Imported Upstream version 4.0.5
This commit is contained in:
Mario Fetka
@@ -41,182 +41,116 @@
|
||||
# include <config.h>
|
||||
#endif
|
||||
|
||||
#include "../libotp/otp_token.h"
|
||||
#include <libotp.h>
|
||||
#include <time.h>
|
||||
|
||||
#include "util.h"
|
||||
#define PLUGIN_NAME "ipa-otp-lasttoken"
|
||||
#define LOG(sev, ...) \
|
||||
slapi_log_error(SLAPI_LOG_ ## sev, PLUGIN_NAME, \
|
||||
"%s: %s\n", __func__, __VA_ARGS__), -1
|
||||
|
||||
#define PLUGIN_NAME "ipa-otp-lasttoken"
|
||||
#define OTP_CONTAINER "cn=otp,%s"
|
||||
static void *plugin_id;
|
||||
static const Slapi_PluginDesc preop_desc = {
|
||||
PLUGIN_NAME,
|
||||
"FreeIPA",
|
||||
"FreeIPA/1.0",
|
||||
"Protect the user's last active token"
|
||||
};
|
||||
|
||||
static struct otp_config *otp_config;
|
||||
|
||||
static bool entry_is_token(Slapi_Entry *entry)
|
||||
{
|
||||
char **ocls;
|
||||
|
||||
ocls = slapi_entry_attr_get_charray(entry, SLAPI_ATTR_OBJECTCLASS);
|
||||
for (size_t i = 0; ocls != NULL && ocls[i] != NULL; i++) {
|
||||
if (strcasecmp(ocls[i], "ipaToken") == 0) {
|
||||
slapi_ch_array_free(ocls);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static bool sdn_in_otp_container(Slapi_DN *sdn)
|
||||
{
|
||||
const Slapi_DN *base;
|
||||
Slapi_DN *container;
|
||||
bool result;
|
||||
char *dn;
|
||||
|
||||
base = slapi_get_suffix_by_dn(sdn);
|
||||
if (base == NULL)
|
||||
return false;
|
||||
|
||||
dn = slapi_ch_smprintf(OTP_CONTAINER, slapi_sdn_get_dn(base));
|
||||
if (dn == NULL)
|
||||
return false;
|
||||
|
||||
container = slapi_sdn_new_dn_passin(dn);
|
||||
result = slapi_sdn_issuffix(sdn, container);
|
||||
slapi_sdn_free(&container);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
static bool sdn_is_only_enabled_token(Slapi_DN *target_sdn, const char *user_dn)
|
||||
{
|
||||
struct otp_token **tokens;
|
||||
bool result = false;
|
||||
|
||||
tokens = otp_token_find(otp_config, user_dn, NULL, true, NULL);
|
||||
|
||||
if (tokens != NULL && tokens[0] != NULL && tokens[1] == NULL) {
|
||||
const Slapi_DN *token_sdn = otp_token_get_sdn(tokens[0]);
|
||||
if (token_sdn != NULL)
|
||||
result = slapi_sdn_compare(token_sdn, target_sdn) == 0;
|
||||
}
|
||||
|
||||
otp_token_free_array(tokens);
|
||||
return result;
|
||||
}
|
||||
|
||||
static bool is_pwd_enabled(const char *user_dn)
|
||||
{
|
||||
char *attrs[] = { "ipaUserAuthType", NULL };
|
||||
Slapi_Entry *entry = NULL;
|
||||
uint32_t authtypes;
|
||||
Slapi_DN *sdn;
|
||||
int search_result = 0;
|
||||
|
||||
sdn = slapi_sdn_new_dn_byval(user_dn);
|
||||
if (sdn == NULL)
|
||||
return false;
|
||||
|
||||
search_result = slapi_search_internal_get_entry(sdn, attrs, &entry,
|
||||
otp_config_plugin_id(otp_config));
|
||||
if (search_result != LDAP_SUCCESS) {
|
||||
LOG_TRACE("File '%s' line %d: Unable to access LDAP entry '%s'. "
|
||||
"Perhaps it doesn't exist? Error code: %d\n", __FILE__,
|
||||
__LINE__, slapi_sdn_get_dn(sdn), search_result);
|
||||
}
|
||||
slapi_sdn_free(&sdn);
|
||||
if (entry == NULL)
|
||||
return false;
|
||||
|
||||
authtypes = otp_config_auth_types(otp_config, entry);
|
||||
slapi_entry_free(entry);
|
||||
|
||||
return authtypes & OTP_CONFIG_AUTH_TYPE_PASSWORD;
|
||||
}
|
||||
|
||||
static bool is_allowed(Slapi_PBlock *pb, Slapi_Entry *entry)
|
||||
static bool
|
||||
target_is_only_enabled_token(Slapi_PBlock *pb)
|
||||
{
|
||||
Slapi_DN *target_sdn = NULL;
|
||||
const char *bind_dn;
|
||||
Slapi_DN *token_sdn = NULL;
|
||||
struct otptoken **tokens;
|
||||
char *user_dn = NULL;
|
||||
bool match;
|
||||
|
||||
/* Ignore internal operations. */
|
||||
if (slapi_op_internal(pb))
|
||||
return true;
|
||||
return false;
|
||||
|
||||
/* Load parameters. */
|
||||
(void) slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
|
||||
(void) slapi_pblock_get(pb, SLAPI_CONN_DN, &bind_dn);
|
||||
if (target_sdn == NULL || bind_dn == NULL) {
|
||||
LOG_FATAL("Missing parameters!\n");
|
||||
/* Get the current user's SDN. */
|
||||
slapi_pblock_get(pb, SLAPI_CONN_DN, &user_dn);
|
||||
if (user_dn == NULL)
|
||||
return false;
|
||||
|
||||
/* Get the SDN of the only enabled token. */
|
||||
tokens = otptoken_find(plugin_id, user_dn, NULL, true, NULL);
|
||||
if (tokens != NULL && tokens[0] != NULL && tokens[1] == NULL)
|
||||
token_sdn = slapi_sdn_dup(otptoken_get_sdn(tokens[0]));
|
||||
otptoken_free_array(tokens);
|
||||
if (token_sdn == NULL)
|
||||
return false;
|
||||
|
||||
/* Get the target SDN. */
|
||||
slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn);
|
||||
if (target_sdn == NULL) {
|
||||
slapi_sdn_free(&token_sdn);
|
||||
return false;
|
||||
}
|
||||
|
||||
if (entry != NULL
|
||||
? !entry_is_token(entry)
|
||||
: !sdn_in_otp_container(target_sdn))
|
||||
return true;
|
||||
|
||||
if (!sdn_is_only_enabled_token(target_sdn, bind_dn))
|
||||
return true;
|
||||
|
||||
if (is_pwd_enabled(bind_dn))
|
||||
return true;
|
||||
|
||||
return false;
|
||||
/* Does the target SDN match the only enabled token SDN? */
|
||||
match = slapi_sdn_compare(token_sdn, target_sdn) == 0;
|
||||
slapi_sdn_free(&token_sdn);
|
||||
return match;
|
||||
}
|
||||
|
||||
static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr)
|
||||
static inline int
|
||||
send_error(Slapi_PBlock *pb, int rc, char *errstr)
|
||||
{
|
||||
slapi_send_ldap_result(pb, rc, NULL, (char *) errstr, 0, NULL);
|
||||
if (slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc)) {
|
||||
LOG_FATAL("slapi_pblock_set failed!\n");
|
||||
}
|
||||
slapi_send_ldap_result(pb, rc, NULL, errstr, 0, NULL);
|
||||
slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc);
|
||||
return rc;
|
||||
}
|
||||
|
||||
static int preop_del(Slapi_PBlock *pb)
|
||||
static int
|
||||
preop_del(Slapi_PBlock *pb)
|
||||
{
|
||||
if (is_allowed(pb, NULL))
|
||||
if (!target_is_only_enabled_token(pb))
|
||||
return 0;
|
||||
|
||||
return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
|
||||
"Can't delete last active token");
|
||||
}
|
||||
|
||||
static int preop_mod(Slapi_PBlock *pb)
|
||||
static int
|
||||
preop_mod(Slapi_PBlock *pb)
|
||||
{
|
||||
static const struct {
|
||||
const char *attr;
|
||||
const char *msg;
|
||||
} errors[] = {
|
||||
{"ipatokenDisabled", "Can't disable last active token"},
|
||||
{"ipatokenOwner", "Can't change last active token's owner"},
|
||||
{"ipatokenNotBefore", "Can't change last active token's start time"},
|
||||
{"ipatokenNotAfter", "Can't change last active token's end time"},
|
||||
{}
|
||||
};
|
||||
LDAPMod **mods = NULL;
|
||||
|
||||
const LDAPMod **mods = NULL;
|
||||
Slapi_Entry *entry = NULL;
|
||||
|
||||
(void) slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &entry);
|
||||
(void) slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
|
||||
|
||||
if (is_allowed(pb, entry))
|
||||
if (!target_is_only_enabled_token(pb))
|
||||
return 0;
|
||||
|
||||
/* If a protected attribute is modified, deny. */
|
||||
/* Do not permit deactivation of the last active token. */
|
||||
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
|
||||
for (int i = 0; mods != NULL && mods[i] != NULL; i++) {
|
||||
for (int j = 0; errors[j].attr != NULL; j++) {
|
||||
if (strcasecmp(mods[i]->mod_type, errors[j].attr) == 0)
|
||||
return send_error(pb, LDAP_UNWILLING_TO_PERFORM, errors[j].msg);
|
||||
if (strcasecmp(mods[i]->mod_type, "ipatokenDisabled") == 0) {
|
||||
return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
|
||||
"Can't disable last active token");
|
||||
}
|
||||
|
||||
if (strcasecmp(mods[i]->mod_type, "ipatokenOwner") == 0) {
|
||||
return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
|
||||
"Can't change last active token's owner");
|
||||
}
|
||||
|
||||
if (strcasecmp(mods[i]->mod_type, "ipatokenNotBefore") == 0) {
|
||||
return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
|
||||
"Can't change last active token's start time");
|
||||
}
|
||||
|
||||
if (strcasecmp(mods[i]->mod_type, "ipatokenNotAfter") == 0) {
|
||||
return send_error(pb, LDAP_UNWILLING_TO_PERFORM,
|
||||
"Can't change last active token's end time");
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int preop_init(Slapi_PBlock *pb)
|
||||
static int
|
||||
preop_init(Slapi_PBlock *pb)
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
@@ -225,59 +159,15 @@ static int preop_init(Slapi_PBlock *pb)
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int update_config(Slapi_PBlock *pb)
|
||||
int
|
||||
ipa_otp_lasttoken_init(Slapi_PBlock *pb)
|
||||
{
|
||||
otp_config_update(otp_config, pb);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int intpostop_init(Slapi_PBlock *pb)
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN, (void *) update_config);
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *) update_config);
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *) update_config);
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *) update_config);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int postop_init(Slapi_PBlock *pb)
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_ADD_FN, (void *) update_config);
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_DELETE_FN, (void *) update_config);
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *) update_config);
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_POST_MODRDN_FN, (void *) update_config);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int ipa_otp_lasttoken_init(Slapi_PBlock *pb)
|
||||
{
|
||||
static const Slapi_PluginDesc preop_desc = {
|
||||
PLUGIN_NAME,
|
||||
"FreeIPA",
|
||||
"FreeIPA/1.0",
|
||||
"Protect the user's last active token"
|
||||
};
|
||||
|
||||
Slapi_ComponentId *plugin_id = NULL;
|
||||
int ret = 0;
|
||||
|
||||
ret |= slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &plugin_id);
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
|
||||
ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &preop_desc);
|
||||
ret |= slapi_register_plugin("betxnpreoperation", 1, __func__, preop_init,
|
||||
PLUGIN_NAME " betxnpreoperation", NULL, plugin_id);
|
||||
ret |= slapi_register_plugin("postoperation", 1, __func__, postop_init,
|
||||
PLUGIN_NAME " postoperation", NULL, plugin_id);
|
||||
ret |= slapi_register_plugin("internalpostoperation", 1, __func__, intpostop_init,
|
||||
PLUGIN_NAME " internalpostoperation", NULL, plugin_id);
|
||||
|
||||
/* NOTE: leak otp_config on process exit. */
|
||||
otp_config = otp_config_init(plugin_id);
|
||||
PLUGIN_NAME, NULL, plugin_id);
|
||||
return ret;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user