sudosrv_expired_rules(state, domain, uid, username, groups, - &rules, &num_rules); + ret = sudosrv_expired_rules(state, domain, uid, username, username_alias, + groups, &rules, &num_rules); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve expired sudo rules [%d]: %s\n", @@ -606,6 +618,7 @@ struct sudosrv_get_rules_state { enum sss_sudo_type type; uid_t uid; char *username; + char *username_alias; struct sss_domain_info *domain; char **groups; bool inverse_order; @@ -666,22 +679,68 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx, return req; } +static errno_t cache_req_initgr_get_user_alias(TALLOC_CTX *mem_ctx, + struct ldb_result *initgr, + char **_user_alias) +{ + const char *obj_class = NULL; + const char *user_alias = NULL; + errno_t ret; + + for (int i = 0; i < initgr->count; i++) { + obj_class = ldb_msg_find_attr_as_string(initgr->msgs[i], + SYSDB_OBJECTCLASS, NULL); + if (obj_class == NULL) { + ret = ENOENT; + goto done; + } + + if (strcmp(obj_class, SYSDB_USER_CLASS) == 0) { + user_alias = ldb_msg_find_attr_as_string(initgr->msgs[i], + SYSDB_NAME, NULL); + if (user_alias == NULL) { + ret = ENOENT; + goto done; + } + break; + } + } + + if (user_alias == NULL) { + ret = ENOENT; + goto done; + } + + *_user_alias = talloc_steal(mem_ctx, discard_const(user_alias)); + ret = EOK; + +done: + return ret; +} + static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq) { struct sudosrv_get_rules_state *state; struct tevent_req *req; + struct ldb_result *initgr_res; errno_t ret; req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct sudosrv_get_rules_state); - ret = cache_req_initgr_by_name_recv(state, subreq, NULL, + ret = cache_req_initgr_by_name_recv(state, subreq, &initgr_res, &state->domain, &state->username); talloc_zfree(subreq); if (ret != EOK) { goto done; } + ret = cache_req_initgr_get_user_alias(state, initgr_res, + &state->username_alias); + if (ret != EOK) { + goto done; + } + ret = sysdb_get_sudo_user_info(state, state->domain, state->username, NULL, &state->groups); if (ret != EOK) { @@ -692,7 +751,8 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq) subreq = sudosrv_refresh_rules_send(state, state->ev, state->rctx, state->domain, state->uid, - state->username, state->groups); + state->username, state->username_alias, + state->groups); if (subreq == NULL) { ret = ENOMEM; goto done; @@ -729,8 +789,8 @@ static void sudosrv_get_rules_done(struct tevent_req *subreq) } ret = sudosrv_fetch_rules(state, state->type, state->domain, state->uid, - state->username, state->groups, - state->inverse_order, + state->username, state->username_alias, + state->groups, state->inverse_order, &state->rules, &state->num_rules); if (ret != EOK) { diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c index 889de72..5ed65ac 100644 --- a/src/tests/cmocka/test_sysdb_sudo.c +++ b/src/tests/cmocka/test_sysdb_sudo.c @@ -184,7 +184,7 @@ void test_store_sudo(void **state) ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1); assert_int_equal(ret, EOK); - filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0); + filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, NULL, 0); assert_non_null(filter); ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, @@ -233,7 +233,8 @@ void test_sudo_purge_by_filter(void **state) assert_int_equal(ret, EOK); assert_int_equal(get_stored_rules_count(test_ctx), 1); - delete_filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0); + delete_filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, NULL, + 0); assert_non_null(delete_filter); ret = sysdb_sudo_purge(test_ctx->tctx->dom, delete_filter, NULL, 0); @@ -359,7 +360,7 @@ void test_set_sudo_rule_attr_add(void **state) new_rule, SYSDB_MOD_ADD); assert_int_equal(ret, EOK); - filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0); + filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, NULL, 0); assert_non_null(filter); ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, @@ -412,7 +413,7 @@ void test_set_sudo_rule_attr_replace(void **state) new_rule, SYSDB_MOD_REP); assert_int_equal(ret, EOK); - filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0); + filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, NULL, 0); assert_non_null(filter); ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, @@ -466,7 +467,7 @@ void test_set_sudo_rule_attr_delete(void **state) new_rule, LDB_FLAG_MOD_DELETE); assert_int_equal(ret, EOK); - filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0); + filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, NULL, 0); assert_non_null(filter); ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter,
_______________________________________________ sssd-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
