Imported Debian patch 4.0.5-6~numeezy

daemons/ipa-slapi-plugins/ipa-otp-lasttoken/Makefile.am

@@ -3,6 +3,7 @@ PLUGIN_COMMON_DIR = ../common
 AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
+	-I$(srcdir)/../libotp					\
 	-I$(PLUGIN_COMMON_DIR)					\
 	-I/usr/include/dirsrv					\
 	-DPREFIX=\""$(prefix)"\" 				\

daemons/ipa-slapi-plugins/ipa-otp-lasttoken/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -15,17 +15,7 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
 am__make_running_with_option = \
   case $${target_option-} in \
       ?) ;; \
@@ -89,12 +79,13 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 subdir = ipa-slapi-plugins/ipa-otp-lasttoken
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/../version.m4 \
 	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
@@ -202,7 +193,6 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -249,7 +239,6 @@ LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
 LIBOBJS = @LIBOBJS@
-LIBPDB_NAME = @LIBPDB_NAME@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
@@ -257,7 +246,6 @@ LIBVERTO_LIBS = @LIBVERTO_LIBS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
 MANIFEST_TOOL = @MANIFEST_TOOL@
@@ -369,7 +357,6 @@ pythondir = @pythondir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
-subdirs = @subdirs@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 target_alias = @target_alias@
@@ -381,6 +368,7 @@ PLUGIN_COMMON_DIR = ../common
 AM_CPPFLAGS = \
 	-I.							\
 	-I$(srcdir)						\
+	-I$(srcdir)/../libotp					\
 	-I$(PLUGIN_COMMON_DIR)					\
 	-I/usr/include/dirsrv					\
 	-DPREFIX=\""$(prefix)"\" 				\
@@ -416,6 +404,7 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__confi
 	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign ipa-slapi-plugins/ipa-otp-lasttoken/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
 	  $(AUTOMAKE) --foreign ipa-slapi-plugins/ipa-otp-lasttoken/Makefile
+.PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -715,8 +704,6 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
 	uninstall-pluginLTLIBRARIES
 
-.PRECIOUS: Makefile
-
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.

daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c

@@ -41,182 +41,116 @@
 #  include <config.h>
 #endif
 
-#include "../libotp/otp_token.h"
+#include <libotp.h>
 #include <time.h>
 
-#include "util.h"
+#define PLUGIN_NAME               "ipa-otp-lasttoken"
+#define LOG(sev, ...) \
+    slapi_log_error(SLAPI_LOG_ ## sev, PLUGIN_NAME, \
+                    "%s: %s\n", __func__, __VA_ARGS__), -1
 
-#define PLUGIN_NAME "ipa-otp-lasttoken"
-#define OTP_CONTAINER "cn=otp,%s"
+static void *plugin_id;
+static const Slapi_PluginDesc preop_desc = {
+    PLUGIN_NAME,
+    "FreeIPA",
+    "FreeIPA/1.0",
+    "Protect the user's last active token"
+};
 
-static struct otp_config *otp_config;
-
-static bool entry_is_token(Slapi_Entry *entry)
-{
-    char **ocls;
-
-    ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS);
-    for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) {
-        if (strcasecmp(ocls[i], "ipaToken") == 0) {
-            slapi_ch_array_free(ocls);
-            return true;
-        }
-    }
-
-    return false;
-}
-
-static bool sdn_in_otp_container(Slapi_DN *sdn)
-{
-    const Slapi_DN *base;
-    Slapi_DN *container;
-    bool result;
-    char *dn;
-
-    base = slapi_get_suffix_by_dn(sdn);
-    if (base == NULL)
-        return false;
-
-    dn = slapi_ch_smprintf(OTP_CONTAINER, slapi_sdn_get_dn(base));
-    if (dn == NULL)
-        return false;
-
-    container = slapi_sdn_new_dn_passin(dn);
-    result = slapi_sdn_issuffix(sdn, container);
-    slapi_sdn_free(&container);
-
-    return result;
-}
-
-static bool sdn_is_only_enabled_token(Slapi_DN *target_sdn, const char *user_dn)
-{
-    struct otp_token **tokens;
-    bool result = false;
-
-    tokens = otp_token_find(otp_config, user_dn, NULL, true, NULL);
-
-    if (tokens != NULL && tokens[0] != NULL && tokens[1] == NULL) {
-        const Slapi_DN *token_sdn = otp_token_get_sdn(tokens[0]);
-        if (token_sdn != NULL)
-            result = slapi_sdn_compare(token_sdn, target_sdn) == 0;
-    }
-
-    otp_token_free_array(tokens);
-    return result;
-}
-
-static bool is_pwd_enabled(const char *user_dn)
-{
-    char *attrs[] = { "ipaUserAuthType", NULL };
-    Slapi_Entry *entry = NULL;
-    uint32_t authtypes;
-    Slapi_DN *sdn;
-    int search_result = 0;
-
-    sdn = slapi_sdn_new_dn_byval(user_dn);
-    if (sdn == NULL)
-        return false;
-
-    search_result = slapi_search_internal_get_entry(sdn, attrs, &entry,
-            otp_config_plugin_id(otp_config));
-    if (search_result != LDAP_SUCCESS) {
-        LOG_TRACE("File '%s' line %d: Unable to access LDAP entry '%s'. "
-                "Perhaps it doesn't exist? Error code: %d\n", __FILE__,
-                __LINE__, slapi_sdn_get_dn(sdn), search_result);
-    }
-    slapi_sdn_free(&sdn);
-    if (entry == NULL)
-        return false;
-
-    authtypes = otp_config_auth_types(otp_config, entry);
-    slapi_entry_free(entry);
-
-    return authtypes & OTP_CONFIG_AUTH_TYPE_PASSWORD;
-}
-
-static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
+static bool
+target_is_only_enabled_token(Slapi_PBlock *pb)
 {
     Slapi_DN *target_sdn = NULL;
-    const char *bind_dn;
+    Slapi_DN *token_sdn = NULL;
+    struct otptoken **tokens;
+    char *user_dn = NULL;
+    bool match;
 
     /* Ignore internal operations. */
     if (slapi_op_internal(pb))
-        return true;
+        return false;
 
-    /* Load parameters. */
-    (void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
-    (void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);
-    if (target_sdn == NULL || bind_dn == NULL) {
-        LOG_FATAL("Missing parameters!\n");
+    /* Get the current user's SDN. */
+    slapi_pblock_get(pb, SLAPI_CONN_DN, &user_dn);
+    if (user_dn == NULL)
+        return false;
+
+    /* Get the SDN of the only enabled token. */
+    tokens = otptoken_find(plugin_id, user_dn, NULL, true, NULL);
+    if (tokens != NULL && tokens[0] != NULL && tokens[1] == NULL)
+        token_sdn = slapi_sdn_dup(otptoken_get_sdn(tokens[0]));
+    otptoken_free_array(tokens);
+    if (token_sdn == NULL)
+        return false;
+
+    /* Get the target SDN. */
+    slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
+    if (target_sdn == NULL) {
+        slapi_sdn_free(&token_sdn);
         return false;
     }
 
-    if (entry != NULL
-            ? !entry_is_token(entry)
-            : !sdn_in_otp_container(target_sdn))
-        return true;
-
-    if (!sdn_is_only_enabled_token(target_sdn, bind_dn))
-        return true;
-
-    if (is_pwd_enabled(bind_dn))
-        return true;
-
-    return false;
+    /* Does the target SDN match the only enabled token SDN? */
+    match = slapi_sdn_compare(token_sdn, target_sdn) == 0;
+    slapi_sdn_free(&token_sdn);
+    return match;
 }
 
-static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)
+static inline int
+send_error(Slapi_PBlock *pb, int rc, char *errstr)
 {
-    slapi_send_ldap_result(pb, rc, NULL, (char *) errstr, 0, NULL);
-    if (slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc)) {
-        LOG_FATAL("slapi_pblock_set failed!\n");
-    }
+    slapi_send_ldap_result(pb, rc, NULL, errstr, 0, NULL);
+    slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc);
     return rc;
 }
 
-static int preop_del(Slapi_PBlock *pb)
+static int
+preop_del(Slapi_PBlock *pb)
 {
-    if (is_allowed(pb, NULL))
+    if (!target_is_only_enabled_token(pb))
         return 0;
 
     return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
                       "Can't delete last active token");
 }
 
-static int preop_mod(Slapi_PBlock *pb)
+static int
+preop_mod(Slapi_PBlock *pb)
 {
-    static const struct {
-        const char *attr;
-        const char *msg;
-    } errors[] = {
-        {"ipatokenDisabled",  "Can't disable last active token"},
-        {"ipatokenOwner",     "Can't change last active token's owner"},
-        {"ipatokenNotBefore", "Can't change last active token's start time"},
-        {"ipatokenNotAfter",  "Can't change last active token's end time"},
-        {}
-    };
+    LDAPMod **mods = NULL;
 
-    const LDAPMod **mods = NULL;
-    Slapi_Entry *entry = NULL;
-
-    (void) slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &entry);
-    (void) slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
-
-    if (is_allowed(pb, entry))
+    if (!target_is_only_enabled_token(pb))
         return 0;
 
-    /* If a protected attribute is modified, deny. */
+    /* Do not permit deactivation of the last active token. */
+    slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
     for (int i = 0; mods != NULL && mods[i] != NULL; i++) {
-        for (int j = 0; errors[j].attr != NULL; j++) {
-            if (strcasecmp(mods[i]->mod_type, errors[j].attr) == 0)
-                return send_error(pb, LDAP_UNWILLING_TO_PERFORM, errors[j].msg);
+        if (strcasecmp(mods[i]->mod_type, "ipatokenDisabled") == 0) {
+            return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
+                              "Can't disable last active token");
+        }
+
+        if (strcasecmp(mods[i]->mod_type, "ipatokenOwner") == 0) {
+            return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
+                              "Can't change last active token's owner");
+        }
+
+        if (strcasecmp(mods[i]->mod_type, "ipatokenNotBefore") == 0) {
+            return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
+                              "Can't change last active token's start time");
+        }
+
+        if (strcasecmp(mods[i]->mod_type, "ipatokenNotAfter") == 0) {
+            return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
+                              "Can't change last active token's end time");
         }
     }
 
     return 0;
 }
 
-static int preop_init(Slapi_PBlock *pb)
+static int
+preop_init(Slapi_PBlock *pb)
 {
     int ret = 0;
 
@@ -225,59 +159,15 @@ static int preop_init(Slapi_PBlock *pb)
     return ret;
 }
 
-static int update_config(Slapi_PBlock *pb)
+int
+ipa_otp_lasttoken_init(Slapi_PBlock *pb)
 {
-    otp_config_update(otp_config, pb);
-    return 0;
-}
-
-static int intpostop_init(Slapi_PBlock *pb)
-{
-    int ret = 0;
-
-    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN,    (void *) update_config);
-    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *) update_config);
-    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *) update_config);
-    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *) update_config);
-
-    return ret;
-}
-
-static int postop_init(Slapi_PBlock *pb)
-{
-    int ret = 0;
-
-    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN,    (void *) update_config);
-    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *) update_config);
-    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *) update_config);
-    ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *) update_config);
-
-    return ret;
-}
-
-int ipa_otp_lasttoken_init(Slapi_PBlock *pb)
-{
-    static const Slapi_PluginDesc preop_desc = {
-        PLUGIN_NAME,
-        "FreeIPA",
-        "FreeIPA/1.0",
-        "Protect the user's last active token"
-    };
-
-    Slapi_ComponentId *plugin_id = NULL;
     int ret = 0;
 
     ret |= slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &plugin_id);
     ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
     ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &preop_desc);
     ret |= slapi_register_plugin("betxnpreoperation", 1, __func__, preop_init,
-                                 PLUGIN_NAME " betxnpreoperation", NULL, plugin_id);
-    ret |= slapi_register_plugin("postoperation", 1, __func__, postop_init,
-                                 PLUGIN_NAME " postoperation", NULL, plugin_id);
-    ret |= slapi_register_plugin("internalpostoperation", 1, __func__, intpostop_init,
-                                 PLUGIN_NAME " internalpostoperation", NULL, plugin_id);
-
-    /* NOTE: leak otp_config on process exit. */
-    otp_config = otp_config_init(plugin_id);
+                                 PLUGIN_NAME, NULL, plugin_id);
     return ret;
 }