sssd/0022-confdb-add-special-handling-for-rules-for-the-files-.patch

From 9386ef605ffbc03abe2bc273efddbc099441fe3b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Jul 2018 15:17:10 +0200
Subject: [PATCH 27/83] confdb: add special handling for rules for the files
 provider

To make the configuration more simple there are some special assumption
for local users, i.e. user managed by the files provider.

Related to https://pagure.io/SSSD/sssd/issue/3500

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/confdb/confdb.c              | 59 ++++++++++++++++++++++++++++++++++++++++
 src/confdb/confdb.h              |  1 +
 src/providers/files/files_init.c | 10 +++++++
 3 files changed, 70 insertions(+)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 26415ca..954c3ba 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -2203,6 +2203,56 @@ done:
     return ret;
 }
 
+static errno_t certmap_local_check(struct ldb_message *msg)
+{
+    const char *rule_name;
+    const char *tmp_str;
+    int ret;
+
+    rule_name = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_NAME, NULL);
+    if (rule_name == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Certficate mapping rule [%s] has no name.",
+                                   ldb_dn_get_linearized(msg->dn));
+        return EINVAL;
+    }
+
+    tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_DOMAINS, NULL);
+    if (tmp_str != NULL) {
+        DEBUG(SSSDBG_CONF_SETTINGS,
+              "Option [%s] is ignored for local certmap rules.\n",
+              CONFDB_CERTMAP_DOMAINS);
+    }
+
+    tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_MAPRULE, NULL);
+    if (tmp_str != NULL) {
+        if (tmp_str[0] != '(' || tmp_str[strlen(tmp_str) - 1] != ')') {
+            DEBUG(SSSDBG_CONF_SETTINGS,
+                  "Mapping rule must be in braces (...).\n");
+            return EINVAL;
+        }
+        DEBUG(SSSDBG_TRACE_ALL, "Using [%s] mapping rule of [%s].\n",
+                                tmp_str, ldb_dn_get_linearized(msg->dn));
+        return EOK;
+    }
+
+    tmp_str = talloc_asprintf(msg, "(%s)", rule_name);
+    if (tmp_str == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+        return ENOMEM;
+    }
+    ret = ldb_msg_add_string(msg, CONFDB_CERTMAP_MAPRULE, tmp_str);
+    if (ret != LDB_SUCCESS) {
+        talloc_free(discard_const(tmp_str));
+        DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n");
+        return EIO;
+    }
+
+    DEBUG(SSSDBG_TRACE_ALL, "Using [%s] as mapping rule for [%s].\n",
+                            tmp_str, ldb_dn_get_linearized(msg->dn));
+
+    return EOK;
+}
+
 static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
                                        struct confdb_ctx *cdb,
                                        struct sss_domain_info *dom,
@@ -2251,6 +2301,15 @@ static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
     }
 
     for (c = 0; c < res->count; c++) {
+        if (is_files_provider(dom)) {
+            ret = certmap_local_check(res->msgs[c]);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_CONF_SETTINGS,
+                      "Invalid certificate mapping [%s] for local user, "
+                      "ignored.\n", ldb_dn_get_linearized(res->msgs[c]->dn));
+                continue;
+            }
+        }
         ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
                                                  attrs, &certmap_list[c]);
         if (ret != EOK) {
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2aae93a..625d156 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -685,6 +685,7 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
  */
 int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
                             struct sss_domain_info *dom);
+
 /**
  * @}
  */
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
index 746c04a..c793bed 100644
--- a/src/providers/files/files_init.c
+++ b/src/providers/files/files_init.c
@@ -189,6 +189,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
+    ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Failed to initialize certificate mapping rules. "
+              "Authentication with certificates/Smartcards might not work "
+              "as expected.\n");
+        /* not fatal, ignored */
+    }
+
+
     *_module_data = ctx;
     ret = EOK;
 done:
-- 
2.9.5
Backport a bunch of upstream fixes - Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface 2018-10-24 08:34:15 +00:00			`From 9386ef605ffbc03abe2bc273efddbc099441fe3b Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Fri, 6 Jul 2018 15:17:10 +0200`
			`Subject: [PATCH 27/83] confdb: add special handling for rules for the files`
			`provider`

			`To make the configuration more simple there are some special assumption`
			`for local users, i.e. user managed by the files provider.`

			`Related to https://pagure.io/SSSD/sssd/issue/3500`

			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`---`
			`src/confdb/confdb.c \| 59 ++++++++++++++++++++++++++++++++++++++++`
			`src/confdb/confdb.h \| 1 +`
			`src/providers/files/files_init.c \| 10 +++++++`
			`3 files changed, 70 insertions(+)`

			`diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c`
			`index 26415ca..954c3ba 100644`
			`--- a/src/confdb/confdb.c`
			`+++ b/src/confdb/confdb.c`
			`@@ -2203,6 +2203,56 @@ done:`
			`return ret;`
			`}`

			`+static errno_t certmap_local_check(struct ldb_message *msg)`
			`+{`
			`+ const char *rule_name;`
			`+ const char *tmp_str;`
			`+ int ret;`
			`+`
			`+ rule_name = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_NAME, NULL);`
			`+ if (rule_name == NULL) {`
			`+ DEBUG(SSSDBG_CRIT_FAILURE, "Certficate mapping rule [%s] has no name.",`
			`+ ldb_dn_get_linearized(msg->dn));`
			`+ return EINVAL;`
			`+ }`
			`+`
			`+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_DOMAINS, NULL);`
			`+ if (tmp_str != NULL) {`
			`+ DEBUG(SSSDBG_CONF_SETTINGS,`
			`+ "Option [%s] is ignored for local certmap rules.\n",`
			`+ CONFDB_CERTMAP_DOMAINS);`
			`+ }`
			`+`
			`+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_MAPRULE, NULL);`
			`+ if (tmp_str != NULL) {`
			`+ if (tmp_str[0] != '(' \|\| tmp_str[strlen(tmp_str) - 1] != ')') {`
			`+ DEBUG(SSSDBG_CONF_SETTINGS,`
			`+ "Mapping rule must be in braces (...).\n");`
			`+ return EINVAL;`
			`+ }`
			`+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] mapping rule of [%s].\n",`
			`+ tmp_str, ldb_dn_get_linearized(msg->dn));`
			`+ return EOK;`
			`+ }`
			`+`
			`+ tmp_str = talloc_asprintf(msg, "(%s)", rule_name);`
			`+ if (tmp_str == NULL) {`
			`+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");`
			`+ return ENOMEM;`
			`+ }`
			`+ ret = ldb_msg_add_string(msg, CONFDB_CERTMAP_MAPRULE, tmp_str);`
			`+ if (ret != LDB_SUCCESS) {`
			`+ talloc_free(discard_const(tmp_str));`
			`+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n");`
			`+ return EIO;`
			`+ }`
			`+`
			`+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] as mapping rule for [%s].\n",`
			`+ tmp_str, ldb_dn_get_linearized(msg->dn));`
			`+`
			`+ return EOK;`
			`+}`
			`+`
			`static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,`
			`struct confdb_ctx *cdb,`
			`struct sss_domain_info *dom,`
			`@@ -2251,6 +2301,15 @@ static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,`
			`}`

			`for (c = 0; c < res->count; c++) {`
			`+ if (is_files_provider(dom)) {`
			`+ ret = certmap_local_check(res->msgs[c]);`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_CONF_SETTINGS,`
			`+ "Invalid certificate mapping [%s] for local user, "`
			`+ "ignored.\n", ldb_dn_get_linearized(res->msgs[c]->dn));`
			`+ continue;`
			`+ }`
			`+ }`
			`ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],`
			`attrs, &certmap_list[c]);`
			`if (ret != EOK) {`
			`diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h`
			`index 2aae93a..625d156 100644`
			`--- a/src/confdb/confdb.h`
			`+++ b/src/confdb/confdb.h`
			`@@ -685,6 +685,7 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,`
			`*/`
			`int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,`
			`struct sss_domain_info *dom);`
			`+`
			`/**`
			`* @}`
			`*/`
			`diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c`
			`index 746c04a..c793bed 100644`
			`--- a/src/providers/files/files_init.c`
			`+++ b/src/providers/files/files_init.c`
			`@@ -189,6 +189,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,`
			`goto done;`
			`}`

			`+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_CRIT_FAILURE,`
			`+ "Failed to initialize certificate mapping rules. "`
			`+ "Authentication with certificates/Smartcards might not work "`
			`+ "as expected.\n");`
			`+ /* not fatal, ignored */`
			`+ }`
			`+`
			`+`
			`*_module_data = ctx;`
			`ret = EOK;`
			`done:`
			`--`
			`2.9.5`