sssd/0129-overrides-add-certificates-to-mapped-attribute.patch

From 2e5fc89ef25434fab7febe2c52e97ef989b50d5b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 27 Apr 2017 09:28:55 +0200
Subject: [PATCH 129/135] overrides: add certificates to mapped attribute
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Certificates in overrides are explicitly used to map users to
certificates, so we add them to SYSDB_USER_MAPPED_CERT as well.

Resolves https://pagure.io/SSSD/sssd/issue/3373

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/db/sysdb_views.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 20db9b06183d68b33bb19f498513d7f5cf84b1cf..3773dda77e16b35fa217be0aa7974da7e34c09f4 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -777,6 +777,7 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
     int ret;
     TALLOC_CTX *tmp_ctx;
     struct sysdb_attrs *attrs;
+    struct sysdb_attrs *mapped_attrs = NULL;
     size_t c;
     size_t d;
     size_t num_values;
@@ -791,6 +792,7 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
                                     SYSDB_USER_CERT,
                                     NULL };
     bool override_attrs_found = false;
+    bool is_cert = false;
 
     if (override_attrs == NULL) {
         /* nothing to do */
@@ -846,6 +848,24 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
                     num_values = 1;
                 }
 
+                is_cert = false;
+                if (strcmp(allowed_attrs[c], SYSDB_USER_CERT) == 0) {
+                    /* Certificates in overrides are explicitly used to map
+                     * users to certificates, so we add them to
+                     * SYSDB_USER_MAPPED_CERT as well. */
+                    is_cert = true;
+
+                    if (mapped_attrs == NULL) {
+                        mapped_attrs = sysdb_new_attrs(tmp_ctx);
+                        if (mapped_attrs == NULL) {
+                            DEBUG(SSSDBG_OP_FAILURE,
+                                  "sysdb_new_attrs failed.\n");
+                            ret = ENOMEM;
+                            goto done;
+                        }
+                    }
+                }
+
                 for (d = 0; d < num_values; d++) {
                     ret = sysdb_attrs_add_val(attrs,  allowed_attrs[c],
                                               &el->values[d]);
@@ -854,6 +874,18 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
                               "sysdb_attrs_add_val failed.\n");
                         goto done;
                     }
+
+                    if (is_cert) {
+                        ret = sysdb_attrs_add_val(mapped_attrs,
+                                                  SYSDB_USER_MAPPED_CERT,
+                                                  &el->values[d]);
+                        if (ret != EOK) {
+                            DEBUG(SSSDBG_OP_FAILURE,
+                                  "sysdb_attrs_add_val failed.\n");
+                            goto done;
+                        }
+                    }
+
                     DEBUG(SSSDBG_TRACE_ALL,
                           "Override [%s] with [%.*s] for [%s].\n",
                           allowed_attrs[c], (int) el->values[d].length,
@@ -878,6 +910,15 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
             DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
             goto done;
         }
+
+        if (mapped_attrs != NULL) {
+            ret = sysdb_set_entry_attr(domain->sysdb, obj_dn, mapped_attrs,
+                                       SYSDB_MOD_ADD);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "sysdb_set_entry_attr failed, ignored.\n");
+            }
+        }
     }
 
     ret = EOK;
-- 
2.12.2
Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with file from package sssd-common-1.15.1-1.fc25.x86_64 Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4 2017-04-29 21:49:49 +00:00			`From 2e5fc89ef25434fab7febe2c52e97ef989b50d5b Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Thu, 27 Apr 2017 09:28:55 +0200`
			`Subject: [PATCH 129/135] overrides: add certificates to mapped attribute`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Certificates in overrides are explicitly used to map users to`
			`certificates, so we add them to SYSDB_USER_MAPPED_CERT as well.`

			`Resolves https://pagure.io/SSSD/sssd/issue/3373`

			`Reviewed-by: Pavel Březina <pbrezina@redhat.com>`
			`---`
			`src/db/sysdb_views.c \| 41 +++++++++++++++++++++++++++++++++++++++++`
			`1 file changed, 41 insertions(+)`

			`diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c`
			`index 20db9b06183d68b33bb19f498513d7f5cf84b1cf..3773dda77e16b35fa217be0aa7974da7e34c09f4 100644`
			`--- a/src/db/sysdb_views.c`
			`+++ b/src/db/sysdb_views.c`
			`@@ -777,6 +777,7 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,`
			`int ret;`
			`TALLOC_CTX *tmp_ctx;`
			`struct sysdb_attrs *attrs;`
			`+ struct sysdb_attrs *mapped_attrs = NULL;`
			`size_t c;`
			`size_t d;`
			`size_t num_values;`
			`@@ -791,6 +792,7 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,`
			`SYSDB_USER_CERT,`
			`NULL };`
			`bool override_attrs_found = false;`
			`+ bool is_cert = false;`

			`if (override_attrs == NULL) {`
			`/* nothing to do */`
			`@@ -846,6 +848,24 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,`
			`num_values = 1;`
			`}`

			`+ is_cert = false;`
			`+ if (strcmp(allowed_attrs[c], SYSDB_USER_CERT) == 0) {`
			`+ /* Certificates in overrides are explicitly used to map`
			`+ * users to certificates, so we add them to`
			`+ * SYSDB_USER_MAPPED_CERT as well. */`
			`+ is_cert = true;`
			`+`
			`+ if (mapped_attrs == NULL) {`
			`+ mapped_attrs = sysdb_new_attrs(tmp_ctx);`
			`+ if (mapped_attrs == NULL) {`
			`+ DEBUG(SSSDBG_OP_FAILURE,`
			`+ "sysdb_new_attrs failed.\n");`
			`+ ret = ENOMEM;`
			`+ goto done;`
			`+ }`
			`+ }`
			`+ }`
			`+`
			`for (d = 0; d < num_values; d++) {`
			`ret = sysdb_attrs_add_val(attrs, allowed_attrs[c],`
			`&el->values[d]);`
			`@@ -854,6 +874,18 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,`
			`"sysdb_attrs_add_val failed.\n");`
			`goto done;`
			`}`
			`+`
			`+ if (is_cert) {`
			`+ ret = sysdb_attrs_add_val(mapped_attrs,`
			`+ SYSDB_USER_MAPPED_CERT,`
			`+ &el->values[d]);`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_OP_FAILURE,`
			`+ "sysdb_attrs_add_val failed.\n");`
			`+ goto done;`
			`+ }`
			`+ }`
			`+`
			`DEBUG(SSSDBG_TRACE_ALL,`
			`"Override [%s] with [%.*s] for [%s].\n",`
			`allowed_attrs[c], (int) el->values[d].length,`
			`@@ -878,6 +910,15 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,`
			`DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");`
			`goto done;`
			`}`
			`+`
			`+ if (mapped_attrs != NULL) {`
			`+ ret = sysdb_set_entry_attr(domain->sysdb, obj_dn, mapped_attrs,`
			`+ SYSDB_MOD_ADD);`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_OP_FAILURE,`
			`+ "sysdb_set_entry_attr failed, ignored.\n");`
			`+ }`
			`+ }`
			`}`

			`ret = EOK;`
			`--`
			`2.12.2`