ipaserver/dcerpc: attempt to resolve SIDs through SSSD first

Attempt to resolve SIDs through SSSD first to avoid using trust account password. This makes possible to run HBAC test requests without being in 'trusted admins' group. https://fedorahosted.org/freeipa/ticket/3803
2025-01-11 08:41:55 -06:00 · 2013-07-19 17:04:14 +03:00 · 2013-07-19 17:04:14 +03:00 · 7b5cc3ed83
commit 7b5cc3ed83
parent 17c7d46c25
2 changed files with 47 additions and 7 deletions
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@ -400,17 +400,14 @@ class hbactest(Command):
                ldap = self.api.Backend.ldap2
                group_container = DN(api.env.container_group, api.env.basedn)
                try:
-                    entries, truncated = ldap.find_entries(filter_sids, ['cn', 'memberOf'], group_container)
+                    entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container)
                except errors.NotFound:
                    request.user.groups = []
                else:
                    groups = []
                    for dn, entry in entries:
-                        memberof_dns = entry.get('memberof', [])
-                        for memberof_dn in memberof_dns:
-                            if memberof_dn.endswith(group_container):
-                                # this is a group object
-                                groups.append(memberof_dn[0][0].value)
+                        if dn.endswith(group_container):
+                            groups.append(dn[0][0].value)
                    request.user.groups = sorted(set(groups))
            else:
                # try searching for a local user
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@ -53,6 +53,8 @@ from ipapython.ipaldap import IPAdmin
 from ipalib.session import krbccache_dir, krbccache_prefix
 from dns import resolver, rdatatype
 from dns.exception import DNSException
+import pysss_nss_idmap
+import pysss

 __doc__ = _("""
 Classes to manage trust joins using DCE-RPC calls
@ -312,6 +314,12 @@ class DomainValidator(object):
        return entries

    def get_trusted_domain_object_sid(self, object_name):
+        result = pysss_nss_idmap.getsidbyname(object_name)
+        if object_name in result and (pysss_nss_idmap.SID_KEY in result[object_name]):
+            object_sid = result[object_name][pysss_nss_idmap.SID_KEY]
+            return object_sid
+
+        # Else, we are going to contact AD DC LDAP
        components = normalize_name(object_name)
        if not ('domain' in components or 'flatname' in components):
            # No domain or realm specified, ambiguous search
@ -337,7 +345,7 @@ class DomainValidator(object):
            raise errors.ValidationError(name=_('trusted domain object'),
               error= _('Trusted domain did not return a valid SID for the object'))

-    def get_trusted_domain_user_and_groups(self, object_name):
+    def __get_trusted_domain_user_and_groups(self, object_name):
        """
        Returns a tuple with user SID and a list of SIDs of all groups he is
        a member of.
@ -393,6 +401,41 @@ class DomainValidator(object):
        group_sids = [self.__sid_to_str(sid) for sid in entries[0][1]['tokenGroups']]
        return (object_sid, group_sids)

+    def get_trusted_domain_user_and_groups(self, object_name):
+        """
+        Returns a tuple with user SID and a list of SIDs of all groups he is
+        a member of.
+
+        First attempts to perform SID lookup via SSSD and in case of failure
+        resorts back to checking trusted domain's AD DC LDAP directly.
+
+        LIMITATIONS:
+            - only Trusted Admins group members can use this function as it
+              uses secret for IPA-Trusted domain link if SSSD lookup failed
+            - List of group SIDs does not contain group memberships outside
+              of the trusted domain
+        """
+        group_sids = None
+        group_list = None
+        object_sid = None
+        is_valid_sid = is_sid_valid(object_name)
+        if is_valid_sid:
+            object_sid = object_name
+            result = pysss_nss_idmap.getnamebysid(object_name)
+            if object_name in result and (pysss_nss_idmap.NAME_KEY in result[object_name]):
+                group_list = pysss.getgrouplist(result[object_name][pysss_nss_idmap.NAME_KEY])
+        else:
+            result = pysss_nss_idmap.getsidbyname(object_name)
+            if object_name in result and (pysss_nss_idmap.SID_KEY in result[object_name]):
+                object_sid = result[object_name][pysss_nss_idmap.SID_KEY]
+                group_list = pysss.getgrouplist(object_name)
+
+        if not group_list:
+            return self.__get_trusted_domain_user_and_groups(object_name)
+
+        group_sids = pysss_nss_idmap.getsidbyname(group_list)
+        return (object_sid, [el[1][pysss_nss_idmap.SID_KEY] for el in group_sids.items()])
+
    def __sid_to_str(self, sid):
        """
        Converts binary SID to string representation