root/usr/src/uts/common/fs/smbsrv/smb_idmap.c 
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2020 Nexenta by DDN, Inc. All rights reserved.
 * Copyright 2023 RackTop Systems, Inc.
 */

/*
 * SMB server interface to idmap
 * (smb_idmap_get..., smb_idmap_batch_...)
 *
 * There are three implementations of this interface.
 * This is the kernel version of these routines.  See also:
 * $SRC/lib/smbsrv/libfksmbsrv/common/fksmb_idmap.c
 * $SRC/lib/smbsrv/libsmb/common/smb_idmap.c
 *
 * There are enough differences (relative to the code size)
 * that it's more trouble than it's worth to merge them.
 *
 * This one differs from the others in that it:
 *      calls kernel (kidmap_...) interfaces
 *      returned domain SIDs are shared, not strdup'ed
 */

/*
 * SMB ID mapping
 *
 * Solaris ID mapping service (aka Winchester) works with domain SIDs
 * and RIDs where domain SIDs are in string format. CIFS service works
 * with binary SIDs understandable by CIFS clients. A layer of SMB ID
 * mapping functions are implemeted to hide the SID conversion details
 * and also hide the handling of array of batch mapping requests.
 */

#include <sys/param.h>
#include <sys/types.h>
#include <sys/tzfile.h>
#include <sys/atomic.h>
#include <sys/kidmap.h>
#include <sys/time.h>
#include <sys/spl.h>
#include <sys/random.h>
#include <smbsrv/smb_kproto.h>
#include <smbsrv/smb_fsops.h>
#include <smbsrv/smbinfo.h>
#include <smbsrv/smb_xdr.h>
#include <smbsrv/smb_vops.h>
#include <smbsrv/smb_idmap.h>

#include <sys/sid.h>
#include <sys/priv_names.h>

static int smb_idmap_batch_binsid(smb_idmap_batch_t *sib);

/*
 * smb_idmap_getsid
 *
 * Maps the given Solaris ID to a Windows SID using the
 * simple mapping API.
 */
idmap_stat
smb_idmap_getsid(uid_t id, int idtype, smb_sid_t **sid)
{
        smb_idmap_t sim;

        switch (idtype) {
        case SMB_IDMAP_USER:
                sim.sim_stat = kidmap_getsidbyuid(curzone, id,
                    (const char **)&sim.sim_domsid, &sim.sim_rid);
                break;

        case SMB_IDMAP_GROUP:
                sim.sim_stat = kidmap_getsidbygid(curzone, id,
                    (const char **)&sim.sim_domsid, &sim.sim_rid);
                break;

        case SMB_IDMAP_EVERYONE:
                /* Everyone S-1-1-0 */
                sim.sim_domsid = "S-1-1";
                sim.sim_rid = 0;
                sim.sim_stat = IDMAP_SUCCESS;
                break;

        default:
                ASSERT(0);
                return (IDMAP_ERR_ARG);
        }

        /*
         * IDMAP_ERR_NOTFOUND is an advisory error
         * and idmap will generate a local sid.
         */
        if (sim.sim_stat == IDMAP_ERR_NOTFOUND &&
            sim.sim_domsid != NULL)
                sim.sim_stat = IDMAP_SUCCESS;

        if (sim.sim_stat != IDMAP_SUCCESS)
                return (sim.sim_stat);

        if (sim.sim_domsid == NULL)
                return (IDMAP_ERR_NOMAPPING);

        sim.sim_sid = smb_sid_fromstr(sim.sim_domsid);
        if (sim.sim_sid == NULL)
                return (IDMAP_ERR_INTERNAL);

        *sid = smb_sid_splice(sim.sim_sid, sim.sim_rid);
        smb_sid_free(sim.sim_sid);
        if (*sid == NULL)
                sim.sim_stat = IDMAP_ERR_INTERNAL;

        return (sim.sim_stat);
}

/*
 * smb_idmap_getid
 *
 * Maps the given Windows SID to a Unix ID using the
 * simple mapping API.
 */
idmap_stat
smb_idmap_getid(smb_sid_t *sid, uid_t *id, int *idtype)
{
        smb_idmap_t sim;
        char sidstr[SMB_SID_STRSZ];

        smb_sid_tostr(sid, sidstr);
        if (smb_sid_splitstr(sidstr, &sim.sim_rid) != 0)
                return (IDMAP_ERR_SID);
        sim.sim_domsid = sidstr;
        sim.sim_id = id;

        switch (*idtype) {
        case SMB_IDMAP_USER:
                sim.sim_stat = kidmap_getuidbysid(curzone, sim.sim_domsid,
                    sim.sim_rid, sim.sim_id);
                break;

        case SMB_IDMAP_GROUP:
                sim.sim_stat = kidmap_getgidbysid(curzone, sim.sim_domsid,
                    sim.sim_rid, sim.sim_id);
                break;

        case SMB_IDMAP_UNKNOWN:
                sim.sim_stat = kidmap_getpidbysid(curzone, sim.sim_domsid,
                    sim.sim_rid, sim.sim_id, &sim.sim_idtype);
                break;

        default:
                ASSERT(0);
                return (IDMAP_ERR_ARG);
        }

        *idtype = sim.sim_idtype;

        return (sim.sim_stat);
}

/*
 * smb_idmap_batch_create
 *
 * Creates and initializes the context for batch ID mapping.
 */
idmap_stat
smb_idmap_batch_create(smb_idmap_batch_t *sib, uint16_t nmap, int flags)
{
        ASSERT(sib != NULL);

        bzero(sib, sizeof (smb_idmap_batch_t));

        sib->sib_idmaph = kidmap_get_create(curzone);

        sib->sib_flags = flags;
        sib->sib_nmap = nmap;
        sib->sib_size = nmap * sizeof (smb_idmap_t);
        sib->sib_maps = kmem_zalloc(sib->sib_size, KM_SLEEP);

        return (IDMAP_SUCCESS);
}

/*
 * smb_idmap_batch_destroy
 *
 * Frees the batch ID mapping context.
 * If ID mapping is Solaris -> Windows it frees memories
 * allocated for binary SIDs.
 */
void
smb_idmap_batch_destroy(smb_idmap_batch_t *sib)
{
        char *domsid;
        int i;

        ASSERT(sib != NULL);
        ASSERT(sib->sib_maps != NULL);

        if (sib->sib_idmaph) {
                kidmap_get_destroy(sib->sib_idmaph);
                sib->sib_idmaph = NULL;
        }

        if (sib->sib_flags & SMB_IDMAP_ID2SID) {
                /*
                 * SIDs are allocated only when mapping
                 * UID/GID to SIDs
                 */
                for (i = 0; i < sib->sib_nmap; i++)
                        smb_sid_free(sib->sib_maps[i].sim_sid);
        } else if (sib->sib_flags & SMB_IDMAP_SID2ID) {
                /*
                 * SID prefixes are allocated only when mapping
                 * SIDs to UID/GID
                 */
                for (i = 0; i < sib->sib_nmap; i++) {
                        domsid = sib->sib_maps[i].sim_domsid;
                        if (domsid)
                                smb_mem_free(domsid);
                }
        }

        if (sib->sib_size && sib->sib_maps) {
                kmem_free(sib->sib_maps, sib->sib_size);
                sib->sib_maps = NULL;
        }
}

/*
 * smb_idmap_batch_getid
 *
 * Queue a request to map the given SID to a UID or GID.
 *
 * sim->sim_id should point to variable that's supposed to
 * hold the returned UID/GID. This needs to be setup by caller
 * of this function.
 *
 * If requested ID type is known, it's passed as 'idtype',
 * if it's unknown it'll be returned in sim->sim_idtype.
 */
idmap_stat
smb_idmap_batch_getid(idmap_get_handle_t *idmaph, smb_idmap_t *sim,
    smb_sid_t *sid, int idtype)
{
        char strsid[SMB_SID_STRSZ];
        idmap_stat idm_stat;

        ASSERT(idmaph != NULL);
        ASSERT(sim != NULL);
        ASSERT(sid != NULL);

        smb_sid_tostr(sid, strsid);
        if (smb_sid_splitstr(strsid, &sim->sim_rid) != 0)
                return (IDMAP_ERR_SID);
        /* Note: Free sim_domsid in smb_idmap_batch_destroy */
        sim->sim_domsid = smb_mem_strdup(strsid);
        sim->sim_idtype = idtype;

        switch (idtype) {
        case SMB_IDMAP_USER:
                idm_stat = kidmap_batch_getuidbysid(idmaph, sim->sim_domsid,
                    sim->sim_rid, sim->sim_id, &sim->sim_stat);
                break;

        case SMB_IDMAP_GROUP:
                idm_stat = kidmap_batch_getgidbysid(idmaph, sim->sim_domsid,
                    sim->sim_rid, sim->sim_id, &sim->sim_stat);
                break;

        case SMB_IDMAP_UNKNOWN:
                idm_stat = kidmap_batch_getpidbysid(idmaph, sim->sim_domsid,
                    sim->sim_rid, sim->sim_id, &sim->sim_idtype,
                    &sim->sim_stat);
                break;

        default:
                ASSERT(0);
                return (IDMAP_ERR_ARG);
        }

        return (idm_stat);
}

/*
 * smb_idmap_batch_getsid
 *
 * Queue a request to map the given UID/GID to a SID.
 *
 * sim->sim_domsid and sim->sim_rid will contain the mapping
 * result upon successful process of the batched request.
 * Stash the type for error reporting (caller saves the ID).
 */
idmap_stat
smb_idmap_batch_getsid(idmap_get_handle_t *idmaph, smb_idmap_t *sim,
    uid_t id, int idtype)
{
        idmap_stat idm_stat;

        sim->sim_idtype = idtype;
        switch (idtype) {
        case SMB_IDMAP_USER:
                idm_stat = kidmap_batch_getsidbyuid(idmaph, id,
                    (const char **)&sim->sim_domsid, &sim->sim_rid,
                    &sim->sim_stat);
                break;

        case SMB_IDMAP_GROUP:
                idm_stat = kidmap_batch_getsidbygid(idmaph, id,
                    (const char **)&sim->sim_domsid, &sim->sim_rid,
                    &sim->sim_stat);
                break;

        case SMB_IDMAP_OWNERAT:
                /* Current Owner S-1-5-32-766 */
                sim->sim_domsid = NT_BUILTIN_DOMAIN_SIDSTR;
                sim->sim_rid = SECURITY_CURRENT_OWNER_RID;
                sim->sim_stat = IDMAP_SUCCESS;
                idm_stat = IDMAP_SUCCESS;
                break;

        case SMB_IDMAP_GROUPAT:
                /* Current Group S-1-5-32-767 */
                sim->sim_domsid = NT_BUILTIN_DOMAIN_SIDSTR;
                sim->sim_rid = SECURITY_CURRENT_GROUP_RID;
                sim->sim_stat = IDMAP_SUCCESS;
                idm_stat = IDMAP_SUCCESS;
                break;

        case SMB_IDMAP_EVERYONE:
                /* Everyone S-1-1-0 */
                sim->sim_domsid = NT_WORLD_AUTH_SIDSTR;
                sim->sim_rid = 0;
                sim->sim_stat = IDMAP_SUCCESS;
                idm_stat = IDMAP_SUCCESS;
                break;

        default:
                ASSERT(0);
                return (IDMAP_ERR_ARG);
        }

        return (idm_stat);
}

/*
 * smb_idmap_batch_getmappings
 *
 * trigger ID mapping service to get the mappings for queued
 * requests.
 *
 * Checks the result of all the queued requests.
 * If this is a Solaris -> Windows mapping it generates
 * binary SIDs from returned (domsid, rid) pairs.
 */
idmap_stat
smb_idmap_batch_getmappings(smb_idmap_batch_t *sib,
    smb_idmap_batch_errcb_t errcb)
{
        idmap_stat idm_stat = IDMAP_SUCCESS;
        smb_idmap_t *sim;
        int i;

        idm_stat = kidmap_get_mappings(sib->sib_idmaph);
        if (idm_stat != IDMAP_SUCCESS)
                return (idm_stat);

        /*
         * Check the status for all the queued requests
         */
        for (i = 0, sim = sib->sib_maps; i < sib->sib_nmap; i++, sim++) {
                if (sim->sim_stat != IDMAP_SUCCESS) {
                        sib->sib_nerr++;
                        if (errcb != NULL)
                                errcb(sib, sim);
                        if ((sib->sib_flags & SMB_IDMAP_SKIP_ERRS) == 0) {
                                return (sim->sim_stat);
                        }
                }
        }

        if (smb_idmap_batch_binsid(sib) != 0)
                idm_stat = IDMAP_ERR_OTHER;

        return (idm_stat);
}

/*
 * smb_idmap_batch_binsid
 *
 * Convert sidrids to binary sids
 *
 * Returns 0 if successful and non-zero upon failure.
 */
static int
smb_idmap_batch_binsid(smb_idmap_batch_t *sib)
{
        smb_sid_t *sid;
        smb_idmap_t *sim;
        int i;

        if (sib->sib_flags & SMB_IDMAP_SID2ID)
                /* This operation is not required */
                return (0);

        sim = sib->sib_maps;
        for (i = 0; i < sib->sib_nmap; sim++, i++) {
                ASSERT(sim->sim_domsid != NULL);
                if (sim->sim_domsid == NULL)
                        return (1);

                if ((sid = smb_sid_fromstr(sim->sim_domsid)) == NULL)
                        return (1);

                sim->sim_sid = smb_sid_splice(sid, sim->sim_rid);
                smb_sid_free(sid);
        }

        return (0);
}