Session target in IPA provider

Makefile.am

@@ -361,7 +361,10 @@ dist_noinst_HEADERS = \
     src/providers/ipa/ipa_common.h \
     src/providers/ipa/ipa_config.h \
     src/providers/ipa/ipa_access.h \
+    src/providers/ipa/ipa_session.h \
     src/providers/ipa/ipa_hosts.h \
+    src/providers/ipa/ipa_selinux_common.h \
+    src/providers/ipa/ipa_selinux_maps.h \
     src/providers/ipa/ipa_auth.h \
     src/providers/ipa/ipa_dyndns.h \
     src/providers/ipa/ipa_id.h \
@@ -1080,6 +1083,9 @@ libsss_ipa_la_SOURCES = \
     src/providers/ipa/ipa_hbac_services.c \
     src/providers/ipa/ipa_hbac_users.c \
     src/providers/ipa/ipa_hbac_common.c \
+    src/providers/ipa/ipa_session.c \
+    src/providers/ipa/ipa_selinux_maps.c \
+    src/providers/ipa/ipa_selinux_common.c \
     src/providers/ldap/ldap_id.c \
     src/providers/ldap/ldap_id_enum.c \
     src/providers/ldap/ldap_id_cleanup.c \

src/providers/ipa/ipa_common.c

@@ -26,6 +26,7 @@
 #include <ctype.h>
 #include <arpa/inet.h>
 
+#include "db/sysdb_selinux.h"
 #include "providers/ipa/ipa_common.h"
 #include "providers/ldap/sdap_async_private.h"
 #include "util/sss_krb5.h"
@@ -39,6 +40,7 @@ struct dp_option ipa_basic_opts[] = {
     { "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ipa_host_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+    { "ipa_selinux_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
     { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING },
@@ -181,6 +183,19 @@ struct sdap_attr_map ipa_host_map[] = {
     { "ipa_host_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
 };
 
+static struct sdap_attr_map ipa_selinux_user_map[] = {
+    {"ipa_selinux_usermap_object_class", "ipaselinuxusermap", SYSDB_SELINUX_USERMAP_CLASS, NULL},
+    {"ipa_selinux_usermap_name", "cn", SYSDB_NAME, NULL},
+    {"ipa_selinux_usermap_member_user", "memberUser", SYSDB_ORIG_MEMBER_USER, NULL},
+    {"ipa_selinux_usermap_member_host", "memberHost", SYSDB_ORIG_MEMBER_HOST, NULL},
+    {"ipa_selinux_usermap_see_also", "seeAlso", SYSDB_SELINUX_SEEALSO, NULL},
+    {"ipa_selinux_usermap_selinux_user", "ipaSELinuxUser", SYSDB_SELINUX_USER, NULL},
+    {"ipa_selinux_usermap_enabled", "ipaEnabledFlag", SYSDB_SELINUX_ENABLED, NULL},
+    {"ipa_selinux_usermap_user_category", "userCategory", SYSDB_USER_CATEGORY, NULL},
+    {"ipa_selinux_usermap_host_category", "hostCategory", SYSDB_HOST_CATEGORY, NULL},
+    {"ipa_selinux_usermap_uuid", "ipaUniqueID", SYSDB_UUID, NULL}
+};
+
 struct dp_option ipa_def_krb5_opts[] = {
     { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
@@ -605,6 +620,29 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
                                  &ipa_opts->hbac_search_bases);
     if (ret != EOK) goto done;
 
+    if (NULL == dp_opt_get_string(ipa_opts->basic,
+                                  IPA_SELINUX_SEARCH_BASE)) {
+        value = talloc_asprintf(tmpctx, "cn=selinux,%s", basedn);
+        if (!value) {
+            ret = ENOMEM;
+            goto done;
+        }
+
+        ret = dp_opt_set_string(ipa_opts->basic, IPA_SELINUX_SEARCH_BASE, value);
+        if (ret != EOK) {
+            goto done;
+        }
+
+        DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+                  ipa_opts->basic[IPA_SELINUX_SEARCH_BASE].opt_name,
+                  dp_opt_get_string(ipa_opts->basic,
+                                    IPA_SELINUX_SEARCH_BASE)));
+    }
+    ret = sdap_parse_search_base(ipa_opts->basic, ipa_opts->basic,
+                                 IPA_SELINUX_SEARCH_BASE,
+                                 &ipa_opts->selinux_search_bases);
+    if (ret != EOK) goto done;
+
     value = dp_opt_get_string(ipa_opts->id->basic, SDAP_DEREF);
     if (value != NULL) {
         ret = deref_string_to_val(value, &i);
@@ -686,6 +724,15 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
         goto done;
     }
 
+    ret = sdap_get_map(ipa_opts->id,
+                       cdb, conf_path,
+                       ipa_selinux_user_map,
+                       IPA_OPTS_SELINUX_USERMAP,
+                       &ipa_opts->id->selinuxuser_map);
+    if (ret != EOK) {
+        goto done;
+    }
+
     ret = EOK;
     *_opts = ipa_opts->id;
 

src/providers/ipa/ipa_common.h

@@ -52,6 +52,7 @@ enum ipa_basic_opt {
     IPA_DYNDNS_IFACE,
     IPA_HBAC_SEARCH_BASE,
     IPA_HOST_SEARCH_BASE,
+    IPA_SELINUX_SEARCH_BASE,
     IPA_KRB5_REALM,
     IPA_HBAC_REFRESH,
     IPA_HBAC_DENY_METHOD,
@@ -82,6 +83,21 @@ enum ipa_host_attrs {
     IPA_OPTS_HOST /* attrs counter */
 };
 
+enum ipa_selinux_usermap_attrs {
+    IPA_OC_SELINUX_USERMAP = 0,
+    IPA_AT_SELINUX_USERMAP_NAME,
+    IPA_AT_SELINUX_USERMAP_MEMBER_USER,
+    IPA_AT_SELINUX_USERMAP_MEMBER_HOST,
+    IPA_AT_SELINUX_USERMAP_SEE_ALSO,
+    IPA_AT_SELINUX_USERMAP_SELINUX_USER,
+    IPA_AT_SELINUX_USERMAP_ENABLED,
+    IPA_AT_SELINUX_USERMAP_USERCAT,
+    IPA_AT_SELINUX_USERMAP_HOSTCAT,
+    IPA_AT_SELINUX_USERMAP_UUID,
+
+    IPA_OPTS_SELINUX_USERMAP /* attrs counter */
+};
+
 struct ipa_auth_ctx {
     struct krb5_ctx *krb5_auth_ctx;
     struct sdap_id_ctx *sdap_id_ctx;
@@ -99,6 +115,7 @@ struct ipa_options {
 
     struct sdap_search_base **host_search_bases;
     struct sdap_search_base **hbac_search_bases;
+    struct sdap_search_base **selinux_search_bases;
     struct ipa_service *service;
 
     /* id provider */

src/providers/ipa/ipa_init.c

@@ -34,6 +34,7 @@
 #include "providers/ipa/ipa_auth.h"
 #include "providers/ipa/ipa_access.h"
 #include "providers/ipa/ipa_dyndns.h"
+#include "providers/ipa/ipa_session.h"
 
 struct ipa_options *ipa_options = NULL;
 
@@ -59,6 +60,11 @@ struct bet_ops ipa_access_ops = {
     .finalize = NULL
 };
 
+struct bet_ops ipa_session_ops = {
+    .handler = ipa_session_handler,
+    .finalize = NULL
+};
+
 int common_ipa_init(struct be_ctx *bectx)
 {
     const char *ipa_servers;
@@ -393,3 +399,39 @@ int sssm_ipa_access_init(struct be_ctx *bectx,
     }
     return ret;
 }
+
+int sssm_ipa_session_init(struct be_ctx *bectx,
+                          struct bet_ops **ops,
+                          void **pvt_data)
+{
+    int ret;
+    struct ipa_session_ctx *session_ctx;
+    struct ipa_options *opts;
+
+    session_ctx = talloc_zero(bectx, struct ipa_session_ctx);
+    if (session_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n"));
+        return ENOMEM;
+    }
+
+    ret = sssm_ipa_id_init(bectx, ops, (void **) &session_ctx->id_ctx);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ipa_id_init failed.\n"));
+        goto done;
+    }
+
+    opts = session_ctx->id_ctx->ipa_options;
+
+    session_ctx->hbac_search_bases = opts->hbac_search_bases;
+    session_ctx->host_search_bases = opts->host_search_bases;
+    session_ctx->selinux_search_bases = opts->selinux_search_bases;
+
+    *ops = &ipa_session_ops;
+    *pvt_data = session_ctx;
+
+done:
+    if (ret != EOK) {
+        talloc_free(session_ctx);
+    }
+    return ret;
+}

src/providers/ipa/ipa_selinux_common.c

@@ -0,0 +1,103 @@
+/*
+    SSSD
+
+    IPA Backend Module -- SELinux common routines
+
+    Authors:
+        Jan Zeleny <jzeleny@redhat.com>
+
+    Copyright (C) 2012 Red Hat
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "db/sysdb_selinux.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/ipa/ipa_selinux_common.h"
+
+
+errno_t ipa_selinux_map_merge(struct sysdb_attrs *map,
+                              struct sysdb_attrs *rule,
+                              const char *attr)
+{
+    struct ldb_message_element *map_el;
+    struct ldb_message_element *rule_el;
+    size_t total_cnt;
+    errno_t ret;
+    int i = 0;
+
+    ret = sysdb_attrs_get_el(map, attr, &map_el);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    ret = sysdb_attrs_get_el(rule, attr, &rule_el);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    total_cnt = map_el->num_values + rule_el->num_values;
+    map_el->values = talloc_realloc(map->a, map_el->values,
+                                    struct ldb_val, total_cnt);
+    if (map_el->values == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    while (map_el->num_values < total_cnt)
+    {
+        map_el->values[map_el->num_values] = ldb_val_dup(map_el->values,
+                                                         &rule_el->values[i]);
+        map_el->num_values++;
+        i++;
+    }
+
+    ret = EOK;
+done:
+    return ret;
+}
+
+errno_t ipa_save_user_maps(struct sysdb_ctx *sysdb,
+                           size_t map_count,
+                           struct sysdb_attrs **maps)
+{
+    errno_t ret;
+    int i;
+
+    ret = sysdb_transaction_start(sysdb);
+    if (ret) {
+        goto done;
+    }
+
+    for (i = 0; i < map_count; i++) {
+        ret = sysdb_store_selinux_usermap(sysdb, maps[i]);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, ("Failed to store user map %d. "
+                                      "Ignoring.\n", i));
+        } else {
+            DEBUG(SSSDBG_TRACE_FUNC, ("User map %d processed.\n", i));
+        }
+    }
+
+    ret = sysdb_transaction_commit(sysdb);
+    if (ret) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to commit transaction!\n"));
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    return ret;
+}

src/providers/ipa/ipa_selinux_common.h

@@ -0,0 +1,39 @@
+/*
+    SSSD
+
+    IPA Backend Module -- SELinux common routines
+
+    Authors:
+        Jan Zeleny <jzeleny@redhat.com>
+
+    Copyright (C) 2012 Red Hat
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef IPA_SELINUX_COMMON_H_
+#define IPA_SELINUX_COMMON_H_
+
+errno_t ipa_selinux_map_merge(struct sysdb_attrs *map,
+                              struct sysdb_attrs *rule,
+                              const char *attr);
+
+errno_t ipa_save_host(struct sysdb_ctx *sysdb,
+                      struct sysdb_attrs *host);
+
+errno_t ipa_save_user_maps(struct sysdb_ctx *sysdb,
+                           size_t map_count,
+                           struct sysdb_attrs **maps);
+
+#endif /* IPA_SELINUX_COMMON_H_ */