xref: /titanic_50/usr/src/cmd/ldap/ns_ldap/ldapaddrbac.c (revision 3eae19d9cf3390cf5b75e10c9c1945fd36ad856a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * ldapaddrbac.c
30  *
31  * Routines to add RBAC /etc files into LDAP.
32  * Can also be used to dump entries from a ldap container in /etc format.
33  */
34 
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <libintl.h>
38 #include <strings.h>
39 #include <sys/param.h>
40 #include <ctype.h>
41 #include <sys/types.h>
42 #include <sys/socket.h>
43 #include <netinet/in.h>
44 #include <arpa/inet.h>
45 #include <locale.h>
46 #include <syslog.h>
47 #include "ldapaddent.h"
48 
49 #undef opaque
50 #undef	GROUP
51 #include <bsm/libbsm.h>
52 
53 extern	char	*_strtok_escape(char *, char *, char **); /* from libnsl */
54 
55 #include <user_attr.h>
56 #include <prof_attr.h>
57 #include <exec_attr.h>
58 #include <auth_attr.h>
59 
60 /*
61  * The parsing routines for RBAC and audit_user databases
62  */
63 
64 /*
65  * genent_attr:
66  *   Generic function for generating entries for all of the *_attr databases.
67  */
68 int
69 genent_attr(
70 	char	*line,		/* entry to parse */
71 	int	ncol,		/* number of columns in the database */
72 	entry_col	**ecolret)	/* return entry array */
73 {
74 	int		i;
75 	char		(*buf)[BUFSIZ + 1];
76 	char		*s;
77 	char		*sep = KV_TOKEN_DELIMIT;
78 	char		*lasts;
79 	entry_col	*ecol;
80 
81 	/*
82 	 * check input length
83 	 */
84 	if (strlen(line) >= sizeof (*buf)) {
85 		(void) strcpy(parse_err_msg, "line too long");
86 		return (GENENT_PARSEERR);
87 	}
88 
89 	/*
90 	 * setup and clear column data
91 	 */
92 	if ((ecol = (entry_col *)malloc(ncol * sizeof (entry_col) +
93 	    sizeof (*buf))) == NULL)
94 		return (GENENT_ERR);
95 	(void) memset((char *)ecol, 0, ncol * sizeof (ecol));
96 
97 	/* don't scribble over input */
98 	buf = (char (*)[sizeof (*buf)]) (ecol + ncol);
99 	(void) strncpy((char *)buf, line, sizeof (*buf));
100 
101 	/* Split up columns */
102 	for (i = 0; i < ncol; i++, buf = NULL) {
103 		s = _strtok_escape((char *)buf, sep, &lasts);
104 		if (s == NULL) {
105 			ecol[i].ec_value.ec_value_val = "";
106 			ecol[i].ec_value.ec_value_len = 0;
107 		} else {
108 			ecol[i].ec_value.ec_value_val = s;
109 			ecol[i].ec_value.ec_value_len = strlen(s)+1;
110 		}
111 	}
112 
113 	*ecolret = ecol;
114 	return (GENENT_OK);
115 }
116 
117 int
118 genent_user_attr(char *line, int (*cback)())
119 {
120 	entry_col	*ecol;
121 	userstr_t	data;
122 	int		res, retval;
123 
124 	/*
125 	 * parse entry into columns
126 	 */
127 	res = genent_attr(line, USERATTR_DB_NCOL, &ecol);
128 	if (res != GENENT_OK)
129 		return (res);
130 
131 	data.name = ecol[0].ec_value.ec_value_val;
132 	data.qualifier = ecol[1].ec_value.ec_value_val;
133 	data.res1 = NULL;
134 	data.res2 = NULL;
135 	data.attr = ecol[4].ec_value.ec_value_val;
136 
137 	if (flags & F_VERBOSE)
138 		(void) fprintf(stdout,
139 		    gettext("Adding entry : %s\n"), data.name);
140 
141 	retval = (*cback)(&data, 1);
142 	if (retval != NS_LDAP_SUCCESS) {
143 		if (retval == LDAP_NO_SUCH_OBJECT)
144 			(void) fprintf(stdout,
145 			gettext("Cannot add user_attr entry (%s), "
146 			"add passwd entry first\n"), data.name);
147 		if (continue_onerror == 0) res = GENENT_CBERR;
148 	}
149 
150 	free(ecol);
151 
152 	return (res);
153 }
154 
155 void
156 dump_user_attr(ns_ldap_result_t *res)
157 {
158 	char	**value = NULL;
159 
160 	value = __ns_ldap_getAttr(res->entry, "uid");
161 	if (value && value[0])
162 		(void) fprintf(stdout, "%s", value[0]);
163 	else
164 		return;
165 
166 	(void) fprintf(stdout, "::::");
167 	value = __ns_ldap_getAttr(res->entry, "SolarisAttrKeyValue");
168 	if (value && value[0])
169 		(void) fprintf(stdout, "%s", value[0]);
170 	(void) fprintf(stdout, "\n");
171 }
172 
173 int
174 genent_prof_attr(char *line, int (*cback)())
175 {
176 	entry_col	*ecol;
177 	profstr_t	data;
178 	int		res, retval;
179 
180 	/*
181 	 * parse entry into columns
182 	 */
183 	res = genent_attr(line, PROFATTR_DB_NCOL, &ecol);
184 	if (res != GENENT_OK)
185 		return (res);
186 
187 	data.name = ecol[0].ec_value.ec_value_val;
188 	data.res1 = NULL;
189 	data.res2 = NULL;
190 	data.desc = ecol[3].ec_value.ec_value_val;
191 	data.attr = ecol[4].ec_value.ec_value_val;
192 
193 	if (flags & F_VERBOSE)
194 		(void) fprintf(stdout,
195 		    gettext("Adding entry : %s\n"), data.name);
196 
197 	retval = (*cback)(&data, 0);
198 	if (retval == LDAP_ALREADY_EXISTS) {
199 		if (continue_onerror)
200 			(void) fprintf(stderr,
201 			    gettext("Entry: %s - already Exists,"
202 			    " skipping it.\n"),
203 			    data.name);
204 		else {
205 			res = GENENT_CBERR;
206 			(void) fprintf(stderr,
207 			    gettext("Entry: %s - already Exists\n"),
208 			    data.name);
209 		}
210 	} else if (retval)
211 		res = GENENT_CBERR;
212 
213 	free(ecol);
214 
215 	return (res);
216 }
217 
218 void
219 dump_prof_attr(ns_ldap_result_t *res)
220 {
221 	char	**value = NULL;
222 
223 	value = __ns_ldap_getAttr(res->entry, "cn");
224 	if (value && value[0])
225 		(void) fprintf(stdout, "%s", value[0]);
226 	else
227 		return;
228 
229 	(void) fprintf(stdout, ":::");
230 	value = __ns_ldap_getAttr(res->entry, "SolarisAttrLongDesc");
231 	if (value && value[0])
232 		(void) fprintf(stdout, "%s", value[0]);
233 	(void) fprintf(stdout, ":");
234 	value = __ns_ldap_getAttr(res->entry, "SolarisAttrKeyValue");
235 	if (value && value[0])
236 		(void) fprintf(stdout, "%s", value[0]);
237 	(void) fprintf(stdout, "\n");
238 }
239 
240 int
241 genent_exec_attr(char *line, int (*cback)())
242 {
243 	entry_col	*ecol;
244 	execstr_t	data;
245 	int		res, retval;
246 
247 	/*
248 	 * parse entry into columns
249 	 */
250 	res = genent_attr(line, EXECATTR_DB_NCOL, &ecol);
251 	if (res != GENENT_OK)
252 		return (res);
253 
254 	data.name = ecol[0].ec_value.ec_value_val;
255 	data.policy = ecol[1].ec_value.ec_value_val;
256 	data.type = ecol[2].ec_value.ec_value_val;
257 	data.res1 = NULL;
258 	data.res2 = NULL;
259 	data.id = ecol[5].ec_value.ec_value_val;
260 	data.attr = ecol[6].ec_value.ec_value_val;
261 	data.next = NULL;
262 
263 	if (flags & F_VERBOSE)
264 		(void) fprintf(stdout,
265 		    gettext("Adding entry : %s+%s+%s+%s\n"),
266 		    data.name, data.policy, data.type, data.id);
267 
268 	retval = (*cback)(&data, 0);
269 	if (retval == LDAP_ALREADY_EXISTS) {
270 		if (continue_onerror)
271 			(void) fprintf(stderr,
272 			    gettext("Entry: %s+%s+%s+%s - already Exists,"
273 			    " skipping it.\n"),
274 			    data.name, data.policy, data.type, data.id);
275 		else {
276 			res = GENENT_CBERR;
277 			(void) fprintf(stderr,
278 			    gettext("Entry: %s+%s+%s+%s - already Exists\n"),
279 			    data.name, data.policy, data.type, data.id);
280 		}
281 	} else if (retval)
282 		res = GENENT_CBERR;
283 
284 	free(ecol);
285 
286 	return (res);
287 }
288 
289 void
290 dump_exec_attr(ns_ldap_result_t *res)
291 {
292 	char	**profile;
293 	char	**policy;
294 	char	**type;
295 	char	**id;
296 	char	**value;
297 
298 	profile = __ns_ldap_getAttr(res->entry, "cn");
299 	policy = __ns_ldap_getAttr(res->entry, "SolarisKernelSecurityPolicy");
300 	type = __ns_ldap_getAttr(res->entry, "SolarisProfileType");
301 	id = __ns_ldap_getAttr(res->entry, "SolarisProfileId");
302 
303 	if (profile == NULL || profile[0] == NULL ||
304 	    policy == NULL || policy[0] == NULL ||
305 	    type == NULL || type[0] == NULL ||
306 	    id == NULL || id[0] == NULL)
307 		return;
308 
309 	(void) fprintf(stdout, "%s", profile[0]);
310 	(void) fprintf(stdout, ":");
311 	(void) fprintf(stdout, "%s", policy[0]);
312 	(void) fprintf(stdout, ":");
313 	(void) fprintf(stdout, "%s", type[0]);
314 	(void) fprintf(stdout, ":::");
315 	(void) fprintf(stdout, "%s", id[0]);
316 	(void) fprintf(stdout, ":");
317 	value = __ns_ldap_getAttr(res->entry, "SolarisAttrKeyValue");
318 	if (value && value[0])
319 		(void) fprintf(stdout, "%s", value[0]);
320 	(void) fprintf(stdout, "\n");
321 }
322 
323 int
324 genent_auth_attr(char *line, int (*cback)())
325 {
326 	entry_col	*ecol;
327 	authstr_t	data;
328 	int		res, retval;
329 
330 	/*
331 	 * parse entry into columns
332 	 */
333 	res = genent_attr(line, AUTHATTR_DB_NCOL, &ecol);
334 	if (res != GENENT_OK)
335 		return (res);
336 
337 	data.name = ecol[0].ec_value.ec_value_val;
338 	data.res1 = NULL;
339 	data.res2 = NULL;
340 	data.short_desc = ecol[3].ec_value.ec_value_val;
341 	data.long_desc = ecol[4].ec_value.ec_value_val;
342 	data.attr = ecol[5].ec_value.ec_value_val;
343 
344 	if (flags & F_VERBOSE)
345 		(void) fprintf(stdout,
346 		    gettext("Adding entry : %s\n"), data.name);
347 
348 	retval = (*cback)(&data, 0);
349 	if (retval == LDAP_ALREADY_EXISTS) {
350 		if (continue_onerror)
351 			(void) fprintf(stderr,
352 			    gettext("Entry: %s - already Exists,"
353 			    " skipping it.\n"), data.name);
354 		else {
355 			res = GENENT_CBERR;
356 			(void) fprintf(stderr,
357 			    gettext("Entry: %s - already Exists\n"),
358 			    data.name);
359 		}
360 	} else if (retval)
361 		res = GENENT_CBERR;
362 
363 	free(ecol);
364 
365 	return (res);
366 }
367 
368 void
369 dump_auth_attr(ns_ldap_result_t *res)
370 {
371 	char	**value = NULL;
372 
373 	value = __ns_ldap_getAttr(res->entry, "cn");
374 	if (value && value[0])
375 		(void) fprintf(stdout, "%s", value[0]);
376 	else
377 		return;
378 
379 	(void) fprintf(stdout, ":::");
380 	value = __ns_ldap_getAttr(res->entry, "SolarisAttrShortDesc");
381 	if (value && value[0])
382 		(void) fprintf(stdout, "%s", value[0]);
383 	(void) fprintf(stdout, ":");
384 	value = __ns_ldap_getAttr(res->entry, "SolarisAttrLongDesc");
385 	if (value && value[0])
386 		(void) fprintf(stdout, "%s", value[0]);
387 	(void) fprintf(stdout, ":");
388 	value = __ns_ldap_getAttr(res->entry, "SolarisAttrKeyValue");
389 	if (value && value[0])
390 		(void) fprintf(stdout, "%s", value[0]);
391 	(void) fprintf(stdout, "\n");
392 }
393 
394 int
395 genent_audit_user(char *line, int (*cback)())
396 {
397 	entry_col	*ecol;
398 	au_user_str_t	data;
399 	int		res, retval;
400 
401 	/*
402 	 * parse entry into columns
403 	 */
404 	res = genent_attr(line, AUDITUSER_DB_NCOL, &ecol);
405 	if (res != GENENT_OK)
406 		return (res);
407 
408 	data.au_name = strdup(ecol[0].ec_value.ec_value_val);
409 	data.au_always = strdup(ecol[1].ec_value.ec_value_val);
410 	data.au_never = strdup(ecol[2].ec_value.ec_value_val);
411 
412 	if (flags & F_VERBOSE)
413 		(void) fprintf(stdout,
414 		    gettext("Adding entry : %s\n"), data.au_name);
415 
416 	retval = (*cback)(&data, 1);
417 	if (retval != NS_LDAP_SUCCESS) {
418 		if (retval == LDAP_NO_SUCH_OBJECT)
419 			(void) fprintf(stdout,
420 			gettext("Cannot add audit_user entry (%s), "
421 			"add passwd entry first\n"), data.au_name);
422 		if (continue_onerror == 0) res = GENENT_CBERR;
423 	}
424 
425 	free(ecol);
426 
427 	return (res);
428 }
429 
430 void
431 dump_audit_user(ns_ldap_result_t *res)
432 {
433 	char	**value = NULL;
434 
435 	value = __ns_ldap_getAttr(res->entry, "uid");
436 	if (value && value[0])
437 		(void) fprintf(stdout, "%s", value[0]);
438 	else
439 		return;
440 
441 	(void) fprintf(stdout, ":");
442 	value = __ns_ldap_getAttr(res->entry, "SolarisAuditAlways");
443 	if (value && value[0])
444 		(void) fprintf(stdout, "%s", value[0]);
445 	(void) fprintf(stdout, ":");
446 	value = __ns_ldap_getAttr(res->entry, "SolarisAuditNever");
447 	if (value && value[0])
448 		(void) fprintf(stdout, "%s", value[0]);
449 	(void) fprintf(stdout, "\n");
450 }
451