/* authzid.c - RFC 3829 Authzid Control */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software .
*
* Copyright 2010-2022 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* .
*/
/* ACKNOWLEDGEMENTS:
* This work was initially developed by Pierangelo Masarati for inclusion
* in OpenLDAP Software.
*/
/*
* RFC 3829 Authzid
*
* must be instantiated as a global overlay
*/
#include "portable.h"
#include "slap.h"
#include "slap-config.h"
#include "lutil.h"
#include "ac/string.h"
typedef struct authzid_conn_t {
Connection *conn;
int refcnt;
char authzid_flag;
} authzid_conn_t;
static ldap_pvt_thread_mutex_t authzid_mutex;
static Avlnode *authzid_tree;
static int
authzid_conn_cmp( const void *c1, const void *c2 )
{
const authzid_conn_t *ac1 = (const authzid_conn_t *)c1;
const authzid_conn_t *ac2 = (const authzid_conn_t *)c2;
return SLAP_PTRCMP( ac1->conn, ac2->conn );
}
static int
authzid_conn_dup( void *c1, void *c2 )
{
authzid_conn_t *ac1 = (authzid_conn_t *)c1;
authzid_conn_t *ac2 = (authzid_conn_t *)c2;
if ( ac1->conn == ac2->conn ) {
return -1;
}
return 0;
}
static int authzid_cid;
static slap_overinst authzid;
static authzid_conn_t *
authzid_conn_find( Connection *c )
{
authzid_conn_t *ac = NULL, tmp = { 0 };
tmp.conn = c;
ac = (authzid_conn_t *)ldap_avl_find( authzid_tree, (caddr_t)&tmp, authzid_conn_cmp );
if ( ac == NULL || ( ac != NULL && ac->refcnt != 0 ) ) {
ac = NULL;
}
if ( ac ) {
ac->refcnt++;
}
return ac;
}
static authzid_conn_t *
authzid_conn_get( Connection *c )
{
authzid_conn_t *ac = NULL;
ldap_pvt_thread_mutex_lock( &authzid_mutex );
ac = authzid_conn_find( c );
if ( ac && ac->refcnt ) ac = NULL;
if ( ac ) ac->refcnt++;
ldap_pvt_thread_mutex_unlock( &authzid_mutex );
return ac;
}
static void
authzid_conn_release( authzid_conn_t *ac )
{
ldap_pvt_thread_mutex_lock( &authzid_mutex );
ac->refcnt--;
ldap_pvt_thread_mutex_unlock( &authzid_mutex );
}
static int
authzid_conn_insert( Connection *c, char flag )
{
authzid_conn_t *ac;
int rc;
ldap_pvt_thread_mutex_lock( &authzid_mutex );
ac = authzid_conn_find( c );
if ( ac ) {
ldap_pvt_thread_mutex_unlock( &authzid_mutex );
return -1;
}
ac = ch_malloc( sizeof( authzid_conn_t ) );
ac->conn = c;
ac->refcnt = 0;
ac->authzid_flag = flag;
rc = ldap_avl_insert( &authzid_tree, (caddr_t)ac,
authzid_conn_cmp, authzid_conn_dup );
ldap_pvt_thread_mutex_unlock( &authzid_mutex );
return rc;
}
static int
authzid_conn_remove( Connection *c )
{
authzid_conn_t *ac, *tmp;
ldap_pvt_thread_mutex_lock( &authzid_mutex );
ac = authzid_conn_find( c );
if ( !ac ) {
ldap_pvt_thread_mutex_unlock( &authzid_mutex );
return -1;
}
tmp = ldap_avl_delete( &authzid_tree, (caddr_t)ac, authzid_conn_cmp );
ldap_pvt_thread_mutex_unlock( &authzid_mutex );
assert( tmp == ac );
ch_free( ac );
return 0;
}
static int
authzid_response(
Operation *op,
SlapReply *rs )
{
LDAPControl **ctrls;
struct berval edn = BER_BVNULL;
ber_len_t len = 0;
int n = 0;
assert( rs->sr_tag = LDAP_RES_BIND );
if ( rs->sr_err == LDAP_SASL_BIND_IN_PROGRESS ) {
authzid_conn_t *ac = op->o_controls[ authzid_cid ];
if ( ac ) {
authzid_conn_release( ac );
} else {
(void)authzid_conn_insert( op->o_conn, op->o_ctrlflag[ authzid_cid ] );
}
return SLAP_CB_CONTINUE;
}
(void)authzid_conn_remove( op->o_conn );
if ( rs->sr_err != LDAP_SUCCESS ) {
return SLAP_CB_CONTINUE;
}
if ( !BER_BVISEMPTY( &op->orb_edn ) ) {
edn = op->orb_edn;
} else if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
edn = op->o_conn->c_dn;
}
if ( !BER_BVISEMPTY( &edn ) ) {
ber_tag_t save_tag = op->o_tag;
struct berval save_dn = op->o_dn;
struct berval save_ndn = op->o_ndn;
int rc;
/* pretend it's an extop without data,
* so it is treated as a generic write
*/
op->o_tag = LDAP_REQ_EXTENDED;
op->o_dn = edn;
op->o_ndn = edn;
rc = backend_check_restrictions( op, rs, NULL );
op->o_tag = save_tag;
op->o_dn = save_dn;
op->o_ndn = save_ndn;
if ( rc != LDAP_SUCCESS ) {
rs->sr_err = LDAP_CONFIDENTIALITY_REQUIRED;
return SLAP_CB_CONTINUE;
}
len = STRLENOF("dn:") + edn.bv_len;
}
/* save original controls in sc_private;
* will be restored by sc_cleanup
*/
if ( rs->sr_ctrls != NULL ) {
op->o_callback->sc_private = rs->sr_ctrls;
for ( ; rs->sr_ctrls[n] != NULL; n++ )
;
}
ctrls = op->o_tmpalloc( sizeof( LDAPControl * )*( n + 2 ), op->o_tmpmemctx );
n = 0;
if ( rs->sr_ctrls ) {
for ( ; rs->sr_ctrls[n] != NULL; n++ ) {
ctrls[n] = rs->sr_ctrls[n];
}
}
/* anonymous: "", otherwise "dn:" */
ctrls[n] = op->o_tmpalloc( sizeof( LDAPControl ) + len + 1, op->o_tmpmemctx );
ctrls[n]->ldctl_oid = LDAP_CONTROL_AUTHZID_RESPONSE;
ctrls[n]->ldctl_iscritical = 0;
ctrls[n]->ldctl_value.bv_len = len;
ctrls[n]->ldctl_value.bv_val = (char *)&ctrls[n][1];
if ( len ) {
char *ptr;
ptr = lutil_strcopy( ctrls[n]->ldctl_value.bv_val, "dn:" );
ptr = lutil_strncopy( ptr, edn.bv_val, edn.bv_len );
}
ctrls[n]->ldctl_value.bv_val[len] = '\0';
ctrls[n + 1] = NULL;
rs->sr_ctrls = ctrls;
return SLAP_CB_CONTINUE;
}
static int
authzid_cleanup(
Operation *op,
SlapReply *rs )
{
if ( rs->sr_ctrls ) {
LDAPControl *ctrl;
/* if ours, cleanup */
ctrl = ldap_control_find( LDAP_CONTROL_AUTHZID_RESPONSE, rs->sr_ctrls, NULL );
if ( ctrl ) {
op->o_tmpfree( rs->sr_ctrls, op->o_tmpmemctx );
rs->sr_ctrls = NULL;
}
if ( op->o_callback->sc_private != NULL ) {
rs->sr_ctrls = (LDAPControl **)op->o_callback->sc_private;
op->o_callback->sc_private = NULL;
}
}
op->o_tmpfree( op->o_callback, op->o_tmpmemctx );
op->o_callback = NULL;
return SLAP_CB_CONTINUE;
}
static int
authzid_op_bind(
Operation *op,
SlapReply *rs )
{
slap_callback *sc;
if ( op->o_ctrlflag[ authzid_cid ] <= SLAP_CONTROL_IGNORED ) {
authzid_conn_t *ac = authzid_conn_get( op->o_conn );
if ( ac ) {
op->o_ctrlflag[ authzid_cid ] = ac->authzid_flag;
op->o_controls[ authzid_cid] = ac;
}
}
if ( op->o_ctrlflag[ authzid_cid ] > SLAP_CONTROL_IGNORED ) {
sc = op->o_callback;
op->o_callback = op->o_tmpalloc( sizeof( slap_callback ), op->o_tmpmemctx );
op->o_callback->sc_response = authzid_response;
op->o_callback->sc_cleanup = authzid_cleanup;
op->o_callback->sc_private = NULL;
op->o_callback->sc_writewait = NULL;
op->o_callback->sc_next = sc;
}
return SLAP_CB_CONTINUE;
}
static int
parse_authzid_ctrl(
Operation *op,
SlapReply *rs,
LDAPControl *ctrl )
{
if ( op->o_ctrlflag[ authzid_cid ] != SLAP_CONTROL_NONE ) {
rs->sr_text = "authzid control specified multiple times";
return LDAP_PROTOCOL_ERROR;
}
if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) {
rs->sr_text = "authzid control value not absent";
return LDAP_PROTOCOL_ERROR;
}
/* drop ongoing requests */
(void)authzid_conn_remove( op->o_conn );
op->o_ctrlflag[ authzid_cid ] = ctrl->ldctl_iscritical ? SLAP_CONTROL_CRITICAL : SLAP_CONTROL_NONCRITICAL;
return LDAP_SUCCESS;
}
static int
authzid_db_init( BackendDB *be, ConfigReply *cr )
{
if ( !SLAP_ISGLOBALOVERLAY( be ) ) {
/* do not allow slapo-ppolicy to be global by now (ITS#5858) */
if ( cr ) {
snprintf( cr->msg, sizeof(cr->msg),
"slapo-authzid must be global" );
Debug( LDAP_DEBUG_ANY, "%s\n", cr->msg );
}
return 1;
}
int rc;
rc = register_supported_control( LDAP_CONTROL_AUTHZID_REQUEST,
SLAP_CTRL_GLOBAL|SLAP_CTRL_BIND|SLAP_CTRL_HIDE, NULL,
parse_authzid_ctrl, &authzid_cid );
if ( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_ANY,
"authzid_initialize: Failed to register control '%s' (%d)\n",
LDAP_CONTROL_AUTHZID_REQUEST, rc );
return rc;
}
return LDAP_SUCCESS;
}
/*
* Almost pointless, by now, since this overlay needs to be global,
* and global overlays deletion is not supported yet.
*/
static int
authzid_db_destroy( BackendDB *be, ConfigReply *cr )
{
#ifdef SLAP_CONFIG_DELETE
overlay_unregister_control( be, LDAP_CONTROL_AUTHZID_REQUEST );
#endif /* SLAP_CONFIG_DELETE */
unregister_supported_control( LDAP_CONTROL_AUTHZID_REQUEST );
return 0;
}
static int
authzid_initialize( void )
{
ldap_pvt_thread_mutex_init( &authzid_mutex );
authzid.on_bi.bi_type = "authzid";
authzid.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
authzid.on_bi.bi_db_init = authzid_db_init;
authzid.on_bi.bi_db_destroy = authzid_db_destroy;
authzid.on_bi.bi_op_bind = authzid_op_bind;
return overlay_register( &authzid );
}
int
init_module( int argc, char *argv[] )
{
return authzid_initialize();
}