sssd/0022-IPA-SUDO-choose-between-IPA-and-LDAP-schema.patch

From 420700d4afe7ca56a8cb707cc81d0494e9296a34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 25 Nov 2015 12:32:25 +0100
Subject: [PATCH 22/49] IPA SUDO: choose between IPA and LDAP schema

This patch implement logic to choose between IPA and LDAP schema. From
this point the sudo support in IPA is removed if sudo search base is
not set specifically, it will be brought back in furter patches.

Resolves:
https://fedorahosted.org/sssd/ticket/1108

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 0f04241fc90f134af0272eb0999e75fb6749b595)
---
 src/providers/ipa/ipa_common.c |  38 ---------------
 src/providers/ipa/ipa_sudo.c   | 108 +++++++++++++++++++++++++++++++++--------
 2 files changed, 88 insertions(+), 58 deletions(-)

diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 2940a42cc8d1eeb0dc18289bbe14d0effcc2be91..90be427518b55a22e307249fbd628017ae4600a3 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -311,44 +311,6 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
     if (ret != EOK) goto done;
 
     if (NULL == dp_opt_get_string(ipa_opts->id->basic,
-                                  SDAP_SUDO_SEARCH_BASE)) {
-#if 0
-        ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_SUDO_SEARCH_BASE,
-                                dp_opt_get_string(ipa_opts->id->basic,
-                                                  SDAP_SEARCH_BASE));
-        if (ret != EOK) {
-            goto done;
-        }
-#else
-        /* We don't yet have support for the representation
-         * of sudo in IPA. For now, we need to point at the
-         * compat tree
-         */
-        value = talloc_asprintf(tmpctx, "ou=SUDOers,%s", basedn);
-        if (!value) {
-            ret = ENOMEM;
-            goto done;
-        }
-
-        ret = dp_opt_set_string(ipa_opts->id->basic,
-                                SDAP_SUDO_SEARCH_BASE,
-                                 value);
-        if (ret != EOK) {
-            goto done;
-        }
-#endif
-
-        DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n",
-                  ipa_opts->id->basic[SDAP_SUDO_SEARCH_BASE].opt_name,
-                  dp_opt_get_string(ipa_opts->id->basic,
-                                    SDAP_SUDO_SEARCH_BASE));
-    }
-    ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic,
-                                 SDAP_SUDO_SEARCH_BASE,
-                                 &ipa_opts->id->sdom->sudo_search_bases);
-    if (ret != EOK) goto done;
-
-    if (NULL == dp_opt_get_string(ipa_opts->id->basic,
                                   SDAP_NETGROUP_SEARCH_BASE)) {
         value = talloc_asprintf(tmpctx, "cn=ng,cn=alt,%s", basedn);
         if (!value) {
diff --git a/src/providers/ipa/ipa_sudo.c b/src/providers/ipa/ipa_sudo.c
index 4863aa55904c47ff7d19e3fdb364c06bad5f5678..3d159b3ac0f4ce8f423454506f66f23009eb463f 100644
--- a/src/providers/ipa/ipa_sudo.c
+++ b/src/providers/ipa/ipa_sudo.c
@@ -1,12 +1,8 @@
 /*
-    SSSD
-
-    IPA Provider Initialization functions
-
     Authors:
-        Lukas Slebodnik <lslebodn@redhat.com>
+        Pavel Březina <pbrezina@redhat.com>
 
-    Copyright (C) 2013 Red Hat
+    Copyright (C) 2015 Red Hat
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -25,31 +21,103 @@
 #include "providers/ipa/ipa_common.h"
 #include "providers/ldap/sdap_sudo.h"
 
+enum sudo_schema {
+    SUDO_SCHEMA_IPA,
+    SUDO_SCHEMA_LDAP
+};
+
+static errno_t
+ipa_sudo_choose_schema(struct dp_option *ipa_opts,
+                       struct dp_option *sdap_opts,
+                       enum sudo_schema *_schema)
+{
+    TALLOC_CTX *tmp_ctx;
+    char *ipa_search_base;
+    char *search_base;
+    char *basedn;
+    errno_t ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+        return ENOMEM;
+    }
+
+    ret = domain_to_basedn(tmp_ctx, dp_opt_get_string(ipa_opts,
+                           IPA_KRB5_REALM), &basedn);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain basedn\n");
+        goto done;
+    }
+
+    ipa_search_base = talloc_asprintf(tmp_ctx, "cn=sudo,%s", basedn);
+    if (ipa_search_base == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    search_base = dp_opt_get_string(sdap_opts, SDAP_SUDO_SEARCH_BASE);
+    if (search_base == NULL) {
+        ret = dp_opt_set_string(sdap_opts, SDAP_SUDO_SEARCH_BASE,
+                                ipa_search_base);
+        if (ret != EOK) {
+            goto done;
+        }
+
+        DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n",
+              sdap_opts[SDAP_SUDO_SEARCH_BASE].opt_name, ipa_search_base);
+
+        search_base = ipa_search_base;
+    }
+
+    /* Use IPA schema only if search base is cn=sudo,$dc. */
+    if (strcmp(ipa_search_base, search_base) == 0) {
+        *_schema = SUDO_SCHEMA_IPA;
+    } else {
+        *_schema = SUDO_SCHEMA_LDAP;
+    }
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
+
 int ipa_sudo_init(struct be_ctx *be_ctx,
                   struct ipa_id_ctx *id_ctx,
                   struct bet_ops **ops,
                   void **pvt_data)
 {
-    int ret;
-    struct ipa_options *ipa_options;
-    struct sdap_options *ldap_options;
+    enum sudo_schema schema;
+    errno_t ret;
 
-    DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing sudo IPA back end\n");
+    DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA sudo back end\n");
 
-    /*
-     * SDAP_SUDO_SEARCH_BASE has already been initialized in
-     * function ipa_get_id_options
-     */
-    ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
+    ret = ipa_sudo_choose_schema(id_ctx->ipa_options->basic,
+                                 id_ctx->ipa_options->id->basic,
+                                 &schema);
     if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize LDAP SUDO [%d]: %s\n",
-                                  ret, strerror(ret));
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to choose sudo schema [%d]: %s\n",
+                                   ret, sss_strerror(ret));
         return ret;
     }
 
-    ipa_options = id_ctx->ipa_options;
-    ldap_options = id_ctx->sdap_id_ctx->opts;
+    switch (schema) {
+    case SUDO_SCHEMA_IPA:
+        DEBUG(SSSDBG_TRACE_FUNC, "Using IPA schema for sudo\n");
+        break;
+    case SUDO_SCHEMA_LDAP:
+        DEBUG(SSSDBG_TRACE_FUNC, "Using LDAP schema for sudo\n");
+        ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);
+        break;
+    }
+
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize sudo provider"
+              "[%d]: %s\n", ret, sss_strerror(ret));
+        return ret;
+    }
 
-    ipa_options->id->sudorule_map = ldap_options->sudorule_map;
     return EOK;
 }
-- 
2.5.0
Resolves: rhbz#1256849 - SUDO: Support the IPA schema 2016-01-19 17:23:34 +00:00			`From 420700d4afe7ca56a8cb707cc81d0494e9296a34 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>`
			`Date: Wed, 25 Nov 2015 12:32:25 +0100`
			`Subject: [PATCH 22/49] IPA SUDO: choose between IPA and LDAP schema`

			`This patch implement logic to choose between IPA and LDAP schema. From`
			`this point the sudo support in IPA is removed if sudo search base is`
			`not set specifically, it will be brought back in furter patches.`

			`Resolves:`
			`https://fedorahosted.org/sssd/ticket/1108`

			`Reviewed-by: Sumit Bose <sbose@redhat.com>`
			`(cherry picked from commit 0f04241fc90f134af0272eb0999e75fb6749b595)`
			`---`
			`src/providers/ipa/ipa_common.c \| 38 ---------------`
			`src/providers/ipa/ipa_sudo.c \| 108 +++++++++++++++++++++++++++++++++--------`
			`2 files changed, 88 insertions(+), 58 deletions(-)`

			`diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c`
			`index 2940a42cc8d1eeb0dc18289bbe14d0effcc2be91..90be427518b55a22e307249fbd628017ae4600a3 100644`
			`--- a/src/providers/ipa/ipa_common.c`
			`+++ b/src/providers/ipa/ipa_common.c`
			`@@ -311,44 +311,6 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,`
			`if (ret != EOK) goto done;`

			`if (NULL == dp_opt_get_string(ipa_opts->id->basic,`
			`- SDAP_SUDO_SEARCH_BASE)) {`
			`-#if 0`
			`- ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_SUDO_SEARCH_BASE,`
			`- dp_opt_get_string(ipa_opts->id->basic,`
			`- SDAP_SEARCH_BASE));`
			`- if (ret != EOK) {`
			`- goto done;`
			`- }`
			`-#else`
			`- /* We don't yet have support for the representation`
			`- * of sudo in IPA. For now, we need to point at the`
			`- * compat tree`
			`- */`
			`- value = talloc_asprintf(tmpctx, "ou=SUDOers,%s", basedn);`
			`- if (!value) {`
			`- ret = ENOMEM;`
			`- goto done;`
			`- }`
			`-`
			`- ret = dp_opt_set_string(ipa_opts->id->basic,`
			`- SDAP_SUDO_SEARCH_BASE,`
			`- value);`
			`- if (ret != EOK) {`
			`- goto done;`
			`- }`
			`-#endif`
			`-`
			`- DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n",`
			`- ipa_opts->id->basic[SDAP_SUDO_SEARCH_BASE].opt_name,`
			`- dp_opt_get_string(ipa_opts->id->basic,`
			`- SDAP_SUDO_SEARCH_BASE));`
			`- }`
			`- ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic,`
			`- SDAP_SUDO_SEARCH_BASE,`
			`- &ipa_opts->id->sdom->sudo_search_bases);`
			`- if (ret != EOK) goto done;`
			`-`
			`- if (NULL == dp_opt_get_string(ipa_opts->id->basic,`
			`SDAP_NETGROUP_SEARCH_BASE)) {`
			`value = talloc_asprintf(tmpctx, "cn=ng,cn=alt,%s", basedn);`
			`if (!value) {`
			`diff --git a/src/providers/ipa/ipa_sudo.c b/src/providers/ipa/ipa_sudo.c`
			`index 4863aa55904c47ff7d19e3fdb364c06bad5f5678..3d159b3ac0f4ce8f423454506f66f23009eb463f 100644`
			`--- a/src/providers/ipa/ipa_sudo.c`
			`+++ b/src/providers/ipa/ipa_sudo.c`
			`@@ -1,12 +1,8 @@`
			`/*`
			`- SSSD`
			`-`
			`- IPA Provider Initialization functions`
			`-`
			`Authors:`
			`- Lukas Slebodnik <lslebodn@redhat.com>`
			`+ Pavel Březina <pbrezina@redhat.com>`

			`- Copyright (C) 2013 Red Hat`
			`+ Copyright (C) 2015 Red Hat`

			`This program is free software; you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`@@ -25,31 +21,103 @@`
			`#include "providers/ipa/ipa_common.h"`
			`#include "providers/ldap/sdap_sudo.h"`

			`+enum sudo_schema {`
			`+ SUDO_SCHEMA_IPA,`
			`+ SUDO_SCHEMA_LDAP`
			`+};`
			`+`
			`+static errno_t`
			`+ipa_sudo_choose_schema(struct dp_option *ipa_opts,`
			`+ struct dp_option *sdap_opts,`
			`+ enum sudo_schema *_schema)`
			`+{`
			`+ TALLOC_CTX *tmp_ctx;`
			`+ char *ipa_search_base;`
			`+ char *search_base;`
			`+ char *basedn;`
			`+ errno_t ret;`
			`+`
			`+ tmp_ctx = talloc_new(NULL);`
			`+ if (tmp_ctx == NULL) {`
			`+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");`
			`+ return ENOMEM;`
			`+ }`
			`+`
			`+ ret = domain_to_basedn(tmp_ctx, dp_opt_get_string(ipa_opts,`
			`+ IPA_KRB5_REALM), &basedn);`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain basedn\n");`
			`+ goto done;`
			`+ }`
			`+`
			`+ ipa_search_base = talloc_asprintf(tmp_ctx, "cn=sudo,%s", basedn);`
			`+ if (ipa_search_base == NULL) {`
			`+ ret = ENOMEM;`
			`+ goto done;`
			`+ }`
			`+`
			`+ search_base = dp_opt_get_string(sdap_opts, SDAP_SUDO_SEARCH_BASE);`
			`+ if (search_base == NULL) {`
			`+ ret = dp_opt_set_string(sdap_opts, SDAP_SUDO_SEARCH_BASE,`
			`+ ipa_search_base);`
			`+ if (ret != EOK) {`
			`+ goto done;`
			`+ }`
			`+`
			`+ DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n",`
			`+ sdap_opts[SDAP_SUDO_SEARCH_BASE].opt_name, ipa_search_base);`
			`+`
			`+ search_base = ipa_search_base;`
			`+ }`
			`+`
			`+ /* Use IPA schema only if search base is cn=sudo,$dc. */`
			`+ if (strcmp(ipa_search_base, search_base) == 0) {`
			`+ *_schema = SUDO_SCHEMA_IPA;`
			`+ } else {`
			`+ *_schema = SUDO_SCHEMA_LDAP;`
			`+ }`
			`+`
			`+ ret = EOK;`
			`+`
			`+done:`
			`+ talloc_free(tmp_ctx);`
			`+ return ret;`
			`+}`
			`+`
			`int ipa_sudo_init(struct be_ctx *be_ctx,`
			`struct ipa_id_ctx *id_ctx,`
			`struct bet_ops **ops,`
			`void **pvt_data)`
			`{`
			`- int ret;`
			`- struct ipa_options *ipa_options;`
			`- struct sdap_options *ldap_options;`
			`+ enum sudo_schema schema;`
			`+ errno_t ret;`

			`- DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing sudo IPA back end\n");`
			`+ DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA sudo back end\n");`

			`- /*`
			`- * SDAP_SUDO_SEARCH_BASE has already been initialized in`
			`- * function ipa_get_id_options`
			`- */`
			`- ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);`
			`+ ret = ipa_sudo_choose_schema(id_ctx->ipa_options->basic,`
			`+ id_ctx->ipa_options->id->basic,`
			`+ &schema);`
			`if (ret != EOK) {`
			`- DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize LDAP SUDO [%d]: %s\n",`
			`- ret, strerror(ret));`
			`+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to choose sudo schema [%d]: %s\n",`
			`+ ret, sss_strerror(ret));`
			`return ret;`
			`}`

			`- ipa_options = id_ctx->ipa_options;`
			`- ldap_options = id_ctx->sdap_id_ctx->opts;`
			`+ switch (schema) {`
			`+ case SUDO_SCHEMA_IPA:`
			`+ DEBUG(SSSDBG_TRACE_FUNC, "Using IPA schema for sudo\n");`
			`+ break;`
			`+ case SUDO_SCHEMA_LDAP:`
			`+ DEBUG(SSSDBG_TRACE_FUNC, "Using LDAP schema for sudo\n");`
			`+ ret = sdap_sudo_init(be_ctx, id_ctx->sdap_id_ctx, ops, pvt_data);`
			`+ break;`
			`+ }`
			`+`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize sudo provider"`
			`+ "[%d]: %s\n", ret, sss_strerror(ret));`
			`+ return ret;`
			`+ }`

			`- ipa_options->id->sudorule_map = ldap_options->sudorule_map;`
			`return EOK;`
			`}`
			`--`
			`2.5.0`