idmap/idmapd/server.c

c5c4113dSnw141292/*
c5c4113dSnw141292 * CDDL HEADER START
c5c4113dSnw141292 *
c5c4113dSnw141292 * The contents of this file are subject to the terms of the
c5c4113dSnw141292 * Common Development and Distribution License (the "License").
c5c4113dSnw141292 * You may not use this file except in compliance with the License.
c5c4113dSnw141292 *
c5c4113dSnw141292 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
c5c4113dSnw141292 * or http://www.opensolaris.org/os/licensing.
c5c4113dSnw141292 * See the License for the specific language governing permissions
c5c4113dSnw141292 * and limitations under the License.
c5c4113dSnw141292 *
c5c4113dSnw141292 * When distributing Covered Code, include this CDDL HEADER in each
c5c4113dSnw141292 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
c5c4113dSnw141292 * If applicable, add the following below this CDDL HEADER, with the
c5c4113dSnw141292 * fields enclosed by brackets "[]" replaced with your own identifying
c5c4113dSnw141292 * information: Portions Copyright [yyyy] [name of copyright owner]
c5c4113dSnw141292 *
c5c4113dSnw141292 * CDDL HEADER END
c5c4113dSnw141292 */
c5c4113dSnw141292/*
1fcced4cSJordan Brown * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
c5c4113dSnw141292 * Use is subject to license terms.
c5c4113dSnw141292 */
c5c4113dSnw141292
c5c4113dSnw141292
c5c4113dSnw141292/*
c5c4113dSnw141292 * Service routines
c5c4113dSnw141292 */
c5c4113dSnw141292
c5c4113dSnw141292#include "idmapd.h"
c5c4113dSnw141292#include "idmap_priv.h"
e8c27ec8Sbaban#include "nldaputils.h"
c5c4113dSnw141292#include <signal.h>
c5c4113dSnw141292#include <thread.h>
c5c4113dSnw141292#include <string.h>
c5c4113dSnw141292#include <strings.h>
c5c4113dSnw141292#include <errno.h>
c5c4113dSnw141292#include <assert.h>
c5c4113dSnw141292#include <sys/types.h>
c5c4113dSnw141292#include <sys/stat.h>
c5c4113dSnw141292#include <ucred.h>
c5c4113dSnw141292#include <pwd.h>
c5c4113dSnw141292#include <auth_attr.h>
c5c4113dSnw141292#include <secdb.h>
0dcc7149Snw141292#include <sys/u8_textprep.h>
1fcced4cSJordan Brown#include <note.h>
c5c4113dSnw141292
c5c4113dSnw141292#define	_VALIDATE_LIST_CB_DATA(col, val, siz)\
c5c4113dSnw141292	retcode = validate_list_cb_data(cb_data, argc, argv, col,\
c5c4113dSnw141292			(uchar_t **)val, siz);\
c5c4113dSnw141292	if (retcode == IDMAP_NEXT) {\
c5c4113dSnw141292		result->retcode = IDMAP_NEXT;\
c5c4113dSnw141292		return (0);\
c5c4113dSnw141292	} else if (retcode < 0) {\
c5c4113dSnw141292		result->retcode = retcode;\
c5c4113dSnw141292		return (1);\
c5c4113dSnw141292	}
c5c4113dSnw141292
48258c6bSjp151216#define	PROCESS_LIST_SVC_SQL(rcode, db, dbname, sql, limit, flag, cb, res, len)\
48258c6bSjp151216	rcode = process_list_svc_sql(db, dbname, sql, limit, flag, cb, res);\
c5c4113dSnw141292	if (rcode == IDMAP_ERR_BUSY)\
c5c4113dSnw141292		res->retcode = IDMAP_ERR_BUSY;\
c5c4113dSnw141292	else if (rcode == IDMAP_SUCCESS && len == 0)\
c5c4113dSnw141292		res->retcode = IDMAP_ERR_NOTFOUND;
c5c4113dSnw141292
c5c4113dSnw141292
8e228215Sdm199847#define	STRDUP_OR_FAIL(to, from) \
8e228215Sdm199847	if ((from) == NULL) \
8e228215Sdm199847		to = NULL; \
8e228215Sdm199847	else { \
8e228215Sdm199847		if ((to = strdup(from)) == NULL) \
8e228215Sdm199847			return (1); \
8e228215Sdm199847	}
8e228215Sdm199847
479ac375Sdm199847#define	STRDUP_CHECK(to, from) \
479ac375Sdm199847	if ((from) != NULL) { \
479ac375Sdm199847		to = strdup(from); \
479ac375Sdm199847		if (to == NULL) { \
479ac375Sdm199847			result->retcode = IDMAP_ERR_MEMORY; \
479ac375Sdm199847			goto out; \
479ac375Sdm199847		} \
479ac375Sdm199847	}
479ac375Sdm199847
c5c4113dSnw141292/* ARGSUSED */
c5c4113dSnw141292bool_t
cd37da74Snw141292idmap_null_1_svc(void *result, struct svc_req *rqstp)
cd37da74Snw141292{
c5c4113dSnw141292	return (TRUE);
c5c4113dSnw141292}
c5c4113dSnw141292
334e3463Sbaban/*
334e3463Sbaban * RPC layer allocates empty strings to replace NULL char *.
334e3463Sbaban * This utility function frees these empty strings.
334e3463Sbaban */
e8c27ec8Sbabanstatic
e8c27ec8Sbabanvoid
334e3463Sbabansanitize_mapping_request(idmap_mapping *req)
334e3463Sbaban{
*fe1c642dSBill Krier	if (EMPTY_STRING(req->id1name)) {
334e3463Sbaban		free(req->id1name);
334e3463Sbaban		req->id1name = NULL;
*fe1c642dSBill Krier	}
*fe1c642dSBill Krier	if (EMPTY_STRING(req->id1domain)) {
334e3463Sbaban		free(req->id1domain);
334e3463Sbaban		req->id1domain = NULL;
*fe1c642dSBill Krier	}
*fe1c642dSBill Krier	if (EMPTY_STRING(req->id2name)) {
334e3463Sbaban		free(req->id2name);
334e3463Sbaban		req->id2name = NULL;
*fe1c642dSBill Krier	}
*fe1c642dSBill Krier	if (EMPTY_STRING(req->id2domain)) {
334e3463Sbaban		free(req->id2domain);
334e3463Sbaban		req->id2domain = NULL;
*fe1c642dSBill Krier	}
e8c27ec8Sbaban	req->direction = _IDMAP_F_DONE;
334e3463Sbaban}
334e3463Sbaban
0dcc7149Snw141292static
0dcc7149Snw141292int
0dcc7149Snw141292validate_mapped_id_by_name_req(idmap_mapping *req)
0dcc7149Snw141292{
0dcc7149Snw141292	int e;
0dcc7149Snw141292
0dcc7149Snw141292	if (IS_REQUEST_UID(*req) || IS_REQUEST_GID(*req))
0dcc7149Snw141292		return (IDMAP_SUCCESS);
0dcc7149Snw141292
0dcc7149Snw141292	if (IS_REQUEST_SID(*req, 1)) {
0dcc7149Snw141292		if (!EMPTY_STRING(req->id1name) &&
0dcc7149Snw141292		    u8_validate(req->id1name, strlen(req->id1name),
0dcc7149Snw141292		    NULL, U8_VALIDATE_ENTIRE, &e) < 0)
0dcc7149Snw141292			return (IDMAP_ERR_BAD_UTF8);
0dcc7149Snw141292		if (!EMPTY_STRING(req->id1domain) &&
0dcc7149Snw141292		    u8_validate(req->id1domain, strlen(req->id1domain),
0dcc7149Snw141292		    NULL, U8_VALIDATE_ENTIRE, &e) < 0)
0dcc7149Snw141292			return (IDMAP_ERR_BAD_UTF8);
0dcc7149Snw141292	}
0dcc7149Snw141292
0dcc7149Snw141292	return (IDMAP_SUCCESS);
0dcc7149Snw141292}
0dcc7149Snw141292
0dcc7149Snw141292static
0dcc7149Snw141292int
0dcc7149Snw141292validate_rule(idmap_namerule *rule)
0dcc7149Snw141292{
0dcc7149Snw141292	int e;
0dcc7149Snw141292
0dcc7149Snw141292	if (!EMPTY_STRING(rule->winname) &&
0dcc7149Snw141292	    u8_validate(rule->winname, strlen(rule->winname),
0dcc7149Snw141292	    NULL, U8_VALIDATE_ENTIRE, &e) < 0)
0dcc7149Snw141292		return (IDMAP_ERR_BAD_UTF8);
0dcc7149Snw141292
0dcc7149Snw141292	if (!EMPTY_STRING(rule->windomain) &&
0dcc7149Snw141292	    u8_validate(rule->windomain, strlen(rule->windomain),
0dcc7149Snw141292	    NULL, U8_VALIDATE_ENTIRE, &e) < 0)
0dcc7149Snw141292		return (IDMAP_ERR_BAD_UTF8);
0dcc7149Snw141292
0dcc7149Snw141292	return (IDMAP_SUCCESS);
0dcc7149Snw141292
0dcc7149Snw141292}
0dcc7149Snw141292
0dcc7149Snw141292static
0dcc7149Snw141292bool_t
0dcc7149Snw141292validate_rules(idmap_update_batch *batch)
0dcc7149Snw141292{
0dcc7149Snw141292	idmap_update_op	*up;
0dcc7149Snw141292	int i;
0dcc7149Snw141292
0dcc7149Snw141292	for (i = 0; i < batch->idmap_update_batch_len; i++) {
0dcc7149Snw141292		up = &(batch->idmap_update_batch_val[i]);
0dcc7149Snw141292		if (validate_rule(&(up->idmap_update_op_u.rule))
0dcc7149Snw141292		    != IDMAP_SUCCESS)
0dcc7149Snw141292			return (IDMAP_ERR_BAD_UTF8);
0dcc7149Snw141292	}
0dcc7149Snw141292
0dcc7149Snw141292	return (IDMAP_SUCCESS);
0dcc7149Snw141292}
0dcc7149Snw141292
c5c4113dSnw141292/* ARGSUSED */
c5c4113dSnw141292bool_t
c5c4113dSnw141292idmap_get_mapped_ids_1_svc(idmap_mapping_batch batch,
cd37da74Snw141292		idmap_ids_res *result, struct svc_req *rqstp)
cd37da74Snw141292{
c5c4113dSnw141292	sqlite		*cache = NULL, *db = NULL;
c5c4113dSnw141292	lookup_state_t	state;
e8c27ec8Sbaban	idmap_retcode	retcode;
62c60062Sbaban	uint_t		i;
c5c4113dSnw141292
c5c4113dSnw141292	/* Init */
c5c4113dSnw141292	(void) memset(result, 0, sizeof (*result));
c5c4113dSnw141292	(void) memset(&state, 0, sizeof (state));
c5c4113dSnw141292
c5c4113dSnw141292	/* Return success if nothing was requested */
c5c4113dSnw141292	if (batch.idmap_mapping_batch_len < 1)
c5c4113dSnw141292		goto out;
c5c4113dSnw141292
c5c4113dSnw141292	/* Get cache handle */
c5c4113dSnw141292	result->retcode = get_cache_handle(&cache);
c5c4113dSnw141292	if (result->retcode != IDMAP_SUCCESS)
c5c4113dSnw141292		goto out;
479ac375Sdm199847	state.cache = cache;
c5c4113dSnw141292
c5c4113dSnw141292	/* Get db handle */
c5c4113dSnw141292	result->retcode = get_db_handle(&db);
c5c4113dSnw141292	if (result->retcode != IDMAP_SUCCESS)
c5c4113dSnw141292		goto out;
479ac375Sdm199847	state.db = db;
c5c4113dSnw141292
c5c4113dSnw141292	/* Allocate result array */
c5c4113dSnw141292	result->ids.ids_val = calloc(batch.idmap_mapping_batch_len,
c5c4113dSnw141292	    sizeof (idmap_id_res));
c5c4113dSnw141292	if (result->ids.ids_val == NULL) {
c5c4113dSnw141292		idmapdlog(LOG_ERR, "Out of memory");
c5c4113dSnw141292		result->retcode = IDMAP_ERR_MEMORY;
c5c4113dSnw141292		goto out;
c5c4113dSnw141292	}
c5c4113dSnw141292	result->ids.ids_len = batch.idmap_mapping_batch_len;
c5c4113dSnw141292
62c60062Sbaban	/* Allocate hash table to check for duplicate sids */
62c60062Sbaban	state.sid_history = calloc(batch.idmap_mapping_batch_len,
62c60062Sbaban	    sizeof (*state.sid_history));
62c60062Sbaban	if (state.sid_history == NULL) {
62c60062Sbaban		idmapdlog(LOG_ERR, "Out of memory");
62c60062Sbaban		result->retcode = IDMAP_ERR_MEMORY;
62c60062Sbaban		goto out;
62c60062Sbaban	}
62c60062Sbaban	state.sid_history_size = batch.idmap_mapping_batch_len;
62c60062Sbaban	for (i = 0; i < state.sid_history_size; i++) {
62c60062Sbaban		state.sid_history[i].key = state.sid_history_size;
62c60062Sbaban		state.sid_history[i].next = state.sid_history_size;
62c60062Sbaban	}
62c60062Sbaban	state.batch = &batch;
62c60062Sbaban	state.result = result;
62c60062Sbaban
e8c27ec8Sbaban	/* Get directory-based name mapping info */
479ac375Sdm199847	result->retcode = load_cfg_in_state(&state);
e8c27ec8Sbaban	if (result->retcode != IDMAP_SUCCESS)
e8c27ec8Sbaban		goto out;
e8c27ec8Sbaban
c5c4113dSnw141292	/* Init our 'done' flags */
c5c4113dSnw141292	state.sid2pid_done = state.pid2sid_done = TRUE;
c5c4113dSnw141292
c5c4113dSnw141292	/* First stage */
c5c4113dSnw141292	for (i = 0; i < batch.idmap_mapping_batch_len; i++) {
62c60062Sbaban		state.curpos = i;
334e3463Sbaban		(void) sanitize_mapping_request(
334e3463Sbaban		    &batch.idmap_mapping_batch_val[i]);
c5c4113dSnw141292		if (IS_BATCH_SID(batch, i)) {
c5c4113dSnw141292			retcode = sid2pid_first_pass(
c5c4113dSnw141292			    &state,
c5c4113dSnw141292			    &batch.idmap_mapping_batch_val[i],
c5c4113dSnw141292			    &result->ids.ids_val[i]);
c5c4113dSnw141292		} else if (IS_BATCH_UID(batch, i)) {
c5c4113dSnw141292			retcode = pid2sid_first_pass(
c5c4113dSnw141292			    &state,
c5c4113dSnw141292			    &batch.idmap_mapping_batch_val[i],
*fe1c642dSBill Krier			    &result->ids.ids_val[i], 1);
c5c4113dSnw141292		} else if (IS_BATCH_GID(batch, i)) {
c5c4113dSnw141292			retcode = pid2sid_first_pass(
c5c4113dSnw141292			    &state,
c5c4113dSnw141292			    &batch.idmap_mapping_batch_val[i],
*fe1c642dSBill Krier			    &result->ids.ids_val[i], 0);
c5c4113dSnw141292		} else {
c5c4113dSnw141292			result->ids.ids_val[i].retcode = IDMAP_ERR_IDTYPE;
c5c4113dSnw141292			continue;
c5c4113dSnw141292		}
c5c4113dSnw141292		if (IDMAP_FATAL_ERROR(retcode)) {
c5c4113dSnw141292			result->retcode = retcode;
c5c4113dSnw141292			goto out;
c5c4113dSnw141292		}
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	/* Check if we are done */
c5c4113dSnw141292	if (state.sid2pid_done == TRUE && state.pid2sid_done == TRUE)
c5c4113dSnw141292		goto out;
c5c4113dSnw141292
e8c27ec8Sbaban	/*
e8c27ec8Sbaban	 * native LDAP lookups:
479ac375Sdm199847	 *  pid2sid:
479ac375Sdm199847	 *	- nldap or mixed mode. Lookup nldap by pid or unixname to get
479ac375Sdm199847	 *	  winname.
479ac375Sdm199847	 *  sid2pid:
479ac375Sdm199847	 *	- nldap mode. Got winname and sid (either given or found in
479ac375Sdm199847	 *	  name_cache). Lookup nldap by winname to get pid and
479ac375Sdm199847	 *	  unixname.
e8c27ec8Sbaban	 */
e8c27ec8Sbaban	if (state.nldap_nqueries) {
e8c27ec8Sbaban		retcode = nldap_lookup_batch(&state, &batch, result);
e8c27ec8Sbaban		if (IDMAP_FATAL_ERROR(retcode)) {
e8c27ec8Sbaban			result->retcode = retcode;
c5c4113dSnw141292			goto out;
c5c4113dSnw141292		}
e8c27ec8Sbaban	}
c5c4113dSnw141292
e8c27ec8Sbaban	/*
e8c27ec8Sbaban	 * AD lookups:
479ac375Sdm199847	 *  pid2sid:
479ac375Sdm199847	 *	- nldap or mixed mode. Got winname from nldap lookup.
479ac375Sdm199847	 *	  winname2sid could not be resolved locally. Lookup AD
479ac375Sdm199847	 *	  by winname to get sid.
479ac375Sdm199847	 *	- ad mode. Got unixname. Lookup AD by unixname to get
479ac375Sdm199847	 *	  winname and sid.
479ac375Sdm199847	 *  sid2pid:
479ac375Sdm199847	 *	- ad or mixed mode. Lookup AD by sid or winname to get
479ac375Sdm199847	 *	  winname, sid and unixname.
479ac375Sdm199847	 *	- any mode. Got either sid or winname but not both. Lookup
479ac375Sdm199847	 *	  AD by sid or winname to get winname, sid.
e8c27ec8Sbaban	 */
e8c27ec8Sbaban	if (state.ad_nqueries) {
e8c27ec8Sbaban		retcode = ad_lookup_batch(&state, &batch, result);
e8c27ec8Sbaban		if (IDMAP_FATAL_ERROR(retcode)) {
e8c27ec8Sbaban			result->retcode = retcode;
e8c27ec8Sbaban			goto out;
e8c27ec8Sbaban		}
e8c27ec8Sbaban	}
e8c27ec8Sbaban
e8c27ec8Sbaban	/*
e8c27ec8Sbaban	 * native LDAP lookups:
479ac375Sdm199847	 *  sid2pid:
479ac375Sdm199847	 *	- nldap mode. Got winname and sid from AD lookup. Lookup nldap
479ac375Sdm199847	 *	  by winname to get pid and unixname.
e8c27ec8Sbaban	 */
e8c27ec8Sbaban	if (state.nldap_nqueries) {
e8c27ec8Sbaban		retcode = nldap_lookup_batch(&state, &batch, result);
e8c27ec8Sbaban		if (IDMAP_FATAL_ERROR(retcode)) {
e8c27ec8Sbaban			result->retcode = retcode;
e8c27ec8Sbaban			goto out;
e8c27ec8Sbaban		}
e8c27ec8Sbaban	}
e8c27ec8Sbaban
e8c27ec8Sbaban	/* Reset 'done' flags */
e8c27ec8Sbaban	state.sid2pid_done = state.pid2sid_done = TRUE;
c5c4113dSnw141292
c5c4113dSnw141292	/* Second stage */
c5c4113dSnw141292	for (i = 0; i < batch.idmap_mapping_batch_len; i++) {
62c60062Sbaban		state.curpos = i;
c5c4113dSnw141292		if (IS_BATCH_SID(batch, i)) {
c5c4113dSnw141292			retcode = sid2pid_second_pass(
c5c4113dSnw141292			    &state,
c5c4113dSnw141292			    &batch.idmap_mapping_batch_val[i],
c5c4113dSnw141292			    &result->ids.ids_val[i]);
e8c27ec8Sbaban		} else if (IS_BATCH_UID(batch, i)) {
e8c27ec8Sbaban			retcode = pid2sid_second_pass(
e8c27ec8Sbaban			    &state,
e8c27ec8Sbaban			    &batch.idmap_mapping_batch_val[i],
e8c27ec8Sbaban			    &result->ids.ids_val[i], 1);
e8c27ec8Sbaban		} else if (IS_BATCH_GID(batch, i)) {
e8c27ec8Sbaban			retcode = pid2sid_second_pass(
e8c27ec8Sbaban			    &state,
e8c27ec8Sbaban			    &batch.idmap_mapping_batch_val[i],
e8c27ec8Sbaban			    &result->ids.ids_val[i], 0);
e8c27ec8Sbaban		} else {
e8c27ec8Sbaban			/* First stage has already set the error */
e8c27ec8Sbaban			continue;
e8c27ec8Sbaban		}
c5c4113dSnw141292		if (IDMAP_FATAL_ERROR(retcode)) {
c5c4113dSnw141292			result->retcode = retcode;
c5c4113dSnw141292			goto out;
c5c4113dSnw141292		}
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	/* Check if we are done */
c5c4113dSnw141292	if (state.sid2pid_done == TRUE && state.pid2sid_done == TRUE)
c5c4113dSnw141292		goto out;
c5c4113dSnw141292
c5c4113dSnw141292	/* Reset our 'done' flags */
c5c4113dSnw141292	state.sid2pid_done = state.pid2sid_done = TRUE;
c5c4113dSnw141292
c5c4113dSnw141292	/* Update cache in a single transaction */
71590c90Snw141292	if (sql_exec_no_cb(cache, IDMAP_CACHENAME, "BEGIN TRANSACTION;")
71590c90Snw141292	    != IDMAP_SUCCESS)
c5c4113dSnw141292		goto out;
c5c4113dSnw141292
c5c4113dSnw141292	for (i = 0; i < batch.idmap_mapping_batch_len; i++) {
62c60062Sbaban		state.curpos = i;
c5c4113dSnw141292		if (IS_BATCH_SID(batch, i)) {
c5c4113dSnw141292			(void) update_cache_sid2pid(
c5c4113dSnw141292			    &state,
c5c4113dSnw141292			    &batch.idmap_mapping_batch_val[i],
c5c4113dSnw141292			    &result->ids.ids_val[i]);
c5c4113dSnw141292		} else if ((IS_BATCH_UID(batch, i)) ||
c5c4113dSnw141292		    (IS_BATCH_GID(batch, i))) {
c5c4113dSnw141292			(void) update_cache_pid2sid(
c5c4113dSnw141292			    &state,
c5c4113dSnw141292			    &batch.idmap_mapping_batch_val[i],
c5c4113dSnw141292			    &result->ids.ids_val[i]);
c5c4113dSnw141292		}
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	/* Commit if we have at least one successful update */
c5c4113dSnw141292	if (state.sid2pid_done == FALSE || state.pid2sid_done == FALSE)
71590c90Snw141292		(void) sql_exec_no_cb(cache, IDMAP_CACHENAME,
71590c90Snw141292		    "COMMIT TRANSACTION;");
c5c4113dSnw141292	else
71590c90Snw141292		(void) sql_exec_no_cb(cache, IDMAP_CACHENAME,
71590c90Snw141292		    "END TRANSACTION;");
c5c4113dSnw141292
c5c4113dSnw141292out:
e8c27ec8Sbaban	cleanup_lookup_state(&state);
c5c4113dSnw141292	if (IDMAP_ERROR(result->retcode)) {
c5c4113dSnw141292		xdr_free(xdr_idmap_ids_res, (caddr_t)result);
c5c4113dSnw141292		result->ids.ids_len = 0;
c5c4113dSnw141292		result->ids.ids_val = NULL;
c5c4113dSnw141292	}
c5c4113dSnw141292	result->retcode = idmap_stat4prot(result->retcode);
c5c4113dSnw141292	return (TRUE);
c5c4113dSnw141292}
c5c4113dSnw141292
c5c4113dSnw141292
c5c4113dSnw141292/* ARGSUSED */
cd37da74Snw141292static
cd37da74Snw141292int
cd37da74Snw141292list_mappings_cb(void *parg, int argc, char **argv, char **colnames)
cd37da74Snw141292{
c5c4113dSnw141292	list_cb_data_t		*cb_data;
c5c4113dSnw141292	char			*str;
c5c4113dSnw141292	idmap_mappings_res	*result;
c5c4113dSnw141292	idmap_retcode		retcode;
c5c4113dSnw141292	int			w2u, u2w;
c5c4113dSnw141292	char			*end;
cd37da74Snw141292	static int		validated_column_names = 0;
48258c6bSjp151216	idmap_how		*how;
48258c6bSjp151216
48258c6bSjp151216	cb_data = (list_cb_data_t *)parg;
cd37da74Snw141292
cd37da74Snw141292	if (!validated_column_names) {
cd37da74Snw141292		assert(strcmp(colnames[0], "rowid") == 0);
cd37da74Snw141292		assert(strcmp(colnames[1], "sidprefix") == 0);
cd37da74Snw141292		assert(strcmp(colnames[2], "rid") == 0);
cd37da74Snw141292		assert(strcmp(colnames[3], "pid") == 0);
cd37da74Snw141292		assert(strcmp(colnames[4], "w2u") == 0);
cd37da74Snw141292		assert(strcmp(colnames[5], "u2w") == 0);
cd37da74Snw141292		assert(strcmp(colnames[6], "windomain") == 0);
cd37da74Snw141292		assert(strcmp(colnames[7], "canon_winname") == 0);
cd37da74Snw141292		assert(strcmp(colnames[8], "unixname") == 0);
cd37da74Snw141292		assert(strcmp(colnames[9], "is_user") == 0);
cd37da74Snw141292		assert(strcmp(colnames[10], "is_wuser") == 0);
48258c6bSjp151216		assert(strcmp(colnames[11], "map_type") == 0);
48258c6bSjp151216		assert(strcmp(colnames[12], "map_dn") == 0);
48258c6bSjp151216		assert(strcmp(colnames[13], "map_attr") == 0);
48258c6bSjp151216		assert(strcmp(colnames[14], "map_value") == 0);
48258c6bSjp151216		assert(strcmp(colnames[15], "map_windomain") == 0);
48258c6bSjp151216		assert(strcmp(colnames[16], "map_winname") == 0);
48258c6bSjp151216		assert(strcmp(colnames[17], "map_unixname") == 0);
48258c6bSjp151216		assert(strcmp(colnames[18], "map_is_nt4") == 0);
cd37da74Snw141292		validated_column_names = 1;
cd37da74Snw141292	}
cd37da74Snw141292
c5c4113dSnw141292	result = (idmap_mappings_res *)cb_data->result;
c5c4113dSnw141292
48258c6bSjp151216	_VALIDATE_LIST_CB_DATA(19, &result->mappings.mappings_val,
c5c4113dSnw141292	    sizeof (idmap_mapping));
c5c4113dSnw141292
c5c4113dSnw141292	result->mappings.mappings_len++;
c5c4113dSnw141292
c5c4113dSnw141292	if ((str = strdup(argv[1])) == NULL)
c5c4113dSnw141292		return (1);
c5c4113dSnw141292	result->mappings.mappings_val[cb_data->next].id1.idmap_id_u.sid.prefix =
c5c4113dSnw141292	    str;
c5c4113dSnw141292	result->mappings.mappings_val[cb_data->next].id1.idmap_id_u.sid.rid =
c5c4113dSnw141292	    strtoul(argv[2], &end, 10);
cd37da74Snw141292	result->mappings.mappings_val[cb_data->next].id1.idtype =
cd37da74Snw141292	    strtol(argv[10], &end, 10) ? IDMAP_USID : IDMAP_GSID;
c5c4113dSnw141292
c5c4113dSnw141292	result->mappings.mappings_val[cb_data->next].id2.idmap_id_u.uid =
c5c4113dSnw141292	    strtoul(argv[3], &end, 10);
cd37da74Snw141292	result->mappings.mappings_val[cb_data->next].id2.idtype =
cd37da74Snw141292	    strtol(argv[9], &end, 10) ? IDMAP_UID : IDMAP_GID;
c5c4113dSnw141292
c5c4113dSnw141292	w2u = argv[4] ? strtol(argv[4], &end, 10) : 0;
c5c4113dSnw141292	u2w = argv[5] ? strtol(argv[5], &end, 10) : 0;
c5c4113dSnw141292
c5c4113dSnw141292	if (w2u > 0 && u2w == 0)
651c0131Sbaban		result->mappings.mappings_val[cb_data->next].direction =
651c0131Sbaban		    IDMAP_DIRECTION_W2U;
c5c4113dSnw141292	else if (w2u == 0 && u2w > 0)
651c0131Sbaban		result->mappings.mappings_val[cb_data->next].direction =
651c0131Sbaban		    IDMAP_DIRECTION_U2W;
c5c4113dSnw141292	else
651c0131Sbaban		result->mappings.mappings_val[cb_data->next].direction =
651c0131Sbaban		    IDMAP_DIRECTION_BI;
c5c4113dSnw141292
8e228215Sdm199847	STRDUP_OR_FAIL(result->mappings.mappings_val[cb_data->next].id1domain,
8e228215Sdm199847	    argv[6]);
c5c4113dSnw141292
8e228215Sdm199847	STRDUP_OR_FAIL(result->mappings.mappings_val[cb_data->next].id1name,
8e228215Sdm199847	    argv[7]);
c5c4113dSnw141292
8e228215Sdm199847	STRDUP_OR_FAIL(result->mappings.mappings_val[cb_data->next].id2name,
8e228215Sdm199847	    argv[8]);
8e228215Sdm199847
48258c6bSjp151216	if (cb_data->flag & IDMAP_REQ_FLG_MAPPING_INFO) {
48258c6bSjp151216		how = &result->mappings.mappings_val[cb_data->next].info.how;
48258c6bSjp151216		how->map_type = strtoul(argv[11], &end, 10);
48258c6bSjp151216		switch (how->map_type) {
48258c6bSjp151216		case IDMAP_MAP_TYPE_DS_AD:
48258c6bSjp151216			how->idmap_how_u.ad.dn =
48258c6bSjp151216			    strdup(argv[12]);
48258c6bSjp151216			how->idmap_how_u.ad.attr =
48258c6bSjp151216			    strdup(argv[13]);
48258c6bSjp151216			how->idmap_how_u.ad.value =
48258c6bSjp151216			    strdup(argv[14]);
48258c6bSjp151216			break;
48258c6bSjp151216
48258c6bSjp151216		case IDMAP_MAP_TYPE_DS_NLDAP:
48258c6bSjp151216			how->idmap_how_u.nldap.dn =
48258c6bSjp151216			    strdup(argv[12]);
48258c6bSjp151216			how->idmap_how_u.nldap.attr =
48258c6bSjp151216			    strdup(argv[13]);
48258c6bSjp151216			how->idmap_how_u.nldap.value =
48258c6bSjp151216			    strdup(argv[14]);
48258c6bSjp151216			break;
48258c6bSjp151216
48258c6bSjp151216		case IDMAP_MAP_TYPE_RULE_BASED:
48258c6bSjp151216			how->idmap_how_u.rule.windomain =
48258c6bSjp151216			    strdup(argv[15]);
48258c6bSjp151216			how->idmap_how_u.rule.winname =
48258c6bSjp151216			    strdup(argv[16]);
48258c6bSjp151216			how->idmap_how_u.rule.unixname =
48258c6bSjp151216			    strdup(argv[17]);
48258c6bSjp151216			how->idmap_how_u.rule.is_nt4 =
48258c6bSjp151216			    strtoul(argv[18], &end, 10);
48258c6bSjp151216			how->idmap_how_u.rule.is_user =
48258c6bSjp151216			    strtol(argv[9], &end, 10);
48258c6bSjp151216			how->idmap_how_u.rule.is_wuser =
48258c6bSjp151216			    strtol(argv[10], &end, 10);
48258c6bSjp151216			break;
48258c6bSjp151216
48258c6bSjp151216		case IDMAP_MAP_TYPE_EPHEMERAL:
48258c6bSjp151216			break;
48258c6bSjp151216
48258c6bSjp151216		case IDMAP_MAP_TYPE_LOCAL_SID:
48258c6bSjp151216			break;
48258c6bSjp151216
e3f2c991SKeyur Desai		case IDMAP_MAP_TYPE_IDMU:
e3f2c991SKeyur Desai			how->idmap_how_u.idmu.dn =
e3f2c991SKeyur Desai			    strdup(argv[12]);
e3f2c991SKeyur Desai			how->idmap_how_u.idmu.attr =
e3f2c991SKeyur Desai			    strdup(argv[13]);
e3f2c991SKeyur Desai			how->idmap_how_u.idmu.value =
e3f2c991SKeyur Desai			    strdup(argv[14]);
e3f2c991SKeyur Desai			break;
e3f2c991SKeyur Desai
48258c6bSjp151216		default:
e3f2c991SKeyur Desai			/* Unknown mapping type */
48258c6bSjp151216			assert(FALSE);
48258c6bSjp151216		}
48258c6bSjp151216
48258c6bSjp151216	}
c5c4113dSnw141292
c5c4113dSnw141292	result->lastrowid = strtoll(argv[0], &end, 10);
c5c4113dSnw141292	cb_data->next++;
c5c4113dSnw141292	result->retcode = IDMAP_SUCCESS;
c5c4113dSnw141292	return (0);
c5c4113dSnw141292}
c5c4113dSnw141292
c5c4113dSnw141292
c5c4113dSnw141292/* ARGSUSED */
c5c4113dSnw141292bool_t
48258c6bSjp151216idmap_list_mappings_1_svc(int64_t lastrowid, uint64_t limit, int32_t flag,
cd37da74Snw141292    idmap_mappings_res *result, struct svc_req *rqstp)
cd37da74Snw141292{
c5c4113dSnw141292	sqlite		*cache = NULL;
c5c4113dSnw141292	char		lbuf[30], rbuf[30];
c5c4113dSnw141292	uint64_t	maxlimit;
c5c4113dSnw141292	idmap_retcode	retcode;
c5c4113dSnw141292	char		*sql = NULL;
48258c6bSjp151216	time_t		curtime;
c5c4113dSnw141292
c5c4113dSnw141292	(void) memset(result, 0, sizeof (*result));
c5c4113dSnw141292
48258c6bSjp151216	/* Current time */
48258c6bSjp151216	errno = 0;
48258c6bSjp151216	if ((curtime = time(NULL)) == (time_t)-1) {
48258c6bSjp151216		idmapdlog(LOG_ERR, "Failed to get current time (%s)",
48258c6bSjp151216		    strerror(errno));
48258c6bSjp151216		retcode = IDMAP_ERR_INTERNAL;
48258c6bSjp151216		goto out;
48258c6bSjp151216	}
48258c6bSjp151216
c5c4113dSnw141292	RDLOCK_CONFIG();
c5c4113dSnw141292	maxlimit = _idmapdstate.cfg->pgcfg.list_size_limit;
c5c4113dSnw141292	UNLOCK_CONFIG();
c5c4113dSnw141292
c5c4113dSnw141292	/* Get cache handle */
c5c4113dSnw141292	result->retcode = get_cache_handle(&cache);
c5c4113dSnw141292	if (result->retcode != IDMAP_SUCCESS)
c5c4113dSnw141292		goto out;
c5c4113dSnw141292
c5c4113dSnw141292	result->retcode = IDMAP_ERR_INTERNAL;
c5c4113dSnw141292
c5c4113dSnw141292	/* Create LIMIT expression. */
c5c4113dSnw141292	if (limit == 0 || (maxlimit > 0 && maxlimit < limit))
c5c4113dSnw141292		limit = maxlimit;
c5c4113dSnw141292	if (limit > 0)
c5c4113dSnw141292		(void) snprintf(lbuf, sizeof (lbuf),
c5c4113dSnw141292		    "LIMIT %" PRIu64, limit + 1ULL);
bbf6f00cSJordan Brown	else
bbf6f00cSJordan Brown		lbuf[0] = '\0';
c5c4113dSnw141292
c5c4113dSnw141292	(void) snprintf(rbuf, sizeof (rbuf), "rowid > %" PRIu64, lastrowid);
c5c4113dSnw141292
c5c4113dSnw141292	/*
c5c4113dSnw141292	 * Combine all the above into a giant SELECT statement that
c5c4113dSnw141292	 * will return the requested mappings
c5c4113dSnw141292	 */
48258c6bSjp151216
48258c6bSjp151216	sql = sqlite_mprintf("SELECT rowid, sidprefix, rid, pid, w2u, "
48258c6bSjp151216	    "u2w, windomain, canon_winname, unixname, is_user, is_wuser, "
48258c6bSjp151216	    "map_type, map_dn, map_attr, map_value, map_windomain, "
48258c6bSjp151216	    "map_winname, map_unixname, map_is_nt4 "
48258c6bSjp151216	    "FROM idmap_cache WHERE %s AND "
48258c6bSjp151216	    "(pid >= 2147483648 OR (expiration = 0 OR "
48258c6bSjp151216	    "expiration ISNULL  OR expiration > %d)) "
48258c6bSjp151216	    "%s;",
48258c6bSjp151216	    rbuf, curtime, lbuf);
c5c4113dSnw141292	if (sql == NULL) {
479ac375Sdm199847		result->retcode = IDMAP_ERR_MEMORY;
c5c4113dSnw141292		idmapdlog(LOG_ERR, "Out of memory");
c5c4113dSnw141292		goto out;
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	/* Execute the SQL statement and update the return buffer */
71590c90Snw141292	PROCESS_LIST_SVC_SQL(retcode, cache, IDMAP_CACHENAME, sql, limit,
48258c6bSjp151216	    flag, list_mappings_cb, result, result->mappings.mappings_len);
c5c4113dSnw141292
c5c4113dSnw141292out:
c5c4113dSnw141292	if (sql)
c5c4113dSnw141292		sqlite_freemem(sql);
c5c4113dSnw141292	if (IDMAP_ERROR(result->retcode))
c5c4113dSnw141292		(void) xdr_free(xdr_idmap_mappings_res, (caddr_t)result);
c5c4113dSnw141292	result->retcode = idmap_stat4prot(result->retcode);
c5c4113dSnw141292	return (TRUE);
c5c4113dSnw141292}
c5c4113dSnw141292
c5c4113dSnw141292
c5c4113dSnw141292/* ARGSUSED */
cd37da74Snw141292static
cd37da74Snw141292int
cd37da74Snw141292list_namerules_cb(void *parg, int argc, char **argv, char **colnames)
cd37da74Snw141292{
c5c4113dSnw141292	list_cb_data_t		*cb_data;
c5c4113dSnw141292	idmap_namerules_res	*result;
c5c4113dSnw141292	idmap_retcode		retcode;
c5c4113dSnw141292	int			w2u_order, u2w_order;
c5c4113dSnw141292	char			*end;
cd37da74Snw141292	static int		validated_column_names = 0;
cd37da74Snw141292
cd37da74Snw141292	if (!validated_column_names) {
cd37da74Snw141292		assert(strcmp(colnames[0], "rowid") == 0);
cd37da74Snw141292		assert(strcmp(colnames[1], "is_user") == 0);
cd37da74Snw141292		assert(strcmp(colnames[2], "is_wuser") == 0);
cd37da74Snw141292		assert(strcmp(colnames[3], "windomain") == 0);
cd37da74Snw141292		assert(strcmp(colnames[4], "winname_display") == 0);
cd37da74Snw141292		assert(strcmp(colnames[5], "is_nt4") == 0);
cd37da74Snw141292		assert(strcmp(colnames[6], "unixname") == 0);
cd37da74Snw141292		assert(strcmp(colnames[7], "w2u_order") == 0);
cd37da74Snw141292		assert(strcmp(colnames[8], "u2w_order") == 0);
cd37da74Snw141292		validated_column_names = 1;
cd37da74Snw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	cb_data = (list_cb_data_t *)parg;
c5c4113dSnw141292	result = (idmap_namerules_res *)cb_data->result;
c5c4113dSnw141292
cd37da74Snw141292	_VALIDATE_LIST_CB_DATA(9, &result->rules.rules_val,
c5c4113dSnw141292	    sizeof (idmap_namerule));
c5c4113dSnw141292
c5c4113dSnw141292	result->rules.rules_len++;
c5c4113dSnw141292
c5c4113dSnw141292	result->rules.rules_val[cb_data->next].is_user =
c5c4113dSnw141292	    strtol(argv[1], &end, 10);
c5c4113dSnw141292
cd37da74Snw141292	result->rules.rules_val[cb_data->next].is_wuser =
cd37da74Snw141292	    strtol(argv[2], &end, 10);
c5c4113dSnw141292
cd37da74Snw141292	STRDUP_OR_FAIL(result->rules.rules_val[cb_data->next].windomain,
8e228215Sdm199847	    argv[3]);
c5c4113dSnw141292
cd37da74Snw141292	STRDUP_OR_FAIL(result->rules.rules_val[cb_data->next].winname,
cd37da74Snw141292	    argv[4]);
cd37da74Snw141292
c5c4113dSnw141292	result->rules.rules_val[cb_data->next].is_nt4 =
cd37da74Snw141292	    strtol(argv[5], &end, 10);
c5c4113dSnw141292
8e228215Sdm199847	STRDUP_OR_FAIL(result->rules.rules_val[cb_data->next].unixname,
cd37da74Snw141292	    argv[6]);
c5c4113dSnw141292
cd37da74Snw141292	w2u_order = argv[7] ? strtol(argv[7], &end, 10) : 0;
cd37da74Snw141292	u2w_order = argv[8] ? strtol(argv[8], &end, 10) : 0;
c5c4113dSnw141292
c5c4113dSnw141292	if (w2u_order > 0 && u2w_order == 0)
651c0131Sbaban		result->rules.rules_val[cb_data->next].direction =
651c0131Sbaban		    IDMAP_DIRECTION_W2U;
c5c4113dSnw141292	else if (w2u_order == 0 && u2w_order > 0)
651c0131Sbaban		result->rules.rules_val[cb_data->next].direction =
651c0131Sbaban		    IDMAP_DIRECTION_U2W;
c5c4113dSnw141292	else
651c0131Sbaban		result->rules.rules_val[cb_data->next].direction =
651c0131Sbaban		    IDMAP_DIRECTION_BI;
c5c4113dSnw141292
c5c4113dSnw141292	result->lastrowid = strtoll(argv[0], &end, 10);
c5c4113dSnw141292	cb_data->next++;
c5c4113dSnw141292	result->retcode = IDMAP_SUCCESS;
c5c4113dSnw141292	return (0);
c5c4113dSnw141292}
c5c4113dSnw141292
c5c4113dSnw141292
c5c4113dSnw141292/* ARGSUSED */
c5c4113dSnw141292bool_t
c5c4113dSnw141292idmap_list_namerules_1_svc(idmap_namerule rule, uint64_t lastrowid,
c5c4113dSnw141292		uint64_t limit, idmap_namerules_res *result,
cd37da74Snw141292		struct svc_req *rqstp)
cd37da74Snw141292{
c5c4113dSnw141292
c5c4113dSnw141292	sqlite		*db = NULL;
c5c4113dSnw141292	char		lbuf[30], rbuf[30];
c5c4113dSnw141292	char		*sql = NULL;
cd37da74Snw141292	char		*expr = NULL;
c5c4113dSnw141292	uint64_t	maxlimit;
c5c4113dSnw141292	idmap_retcode	retcode;
c5c4113dSnw141292
c5c4113dSnw141292	(void) memset(result, 0, sizeof (*result));
c5c4113dSnw141292
0dcc7149Snw141292	result->retcode = validate_rule(&rule);
0dcc7149Snw141292	if (result->retcode != IDMAP_SUCCESS)
0dcc7149Snw141292		goto out;
0dcc7149Snw141292
c5c4113dSnw141292	RDLOCK_CONFIG();
c5c4113dSnw141292	maxlimit = _idmapdstate.cfg->pgcfg.list_size_limit;
c5c4113dSnw141292	UNLOCK_CONFIG();
c5c4113dSnw141292
c5c4113dSnw141292	/* Get db handle */
c5c4113dSnw141292	result->retcode = get_db_handle(&db);
c5c4113dSnw141292	if (result->retcode != IDMAP_SUCCESS)
c5c4113dSnw141292		goto out;
c5c4113dSnw141292
0dcc7149Snw141292	result->retcode = gen_sql_expr_from_rule(&rule, &expr);
0dcc7149Snw141292	if (result->retcode != IDMAP_SUCCESS)
c5c4113dSnw141292		goto out;
c5c4113dSnw141292
c5c4113dSnw141292	/* Create LIMIT expression. */
c5c4113dSnw141292	if (limit == 0 || (maxlimit > 0 && maxlimit < limit))
c5c4113dSnw141292		limit = maxlimit;
c5c4113dSnw141292	if (limit > 0)
c5c4113dSnw141292		(void) snprintf(lbuf, sizeof (lbuf),
c5c4113dSnw141292		    "LIMIT %" PRIu64, limit + 1ULL);
bbf6f00cSJordan Brown	else
bbf6f00cSJordan Brown		lbuf[0] = '\0';
c5c4113dSnw141292
c5c4113dSnw141292	(void) snprintf(rbuf, sizeof (rbuf), "rowid > %" PRIu64, lastrowid);
c5c4113dSnw141292
c5c4113dSnw141292	/*
c5c4113dSnw141292	 * Combine all the above into a giant SELECT statement that
c5c4113dSnw141292	 * will return the requested rules
c5c4113dSnw141292	 */
cd37da74Snw141292	sql = sqlite_mprintf("SELECT rowid, is_user, is_wuser, windomain, "
cd37da74Snw141292	    "winname_display, is_nt4, unixname, w2u_order, u2w_order "
c5c4113dSnw141292	    "FROM namerules WHERE "
bbf6f00cSJordan Brown	    " %s %s %s;",
bbf6f00cSJordan Brown	    rbuf, expr, lbuf);
cd37da74Snw141292
c5c4113dSnw141292	if (sql == NULL) {
479ac375Sdm199847		result->retcode = IDMAP_ERR_MEMORY;
c5c4113dSnw141292		idmapdlog(LOG_ERR, "Out of memory");
c5c4113dSnw141292		goto out;
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	/* Execute the SQL statement and update the return buffer */
71590c90Snw141292	PROCESS_LIST_SVC_SQL(retcode, db, IDMAP_DBNAME, sql, limit,
48258c6bSjp151216	    0, list_namerules_cb, result, result->rules.rules_len);
c5c4113dSnw141292
c5c4113dSnw141292out:
cd37da74Snw141292	if (expr)
cd37da74Snw141292		sqlite_freemem(expr);
c5c4113dSnw141292	if (sql)
c5c4113dSnw141292		sqlite_freemem(sql);
c5c4113dSnw141292	if (IDMAP_ERROR(result->retcode))
c5c4113dSnw141292		(void) xdr_free(xdr_idmap_namerules_res, (caddr_t)result);
c5c4113dSnw141292	result->retcode = idmap_stat4prot(result->retcode);
c5c4113dSnw141292	return (TRUE);
c5c4113dSnw141292}
c5c4113dSnw141292
c5c4113dSnw141292#define	IDMAP_RULES_AUTH	"solaris.admin.idmap.rules"
c5c4113dSnw141292static int
cd37da74Snw141292verify_rules_auth(struct svc_req *rqstp)
cd37da74Snw141292{
c5c4113dSnw141292	ucred_t		*uc = NULL;
c5c4113dSnw141292	uid_t		uid;
c5c4113dSnw141292	char		buf[1024];
c5c4113dSnw141292	struct passwd	pwd;
c5c4113dSnw141292
c5c4113dSnw141292	if (svc_getcallerucred(rqstp->rq_xprt, &uc) != 0) {
71590c90Snw141292		idmapdlog(LOG_ERR, "svc_getcallerucred failed during "
71590c90Snw141292		    "authorization (%s)", strerror(errno));
c5c4113dSnw141292		return (-1);
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	uid = ucred_geteuid(uc);
c5c4113dSnw141292	if (uid == (uid_t)-1) {
71590c90Snw141292		idmapdlog(LOG_ERR, "ucred_geteuid failed during "
71590c90Snw141292		    "authorization (%s)", strerror(errno));
c5c4113dSnw141292		ucred_free(uc);
c5c4113dSnw141292		return (-1);
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	if (getpwuid_r(uid, &pwd, buf, sizeof (buf)) == NULL) {
71590c90Snw141292		idmapdlog(LOG_ERR, "getpwuid_r(%u) failed during "
71590c90Snw141292		    "authorization (%s)", uid, strerror(errno));
c5c4113dSnw141292		ucred_free(uc);
c5c4113dSnw141292		return (-1);
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	if (chkauthattr(IDMAP_RULES_AUTH, pwd.pw_name) != 1) {
71590c90Snw141292		idmapdlog(LOG_INFO, "%s is not authorized (%s)",
71590c90Snw141292		    pwd.pw_name, IDMAP_RULES_AUTH);
c5c4113dSnw141292		ucred_free(uc);
c5c4113dSnw141292		return (-1);
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	ucred_free(uc);
c5c4113dSnw141292	return (1);
c5c4113dSnw141292}
c5c4113dSnw141292
8e228215Sdm199847/*
8e228215Sdm199847 * Meaning of the return values is the following: For retcode ==
8e228215Sdm199847 * IDMAP_SUCCESS, everything went OK and error_index is
8e228215Sdm199847 * undefined. Otherwise, error_index >=0 shows the failed batch
8e228215Sdm199847 * element. errro_index == -1 indicates failure at the beginning,
8e228215Sdm199847 * error_index == -2 at the end.
8e228215Sdm199847 */
8e228215Sdm199847
c5c4113dSnw141292/* ARGSUSED */
c5c4113dSnw141292bool_t
8e228215Sdm199847idmap_update_1_svc(idmap_update_batch batch, idmap_update_res *res,
cd37da74Snw141292		struct svc_req *rqstp)
cd37da74Snw141292{
c5c4113dSnw141292	sqlite		*db = NULL;
c5c4113dSnw141292	idmap_update_op	*up;
c5c4113dSnw141292	int		i;
84decf41Sjp151216	int		trans = FALSE;
c5c4113dSnw141292
8e228215Sdm199847	res->error_index = -1;
8e228215Sdm199847	(void) memset(&res->error_rule, 0, sizeof (res->error_rule));
8e228215Sdm199847	(void) memset(&res->conflict_rule, 0, sizeof (res->conflict_rule));
8e228215Sdm199847
c5c4113dSnw141292	if (verify_rules_auth(rqstp) < 0) {
8e228215Sdm199847		res->retcode = IDMAP_ERR_PERMISSION_DENIED;
c5c4113dSnw141292		goto out;
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292	if (batch.idmap_update_batch_len == 0 ||
c5c4113dSnw141292	    batch.idmap_update_batch_val == NULL) {
8e228215Sdm199847		res->retcode = IDMAP_SUCCESS;
c5c4113dSnw141292		goto out;
c5c4113dSnw141292	}
c5c4113dSnw141292
0dcc7149Snw141292	res->retcode = validate_rules(&batch);
0dcc7149Snw141292	if (res->retcode != IDMAP_SUCCESS)
0dcc7149Snw141292		goto out;
0dcc7149Snw141292
c5c4113dSnw141292	/* Get db handle */
8e228215Sdm199847	res->retcode = get_db_handle(&db);
8e228215Sdm199847	if (res->retcode != IDMAP_SUCCESS)
c5c4113dSnw141292		goto out;
c5c4113dSnw141292
71590c90Snw141292	res->retcode = sql_exec_no_cb(db, IDMAP_DBNAME, "BEGIN TRANSACTION;");
8e228215Sdm199847	if (res->retcode != IDMAP_SUCCESS)
c5c4113dSnw141292		goto out;
84decf41Sjp151216	trans = TRUE;
c5c4113dSnw141292
c5c4113dSnw141292	for (i = 0; i < batch.idmap_update_batch_len; i++) {
c5c4113dSnw141292		up = &batch.idmap_update_batch_val[i];
c5c4113dSnw141292		switch (up->opnum) {
c5c4113dSnw141292		case OP_NONE:
8e228215Sdm199847			res->retcode = IDMAP_SUCCESS;
c5c4113dSnw141292			break;
c5c4113dSnw141292		case OP_ADD_NAMERULE:
8e228215Sdm199847			res->retcode = add_namerule(db,
c5c4113dSnw141292			    &up->idmap_update_op_u.rule);
c5c4113dSnw141292			break;
c5c4113dSnw141292		case OP_RM_NAMERULE:
8e228215Sdm199847			res->retcode = rm_namerule(db,
c5c4113dSnw141292			    &up->idmap_update_op_u.rule);
c5c4113dSnw141292			break;
c5c4113dSnw141292		case OP_FLUSH_NAMERULES:
cd37da74Snw141292			res->retcode = flush_namerules(db);
c5c4113dSnw141292			break;
c5c4113dSnw141292		default:
8e228215Sdm199847			res->retcode = IDMAP_ERR_NOTSUPPORTED;
8e228215Sdm199847			break;
c5c4113dSnw141292		};
c5c4113dSnw141292
8e228215Sdm199847		if (res->retcode != IDMAP_SUCCESS) {
8e228215Sdm199847			res->error_index = i;
8e228215Sdm199847			if (up->opnum == OP_ADD_NAMERULE ||
8e228215Sdm199847			    up->opnum == OP_RM_NAMERULE) {
8e228215Sdm199847				idmap_stat r2 =
8e228215Sdm199847				    idmap_namerule_cpy(&res->error_rule,
8e228215Sdm199847				    &up->idmap_update_op_u.rule);
8e228215Sdm199847				if (r2 != IDMAP_SUCCESS)
8e228215Sdm199847					res->retcode = r2;
8e228215Sdm199847			}
c5c4113dSnw141292			goto out;
c5c4113dSnw141292		}
8e228215Sdm199847	}
c5c4113dSnw141292
c5c4113dSnw141292out:
84decf41Sjp151216	if (trans) {
8e228215Sdm199847		if (res->retcode == IDMAP_SUCCESS) {
8e228215Sdm199847			res->retcode =
71590c90Snw141292			    sql_exec_no_cb(db, IDMAP_DBNAME,
71590c90Snw141292			    "COMMIT TRANSACTION;");
8e228215Sdm199847			if (res->retcode !=  IDMAP_SUCCESS)
8e228215Sdm199847				res->error_index = -2;
8e228215Sdm199847		}
84decf41Sjp151216		else
71590c90Snw141292			(void) sql_exec_no_cb(db, IDMAP_DBNAME,
71590c90Snw141292			    "ROLLBACK TRANSACTION;");
c5c4113dSnw141292	}
8e228215Sdm199847
8e228215Sdm199847	res->retcode = idmap_stat4prot(res->retcode);
8e228215Sdm199847
c5c4113dSnw141292	return (TRUE);
c5c4113dSnw141292}
c5c4113dSnw141292
*fe1c642dSBill Krierstatic
*fe1c642dSBill Krierint
*fe1c642dSBill Kriercopy_string(char **to, char *from)
*fe1c642dSBill Krier{
*fe1c642dSBill Krier	if (EMPTY_STRING(from)) {
*fe1c642dSBill Krier		*to = NULL;
*fe1c642dSBill Krier	} else {
*fe1c642dSBill Krier		*to = strdup(from);
*fe1c642dSBill Krier		if (*to == NULL) {
*fe1c642dSBill Krier			idmapdlog(LOG_ERR, "Out of memory");
*fe1c642dSBill Krier			return (IDMAP_ERR_MEMORY);
*fe1c642dSBill Krier		}
*fe1c642dSBill Krier	}
*fe1c642dSBill Krier	return (IDMAP_SUCCESS);
*fe1c642dSBill Krier}
*fe1c642dSBill Krier
*fe1c642dSBill Krierstatic
*fe1c642dSBill Krierint
*fe1c642dSBill Kriercopy_id(idmap_id *to, idmap_id *from)
*fe1c642dSBill Krier{
*fe1c642dSBill Krier	(void) memset(to, 0, sizeof (*to));
*fe1c642dSBill Krier
*fe1c642dSBill Krier	to->idtype = from->idtype;
*fe1c642dSBill Krier	if (IS_ID_SID(*from)) {
*fe1c642dSBill Krier		idmap_retcode retcode;
*fe1c642dSBill Krier
*fe1c642dSBill Krier		to->idmap_id_u.sid.rid = from->idmap_id_u.sid.rid;
*fe1c642dSBill Krier		retcode = copy_string(&to->idmap_id_u.sid.prefix,
*fe1c642dSBill Krier		    from->idmap_id_u.sid.prefix);
*fe1c642dSBill Krier
*fe1c642dSBill Krier		return (retcode);
*fe1c642dSBill Krier	} else {
*fe1c642dSBill Krier		to->idmap_id_u.uid = from->idmap_id_u.uid;
*fe1c642dSBill Krier		return (IDMAP_SUCCESS);
*fe1c642dSBill Krier	}
*fe1c642dSBill Krier}
*fe1c642dSBill Krier
*fe1c642dSBill Krierstatic
*fe1c642dSBill Krierint
*fe1c642dSBill Kriercopy_mapping(idmap_mapping *mapping, idmap_mapping *request)
*fe1c642dSBill Krier{
*fe1c642dSBill Krier	idmap_retcode retcode;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	(void) memset(mapping, 0, sizeof (*mapping));
*fe1c642dSBill Krier
*fe1c642dSBill Krier	mapping->flag = request->flag;
*fe1c642dSBill Krier	mapping->direction = _IDMAP_F_DONE;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	retcode = copy_id(&mapping->id1, &request->id1);
*fe1c642dSBill Krier	if (retcode != IDMAP_SUCCESS)
*fe1c642dSBill Krier		goto errout;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	retcode = copy_string(&mapping->id1domain, request->id1domain);
*fe1c642dSBill Krier	if (retcode != IDMAP_SUCCESS)
*fe1c642dSBill Krier		goto errout;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	retcode = copy_string(&mapping->id1name, request->id1name);
*fe1c642dSBill Krier	if (retcode != IDMAP_SUCCESS)
*fe1c642dSBill Krier		goto errout;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	retcode = copy_id(&mapping->id2, &request->id2);
*fe1c642dSBill Krier	if (retcode != IDMAP_SUCCESS)
*fe1c642dSBill Krier		goto errout;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	retcode = copy_string(&mapping->id2domain, request->id2domain);
*fe1c642dSBill Krier	if (retcode != IDMAP_SUCCESS)
*fe1c642dSBill Krier		goto errout;
*fe1c642dSBill Krier	retcode = copy_string(&mapping->id2name, request->id2name);
*fe1c642dSBill Krier	if (retcode != IDMAP_SUCCESS)
*fe1c642dSBill Krier		goto errout;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	return (IDMAP_SUCCESS);
*fe1c642dSBill Krier
*fe1c642dSBill Kriererrout:
*fe1c642dSBill Krier	if (IS_ID_SID(mapping->id1))
*fe1c642dSBill Krier		free(mapping->id1.idmap_id_u.sid.prefix);
*fe1c642dSBill Krier	free(mapping->id1domain);
*fe1c642dSBill Krier	free(mapping->id1name);
*fe1c642dSBill Krier	if (IS_ID_SID(mapping->id2))
*fe1c642dSBill Krier		free(mapping->id2.idmap_id_u.sid.prefix);
*fe1c642dSBill Krier	free(mapping->id2domain);
*fe1c642dSBill Krier	free(mapping->id2name);
*fe1c642dSBill Krier
*fe1c642dSBill Krier	(void) memset(mapping, 0, sizeof (*mapping));
*fe1c642dSBill Krier	return (retcode);
*fe1c642dSBill Krier}
*fe1c642dSBill Krier
c5c4113dSnw141292
c5c4113dSnw141292/* ARGSUSED */
c5c4113dSnw141292bool_t
c5c4113dSnw141292idmap_get_mapped_id_by_name_1_svc(idmap_mapping request,
cd37da74Snw141292		idmap_mappings_res *result, struct svc_req *rqstp)
cd37da74Snw141292{
*fe1c642dSBill Krier	idmap_mapping_batch batch_request;
*fe1c642dSBill Krier	idmap_ids_res batch_result;
*fe1c642dSBill Krier	idmap_mapping *map;
c5c4113dSnw141292
*fe1c642dSBill Krier	/* Clear out things we might want to xdr_free on error */
*fe1c642dSBill Krier	(void) memset(&batch_result, 0, sizeof (batch_result));
c5c4113dSnw141292	(void) memset(result, 0, sizeof (*result));
c5c4113dSnw141292
0dcc7149Snw141292	result->retcode = validate_mapped_id_by_name_req(&request);
0dcc7149Snw141292	if (result->retcode != IDMAP_SUCCESS)
0dcc7149Snw141292		goto out;
0dcc7149Snw141292
*fe1c642dSBill Krier	/*
*fe1c642dSBill Krier	 * Copy the request.  We need to modify it, and
*fe1c642dSBill Krier	 * what we have is a shallow copy.  Freeing pointers from
*fe1c642dSBill Krier	 * our copy will lead to problems, since the RPC framework
*fe1c642dSBill Krier	 * has its own copy of those pointers.  Besides, we need
*fe1c642dSBill Krier	 * a copy to return.
*fe1c642dSBill Krier	 */
*fe1c642dSBill Krier	map = calloc(1, sizeof (idmap_mapping));
*fe1c642dSBill Krier	if (map == NULL) {
c5c4113dSnw141292		idmapdlog(LOG_ERR, "Out of memory");
c5c4113dSnw141292		result->retcode = IDMAP_ERR_MEMORY;
c5c4113dSnw141292		goto out;
c5c4113dSnw141292	}
*fe1c642dSBill Krier
*fe1c642dSBill Krier	/*
*fe1c642dSBill Krier	 * Set up to return the filled-in mapping structure.
*fe1c642dSBill Krier	 * Note that we xdr_free result on error, and that'll take
*fe1c642dSBill Krier	 * care of freeing the mapping structure.
*fe1c642dSBill Krier	 */
*fe1c642dSBill Krier	result->mappings.mappings_val = map;
c5c4113dSnw141292	result->mappings.mappings_len = 1;
c5c4113dSnw141292
*fe1c642dSBill Krier	result->retcode = copy_mapping(map, &request);
*fe1c642dSBill Krier	if (result->retcode != IDMAP_SUCCESS)
*fe1c642dSBill Krier		goto out;
cd37da74Snw141292
*fe1c642dSBill Krier	/* Set up for the request to the batch API */
*fe1c642dSBill Krier	batch_request.idmap_mapping_batch_val = map;
*fe1c642dSBill Krier	batch_request.idmap_mapping_batch_len = 1;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	/* Do the real work. */
*fe1c642dSBill Krier	(void) idmap_get_mapped_ids_1_svc(batch_request,
*fe1c642dSBill Krier	    &batch_result, rqstp);
*fe1c642dSBill Krier
*fe1c642dSBill Krier	/* Copy what we need out of the batch response */
*fe1c642dSBill Krier
*fe1c642dSBill Krier	if (batch_result.retcode != IDMAP_SUCCESS) {
*fe1c642dSBill Krier		result->retcode = batch_result.retcode;
*fe1c642dSBill Krier		goto out;
*fe1c642dSBill Krier	}
*fe1c642dSBill Krier
*fe1c642dSBill Krier	result->retcode = copy_id(&map->id2, &batch_result.ids.ids_val[0].id);
*fe1c642dSBill Krier	if (result->retcode != IDMAP_SUCCESS)
*fe1c642dSBill Krier		goto out;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	map->direction = batch_result.ids.ids_val[0].direction;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	result->retcode = batch_result.ids.ids_val[0].retcode;
*fe1c642dSBill Krier
*fe1c642dSBill Krier	if (map->flag & IDMAP_REQ_FLG_MAPPING_INFO ||
*fe1c642dSBill Krier	    result->retcode != IDMAP_SUCCESS) {
*fe1c642dSBill Krier		(void) idmap_info_mov(&map->info,
*fe1c642dSBill Krier		    &batch_result.ids.ids_val[0].info);
c5c4113dSnw141292	}
c5c4113dSnw141292
c5c4113dSnw141292out:
c5c4113dSnw141292	if (IDMAP_FATAL_ERROR(result->retcode)) {
c5c4113dSnw141292		xdr_free(xdr_idmap_mappings_res, (caddr_t)result);
c5c4113dSnw141292		result->mappings.mappings_len = 0;
c5c4113dSnw141292		result->mappings.mappings_val = NULL;
c5c4113dSnw141292	}
c5c4113dSnw141292	result->retcode = idmap_stat4prot(result->retcode);
*fe1c642dSBill Krier
*fe1c642dSBill Krier	xdr_free(xdr_idmap_ids_res, (char *)&batch_result);
*fe1c642dSBill Krier
c5c4113dSnw141292	return (TRUE);
c5c4113dSnw141292}
c5c4113dSnw141292
479ac375Sdm199847/* ARGSUSED */
479ac375Sdm199847bool_t
479ac375Sdm199847idmap_get_prop_1_svc(idmap_prop_type request,
479ac375Sdm199847		idmap_prop_res *result, struct svc_req *rqstp)
479ac375Sdm199847{
479ac375Sdm199847	idmap_pg_config_t *pgcfg;
479ac375Sdm199847
479ac375Sdm199847	/* Init */
479ac375Sdm199847	(void) memset(result, 0, sizeof (*result));
479ac375Sdm199847	result->retcode = IDMAP_SUCCESS;
479ac375Sdm199847	result->value.prop = request;
479ac375Sdm199847
479ac375Sdm199847	RDLOCK_CONFIG();
479ac375Sdm199847
479ac375Sdm199847	/* Just shortcuts: */
479ac375Sdm199847	pgcfg = &_idmapdstate.cfg->pgcfg;
4d61c878SJulian Pullen
479ac375Sdm199847
479ac375Sdm199847	switch (request) {
479ac375Sdm199847	case PROP_LIST_SIZE_LIMIT:
479ac375Sdm199847		result->value.idmap_prop_val_u.intval = pgcfg->list_size_limit;
479ac375Sdm199847		result->auto_discovered = FALSE;
479ac375Sdm199847		break;
479ac375Sdm199847	case PROP_DEFAULT_DOMAIN:
479ac375Sdm199847		result->auto_discovered = FALSE;
479ac375Sdm199847		STRDUP_CHECK(result->value.idmap_prop_val_u.utf8val,
479ac375Sdm199847		    pgcfg->default_domain);
479ac375Sdm199847		break;
479ac375Sdm199847	case PROP_DOMAIN_NAME:
479ac375Sdm199847		STRDUP_CHECK(result->value.idmap_prop_val_u.utf8val,
479ac375Sdm199847		    pgcfg->domain_name);
479ac375Sdm199847		result->auto_discovered =
4d61c878SJulian Pullen		    pgcfg->domain_name_auto_disc;
479ac375Sdm199847		break;
479ac375Sdm199847	case PROP_MACHINE_SID:
479ac375Sdm199847		result->auto_discovered = FALSE;
479ac375Sdm199847		STRDUP_CHECK(result->value.idmap_prop_val_u.utf8val,
479ac375Sdm199847		    pgcfg->machine_sid);
479ac375Sdm199847		break;
479ac375Sdm199847	case PROP_DOMAIN_CONTROLLER:
479ac375Sdm199847		if (pgcfg->domain_controller != NULL) {
479ac375Sdm199847			(void) memcpy(&result->value.idmap_prop_val_u.dsval,
479ac375Sdm199847			    pgcfg->domain_controller,
479ac375Sdm199847			    sizeof (idmap_ad_disc_ds_t));
479ac375Sdm199847		}
4d61c878SJulian Pullen		result->auto_discovered = pgcfg->domain_controller_auto_disc;
479ac375Sdm199847		break;
479ac375Sdm199847	case PROP_FOREST_NAME:
479ac375Sdm199847		STRDUP_CHECK(result->value.idmap_prop_val_u.utf8val,
479ac375Sdm199847		    pgcfg->forest_name);
4d61c878SJulian Pullen		result->auto_discovered = pgcfg->forest_name_auto_disc;
479ac375Sdm199847		break;
479ac375Sdm199847	case PROP_SITE_NAME:
479ac375Sdm199847		STRDUP_CHECK(result->value.idmap_prop_val_u.utf8val,
479ac375Sdm199847		    pgcfg->site_name);
4d61c878SJulian Pullen		result->auto_discovered = pgcfg->site_name_auto_disc;
479ac375Sdm199847		break;
479ac375Sdm199847	case PROP_GLOBAL_CATALOG:
479ac375Sdm199847		if (pgcfg->global_catalog != NULL) {
479ac375Sdm199847			(void) memcpy(&result->value.idmap_prop_val_u.dsval,
479ac375Sdm199847			    pgcfg->global_catalog, sizeof (idmap_ad_disc_ds_t));
479ac375Sdm199847		}
4d61c878SJulian Pullen		result->auto_discovered = pgcfg->global_catalog_auto_disc;
479ac375Sdm199847		break;
479ac375Sdm199847	case PROP_AD_UNIXUSER_ATTR:
479ac375Sdm199847		STRDUP_CHECK(result->value.idmap_prop_val_u.utf8val,
479ac375Sdm199847		    pgcfg->ad_unixuser_attr);
479ac375Sdm199847		result->auto_discovered = FALSE;
479ac375Sdm199847		break;
479ac375Sdm199847	case PROP_AD_UNIXGROUP_ATTR:
479ac375Sdm199847		STRDUP_CHECK(result->value.idmap_prop_val_u.utf8val,
479ac375Sdm199847		    pgcfg->ad_unixgroup_attr);
479ac375Sdm199847		result->auto_discovered = FALSE;
479ac375Sdm199847		break;
479ac375Sdm199847	case PROP_NLDAP_WINNAME_ATTR:
479ac375Sdm199847		STRDUP_CHECK(result->value.idmap_prop_val_u.utf8val,
479ac375Sdm199847		    pgcfg->nldap_winname_attr);
479ac375Sdm199847		result->auto_discovered = FALSE;
479ac375Sdm199847		break;
e3f2c991SKeyur Desai	case PROP_DIRECTORY_BASED_MAPPING:
e3f2c991SKeyur Desai		STRDUP_CHECK(result->value.idmap_prop_val_u.utf8val,
e3f2c991SKeyur Desai		    enum_lookup(pgcfg->directory_based_mapping,
e3f2c991SKeyur Desai		    directory_mapping_map));
479ac375Sdm199847		result->auto_discovered = FALSE;
479ac375Sdm199847		break;
479ac375Sdm199847	default:
479ac375Sdm199847		result->retcode = IDMAP_ERR_PROP_UNKNOWN;
479ac375Sdm199847		break;
479ac375Sdm199847	}
479ac375Sdm199847
479ac375Sdm199847out:
479ac375Sdm199847	UNLOCK_CONFIG();
479ac375Sdm199847	if (IDMAP_FATAL_ERROR(result->retcode)) {
479ac375Sdm199847		xdr_free(xdr_idmap_prop_res, (caddr_t)result);
479ac375Sdm199847		result->value.prop = PROP_UNKNOWN;
479ac375Sdm199847	}
479ac375Sdm199847	result->retcode = idmap_stat4prot(result->retcode);
479ac375Sdm199847	return (TRUE);
479ac375Sdm199847}
479ac375Sdm199847
c5c4113dSnw141292
c5c4113dSnw141292/* ARGSUSED */
c5c4113dSnw141292int
c5c4113dSnw141292idmap_prog_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result,
cd37da74Snw141292		caddr_t result)
cd37da74Snw141292{
c5c4113dSnw141292	(void) xdr_free(xdr_result, result);
c5c4113dSnw141292	return (TRUE);
c5c4113dSnw141292}
1fcced4cSJordan Brown
1fcced4cSJordan Brown/*
1fcced4cSJordan Brown * This function is called by rpc_svc.c when it encounters an error.
1fcced4cSJordan Brown */
1fcced4cSJordan BrownNOTE(PRINTFLIKE(1))
1fcced4cSJordan Brownvoid
1fcced4cSJordan Brownidmap_rpc_msgout(const char *fmt, ...)
1fcced4cSJordan Brown{
1fcced4cSJordan Brown	va_list va;
1fcced4cSJordan Brown	char buf[1000];
1fcced4cSJordan Brown
1fcced4cSJordan Brown	va_start(va, fmt);
1fcced4cSJordan Brown	(void) vsnprintf(buf, sizeof (buf), fmt, va);
1fcced4cSJordan Brown	va_end(va);
1fcced4cSJordan Brown
1fcced4cSJordan Brown	idmapdlog(LOG_ERR, "idmap RPC:  %s", buf);
1fcced4cSJordan Brown}