system-plugin: implement modify functionality for authorized-key list

jkuless · Aug 8, 2022 · 0a850b5 · 0a850b5
1 parent fb80148
commit 0a850b5
Show file tree

Hide file tree

Showing 4 changed files with 158 additions and 108 deletions.
diff --git a/src/subscription/change.c b/src/subscription/change.c
@@ -655,6 +655,7 @@ int system_subscription_change_authentication_user(sr_session_ctx_t *session, ui
 
 	bool authentication_enabled = false;
 	bool local_users_enabled = false;
+	system_local_user_element_t *user_iter = NULL;
 
 	if (event == SR_EV_ABORT) {
 		SRPLG_LOG_ERR(PLUGIN_NAME, "aborting changes for: %s", xpath);
@@ -683,6 +684,23 @@ int system_subscription_change_authentication_user(sr_session_ctx_t *session, ui
 				goto error_out;
 			}
 
+			// also key users list
+			error = system_authentication_load_user(ctx, &ctx->temp_users.keys.modified);
+			if (error) {
+				SRPLG_LOG_ERR(PLUGIN_NAME, "system_authentication_load_user() error (%d)", error);
+				goto error_out;
+			}
+
+			// load all keys for the modified list
+			LL_FOREACH(ctx->temp_users.keys.modified, user_iter)
+			{
+				error = system_authentication_load_user_authorized_key(ctx, user_iter->user.name, &user_iter->user.key_head);
+				if (error) {
+					SRPLG_LOG_ERR(PLUGIN_NAME, "system_authentication_load_user_authorized_key() error (%d) for user %s", error, user_iter->user.name);
+					goto error_out;
+				}
+			}
+
 			// name change
 			error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/name", xpath);
 			if (error < 0) {
@@ -707,15 +725,39 @@ int system_subscription_change_authentication_user(sr_session_ctx_t *session, ui
 				goto error_out;
 			}
 
-			// authorized-key change
-			error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/authorized-key", xpath);
+			// authorized-key name change
+			error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/authorized-key//name", xpath);
+			if (error < 0) {
+				SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error: %d", error);
+				goto error_out;
+			}
+			error = srpc_iterate_changes(ctx, session, xpath_buffer, system_authentication_user_change_authorized_key_name);
+			if (error) {
+				SRPLG_LOG_ERR(PLUGIN_NAME, "srpc_iterate_changes() for user:authorized-key:name failed: %d", error);
+				goto error_out;
+			}
+
+			// authorized-key algorithm change
+			error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/authorized-key//algorithm", xpath);
+			if (error < 0) {
+				SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error: %d", error);
+				goto error_out;
+			}
+			error = srpc_iterate_changes(ctx, session, xpath_buffer, system_authentication_user_change_authorized_key_algorithm);
+			if (error) {
+				SRPLG_LOG_ERR(PLUGIN_NAME, "srpc_iterate_changes() for user:authorized-key:algorithm failed: %d", error);
+				goto error_out;
+			}
+
+			// authorized-key key-data change
+			error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/authorized-key//key-data", xpath);
 			if (error < 0) {
 				SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error: %d", error);
 				goto error_out;
 			}
-			error = srpc_iterate_changes(ctx, session, xpath_buffer, system_authentication_change_user_authorized_key);
+			error = srpc_iterate_changes(ctx, session, xpath_buffer, system_authentication_user_change_authorized_key_key_data);
 			if (error) {
-				SRPLG_LOG_ERR(PLUGIN_NAME, "srpc_iterate_changes() for user:authorized-key failed: %d", error);
+				SRPLG_LOG_ERR(PLUGIN_NAME, "srpc_iterate_changes() for user:authorized-key:key-data failed: %d", error);
 				goto error_out;
 			}
 

diff --git a/src/system/api/authentication/change.c b/src/system/api/authentication/change.c
@@ -34,17 +34,13 @@
 static int system_authentication_change_user_extract_name(sr_session_ctx_t *session, const struct lyd_node *node, char *name_buffer, size_t buffer_size);
 static int system_authentication_change_user_authorized_key_extract_name(sr_session_ctx_t *session, const struct lyd_node *node, char *name_buffer, size_t buffer_size);
 static int delete_home_directory(const char *username);
-static int system_authentication_authorized_key_change_name(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx);
-static int system_authentication_authorized_key_change_algorithm(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx);
-static int system_authentication_authorized_key_change_key_data(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx);
 
 int system_authentication_user_apply_changes(system_ctx_t *ctx)
 {
 	int error = 0;
 	um_db_t *user_db = NULL;
 	um_user_t *temp_user = NULL;
 	bool has_user_changes = false;
-	bool has_key_changes = false;
 
 	system_local_user_element_t *user_iter = NULL;
 	system_authorized_key_element_t *key_iter = NULL;
@@ -181,6 +177,15 @@ int system_authentication_user_apply_changes(system_ctx_t *ctx)
 		}
 	}
 
+	LL_FOREACH(ctx->temp_users.keys.modified, user_iter)
+	{
+		error = system_authentication_store_user_authorized_key(ctx, user_iter->user.name, user_iter->user.key_head);
+		if (error) {
+			SRPLG_LOG_ERR(PLUGIN_NAME, "system_authentication_store_user_authorized_key() error (%d) for user %s", error, user_iter->user.name);
+			goto error_out;
+		}
+	}
+
 	LL_FOREACH(ctx->temp_users.keys.deleted, user_iter)
 	{
 		// TODO: remove key from user's .ssh/ directory
@@ -347,66 +352,66 @@ int system_authentication_change_user_password(void *priv, sr_session_ctx_t *ses
 	return error;
 }
 
-int system_authentication_change_user_authorized_key(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx)
-{
-	int error = 0;
-	system_ctx_t *ctx = priv;
-	const char *node_name = LYD_NAME(change_ctx->node);
-	const char *node_value = lyd_get_value(change_ctx->node);
-	char xpath_buffer[PATH_MAX] = {0};
-	char path_buffer[PATH_MAX] = {0};
-
-	const char *node_path = lyd_path(change_ctx->node, LYD_PATH_STD, path_buffer, sizeof(path_buffer));
-
-	assert(strcmp(node_name, "authorized-key") == 0);
-
-	SRPLG_LOG_INF(PLUGIN_NAME, "Node Name: %s; Previous Value: %s, Value: %s; Operation: %d", node_name, change_ctx->previous_value, node_value, change_ctx->operation);
-
-	// name change
-	error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/name", node_path);
-	if (error < 0) {
-		SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error: %d", error);
-		goto error_out;
-	}
-	error = srpc_iterate_changes(ctx, session, xpath_buffer, system_authentication_authorized_key_change_name);
-	if (error) {
-		SRPLG_LOG_ERR(PLUGIN_NAME, "srpc_iterate_changes() for name failed: %d", error);
-		goto error_out;
-	}
-
-	// algorithm change
-	error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/algorithm", node_path);
-	if (error < 0) {
-		SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error: %d", error);
-		goto error_out;
-	}
-	error = srpc_iterate_changes(ctx, session, xpath_buffer, system_authentication_authorized_key_change_algorithm);
-	if (error) {
-		SRPLG_LOG_ERR(PLUGIN_NAME, "srpc_iterate_changes() for algorithm failed: %d", error);
-		goto error_out;
-	}
-
-	// key-data change
-	error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/key-data", node_path);
-	if (error < 0) {
-		SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error: %d", error);
-		goto error_out;
-	}
-	error = srpc_iterate_changes(ctx, session, xpath_buffer, system_authentication_authorized_key_change_key_data);
-	if (error) {
-		SRPLG_LOG_ERR(PLUGIN_NAME, "srpc_iterate_changes() for key-data failed: %d", error);
-		goto error_out;
-	}
-
-	goto out;
-
-error_out:
-	error = -1;
-
-out:
-
-	return error;
-}
+// int system_authentication_change_user_authorized_key(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx)
+// {
+// 	int error = 0;
+// 	system_ctx_t *ctx = priv;
+// 	const char *node_name = LYD_NAME(change_ctx->node);
+// 	const char *node_value = lyd_get_value(change_ctx->node);
+// 	char xpath_buffer[PATH_MAX] = {0};
+// 	char path_buffer[PATH_MAX] = {0};
+
+// 	const char *node_path = lyd_path(change_ctx->node, LYD_PATH_STD, path_buffer, sizeof(path_buffer));
+
+// 	// assert(strcmp(node_name, "authorized-key") == 0);
+
+// 	SRPLG_LOG_INF(PLUGIN_NAME, "Node Name: %s; Previous Value: %s, Value: %s; Operation: %d", node_name, change_ctx->previous_value, node_value, change_ctx->operation);
+
+// 	// name change
+// 	error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/name", node_path);
+// 	if (error < 0) {
+// 		SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error: %d", error);
+// 		goto error_out;
+// 	}
+// 	error = srpc_iterate_changes(ctx, session, xpath_buffer, system_authentication_authorized_key_change_name);
+// 	if (error) {
+// 		SRPLG_LOG_ERR(PLUGIN_NAME, "srpc_iterate_changes() for name failed: %d", error);
+// 		goto error_out;
+// 	}
+
+// 	// algorithm change
+// 	error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/algorithm", node_path);
+// 	if (error < 0) {
+// 		SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error: %d", error);
+// 		goto error_out;
+// 	}
+// 	error = srpc_iterate_changes(ctx, session, xpath_buffer, system_authentication_authorized_key_change_algorithm);
+// 	if (error) {
+// 		SRPLG_LOG_ERR(PLUGIN_NAME, "srpc_iterate_changes() for algorithm failed: %d", error);
+// 		goto error_out;
+// 	}
+
+// 	// key-data change
+// 	error = snprintf(xpath_buffer, sizeof(xpath_buffer), "%s/key-data", node_path);
+// 	if (error < 0) {
+// 		SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error: %d", error);
+// 		goto error_out;
+// 	}
+// 	error = srpc_iterate_changes(ctx, session, xpath_buffer, system_authentication_authorized_key_change_key_data);
+// 	if (error) {
+// 		SRPLG_LOG_ERR(PLUGIN_NAME, "srpc_iterate_changes() for key-data failed: %d", error);
+// 		goto error_out;
+// 	}
+
+// 	goto out;
+
+// error_out:
+// 	error = -1;
+
+// out:
+
+// 	return error;
+// }
 
 static int system_authentication_change_user_extract_name(sr_session_ctx_t *session, const struct lyd_node *node, char *name_buffer, size_t buffer_size)
 {
@@ -524,7 +529,7 @@ static int delete_home_directory(const char *username)
 	return error;
 }
 
-static int system_authentication_authorized_key_change_name(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx)
+int system_authentication_user_change_authorized_key_name(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx)
 {
 	int error = 0;
 	system_ctx_t *ctx = priv;
@@ -651,7 +656,7 @@ static int system_authentication_authorized_key_change_name(void *priv, sr_sessi
 	return error;
 }
 
-static int system_authentication_authorized_key_change_algorithm(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx)
+int system_authentication_user_change_authorized_key_algorithm(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx)
 {
 	int error = 0;
 	system_ctx_t *ctx = priv;
@@ -729,7 +734,7 @@ static int system_authentication_authorized_key_change_algorithm(void *priv, sr_
 	return error;
 }
 
-static int system_authentication_authorized_key_change_key_data(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx)
+int system_authentication_user_change_authorized_key_key_data(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx)
 {
 	int error = 0;
 	system_ctx_t *ctx = priv;
@@ -805,4 +810,4 @@ static int system_authentication_authorized_key_change_key_data(void *priv, sr_s
 out:
 
 	return error;
-}
+}
diff --git a/src/system/api/authentication/change.h b/src/system/api/authentication/change.h
@@ -22,6 +22,9 @@ int system_authentication_user_apply_changes(system_ctx_t *ctx);
 
 int system_authentication_change_user_name(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx);
 int system_authentication_change_user_password(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx);
-int system_authentication_change_user_authorized_key(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx);
+// int system_authentication_change_user_authorized_key(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx);
+int system_authentication_user_change_authorized_key_name(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx);
+int system_authentication_user_change_authorized_key_algorithm(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx);
+int system_authentication_user_change_authorized_key_key_data(void *priv, sr_session_ctx_t *session, const srpc_change_ctx_t *change_ctx);
 
 #endif // SYSTEM_PLUGIN_API_AUTHENTICATION_CHANGE_H
diff --git a/src/system/api/authentication/store.c b/src/system/api/authentication/store.c
@@ -14,6 +14,7 @@
 #include "common.h"
 #include "umgmt/group.h"
 
+#include <asm-generic/errno-base.h>
 #include <linux/limits.h>
 #include <stdbool.h>
 #include <stdio.h>
@@ -266,48 +267,47 @@ int system_authentication_store_user_authorized_key(system_ctx_t *ctx, const cha
 	FILE *key_file = NULL;
 	bool key_file_opened = false;
 
-	error = snprintf(ssh_path_buffer, sizeof(ssh_path_buffer), "/home/%s/.ssh", user);
-	if (error < 0) {
-		SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() failed");
-		goto error_out;
-	}
-
-	ssh_dir = opendir(ssh_path_buffer);
-	if (errno == ENOENT) {
-		// create directory
-		error = mkdir(ssh_path_buffer, 0700);
-		if (error) {
-			SRPLG_LOG_ERR(PLUGIN_NAME, "mkdir() error (%d)", error);
+	if (strcmp(user, "root")) {
+		error = snprintf(ssh_path_buffer, sizeof(ssh_path_buffer), "/home/%s/.ssh", user);
+		if (error < 0) {
+			SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() failed");
 			goto error_out;
 		}
-	} else {
-		SRPLG_LOG_ERR(PLUGIN_NAME, "opendir() failed");
-		goto error_out;
-	}
 
-	// create key files
-	LL_FOREACH(head, iter)
-	{
-		if ((error = snprintf(key_path_buffer, sizeof(key_path_buffer), "%s/%s", ssh_path_buffer, iter->key.name)) < 0) {
-			SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error (%d)", error);
-			goto error_out;
+		ssh_dir = opendir(ssh_path_buffer);
+		if (errno == ENOENT) {
+			// create directory
+			error = mkdir(ssh_path_buffer, 0700);
+			if (error) {
+				SRPLG_LOG_ERR(PLUGIN_NAME, "mkdir() error (%d) for user %s:%s", error, user, ssh_path_buffer);
+				goto error_out;
+			}
 		}
 
-		key_file = fopen(key_path_buffer, "w");
-		if (!key_file) {
-			SRPLG_LOG_ERR(PLUGIN_NAME, "fopen() failed");
-			goto error_out;
-		}
-		key_file_opened = true;
+		// create key files
+		LL_FOREACH(head, iter)
+		{
+			if ((error = snprintf(key_path_buffer, sizeof(key_path_buffer), "%s/%s", ssh_path_buffer, iter->key.name)) < 0) {
+				SRPLG_LOG_ERR(PLUGIN_NAME, "snprintf() error (%d)", error);
+				goto error_out;
+			}
 
-		error = fprintf(key_file, "%s %s", iter->key.algorithm, iter->key.data);
-		if (error < 0) {
-			SRPLG_LOG_ERR(PLUGIN_NAME, "fprintf() error (%d)", error);
-			goto error_out;
-		}
+			key_file = fopen(key_path_buffer, "w");
+			if (!key_file) {
+				SRPLG_LOG_ERR(PLUGIN_NAME, "fopen() failed");
+				goto error_out;
+			}
+			key_file_opened = true;
 
-		fclose(key_file);
-		key_file_opened = false;
+			error = fprintf(key_file, "%s %s", iter->key.algorithm, iter->key.data);
+			if (error < 0) {
+				SRPLG_LOG_ERR(PLUGIN_NAME, "fprintf() error (%d)", error);
+				goto error_out;
+			}
+
+			fclose(key_file);
+			key_file_opened = false;
+		}
 	}
 
 	error = 0;