1/*	$NetBSD: lastbind.c,v 1.2 2021/08/14 16:14:52 christos Exp $	*/
2
3/* lastbind.c - Record timestamp of the last successful bind to entries */
4/* $OpenLDAP$ */
5/*
6 * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
11 * Public License.
12 *
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
16 */
17/* ACKNOWLEDGEMENTS:
18 * This work is loosely derived from the ppolicy overlay.
19 */
20
21#include <sys/cdefs.h>
22__RCSID("$NetBSD: lastbind.c,v 1.2 2021/08/14 16:14:52 christos Exp $");
23
24#include "portable.h"
25
26/*
27 * This file implements an overlay that stores the timestamp of the
28 * last successful bind operation in a directory entry.
29 *
30 * Optimization: to avoid performing a write on each bind,
31 * a precision for this timestamp may be configured, causing it to
32 * only be updated if it is older than a given number of seconds.
33 */
34
35#ifdef SLAPD_OVER_LASTBIND
36
37#include <ldap.h>
38#include "lutil.h"
39#include "slap.h"
40#include <ac/errno.h>
41#include <ac/time.h>
42#include <ac/string.h>
43#include <ac/ctype.h>
44#include "slap-config.h"
45
46/* Per-instance configuration information */
47typedef struct lastbind_info {
48	/* precision to update timestamp in authTimestamp attribute */
49	int timestamp_precision;
50	int forward_updates;	/* use frontend for authTimestamp updates */
51} lastbind_info;
52
53/* Operational attributes */
54static AttributeDescription *ad_authTimestamp;
55
56/* This is the definition used by ISODE, as supplied to us in
57 * ITS#6238 Followup #9
58 */
59static struct schema_info {
60	char *def;
61	AttributeDescription **ad;
62} lastBind_OpSchema[] = {
63	{	"( 1.3.6.1.4.1.453.16.2.188 "
64		"NAME 'authTimestamp' "
65		"DESC 'last successful authentication using any method/mech' "
66		"EQUALITY generalizedTimeMatch "
67		"ORDERING generalizedTimeOrderingMatch "
68		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
69		"SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )",
70		&ad_authTimestamp},
71	{ NULL, NULL }
72};
73
74/* configuration attribute and objectclass */
75static ConfigTable lastbindcfg[] = {
76	{ "lastbind-precision", "seconds", 2, 2, 0,
77	  ARG_INT|ARG_OFFSET,
78	  (void *)offsetof(lastbind_info, timestamp_precision),
79	  "( OLcfgCtAt:5.1 "
80	  "NAME 'olcLastBindPrecision' "
81	  "DESC 'Precision of authTimestamp attribute' "
82	  "EQUALITY integerMatch "
83	  "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
84	{ "lastbind_forward_updates", "on|off", 1, 2, 0,
85	  ARG_ON_OFF|ARG_OFFSET,
86	  (void *)offsetof(lastbind_info,forward_updates),
87	  "( OLcfgAt:5.2 NAME 'olcLastBindForwardUpdates' "
88	  "DESC 'Allow authTimestamp updates to be forwarded via updateref' "
89	  "EQUALITY booleanMatch "
90	  "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
91	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
92};
93
94static ConfigOCs lastbindocs[] = {
95	{ "( OLcfgCtOc:5.1 "
96	  "NAME 'olcLastBindConfig' "
97	  "DESC 'Last Bind configuration' "
98	  "SUP olcOverlayConfig "
99	  "MAY ( olcLastBindPrecision $ olcLastBindForwardUpdates) )",
100	  Cft_Overlay, lastbindcfg, NULL, NULL },
101	{ NULL, 0, NULL }
102};
103
104static time_t
105parse_time( char *atm )
106{
107	struct lutil_tm tm;
108	struct lutil_timet tt;
109	time_t ret = (time_t)-1;
110
111	if ( lutil_parsetime( atm, &tm ) == 0) {
112		lutil_tm2time( &tm, &tt );
113		ret = tt.tt_sec;
114	}
115	return ret;
116}
117
118static int
119lastbind_bind_response( Operation *op, SlapReply *rs )
120{
121	Modifications *mod = NULL;
122	BackendInfo *bi = op->o_bd->bd_info;
123	Entry *e;
124	int rc;
125
126	/* we're only interested if the bind was successful */
127	if ( rs->sr_err != LDAP_SUCCESS )
128		return SLAP_CB_CONTINUE;
129
130	rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
131	op->o_bd->bd_info = bi;
132
133	if ( rc != LDAP_SUCCESS ) {
134		return SLAP_CB_CONTINUE;
135	}
136
137	{
138		lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
139
140		time_t now, bindtime = (time_t)-1;
141		Attribute *a;
142		Modifications *m;
143		char nowstr[ LDAP_LUTIL_GENTIME_BUFSIZE ];
144		struct berval timestamp;
145
146		/* get the current time */
147		now = slap_get_time();
148
149		/* get authTimestamp attribute, if it exists */
150		if ((a = attr_find( e->e_attrs, ad_authTimestamp)) != NULL) {
151			bindtime = parse_time( a->a_nvals[0].bv_val );
152
153			if (bindtime != (time_t)-1) {
154				/* if the recorded bind time is within our precision, we're done
155				 * it doesn't need to be updated (save a write for nothing) */
156				if ((now - bindtime) < lbi->timestamp_precision) {
157					goto done;
158				}
159			}
160		}
161
162		/* update the authTimestamp in the user's entry with the current time */
163		timestamp.bv_val = nowstr;
164		timestamp.bv_len = sizeof(nowstr);
165		slap_timestamp( &now, &timestamp );
166
167		m = ch_calloc( sizeof(Modifications), 1 );
168		m->sml_op = LDAP_MOD_REPLACE;
169		m->sml_flags = 0;
170		m->sml_type = ad_authTimestamp->ad_cname;
171		m->sml_desc = ad_authTimestamp;
172		m->sml_numvals = 1;
173		m->sml_values = ch_calloc( sizeof(struct berval), 2 );
174		m->sml_nvalues = ch_calloc( sizeof(struct berval), 2 );
175
176		ber_dupbv( &m->sml_values[0], &timestamp );
177		ber_dupbv( &m->sml_nvalues[0], &timestamp );
178		m->sml_next = mod;
179		mod = m;
180	}
181
182done:
183	be_entry_release_r( op, e );
184
185	/* perform the update, if necessary */
186	if ( mod ) {
187		Operation op2 = *op;
188		SlapReply r2 = { REP_RESULT };
189		slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
190		LDAPControl c, *ca[2];
191		lastbind_info *lbi = (lastbind_info *) op->o_callback->sc_private;
192
193		/* This is a DSA-specific opattr, it never gets replicated. */
194		op2.o_tag = LDAP_REQ_MODIFY;
195		op2.o_callback = &cb;
196		op2.orm_modlist = mod;
197		op2.orm_no_opattrs = 0;
198		op2.o_dn = op->o_bd->be_rootdn;
199		op2.o_ndn = op->o_bd->be_rootndn;
200
201		/*
202		 * Code for forwarding of updates adapted from ppolicy.c of slapo-ppolicy
203		 *
204		 * If this server is a shadow and forward_updates is true,
205		 * use the frontend to perform this modify. That will trigger
206		 * the update referral, which can then be forwarded by the
207		 * chain overlay. Obviously the updateref and chain overlay
208		 * must be configured appropriately for this to be useful.
209		 */
210		if ( SLAP_SHADOW( op->o_bd ) && lbi->forward_updates ) {
211			op2.o_bd = frontendDB;
212
213			/* Must use Relax control since these are no-user-mod */
214			op2.o_relax = SLAP_CONTROL_CRITICAL;
215			op2.o_ctrls = ca;
216			ca[0] = &c;
217			ca[1] = NULL;
218			BER_BVZERO( &c.ldctl_value );
219			c.ldctl_iscritical = 1;
220			c.ldctl_oid = LDAP_CONTROL_RELAX;
221		} else {
222			/* If not forwarding, don't update opattrs and don't replicate */
223			if ( SLAP_SINGLE_SHADOW( op->o_bd )) {
224				op2.orm_no_opattrs = 1;
225				op2.o_dont_replicate = 1;
226			}
227			/* TODO: not sure what this does in slapo-ppolicy */
228			/*
229			op2.o_bd->bd_info = (BackendInfo *)on->on_info;
230			*/
231		}
232
233		rc = op2.o_bd->be_modify( &op2, &r2 );
234		slap_mods_free( mod, 1 );
235	}
236
237	op->o_bd->bd_info = bi;
238	return SLAP_CB_CONTINUE;
239}
240
241static int
242lastbind_bind( Operation *op, SlapReply *rs )
243{
244	slap_callback *cb;
245	slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
246
247	/* setup a callback to intercept result of this bind operation
248	 * and pass along the lastbind_info struct */
249	cb = op->o_tmpcalloc( sizeof(slap_callback), 1, op->o_tmpmemctx );
250	cb->sc_response = lastbind_bind_response;
251	cb->sc_next = op->o_callback->sc_next;
252	cb->sc_private = on->on_bi.bi_private;
253	op->o_callback->sc_next = cb;
254
255	return SLAP_CB_CONTINUE;
256}
257
258static int
259lastbind_db_init(
260	BackendDB *be,
261	ConfigReply *cr
262)
263{
264	slap_overinst *on = (slap_overinst *) be->bd_info;
265
266	/* initialize private structure to store configuration */
267	on->on_bi.bi_private = ch_calloc( 1, sizeof(lastbind_info) );
268
269	return 0;
270}
271
272static int
273lastbind_db_close(
274	BackendDB *be,
275	ConfigReply *cr
276)
277{
278	slap_overinst *on = (slap_overinst *) be->bd_info;
279	lastbind_info *lbi = (lastbind_info *) on->on_bi.bi_private;
280
281	/* free private structure to store configuration */
282	free( lbi );
283
284	return 0;
285}
286
287static slap_overinst lastbind;
288
289int lastbind_initialize()
290{
291	int i, code;
292
293	/* register operational schema for this overlay (authTimestamp attribute) */
294	for (i=0; lastBind_OpSchema[i].def; i++) {
295		code = register_at( lastBind_OpSchema[i].def, lastBind_OpSchema[i].ad, 0 );
296		if ( code ) {
297			Debug( LDAP_DEBUG_ANY,
298				"lastbind_initialize: register_at failed\n" );
299			return code;
300		}
301	}
302
303	ad_authTimestamp->ad_type->sat_flags |= SLAP_AT_MANAGEABLE;
304
305	lastbind.on_bi.bi_type = "lastbind";
306	lastbind.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
307	lastbind.on_bi.bi_db_init = lastbind_db_init;
308	lastbind.on_bi.bi_db_close = lastbind_db_close;
309	lastbind.on_bi.bi_op_bind = lastbind_bind;
310
311	/* register configuration directives */
312	lastbind.on_bi.bi_cf_ocs = lastbindocs;
313	code = config_register_schema( lastbindcfg, lastbindocs );
314	if ( code ) return code;
315
316	return overlay_register( &lastbind );
317}
318
319#if SLAPD_OVER_LASTBIND == SLAPD_MOD_DYNAMIC
320int init_module(int argc, char *argv[]) {
321	return lastbind_initialize();
322}
323#endif
324
325#endif	/* defined(SLAPD_OVER_LASTBIND) */
326