From 2a2a021aa6ff9f3651c389201292c4066af4319d Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 8 Apr 2016 13:22:24 +0200
Subject: [PATCH 09/12] sss_override: add certificate support
---
 src/db/sysdb.h | 1 +
 src/tests/intg/ldap_local_override_test.py | 8 +++---
 src/tools/sss_override.c | 38 ++++++++++++++++++++++++++----
 3 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index d694508166d78a909316b66d672e3f16067c43ae..25c8763f76fcebc84fc32458edf18bcaec86658d 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -215,6 +215,7 @@
     SYSDB_PRIMARY_GROUP_GIDNUM, \
     SYSDB_SID_STR, \
     SYSDB_UPN, \
+    SYSDB_USER_CERT, \
     SYSDB_OVERRIDE_DN, \
     SYSDB_OVERRIDE_OBJECT_DN, \
     SYSDB_DEFAULT_OVERRIDE_NAME, \
diff --git a/src/tests/intg/ldap_local_override_test.py b/src/tests/intg/ldap_local_override_test.py
index 542527180cf2c7ec5a2984f6b42655fb0c75f5d1..046535c7727d0f2271f4b974f68ba0722222982b 100644
--- a/src/tests/intg/ldap_local_override_test.py
+++ b/src/tests/intg/ldap_local_override_test.py
@@ -529,11 +529,11 @@ def test_show_user_override(ldap_conn, env_show_user_override):
     out = check_output(['sss_override', 'user-show', 'user1'])
     assert out == "user1@LDAP:ov_user1:10010:20010:Overriden User 1:"\
-                  "/home/ov/user1:/bin/ov_user1_shell\n"
+                  "/home/ov/user1:/bin/ov_user1_shell:\n"
     out = check_output(['sss_override', 'user-show', 'user2@LDAP'])
     assert out == "user2@LDAP:ov_user2:10020:20020:Overriden User 2:"\
-                  "/home/ov/user2:/bin/ov_user2_shell\n"
+                  "/home/ov/user2:/bin/ov_user2_shell:\n"
     # Return error on non-existing user
     ret = subprocess.call(['sss_override', 'user-show', 'nonexisting_user'])
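Review bot: The updated expectations only pin the new empty eighth field of `user-show`; no assertion in this hunk runs `user-add` with `-x`/`--certificate` and checks that the base64 value comes back, so the encode path added to sss_override.c is not exercised here. A case along the lines of `check_output(['sss_override', 'user-add', 'user1', '-x', cert_b64])` followed by asserting that the eighth field of `user-show` equals `cert_b64` would cover it, and a `user-export`/`user-import` round trip of the same entry would cover the colondb reader as well. `test_show_user_override` starts outside the hunk, so an existing certificate case elsewhere in the module would not be visible to me.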
@@ -557,9 +557,9 @@ def test_find_user_override(ldap_conn, env_find_user_override):
     # Expected override of users
     exp_usr_ovrd = ['user1@LDAP:ov_user1:10010:20010:Overriden User 1:'
-                    '/home/ov/user1:/bin/ov_user1_shell',
+                    '/home/ov/user1:/bin/ov_user1_shell:',
                     'user2@LDAP:ov_user2:10020:20020:Overriden User 2:'
-                    '/home/ov/user2:/bin/ov_user2_shell']
+                    '/home/ov/user2:/bin/ov_user2_shell:']
     assert set(out.splitlines()) == set(exp_usr_ovrd)
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index 7e63bdf6ecb3bb968f631e79f691942237f61793..f911ce8806228d3b1b9fb113cc5b451a04a44140 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -21,6 +21,7 @@
 #include
 #include "util/util.h"
+#include "util/crypto/sss_crypto.h"
 #include "db/sysdb.h"
 #include "tools/common/sss_tools.h"
 #include "tools/common/sss_colondb.h"
@@ -39,6 +40,7 @@ struct override_user {
     const char *home;
     const char *shell;
     const char *gecos;
+    const char *cert;
 };
 struct override_group {
@@ -97,6 +99,7 @@ static int parse_cmdline_user_add(struct sss_cmdline *cmdline,
         {"home", 'h', POPT_ARG_STRING, &user->home, 0, _("Override home directory"), NULL },
         {"shell", 's', POPT_ARG_STRING, &user->shell, 0, _("Override shell"), NULL },
         {"gecos", 'c', POPT_ARG_STRING, &user->gecos, 0, _("Override gecos"), NULL },
+        {"certificate", 'x', POPT_ARG_STRING, &user->cert, 0, _("Override certificate"), NULL },
         POPT_TABLEEND
     };
@@ -296,7 +299,8 @@ static struct sysdb_attrs *build_attrs(TALLOC_CTX *mem_ctx,
                                        gid_t gid,
                                        const char *home,
                                        const char *shell,
-                                       const char *gecos)
+                                       const char *gecos,
+                                       const char *cert)
 {
     struct sysdb_attrs *attrs;
     errno_t ret;
@@ -348,6 +352,13 @@ static struct sysdb_attrs *build_attrs(TALLOC_CTX *mem_ctx,
         }
     }
+    if (cert != NULL) {
+        ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_CERT, cert);
+        if (ret != EOK) {
+            goto done;
+        }
+    }
+
     ret = EOK;
 done:
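Review bot: The help string `_("Override certificate")` for the new `-x` option does not say what encoding the value must be in, while build_attrs hands it straight to `sysdb_attrs_add_base64_blob`; an admin who pastes a PEM file including its `-----BEGIN CERTIFICATE-----` lines will get a decode failure with no hint why. Suggest `_("Override certificate (base64 encoded DER)")` plus the same wording in the man page — DER being my assumption of what the decoded bytes have to be, to be confirmed against the consumer of SYSDB_USER_CERT. parse_cmdline_user_add continues outside the hunk.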
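Review bot: The new `if (cert != NULL)` block writes whatever the string base64-decodes to under SYSDB_USER_CERT without checking that the bytes are a certificate at all, so a truncated or mis-pasted value becomes a persistent override that certificate matching can never satisfy, and the mistake only surfaces at login time. Because this attribute is an authentication binding rather than a display field, a parse check before the write would be worth the cost; if no certificate-parsing helper is available to this tool, at least record the gap with `/* NOTE: the blob is not validated as a certificate here; a bad value only fails at match time */` above the call. build_attrs starts outside the hunk.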
@@ -363,13 +374,13 @@ static struct sysdb_attrs *build_user_attrs(TALLOC_CTX *mem_ctx,
                                             struct override_user *user)
 {
     return build_attrs(mem_ctx, user->name, user->uid, user->gid, user->home,
-                       user->shell, user->gecos);
+                       user->shell, user->gecos, user->cert);
 }
 static struct sysdb_attrs *build_group_attrs(TALLOC_CTX *mem_ctx,
                                              struct override_group *group)
 {
-    return build_attrs(mem_ctx, group->name, 0, group->gid, 0, NULL, NULL);
+    return build_attrs(mem_ctx, group->name, 0, group->gid, 0, NULL, NULL, NULL);
 }
 static char *get_fqname(TALLOC_CTX *mem_ctx,
@@ -1101,6 +1112,7 @@ list_user_overrides(TALLOC_CTX *mem_ctx,
     size_t i;
     errno_t ret;
     const char *attrs[] = SYSDB_PW_ATTRS;
+    struct ldb_message_element *el;
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
@@ -1136,6 +1148,20 @@ list_user_overrides(TALLOC_CTX *mem_ctx,
         objs[i].shell = ldb_msg_find_attr_as_string(msgs[i], SYSDB_SHELL, NULL);
         objs[i].gecos = ldb_msg_find_attr_as_string(msgs[i], SYSDB_GECOS, NULL);
+        el = ldb_msg_find_element(msgs[i], SYSDB_USER_CERT);
+        if (el != NULL && el->num_values > 0) {
+            /* Currently we support only 1 certificate override */
+            objs[i].cert = sss_base64_encode(objs, el->values[0].data,
+                                             el->values[0].length);
+            if (objs[i].cert == NULL) {
+                DEBUG(SSSDBG_CRIT_FAILURE, "sss_base64_encode failed.\n");
+                ret = ERR_INTERNAL;
+                goto done;
+            }
+        } else {
+            objs[i].cert = NULL;
+        }
+
         talloc_steal(objs, objs[i].orig_name);
         talloc_steal(objs, objs[i].name);
         talloc_steal(objs, objs[i].home);
@@ -1249,7 +1275,7 @@ static errno_t user_export(const char *filename,
     for (i = 0; objs[i].orig_name != NULL; i++) {
         /**
-         * Format: orig_name:name:uid:gid:gecos:home:shell
+         * Format: orig_name:name:uid:gid:gecos:home:shell:certificate
          */
         struct sss_colondb_write_field table[] = {
             {SSS_COLONDB_STRING, {.str = objs[i].orig_name}},
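Review bot: When an override entry carries more than one SYSDB_USER_CERT value, the new block exports only `el->values[0]` and says nothing, so an export/import cycle silently drops the rest; the comment `Currently we support only 1 certificate override` records the limit for the reader of the code but never for the operator running the tool. Adding `if (el->num_values > 1) { DEBUG(SSSDBG_MINOR_FAILURE, "Only the first of %u certificates is exported.\n", el->num_values); }` before the encode keeps the loss visible in the log. Whether more than one value can actually end up in the cache depends on the add path, which is not in this hunk; list_user_overrides starts outside it.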
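Review bot: The updated format comment names the new `certificate` field but not that it is base64, which is the only reason a colon-delimited record stays parseable (the base64 alphabet contains no `:`); since the same format is read back by override_user_import, the invariant is worth stating where the layout is documented: ` * Format: orig_name:name:uid:gid:gecos:home:shell:certificate (base64, so it cannot contain ':')`. The loop in user_export continues past the end of the hunk.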
@@ -1259,6 +1285,7 @@ static errno_t user_export(const char *filename,
             {SSS_COLONDB_STRING, {.str = objs[i].gecos}},
             {SSS_COLONDB_STRING, {.str = objs[i].home}},
             {SSS_COLONDB_STRING, {.str = objs[i].shell}},
+            {SSS_COLONDB_STRING, {.str = objs[i].cert}},
             {SSS_COLONDB_SENTINEL, {0}}
         };
@@ -1523,7 +1550,7 @@ static int override_user_import(struct sss_cmdline *cmdline,
         }
         /**
-         * Format: orig_name:name:uid:gid:gecos:home:shell
+         * Format: orig_name:name:uid:gid:gecos:home:shell:certificate
          */
         struct sss_colondb_read_field table[] = {
             {SSS_COLONDB_STRING, {.str = &obj.input_name}},
@@ -1533,6 +1560,7 @@ static int override_user_import(struct sss_cmdline *cmdline,
             {SSS_COLONDB_STRING, {.str = &obj.gecos}},
             {SSS_COLONDB_STRING, {.str = &obj.home}},
             {SSS_COLONDB_STRING, {.str = &obj.shell}},
+            {SSS_COLONDB_STRING, {.str = &obj.cert}},
             {SSS_COLONDB_SENTINEL, {0}}
         };
-- 
2.1.0
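Review bot: The import table now expects an eighth field, but files written by the previous `user-export` have seven, and whether the colondb reader tolerates the missing trailing field (leaving `obj.cert` NULL) or rejects the record is decided outside this hunk — please confirm, and if it rejects, either accept the short record or state in the man page that old exports must be regenerated. The new export path also emits an empty eighth field for users without a certificate (the test expectations end in `:`), and build_attrs skips the certificate only when the pointer is NULL, so if the reader returns `""` rather than NULL for an empty field that string would reach `sysdb_attrs_add_base64_blob` on import; a guard such as `if (obj.cert != NULL && obj.cert[0] == '\0') { obj.cert = NULL; }` after the read would make both cases behave the same. override_user_import starts outside the hunk.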