[ipfire-3.x.git] / sssd / patches / 0022-SYSDB-Adding-lowercase-sudoUser-form.patch

From b87ca4233342e1537fda5ce731db77cf24e422c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH 22/39] SYSDB: Adding lowercase sudoUser form
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If domain is not case sensitive we add lowercase form of usernames
to sudoUser attributes. So we actually able to apply sudoRule on
user Administrator@... with login admnistrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
(cherry picked from commit 88239b7f17f599aefa88a8a31c2d0ea44b766c87)
---
 src/db/sysdb_sudo.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 601fb63f2..4bd93ffc6 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -852,6 +852,65 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
     return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+                                            struct sysdb_attrs *rule)
+{
+    TALLOC_CTX *tmp_ctx;
+    const char **users = NULL;
+    const char *lowered = NULL;
+    errno_t ret;
+
+    if (domain->case_sensitive == true || rule == NULL) {
+        return EOK;
+    }
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+                                       &users);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+              SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+        goto done;
+    }
+
+    if (users == NULL) {
+        ret =  EOK;
+        goto done;
+    }
+
+    for (int i = 0; users[i] != NULL; i++) {
+        lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+        if (lowered == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+            ret = ENOMEM;
+            goto done;
+        }
+
+        if (strcmp(users[i], lowered) == 0) {
+            /* It protects us from adding duplicate. */
+            continue;
+        }
+
+        ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Unable to add %s attribute [%d]: %s\n",
+                  SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+            goto done;
+        }
+    }
+
+    ret = EOK;
+
+done:
+    talloc_zfree(tmp_ctx);
+    return ret;
+}
+
 static errno_t
 sysdb_sudo_store_rule(struct sss_domain_info *domain,
                       struct sysdb_attrs *rule,
@@ -868,6 +927,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
 
     DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
 
+    ret = sysdb_sudo_add_lowered_users(domain, rule);
+    if (ret != EOK) {
+        return ret;
+    }
+
     ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
     if (ret != EOK) {
         return ret;
-- 
2.11.0
Commit	Line	Data
92ae11e3 SS	1	From b87ca4233342e1537fda5ce731db77cf24e422c3 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
	3	Date: Wed, 12 Oct 2016 16:48:38 +0200
	4	Subject: [PATCH 22/39] SYSDB: Adding lowercase sudoUser form
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	If domain is not case sensitive we add lowercase form of usernames
	10	to sudoUser attributes. So we actually able to apply sudoRule on
	11	user Administrator@... with login admnistrator@...
	12
	13	Resolves:
	14	https://fedorahosted.org/sssd/ticket/3203
	15
	16	Reviewed-by: Pavel Březina <pbrezina@redhat.com>
	17	(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
	18	(cherry picked from commit 88239b7f17f599aefa88a8a31c2d0ea44b766c87)
	19	---
	20	src/db/sysdb_sudo.c \| 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++
	21	1 file changed, 64 insertions(+)
	22
	23	diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
	24	index 601fb63f2..4bd93ffc6 100644
	25	--- a/src/db/sysdb_sudo.c
	26	+++ b/src/db/sysdb_sudo.c
	27	@@ -852,6 +852,65 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
	28	return EOK;
	29	}
	30
	31	+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
	32	+ struct sysdb_attrs *rule)
	33	+{
	34	+ TALLOC_CTX *tmp_ctx;
	35	+ const char **users = NULL;
	36	+ const char *lowered = NULL;
	37	+ errno_t ret;
	38	+
	39	+ if (domain->case_sensitive == true \|\| rule == NULL) {
	40	+ return EOK;
	41	+ }
	42	+
	43	+ tmp_ctx = talloc_new(NULL);
	44	+ if (tmp_ctx == NULL) {
	45	+ return ENOMEM;
	46	+ }
	47	+
	48	+ ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
	49	+ &users);
	50	+ if (ret != EOK) {
	51	+ DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
	52	+ SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
	53	+ goto done;
	54	+ }
	55	+
	56	+ if (users == NULL) {
	57	+ ret = EOK;
	58	+ goto done;
	59	+ }
	60	+
	61	+ for (int i = 0; users[i] != NULL; i++) {
	62	+ lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
	63	+ if (lowered == NULL) {
	64	+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
65	+ ret = ENOMEM;
66	+ goto done;
67	+ }
68	+
69	+ if (strcmp(users[i], lowered) == 0) {
70	+ /* It protects us from adding duplicate. */
71	+ continue;
72	+ }
73	+
74	+ ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
75	+ if (ret != EOK) {
76	+ DEBUG(SSSDBG_OP_FAILURE,
77	+ "Unable to add %s attribute [%d]: %s\n",
78	+ SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
79	+ goto done;
80	+ }
81	+ }
82	+
83	+ ret = EOK;
84	+
85	+done:
86	+ talloc_zfree(tmp_ctx);
87	+ return ret;
88	+}
89	+
90	static errno_t
91	sysdb_sudo_store_rule(struct sss_domain_info *domain,
92	struct sysdb_attrs *rule,
93	@@ -868,6 +927,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
94
95	DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
96
97	+ ret = sysdb_sudo_add_lowered_users(domain, rule);
98	+ if (ret != EOK) {
99	+ return ret;
100	+ }
101	+
102	ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
103	if (ret != EOK) {
104	return ret;
105	--
106	2.11.0
107