diff options
Diffstat (limited to 'server/infopipe')
-rw-r--r-- | server/infopipe/infopipe_groups.c | 262 | ||||
-rw-r--r-- | server/infopipe/org.freeipa.sssd.infopipe.Introspect.xml | 17 |
2 files changed, 263 insertions, 16 deletions
diff --git a/server/infopipe/infopipe_groups.c b/server/infopipe/infopipe_groups.c index ec02c575..bb3741c9 100644 --- a/server/infopipe/infopipe_groups.c +++ b/server/infopipe/infopipe_groups.c @@ -385,30 +385,276 @@ error: return ret; } -int infp_groups_add_members(DBusMessage *message, struct sbus_conn_ctx *sconn) +enum infp_gr_member_types { + INFP_GR_MEM_USER = 0, + INFP_GR_MEM_GROUP +}; + +struct infp_groupmember_ctx { + struct infp_req_ctx *infp_req; + struct ldb_dn *group_dn; + char **membernames; + uint32_t member_count; + uint32_t index; + uint8_t member_type; + uint8_t modify_type; + struct sysdb_req *sysdb_req; +}; + +static void infp_do_member(struct sysdb_req *req, void *pvt); + +static void infp_do_member_callback(void *pvt, int status, + struct ldb_result *res) { - DBusMessage *reply; + char *fail_msg; + DBusMessage *reply = NULL; + struct infp_groupmember_ctx *grmod_req = + talloc_get_type(pvt, struct infp_groupmember_ctx); - reply = dbus_message_new_error(message, DBUS_ERROR_NOT_SUPPORTED, "Not yet implemented"); + /* Check the results of the current add */ + if(status != EOK) goto fail; - /* send reply */ - sbus_conn_send_reply(sconn, reply); + /* Check if there are more members to process */ + grmod_req->index++; + if(grmod_req->index < grmod_req->member_count) { + infp_do_member(grmod_req->sysdb_req, grmod_req); + return; + } + /* This was the last member. Commit the transaction */ + sysdb_transaction_done(grmod_req->sysdb_req, EOK); + + /* Send an ack reply */ + reply = dbus_message_new_method_return(grmod_req->infp_req->req_message); + if(reply) { + sbus_conn_send_reply(grmod_req->infp_req->sconn, reply); + dbus_message_unref(reply); + } + + talloc_free(grmod_req); + return; + +fail: +sysdb_transaction_done(grmod_req->sysdb_req, status); + fail_msg = talloc_asprintf(grmod_req, "Could not modify group"); + reply = dbus_message_new_error(grmod_req->infp_req->req_message, + DBUS_ERROR_FAILED, + fail_msg); + sbus_conn_send_reply(grmod_req->infp_req->sconn, reply); dbus_message_unref(reply); - return EOK; + talloc_free(grmod_req); + return; +} + +static void infp_do_member(struct sysdb_req *req, void *pvt) +{ + int ret; + struct ldb_dn *member_dn; + struct infp_groupmember_ctx *grmod_req = + talloc_get_type(pvt, struct infp_groupmember_ctx); + + grmod_req->sysdb_req = req; + + if (grmod_req->member_type == INFP_GR_MEM_USER) { + member_dn = + sysdb_user_dn(grmod_req->infp_req->infp->sysdb, + grmod_req, + grmod_req->infp_req->domain->name, + grmod_req->membernames[grmod_req->index]); + if (member_dn == NULL) goto error; + } + else if (grmod_req->member_type == INFP_GR_MEM_GROUP) { + member_dn = + sysdb_group_dn(grmod_req->infp_req->infp->sysdb, + grmod_req, + grmod_req->infp_req->domain->name, + grmod_req->membernames[grmod_req->index]); + if (member_dn == NULL) goto error; + } + else goto error; + + if (grmod_req->modify_type == INFP_ACTION_TYPE_ADDMEMBER) { + ret = sysdb_add_group_member(grmod_req->sysdb_req, + member_dn, + grmod_req->group_dn, + infp_do_member_callback, + grmod_req); + } + else if (grmod_req->modify_type == INFP_ACTION_TYPE_REMOVEMEMBER) { + ret = sysdb_remove_group_member(grmod_req->sysdb_req, + member_dn, + grmod_req->group_dn, + infp_do_member_callback, + grmod_req); + } + if (ret != EOK) goto error; + + return; + +error: + talloc_free(grmod_req); + return; } -int infp_groups_remove_members(DBusMessage *message, struct sbus_conn_ctx *sconn) +static int infp_groups_modify_members(DBusMessage *message, + struct sbus_conn_ctx *sconn, + uint8_t modify_type) { DBusMessage *reply; + DBusError error; + struct infp_groupmember_ctx *grmod_req; + char *einval_msg; + int ret, i; - reply = dbus_message_new_error(message, DBUS_ERROR_NOT_SUPPORTED, "Not yet implemented"); + /* Arguments */ + const char *arg_group; + const char *arg_domain; + char **arg_members = NULL; + int arg_member_count; + uint8_t arg_membertype; + + grmod_req = talloc_zero(NULL, struct infp_groupmember_ctx); + if (grmod_req == NULL) { + ret = ENOMEM; + goto error; + } + + /* Create an infp_req_ctx */ + grmod_req->infp_req = infp_req_init(grmod_req, message, sconn); + if(grmod_req->infp_req == NULL) { + ret = EIO; + goto error; + } + dbus_error_init(&error); + if (!dbus_message_get_args(message, &error, + DBUS_TYPE_STRING, &arg_group, + DBUS_TYPE_STRING, &arg_domain, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, + &arg_members, &arg_member_count, + DBUS_TYPE_BYTE, &arg_membertype, + DBUS_TYPE_INVALID)) { + DEBUG(0, ("Parsing arguments to %s failed: %s:%s\n", + INFP_GROUPS_ADD_MEMBERS, error.name, error.message)); + einval_msg = talloc_strdup(grmod_req, error.message); + dbus_error_free(&error); + goto einval; + } + + /* FIXME: Allow modifying groups on domains other than LOCAL */ + if (strcasecmp(arg_domain, "LOCAL") != 0) { + goto denied; + } + + grmod_req->infp_req->domain = + btreemap_get_value(grmod_req->infp_req->infp->domain_map, + (const void *)arg_domain); + /* Check for a valid domain */ + if(grmod_req->infp_req->domain == NULL) { + einval_msg = talloc_strdup(grmod_req, "Invalid domain."); + goto einval; + } + + /* Check permissions */ + if (!infp_get_permissions(grmod_req->infp_req->caller, + grmod_req->infp_req->domain, + INFP_OBJ_TYPE_GROUP, + arg_group, + modify_type, + INFP_ATTR_TYPE_INVALID)) goto denied; + + grmod_req->member_count = arg_member_count; + grmod_req->membernames = talloc_array(grmod_req, char *, + arg_member_count); + if (grmod_req == NULL) { + ret = ENOMEM; + goto error; + } + for (i = 0; i < arg_member_count; i++) { + grmod_req->membernames[i] = talloc_strdup(grmod_req->membernames, + arg_members[i]); + if(grmod_req->membernames[i] == NULL) { + ret = ENOMEM; + goto error; + } + } + dbus_free_string_array(arg_members); + arg_members = NULL; + + grmod_req->group_dn = + sysdb_group_dn(grmod_req->infp_req->infp->sysdb, + grmod_req, + grmod_req->infp_req->domain->name, + arg_group); + if (grmod_req->group_dn == NULL) { + ret = EIO; + goto error; + } + + grmod_req->index = 0; + grmod_req->modify_type = modify_type; + grmod_req->member_type = arg_membertype; + if ((grmod_req->member_type != INFP_GR_MEM_USER) && + (grmod_req->member_type != INFP_GR_MEM_GROUP)) { + einval_msg = talloc_strdup(grmod_req, + "Invalid member type"); + goto einval; + } + + ret = sysdb_transaction(grmod_req, + grmod_req->infp_req->infp->sysdb, + infp_do_member, + grmod_req); + if (ret != EOK) goto error; + + return EOK; + +denied: + reply = dbus_message_new_error(message, DBUS_ERROR_ACCESS_DENIED, NULL); + if(reply == NULL) { + ret = ENOMEM; + goto error; + } /* send reply */ sbus_conn_send_reply(sconn, reply); + dbus_message_unref(reply); + + if (arg_members) dbus_free_string_array(arg_members); + talloc_free(grmod_req); + return EOK; +einval: + reply = dbus_message_new_error(message, + DBUS_ERROR_INVALID_ARGS, + einval_msg); + if (reply == NULL) { + ret = ENOMEM; + goto error; + } + sbus_conn_send_reply(sconn, reply); dbus_message_unref(reply); + if (arg_members) dbus_free_string_array(arg_members); + talloc_free(grmod_req); return EOK; + +error: + if (arg_members) dbus_free_string_array(arg_members); + talloc_free(grmod_req); + return ret; +} + +int infp_groups_add_members(DBusMessage *message, + struct sbus_conn_ctx *sconn) +{ + return infp_groups_modify_members(message, sconn, + INFP_ACTION_TYPE_ADDMEMBER); +} + +int infp_groups_remove_members(DBusMessage *message, + struct sbus_conn_ctx *sconn) +{ + return infp_groups_modify_members(message, sconn, + INFP_ACTION_TYPE_REMOVEMEMBER); } int infp_groups_set_gid(DBusMessage *message, struct sbus_conn_ctx *sconn) diff --git a/server/infopipe/org.freeipa.sssd.infopipe.Introspect.xml b/server/infopipe/org.freeipa.sssd.infopipe.Introspect.xml index 0dcd2a0d..c1a8b3df 100644 --- a/server/infopipe/org.freeipa.sssd.infopipe.Introspect.xml +++ b/server/infopipe/org.freeipa.sssd.infopipe.Introspect.xml @@ -225,16 +225,17 @@ name="org.freeipa.sssd.infopipe.DocString" value="Add members to a group @param group Group being modified. - @domain The domain the group belongs to. - @members Array of member strings to add to the group. + @param domain The domain the group belongs to. + @param members Array of member strings to add to the group. + @param membertype 0: Users, 1: Groups @return Returns an empty D-BUS reply on success. Will return an error on failure. @error DBUS_ERROR_INVALID_ARGS The domain does not exist - @error DBUS_ERROR_ACCESS_DENIED The caller does not have authorization to modify the group. - @note AddGroupMembers ignores members that don't exist" + @error DBUS_ERROR_ACCESS_DENIED The caller does not have authorization to modify the group." /> <arg name="group" type="s" direction="in" /> <arg name="domain" type="s" direction="in" /> <arg name="members" type="as" direction="in" /> + <arg name="membertype" type="y" direction="in" /> </method> <method name="RemoveGroupMembers1"> @@ -242,12 +243,12 @@ name="org.freeipa.sssd.infopipe.DocString" value="Remove members from a group @param group Group being modified. - @domain The domain the group belongs to. - @members Array of member strings to remove from the group. + @param domain The domain the group belongs to. + @param members Array of member strings to remove from the group. + @param membertype 0: Users, 1: Groups @return Returns an empty D-BUS reply on success. Will return an error on failure. @error DBUS_ERROR_INVALID_ARGS The domain does not exist - @error DBUS_ERROR_ACCESS_DENIED The caller does not have authorization to modify the group. - @note RemoveGroupMembers ignores members that don't exist" + @error DBUS_ERROR_ACCESS_DENIED The caller does not have authorization to modify the group." /> <arg name="group" type="s" direction="in" /> <arg name="domain" type="s" direction="in" /> |