xref: /illumos-gate/usr/src/lib/nsswitch/ldap/common/getgrent.c (revision 45ede40b2394db7967e59f19288fae9b62efd4aa)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
26  * Copyright 2020 Joyent, Inc.
27  */
28 
29 #include <grp.h>
30 #include "ldap_common.h"
31 #include <string.h>
32 
33 /* String which may need to be removed from beginning of group password */
34 #define	_CRYPT		"{CRYPT}"
35 #define	_NO_PASSWD_VAL	""
36 
37 /* Group attributes filters */
38 #define	_G_NAME		"cn"
39 #define	_G_GID		"gidnumber"
40 #define	_G_PASSWD	"userpassword"
41 #define	_G_MEMUID	"memberuid"
42 #define	_G_MEM_DN	"member"	/* DN */
43 
44 #define	_F_GETGRNAM	"(&(objectClass=posixGroup)(cn=%s))"
45 #define	_F_GETGRNAM_SSD	"(&(%%s)(cn=%s))"
46 #define	_F_GETGRGID	"(&(objectClass=posixGroup)(gidNumber=%u))"
47 #define	_F_GETGRGID_SSD	"(&(%%s)(gidNumber=%u))"
48 
49 /*
50  * When searching for groups in which a specified user is a member,
51  * there are a few different membership schema that might be in use.
52  * We'll use a filter that should work with an of the common ones:
53  * "memberUid=NAME", or "member=DN" (try uniquemember too?)
54  * The first parameter in the filter string is replaced by username,
55  * and the remaining ones by the full DN.
56  */
57 #define	_F_GETGRMEM "(&(objectClass=posixGroup)" \
58 	"(|(memberUid=%s)(member=%s)))"
59 #define	_F_GETGRMEM_SSD	"(&(%%s)" \
60 	"(|(memberUid=%s)(member=%s)))"
61 
62 static const char *gr_attrs[] = {
63 	_G_NAME,
64 	_G_GID,
65 	_G_PASSWD,
66 	_G_MEMUID,
67 	_G_MEM_DN,
68 	(char *)NULL
69 };
70 
71 static int
72 getmembers_UID(char **bufpp, int *lenp, ns_ldap_attr_t *members);
73 static int
74 getmembers_DN(char **bufpp, int *lenp, ns_ldap_attr_t *members);
75 
76 
77 /*
78  * _nss_ldap_group2str is the data marshaling method for the group getXbyY
79  * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method
80  * is called after a successful ldap search has been performed. This method
81  * will parse the ldap search values into the file format.
82  * e.g.
83  *
84  * adm::4:root,adm,daemon
85  *
86  */
87 
88 static int
89 _nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
90 {
91 	int		i;
92 	int		nss_result;
93 	int		buflen = 0, len;
94 	char		*buffer = NULL;
95 	ns_ldap_result_t	*result = be->result;
96 	char		**gname, **passwd, **gid, *password, *end;
97 	char		gid_nobody[NOBODY_STR_LEN];
98 	char		*gid_nobody_v[1];
99 	ns_ldap_attr_t	*members;
100 
101 	(void) snprintf(gid_nobody, sizeof (gid_nobody), "%u", GID_NOBODY);
102 	gid_nobody_v[0] = gid_nobody;
103 
104 	if (result == NULL)
105 		return (NSS_STR_PARSE_PARSE);
106 	buflen = argp->buf.buflen;
107 
108 	if (argp->buf.result != NULL) {
109 		if ((be->buffer = calloc(1, buflen)) == NULL) {
110 			nss_result = NSS_STR_PARSE_PARSE;
111 			goto result_grp2str;
112 		}
113 		buffer = be->buffer;
114 	} else
115 		buffer = argp->buf.buffer;
116 
117 	nss_result = NSS_STR_PARSE_SUCCESS;
118 	(void) memset(buffer, 0, buflen);
119 
120 	gname = __ns_ldap_getAttr(result->entry, _G_NAME);
121 	if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) {
122 		nss_result = NSS_STR_PARSE_PARSE;
123 		goto result_grp2str;
124 	}
125 	passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD);
126 	if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) {
127 		/* group password could be NULL, replace it with "" */
128 		password = _NO_PASSWD_VAL;
129 	} else {
130 		/*
131 		 * Preen "{crypt}" if necessary.
132 		 * If the password does not include the {crypt} prefix
133 		 * then the password may be plain text.  And thus
134 		 * perhaps crypt(3c) should be used to encrypt it.
135 		 * Currently the password is copied verbatim.
136 		 */
137 		if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0)
138 			password = passwd[0] + strlen(_CRYPT);
139 		else
140 			password = passwd[0];
141 	}
142 	gid = __ns_ldap_getAttr(result->entry, _G_GID);
143 	if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) {
144 		nss_result = NSS_STR_PARSE_PARSE;
145 		goto result_grp2str;
146 	}
147 	/* Validate GID */
148 	if (strtoul(gid[0], &end, 10) > MAXUID)
149 		gid = gid_nobody_v;
150 	len = snprintf(buffer, buflen, "%s:%s:%s:", gname[0], password, gid[0]);
151 	TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
152 
153 	members = __ns_ldap_getAttrStruct(result->entry, _G_MEMUID);
154 	if (members != NULL && members->attrvalue != NULL) {
155 		nss_result = getmembers_UID(&buffer, &buflen, members);
156 		if (nss_result != 0)
157 			goto result_grp2str;
158 	}
159 
160 	members = __ns_ldap_getAttrStruct(result->entry, _G_MEM_DN);
161 	if (members != NULL && members->attrvalue != NULL) {
162 		nss_result = getmembers_DN(&buffer, &buflen, members);
163 		if (nss_result != 0)
164 			goto result_grp2str;
165 	}
166 
167 	/* The front end marshaller doesn't need the trailing nulls */
168 	if (argp->buf.result != NULL)
169 		be->buflen = strlen(be->buffer);
170 result_grp2str:
171 	(void) __ns_ldap_freeResult(&be->result);
172 	return (nss_result);
173 }
174 
175 /*
176  * Process the list values from the "memberUid" attribute of the
177  * current group.  Note that this list is often empty, and we
178  * get the real list of members via getmember_DN (see below).
179  */
180 static int
181 getmembers_UID(char **bufpp, int *lenp, ns_ldap_attr_t *members)
182 {
183 	char	*member_str, *strtok_state;
184 	char	*buffer;
185 	int	buflen;
186 	int	i, len;
187 	int	nss_result = 0;
188 	int	firsttime;
189 
190 	buffer = *bufpp;
191 	buflen = *lenp;
192 	firsttime = (buffer[-1] == ':');
193 
194 	for (i = 0; i < members->value_count; i++) {
195 		member_str = members->attrvalue[i];
196 		if (member_str == NULL)
197 			goto out;
198 
199 #ifdef DEBUG
200 		(void) fprintf(stdout, "getmembers_UID: uid=<%s>\n",
201 		    member_str);
202 #endif
203 		/*
204 		 * If not a valid Unix user name, or
205 		 * not valid in ldap, just skip.
206 		 */
207 		if (member_str[0] == '\0' ||
208 		    strpbrk(member_str, " ,:=") != NULL)
209 			continue;
210 
211 		if (firsttime) {
212 			len = snprintf(buffer, buflen, "%s", member_str);
213 			firsttime = 0;
214 		} else {
215 			len = snprintf(buffer, buflen, ",%s", member_str);
216 		}
217 		TEST_AND_ADJUST(len, buffer, buflen, out);
218 	}
219 
220 out:
221 	*bufpp = buffer;
222 	*lenp = buflen;
223 	return (nss_result);
224 }
225 
226 /*
227  * Process the list values from the "member" attribute of the
228  * current group.  Note that this list is ONLY one that can be
229  * assumed to be non-empty.  The problem here is that this list
230  * contains the list of members as "distinguished names" (DN),
231  * and we want the Unix names (known here as "uid").  We must
232  * lookup the "uid" for each DN in the member list.  Example:
233  * CN=Doe\, John,OU=Users,DC=contoso,DC=com => john.doe
234  */
235 static int
236 getmembers_DN(char **bufpp, int *lenp, ns_ldap_attr_t *members)
237 {
238 	ns_ldap_error_t *error = NULL;
239 	char	*member_dn, *member_uid;
240 	char	*buffer;
241 	int	buflen;
242 	int	i, len;
243 	int	nss_result = 0; /* used by TEST_AND_ADJUST macro */
244 	int	firsttime;
245 
246 	buffer = *bufpp;
247 	buflen = *lenp;
248 	firsttime = (buffer[-1] == ':');
249 
250 	for (i = 0; i < members->value_count; i++) {
251 		member_dn = members->attrvalue[i];
252 		if (member_dn == NULL)
253 			goto out;
254 
255 		/*
256 		 * The attribute name was "member", so these should be
257 		 * full distinguished names (DNs).  We need to loookup
258 		 * the Unix UID (name) for each.
259 		 */
260 #ifdef DEBUG
261 		(void) fprintf(stdout, "getmembers_DN: dn=%s\n",
262 		    member_dn);
263 #endif
264 		if (member_dn[0] == '\0')
265 			continue;
266 
267 		if (__ns_ldap_dn2uid(member_dn,
268 		    &member_uid, NULL, &error) != NS_LDAP_SUCCESS) {
269 			(void) __ns_ldap_freeError(&error);
270 			error = NULL;
271 			continue;
272 		}
273 #ifdef DEBUG
274 		(void) fprintf(stdout, "getmembers_DN: uid=<%s>\n",
275 		    member_uid);
276 #endif
277 		/* Skip invalid names. */
278 		if (member_uid[0] == '\0' ||
279 		    strpbrk(member_uid, " ,:=") != NULL) {
280 			free(member_uid);
281 			continue;
282 		}
283 
284 		if (firsttime) {
285 			len = snprintf(buffer, buflen, "%s", member_uid);
286 			firsttime = 0;
287 		} else {
288 			len = snprintf(buffer, buflen, ",%s", member_uid);
289 		}
290 		free(member_uid);
291 		TEST_AND_ADJUST(len, buffer, buflen, out);
292 	}
293 
294 out:
295 	*bufpp = buffer;
296 	*lenp = buflen;
297 	return (nss_result);
298 }
299 
300 /*
301  * getbynam gets a group entry by name. This function constructs an ldap
302  * search filter using the name invocation parameter and the getgrnam search
303  * filter defined. Once the filter is constructed, we searche for a matching
304  * entry and marshal the data results into struct group for the frontend
305  * process. The function _nss_ldap_group2ent performs the data marshaling.
306  */
307 
308 static nss_status_t
309 getbynam(ldap_backend_ptr be, void *a)
310 {
311 	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
312 	char		searchfilter[SEARCHFILTERLEN];
313 	char		userdata[SEARCHFILTERLEN];
314 	char		groupname[SEARCHFILTERLEN];
315 	int		ret;
316 
317 	if (_ldap_filter_name(groupname, argp->key.name, sizeof (groupname)) !=
318 	    0)
319 		return ((nss_status_t)NSS_NOTFOUND);
320 
321 	ret = snprintf(searchfilter, sizeof (searchfilter),
322 	    _F_GETGRNAM, groupname);
323 	if (ret >= sizeof (searchfilter) || ret < 0)
324 		return ((nss_status_t)NSS_NOTFOUND);
325 
326 	ret = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD, groupname);
327 	if (ret >= sizeof (userdata) || ret < 0)
328 		return ((nss_status_t)NSS_NOTFOUND);
329 
330 	return ((nss_status_t)_nss_ldap_lookup(be, argp,
331 	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata));
332 }
333 
334 
335 /*
336  * getbygid gets a group entry by number. This function constructs an ldap
337  * search filter using the name invocation parameter and the getgrgid search
338  * filter defined. Once the filter is constructed, we searche for a matching
339  * entry and marshal the data results into struct group for the frontend
340  * process. The function _nss_ldap_group2ent performs the data marshaling.
341  */
342 
343 static nss_status_t
344 getbygid(ldap_backend_ptr be, void *a)
345 {
346 	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
347 	char searchfilter[SEARCHFILTERLEN];
348 	char userdata[SEARCHFILTERLEN];
349 	int ret;
350 
351 	if (argp->key.uid > MAXUID)
352 		return ((nss_status_t)NSS_NOTFOUND);
353 
354 	ret = snprintf(searchfilter, sizeof (searchfilter),
355 	    _F_GETGRGID, argp->key.uid);
356 	if (ret >= sizeof (searchfilter) || ret < 0)
357 		return ((nss_status_t)NSS_NOTFOUND);
358 
359 	ret = snprintf(userdata, sizeof (userdata),
360 	    _F_GETGRGID_SSD, argp->key.uid);
361 	if (ret >= sizeof (userdata) || ret < 0)
362 		return ((nss_status_t)NSS_NOTFOUND);
363 
364 	return ((nss_status_t)_nss_ldap_lookup(be, argp,
365 	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata));
366 
367 }
368 
369 
370 /*
371  * Use a custom attributes list for getbymember, because the LDAP
372  * query for this requests a list of groups, and the result can be
373  * very large if it includes the list of members with each group.
374  * We don't need or want the list of members in this case.
375  */
376 static const char *grbymem_attrs[] = {
377 	_G_NAME,	/* cn */
378 	_G_GID,		/* gidnumber */
379 	(char *)NULL
380 };
381 
382 /*
383  * getbymember returns all groups a user is defined in. This function
384  * uses different architectural procedures than the other group backend
385  * system calls because it's a private interface. This function constructs
386  * an ldap search filter using the name invocation parameter. Once the
387  * filter is constructed, we search for all matching groups counting
388  * and storing each group name, gid, etc. Data marshaling is used for
389  * group processing. The function _nss_ldap_group2ent() performs the
390  * data marshaling.
391  *
392  * (const char *)argp->username;	(size_t)strlen(argp->username);
393  * (gid_t)argp->gid_array;		(int)argp->maxgids;
394  * (int)argp->numgids;
395  */
396 
397 static nss_status_t
398 getbymember(ldap_backend_ptr be, void *a)
399 {
400 	ns_ldap_error_t		*error = NULL;
401 	int			i, j, k;
402 	int			gcnt = (int)0;
403 	char			**groupvalue;
404 	nss_status_t		lstat;
405 	struct nss_groupsbymem	*argp = (struct nss_groupsbymem *)a;
406 	char			searchfilter[SEARCHFILTERLEN];
407 	char			userdata[SEARCHFILTERLEN];
408 	char			name[SEARCHFILTERLEN];
409 	char			escdn[SEARCHFILTERLEN];
410 	ns_ldap_result_t	*result;
411 	ns_ldap_entry_t		*curEntry;
412 	char			*dn;
413 	gid_t			gid;
414 	int			ret1, ret2;
415 
416 	if (strcmp(argp->username, "") == 0 ||
417 	    strcmp(argp->username, "root") == 0)
418 		return ((nss_status_t)NSS_NOTFOUND);
419 
420 	if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0)
421 		return ((nss_status_t)NSS_NOTFOUND);
422 
423 	/*
424 	 * Look up the user DN in ldap. If it's not found, search solely by
425 	 * username.
426 	 */
427 	lstat = __ns_ldap_uid2dn(name, &dn, NULL, &error);
428 	if (lstat != (nss_status_t)NS_LDAP_SUCCESS) {
429 		/* Can't get DN.  Use bare name */
430 		(void) __ns_ldap_freeError(&error);
431 		dn = name;
432 	}
433 	/* Note: must free dn if != name */
434 
435 	/*
436 	 * Compose filter patterns
437 	 */
438 	ret1 = snprintf(searchfilter, sizeof (searchfilter),
439 	    _F_GETGRMEM, name, dn);
440 	ret2 = snprintf(userdata, sizeof (userdata),
441 	    _F_GETGRMEM_SSD, name, dn);
442 	if (dn != name)
443 		free(dn);
444 	if (ret1 >= sizeof (searchfilter) || ret1 < 0)
445 		return ((nss_status_t)NSS_NOTFOUND);
446 	if (ret2 >= sizeof (userdata) || ret2 < 0)
447 		return ((nss_status_t)NSS_NOTFOUND);
448 
449 	/*
450 	 * Query for groups matching the filter.
451 	 */
452 	lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL,
453 	    _GROUP, searchfilter, grbymem_attrs,
454 	    _merge_SSD_filter, userdata);
455 	if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
456 		return ((nss_status_t)lstat);
457 	if (be->result == NULL)
458 		return (NSS_NOTFOUND);
459 
460 	/*
461 	 * Walk the query result, collecting GIDs.
462 	 */
463 	result = (ns_ldap_result_t *)be->result;
464 	curEntry = (ns_ldap_entry_t *)result->entry;
465 	gcnt = (int)argp->numgids;
466 	for (i = 0; i < result->entries_count; i++) {
467 
468 		/*
469 		 * Does this group have a gidNumber attr?
470 		 */
471 		groupvalue = __ns_ldap_getAttr(curEntry, _G_GID);
472 		if (groupvalue == NULL || groupvalue[0] == NULL) {
473 			/* Drop this group from the list */
474 			goto next_group;
475 		}
476 
477 		/*
478 		 * Convert it to a numeric GID
479 		 */
480 		errno = 0;
481 		gid = (gid_t)strtol(groupvalue[0], (char **)NULL, 10);
482 		if (errno != 0)
483 			goto next_group;
484 
485 		/*
486 		 * If we don't already have this GID, add it.
487 		 */
488 		if (argp->numgids < argp->maxgids) {
489 			for (k = 0; k < argp->numgids; k++) {
490 				if (argp->gid_array[k] == gid) {
491 					/* already have it */
492 					goto next_group;
493 				}
494 			}
495 			argp->gid_array[argp->numgids++] = gid;
496 		}
497 
498 	next_group:
499 		curEntry = curEntry->next;
500 	}
501 
502 	(void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);
503 	if (gcnt == argp->numgids)
504 		return ((nss_status_t)NSS_NOTFOUND);
505 
506 	/*
507 	 * Return NSS_SUCCESS only if array is full.
508 	 * Explained in <nss_dbdefs.h>.
509 	 */
510 	return ((nss_status_t)((argp->numgids == argp->maxgids)
511 	    ? NSS_SUCCESS
512 	    : NSS_NOTFOUND));
513 }
514 
515 static ldap_backend_op_t gr_ops[] = {
516 	_nss_ldap_destr,
517 	_nss_ldap_endent,
518 	_nss_ldap_setent,
519 	_nss_ldap_getent,
520 	getbynam,
521 	getbygid,
522 	getbymember
523 };
524 
525 
526 /*ARGSUSED0*/
527 nss_backend_t *
528 _nss_ldap_group_constr(const char *dummy1, const char *dummy2,
529     const char *dummy3)
530 {
531 
532 	return ((nss_backend_t *)_nss_ldap_constr(gr_ops,
533 	    sizeof (gr_ops)/sizeof (gr_ops[0]), _GROUP, gr_attrs,
534 	    _nss_ldap_group2str));
535 }
536