Cherry-pick patches from upstream that enable the files provider
Required for: https://bugzilla.redhat.com/show_bug.cgi?id=1357418 - SSSD fast cache for local users
This commit is contained in:
parent
3e94aee54c
commit
396c651083
23
0001-Updating-the-version-to-track-the-1.15.1-release.patch
Normal file
23
0001-Updating-the-version-to-track-the-1.15.1-release.patch
Normal file
@ -0,0 +1,23 @@
|
||||
From 33da7b13eaed678789b7ccba00e49065a8838e9a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 16:46:31 +0100
|
||||
Subject: [PATCH 01/79] Updating the version to track the 1.15.1 release
|
||||
|
||||
---
|
||||
version.m4 | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/version.m4 b/version.m4
|
||||
index 5ff77ba10a8e8a512057e4176377ba33713eb285..bec03afc6e4357e8f505978b0474888c2ab16a85 100644
|
||||
--- a/version.m4
|
||||
+++ b/version.m4
|
||||
@@ -1,5 +1,5 @@
|
||||
# Primary version number
|
||||
-m4_define([VERSION_NUMBER], [1.15.0])
|
||||
+m4_define([VERSION_NUMBER], [1.15.1])
|
||||
|
||||
# If the PRERELEASE_VERSION_NUMBER is set, we'll append
|
||||
# it to the release tag when creating an RPM or SRPM
|
||||
--
|
||||
2.9.3
|
||||
|
40
0002-BUILD-Fix-linking-of-test_wbc_calls.patch
Normal file
40
0002-BUILD-Fix-linking-of-test_wbc_calls.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From c369b062182c746849196e495db467198039edf4 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 16:12:02 +0100
|
||||
Subject: [PATCH 02/79] BUILD: Fix linking of test_wbc_calls
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Client code does not anymore depend on libpthread in master.
|
||||
This is a reason why we didn't notice any linking failure
|
||||
in master. But the test should be linked with CLIENT_LIBS.
|
||||
|
||||
CCLD test_wbc_calls
|
||||
/usr/bin/ld: src/sss_client/test_wbc_calls-common.o: undefined reference
|
||||
to symbol 'pthread_mutexattr_setrobust@@GLIBC_2.12'
|
||||
//lib/x86_64-linux-gnu/libpthread.so.0: error adding symbols: DSO missing
|
||||
from command line
|
||||
collect2: error: ld returned 1 exit status
|
||||
Makefile:12460: recipe for target 'test_wbc_calls' failed
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 661e9447d56146cb756a23af3a1b0aa0fbf98fa4..674d328f52929cc2b20d1212af830c3777312bf1 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -2703,6 +2703,7 @@ test_wbc_calls_LDFLAGS = \
|
||||
-Wl,-wrap,sss_nss_getnamebysid \
|
||||
$(NULL)
|
||||
test_wbc_calls_LDADD = \
|
||||
+ $(CLIENT_LIBS) \
|
||||
$(CMOCKA_LIBS) \
|
||||
$(POPT_LIBS) \
|
||||
$(TALLOC_LIBS) \
|
||||
--
|
||||
2.9.3
|
||||
|
201
0003-Suppres-implicit-fallthrough-from-gcc-7.patch
Normal file
201
0003-Suppres-implicit-fallthrough-from-gcc-7.patch
Normal file
@ -0,0 +1,201 @@
|
||||
From 2e505786d6d9d537f5b6631099862f6b93e2e687 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 30 Jan 2017 12:17:25 +0100
|
||||
Subject: [PATCH 03/79] Suppres implicit-fallthrough from gcc 7
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Some kind of comments are recognized by gcc7 but they are ignored with
|
||||
-Wimplicit-fallthrough=5 and only attributes disable the warning.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
configure.ac | 24 ++++++++++++++++++++++++
|
||||
src/db/sysdb_ops.c | 1 +
|
||||
src/providers/ad/ad_id.c | 1 +
|
||||
src/providers/fail_over.c | 4 ++++
|
||||
src/providers/krb5/krb5_auth.c | 1 +
|
||||
src/providers/ldap/sdap_idmap.c | 1 +
|
||||
src/providers/proxy/proxy_id.c | 1 +
|
||||
src/python/pyhbac.c | 1 +
|
||||
src/responder/common/responder_dp.c | 1 +
|
||||
src/util/murmurhash3.c | 3 +++
|
||||
10 files changed, 38 insertions(+)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 291504652bf02e38c7edfd0cc4eefbe4ceaf09e6..d264abf3ebebbc1f3a96d1a450993e0933a5d789 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -418,6 +418,30 @@ if test x"$sss_cv_attribute_warn_unused_result" = xyes ; then
|
||||
[whether compiler supports __attribute__((warn_unused_result))])
|
||||
fi
|
||||
|
||||
+SAFE_CFLAGS=$CFLAGS
|
||||
+CFLAGS="-Werror"
|
||||
+AC_CACHE_CHECK(
|
||||
+ [whether compiler supports __attribute__((fallthrough))],
|
||||
+ [sss_cv_attribute_fallthrough],
|
||||
+ [AC_COMPILE_IFELSE(
|
||||
+ [AC_LANG_SOURCE(
|
||||
+ [ __attribute__ ((fallthrough)); ])
|
||||
+ ],[
|
||||
+ sss_cv_attribute_fallthrough=yes
|
||||
+ sss_cv_attribute_fallthrough_val="__attribute__ ((fallthrough))"
|
||||
+ ],[
|
||||
+ sss_cv_attribute_fallthrough=no
|
||||
+ sss_cv_attribute_fallthrough_val=
|
||||
+ ])
|
||||
+ ])
|
||||
+CFLAGS=$SAFE_CFLAGS
|
||||
+
|
||||
+AC_DEFINE_UNQUOTED(
|
||||
+ [SSS_ATTRIBUTE_FALLTHROUGH],
|
||||
+ [$sss_cv_attribute_fallthrough_val],
|
||||
+ [__attribute__((fallthrough)) if supported])
|
||||
+
|
||||
+
|
||||
PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=])
|
||||
if test x$have_check = x; then
|
||||
AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite])
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 77e4c1a699eded07d2b266b08d2f4c177e6181a6..7f6c127d4fa3ef7655d5eb931210d0248352e159 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -116,6 +116,7 @@ static int sysdb_delete_cache_entry(struct ldb_context *ldb,
|
||||
return EOK;
|
||||
}
|
||||
/* fall through */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
default:
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "LDB Error: %s(%d)\nError Message: [%s]\n",
|
||||
ldb_strerror(ret), ret, ldb_errstring(ldb));
|
||||
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
|
||||
index 46a41a37b96bb7734f61226e72e75b56f9deccf1..8f26cb8744d2372c6180342c0d1bca025b16f52c 100644
|
||||
--- a/src/providers/ad/ad_id.c
|
||||
+++ b/src/providers/ad/ad_id.c
|
||||
@@ -337,6 +337,7 @@ static bool ad_account_can_shortcut(struct be_ctx *be_ctx,
|
||||
goto done;
|
||||
}
|
||||
/* fall through */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case BE_FILTER_SECID:
|
||||
csid = sid == NULL ? filter_value : sid;
|
||||
|
||||
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
|
||||
index 77084098831a312bc8629513ccfc2a91165241ba..5d3c26d4a690769637f2fa4f41a76627cbdba77a 100644
|
||||
--- a/src/providers/fail_over.c
|
||||
+++ b/src/providers/fail_over.c
|
||||
@@ -1145,6 +1145,7 @@ fo_resolve_service_server(struct tevent_req *req)
|
||||
state->server->common);
|
||||
fo_set_server_status(state->server, SERVER_RESOLVING_NAME);
|
||||
/* FALLTHROUGH */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case SERVER_RESOLVING_NAME:
|
||||
/* Name resolution is already under way. Just add ourselves into the
|
||||
* waiting queue so we get notified after the operation is finished. */
|
||||
@@ -1284,6 +1285,7 @@ resolve_srv_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
|
||||
* "server" might be invalid now if the SRV
|
||||
* query collapsed
|
||||
* */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case SRV_NEUTRAL: /* Request SRV lookup */
|
||||
if (server != NULL && server != state->meta) {
|
||||
/* A server created by expansion of meta server was marked as
|
||||
@@ -1443,9 +1445,11 @@ resolve_srv_done(struct tevent_req *subreq)
|
||||
break;
|
||||
case ERR_SRV_NOT_FOUND:
|
||||
/* fall through */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case ERR_SRV_LOOKUP_ERROR:
|
||||
fo_set_port_status(state->meta, PORT_NOT_WORKING);
|
||||
/* fall through */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
default:
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Unable to resolve SRV [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||
index bdd8e24111b077bfb91f19987d2ed289d803b334..0e685618ec2de1f923ffd9d78bf2a9d8816019e1 100644
|
||||
--- a/src/providers/krb5/krb5_auth.c
|
||||
+++ b/src/providers/krb5/krb5_auth.c
|
||||
@@ -965,6 +965,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_delete_ccname failed.\n");
|
||||
}
|
||||
/* FALLTHROUGH */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
|
||||
case ERR_CREDS_EXPIRED:
|
||||
/* If the password is expired we can safely remove the ccache from the
|
||||
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
|
||||
index b5dfc6cefe3ceed4971042a5326dd2b9c7f5eec8..0fda815224b5ce278e6fae4a5264f82cd1ea4a9d 100644
|
||||
--- a/src/providers/ldap/sdap_idmap.c
|
||||
+++ b/src/providers/ldap/sdap_idmap.c
|
||||
@@ -516,6 +516,7 @@ sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
|
||||
"sssd-ad(5) for an explanation of how to resolve this issue.\n",
|
||||
sid_str);
|
||||
/* Fall through intentionally */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
default:
|
||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
"Could not convert objectSID [%s] to a UNIX ID\n",
|
||||
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
|
||||
index 3d272897bda5622fa1e56e6b84448df7c3cefa2b..9b83f7a3cc942560186815b680e8b5f98508f18a 100644
|
||||
--- a/src/providers/proxy/proxy_id.c
|
||||
+++ b/src/providers/proxy/proxy_id.c
|
||||
@@ -1403,6 +1403,7 @@ static int get_initgr_groups_process(TALLOC_CTX *memctx,
|
||||
"Assume the user is only member of its "
|
||||
"primary group (%"SPRIgid")\n", pwd->pw_gid);
|
||||
/* fall through */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case NSS_STATUS_SUCCESS:
|
||||
DEBUG(SSSDBG_CONF_SETTINGS, "User [%s] appears to be member of %lu "
|
||||
"groups\n", pwd->pw_name, num_gids);
|
||||
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
|
||||
index 09d308a0f3c932c4077dfdc92b3a46fe3238b69b..f7633ee02c5f113fad64c5ee41736d8f63a1914a 100644
|
||||
--- a/src/python/pyhbac.c
|
||||
+++ b/src/python/pyhbac.c
|
||||
@@ -1621,6 +1621,7 @@ py_hbac_evaluate(HbacRequest *self, PyObject *args)
|
||||
goto fail;
|
||||
}
|
||||
/* FALLTHROUGH */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case HBAC_EVAL_DENY:
|
||||
ret = PYNUMBER_FROMLONG(eres);
|
||||
break;
|
||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
||||
index da67676675284db14fe7f6fcf8cb47e9f2baa7f9..11eb47ce1d41027f36998aba7b9fbca5fb4c7910 100644
|
||||
--- a/src/responder/common/responder_dp.c
|
||||
+++ b/src/responder/common/responder_dp.c
|
||||
@@ -221,6 +221,7 @@ static int sss_dp_get_reply(DBusPendingCall *pending,
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,"The Data Provider returned an error [%s]\n",
|
||||
dbus_message_get_error_name(reply));
|
||||
/* Falling through to default intentionally*/
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
default:
|
||||
/*
|
||||
* Timeout or other error occurred or something
|
||||
diff --git a/src/util/murmurhash3.c b/src/util/murmurhash3.c
|
||||
index 03d10ff6ae360350dcc96e3e40ece0a0ce3d6b58..061e64e990aa4d91d4a300e116d2fb1193e33392 100644
|
||||
--- a/src/util/murmurhash3.c
|
||||
+++ b/src/util/murmurhash3.c
|
||||
@@ -90,14 +90,17 @@ uint32_t murmurhash3(const char *key, int len, uint32_t seed)
|
||||
switch (len & 3) {
|
||||
case 3:
|
||||
k1 ^= tail[2] << 16;
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case 2:
|
||||
k1 ^= tail[1] << 8;
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case 1:
|
||||
k1 ^= tail[0];
|
||||
k1 *= c1;
|
||||
k1 = rotl(k1, 15);
|
||||
k1 *= c2;
|
||||
h1 ^= k1;
|
||||
+ break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
47
0004-pam_sss-Suppress-warning-format-truncation.patch
Normal file
47
0004-pam_sss-Suppress-warning-format-truncation.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From cbb0e683ff11d7800328da3991f3e75ef88f937f Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 30 Jan 2017 12:49:13 +0100
|
||||
Subject: [PATCH 04/79] pam_sss: Suppress warning format-truncation
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
src/sss_client/pam_sss.c: In function ‘send_and_receive’:
|
||||
src/sss_client/pam_sss.c:742:39: error: ‘%.*s’ directive output
|
||||
between 0 and 18446744073709551615 bytes may cause result to exceed
|
||||
‘INT_MAX’ [-Werror=format-truncation=]
|
||||
ret = snprintf(user_msg, bufsize, "%s%s%.*s",
|
||||
^~~~~~~~~~
|
||||
sssd/src/sss_client/pam_sss.c:742:39: note: assuming directive output
|
||||
of 4294967295 bytes
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sss_client/pam_sss.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index be697c7fcfb47a57b5b498c61f60fcf4bfbbd57f..b4175ae2c7fc1385a19f81045695bcd73d43f754 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -689,7 +689,7 @@ static int user_info_account_expired(pam_handle_t *pamh, size_t buflen,
|
||||
ret = snprintf(user_msg, bufsize, "%s%s%.*s",
|
||||
EXP_ACC_MSG,
|
||||
msg_len > 0 ? SRV_MSG : "",
|
||||
- msg_len,
|
||||
+ (int)msg_len,
|
||||
msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" );
|
||||
if (ret < 0 || ret > bufsize) {
|
||||
D(("snprintf failed."));
|
||||
@@ -744,7 +744,7 @@ static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen,
|
||||
ret = snprintf(user_msg, bufsize, "%s%s%.*s",
|
||||
_("Password change failed. "),
|
||||
msg_len > 0 ? _("Server message: ") : "",
|
||||
- msg_len,
|
||||
+ (int)msg_len,
|
||||
msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" );
|
||||
if (ret < 0 || ret > bufsize) {
|
||||
D(("snprintf failed."));
|
||||
--
|
||||
2.9.3
|
||||
|
49
0005-TOOLS-Fix-warning-format-truncation.patch
Normal file
49
0005-TOOLS-Fix-warning-format-truncation.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From c587e9ae55c618c011bd4dde6a94fe5dc60fff01 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 30 Jan 2017 12:55:59 +0100
|
||||
Subject: [PATCH 05/79] TOOLS: Fix warning format-truncation
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
src/tools/sss_groupshow.c: In function ‘print_group_info’:
|
||||
src/tools/sss_groupshow.c:612:22: error: ‘%d’ directive output truncated
|
||||
writing between 10 and 11 bytes into a region of size 7 [-Werror=format-truncation=]
|
||||
snprintf(fmt, 8, "%%%ds", level*PADDING_SPACES);
|
||||
^~~~~~~
|
||||
src/tools/sss_groupshow.c:612:22: note: using the range
|
||||
[-2147483648, 2147483647] for directive argument
|
||||
src/tools/sss_groupshow.c:612:5: note: ‘snprintf’ output between 13 and 14
|
||||
bytes into a destination of size 8
|
||||
snprintf(fmt, 8, "%%%ds", level*PADDING_SPACES);
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/tools/sss_groupshow.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
|
||||
index 258d458b0d1a4cb56c8fb61060cb43a1c88c1ed0..ac4c3dc912db3d418c2eace8b5b1f3476768c875 100644
|
||||
--- a/src/tools/sss_groupshow.c
|
||||
+++ b/src/tools/sss_groupshow.c
|
||||
@@ -603,7 +603,7 @@ fail:
|
||||
|
||||
/*==================The main program=================================== */
|
||||
|
||||
-static void print_group_info(struct group_info *g, int level)
|
||||
+static void print_group_info(struct group_info *g, unsigned level)
|
||||
{
|
||||
int i;
|
||||
char padding[512];
|
||||
@@ -634,7 +634,7 @@ static void print_group_info(struct group_info *g, int level)
|
||||
printf(_("\n%1$sMember groups: "), padding);
|
||||
}
|
||||
|
||||
-static void print_recursive(struct group_info **group_members, int level)
|
||||
+static void print_recursive(struct group_info **group_members, unsigned level)
|
||||
{
|
||||
int i;
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
50
0006-sssctl-Fix-warning-may-be-used-uninitialized.patch
Normal file
50
0006-sssctl-Fix-warning-may-be-used-uninitialized.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From bf0b4eb335ec1fb4fdd925f5cf80490ec8b8c24e Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 30 Jan 2017 14:36:56 +0100
|
||||
Subject: [PATCH 06/79] sssctl: Fix warning may be used uninitialized
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
gcc 7 probably does some new optimisations which might cause few
|
||||
wariables to be uninitialized.
|
||||
|
||||
src/tools/sssctl/sssctl_cache.c: In function ‘sssctl_print_object’:
|
||||
src/tools/sssctl/sssctl_cache.c:523:13: error: ‘dom’ may be used uninitialized
|
||||
in this function [-Werror=maybe-uninitialized]
|
||||
ret = info[i].attr_fn(tmp_ctx, entry, dom, info[i].attr, &value);
|
||||
~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
src/tools/sssctl/sssctl_cache.c:472:15: error: ‘entry’ may be used
|
||||
uninitialized in this function [-Werror=maybe-uninitialized]
|
||||
*_entry = talloc_steal(mem_ctx, entry);
|
||||
^~~~~~~~~~~~
|
||||
src/tools/sssctl/sssctl_cache.c:437:25: note: ‘entry’ was declared here
|
||||
struct sysdb_attrs *entry;
|
||||
^~~~~
|
||||
|
||||
Another workaround would be to remove static modifier from function
|
||||
sssctl_find_object which probably prevents some inlinig + optimisation.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/tools/sssctl/sssctl_cache.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tools/sssctl/sssctl_cache.c b/src/tools/sssctl/sssctl_cache.c
|
||||
index 59c8cb473966d60848908fb8b9adcb7d769c8cd9..8f0fc281b73f38f408c1a2307192b3f207a97b5d 100644
|
||||
--- a/src/tools/sssctl/sssctl_cache.c
|
||||
+++ b/src/tools/sssctl/sssctl_cache.c
|
||||
@@ -434,8 +434,8 @@ static errno_t sssctl_fetch_object(TALLOC_CTX *mem_ctx,
|
||||
struct sss_domain_info **_dom)
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
- struct sysdb_attrs *entry;
|
||||
- struct sss_domain_info *dom;
|
||||
+ struct sysdb_attrs *entry = NULL;
|
||||
+ struct sss_domain_info *dom = NULL;
|
||||
const char **attrs;
|
||||
char *sanitized;
|
||||
errno_t ret;
|
||||
--
|
||||
2.9.3
|
||||
|
57
0007-SBUS-remove-unused-symbols.patch
Normal file
57
0007-SBUS-remove-unused-symbols.patch
Normal file
@ -0,0 +1,57 @@
|
||||
From bc898b360b9667195a7ae59537587c3ec696ac19 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 24 Jan 2017 12:36:04 +0100
|
||||
Subject: [PATCH 07/79] SBUS: remove unused symbols
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sbus/sssd_dbus.h | 2 --
|
||||
src/sbus/sssd_dbus_connection.c | 9 ---------
|
||||
2 files changed, 11 deletions(-)
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus.h b/src/sbus/sssd_dbus.h
|
||||
index 5a66f09d550533839b22465170950fdfdd71aa1e..c6cca7d4edf5014576f41ed146919427f8e3255f 100644
|
||||
--- a/src/sbus/sssd_dbus.h
|
||||
+++ b/src/sbus/sssd_dbus.h
|
||||
@@ -247,8 +247,6 @@ sbus_opath_get_object_name(TALLOC_CTX *mem_ctx,
|
||||
const char *object_path,
|
||||
const char *base_path);
|
||||
|
||||
-bool sbus_conn_disconnecting(struct sbus_connection *conn);
|
||||
-
|
||||
/* max_retries < 0: retry forever
|
||||
* max_retries = 0: never retry (why are you calling this function?)
|
||||
* max_retries > 0: obvious
|
||||
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
|
||||
index 450cee9045de88fcf84b3ca379dd9f1bd5c98ef2..9def7084e5d496a5e6aa40ec0eafd2471a64659f 100644
|
||||
--- a/src/sbus/sssd_dbus_connection.c
|
||||
+++ b/src/sbus/sssd_dbus_connection.c
|
||||
@@ -27,9 +27,6 @@
|
||||
#include "sbus/sssd_dbus_private.h"
|
||||
#include "sbus/sssd_dbus_meta.h"
|
||||
|
||||
-/* Types */
|
||||
-struct dbus_ctx_list;
|
||||
-
|
||||
static int sbus_auto_reconnect(struct sbus_connection *conn);
|
||||
|
||||
static void sbus_dispatch(struct tevent_context *ev,
|
||||
@@ -501,12 +498,6 @@ void sbus_reconnect_init(struct sbus_connection *conn,
|
||||
conn->reconnect_pvt = pvt;
|
||||
}
|
||||
|
||||
-bool sbus_conn_disconnecting(struct sbus_connection *conn)
|
||||
-{
|
||||
- if (conn->disconnect == 1) return true;
|
||||
- return false;
|
||||
-}
|
||||
-
|
||||
int sss_dbus_conn_send(DBusConnection *dbus_conn,
|
||||
DBusMessage *msg,
|
||||
int timeout_ms,
|
||||
--
|
||||
2.9.3
|
||||
|
255
0008-SBUS-use-sss_ptr_hash-for-opath-table.patch
Normal file
255
0008-SBUS-use-sss_ptr_hash-for-opath-table.patch
Normal file
@ -0,0 +1,255 @@
|
||||
From a3b2bc38263191f23eba2ad98470d8ecd016a60b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 24 Jan 2017 13:14:47 +0100
|
||||
Subject: [PATCH 08/79] SBUS: use sss_ptr_hash for opath table
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch reuses sss_ptr_hash module introduced in NSS patches in sbus code.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sbus/sssd_dbus_connection.c | 4 +-
|
||||
src/sbus/sssd_dbus_interface.c | 94 +++++++++++------------------------------
|
||||
src/sbus/sssd_dbus_private.h | 5 +--
|
||||
3 files changed, 28 insertions(+), 75 deletions(-)
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
|
||||
index 9def7084e5d496a5e6aa40ec0eafd2471a64659f..6ca039e8e2a919141bf951ed0203dc2c48b3eb55 100644
|
||||
--- a/src/sbus/sssd_dbus_connection.c
|
||||
+++ b/src/sbus/sssd_dbus_connection.c
|
||||
@@ -163,8 +163,8 @@ int sbus_init_connection(TALLOC_CTX *ctx,
|
||||
conn->last_request_time = last_request_time;
|
||||
conn->client_destructor_data = client_destructor_data;
|
||||
|
||||
- ret = sbus_opath_hash_init(conn, conn, &conn->managed_paths);
|
||||
- if (ret != EOK) {
|
||||
+ conn->managed_paths = sbus_opath_hash_init(conn, conn);
|
||||
+ if (conn->managed_paths == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create object paths hash table\n");
|
||||
talloc_free(conn);
|
||||
return EIO;
|
||||
diff --git a/src/sbus/sssd_dbus_interface.c b/src/sbus/sssd_dbus_interface.c
|
||||
index 32e5b27e1f701898d96f5537b2bc72d491903b54..e8c8851231fab68024065a13c5f1e2642ba829e9 100644
|
||||
--- a/src/sbus/sssd_dbus_interface.c
|
||||
+++ b/src/sbus/sssd_dbus_interface.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <dhash.h>
|
||||
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_ptr_hash.h"
|
||||
#include "sbus/sssd_dbus.h"
|
||||
#include "sbus/sssd_dbus_meta.h"
|
||||
#include "sbus/sssd_dbus_private.h"
|
||||
@@ -492,13 +493,11 @@ sbus_opath_hash_delete_cb(hash_entry_t *item,
|
||||
dbus_connection_unregister_object_path(conn->dbus.conn, path);
|
||||
}
|
||||
|
||||
-errno_t
|
||||
+hash_table_t *
|
||||
sbus_opath_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- struct sbus_connection *conn,
|
||||
- hash_table_t **_table)
|
||||
+ struct sbus_connection *conn)
|
||||
{
|
||||
- return sss_hash_create_ex(mem_ctx, 10, _table, 0, 0, 0, 0,
|
||||
- sbus_opath_hash_delete_cb, conn);
|
||||
+ return sss_ptr_hash_create(mem_ctx, sbus_opath_hash_delete_cb, conn);
|
||||
}
|
||||
|
||||
static errno_t
|
||||
@@ -511,11 +510,8 @@ sbus_opath_hash_add_iface(hash_table_t *table,
|
||||
struct sbus_interface_list *list = NULL;
|
||||
struct sbus_interface_list *item = NULL;
|
||||
const char *iface_name = iface->vtable->meta->name;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
bool path_known;
|
||||
errno_t ret;
|
||||
- int hret;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
@@ -536,22 +532,14 @@ sbus_opath_hash_add_iface(hash_table_t *table,
|
||||
|
||||
/* first lookup existing list in hash table */
|
||||
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = talloc_strdup(tmp_ctx, object_path);
|
||||
- if (key.str == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- hret = hash_lookup(table, &key, &value);
|
||||
- if (hret == HASH_SUCCESS) {
|
||||
+ list = sss_ptr_hash_lookup(table, object_path, struct sbus_interface_list);
|
||||
+ if (list != NULL) {
|
||||
/* This object path has already some interface registered. We will
|
||||
* check for existence of the interface currently being added and
|
||||
* add it if missing. */
|
||||
|
||||
path_known = true;
|
||||
|
||||
- list = talloc_get_type(value.ptr, struct sbus_interface_list);
|
||||
if (sbus_iface_list_lookup(list, iface_name) != NULL) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE, "Trying to register the same interface"
|
||||
" twice: iface=%s, opath=%s\n", iface_name, object_path);
|
||||
@@ -562,9 +550,6 @@ sbus_opath_hash_add_iface(hash_table_t *table,
|
||||
DLIST_ADD_END(list, item, struct sbus_interface_list *);
|
||||
ret = EOK;
|
||||
goto done;
|
||||
- } else if (hret != HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
}
|
||||
|
||||
/* otherwise create new hash entry and new list */
|
||||
@@ -572,17 +557,8 @@ sbus_opath_hash_add_iface(hash_table_t *table,
|
||||
path_known = false;
|
||||
list = item;
|
||||
|
||||
- value.type = HASH_VALUE_PTR;
|
||||
- value.ptr = list;
|
||||
-
|
||||
- hret = hash_enter(table, &key, &value);
|
||||
- if (hret != HASH_SUCCESS) {
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- talloc_steal(table, key.str);
|
||||
- ret = EOK;
|
||||
+ ret = sss_ptr_hash_add(table, object_path, list,
|
||||
+ struct sbus_interface_list);
|
||||
|
||||
done:
|
||||
if (ret == EOK) {
|
||||
@@ -599,12 +575,7 @@ static bool
|
||||
sbus_opath_hash_has_path(hash_table_t *table,
|
||||
const char *object_path)
|
||||
{
|
||||
- hash_key_t key;
|
||||
-
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = discard_const(object_path);
|
||||
-
|
||||
- return hash_has_key(table, &key);
|
||||
+ return sss_ptr_hash_has_key(table, object_path);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -621,9 +592,6 @@ sbus_opath_hash_lookup_iface(hash_table_t *table,
|
||||
struct sbus_interface_list *list = NULL;
|
||||
struct sbus_interface *iface = NULL;
|
||||
char *lookup_path = NULL;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
- int hret;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
@@ -636,21 +604,13 @@ sbus_opath_hash_lookup_iface(hash_table_t *table,
|
||||
}
|
||||
|
||||
while (lookup_path != NULL) {
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = lookup_path;
|
||||
-
|
||||
- hret = hash_lookup(table, &key, &value);
|
||||
- if (hret == HASH_SUCCESS) {
|
||||
- list = talloc_get_type(value.ptr, struct sbus_interface_list);
|
||||
+ list = sss_ptr_hash_lookup(table, lookup_path,
|
||||
+ struct sbus_interface_list);
|
||||
+ if (list != NULL) {
|
||||
iface = sbus_iface_list_lookup(list, iface_name);
|
||||
if (iface != NULL) {
|
||||
goto done;
|
||||
}
|
||||
- } else if (hret != HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Unable to search hash table: hret=%d\n", hret);
|
||||
- iface = NULL;
|
||||
- goto done;
|
||||
}
|
||||
|
||||
/* we will not free lookup path since it is freed with tmp_ctx
|
||||
@@ -674,13 +634,11 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx = NULL;
|
||||
TALLOC_CTX *list_ctx = NULL;
|
||||
- struct sbus_interface_list *copy = NULL;
|
||||
- struct sbus_interface_list *list = NULL;
|
||||
+ struct sbus_interface_list *copy;
|
||||
+ struct sbus_interface_list *output_list;
|
||||
+ struct sbus_interface_list *table_list;
|
||||
char *lookup_path = NULL;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
errno_t ret;
|
||||
- int hret;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
@@ -699,23 +657,19 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- while (lookup_path != NULL) {
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = lookup_path;
|
||||
+ /* Initialize output_list. */
|
||||
+ output_list = NULL;
|
||||
|
||||
- hret = hash_lookup(table, &key, &value);
|
||||
- if (hret == HASH_SUCCESS) {
|
||||
- ret = sbus_iface_list_copy(list_ctx, value.ptr, ©);
|
||||
+ while (lookup_path != NULL) {
|
||||
+ table_list = sss_ptr_hash_lookup(table, lookup_path,
|
||||
+ struct sbus_interface_list);
|
||||
+ if (table_list != NULL) {
|
||||
+ ret = sbus_iface_list_copy(list_ctx, table_list, ©);
|
||||
if (ret != EOK) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
- DLIST_CONCATENATE(list, copy, struct sbus_interface_list *);
|
||||
- } else if (hret != HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Unable to search hash table: hret=%d\n", hret);
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
+ DLIST_CONCATENATE(output_list, copy, struct sbus_interface_list *);
|
||||
}
|
||||
|
||||
/* we will not free lookup path since it is freed with tmp_ctx
|
||||
@@ -724,7 +678,7 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
talloc_steal(mem_ctx, list_ctx);
|
||||
- *_list = list;
|
||||
+ *_list = output_list;
|
||||
ret = EOK;
|
||||
|
||||
done:
|
||||
diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h
|
||||
index 8abca66b087d9ce1081889feda2ca1e1372514ad..c8913d0f0c522147aacf3214000ef9d4855fdb0c 100644
|
||||
--- a/src/sbus/sssd_dbus_private.h
|
||||
+++ b/src/sbus/sssd_dbus_private.h
|
||||
@@ -121,10 +121,9 @@ struct sbus_interface_list {
|
||||
struct sbus_interface *interface;
|
||||
};
|
||||
|
||||
-errno_t
|
||||
+hash_table_t *
|
||||
sbus_opath_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- struct sbus_connection *conn,
|
||||
- hash_table_t **_table);
|
||||
+ struct sbus_connection *conn);
|
||||
|
||||
struct sbus_interface *
|
||||
sbus_opath_hash_lookup_iface(hash_table_t *table,
|
||||
--
|
||||
2.9.3
|
||||
|
165
0009-SBUS-use-sss_ptr_hash-for-nodes-table.patch
Normal file
165
0009-SBUS-use-sss_ptr_hash-for-nodes-table.patch
Normal file
@ -0,0 +1,165 @@
|
||||
From ea872f140a04419fba3f2b9722da74d7fd1ca1ee Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 24 Jan 2017 13:47:42 +0100
|
||||
Subject: [PATCH 09/79] SBUS: use sss_ptr_hash for nodes table
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch reuses sss_ptr_hash module introduced in NSS patches in sbus code.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sbus/sssd_dbus_connection.c | 4 +--
|
||||
src/sbus/sssd_dbus_interface.c | 72 +++++++----------------------------------
|
||||
src/sbus/sssd_dbus_private.h | 6 ++--
|
||||
3 files changed, 16 insertions(+), 66 deletions(-)
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
|
||||
index 6ca039e8e2a919141bf951ed0203dc2c48b3eb55..5e493fb03e835d5f939a599efdc07f7ab2f9be28 100644
|
||||
--- a/src/sbus/sssd_dbus_connection.c
|
||||
+++ b/src/sbus/sssd_dbus_connection.c
|
||||
@@ -170,8 +170,8 @@ int sbus_init_connection(TALLOC_CTX *ctx,
|
||||
return EIO;
|
||||
}
|
||||
|
||||
- ret = sbus_nodes_hash_init(conn, conn, &conn->nodes_fns);
|
||||
- if (ret != EOK) {
|
||||
+ conn->nodes_fns = sbus_nodes_hash_init(conn);
|
||||
+ if (conn->nodes_fns == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create node functions hash table\n");
|
||||
talloc_free(conn);
|
||||
return EIO;
|
||||
diff --git a/src/sbus/sssd_dbus_interface.c b/src/sbus/sssd_dbus_interface.c
|
||||
index e8c8851231fab68024065a13c5f1e2642ba829e9..1a11c6abcf23053e3b8c77f4d469d7c202a88eb8 100644
|
||||
--- a/src/sbus/sssd_dbus_interface.c
|
||||
+++ b/src/sbus/sssd_dbus_interface.c
|
||||
@@ -686,13 +686,10 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-errno_t
|
||||
-sbus_nodes_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- struct sbus_connection *conn,
|
||||
- hash_table_t **_table)
|
||||
+hash_table_t *
|
||||
+sbus_nodes_hash_init(TALLOC_CTX *mem_ctx)
|
||||
{
|
||||
- return sss_hash_create_ex(mem_ctx, 10, _table, 0, 0, 0, 0,
|
||||
- NULL, conn);
|
||||
+ return sss_ptr_hash_create(mem_ctx, NULL, NULL);
|
||||
}
|
||||
|
||||
struct sbus_nodes_data {
|
||||
@@ -706,57 +703,24 @@ sbus_nodes_hash_add(hash_table_t *table,
|
||||
sbus_nodes_fn nodes_fn,
|
||||
void *handler_data)
|
||||
{
|
||||
- TALLOC_CTX *tmp_ctx;
|
||||
struct sbus_nodes_data *data;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
errno_t ret;
|
||||
- bool has_key;
|
||||
- int hret;
|
||||
|
||||
- tmp_ctx = talloc_new(NULL);
|
||||
- if (tmp_ctx == NULL) {
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = talloc_strdup(tmp_ctx, object_path);
|
||||
- if (key.str == NULL) {
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- has_key = hash_has_key(table, &key);
|
||||
- if (has_key) {
|
||||
- ret = EEXIST;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- data = talloc_zero(tmp_ctx, struct sbus_nodes_data);
|
||||
+ data = talloc_zero(table, struct sbus_nodes_data);
|
||||
if (data == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
+ return ENOMEM;
|
||||
}
|
||||
|
||||
data->handler_data = handler_data;
|
||||
data->nodes_fn = nodes_fn;
|
||||
|
||||
- value.type = HASH_VALUE_PTR;
|
||||
- value.ptr = data;
|
||||
-
|
||||
- hret = hash_enter(table, &key, &value);
|
||||
- if (hret != HASH_SUCCESS) {
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
+ ret = sss_ptr_hash_add(table, object_path, data, struct sbus_nodes_data);
|
||||
+ if (ret != EOK) {
|
||||
+ talloc_free(data);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
- talloc_steal(table, key.str);
|
||||
- talloc_steal(table, data);
|
||||
-
|
||||
- ret = EOK;
|
||||
-
|
||||
-done:
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ret;
|
||||
+ return EOK;
|
||||
}
|
||||
|
||||
const char **
|
||||
@@ -765,24 +729,12 @@ sbus_nodes_hash_lookup(TALLOC_CTX *mem_ctx,
|
||||
const char *object_path)
|
||||
{
|
||||
struct sbus_nodes_data *data;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
- int hret;
|
||||
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = discard_const(object_path);
|
||||
-
|
||||
- hret = hash_lookup(table, &key, &value);
|
||||
- if (hret == HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- return NULL;
|
||||
- } else if (hret != HASH_SUCCESS) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Unable to search hash table: hret=%d\n", hret);
|
||||
+ data = sss_ptr_hash_lookup(table, object_path, struct sbus_nodes_data);
|
||||
+ if (data == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- data = talloc_get_type(value.ptr, struct sbus_nodes_data);
|
||||
-
|
||||
return data->nodes_fn(mem_ctx, object_path, data->handler_data);
|
||||
}
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h
|
||||
index c8913d0f0c522147aacf3214000ef9d4855fdb0c..a5a2d47f4bfac99960fcca56aaa48077c36b96e4 100644
|
||||
--- a/src/sbus/sssd_dbus_private.h
|
||||
+++ b/src/sbus/sssd_dbus_private.h
|
||||
@@ -136,10 +136,8 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
|
||||
const char *object_path,
|
||||
struct sbus_interface_list **_list);
|
||||
|
||||
-errno_t
|
||||
-sbus_nodes_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- struct sbus_connection *conn,
|
||||
- hash_table_t **_table);
|
||||
+hash_table_t *
|
||||
+sbus_nodes_hash_init(TALLOC_CTX *mem_ctx);
|
||||
|
||||
const char **
|
||||
sbus_nodes_hash_lookup(TALLOC_CTX *mem_ctx,
|
||||
--
|
||||
2.9.3
|
||||
|
168
0010-SBUS-use-sss_ptr_hash-for-signals-table.patch
Normal file
168
0010-SBUS-use-sss_ptr_hash-for-signals-table.patch
Normal file
@ -0,0 +1,168 @@
|
||||
From b1afef0bc8d98c389a7f71307bee8ef9fc991ced Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 24 Jan 2017 14:02:51 +0100
|
||||
Subject: [PATCH 10/79] SBUS: use sss_ptr_hash for signals table
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch reuses sss_ptr_hash module introduced in NSS patches in sbus code.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sbus/sssd_dbus_connection.c | 4 +--
|
||||
src/sbus/sssd_dbus_private.h | 5 ++--
|
||||
src/sbus/sssd_dbus_signals.c | 58 ++++++++++-------------------------------
|
||||
3 files changed, 18 insertions(+), 49 deletions(-)
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
|
||||
index 5e493fb03e835d5f939a599efdc07f7ab2f9be28..de134f2f21bfb9697fcc8a42622817bc50b54f2a 100644
|
||||
--- a/src/sbus/sssd_dbus_connection.c
|
||||
+++ b/src/sbus/sssd_dbus_connection.c
|
||||
@@ -177,8 +177,8 @@ int sbus_init_connection(TALLOC_CTX *ctx,
|
||||
return EIO;
|
||||
}
|
||||
|
||||
- ret = sbus_incoming_signal_hash_init(conn, &conn->incoming_signals);
|
||||
- if (ret != EOK) {
|
||||
+ conn->incoming_signals = sbus_incoming_signal_hash_init(conn);
|
||||
+ if (conn->incoming_signals == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create incoming singals "
|
||||
"hash table\n");
|
||||
talloc_free(conn);
|
||||
diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h
|
||||
index a5a2d47f4bfac99960fcca56aaa48077c36b96e4..a3d4bae166d5a4d17037b16094248d22de7e8f62 100644
|
||||
--- a/src/sbus/sssd_dbus_private.h
|
||||
+++ b/src/sbus/sssd_dbus_private.h
|
||||
@@ -180,9 +180,8 @@ sbus_signal_handler(DBusConnection *conn,
|
||||
DBusMessage *message,
|
||||
void *handler_data);
|
||||
|
||||
-errno_t
|
||||
-sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- hash_table_t **_table);
|
||||
+hash_table_t *
|
||||
+sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx);
|
||||
|
||||
void sbus_register_common_signals(struct sbus_connection *conn, void *pvt);
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_signals.c b/src/sbus/sssd_dbus_signals.c
|
||||
index 3f463e603a625cae8415fb17f5cd811ef0c10e15..be1c8527e5513bc258e7764239d9b16af083ac65 100644
|
||||
--- a/src/sbus/sssd_dbus_signals.c
|
||||
+++ b/src/sbus/sssd_dbus_signals.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <dhash.h>
|
||||
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_ptr_hash.h"
|
||||
#include "sbus/sssd_dbus.h"
|
||||
#include "sbus/sssd_dbus_private.h"
|
||||
|
||||
@@ -60,11 +61,10 @@ struct sbus_incoming_signal_data {
|
||||
void *handler_data;
|
||||
};
|
||||
|
||||
-errno_t
|
||||
-sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- hash_table_t **_table)
|
||||
+hash_table_t *
|
||||
+sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx)
|
||||
{
|
||||
- return sss_hash_create(mem_ctx, 10, _table);
|
||||
+ return sss_ptr_hash_create(mem_ctx, NULL, NULL);
|
||||
}
|
||||
|
||||
static errno_t
|
||||
@@ -76,30 +76,20 @@ sbus_incoming_signal_hash_add(hash_table_t *table,
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
struct sbus_incoming_signal_data *data;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
+ char *key;
|
||||
errno_t ret;
|
||||
- bool has_key;
|
||||
- int hret;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = talloc_asprintf(tmp_ctx, "%s.%s", iface, a_signal);
|
||||
- if (key.str == NULL) {
|
||||
+ key = talloc_asprintf(tmp_ctx, "%s.%s", iface, a_signal);
|
||||
+ if (key == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
}
|
||||
|
||||
- has_key = hash_has_key(table, &key);
|
||||
- if (has_key) {
|
||||
- ret = EEXIST;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
data = talloc_zero(tmp_ctx, struct sbus_incoming_signal_data);
|
||||
if (data == NULL) {
|
||||
ret = ENOMEM;
|
||||
@@ -109,16 +99,11 @@ sbus_incoming_signal_hash_add(hash_table_t *table,
|
||||
data->handler_data = handler_data;
|
||||
data->handler_fn = handler_fn;
|
||||
|
||||
- value.type = HASH_VALUE_PTR;
|
||||
- value.ptr = data;
|
||||
-
|
||||
- hret = hash_enter(table, &key, &value);
|
||||
- if (hret != HASH_SUCCESS) {
|
||||
- ret = EIO;
|
||||
+ ret = sss_ptr_hash_add(table, key, data, struct sbus_incoming_signal_data);
|
||||
+ if (ret != EOK) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
- talloc_steal(table, key.str);
|
||||
talloc_steal(table, data);
|
||||
|
||||
ret = EOK;
|
||||
@@ -134,31 +119,16 @@ sbus_incoming_signal_hash_lookup(hash_table_t *table,
|
||||
const char *a_signal)
|
||||
{
|
||||
struct sbus_incoming_signal_data *data;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
- int hret;
|
||||
+ char *key;
|
||||
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = talloc_asprintf(NULL, "%s.%s", iface, a_signal);
|
||||
- if (key.str == NULL) {
|
||||
+ key = talloc_asprintf(NULL, "%s.%s", iface, a_signal);
|
||||
+ if (key == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- hret = hash_lookup(table, &key, &value);
|
||||
- if (hret == HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- data = NULL;
|
||||
- goto done;
|
||||
- } else if (hret != HASH_SUCCESS) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Unable to search hash table: hret=%d\n", hret);
|
||||
- data = NULL;
|
||||
- goto done;
|
||||
- }
|
||||
+ data = sss_ptr_hash_lookup(table, key, struct sbus_incoming_signal_data);
|
||||
+ talloc_free(key);
|
||||
|
||||
- data = talloc_get_type(value.ptr, struct sbus_incoming_signal_data);
|
||||
-
|
||||
-done:
|
||||
- talloc_free(key.str);
|
||||
return data;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
139
0011-ldap_child-Fix-use-after-free.patch
Normal file
139
0011-ldap_child-Fix-use-after-free.patch
Normal file
@ -0,0 +1,139 @@
|
||||
From cb831fbbcb0dac8b6202037d4cd1a0d82db54f54 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 17 Jan 2017 10:17:24 +0100
|
||||
Subject: [PATCH 11/79] ldap_child: Fix use after free
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In case on any krb5 related error, we tried to send string
|
||||
interpretation of krb5 error tb parrent in prepare_response.
|
||||
|
||||
However, we cannot use global krb5 context (krb5_error_ctx)
|
||||
because the context is every time released in done section of
|
||||
ldap_child_get_tgt_sync.
|
||||
|
||||
This patch rather return duplicated string to prevent use after free.
|
||||
|
||||
Backtrace:
|
||||
#0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
|
||||
100 ../sysdeps/x86_64/multiarch/strchr.S: No such file or directory.
|
||||
|
||||
Thread 1 (Thread 0x7fc96cad5880 (LWP 11201)):
|
||||
#0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
|
||||
No locals.
|
||||
#1 0x00007fc96be43725 in err_fmt_fmt (msg=0x7fc96d1cf8d0 "Cannot find KDC for requested realm",
|
||||
code=-1765328230,
|
||||
err_fmt=<optimized out>) at kerrs.c:152
|
||||
buf = {buftype = K5BUF_DYNAMIC, data = 0x7fc96d1cdb10,
|
||||
space = 128, len = 0}
|
||||
p = <optimized out>
|
||||
s = 0xdededededededede <Address 0xdededededededede out of bounds>
|
||||
#2 krb5_get_error_message (ctx=<optimized out>,
|
||||
code=code@entry=-1765328230) at kerrs.c:184
|
||||
std = 0x7fc96d1cf8d0 "Cannot find KDC for requested realm"
|
||||
#3 0x00007fc96cb224e5 in sss_krb5_get_error_message (ctx=<optimized out>,
|
||||
ec=ec@entry=-1765328230) at src/util/sss_krb5.c:424
|
||||
No locals.
|
||||
#4 0x00007fc96cb1fbb0 in prepare_response (rsp=<synthetic pointer>,
|
||||
kerr=-1765328230, expire_time=0,
|
||||
ccname=0x0,
|
||||
mem_ctx=0x7fc96d1cb390) at src/providers/ldap/ldap_child.c:553
|
||||
ret = <optimized out>
|
||||
r = 0x7fc96d1cd8b0
|
||||
krb5_msg = 0x0
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/ldap/ldap_child.c | 26 +++++++++++++++++---------
|
||||
1 file changed, 17 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
|
||||
index ffcbc3985691b965c76a06805068118628adc198..3f88a28dcffc320ba66afccbdcee71432913b775 100644
|
||||
--- a/src/providers/ldap/ldap_child.c
|
||||
+++ b/src/providers/ldap/ldap_child.c
|
||||
@@ -276,7 +276,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
const char *keytab_name,
|
||||
const krb5_deltat lifetime,
|
||||
const char **ccname_out,
|
||||
- time_t *expire_time_out)
|
||||
+ time_t *expire_time_out,
|
||||
+ char **_krb5_msg)
|
||||
{
|
||||
char *ccname;
|
||||
char *ccname_dummy;
|
||||
@@ -522,7 +523,14 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
|
||||
|
||||
done:
|
||||
- if (krberr != 0) KRB5_SYSLOG(krberr);
|
||||
+ if (krberr != 0) {
|
||||
+ const char *krb5_msg;
|
||||
+
|
||||
+ KRB5_SYSLOG(krberr);
|
||||
+ krb5_msg = sss_krb5_get_error_message(context, krberr);
|
||||
+ *_krb5_msg = talloc_strdup(memctx, krb5_msg);
|
||||
+ sss_krb5_free_error_message(context, krb5_msg);
|
||||
+ }
|
||||
if (keytab) krb5_kt_close(context, keytab);
|
||||
if (context) krb5_free_context(context);
|
||||
talloc_free(tmp_ctx);
|
||||
@@ -533,11 +541,11 @@ static int prepare_response(TALLOC_CTX *mem_ctx,
|
||||
const char *ccname,
|
||||
time_t expire_time,
|
||||
krb5_error_code kerr,
|
||||
+ char *krb5_msg,
|
||||
struct response **rsp)
|
||||
{
|
||||
int ret;
|
||||
struct response *r = NULL;
|
||||
- const char *krb5_msg = NULL;
|
||||
|
||||
r = talloc_zero(mem_ctx, struct response);
|
||||
if (!r) return ENOMEM;
|
||||
@@ -550,15 +558,13 @@ static int prepare_response(TALLOC_CTX *mem_ctx,
|
||||
if (kerr == 0) {
|
||||
ret = pack_buffer(r, EOK, kerr, ccname, expire_time);
|
||||
} else {
|
||||
- krb5_msg = sss_krb5_get_error_message(krb5_error_ctx, kerr);
|
||||
if (krb5_msg == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "sss_krb5_get_error_message failed.\n");
|
||||
+ "Empty krb5 error message for non-zero kerr: %"PRIi32"\n",
|
||||
+ kerr);
|
||||
return ENOMEM;
|
||||
}
|
||||
-
|
||||
ret = pack_buffer(r, EFAULT, kerr, krb5_msg, 0);
|
||||
- sss_krb5_free_error_message(krb5_error_ctx, krb5_msg);
|
||||
}
|
||||
|
||||
if (ret != EOK) {
|
||||
@@ -605,6 +611,7 @@ int main(int argc, const char *argv[])
|
||||
uint8_t *buf = NULL;
|
||||
ssize_t len = 0;
|
||||
const char *ccname = NULL;
|
||||
+ char *krb5_msg = NULL;
|
||||
time_t expire_time = 0;
|
||||
struct input_buffer *ibuf = NULL;
|
||||
struct response *resp = NULL;
|
||||
@@ -721,13 +728,14 @@ int main(int argc, const char *argv[])
|
||||
kerr = ldap_child_get_tgt_sync(main_ctx, ibuf->context,
|
||||
ibuf->realm_str, ibuf->princ_str,
|
||||
ibuf->keytab_name, ibuf->lifetime,
|
||||
- &ccname, &expire_time);
|
||||
+ &ccname, &expire_time, &krb5_msg);
|
||||
if (kerr != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "ldap_child_get_tgt_sync failed.\n");
|
||||
/* Do not return, must report failure */
|
||||
}
|
||||
|
||||
- ret = prepare_response(main_ctx, ccname, expire_time, kerr, &resp);
|
||||
+ ret = prepare_response(main_ctx, ccname, expire_time, kerr, krb5_msg,
|
||||
+ &resp);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "prepare_response failed. [%d][%s].\n",
|
||||
ret, strerror(ret));
|
||||
--
|
||||
2.9.3
|
||||
|
41
0012-FAILOVER-Improve-port-status-log-messages.patch
Normal file
41
0012-FAILOVER-Improve-port-status-log-messages.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From 1c7f9a676088ecee4c14df14b8688b391fb32a05 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Mon, 19 Dec 2016 16:49:17 -0500
|
||||
Subject: [PATCH 12/79] FAILOVER: Improve port status log messages
|
||||
|
||||
It should be more clear to administrators that when SSSD internal
|
||||
port status is set as PORT_NOT_WORKING, this does not directly relate
|
||||
to an assumed network port-related issue.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/fail_over.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
|
||||
index 5d3c26d4a690769637f2fa4f41a76627cbdba77a..168e59d6f4e9fc8abd827be21004daef2c6613f0 100644
|
||||
--- a/src/providers/fail_over.c
|
||||
+++ b/src/providers/fail_over.c
|
||||
@@ -376,12 +376,18 @@ get_port_status(struct fo_server *server)
|
||||
"Port status of port %d for server '%s' is '%s'\n", server->port,
|
||||
SERVER_NAME(server), str_port_status(server->port_status));
|
||||
|
||||
+ if (server->port_status == PORT_NOT_WORKING) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "SSSD is unable to complete the full "
|
||||
+ "connection request, this internal status does not necessarily "
|
||||
+ "indicate network port issues.\n");
|
||||
+ }
|
||||
+
|
||||
timeout = server->service->ctx->opts->retry_timeout;
|
||||
if (timeout != 0 && server->port_status == PORT_NOT_WORKING) {
|
||||
gettimeofday(&tv, NULL);
|
||||
if (STATUS_DIFF(server, tv) > timeout) {
|
||||
DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
- "Reseting the status of port %d for server '%s'\n",
|
||||
+ "Resetting the status of port %d for server '%s'\n",
|
||||
server->port, SERVER_NAME(server));
|
||||
server->port_status = PORT_NEUTRAL;
|
||||
server->last_status_change.tv_sec = tv.tv_sec;
|
||||
--
|
||||
2.9.3
|
||||
|
44
0013-IFP-Update-ifp_iface_generated.c.patch
Normal file
44
0013-IFP-Update-ifp_iface_generated.c.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 2ddcd5785f10de42bf03dfc36eca94dbc1fc1fb3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Mon, 6 Feb 2017 18:58:18 +0000
|
||||
Subject: [PATCH 13/79] IFP: Update ifp_iface_generated.c
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
These changes are leftovers from commit 78b4b7e.
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/ifp/ifp_iface_generated.c | 7 +------
|
||||
1 file changed, 1 insertion(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/responder/ifp/ifp_iface_generated.c b/src/responder/ifp/ifp_iface_generated.c
|
||||
index 90cd4ff9e3a4dff3e8d2e3d904bbf6bde6a748ae..d9df6c623b7f597b8ea9427a58488b340b1934ea 100644
|
||||
--- a/src/responder/ifp/ifp_iface_generated.c
|
||||
+++ b/src/responder/ifp/ifp_iface_generated.c
|
||||
@@ -263,11 +263,6 @@ const struct sbus_interface_meta iface_ifp_meta = {
|
||||
sbus_invoke_get_all, /* GetAll invoker */
|
||||
};
|
||||
|
||||
-/* methods for org.freedesktop.sssd.infopipe.Components */
|
||||
-const struct sbus_method_meta iface_ifp_components__methods[] = {
|
||||
- { NULL, }
|
||||
-};
|
||||
-
|
||||
/* property info for org.freedesktop.sssd.infopipe.Components */
|
||||
const struct sbus_property_meta iface_ifp_components__properties[] = {
|
||||
{
|
||||
@@ -321,7 +316,7 @@ const struct sbus_property_meta iface_ifp_components__properties[] = {
|
||||
/* interface info for org.freedesktop.sssd.infopipe.Components */
|
||||
const struct sbus_interface_meta iface_ifp_components_meta = {
|
||||
"org.freedesktop.sssd.infopipe.Components", /* name */
|
||||
- iface_ifp_components__methods,
|
||||
+ NULL, /* no methods */
|
||||
NULL, /* no signals */
|
||||
iface_ifp_components__properties,
|
||||
sbus_invoke_get_all, /* GetAll invoker */
|
||||
--
|
||||
2.9.3
|
||||
|
30
0014-SYSTEMD-Update-journald-drop-in-file.patch
Normal file
30
0014-SYSTEMD-Update-journald-drop-in-file.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From 7b4704a10958bb7d3390db9eff863875d2b643f7 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 7 Feb 2017 09:52:59 +0100
|
||||
Subject: [PATCH 14/79] SYSTEMD: Update journald drop-in file
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
We changed type forking into type notify as part of commit
|
||||
d4063e9a21a4e203bee7e0a0144fa8cabb14cc46.
|
||||
But we forgot to update template drop-in file for logging into journald.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sysv/systemd/journal.conf.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/sysv/systemd/journal.conf.in b/src/sysv/systemd/journal.conf.in
|
||||
index d89325e0872881e3e8485102d9971871101098f3..9ce170b4893629792516aab41573adea1fb741f0 100644
|
||||
--- a/src/sysv/systemd/journal.conf.in
|
||||
+++ b/src/sysv/systemd/journal.conf.in
|
||||
@@ -4,4 +4,4 @@
|
||||
# run 'systemctl daemon-reload' and then restart the SSSD service
|
||||
# for this to take effect
|
||||
#ExecStart=
|
||||
-#ExecStart=@sbindir@/sssd -D
|
||||
+#ExecStart=@sbindir@/sssd -i
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,13 +1,15 @@
|
||||
From 829aa39dffbe35f58b34159b962a2dd8de85fd30 Mon Sep 17 00:00:00 2001
|
||||
From c029f707d4847b01ff64bf3bb1fd46c0b5927cdb Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 12 Dec 2016 18:33:48 +0100
|
||||
Subject: [PATCH] Partially revert "CONFIG: Use default config when none
|
||||
Subject: [PATCH 15/79] Partially revert "CONFIG: Use default config when none
|
||||
provided"
|
||||
|
||||
This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a.
|
||||
|
||||
Removed is copying of default configuration into /etc/sssd/sssd.conf
|
||||
Sample configurations is still part of installation.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
Makefile.am | 3 ---
|
||||
src/confdb/confdb.h | 1 -
|
||||
@ -15,10 +17,10 @@ Sample configurations is still part of installation.
|
||||
3 files changed, 4 insertions(+), 40 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index a15e68f682f6d8af301e11df8dcaef6d7f27e8c0..45d44146e737fc8460a2ed9ffc0171a6bb494b2b 100644
|
||||
index 674d328f52929cc2b20d1212af830c3777312bf1..6d21af8e8c455622d8c4c8b4e325789c4c1e34cb 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -462,7 +462,6 @@ AM_CPPFLAGS = \
|
||||
@@ -473,7 +473,6 @@ AM_CPPFLAGS = \
|
||||
-DSSSDDATADIR=\"$(sssddatadir)\" \
|
||||
-DSSSD_LIBEXEC_PATH=\"$(sssdlibexecdir)\" \
|
||||
-DSSSD_CONF_DIR=\"$(sssdconfdir)\" \
|
||||
@ -26,7 +28,7 @@ index a15e68f682f6d8af301e11df8dcaef6d7f27e8c0..45d44146e737fc8460a2ed9ffc0171a6
|
||||
-DSSS_NSS_MCACHE_DIR=\"$(mcpath)\" \
|
||||
-DSSS_NSS_SOCKET_NAME=\"$(pipepath)/nss\" \
|
||||
-DSSS_PAM_SOCKET_NAME=\"$(pipepath)/pam\" \
|
||||
@@ -1232,8 +1231,6 @@ sssd_SOURCES = \
|
||||
@@ -1252,8 +1251,6 @@ sssd_SOURCES = \
|
||||
src/confdb/confdb_setup.c \
|
||||
src/monitor/monitor_iface_generated.c \
|
||||
src/util/nscd.c \
|
||||
@ -36,7 +38,7 @@ index a15e68f682f6d8af301e11df8dcaef6d7f27e8c0..45d44146e737fc8460a2ed9ffc0171a6
|
||||
sssd_LDADD = \
|
||||
$(SSSD_LIBS) \
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 12beaabf8c949bd111abbe16cb98a205490fb08f..4813072bdafb5d6c9ec56a9ccaa5db6a1120112d 100644
|
||||
index 9055048865f008a2c3732551730c4a881cb9108c..dd6ac77f5a787b0434b56fccba49aa195b13297a 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -40,7 +40,6 @@
|
||||
@ -113,5 +115,5 @@ index d6feab9000d54d2c3761de6d8e990053ade7e85f..a71d9dd1202824b3c9a7e69f1d8fa905
|
||||
|
||||
ret = sss_ini_config_access_check(init_data);
|
||||
--
|
||||
2.11.0
|
||||
2.9.3
|
||||
|
177
0016-SUDO-Add-skip_entry-boolean-to-sudo-conversions.patch
Normal file
177
0016-SUDO-Add-skip_entry-boolean-to-sudo-conversions.patch
Normal file
@ -0,0 +1,177 @@
|
||||
From d0aae3c1e87e2e51ab178b7b343261443094a974 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Fri, 20 Jan 2017 15:43:34 -0500
|
||||
Subject: [PATCH 16/79] SUDO: Add skip_entry boolean to sudo conversions
|
||||
|
||||
Add boolean to convert_attributes function and pass boolean as argument
|
||||
to sudo conversion functions to add logic for skipping unexpected
|
||||
entries like replication conflicts.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3288
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_sudo_conversion.c | 55 ++++++++++++++++++++++++---------
|
||||
1 file changed, 41 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
|
||||
index 9dbc8604df544ce0865a2e99facf92cfd697123b..05d863c20954c816e52d27fe4a5e1553776c6d41 100644
|
||||
--- a/src/providers/ipa/ipa_sudo_conversion.c
|
||||
+++ b/src/providers/ipa/ipa_sudo_conversion.c
|
||||
@@ -746,12 +746,15 @@ struct ipa_sudo_conv_result_ctx {
|
||||
static const char *
|
||||
convert_host(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
char *rdn;
|
||||
const char *group;
|
||||
errno_t ret;
|
||||
|
||||
+ *skip_entry = false;
|
||||
+
|
||||
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
|
||||
MATCHRDN_HOST(conv->map_host));
|
||||
if (ret == EOK) {
|
||||
@@ -765,7 +768,8 @@ convert_host(TALLOC_CTX *mem_ctx,
|
||||
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
|
||||
MATCHRDN_HOSTGROUP(conv->map_hostgroup));
|
||||
if (ret == ENOENT) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value);
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
|
||||
+ *skip_entry = true;
|
||||
return NULL;
|
||||
} else if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
|
||||
@@ -782,12 +786,15 @@ convert_host(TALLOC_CTX *mem_ctx,
|
||||
static const char *
|
||||
convert_user(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
char *rdn;
|
||||
const char *group;
|
||||
errno_t ret;
|
||||
|
||||
+ *skip_entry = false;
|
||||
+
|
||||
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
|
||||
MATCHRDN_USER(conv->map_user));
|
||||
if (ret == EOK) {
|
||||
@@ -801,7 +808,8 @@ convert_user(TALLOC_CTX *mem_ctx,
|
||||
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
|
||||
MATCHRDN_GROUP(conv->map_group));
|
||||
if (ret == ENOENT) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value);
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
|
||||
+ *skip_entry = true;
|
||||
return NULL;
|
||||
} else if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
|
||||
@@ -818,12 +826,15 @@ convert_user(TALLOC_CTX *mem_ctx,
|
||||
static const char *
|
||||
convert_user_fqdn(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
const char *shortname = NULL;
|
||||
char *fqdn = NULL;
|
||||
|
||||
- shortname = convert_user(mem_ctx, conv, value);
|
||||
+ *skip_entry = false;
|
||||
+
|
||||
+ shortname = convert_user(mem_ctx, conv, value, skip_entry);
|
||||
if (shortname == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
@@ -836,15 +847,19 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx,
|
||||
static const char *
|
||||
convert_group(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
char *rdn;
|
||||
errno_t ret;
|
||||
|
||||
+ *skip_entry = false;
|
||||
+
|
||||
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
|
||||
MATCHRDN_GROUP(conv->map_group));
|
||||
if (ret == ENOENT) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value);
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
|
||||
+ *skip_entry = true;
|
||||
return NULL;
|
||||
} else if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
|
||||
@@ -858,7 +873,8 @@ convert_group(TALLOC_CTX *mem_ctx,
|
||||
static const char *
|
||||
convert_runasextusergroup(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
return talloc_asprintf(mem_ctx, "%%%s", value);
|
||||
}
|
||||
@@ -866,8 +882,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx,
|
||||
static const char *
|
||||
convert_cat(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
+
|
||||
+ *skip_entry = false;
|
||||
+
|
||||
if (strcmp(value, "all") == 0) {
|
||||
return talloc_strdup(mem_ctx, "ALL");
|
||||
}
|
||||
@@ -885,12 +905,14 @@ convert_attributes(struct ipa_sudo_conv *conv,
|
||||
const char *value;
|
||||
errno_t ret;
|
||||
int i, j;
|
||||
+ bool skip_entry;
|
||||
static struct {
|
||||
const char *ipa;
|
||||
const char *sudo;
|
||||
const char *(*conv_fn)(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value);
|
||||
+ const char *value,
|
||||
+ bool *skip_entry);
|
||||
} table[] = {{SYSDB_NAME, SYSDB_SUDO_CACHE_AT_CN , NULL},
|
||||
{SYSDB_IPA_SUDORULE_HOST, SYSDB_SUDO_CACHE_AT_HOST , convert_host},
|
||||
{SYSDB_IPA_SUDORULE_USER, SYSDB_SUDO_CACHE_AT_USER , convert_user_fqdn},
|
||||
@@ -931,10 +953,15 @@ convert_attributes(struct ipa_sudo_conv *conv,
|
||||
|
||||
for (j = 0; values[j] != NULL; j++) {
|
||||
if (table[i].conv_fn != NULL) {
|
||||
- value = table[i].conv_fn(tmp_ctx, conv, values[j]);
|
||||
+ value = table[i].conv_fn(tmp_ctx, conv, values[j], &skip_entry);
|
||||
if (value == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
+ if (skip_entry) {
|
||||
+ ret = ENOENT;
|
||||
+ continue;
|
||||
+ } else {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
}
|
||||
} else {
|
||||
value = values[j];
|
||||
--
|
||||
2.9.3
|
||||
|
36
0017-TESTS-Add-to-IPA-DN-test.patch
Normal file
36
0017-TESTS-Add-to-IPA-DN-test.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 1404f3aa541849d880cce591584ba1580014cb50 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 17:05:01 -0500
|
||||
Subject: [PATCH 17/79] TESTS: Add to IPA DN test
|
||||
|
||||
Add test to ensure conflict entries return ENOENT
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3288
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_ipa_dn.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_ipa_dn.c b/src/tests/cmocka/test_ipa_dn.c
|
||||
index a6e26ec31ff25519ad895ef934dac0e3a3dd83ae..ff951f28acbb8a567c3d27027a688386ff08b475 100644
|
||||
--- a/src/tests/cmocka/test_ipa_dn.c
|
||||
+++ b/src/tests/cmocka/test_ipa_dn.c
|
||||
@@ -169,6 +169,13 @@ static void ipa_get_rdn_test(void **state)
|
||||
ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,attr1=value1", &rdn, "cn", "attr1", "value1");
|
||||
assert_int_equal(ret, ENOENT);
|
||||
assert_null(rdn);
|
||||
+
|
||||
+ ret = ipa_get_rdn(test_ctx, test_ctx->sysdb,
|
||||
+ "cn=rdn+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,"
|
||||
+ "attr1=value1,attr2=value2,dc=example,dc=com",
|
||||
+ &rdn, "cn", "attr1", "value1", "attr2", "value2");
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ assert_null(rdn);
|
||||
}
|
||||
|
||||
int main(int argc, const char *argv[])
|
||||
--
|
||||
2.9.3
|
||||
|
28
0018-LDAP-Better-logging-message.patch
Normal file
28
0018-LDAP-Better-logging-message.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From c3593f06da54315c88a08a46cfc0def366acad43 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
||||
Date: Thu, 19 Jan 2017 12:51:27 +0100
|
||||
Subject: [PATCH 18/79] LDAP: Better logging message
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/ldap/sdap.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index dc7d5e0caf223c3ee3c43054aa44e796f1b37766..eb460d93bfb067e780868bc9f7bf4e6e0aa1b4a3 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -1691,7 +1691,8 @@ static bool sdap_object_in_domain(struct sdap_options *opts,
|
||||
sdmatch = sdap_domain_get_by_dn(opts, original_dn);
|
||||
if (sdmatch == NULL) {
|
||||
DEBUG(SSSDBG_FUNC_DATA,
|
||||
- "The group has no original DN, assuming our domain\n");
|
||||
+ "The original DN of the group cannot "
|
||||
+ "be related to any search base\n");
|
||||
return true;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
592
0019-SYSDB-Removing-of-sysdb_try_to_find_expected_dn.patch
Normal file
592
0019-SYSDB-Removing-of-sysdb_try_to_find_expected_dn.patch
Normal file
@ -0,0 +1,592 @@
|
||||
From 3ee411625aee19afda7477bb10b52c3da378b6fb Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
||||
Date: Wed, 4 Jan 2017 15:33:30 +0100
|
||||
Subject: [PATCH 19/79] SYSDB: Removing of sysdb_try_to_find_expected_dn()
|
||||
|
||||
Currently in order to match multiple LDAP search results we
|
||||
use two different functions - we have sysdb_try_to_find_expected_dn()
|
||||
but also sdap_object_in_domain().
|
||||
|
||||
This patch removes sysdb_try_to_find_expected_dn() and add new
|
||||
sdap_search_initgr_user_in_batch() based on sdap_object_in_domain().
|
||||
This function covers necessary logic.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3230
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/db/sysdb.h | 6 -
|
||||
src/db/sysdb_subdomains.c | 332 -----------------------------
|
||||
src/providers/ldap/sdap.c | 6 +-
|
||||
src/providers/ldap/sdap.h | 4 +
|
||||
src/providers/ldap/sdap_async_initgroups.c | 28 ++-
|
||||
src/tests/cmocka/test_sysdb_subdomains.c | 104 ---------
|
||||
6 files changed, 30 insertions(+), 450 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index 8a363d09066806c4e7836e4e0cd19ce645d14ee2..809ca359a32f85ef3afbad082665c7eaa9374830 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -1309,10 +1309,4 @@ errno_t sysdb_handle_original_uuid(const char *orig_name,
|
||||
struct sysdb_attrs *dest_attrs,
|
||||
const char *dest_name);
|
||||
|
||||
-errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom,
|
||||
- const char *domain_component_name,
|
||||
- const char *ldap_search_base,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- struct sysdb_attrs **exp_usr);
|
||||
#endif /* __SYS_DB_H__ */
|
||||
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
||||
index 780140484f6f023bc6e8c12266e3b81ff016ec10..1f43bfc12e73a9fc7f3b66c85b47f38d2c1a3c19 100644
|
||||
--- a/src/db/sysdb_subdomains.c
|
||||
+++ b/src/db/sysdb_subdomains.c
|
||||
@@ -1144,335 +1144,3 @@ done:
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
-
|
||||
-static errno_t match_cn_users(TALLOC_CTX *tmp_ctx,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- const char *dom_basedn,
|
||||
- struct sysdb_attrs **_result)
|
||||
-{
|
||||
- errno_t ret;
|
||||
- const char *orig_dn;
|
||||
- size_t dn_len;
|
||||
- struct sysdb_attrs *result = NULL;
|
||||
- const char *result_dn_str = NULL;
|
||||
- char *cn_users_basedn;
|
||||
- size_t cn_users_basedn_len;
|
||||
-
|
||||
- cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn);
|
||||
- if (cn_users_basedn == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
- cn_users_basedn_len = strlen(cn_users_basedn);
|
||||
- DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn);
|
||||
-
|
||||
- for (size_t c = 0; c < count; c++) {
|
||||
- ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
|
||||
- goto done;
|
||||
- }
|
||||
- dn_len = strlen(orig_dn);
|
||||
-
|
||||
- if (dn_len > cn_users_basedn_len
|
||||
- && strcasecmp(orig_dn + (dn_len - cn_users_basedn_len),
|
||||
- cn_users_basedn) == 0) {
|
||||
- DEBUG(SSSDBG_TRACE_ALL,
|
||||
- "Found matching dn [%s].\n", orig_dn);
|
||||
- if (result != NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Found 2 matching DN [%s] and [%s], expecting only 1.\n",
|
||||
- result_dn_str, orig_dn);
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
- result = usr_attrs[c];
|
||||
- result_dn_str = orig_dn;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- ret = EOK;
|
||||
-done:
|
||||
- *_result = result;
|
||||
- return ret;
|
||||
-}
|
||||
-
|
||||
-static errno_t match_non_dc_comp(TALLOC_CTX *tmp_ctx,
|
||||
- struct sss_domain_info *dom,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- struct ldb_dn *ldb_basedn,
|
||||
- const char *basedn,
|
||||
- const char *domain_component_name,
|
||||
- struct sysdb_attrs **_result)
|
||||
-{
|
||||
- errno_t ret;
|
||||
- const char *orig_dn;
|
||||
- size_t orig_dn_len;
|
||||
- size_t basedn_len;
|
||||
- struct ldb_context *ldb_ctx;
|
||||
- struct ldb_dn *ldb_orig_dn;
|
||||
- int dn_comp_num;
|
||||
- int basedn_comp_num;
|
||||
- const char *component_name;
|
||||
- struct sysdb_attrs *result = NULL;
|
||||
- const char *result_dn_str = NULL;
|
||||
-
|
||||
- ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb);
|
||||
- if (ldb_ctx == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n");
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- basedn_len = strlen(basedn);
|
||||
-
|
||||
- basedn_comp_num = ldb_dn_get_comp_num(ldb_basedn);
|
||||
- basedn_comp_num++;
|
||||
-
|
||||
- for (size_t c = 0; c < count; c++) {
|
||||
- ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
|
||||
- goto done;
|
||||
- }
|
||||
- orig_dn_len = strlen(orig_dn);
|
||||
-
|
||||
- if (orig_dn_len > basedn_len
|
||||
- /* Does the user's original DN with the non-domain part
|
||||
- * stripped match the domain base DN?
|
||||
- */
|
||||
- && strcasecmp(orig_dn + (orig_dn_len - basedn_len),
|
||||
- basedn) == 0) {
|
||||
- ldb_orig_dn = ldb_dn_new(tmp_ctx, ldb_ctx, orig_dn);
|
||||
- if (ldb_orig_dn == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- dn_comp_num = ldb_dn_get_comp_num(ldb_orig_dn);
|
||||
- if (dn_comp_num > basedn_comp_num) {
|
||||
- component_name = ldb_dn_get_component_name(ldb_orig_dn,
|
||||
- (dn_comp_num - basedn_comp_num));
|
||||
- DEBUG(SSSDBG_TRACE_ALL, "Comparing [%s] and [%s].\n",
|
||||
- component_name,
|
||||
- domain_component_name);
|
||||
- /* If the component is NOT a DC component, then the entry
|
||||
- * must come from our domain, perhaps from a child container.
|
||||
- * If it matched the DC component, the entry was from a child
|
||||
- * subdomain different from this one.
|
||||
- */
|
||||
- if (component_name != NULL
|
||||
- && strcasecmp(component_name,
|
||||
- domain_component_name) != 0) {
|
||||
- DEBUG(SSSDBG_TRACE_ALL,
|
||||
- "Found matching dn [%s].\n", orig_dn);
|
||||
- if (result != NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Found 2 matching DN [%s] and [%s], "
|
||||
- "expecting only 1.\n", result_dn_str, orig_dn);
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
- result = usr_attrs[c];
|
||||
- result_dn_str = orig_dn;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- ret = EOK;
|
||||
- *_result = result;
|
||||
-done:
|
||||
- return ret;
|
||||
-}
|
||||
-
|
||||
-static errno_t match_basedn(TALLOC_CTX *tmp_ctx,
|
||||
- struct sss_domain_info *dom,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- const char *dom_basedn,
|
||||
- const char *domain_component_name,
|
||||
- struct sysdb_attrs **_result)
|
||||
-{
|
||||
- struct ldb_context *ldb_ctx;
|
||||
- struct ldb_dn *ldb_dom_basedn;
|
||||
-
|
||||
- ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb);
|
||||
- if (ldb_ctx == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n");
|
||||
- return EINVAL;
|
||||
- }
|
||||
-
|
||||
-
|
||||
- ldb_dom_basedn = ldb_dn_new(tmp_ctx, ldb_ctx, dom_basedn);
|
||||
- if (ldb_dom_basedn == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n");
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- return match_non_dc_comp(tmp_ctx, dom,
|
||||
- usr_attrs, count,
|
||||
- ldb_dom_basedn, dom_basedn,
|
||||
- domain_component_name,
|
||||
- _result);
|
||||
-}
|
||||
-
|
||||
-static errno_t match_search_base(TALLOC_CTX *tmp_ctx,
|
||||
- struct sss_domain_info *dom,
|
||||
- const char *domain_component_name,
|
||||
- const char *domain_search_base,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- struct sysdb_attrs **_result)
|
||||
-{
|
||||
- errno_t ret;
|
||||
- bool ok;
|
||||
- const char *search_base;
|
||||
- struct ldb_context *ldb_ctx;
|
||||
- struct sysdb_attrs *result = NULL;
|
||||
- struct ldb_dn *ldb_search_base;
|
||||
- int search_base_comp_num;
|
||||
- int non_dc_comp_num;
|
||||
- const char *component_name;
|
||||
-
|
||||
- ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb);
|
||||
- if (ldb_ctx == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n");
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ldb_search_base = ldb_dn_new(tmp_ctx, ldb_ctx, domain_search_base);
|
||||
- if (ldb_search_base == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- /* strip non-DC components from the search base */
|
||||
- search_base_comp_num = ldb_dn_get_comp_num(ldb_search_base);
|
||||
- for (non_dc_comp_num = 0;
|
||||
- non_dc_comp_num < search_base_comp_num;
|
||||
- non_dc_comp_num++) {
|
||||
-
|
||||
- component_name = ldb_dn_get_component_name(ldb_search_base,
|
||||
- non_dc_comp_num);
|
||||
- if (strcasecmp(domain_component_name, component_name) == 0) {
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (non_dc_comp_num == search_base_comp_num) {
|
||||
- /* The search base does not have any non-DC components, the search wouldn't
|
||||
- * match anyway
|
||||
- */
|
||||
- ret = EOK;
|
||||
- *_result = NULL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ok = ldb_dn_remove_child_components(ldb_search_base, non_dc_comp_num);
|
||||
- if (!ok) {
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- search_base = ldb_dn_get_linearized(ldb_search_base);
|
||||
- if (search_base == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = match_cn_users(tmp_ctx, usr_attrs, count, search_base, &result);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (result == NULL) {
|
||||
- ret = match_non_dc_comp(tmp_ctx, dom,
|
||||
- usr_attrs, count,
|
||||
- ldb_search_base, search_base,
|
||||
- domain_component_name,
|
||||
- &result);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- ret = EOK;
|
||||
- *_result = result;
|
||||
-done:
|
||||
- return ret;
|
||||
-}
|
||||
-
|
||||
-errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom,
|
||||
- const char *domain_component_name,
|
||||
- const char *domain_search_base,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- struct sysdb_attrs **exp_usr)
|
||||
-{
|
||||
- char *dom_basedn;
|
||||
- int ret;
|
||||
- TALLOC_CTX *tmp_ctx;
|
||||
- struct sysdb_attrs *result = NULL;
|
||||
-
|
||||
- if (dom == NULL || domain_component_name == NULL
|
||||
- || domain_search_base == NULL
|
||||
- || usr_attrs == NULL || count == 0) {
|
||||
- return EINVAL;
|
||||
- }
|
||||
-
|
||||
- tmp_ctx = talloc_new(NULL);
|
||||
- if (tmp_ctx == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- ret = domain_to_basedn(tmp_ctx, dom->name, &dom_basedn);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n");
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = match_cn_users(tmp_ctx, usr_attrs, count, dom_basedn, &result);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (result == NULL) {
|
||||
- ret = match_basedn(tmp_ctx, dom, usr_attrs,
|
||||
- count, dom_basedn, domain_component_name,
|
||||
- &result);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (result == NULL) {
|
||||
- ret = match_search_base(tmp_ctx, dom, domain_component_name,
|
||||
- domain_search_base, usr_attrs, count,
|
||||
- &result);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (result == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "No matching DN found.\n");
|
||||
- ret = ENOENT;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- *exp_usr = result;
|
||||
-
|
||||
- ret = EOK;
|
||||
-done:
|
||||
- talloc_free(tmp_ctx);
|
||||
-
|
||||
- return ret;
|
||||
-}
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index eb460d93bfb067e780868bc9f7bf4e6e0aa1b4a3..bfb7fc6d2a38debf56acae18b8e7eb7a08ccbd1b 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -1673,9 +1673,9 @@ char *sdap_make_oc_list(TALLOC_CTX *mem_ctx, struct sdap_attr_map *map)
|
||||
}
|
||||
}
|
||||
|
||||
-static bool sdap_object_in_domain(struct sdap_options *opts,
|
||||
- struct sysdb_attrs *obj,
|
||||
- struct sss_domain_info *dom)
|
||||
+bool sdap_object_in_domain(struct sdap_options *opts,
|
||||
+ struct sysdb_attrs *obj,
|
||||
+ struct sss_domain_info *dom)
|
||||
{
|
||||
errno_t ret;
|
||||
const char *original_dn = NULL;
|
||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||
index e3cb8464ff40538e1e7f1ba853ed71d9a5cc3c98..6d4543ed48ce19f82252d34b6d0833a546a81bb9 100644
|
||||
--- a/src/providers/ldap/sdap.h
|
||||
+++ b/src/providers/ldap/sdap.h
|
||||
@@ -616,4 +616,8 @@ size_t sdap_steal_objects_in_dom(struct sdap_options *opts,
|
||||
size_t count,
|
||||
bool filter);
|
||||
|
||||
+bool sdap_object_in_domain(struct sdap_options *opts,
|
||||
+ struct sysdb_attrs *obj,
|
||||
+ struct sss_domain_info *dom);
|
||||
+
|
||||
#endif /* _SDAP_H_ */
|
||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
||||
index 2cd9c15b9e284592b3e132eb3d1f35b09a69046e..8c7a65bf36abf341e077cf9eac18a234d3a07c07 100644
|
||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
||||
@@ -23,6 +23,7 @@
|
||||
|
||||
#include "util/util.h"
|
||||
#include "db/sysdb.h"
|
||||
+#include "providers/ldap/sdap.h"
|
||||
#include "providers/ldap/sdap_async_private.h"
|
||||
#include "providers/ldap/ldap_common.h"
|
||||
#include "providers/ldap/sdap_idmap.h"
|
||||
@@ -2890,6 +2891,25 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static int sdap_search_initgr_user_in_batch(struct sdap_get_initgr_state *state,
|
||||
+ struct sysdb_attrs **users,
|
||||
+ size_t count)
|
||||
+{
|
||||
+ int ret = EINVAL;
|
||||
+
|
||||
+ for (size_t i = 0; i < count; i++) {
|
||||
+ if (sdap_object_in_domain(state->opts, users[i], state->dom) == false) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ state->orig_user = talloc_steal(state, users[i]);
|
||||
+ ret = EOK;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static void sdap_get_initgr_user(struct tevent_req *subreq)
|
||||
{
|
||||
struct tevent_req *req = tevent_req_callback_data(subreq,
|
||||
@@ -2951,13 +2971,11 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
|
||||
* the first search base because all bases in a single domain would
|
||||
* have the same DC= components
|
||||
*/
|
||||
- ret = sysdb_try_to_find_expected_dn(state->dom, "dc",
|
||||
- state->sdom->search_bases[0]->basedn,
|
||||
- usr_attrs, count,
|
||||
- &state->orig_user);
|
||||
+ ret = sdap_search_initgr_user_in_batch(state, usr_attrs, count);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "try_to_find_expected_dn failed. No matching DN found.\n");
|
||||
+ "sdap_search_initgr_user_in_batch failed. "
|
||||
+ "No matching DN found.\n");
|
||||
tevent_req_error(req, EINVAL);
|
||||
return;
|
||||
}
|
||||
diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
index 52056e0435d2793893f1a4e336f38acf7a70b2c0..52242e516ed0490e5094ccc1392908207e00359d 100644
|
||||
--- a/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
+++ b/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
@@ -515,107 +515,6 @@ static void test_sysdb_link_ad_multidom(void **state)
|
||||
|
||||
}
|
||||
|
||||
-static void test_try_to_find_expected_dn(void **state)
|
||||
-{
|
||||
- int ret;
|
||||
- struct sysdb_attrs *result;
|
||||
- struct sysdb_attrs *usr_attrs[10] = { NULL };
|
||||
- struct sysdb_attrs *dom_usr_attrs[10] = { NULL };
|
||||
- struct sss_domain_info *dom;
|
||||
- char *dom_basedn;
|
||||
- struct subdom_test_ctx *test_ctx =
|
||||
- talloc_get_type(*state, struct subdom_test_ctx);
|
||||
-
|
||||
- dom = find_domain_by_name(test_ctx->tctx->dom,
|
||||
- "child2.test_sysdb_subdomains_2", true);
|
||||
- assert_non_null(dom);
|
||||
-
|
||||
- ret = domain_to_basedn(test_ctx, dom->name, &dom_basedn);
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- usr_attrs[0] = sysdb_new_attrs(test_ctx);
|
||||
- assert_non_null(usr_attrs[0]);
|
||||
-
|
||||
- ret = sysdb_attrs_add_string(usr_attrs[0], SYSDB_ORIG_DN,
|
||||
- "uid=user,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2");
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(NULL, NULL, NULL, NULL, 0, NULL);
|
||||
- assert_int_equal(ret, EINVAL);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 1, &result);
|
||||
- assert_int_equal(ret, ENOENT);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "xy", dom_basedn, usr_attrs, 1, &result);
|
||||
- assert_int_equal(ret, EOK);
|
||||
- assert_ptr_equal(result, usr_attrs[0]);
|
||||
-
|
||||
- usr_attrs[1] = sysdb_new_attrs(test_ctx);
|
||||
- assert_non_null(usr_attrs[1]);
|
||||
-
|
||||
- ret = sysdb_attrs_add_string(usr_attrs[1], SYSDB_ORIG_DN,
|
||||
- "uid=user1,cn=abc,dc=child2,dc=test_sysdb_subdomains_2");
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- usr_attrs[2] = sysdb_new_attrs(test_ctx);
|
||||
- assert_non_null(usr_attrs[2]);
|
||||
-
|
||||
- ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN,
|
||||
- "uid=user2,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2");
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 3, &result);
|
||||
- assert_int_equal(ret, EOK);
|
||||
- assert_ptr_equal(result, usr_attrs[1]);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "xy", dom_basedn, usr_attrs, 3, &result);
|
||||
- assert_int_equal(ret, EINVAL);
|
||||
-
|
||||
- /* Make sure cn=users match is preferred */
|
||||
- talloc_free(usr_attrs[2]);
|
||||
- usr_attrs[2] = sysdb_new_attrs(test_ctx);
|
||||
- assert_non_null(usr_attrs[2]);
|
||||
-
|
||||
- ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN,
|
||||
- "uid=user2,cn=abc,cn=users,dc=child2,dc=test_sysdb_subdomains_2");
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 3, &result);
|
||||
- assert_int_equal(ret, EOK);
|
||||
- assert_ptr_equal(result, usr_attrs[2]);
|
||||
-
|
||||
- /* test a case where the domain name does not match the basedn */
|
||||
- dom->name = discard_const("default");
|
||||
- dom_usr_attrs[0] = usr_attrs[0];
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 1, &result);
|
||||
- assert_int_equal(ret, ENOENT);
|
||||
-
|
||||
- dom_usr_attrs[1] = usr_attrs[1];
|
||||
- dom_usr_attrs[2] = usr_attrs[2];
|
||||
-
|
||||
- /* Make sure cn=users match is preferred */
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 3, &result);
|
||||
- assert_int_equal(ret, EOK);
|
||||
- assert_ptr_equal(result, dom_usr_attrs[2]);
|
||||
-
|
||||
- talloc_free(usr_attrs[2]);
|
||||
- usr_attrs[2] = sysdb_new_attrs(test_ctx);
|
||||
- assert_non_null(usr_attrs[2]);
|
||||
- ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN,
|
||||
- "uid=user2,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2");
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- dom_usr_attrs[2] = usr_attrs[2];
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 3, &result);
|
||||
- assert_int_equal(ret, EOK);
|
||||
- assert_ptr_equal(result, usr_attrs[1]);
|
||||
-
|
||||
- talloc_free(usr_attrs[0]);
|
||||
- talloc_free(usr_attrs[1]);
|
||||
- talloc_free(usr_attrs[2]);
|
||||
-}
|
||||
-
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
int rv;
|
||||
@@ -649,9 +548,6 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_sysdb_link_ad_multidom,
|
||||
test_sysdb_subdom_setup,
|
||||
test_sysdb_subdom_teardown),
|
||||
- cmocka_unit_test_setup_teardown(test_try_to_find_expected_dn,
|
||||
- test_sysdb_subdom_setup,
|
||||
- test_sysdb_subdom_teardown),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
--
|
||||
2.9.3
|
||||
|
138
0020-TEST-create_multidom_test_ctx-extending.patch
Normal file
138
0020-TEST-create_multidom_test_ctx-extending.patch
Normal file
@ -0,0 +1,138 @@
|
||||
From f1e3364a72eb75673d10cf8c97ba8f1d7a385405 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
||||
Date: Thu, 12 Jan 2017 13:16:10 +0100
|
||||
Subject: [PATCH 20/79] TEST: create_multidom_test_ctx() extending
|
||||
|
||||
Function create_multidom_test_ctx() prepares test environment for
|
||||
multidomains. This patch enables setting of different params for
|
||||
each domain.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3230
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_ad_common.c | 5 +----
|
||||
src/tests/cmocka/test_sysdb_subdomains.c | 5 +----
|
||||
src/tests/cmocka/test_sysdb_ts_cache.c | 5 +----
|
||||
src/tests/common.h | 2 +-
|
||||
src/tests/common_dom.c | 6 +++---
|
||||
5 files changed, 7 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
|
||||
index 7ec292092e0de6a3edabfe6e7480f777e47a475d..ea9998951d1214ad41429cad38a28efcea11dcd0 100644
|
||||
--- a/src/tests/cmocka/test_ad_common.c
|
||||
+++ b/src/tests/cmocka/test_ad_common.c
|
||||
@@ -78,9 +78,6 @@ struct ad_sysdb_test_ctx {
|
||||
static int test_ad_sysdb_setup(void **state)
|
||||
{
|
||||
struct ad_sysdb_test_ctx *test_ctx;
|
||||
- struct sss_test_conf_param params[] = {
|
||||
- { NULL, NULL }, /* Sentinel */
|
||||
- };
|
||||
|
||||
assert_true(leak_check_setup());
|
||||
|
||||
@@ -92,7 +89,7 @@ static int test_ad_sysdb_setup(void **state)
|
||||
|
||||
test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
|
||||
TEST_CONF_DB, domains,
|
||||
- TEST_ID_PROVIDER, params);
|
||||
+ TEST_ID_PROVIDER, NULL);
|
||||
assert_non_null(test_ctx->tctx);
|
||||
|
||||
*state = test_ctx;
|
||||
diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
index 52242e516ed0490e5094ccc1392908207e00359d..49f44998a06740d1df70ac354ee741824acd8f50 100644
|
||||
--- a/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
+++ b/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
@@ -60,9 +60,6 @@ struct subdom_test_ctx {
|
||||
static int test_sysdb_subdom_setup(void **state)
|
||||
{
|
||||
struct subdom_test_ctx *test_ctx;
|
||||
- struct sss_test_conf_param params[] = {
|
||||
- { NULL, NULL }, /* Sentinel */
|
||||
- };
|
||||
|
||||
assert_true(leak_check_setup());
|
||||
|
||||
@@ -74,7 +71,7 @@ static int test_sysdb_subdom_setup(void **state)
|
||||
|
||||
test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
|
||||
TEST_CONF_DB, domains,
|
||||
- TEST_ID_PROVIDER, params);
|
||||
+ TEST_ID_PROVIDER, NULL);
|
||||
assert_non_null(test_ctx->tctx);
|
||||
|
||||
*state = test_ctx;
|
||||
diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c
|
||||
index e950f88631e4c78573bbb7290edfe94b5ced57cd..f5aab73f001e8fdece1f85de987d6711a459e6aa 100644
|
||||
--- a/src/tests/cmocka/test_sysdb_ts_cache.c
|
||||
+++ b/src/tests/cmocka/test_sysdb_ts_cache.c
|
||||
@@ -74,9 +74,6 @@ const char *domains[] = { TEST_DOM1_NAME,
|
||||
static int test_sysdb_ts_setup(void **state)
|
||||
{
|
||||
struct sysdb_ts_test_ctx *test_ctx;
|
||||
- struct sss_test_conf_param params[] = {
|
||||
- { NULL, NULL }, /* Sentinel */
|
||||
- };
|
||||
|
||||
assert_true(leak_check_setup());
|
||||
|
||||
@@ -88,7 +85,7 @@ static int test_sysdb_ts_setup(void **state)
|
||||
|
||||
test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
|
||||
TEST_CONF_DB, domains,
|
||||
- TEST_ID_PROVIDER, params);
|
||||
+ TEST_ID_PROVIDER, NULL);
|
||||
assert_non_null(test_ctx->tctx);
|
||||
|
||||
check_leaks_push(test_ctx);
|
||||
diff --git a/src/tests/common.h b/src/tests/common.h
|
||||
index b49cfea9b73d8b4b7b61c721912de9fd2c0ccf13..c06568d3820ab92ffd47b5c206c300842e8f8a39 100644
|
||||
--- a/src/tests/common.h
|
||||
+++ b/src/tests/common.h
|
||||
@@ -92,7 +92,7 @@ create_multidom_test_ctx(TALLOC_CTX *mem_ctx,
|
||||
const char *cdb_file,
|
||||
const char **domains,
|
||||
const char *id_provider,
|
||||
- struct sss_test_conf_param *params);
|
||||
+ struct sss_test_conf_param **params);
|
||||
|
||||
struct sss_test_ctx *
|
||||
create_dom_test_ctx(TALLOC_CTX *mem_ctx,
|
||||
diff --git a/src/tests/common_dom.c b/src/tests/common_dom.c
|
||||
index f1a92cc99f3423d5d7ef10327013a5972940c792..def28d5101efe9990c963a4180d9fb2bd6f71b42 100644
|
||||
--- a/src/tests/common_dom.c
|
||||
+++ b/src/tests/common_dom.c
|
||||
@@ -231,7 +231,7 @@ create_multidom_test_ctx(TALLOC_CTX *mem_ctx,
|
||||
const char *cdb_file,
|
||||
const char **domains,
|
||||
const char *id_provider,
|
||||
- struct sss_test_conf_param *params)
|
||||
+ struct sss_test_conf_param **params)
|
||||
{
|
||||
struct sss_domain_info *domain = NULL;
|
||||
struct sss_test_ctx *test_ctx = NULL;
|
||||
@@ -255,7 +255,7 @@ create_multidom_test_ctx(TALLOC_CTX *mem_ctx,
|
||||
/* create confdb objects for the domains */
|
||||
for (i = 0; domains[i] != NULL; i++) {
|
||||
ret = mock_confdb_domain(test_ctx, test_ctx->confdb, tests_path,
|
||||
- domains[i], id_provider, params,
|
||||
+ domains[i], id_provider, params != NULL ? params[i] : NULL,
|
||||
(cdb_path == NULL ? &cdb_path : NULL));
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize confdb domain "
|
||||
@@ -302,7 +302,7 @@ create_dom_test_ctx(TALLOC_CTX *mem_ctx,
|
||||
const char *domains[] = {domain_name, NULL};
|
||||
|
||||
return create_multidom_test_ctx(mem_ctx, tests_path, confdb_path, domains,
|
||||
- id_provider, params);
|
||||
+ id_provider, ¶ms);
|
||||
}
|
||||
|
||||
void test_multidom_suite_cleanup(const char *tests_path,
|
||||
--
|
||||
2.9.3
|
||||
|
609
0021-TESTS-Tests-for-sdap_search_initgr_user_in_batch.patch
Normal file
609
0021-TESTS-Tests-for-sdap_search_initgr_user_in_batch.patch
Normal file
@ -0,0 +1,609 @@
|
||||
From 0b7ded15e53b3f31f1570c366f04bc41e5761929 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
||||
Date: Tue, 10 Jan 2017 14:01:45 +0100
|
||||
Subject: [PATCH 21/79] TESTS: Tests for sdap_search_initgr_user_in_batch
|
||||
|
||||
This patch provides tests for core logic of
|
||||
sdap_search_initgr_user_in_batch() function. This function replaces
|
||||
old approach with sysdb_try_to_find_expected_dn() function.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3230
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
Makefile.am | 22 ++
|
||||
src/tests/cmocka/test_sdap_initgr.c | 540 ++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 562 insertions(+)
|
||||
create mode 100644 src/tests/cmocka/test_sdap_initgr.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 6d21af8e8c455622d8c4c8b4e325789c4c1e34cb..9dd2060c6615b1c23ae8adb61886341bcdc49560 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -289,6 +289,7 @@ non_interactive_cmocka_based_tests += \
|
||||
ad_access_filter_tests \
|
||||
ad_gpo_tests \
|
||||
ad_common_tests \
|
||||
+ test_sdap_initgr \
|
||||
test_ad_subdom \
|
||||
test_ipa_subdom_server \
|
||||
$(NULL)
|
||||
@@ -2862,6 +2863,27 @@ test_fo_srv_LDADD = \
|
||||
libsss_test_common.la \
|
||||
$(NULL)
|
||||
|
||||
+test_sdap_initgr_SOURCES = \
|
||||
+ src/tests/cmocka/common_mock_sdap.c \
|
||||
+ src/tests/cmocka/common_mock_sysdb_objects.c \
|
||||
+ src/tests/cmocka/test_sdap_initgr.c \
|
||||
+ $(NULL)
|
||||
+test_sdap_initgr_CFLAGS = \
|
||||
+ $(AM_CFLAGS) \
|
||||
+ $(NDR_NBT_CFLAGS) \
|
||||
+ $(NULL)
|
||||
+test_sdap_initgr_LDADD = \
|
||||
+ $(CMOCKA_LIBS) \
|
||||
+ $(POPT_LIBS) \
|
||||
+ $(TALLOC_LIBS) \
|
||||
+ $(SSSD_INTERNAL_LTLIBS) \
|
||||
+ libsss_ldap_common.la \
|
||||
+ libsss_ad_tests.la \
|
||||
+ libsss_idmap.la \
|
||||
+ libsss_test_common.la \
|
||||
+ libdlopen_test_providers.la \
|
||||
+ $(NULL)
|
||||
+
|
||||
test_ad_subdom_SOURCES = \
|
||||
src/tests/cmocka/test_ad_subdomains.c \
|
||||
$(NULL)
|
||||
diff --git a/src/tests/cmocka/test_sdap_initgr.c b/src/tests/cmocka/test_sdap_initgr.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..28c6ae33ef3dd2a343711b339554492c899dd7b5
|
||||
--- /dev/null
|
||||
+++ b/src/tests/cmocka/test_sdap_initgr.c
|
||||
@@ -0,0 +1,540 @@
|
||||
+/*
|
||||
+ Authors:
|
||||
+ Petr Čech <pcech@redhat.com>
|
||||
+
|
||||
+ Copyright (C) 2017 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include <talloc.h>
|
||||
+#include <tevent.h>
|
||||
+#include <errno.h>
|
||||
+#include <popt.h>
|
||||
+#include <arpa/inet.h>
|
||||
+#include <netinet/in.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <pwd.h>
|
||||
+
|
||||
+#include "tests/cmocka/common_mock.h"
|
||||
+#include "tests/cmocka/common_mock_sysdb_objects.h"
|
||||
+#include "tests/cmocka/common_mock_sdap.h"
|
||||
+#include "providers/ad/ad_common.h"
|
||||
+
|
||||
+#include "providers/ad/ad_opts.c"
|
||||
+#include "providers/ldap/sdap_async_initgroups.c"
|
||||
+
|
||||
+/* Declarations from providers/ldap/sdap_async_initgroups.c */
|
||||
+struct sdap_get_initgr_state;
|
||||
+static int sdap_search_initgr_user_in_batch(struct sdap_get_initgr_state *state,
|
||||
+ struct sysdb_attrs **users,
|
||||
+ size_t count);
|
||||
+
|
||||
+#define TESTS_PATH "tp_" BASE_FILE_STEM
|
||||
+#define TEST_CONF_DB "test_sdap_initgr_conf.ldb"
|
||||
+#define TEST_ID_PROVIDER "ldap"
|
||||
+
|
||||
+#define TEST_DOM1_NAME "domain.test.com"
|
||||
+#define TEST_DOM2_NAME "subdom1.domain.test.com"
|
||||
+#define TEST_DOM3_NAME "another_domain.test.com"
|
||||
+
|
||||
+#define OBJECT_BASE_DN1 "dc=domain,dc=test,dc=com,cn=sysdb"
|
||||
+#define OBJECT_BASE_DN2 "dc=subdom1,dc=domain,dc=test,dc=com,cn=sysdb"
|
||||
+#define OBJECT_BASE_DN3 "dc=another_domain,dc=test,dc=com,cn=sysdb"
|
||||
+
|
||||
+#define TEST_USER_1 "test_user_1"
|
||||
+#define TEST_USER_2 "test_user_2"
|
||||
+#define TEST_USER_3 "test_user_3"
|
||||
+
|
||||
+const char *domains[] = { TEST_DOM1_NAME,
|
||||
+ TEST_DOM2_NAME,
|
||||
+ TEST_DOM3_NAME,
|
||||
+ NULL };
|
||||
+
|
||||
+const char *object_bases[] = { OBJECT_BASE_DN1,
|
||||
+ OBJECT_BASE_DN2,
|
||||
+ OBJECT_BASE_DN3,
|
||||
+ NULL };
|
||||
+
|
||||
+const char *test_users[] = { TEST_USER_1,
|
||||
+ TEST_USER_2,
|
||||
+ TEST_USER_3,
|
||||
+ NULL };
|
||||
+
|
||||
+/* ====================== Utilities =============================== */
|
||||
+
|
||||
+struct test_sdap_initgr_ctx {
|
||||
+ struct sss_test_ctx *tctx;
|
||||
+};
|
||||
+
|
||||
+static struct passwd **get_users(TALLOC_CTX *ctx)
|
||||
+{
|
||||
+ struct passwd **passwds = NULL;
|
||||
+ char *homedir = NULL;
|
||||
+ size_t user_count = 0;
|
||||
+
|
||||
+ for (int i = 0; test_users[i] != NULL; i++) {
|
||||
+ user_count++;
|
||||
+ }
|
||||
+ passwds = talloc_array(ctx, struct passwd *, user_count);
|
||||
+ assert_non_null(passwds);
|
||||
+
|
||||
+ for (int i = 0; i < user_count; i++) {
|
||||
+ passwds[i] = talloc(passwds, struct passwd);
|
||||
+ assert_non_null(passwds[i]);
|
||||
+
|
||||
+ homedir = talloc_strdup_append(homedir, "/home/");
|
||||
+ homedir = talloc_strdup_append(homedir, test_users[i]);
|
||||
+
|
||||
+ passwds[i]->pw_name = discard_const(test_users[i]);
|
||||
+ passwds[i]->pw_uid = 567 + i;
|
||||
+ passwds[i]->pw_gid = 890 + i;
|
||||
+ passwds[i]->pw_dir = talloc_strdup(passwds[i], homedir);
|
||||
+ passwds[i]->pw_gecos = discard_const(test_users[i]);
|
||||
+ passwds[i]->pw_shell = discard_const("/bin/sh");
|
||||
+ passwds[i]->pw_passwd = discard_const("*");
|
||||
+
|
||||
+ talloc_zfree(homedir);
|
||||
+ }
|
||||
+
|
||||
+ return passwds;
|
||||
+}
|
||||
+
|
||||
+static struct sss_test_conf_param **get_params(TALLOC_CTX *ctx)
|
||||
+{
|
||||
+ struct sss_test_conf_param **params;
|
||||
+ char *user_base_dn = NULL;
|
||||
+ char *group_base_dn = NULL;
|
||||
+ size_t base_count = 0;
|
||||
+
|
||||
+ for (int i = 0; object_bases[i] != NULL; i++) {
|
||||
+ base_count++;
|
||||
+ }
|
||||
+
|
||||
+ params = talloc_array(ctx, struct sss_test_conf_param *, base_count + 1);
|
||||
+ assert_non_null(params);
|
||||
+
|
||||
+ for (int i = 0; i < base_count; i++) {
|
||||
+ params[i] = talloc(params, struct sss_test_conf_param);
|
||||
+ assert_non_null(params[i]);
|
||||
+
|
||||
+ user_base_dn = talloc_strdup_append(user_base_dn, "cn=users,");
|
||||
+ user_base_dn = talloc_strdup_append(user_base_dn, object_bases[i]);
|
||||
+
|
||||
+ group_base_dn = talloc_strdup_append(group_base_dn, "cn=groups,");
|
||||
+ group_base_dn = talloc_strdup_append(group_base_dn, object_bases[i]);
|
||||
+
|
||||
+ params[i] = talloc_array(params[i], struct sss_test_conf_param, 5);
|
||||
+ params[i][0].key = "ldap_schema";
|
||||
+ params[i][0].value = "rfc2307bis";
|
||||
+ params[i][1].key = "ldap_search_base";
|
||||
+ params[i][1].value = talloc_strdup(params[i], object_bases[i]);
|
||||
+ params[i][2].key = "ldap_user_search_base";
|
||||
+ params[i][2].value = talloc_strdup(params[i], user_base_dn);
|
||||
+ params[i][3].key = "ldap_group_search_base";
|
||||
+ params[i][3].value = talloc_strdup(params[i], group_base_dn);
|
||||
+ params[i][4].key = NULL;
|
||||
+ params[i][4].value = NULL;
|
||||
+
|
||||
+ talloc_zfree(user_base_dn);
|
||||
+ talloc_zfree(group_base_dn);
|
||||
+ }
|
||||
+
|
||||
+ return params;
|
||||
+}
|
||||
+
|
||||
+struct sss_domain_info *get_domain_info(struct sss_domain_info *domain,
|
||||
+ const char *domain_name)
|
||||
+{
|
||||
+ struct sss_domain_info *dom = domain;
|
||||
+
|
||||
+ while(dom != NULL) {
|
||||
+ if (strcmp(dom->name, domain_name) == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+ dom = dom->next;
|
||||
+ }
|
||||
+
|
||||
+ return dom;
|
||||
+}
|
||||
+
|
||||
+struct sdap_get_initgr_state *prepare_state(struct test_sdap_initgr_ctx *ctx,
|
||||
+ const char **domain_names)
|
||||
+{
|
||||
+ struct sdap_get_initgr_state *state;
|
||||
+ struct sss_domain_info *dom_info = NULL;
|
||||
+ struct sss_domain_info *recent_dom_info = NULL;
|
||||
+
|
||||
+ state = talloc_zero(ctx->tctx, struct sdap_get_initgr_state);
|
||||
+ assert_non_null(state);
|
||||
+
|
||||
+ for (int i=0; domain_names[i] != NULL; i++) {
|
||||
+ dom_info = get_domain_info(ctx->tctx->dom, domain_names[i]);
|
||||
+ assert_non_null(dom_info);
|
||||
+
|
||||
+ if (i == 0) {
|
||||
+ state->dom = dom_info;
|
||||
+ recent_dom_info = state->dom;
|
||||
+ } else {
|
||||
+ recent_dom_info->next = dom_info;
|
||||
+ recent_dom_info = recent_dom_info->next;
|
||||
+ }
|
||||
+ }
|
||||
+ assert_non_null(state->dom);
|
||||
+ assert_non_null(recent_dom_info);
|
||||
+ recent_dom_info->next = NULL;
|
||||
+
|
||||
+ state->opts = mock_sdap_options_ldap(state, state->dom,
|
||||
+ ctx->tctx->confdb,
|
||||
+ ctx->tctx->conf_dom_path);
|
||||
+ assert_non_null(state->opts);
|
||||
+
|
||||
+ return state;
|
||||
+}
|
||||
+
|
||||
+/* TODO: This function is copied from test_nss_srv.c
|
||||
+ * It could be fine move both to one place,
|
||||
+ * for example src/tests/common_sysdb.c
|
||||
+ */
|
||||
+static errno_t store_user(TALLOC_CTX *ctx,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ struct passwd *user,
|
||||
+ struct sysdb_attrs *attrs,
|
||||
+ time_t cache_update)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ char *fqname;
|
||||
+
|
||||
+ fqname = sss_create_internal_fqname(ctx,
|
||||
+ user->pw_name,
|
||||
+ dom->name);
|
||||
+ if (fqname == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ /* Prime the cache with a valid user */
|
||||
+ ret = sysdb_store_user(dom,
|
||||
+ fqname,
|
||||
+ user->pw_passwd,
|
||||
+ user->pw_uid,
|
||||
+ user->pw_gid,
|
||||
+ user->pw_gecos,
|
||||
+ user->pw_dir,
|
||||
+ user->pw_shell,
|
||||
+ NULL, attrs,
|
||||
+ NULL, 300, cache_update);
|
||||
+ talloc_free(fqname);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+/* ====================== Setup =============================== */
|
||||
+
|
||||
+static int test_sdap_initgr_setup_one_domain(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sss_test_conf_param **params;
|
||||
+
|
||||
+ assert_true(leak_check_setup());
|
||||
+
|
||||
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ params = get_params(test_ctx);
|
||||
+ assert_non_null(params);
|
||||
+
|
||||
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH,
|
||||
+ TEST_CONF_DB, domains[0],
|
||||
+ TEST_ID_PROVIDER, params[0]);
|
||||
+ assert_non_null(test_ctx->tctx);
|
||||
+
|
||||
+ check_leaks_push(test_ctx);
|
||||
+ *state = test_ctx;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int test_sdap_initgr_setup_multi_domains(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sss_test_conf_param **params;
|
||||
+
|
||||
+ assert_true(leak_check_setup());
|
||||
+
|
||||
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ params = get_params(test_ctx);
|
||||
+ assert_non_null(params);
|
||||
+
|
||||
+ test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
|
||||
+ TEST_CONF_DB, domains,
|
||||
+ TEST_ID_PROVIDER, params);
|
||||
+ assert_non_null(test_ctx->tctx);
|
||||
+
|
||||
+ check_leaks_push(test_ctx);
|
||||
+ *state = test_ctx;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int test_sdap_initgr_setup_other_multi_domains(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sss_test_conf_param **params;
|
||||
+ const char *domains_vith_other[] = { TEST_DOM1_NAME,
|
||||
+ TEST_DOM3_NAME,
|
||||
+ NULL };
|
||||
+
|
||||
+ assert_true(leak_check_setup());
|
||||
+
|
||||
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ params = get_params(test_ctx);
|
||||
+ assert_non_null(params);
|
||||
+
|
||||
+ test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
|
||||
+ TEST_CONF_DB, domains_vith_other,
|
||||
+ TEST_ID_PROVIDER, params);
|
||||
+ assert_non_null(test_ctx->tctx);
|
||||
+
|
||||
+ check_leaks_push(test_ctx);
|
||||
+ *state = test_ctx;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int test_sdap_initgr_teardown(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ assert_true(check_leaks_pop(test_ctx) == true);
|
||||
+ talloc_free(test_ctx);
|
||||
+ assert_true(leak_check_teardown());
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/* ====================== The tests =============================== */
|
||||
+
|
||||
+static void test_user_is_on_batch(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sdap_get_initgr_state *initgr_state;
|
||||
+ const char *domains_set[] = { domains[0], NULL };
|
||||
+ struct sss_domain_info *dom1_info = NULL;
|
||||
+ struct sss_domain_info *dom2_info = NULL;
|
||||
+ struct passwd **passwd_users;
|
||||
+ struct sysdb_attrs **users;
|
||||
+ const char *user_name;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ dom1_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
|
||||
+ assert_non_null(dom1_info);
|
||||
+ dom2_info = get_domain_info(test_ctx->tctx->dom, domains[1]);
|
||||
+ assert_non_null(dom2_info);
|
||||
+
|
||||
+ initgr_state = prepare_state(test_ctx, domains_set);
|
||||
+ assert_non_null(initgr_state);
|
||||
+
|
||||
+ passwd_users = get_users(test_ctx);
|
||||
+ assert_non_null(passwd_users);
|
||||
+
|
||||
+ ret = store_user(test_ctx, dom1_info, passwd_users[0], NULL, 0);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ ret = store_user(test_ctx, dom2_info, passwd_users[1], NULL, 0);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 2);
|
||||
+ users[0] = mock_sysdb_user(users, object_bases[0],
|
||||
+ passwd_users[0]->pw_uid,
|
||||
+ passwd_users[0]->pw_name);
|
||||
+ users[1] = mock_sysdb_user(users, object_bases[1],
|
||||
+ passwd_users[1]->pw_uid,
|
||||
+ passwd_users[1]->pw_name);
|
||||
+
|
||||
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 2);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ ret = sysdb_attrs_get_string(initgr_state->orig_user, "name", &user_name);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_string_equal(user_name, passwd_users[0]->pw_name);
|
||||
+
|
||||
+ talloc_zfree(initgr_state);
|
||||
+ talloc_zfree(passwd_users);
|
||||
+ talloc_zfree(users);
|
||||
+}
|
||||
+
|
||||
+static void test_user_is_from_subdomain(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sdap_get_initgr_state *initgr_state;
|
||||
+ const char *domains_set[] = { domains[0], NULL };
|
||||
+ struct sss_domain_info *dom_info = NULL;
|
||||
+ struct passwd **passwd_users;
|
||||
+ struct sysdb_attrs **users;
|
||||
+ const char *user_name;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ dom_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
|
||||
+ assert_non_null(dom_info);
|
||||
+
|
||||
+ initgr_state = prepare_state(test_ctx, domains_set);
|
||||
+ assert_non_null(initgr_state);
|
||||
+
|
||||
+ passwd_users = get_users(test_ctx);
|
||||
+ assert_non_null(passwd_users);
|
||||
+
|
||||
+ ret = store_user(test_ctx, dom_info, passwd_users[0], NULL, 0);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 1);
|
||||
+ users[0] = mock_sysdb_user(users, object_bases[1],
|
||||
+ passwd_users[1]->pw_uid,
|
||||
+ passwd_users[1]->pw_name);
|
||||
+
|
||||
+ const char *original_dn = NULL;
|
||||
+ ret = sysdb_attrs_get_string(users[0], SYSDB_ORIG_DN, &original_dn);
|
||||
+
|
||||
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 1);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ ret = sysdb_attrs_get_string(initgr_state->orig_user, "name", &user_name);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_string_equal(user_name, passwd_users[1]->pw_name);
|
||||
+
|
||||
+ talloc_zfree(initgr_state);
|
||||
+ talloc_zfree(passwd_users);
|
||||
+ talloc_zfree(users);
|
||||
+}
|
||||
+
|
||||
+static void test_user_is_from_another_domain(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sdap_get_initgr_state *initgr_state;
|
||||
+ const char *domains_set[] = { domains[0], domains[2], NULL };
|
||||
+ struct sss_domain_info *dom_info = NULL;
|
||||
+ struct sss_domain_info *other_dom_info = NULL;
|
||||
+ struct sdap_domain *other_sdom = NULL;
|
||||
+ struct passwd **passwd_users;
|
||||
+ struct sysdb_attrs **users;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ dom_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
|
||||
+ assert_non_null(dom_info);
|
||||
+
|
||||
+ initgr_state = prepare_state(test_ctx, domains_set);
|
||||
+ assert_non_null(initgr_state);
|
||||
+
|
||||
+ other_dom_info = get_domain_info(test_ctx->tctx->dom, domains[2]);
|
||||
+ assert_non_null(other_dom_info);
|
||||
+
|
||||
+ ret = sdap_domain_add(initgr_state->opts, other_dom_info, &other_sdom);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ talloc_zfree(other_sdom->search_bases);
|
||||
+ other_sdom->search_bases = talloc_array(other_sdom,
|
||||
+ struct sdap_search_base *, 2);
|
||||
+ assert_non_null(other_sdom->search_bases);
|
||||
+ other_sdom->search_bases[1] = NULL;
|
||||
+
|
||||
+ ret = sdap_create_search_base(other_sdom, object_bases[2],
|
||||
+ LDAP_SCOPE_SUBTREE, NULL,
|
||||
+ &other_sdom->search_bases[0]);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ passwd_users = get_users(test_ctx);
|
||||
+ assert_non_null(passwd_users);
|
||||
+
|
||||
+ ret = store_user(test_ctx, dom_info, passwd_users[0], NULL, 0);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 1);
|
||||
+ users[0] = mock_sysdb_user(users, object_bases[2],
|
||||
+ passwd_users[2]->pw_uid,
|
||||
+ passwd_users[2]->pw_name);
|
||||
+
|
||||
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 1);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ talloc_zfree(initgr_state);
|
||||
+ talloc_zfree(passwd_users);
|
||||
+ talloc_zfree(users);
|
||||
+}
|
||||
+
|
||||
+int main(int argc, const char *argv[])
|
||||
+{
|
||||
+ int rv;
|
||||
+ poptContext pc;
|
||||
+ int opt;
|
||||
+ struct poptOption long_options[] = {
|
||||
+ POPT_AUTOHELP
|
||||
+ SSSD_DEBUG_OPTS
|
||||
+ POPT_TABLEEND
|
||||
+ };
|
||||
+
|
||||
+ const struct CMUnitTest tests[] = {
|
||||
+ cmocka_unit_test_setup_teardown(test_user_is_on_batch,
|
||||
+ test_sdap_initgr_setup_multi_domains,
|
||||
+ test_sdap_initgr_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_user_is_from_subdomain,
|
||||
+ test_sdap_initgr_setup_one_domain,
|
||||
+ test_sdap_initgr_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_user_is_from_another_domain,
|
||||
+ test_sdap_initgr_setup_other_multi_domains,
|
||||
+ test_sdap_initgr_teardown),
|
||||
+ };
|
||||
+
|
||||
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
+ debug_level = SSSDBG_INVALID;
|
||||
+
|
||||
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
|
||||
+ while((opt = poptGetNextOpt(pc)) != -1) {
|
||||
+ switch(opt) {
|
||||
+ default:
|
||||
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
|
||||
+ poptBadOption(pc, 0), poptStrerror(opt));
|
||||
+ poptPrintUsage(pc, stderr, 0);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ }
|
||||
+ poptFreeContext(pc);
|
||||
+
|
||||
+ DEBUG_CLI_INIT(debug_level);
|
||||
+
|
||||
+ /* Even though normally the tests should clean up after themselves
|
||||
+ * they might not after a failed run. Remove the old db to be sure */
|
||||
+ tests_set_cwd();
|
||||
+
|
||||
+ test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
|
||||
+ test_dom_suite_setup(TESTS_PATH);
|
||||
+
|
||||
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
|
||||
+ if (rv == 0) {
|
||||
+ test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
|
||||
+ }
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
31
0022-ssh-fix-number-of-output-certificates.patch
Normal file
31
0022-ssh-fix-number-of-output-certificates.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From d8c459feab7659a51c23c941fea486867c2b9dae Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 17 Jan 2017 12:00:31 +0100
|
||||
Subject: [PATCH 22/79] ssh: fix number of output certificates
|
||||
|
||||
SSH responder returned invalid number of certificates when
|
||||
original ad pubkey attribute was not empty. Since we always
|
||||
return all certificates to the client we should add number
|
||||
of results to the output not override it.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/ssh/sshsrv_cmd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
|
||||
index 2e64893dfc2018727e6fc5fb80b47bd7eb1fac58..bd6270d0f1b62323ef7d140193351fb8585ce2ec 100644
|
||||
--- a/src/responder/ssh/sshsrv_cmd.c
|
||||
+++ b/src/responder/ssh/sshsrv_cmd.c
|
||||
@@ -1012,7 +1012,7 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
|
||||
el_orig = ldb_msg_find_element(cmd_ctx->result,
|
||||
ORIGINALAD_PREFIX SYSDB_SSH_PUBKEY);
|
||||
if (el_orig) {
|
||||
- count = el_orig->num_values;
|
||||
+ count += el_orig->num_values;
|
||||
}
|
||||
|
||||
if (DOM_HAS_VIEWS(cmd_ctx->domain)) {
|
||||
--
|
||||
2.9.3
|
||||
|
76
0023-ssh-do-not-create-again-fq-name.patch
Normal file
76
0023-ssh-do-not-create-again-fq-name.patch
Normal file
@ -0,0 +1,76 @@
|
||||
From e33744e8cc82390153c94ace53c16f72365b9fd9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 17 Jan 2017 11:58:06 +0100
|
||||
Subject: [PATCH 23/79] ssh: do not create again fq name
|
||||
|
||||
We store fully qualified name in sysdb so there is no need to append
|
||||
the domain part again which result in name@domain@domain string.
|
||||
This field is not actually used in ssh client so it doesn't cause
|
||||
any issue but we should stay correct here.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/ssh/sshsrv_cmd.c | 20 ++++++--------------
|
||||
1 file changed, 6 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
|
||||
index bd6270d0f1b62323ef7d140193351fb8585ce2ec..195d5763e9c5f4f9ff2f2f5ac49cd856d9198e7a 100644
|
||||
--- a/src/responder/ssh/sshsrv_cmd.c
|
||||
+++ b/src/responder/ssh/sshsrv_cmd.c
|
||||
@@ -982,8 +982,7 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
|
||||
struct ldb_message_element *el_user_cert_keys = NULL;
|
||||
uint32_t count = 0;
|
||||
const char *name;
|
||||
- char *fqname;
|
||||
- uint32_t fqname_len;
|
||||
+ uint32_t name_len;
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
struct ssh_ctx *ssh_ctx;
|
||||
struct cli_protocol *pctx;
|
||||
@@ -1060,38 +1059,31 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- fqname = talloc_asprintf(cmd_ctx, "%s@%s",
|
||||
- name, cmd_ctx->domain->name);
|
||||
- if (!fqname) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- fqname_len = strlen(fqname)+1;
|
||||
+ name_len = strlen(name) + 1;
|
||||
|
||||
ret = decode_and_add_base64_data(cmd_ctx, el, false, ssh_ctx,
|
||||
- fqname_len, fqname, &c);
|
||||
+ name_len, name, &c);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
ret = decode_and_add_base64_data(cmd_ctx, el_orig, false, ssh_ctx,
|
||||
- fqname_len, fqname, &c);
|
||||
+ name_len, name, &c);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
ret = decode_and_add_base64_data(cmd_ctx, el_override, false, ssh_ctx,
|
||||
- fqname_len, fqname, &c);
|
||||
+ name_len, name, &c);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
ret = decode_and_add_base64_data(cmd_ctx, el_user_cert_keys, true, ssh_ctx,
|
||||
- fqname_len, fqname, &c);
|
||||
+ name_len, name, &c);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
|
||||
goto done;
|
||||
--
|
||||
2.9.3
|
||||
|
198
0024-sss_parse_inp_send-provide-default_domain-as-paramet.patch
Normal file
198
0024-sss_parse_inp_send-provide-default_domain-as-paramet.patch
Normal file
@ -0,0 +1,198 @@
|
||||
From 2b5704cd96a085b99d3b0d4f80f4414adc134750 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 3 Feb 2017 12:44:15 +0100
|
||||
Subject: [PATCH 24/79] sss_parse_inp_send: provide default_domain as parameter
|
||||
|
||||
It is not always desirable to consider default_domain from configuration
|
||||
but expect none instead. For example when we search host certificates.
|
||||
|
||||
This is currently not used in this patch since host lookups parse
|
||||
name directly with sss_parse_name but it will be used in the next
|
||||
patch.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.c | 3 ++-
|
||||
src/responder/common/responder.h | 5 ++++-
|
||||
src/responder/common/responder_get_domains.c | 30 ++++++++++++++++++++++++----
|
||||
src/responder/ifp/ifpsrv_cmd.c | 2 +-
|
||||
src/tests/cmocka/common_mock_resp_dp.c | 4 +++-
|
||||
src/tests/cmocka/test_responder_common.c | 12 +++++++----
|
||||
6 files changed, 44 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index f546e6130a181f7b6d3fc1aca8ad0766e8a7f19d..e5026e1a869064fe81cc04e3b2bbd8c4cefec304 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -415,7 +415,8 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
|
||||
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
|
||||
"Parsing input name [%s]\n", cr->data->name.input);
|
||||
|
||||
- subreq = sss_parse_inp_send(mem_ctx, cr->rctx, cr->data->name.input);
|
||||
+ subreq = sss_parse_inp_send(mem_ctx, cr->rctx, cr->rctx->default_domain,
|
||||
+ cr->data->name.input);
|
||||
if (subreq == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
|
||||
return ENOMEM;
|
||||
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
|
||||
index d1fa532be3402214842da50e037f5f8d149631fb..c387c6ec326c612eef8798673c1c70c67efd5452 100644
|
||||
--- a/src/responder/common/responder.h
|
||||
+++ b/src/responder/common/responder.h
|
||||
@@ -347,8 +347,11 @@ errno_t check_allowed_uids(uid_t uid, size_t allowed_uids_count,
|
||||
uid_t *allowed_uids);
|
||||
|
||||
struct tevent_req *
|
||||
-sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
|
||||
+sss_parse_inp_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ const char *default_domain,
|
||||
const char *rawinp);
|
||||
+
|
||||
errno_t sss_parse_inp_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
||||
char **_name, char **_domname);
|
||||
|
||||
diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
|
||||
index cc7b99f30046569547a08f83e46cbbe9d6c19897..0f39d107dad6c458785b1b8d708e60d7c34e3901 100644
|
||||
--- a/src/responder/common/responder_get_domains.c
|
||||
+++ b/src/responder/common/responder_get_domains.c
|
||||
@@ -443,6 +443,7 @@ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
|
||||
|
||||
struct sss_parse_inp_state {
|
||||
struct resp_ctx *rctx;
|
||||
+ const char *default_domain;
|
||||
const char *rawinp;
|
||||
|
||||
char *name;
|
||||
@@ -453,7 +454,9 @@ struct sss_parse_inp_state {
|
||||
static void sss_parse_inp_done(struct tevent_req *subreq);
|
||||
|
||||
struct tevent_req *
|
||||
-sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
|
||||
+sss_parse_inp_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ const char *default_domain,
|
||||
const char *rawinp)
|
||||
{
|
||||
errno_t ret;
|
||||
@@ -465,16 +468,35 @@ sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
|
||||
if (req == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
- state->rawinp = rawinp;
|
||||
+
|
||||
+ if (rawinp == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Empty input!\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
state->rctx = rctx;
|
||||
|
||||
+ state->rawinp = talloc_strdup(state, rawinp);
|
||||
+ if (state->rawinp == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+ state->default_domain = talloc_strdup(state, default_domain);
|
||||
+ if (default_domain != NULL && state->default_domain == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
/* If the subdomains haven't been checked yet, we need to always
|
||||
* attach to the post-startup subdomain request and only then parse
|
||||
* the input. Otherwise, we might not be able to parse input with a
|
||||
* flat domain name specifier */
|
||||
if (rctx->get_domains_last_call.tv_sec > 0) {
|
||||
ret = sss_parse_name_for_domains(state, rctx->domains,
|
||||
- rctx->default_domain, rawinp,
|
||||
+ default_domain, rawinp,
|
||||
&state->domname, &state->name);
|
||||
if (ret == EOK) {
|
||||
/* Was able to use cached domains */
|
||||
@@ -532,7 +554,7 @@ static void sss_parse_inp_done(struct tevent_req *subreq)
|
||||
state->error = ERR_OK;
|
||||
|
||||
ret = sss_parse_name_for_domains(state, state->rctx->domains,
|
||||
- state->rctx->default_domain,
|
||||
+ state->default_domain,
|
||||
state->rawinp,
|
||||
&state->domname, &state->name);
|
||||
if (ret == EAGAIN && state->domname != NULL && state->name == NULL) {
|
||||
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
|
||||
index 23f410a19ea985b4fcfcf34a770d37ea9a864e67..07edcddffa1091f8bbcf79a25962aadc791bb890 100644
|
||||
--- a/src/responder/ifp/ifpsrv_cmd.c
|
||||
+++ b/src/responder/ifp/ifpsrv_cmd.c
|
||||
@@ -453,7 +453,7 @@ ifp_user_get_attr_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
|
||||
state->ncache = ncache;
|
||||
state->search_type = search_type;
|
||||
|
||||
- subreq = sss_parse_inp_send(req, rctx, inp);
|
||||
+ subreq = sss_parse_inp_send(req, rctx, rctx->default_domain, inp);
|
||||
if (subreq == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c
|
||||
index f62606eb8a33b6417bbd32a7dccdbeaabd05818f..0b6870346c00954a3e2accf8f21625a14da8afb5 100644
|
||||
--- a/src/tests/cmocka/common_mock_resp_dp.c
|
||||
+++ b/src/tests/cmocka/common_mock_resp_dp.c
|
||||
@@ -80,7 +80,9 @@ void mock_account_recv_simple(void)
|
||||
}
|
||||
|
||||
struct tevent_req *
|
||||
-sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
|
||||
+sss_parse_inp_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ const char *default_domain,
|
||||
const char *rawinp)
|
||||
{
|
||||
return test_req_succeed_send(mem_ctx, rctx->ev);
|
||||
diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
|
||||
index b25f8a8efcded664ed61be4d5a67b0f2e3adf327..fb7e4ee500570319999e6e85ee14a05cddea8de3 100644
|
||||
--- a/src/tests/cmocka/test_responder_common.c
|
||||
+++ b/src/tests/cmocka/test_responder_common.c
|
||||
@@ -192,7 +192,8 @@ void parse_inp_simple(void **state)
|
||||
|
||||
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
|
||||
|
||||
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
|
||||
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
|
||||
+ parse_inp_ctx->rctx->default_domain, NAME);
|
||||
assert_non_null(req);
|
||||
tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
|
||||
|
||||
@@ -213,7 +214,8 @@ void parse_inp_call_dp(void **state)
|
||||
/* The second one will succeed as the domains are up-to-date */
|
||||
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
|
||||
|
||||
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
|
||||
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
|
||||
+ parse_inp_ctx->rctx->default_domain, NAME);
|
||||
assert_non_null(req);
|
||||
tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
|
||||
|
||||
@@ -235,7 +237,8 @@ void parse_inp_call_attach(void **state)
|
||||
* as the domains are up-to-date */
|
||||
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
|
||||
|
||||
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
|
||||
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
|
||||
+ parse_inp_ctx->rctx->default_domain, NAME);
|
||||
assert_non_null(req);
|
||||
tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
|
||||
|
||||
@@ -271,7 +274,8 @@ void parse_inp_call_neg(void **state)
|
||||
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_WRAPPER);
|
||||
will_return(__wrap_sss_parse_name_for_domains, EINVAL);
|
||||
|
||||
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
|
||||
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
|
||||
+ parse_inp_ctx->rctx->default_domain, NAME);
|
||||
assert_non_null(req);
|
||||
tevent_req_set_callback(req, parse_inp_neg_done, parse_inp_ctx);
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
310
0025-cache_req-add-ability-to-not-use-default-domain-suff.patch
Normal file
310
0025-cache_req-add-ability-to-not-use-default-domain-suff.patch
Normal file
@ -0,0 +1,310 @@
|
||||
From ddfd1900b26c66a062457d4fcc1a48bafd3eadf6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 3 Feb 2017 13:04:23 +0100
|
||||
Subject: [PATCH 25/79] cache_req: add ability to not use default domain suffix
|
||||
|
||||
This will be used in the next plugin "host by name" where
|
||||
it is not desirable to use default domain suffix if set.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.c | 8 +++++++-
|
||||
src/responder/common/cache_req/cache_req_plugin.h | 5 +++++
|
||||
src/responder/common/cache_req/plugins/cache_req_enum_groups.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_enum_svc.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_enum_users.c | 1 +
|
||||
.../common/cache_req/plugins/cache_req_group_by_filter.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_group_by_id.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_group_by_name.c | 1 +
|
||||
.../common/cache_req/plugins/cache_req_initgroups_by_name.c | 1 +
|
||||
.../common/cache_req/plugins/cache_req_initgroups_by_upn.c | 1 +
|
||||
.../common/cache_req/plugins/cache_req_netgroup_by_name.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_object_by_id.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_object_by_name.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_object_by_sid.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_svc_by_name.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_svc_by_port.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_cert.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_filter.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_id.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_name.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_upn.c | 1 +
|
||||
21 files changed, 31 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index e5026e1a869064fe81cc04e3b2bbd8c4cefec304..aed8f1b225899a1c470407e259d2068ef62922b7 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -400,6 +400,7 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
|
||||
const char *domain)
|
||||
{
|
||||
struct tevent_req *subreq;
|
||||
+ const char *default_domain;
|
||||
|
||||
if (cr->data->name.input == NULL) {
|
||||
/* Input was not name, there is no need to process it further. */
|
||||
@@ -411,11 +412,16 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
|
||||
return cache_req_set_name(cr, cr->data->name.input);
|
||||
}
|
||||
|
||||
+ default_domain = NULL;
|
||||
+ if (!cr->plugin->ignore_default_domain) {
|
||||
+ default_domain = cr->rctx->default_domain;
|
||||
+ }
|
||||
+
|
||||
/* Parse name since it may contain a domain name. */
|
||||
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
|
||||
"Parsing input name [%s]\n", cr->data->name.input);
|
||||
|
||||
- subreq = sss_parse_inp_send(mem_ctx, cr->rctx, cr->rctx->default_domain,
|
||||
+ subreq = sss_parse_inp_send(mem_ctx, cr->rctx, default_domain,
|
||||
cr->data->name.input);
|
||||
if (subreq == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
|
||||
diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h
|
||||
index e4d5eef91672a83e1ced47b394368a457acfbcb8..59ef8bad1697e094f729c53f33bda4f1d825cdff 100644
|
||||
--- a/src/responder/common/cache_req/cache_req_plugin.h
|
||||
+++ b/src/responder/common/cache_req/cache_req_plugin.h
|
||||
@@ -157,6 +157,11 @@ struct cache_req_plugin {
|
||||
bool parse_name;
|
||||
|
||||
/**
|
||||
+ * True if default domain suffix should be ignored when parsing name.
|
||||
+ */
|
||||
+ bool ignore_default_domain;
|
||||
+
|
||||
+ /**
|
||||
* True if we always contact data provider.
|
||||
*/
|
||||
bool bypass_cache;
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_groups.c b/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
|
||||
index de4bd968b18920cde0630dbd5142ce99d3b70a3e..2056dc2ccdadef98772402bde45aef8e043a0e76 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
|
||||
@@ -64,6 +64,7 @@ const struct cache_req_plugin cache_req_enum_groups = {
|
||||
.dp_type = SSS_DP_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = true,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = true,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
|
||||
index c83564fdce8abc237a3a4dbe7a88b4bc6c2baaff..e850212977bb26dc13b900f6e5908865fffa59b0 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
|
||||
@@ -65,6 +65,7 @@ const struct cache_req_plugin cache_req_enum_svc = {
|
||||
.dp_type = SSS_DP_SERVICES,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = true,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = true,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_users.c b/src/responder/common/cache_req/plugins/cache_req_enum_users.c
|
||||
index c4eeed7463cca6ecd17fe8042d62f4b72da46e68..2adeddb6b4bea044371f168f5d39aecc1f06cc45 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_enum_users.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_users.c
|
||||
@@ -64,6 +64,7 @@ const struct cache_req_plugin cache_req_enum_users = {
|
||||
.dp_type = SSS_DP_USER,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = true,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = true,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
|
||||
index 1619cf7bdd6ad7ef7c1ea71ef0dd8f24611c1a6e..bc42eb7db0830ba31649c2cbb9525dfd1f7b1fae 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
|
||||
@@ -119,6 +119,7 @@ const struct cache_req_plugin cache_req_group_by_filter = {
|
||||
.dp_type = SSS_DP_WILDCARD_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = true,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
||||
index 293994fa1e22a23b7ff19c50050e5c6c25274b5d..e48588087eafde68a4a85c546cf08e90eb6c7605 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
||||
@@ -107,6 +107,7 @@ const struct cache_req_plugin cache_req_group_by_id = {
|
||||
.dp_type = SSS_DP_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
|
||||
index c88dbd4566297da98d306e20deb7f7c64c7991a4..962b38866a1408bbdff556e20df5a69b0d4bbba0 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
|
||||
@@ -157,6 +157,7 @@ const struct cache_req_plugin cache_req_group_by_name = {
|
||||
.dp_type = SSS_DP_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
|
||||
index 9575ae70731875979f924dbf948222ed705fd923..d2f03cbea0780e4e0b88d56fcfbcf8903bcb3c85 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
|
||||
@@ -172,6 +172,7 @@ const struct cache_req_plugin cache_req_initgroups_by_name = {
|
||||
.dp_type = SSS_DP_INITGROUPS,
|
||||
.attr_expiration = SYSDB_INITGR_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
|
||||
index 7a0b96b19f487e046c32235e02ec0fdbc7baa211..9b2d07d4afa98cbfca4a62f944b744f01897a0ee 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
|
||||
@@ -108,6 +108,7 @@ const struct cache_req_plugin cache_req_initgroups_by_upn = {
|
||||
.dp_type = SSS_DP_INITGROUPS,
|
||||
.attr_expiration = SYSDB_INITGR_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
|
||||
index 15549adeff9e038387b21b6349b18683c14afe65..5b19edeb2952b83406ff20d001dd7d24449f69c9 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
|
||||
@@ -116,6 +116,7 @@ const struct cache_req_plugin cache_req_netgroup_by_name = {
|
||||
.dp_type = SSS_DP_NETGR,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
||||
index b8ad3b5e76cbf52fb61e22aa872e51e7f51bbf29..3f47807616054c644e27e4c240ad7c4b752a563e 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
||||
@@ -99,6 +99,7 @@ const struct cache_req_plugin cache_req_object_by_id = {
|
||||
.dp_type = SSS_DP_USER_AND_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
|
||||
index 1ec906c7ad0c0f2d327667c697a96f2c2735d066..6829d0ec97c147aafda46b6eace25b97a28e626a 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
|
||||
@@ -192,6 +192,7 @@ const struct cache_req_plugin cache_req_object_by_name = {
|
||||
.dp_type = SSS_DP_USER_AND_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c b/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
|
||||
index 35cb74f61fab0c72dda68c8f95e30be9127f938f..6a6eb8e72c52c069935ca4e612e60f602c7b91bd 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
|
||||
@@ -109,6 +109,7 @@ const struct cache_req_plugin cache_req_object_by_sid = {
|
||||
.dp_type = SSS_DP_SECID,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c b/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
|
||||
index 4de27571c199baeeec1064f6d9b626fef08212c7..9562354ed3a453e3aec7264bb32dbd5273fb0927 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
|
||||
@@ -140,6 +140,7 @@ const struct cache_req_plugin cache_req_svc_by_name = {
|
||||
.dp_type = SSS_DP_SERVICES,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c b/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
|
||||
index 1b17c71352678f7dfae830bea3ab3909fd62c564..55117492f6f8aa6a4e31c1e23862215255cdf660 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
|
||||
@@ -113,6 +113,7 @@ const struct cache_req_plugin cache_req_svc_by_port = {
|
||||
.dp_type = SSS_DP_SERVICES,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c b/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
|
||||
index 9a1bcc6aa1225c27362b11b9321994f65261d5cb..5203d3f94421715b711bcd1e01b7a42737b6fe41 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
|
||||
@@ -83,6 +83,7 @@ const struct cache_req_plugin cache_req_user_by_cert = {
|
||||
.dp_type = SSS_DP_CERT,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
|
||||
index ee9f60bf682629acf3b2ec3d16a3ed075084480d..4c328a5d900e37de0f3396a8c2f1c937360ce081 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
|
||||
@@ -119,6 +119,7 @@ const struct cache_req_plugin cache_req_user_by_filter = {
|
||||
.dp_type = SSS_DP_WILDCARD_USER,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = true,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
||||
index d710986d1102af4422d29a9943c903f23bea8b9e..d794d248b1e9b11cd41210b8180823e3a2565847 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
||||
@@ -107,6 +107,7 @@ const struct cache_req_plugin cache_req_user_by_id = {
|
||||
.dp_type = SSS_DP_USER,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
index 46dd9434b34536b72b0966f53ab341c09542f16c..9ee7bef1cc904d25d156b3f64e039e47be58d1cc 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
@@ -157,6 +157,7 @@ const struct cache_req_plugin cache_req_user_by_name = {
|
||||
.dp_type = SSS_DP_USER,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
|
||||
index 9d1e703d623cd830c2ab6db6e835c4bec49f57e5..4c6e6bcd056392abb729d416d406f28c28cdaa77 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
|
||||
@@ -112,6 +112,7 @@ const struct cache_req_plugin cache_req_user_by_upn = {
|
||||
.dp_type = SSS_DP_USER,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
--
|
||||
2.9.3
|
||||
|
87
0026-cache_req-search-user-by-name-with-attrs.patch
Normal file
87
0026-cache_req-search-user-by-name-with-attrs.patch
Normal file
@ -0,0 +1,87 @@
|
||||
From 7723e79f5a1fad4201360199037aea33f655bab6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 11 Jan 2017 11:36:50 +0100
|
||||
Subject: [PATCH 26/79] cache_req: search user by name with attrs
|
||||
|
||||
Sometime is is desirable to aquire more attribute from user object
|
||||
than SYSDB_PW_ATTRS set. such as user's public key.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.h | 13 +++++++++
|
||||
.../cache_req/plugins/cache_req_user_by_name.c | 31 ++++++++++++++++++++--
|
||||
2 files changed, 42 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
|
||||
index 7700091078c96698a5aaf12cf0d50f259cd186d8..2740c21ee0e390c64d94fedd6ab2cb7483cfe302 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.h
|
||||
+++ b/src/responder/common/cache_req/cache_req.h
|
||||
@@ -186,6 +186,19 @@ cache_req_user_by_name_send(TALLOC_CTX *mem_ctx,
|
||||
cache_req_single_domain_recv(mem_ctx, req, _result)
|
||||
|
||||
struct tevent_req *
|
||||
+cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_nc_ctx *ncache,
|
||||
+ int cache_refresh_percent,
|
||||
+ const char *domain,
|
||||
+ const char *name,
|
||||
+ const char **attrs);
|
||||
+
|
||||
+#define cache_req_user_by_name_attrs_recv(mem_ctx, req, _result) \
|
||||
+ cache_req_single_domain_recv(mem_ctx, req, _result)
|
||||
+
|
||||
+struct tevent_req *
|
||||
cache_req_user_by_id_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
struct resp_ctx *rctx,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
index 9ee7bef1cc904d25d156b3f64e039e47be58d1cc..3f343870c7e7c28ac72f4e94272c6dee281b963c 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
@@ -105,8 +105,13 @@ cache_req_user_by_name_lookup(TALLOC_CTX *mem_ctx,
|
||||
struct sss_domain_info *domain,
|
||||
struct ldb_result **_result)
|
||||
{
|
||||
- return sysdb_getpwnam_with_views(mem_ctx, domain, data->name.lookup,
|
||||
- _result);
|
||||
+ if (data->attrs == NULL) {
|
||||
+ return sysdb_getpwnam_with_views(mem_ctx, domain, data->name.lookup,
|
||||
+ _result);
|
||||
+ }
|
||||
+
|
||||
+ return sysdb_get_user_attr_with_views(mem_ctx, domain, data->name.lookup,
|
||||
+ data->attrs, _result);
|
||||
}
|
||||
|
||||
static errno_t
|
||||
@@ -196,3 +201,25 @@ cache_req_user_by_name_send(TALLOC_CTX *mem_ctx,
|
||||
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
|
||||
cache_refresh_percent, domain, data);
|
||||
}
|
||||
+
|
||||
+struct tevent_req *
|
||||
+cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_nc_ctx *ncache,
|
||||
+ int cache_refresh_percent,
|
||||
+ const char *domain,
|
||||
+ const char *name,
|
||||
+ const char **attrs)
|
||||
+{
|
||||
+ struct cache_req_data *data;
|
||||
+
|
||||
+ data = cache_req_data_name_attrs(mem_ctx, CACHE_REQ_USER_BY_NAME,
|
||||
+ name, attrs);
|
||||
+ if (data == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
|
||||
+ cache_refresh_percent, domain, data);
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,99 @@
|
||||
From 9492b3b26ac0b1898f836094074a9d8b38916e13 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 17 Jan 2017 14:11:32 +0100
|
||||
Subject: [PATCH 27/79] cache_req: add api to create ldb_result from message
|
||||
|
||||
Some sysdb methods doesn't return ldb_result as output but return
|
||||
ldb_message instead. Changing sysdb to be consistent is too big
|
||||
so I added this helper function that will wrap resulting message
|
||||
into ldb_result.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.c | 47 ++++++++++++++++++------------
|
||||
1 file changed, 28 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index aed8f1b225899a1c470407e259d2068ef62922b7..31c220b3a66db815100b10a4f2e04388c13eaf78 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -78,7 +78,6 @@ static errno_t cache_req_set_plugin(struct cache_req *cr,
|
||||
}
|
||||
|
||||
cr->reqname = plugin->name;
|
||||
- cr->dp_type = plugin->dp_type;
|
||||
cr->plugin = plugin;
|
||||
|
||||
CACHE_REQ_DEBUG(SSSDBG_TRACE_INTERNAL, cr, "Setting \"%s\" plugin\n",
|
||||
@@ -820,16 +819,11 @@ cache_req_create_result(TALLOC_CTX *mem_ctx,
|
||||
return result;
|
||||
}
|
||||
|
||||
-struct cache_req_result *
|
||||
-cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx,
|
||||
- struct sss_domain_info *domain,
|
||||
- struct ldb_message *ldb_msg,
|
||||
- const char *lookup_name,
|
||||
- const char *well_known_domain)
|
||||
+struct ldb_result *
|
||||
+cache_req_create_ldb_result_from_msg(TALLOC_CTX *mem_ctx,
|
||||
+ struct ldb_message *ldb_msg)
|
||||
{
|
||||
- struct cache_req_result *result;
|
||||
struct ldb_result *ldb_result;
|
||||
- errno_t ret;
|
||||
|
||||
if (ldb_msg == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "No message set!\n");
|
||||
@@ -847,23 +841,38 @@ cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx,
|
||||
ldb_result->count = 1;
|
||||
ldb_result->msgs = talloc_zero_array(ldb_result, struct ldb_message *, 2);
|
||||
if (ldb_result->msgs == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
+ talloc_free(ldb_result);
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
ldb_result->msgs[0] = talloc_steal(ldb_result->msgs, ldb_msg);
|
||||
|
||||
+ return ldb_result;
|
||||
+}
|
||||
+
|
||||
+struct cache_req_result *
|
||||
+cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx,
|
||||
+ struct sss_domain_info *domain,
|
||||
+ struct ldb_message *ldb_msg,
|
||||
+ const char *lookup_name,
|
||||
+ const char *well_known_domain)
|
||||
+{
|
||||
+ struct cache_req_result *result;
|
||||
+ struct ldb_result *ldb_result;
|
||||
+
|
||||
+ if (ldb_msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "No message set!\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ ldb_result = cache_req_create_ldb_result_from_msg(mem_ctx, ldb_msg);
|
||||
+ if (ldb_result == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
result = cache_req_create_result(mem_ctx, domain, ldb_result,
|
||||
lookup_name, well_known_domain);
|
||||
if (result == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = EOK;
|
||||
-
|
||||
-done:
|
||||
- if (ret != EOK) {
|
||||
talloc_free(ldb_result);
|
||||
return NULL;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
1426
0028-cache_req-move-dp-request-to-plugin.patch
Normal file
1426
0028-cache_req-move-dp-request-to-plugin.patch
Normal file
File diff suppressed because it is too large
Load Diff
453
0029-cache_req-add-host-by-name-search.patch
Normal file
453
0029-cache_req-add-host-by-name-search.patch
Normal file
@ -0,0 +1,453 @@
|
||||
From 53c31b83e4d06ea4c2813eec2f1e647a613b4a2b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 18 Jan 2017 12:12:01 +0100
|
||||
Subject: [PATCH 29/79] cache_req: add host by name search
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
Makefile.am | 3 +-
|
||||
src/responder/common/cache_req/cache_req.c | 2 +
|
||||
src/responder/common/cache_req/cache_req.h | 23 ++++
|
||||
src/responder/common/cache_req/cache_req_data.c | 39 +++++++
|
||||
src/responder/common/cache_req/cache_req_plugin.h | 1 +
|
||||
src/responder/common/cache_req/cache_req_private.h | 1 +
|
||||
.../cache_req/plugins/cache_req_host_by_name.c | 121 +++++++++++++++++++++
|
||||
src/responder/common/responder.h | 15 +++
|
||||
.../{ssh/sshsrv_dp.c => common/responder_dp_ssh.c} | 3 +-
|
||||
src/responder/ssh/sshsrv_private.h | 15 ---
|
||||
src/tests/cmocka/common_mock_resp_dp.c | 33 ++++++
|
||||
src/tests/cwrap/Makefile.am | 2 +
|
||||
12 files changed, 240 insertions(+), 18 deletions(-)
|
||||
create mode 100644 src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
rename src/responder/{ssh/sshsrv_dp.c => common/responder_dp_ssh.c} (99%)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 9dd2060c6615b1c23ae8adb61886341bcdc49560..6592261df87fc4fd0b83aba42e9f5cd12238a6cb 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -513,6 +513,7 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \
|
||||
src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \
|
||||
src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
|
||||
+ src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
|
||||
$(NULL)
|
||||
|
||||
SSSD_RESPONDER_OBJ = \
|
||||
@@ -521,6 +522,7 @@ SSSD_RESPONDER_OBJ = \
|
||||
src/responder/common/responder_cmd.c \
|
||||
src/responder/common/responder_common.c \
|
||||
src/responder/common/responder_dp.c \
|
||||
+ src/responder/common/responder_dp_ssh.c \
|
||||
src/responder/common/responder_packet.c \
|
||||
src/responder/common/responder_get_domains.c \
|
||||
src/responder/common/responder_utils.c \
|
||||
@@ -1331,7 +1333,6 @@ endif
|
||||
if BUILD_SSH
|
||||
sssd_ssh_SOURCES = \
|
||||
src/responder/ssh/sshsrv.c \
|
||||
- src/responder/ssh/sshsrv_dp.c \
|
||||
src/responder/ssh/sshsrv_cmd.c \
|
||||
$(SSSD_RESPONDER_OBJ) \
|
||||
$(NULL)
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index 31c220b3a66db815100b10a4f2e04388c13eaf78..16429c666a6db79afaad52b509fc63d639815b31 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -56,6 +56,8 @@ cache_req_get_plugin(enum cache_req_type type)
|
||||
&cache_req_svc_by_port,
|
||||
|
||||
&cache_req_netgroup_by_name,
|
||||
+
|
||||
+ &cache_req_host_by_name,
|
||||
};
|
||||
|
||||
if (type >= CACHE_REQ_SENTINEL) {
|
||||
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
|
||||
index 2740c21ee0e390c64d94fedd6ab2cb7483cfe302..185558d7d7abd03429e35f391616d249e52c2f76 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.h
|
||||
+++ b/src/responder/common/cache_req/cache_req.h
|
||||
@@ -52,6 +52,8 @@ enum cache_req_type {
|
||||
|
||||
CACHE_REQ_NETGROUP_BY_NAME,
|
||||
|
||||
+ CACHE_REQ_HOST_BY_NAME,
|
||||
+
|
||||
CACHE_REQ_SENTINEL
|
||||
};
|
||||
|
||||
@@ -103,6 +105,13 @@ cache_req_data_svc(TALLOC_CTX *mem_ctx,
|
||||
const char *protocol,
|
||||
uint16_t port);
|
||||
|
||||
+struct cache_req_data *
|
||||
+cache_req_data_host(TALLOC_CTX *mem_ctx,
|
||||
+ enum cache_req_type type,
|
||||
+ const char *name,
|
||||
+ const char *alias,
|
||||
+ const char **attrs);
|
||||
+
|
||||
/* Output data. */
|
||||
|
||||
struct cache_req_result {
|
||||
@@ -377,4 +386,18 @@ cache_req_netgroup_by_name_send(TALLOC_CTX *mem_ctx,
|
||||
#define cache_req_netgroup_by_name_recv(mem_ctx, req, _result) \
|
||||
cache_req_single_domain_recv(mem_ctx, req, _result)
|
||||
|
||||
+struct tevent_req *
|
||||
+cache_req_host_by_name_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_nc_ctx *ncache,
|
||||
+ int cache_refresh_percent,
|
||||
+ const char *domain,
|
||||
+ const char *name,
|
||||
+ const char *alias,
|
||||
+ const char **attrs);
|
||||
+
|
||||
+#define cache_req_host_by_name_recv(mem_ctx, req, _result) \
|
||||
+ cache_req_single_domain_recv(mem_ctx, req, _result)
|
||||
+
|
||||
#endif /* _CACHE_REQ_H_ */
|
||||
diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
|
||||
index d0564785f7fc5ffe826b197a41da720e9f26a43a..b2e22ec1bab699ad71978df6905df19908369ff1 100644
|
||||
--- a/src/responder/common/cache_req/cache_req_data.c
|
||||
+++ b/src/responder/common/cache_req/cache_req_data.c
|
||||
@@ -188,6 +188,29 @@ cache_req_data_create(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
break;
|
||||
+ case CACHE_REQ_HOST_BY_NAME:
|
||||
+ if (input->name.input == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n");
|
||||
+ ret = ERR_INTERNAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ data->name.input = talloc_strdup(data, input->name.input);
|
||||
+ if (data->name.input == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (input->alias == NULL) {
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ data->alias = talloc_strdup(data, input->alias);
|
||||
+ if (data->alias == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ break;
|
||||
case CACHE_REQ_SENTINEL:
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid cache request type!\n");
|
||||
ret = ERR_INTERNAL;
|
||||
@@ -318,3 +341,19 @@ cache_req_data_svc(TALLOC_CTX *mem_ctx,
|
||||
|
||||
return cache_req_data_create(mem_ctx, type, &input);
|
||||
}
|
||||
+
|
||||
+struct cache_req_data *
|
||||
+cache_req_data_host(TALLOC_CTX *mem_ctx,
|
||||
+ enum cache_req_type type,
|
||||
+ const char *name,
|
||||
+ const char *alias,
|
||||
+ const char **attrs)
|
||||
+{
|
||||
+ struct cache_req_data input = {0};
|
||||
+
|
||||
+ input.name.input = name;
|
||||
+ input.alias = alias;
|
||||
+ input.attrs = attrs;
|
||||
+
|
||||
+ return cache_req_data_create(mem_ctx, type, &input);
|
||||
+}
|
||||
diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h
|
||||
index 61e346dacfe0d180fb2aae354bc7867093276ab0..e0b619528f6aa31a10a5b48c3c5acc96de90caa1 100644
|
||||
--- a/src/responder/common/cache_req/cache_req_plugin.h
|
||||
+++ b/src/responder/common/cache_req/cache_req_plugin.h
|
||||
@@ -231,5 +231,6 @@ extern const struct cache_req_plugin cache_req_enum_svc;
|
||||
extern const struct cache_req_plugin cache_req_svc_by_name;
|
||||
extern const struct cache_req_plugin cache_req_svc_by_port;
|
||||
extern const struct cache_req_plugin cache_req_netgroup_by_name;
|
||||
+extern const struct cache_req_plugin cache_req_host_by_name;
|
||||
|
||||
#endif /* _CACHE_REQ_PLUGIN_H_ */
|
||||
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
|
||||
index b544b739e92552189f806f4675ff28689b91ce66..cc473759159fe324e37a4c51dc15ed136f6a09ef 100644
|
||||
--- a/src/responder/common/cache_req/cache_req_private.h
|
||||
+++ b/src/responder/common/cache_req/cache_req_private.h
|
||||
@@ -76,6 +76,7 @@ struct cache_req_data {
|
||||
uint32_t id;
|
||||
const char *cert;
|
||||
const char *sid;
|
||||
+ const char *alias;
|
||||
const char **attrs;
|
||||
|
||||
struct {
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..18511e33bc18e44f418a26764f066ff287092d26
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
@@ -0,0 +1,121 @@
|
||||
+/*
|
||||
+ Authors:
|
||||
+ Pavel Březina <pbrezina@redhat.com>
|
||||
+
|
||||
+ Copyright (C) 2016 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include <talloc.h>
|
||||
+#include <ldb.h>
|
||||
+
|
||||
+#include "db/sysdb_ssh.h"
|
||||
+#include "util/util.h"
|
||||
+#include "providers/data_provider.h"
|
||||
+#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
+
|
||||
+static const char *
|
||||
+cache_req_host_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
|
||||
+ struct cache_req_data *data,
|
||||
+ struct sss_domain_info *domain)
|
||||
+{
|
||||
+ return talloc_strdup(mem_ctx, data->name.name);
|
||||
+}
|
||||
+
|
||||
+static errno_t
|
||||
+cache_req_host_by_name_lookup(TALLOC_CTX *mem_ctx,
|
||||
+ struct cache_req *cr,
|
||||
+ struct cache_req_data *data,
|
||||
+ struct sss_domain_info *domain,
|
||||
+ struct ldb_result **_result)
|
||||
+{
|
||||
+ struct ldb_result *result;
|
||||
+ struct ldb_message *msg;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ ret = sysdb_get_ssh_host(mem_ctx, domain, data->name.name,
|
||||
+ data->attrs, &msg);
|
||||
+ if (ret != EOK) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ result = cache_req_create_ldb_result_from_msg(mem_ctx, msg);
|
||||
+ if (result == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ *_result = result;
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+struct tevent_req *
|
||||
+cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct cache_req *cr,
|
||||
+ struct cache_req_data *data,
|
||||
+ struct sss_domain_info *domain,
|
||||
+ struct ldb_result *result)
|
||||
+{
|
||||
+ return sss_dp_get_ssh_host_send(mem_ctx, cr->rctx, domain, false,
|
||||
+ data->name.name, data->alias);
|
||||
+}
|
||||
+
|
||||
+const struct cache_req_plugin cache_req_host_by_name = {
|
||||
+ .name = "Host by name",
|
||||
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
+ .parse_name = true,
|
||||
+ .ignore_default_domain = true,
|
||||
+ .bypass_cache = false,
|
||||
+ .only_one_result = true,
|
||||
+ .search_all_domains = false,
|
||||
+ .require_enumeration = false,
|
||||
+ .allow_missing_fqn = true,
|
||||
+ .allow_switch_to_upn = false,
|
||||
+ .upn_equivalent = CACHE_REQ_SENTINEL,
|
||||
+ .get_next_domain_flags = 0,
|
||||
+
|
||||
+ .is_well_known_fn = NULL,
|
||||
+ .prepare_domain_data_fn = NULL,
|
||||
+ .create_debug_name_fn = cache_req_host_by_name_create_debug_name,
|
||||
+ .global_ncache_add_fn = NULL,
|
||||
+ .ncache_check_fn = NULL,
|
||||
+ .ncache_add_fn = NULL,
|
||||
+ .lookup_fn = cache_req_host_by_name_lookup,
|
||||
+ .dp_send_fn = cache_req_host_by_name_dp_send,
|
||||
+ .dp_recv_fn = cache_req_common_dp_recv
|
||||
+};
|
||||
+
|
||||
+struct tevent_req *
|
||||
+cache_req_host_by_name_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_nc_ctx *ncache,
|
||||
+ int cache_refresh_percent,
|
||||
+ const char *domain,
|
||||
+ const char *name,
|
||||
+ const char *alias,
|
||||
+ const char **attrs)
|
||||
+{
|
||||
+ struct cache_req_data *data;
|
||||
+
|
||||
+ data = cache_req_data_host(mem_ctx, CACHE_REQ_HOST_BY_NAME, name,
|
||||
+ alias, attrs);
|
||||
+ if (data == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
|
||||
+ cache_refresh_percent, domain, data);
|
||||
+}
|
||||
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
|
||||
index c387c6ec326c612eef8798673c1c70c67efd5452..748dec4301b4a018691d9b8c8fca0193d18167a5 100644
|
||||
--- a/src/responder/common/responder.h
|
||||
+++ b/src/responder/common/responder.h
|
||||
@@ -318,6 +318,21 @@ sss_dp_get_account_recv(TALLOC_CTX *mem_ctx,
|
||||
dbus_uint32_t *err_min,
|
||||
char **err_msg);
|
||||
|
||||
+struct tevent_req *
|
||||
+sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ bool fast_reply,
|
||||
+ const char *name,
|
||||
+ const char *alias);
|
||||
+
|
||||
+errno_t
|
||||
+sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_req *req,
|
||||
+ dbus_uint16_t *dp_err,
|
||||
+ dbus_uint32_t *dp_ret,
|
||||
+ char **err_msg);
|
||||
+
|
||||
bool sss_utf8_check(const uint8_t *s, size_t n);
|
||||
|
||||
void responder_set_fd_limit(rlim_t fd_limit);
|
||||
diff --git a/src/responder/ssh/sshsrv_dp.c b/src/responder/common/responder_dp_ssh.c
|
||||
similarity index 99%
|
||||
rename from src/responder/ssh/sshsrv_dp.c
|
||||
rename to src/responder/common/responder_dp_ssh.c
|
||||
index f02c3f477e3789360075a6022086d21cfcd7aefd..303ba1568b6230b0d4dfa718e4a7c024ae84d4e9 100644
|
||||
--- a/src/responder/ssh/sshsrv_dp.c
|
||||
+++ b/src/responder/common/responder_dp_ssh.c
|
||||
@@ -21,13 +21,12 @@
|
||||
#include <talloc.h>
|
||||
#include <tevent.h>
|
||||
#include <dbus/dbus.h>
|
||||
-#include "sbus/sssd_dbus.h"
|
||||
|
||||
#include "util/util.h"
|
||||
#include "sbus/sbus_client.h"
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
#include "providers/data_provider/dp_responder_iface.h"
|
||||
#include "responder/common/responder.h"
|
||||
-#include "responder/ssh/sshsrv_private.h"
|
||||
|
||||
struct sss_dp_get_ssh_host_info {
|
||||
struct sss_domain_info *dom;
|
||||
diff --git a/src/responder/ssh/sshsrv_private.h b/src/responder/ssh/sshsrv_private.h
|
||||
index 9553cd7940571bf107d9fb4562d11d8c1eab3624..3ea895536657cbfa82328b8a2661da56859eb929 100644
|
||||
--- a/src/responder/ssh/sshsrv_private.h
|
||||
+++ b/src/responder/ssh/sshsrv_private.h
|
||||
@@ -51,19 +51,4 @@ struct ssh_cmd_ctx {
|
||||
|
||||
struct sss_cmd_table *get_ssh_cmds(void);
|
||||
|
||||
-struct tevent_req *
|
||||
-sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
|
||||
- struct resp_ctx *rctx,
|
||||
- struct sss_domain_info *dom,
|
||||
- bool fast_reply,
|
||||
- const char *name,
|
||||
- const char *alias);
|
||||
-
|
||||
-errno_t
|
||||
-sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
|
||||
- struct tevent_req *req,
|
||||
- dbus_uint16_t *dp_err,
|
||||
- dbus_uint32_t *dp_ret,
|
||||
- char **err_msg);
|
||||
-
|
||||
#endif /* _SSHSRV_PRIVATE_H_ */
|
||||
diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c
|
||||
index cbdb65d745a63ae00613001847351d3dba0fe290..5db5255ab61231870982c4b78a39504ae8954bcd 100644
|
||||
--- a/src/tests/cmocka/common_mock_resp_dp.c
|
||||
+++ b/src/tests/cmocka/common_mock_resp_dp.c
|
||||
@@ -61,6 +61,39 @@ sss_dp_get_account_recv(TALLOC_CTX *mem_ctx,
|
||||
return test_request_recv(req);
|
||||
}
|
||||
|
||||
+struct tevent_req *
|
||||
+sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ bool fast_reply,
|
||||
+ const char *name,
|
||||
+ const char *alias)
|
||||
+{
|
||||
+ return test_req_succeed_send(mem_ctx, rctx->ev);
|
||||
+}
|
||||
+
|
||||
+
|
||||
+errno_t
|
||||
+sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_req *req,
|
||||
+ dbus_uint16_t *dp_err,
|
||||
+ dbus_uint32_t *dp_ret,
|
||||
+ char **err_msg)
|
||||
+{
|
||||
+ acct_cb_t cb;
|
||||
+
|
||||
+ *dp_err = sss_mock_type(dbus_uint16_t);
|
||||
+ *dp_ret = sss_mock_type(dbus_uint32_t);
|
||||
+ *err_msg = sss_mock_ptr_type(char *);
|
||||
+
|
||||
+ cb = sss_mock_ptr_type(acct_cb_t);
|
||||
+ if (cb) {
|
||||
+ (cb)(sss_mock_ptr_type(void *));
|
||||
+ }
|
||||
+
|
||||
+ return test_request_recv(req);
|
||||
+}
|
||||
+
|
||||
errno_t
|
||||
sss_dp_req_recv(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_req *req,
|
||||
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
|
||||
index 8ca0026178d79271167a09d295940f7c5f55d98b..09a8b5307dd3ebf9c7f27148097a90eac527a213 100644
|
||||
--- a/src/tests/cwrap/Makefile.am
|
||||
+++ b/src/tests/cwrap/Makefile.am
|
||||
@@ -60,6 +60,7 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \
|
||||
../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \
|
||||
../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
|
||||
+ ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
|
||||
$(NULL)
|
||||
|
||||
SSSD_RESPONDER_OBJ = \
|
||||
@@ -68,6 +69,7 @@ SSSD_RESPONDER_OBJ = \
|
||||
../../../src/responder/common/responder_cmd.c \
|
||||
../../../src/responder/common/responder_common.c \
|
||||
../../../src/responder/common/responder_dp.c \
|
||||
+ ../../../src/responder/common/responder_dp_ssh.c \
|
||||
../../../src/responder/common/responder_packet.c \
|
||||
../../../src/responder/common/responder_get_domains.c \
|
||||
../../../src/responder/common/responder_utils.c \
|
||||
--
|
||||
2.9.3
|
||||
|
2506
0030-ssh-rewrite-ssh-responder-to-use-cache_req.patch
Normal file
2506
0030-ssh-rewrite-ssh-responder-to-use-cache_req.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,76 @@
|
||||
From e947a871f7d3cfc4389e981a147fe10bedca0569 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 7 Feb 2017 11:05:47 +0100
|
||||
Subject: [PATCH 31/79] AD: Use ad_domain to match forest root domain, not the
|
||||
configured domain from sssd.conf
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the sssd.conf domain name was different from the joined domain name,
|
||||
but sssd was joined to the forest root, the AD subdomains code considered
|
||||
sssd joined to a non-root domain and tried to discover the forest root.
|
||||
|
||||
This could be reproduced by joining sssd to a domain, for example
|
||||
win.trust.test but calling the sssd.conf domain otherwise, for example:
|
||||
[domain/addomain]
|
||||
ad_domain = win.trust.test
|
||||
|
||||
This is/was a frequent use-case in the RHEL world, where authconfig
|
||||
often names the sssd.conf domain 'default'.
|
||||
|
||||
Without the patch, the trusted domains were not detected.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_subdomains.c | 13 +++++++++++--
|
||||
1 file changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index 5e57d218c072a2627f165ae072cb761e1a146048..ad075c19a5824b98092ddf534004680784577c0f 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -948,6 +948,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq);
|
||||
static struct tevent_req *
|
||||
ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
+ const char *domain,
|
||||
const char *forest,
|
||||
struct sdap_handle *sh,
|
||||
struct ad_subdomains_ctx *sd_ctx)
|
||||
@@ -968,7 +969,7 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- if (forest != NULL && strcasecmp(sd_ctx->be_ctx->domain->name, forest) == 0) {
|
||||
+ if (forest != NULL && strcasecmp(domain, forest) == 0) {
|
||||
state->root_id_ctx = sd_ctx->ad_id_ctx;
|
||||
state->root_domain_attrs = NULL;
|
||||
ret = EOK;
|
||||
@@ -1230,6 +1231,7 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq)
|
||||
struct ad_subdomains_refresh_state *state;
|
||||
struct tevent_req *req;
|
||||
const char *realm;
|
||||
+ const char *ad_domain;
|
||||
char *master_sid;
|
||||
char *flat_name;
|
||||
char *forest;
|
||||
@@ -1277,7 +1279,14 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq)
|
||||
}
|
||||
}
|
||||
|
||||
- subreq = ad_get_root_domain_send(state, state->ev, forest,
|
||||
+ ad_domain = dp_opt_get_cstring(state->ad_options->basic, AD_DOMAIN);
|
||||
+ if (ad_domain == NULL) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "Missing AD domain name, falling back to sssd domain name\n");
|
||||
+ ad_domain = state->sd_ctx->be_ctx->domain->name;
|
||||
+ }
|
||||
+
|
||||
+ subreq = ad_get_root_domain_send(state, state->ev, ad_domain, forest,
|
||||
sdap_id_op_handle(state->sdap_op),
|
||||
state->sd_ctx);
|
||||
if (subreq == NULL) {
|
||||
--
|
||||
2.9.3
|
||||
|
44
0032-BUILD-Fix-linking-of-test_sdap_initgr.patch
Normal file
44
0032-BUILD-Fix-linking-of-test_sdap_initgr.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From e5d8b0e10238490c5d199063c0a258ba53c2ac65 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Wed, 8 Feb 2017 17:58:41 +0100
|
||||
Subject: [PATCH 32/79] BUILD: Fix linking of test_sdap_initgr
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
There was a linking fialure on debian:
|
||||
/usr/bin/ld: src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o:
|
||||
undefined reference to symbol 'hash_iterate@@DHASH_0.4.3'
|
||||
//usr/lib64/libdhash.so.1: error adding symbols: DSO missing from command line
|
||||
collect2: error: ld returned 1 exit status
|
||||
|
||||
This patch adds some missing libraries and remove unnecessary libraries.
|
||||
Bug was intoduced in commit 0b7ded15e53b3f31f1570c366f04bc41e5761929
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
Makefile.am | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 713a83ce0b5c2b8d71495ff05b52e52e413b5c95..2304b39c7eb75225f7cd8cbc30d23592506c146e 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -2879,11 +2879,12 @@ test_sdap_initgr_CFLAGS = \
|
||||
test_sdap_initgr_LDADD = \
|
||||
$(CMOCKA_LIBS) \
|
||||
$(POPT_LIBS) \
|
||||
+ $(DHASH_LIBS) \
|
||||
$(TALLOC_LIBS) \
|
||||
+ $(TEVENT_LIBS) \
|
||||
+ $(LDB_LIBS) \
|
||||
$(SSSD_INTERNAL_LTLIBS) \
|
||||
libsss_ldap_common.la \
|
||||
- libsss_ad_tests.la \
|
||||
- libsss_idmap.la \
|
||||
libsss_test_common.la \
|
||||
libdlopen_test_providers.la \
|
||||
$(NULL)
|
||||
--
|
||||
2.9.3
|
||||
|
31
0033-ssh-fix-typo.patch
Normal file
31
0033-ssh-fix-typo.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 2ffa245e79a5ed66e69d141f4001c13697e01450 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 8 Feb 2017 13:22:11 +0100
|
||||
Subject: [PATCH 33/79] ssh: fix typo
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Those macros are the same so there is no functional difference.
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/responder/ssh/ssh_cmd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/ssh/ssh_cmd.c b/src/responder/ssh/ssh_cmd.c
|
||||
index a1188280dc2d1f73c726aec7c203692a63c37a32..1b9aff2b5053b436a9a0bf2797d812a954f25984 100644
|
||||
--- a/src/responder/ssh/ssh_cmd.c
|
||||
+++ b/src/responder/ssh/ssh_cmd.c
|
||||
@@ -213,7 +213,7 @@ static void ssh_cmd_get_host_pubkeys_done(struct tevent_req *subreq)
|
||||
cmd_ctx = tevent_req_callback_data(subreq, struct ssh_cmd_ctx);
|
||||
ssh_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct ssh_ctx);
|
||||
|
||||
- ret = cache_req_user_by_name_attrs_recv(cmd_ctx, subreq, &result);
|
||||
+ ret = cache_req_host_by_name_recv(cmd_ctx, subreq, &result);
|
||||
talloc_zfree(subreq);
|
||||
|
||||
if (ret == EOK || ret == ENOENT) {
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,32 @@
|
||||
From d9780d2860b2f2c9d707bfd8f2fc72099b9545d7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 8 Feb 2017 13:22:42 +0100
|
||||
Subject: [PATCH 34/79] cache_req: always go to dp first when looking up host
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
We need to always lookup host in DP first to update host certificates so
|
||||
we are consinstent during ssh authentication.
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/plugins/cache_req_host_by_name.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
index 18511e33bc18e44f418a26764f066ff287092d26..77b46831fec3abc4126ef9d9be67221469801094 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
@@ -77,7 +77,7 @@ const struct cache_req_plugin cache_req_host_by_name = {
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
.ignore_default_domain = true,
|
||||
- .bypass_cache = false,
|
||||
+ .bypass_cache = true,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
.require_enumeration = false,
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,74 @@
|
||||
From 040ade7b2e11fecf615aedf58592cc7245900e86 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Sun, 5 Feb 2017 01:48:35 +0100
|
||||
Subject: [PATCH 35/79] MONITOR: Wrap up sending sd_notify "ready" into a new
|
||||
function
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This new function will be used later on in this series as we also will
|
||||
need to notify systemd that we're up in at least one more scenario (for
|
||||
now).
|
||||
|
||||
Related:
|
||||
https://fedorahosted.org/sssd/ticket/3299
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/monitor/monitor.c | 30 +++++++++++++++++++++---------
|
||||
1 file changed, 21 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index b82c6e5fb651796e977085a1fcb87330632fbf3b..f55a89edc38900c3eaaf2a294fb26125e571cf82 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -487,6 +487,26 @@ static void svc_child_info(struct mt_svc *svc, int wait_status)
|
||||
}
|
||||
}
|
||||
|
||||
+static int notify_startup(void)
|
||||
+{
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ int ret;
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Sending startup notification to systemd\n");
|
||||
+ ret = sd_notify(0, "READY=1");
|
||||
+ if (ret < 0) {
|
||||
+ ret = -ret;
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Error sending notification to systemd %d: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+
|
||||
+ return ret;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static int mark_service_as_started(struct mt_svc *svc)
|
||||
{
|
||||
struct mt_ctx *ctx = svc->mt_ctx;
|
||||
@@ -557,15 +577,7 @@ static int mark_service_as_started(struct mt_svc *svc)
|
||||
|
||||
ctx->pid_file_created = true;
|
||||
|
||||
-#ifdef HAVE_SYSTEMD
|
||||
- DEBUG(SSSDBG_TRACE_FUNC, "Sending startup notification to systemd\n");
|
||||
- ret = sd_notify(0, "READY=1");
|
||||
- if (ret < 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Error sending notification to systemd %d: %s\n",
|
||||
- -ret, strerror(-ret));
|
||||
- }
|
||||
-#endif
|
||||
+ notify_startup();
|
||||
|
||||
/* Initialization is complete, terminate parent process if in daemon
|
||||
* mode. Make sure we send the signal to the right process */
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,51 @@
|
||||
From 00c0b7bc6969d31deab9e8e7541b4a6483b78b3e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Sun, 5 Feb 2017 01:55:56 +0100
|
||||
Subject: [PATCH 36/79] MONITOR: Don't timeout if using local provider +
|
||||
socket-activated responders
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When using only the local provider with socket-activated services SSSD
|
||||
ends up never notifying systemd its startup has been done, as notifying
|
||||
systemd is done *only* when a service (provider or responder) is started
|
||||
up, leading SSSD's startup to fail due to a timeout.
|
||||
|
||||
So, in order to avoid this situation, let's just notify the startup
|
||||
earlier in case we have *only* socket-activated services and the *only*
|
||||
provider set up is the LOCAL one.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3299
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/monitor/monitor.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index f55a89edc38900c3eaaf2a294fb26125e571cf82..1fa3d4baf579f15b9f93355a4b0c8b9d706bbacf 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -2403,6 +2403,15 @@ static int monitor_process_init(struct mt_ctx *ctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ /* When the only provider set up is the local one (num_providers == 0) and
|
||||
+ * there's no responder explicitly set up it means that we should notify
|
||||
+ * systemd that SSSD is ready right now as any other provider/responder
|
||||
+ * would be able to do so and the SSSD would end up hitting a systemd
|
||||
+ * timeout! */
|
||||
+ if (num_providers == 0 && ctx->services == NULL) {
|
||||
+ ret = notify_startup();
|
||||
+ }
|
||||
+
|
||||
return EOK;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
83
0037-SUDO-Only-store-lowercased-attribute-value-once.patch
Normal file
83
0037-SUDO-Only-store-lowercased-attribute-value-once.patch
Normal file
@ -0,0 +1,83 @@
|
||||
From a5ecc93abb01cece628fdef04ebad43bba267419 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Sun, 5 Feb 2017 20:25:23 +0100
|
||||
Subject: [PATCH 37/79] SUDO: Only store lowercased attribute value once
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The current code doesn't handle the situation where lowercasing the
|
||||
sudoUser attribute would yield the same value again.
|
||||
|
||||
For example:
|
||||
sudoUser: TUSER
|
||||
sudoUser tuser
|
||||
would break.
|
||||
|
||||
This patch switches to using the utility function
|
||||
sysdb_attrs_add_lower_case_string() which already checks for duplicates.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3301
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/db/sysdb_sudo.c | 17 +++--------------
|
||||
src/tests/cmocka/test_sysdb_sudo.c | 5 +++++
|
||||
2 files changed, 8 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
|
||||
index f5160f19012028f92723b9012fad85d803aa5137..97a1bee99c0255579f42cc7263d3d755429cd417 100644
|
||||
--- a/src/db/sysdb_sudo.c
|
||||
+++ b/src/db/sysdb_sudo.c
|
||||
@@ -857,7 +857,6 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
const char **users = NULL;
|
||||
- const char *lowered = NULL;
|
||||
errno_t ret;
|
||||
|
||||
if (domain->case_sensitive == true || rule == NULL) {
|
||||
@@ -884,19 +883,9 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
|
||||
}
|
||||
|
||||
for (int i = 0; users[i] != NULL; i++) {
|
||||
- lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
|
||||
- if (lowered == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (strcmp(users[i], lowered) == 0) {
|
||||
- /* It protects us from adding duplicate. */
|
||||
- continue;
|
||||
- }
|
||||
-
|
||||
- ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
|
||||
+ ret = sysdb_attrs_add_lower_case_string(rule, true,
|
||||
+ SYSDB_SUDO_CACHE_AT_USER,
|
||||
+ users[i]);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Unable to add %s attribute [%d]: %s\n",
|
||||
diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c
|
||||
index f21ff3655efbdc5b66a1fdbc24a51ec8174c3c8c..34afe120d97e99e3213a85bf7489a5e0f6309e4b 100644
|
||||
--- a/src/tests/cmocka/test_sysdb_sudo.c
|
||||
+++ b/src/tests/cmocka/test_sysdb_sudo.c
|
||||
@@ -335,6 +335,11 @@ void test_store_sudo_case_insensitive(void **state)
|
||||
|
||||
test_ctx->tctx->dom->case_sensitive = false;
|
||||
|
||||
+ ret = sysdb_attrs_add_lower_case_string(rule, false,
|
||||
+ SYSDB_SUDO_CACHE_AT_USER,
|
||||
+ users[0].name);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
|
||||
assert_int_equal(ret, EOK);
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
190
0038-NEGCACHE-Add-API-to-reset-all-users-and-groups.patch
Normal file
190
0038-NEGCACHE-Add-API-to-reset-all-users-and-groups.patch
Normal file
@ -0,0 +1,190 @@
|
||||
From 99a32e4f5164e174d5a3ffa5a1fe622075a8fe45 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 2 Nov 2016 16:59:12 +0100
|
||||
Subject: [PATCH 38/79] NEGCACHE: Add API to reset all users and groups
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds a negative cache API to reset negatively cached users and groups.
|
||||
This will be used when the files back end finishes enumeration to make
|
||||
sure all results are available.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/common/negcache.c | 56 ++++++++++++++++++++++++++++++++
|
||||
src/responder/common/negcache.h | 2 ++
|
||||
src/tests/cmocka/test_negcache.c | 70 ++++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 128 insertions(+)
|
||||
|
||||
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
|
||||
index 5b7ad69f432518be94b88e92e24265add722c852..944a06e158f778948c16bb931f0af5659a00b13b 100644
|
||||
--- a/src/responder/common/negcache.c
|
||||
+++ b/src/responder/common/negcache.c
|
||||
@@ -674,6 +674,62 @@ int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static int delete_prefix(struct tdb_context *tdb,
|
||||
+ TDB_DATA key, TDB_DATA data, void *state)
|
||||
+{
|
||||
+ const char *prefix = (const char *) state;
|
||||
+
|
||||
+ if (strncmp((char *)key.dptr, prefix, strlen(prefix) - 1) != 0) {
|
||||
+ /* not interested in this key */
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return tdb_delete(tdb, key);
|
||||
+}
|
||||
+
|
||||
+static int sss_ncache_reset_pfx(struct sss_nc_ctx *ctx,
|
||||
+ const char **prefixes)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ if (prefixes == NULL) {
|
||||
+ return EOK;
|
||||
+ }
|
||||
+
|
||||
+ for (int i = 0; prefixes[i] != NULL; i++) {
|
||||
+ ret = tdb_traverse(ctx->tdb,
|
||||
+ delete_prefix,
|
||||
+ discard_const(prefixes[i]));
|
||||
+ if (ret < 0) {
|
||||
+ return EIO;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+int sss_ncache_reset_users(struct sss_nc_ctx *ctx)
|
||||
+{
|
||||
+ const char *prefixes[] = {
|
||||
+ NC_USER_PREFIX,
|
||||
+ NC_UID_PREFIX,
|
||||
+ NULL,
|
||||
+ };
|
||||
+
|
||||
+ return sss_ncache_reset_pfx(ctx, prefixes);
|
||||
+}
|
||||
+
|
||||
+int sss_ncache_reset_groups(struct sss_nc_ctx *ctx)
|
||||
+{
|
||||
+ const char *prefixes[] = {
|
||||
+ NC_GROUP_PREFIX,
|
||||
+ NC_GID_PREFIX,
|
||||
+ NULL,
|
||||
+ };
|
||||
+
|
||||
+ return sss_ncache_reset_pfx(ctx, prefixes);
|
||||
+}
|
||||
+
|
||||
errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
||||
struct confdb_ctx *cdb,
|
||||
struct resp_ctx *rctx)
|
||||
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
|
||||
index 377f97c8b3b20ec5b4a284e08d891737e2e25225..8af736a67aada91d6ac42495399f5de469dec753 100644
|
||||
--- a/src/responder/common/negcache.h
|
||||
+++ b/src/responder/common/negcache.h
|
||||
@@ -78,6 +78,8 @@ int sss_ncache_set_service_port(struct sss_nc_ctx *ctx, bool permanent,
|
||||
uint16_t port, const char *proto);
|
||||
|
||||
int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx);
|
||||
+int sss_ncache_reset_users(struct sss_nc_ctx *ctx);
|
||||
+int sss_ncache_reset_groups(struct sss_nc_ctx *ctx);
|
||||
|
||||
struct resp_ctx;
|
||||
|
||||
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
|
||||
index 14e4fa639a056d712b2453230745d7dc49853dec..d608c20ad3248c80e68029c8c27b826395a61ddc 100644
|
||||
--- a/src/tests/cmocka/test_negcache.c
|
||||
+++ b/src/tests/cmocka/test_negcache.c
|
||||
@@ -785,6 +785,74 @@ static void test_sss_ncache_reset_prepopulate(void **state)
|
||||
ret = check_group_in_ncache(ncache, dom2, "testgroup2");
|
||||
assert_int_equal(ret, EEXIST);
|
||||
}
|
||||
+
|
||||
+static void test_sss_ncache_reset(void **state)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ struct test_state *ts;
|
||||
+ struct sss_domain_info *dom;
|
||||
+
|
||||
+ ts = talloc_get_type_abort(*state, struct test_state);
|
||||
+ dom = talloc(ts, struct sss_domain_info);
|
||||
+ assert_non_null(dom);
|
||||
+ dom->case_sensitive = true;
|
||||
+
|
||||
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
|
||||
+
|
||||
+ /* Set users */
|
||||
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_set_uid(ts->ctx, false, NULL, 123);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+
|
||||
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_set_user(ts->ctx, false, dom, "foo");
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+
|
||||
+ /* Set groups */
|
||||
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_set_gid(ts->ctx, false, NULL, 456);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+
|
||||
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_set_group(ts->ctx, false, dom, "bar");
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+
|
||||
+ ret = sss_ncache_reset_users(ts->ctx);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ /* Users are no longer negatively cached */
|
||||
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+
|
||||
+ /* Groups still are */
|
||||
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+
|
||||
+ ret = sss_ncache_reset_groups(ts->ctx);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+}
|
||||
+
|
||||
int main(void)
|
||||
{
|
||||
int rv;
|
||||
@@ -809,6 +877,8 @@ int main(void)
|
||||
setup, teardown),
|
||||
cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate,
|
||||
setup, teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
|
||||
+ setup, teardown),
|
||||
};
|
||||
|
||||
tests_set_cwd();
|
||||
--
|
||||
2.9.3
|
||||
|
193
0039-NSS-Add-sbus-interface-to-clear-memory-cache.patch
Normal file
193
0039-NSS-Add-sbus-interface-to-clear-memory-cache.patch
Normal file
@ -0,0 +1,193 @@
|
||||
From c3a225d4d735d3a01883125592dda7a030a64e00 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 2 Nov 2016 15:59:37 +0100
|
||||
Subject: [PATCH 39/79] NSS: Add sbus interface to clear memory cache
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds three new NSS interface sbus methods to disable memory caches of
|
||||
users, groups and initgroups. It's enough to add this interface to the
|
||||
NSS responder because the NSS responder is the only writer to the memory
|
||||
cache.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/nss/nss_iface.c | 40 ++++++++++++++++++++++++++++++++-
|
||||
src/responder/nss/nss_iface.xml | 6 +++++
|
||||
src/responder/nss/nss_iface_generated.c | 39 ++++++++++++++++++++++++++++++++
|
||||
src/responder/nss/nss_iface_generated.h | 15 +++++++++++++
|
||||
4 files changed, 99 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
|
||||
index 58c70c8a01bfcc143eda14c9185672302345ef75..4a38681b54d6c9d0ac9adece69bdebb3d305fcf9 100644
|
||||
--- a/src/responder/nss/nss_iface.c
|
||||
+++ b/src/responder/nss/nss_iface.c
|
||||
@@ -144,6 +144,41 @@ done:
|
||||
talloc_free(tmp_ctx);
|
||||
}
|
||||
|
||||
+int nss_memorycache_invalidate_users(struct sbus_request *req, void *data)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Invalidating all users in memory cache\n");
|
||||
+ sss_mmap_cache_reset(nctx->pwd_mc_ctx);
|
||||
+
|
||||
+ return iface_nss_memorycache_InvalidateAllUsers_finish(req);
|
||||
+}
|
||||
+
|
||||
+int nss_memorycache_invalidate_groups(struct sbus_request *req, void *data)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Invalidating all groups in memory cache\n");
|
||||
+ sss_mmap_cache_reset(nctx->grp_mc_ctx);
|
||||
+
|
||||
+ return iface_nss_memorycache_InvalidateAllGroups_finish(req);
|
||||
+}
|
||||
+
|
||||
+int nss_memorycache_invalidate_initgroups(struct sbus_request *req, void *data)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
+ "Invalidating all initgroup records in memory cache\n");
|
||||
+ sss_mmap_cache_reset(nctx->initgr_mc_ctx);
|
||||
+
|
||||
+ return iface_nss_memorycache_InvalidateAllInitgrRecords_finish(req);
|
||||
+}
|
||||
+
|
||||
+
|
||||
int nss_memorycache_update_initgroups(struct sbus_request *sbus_req,
|
||||
void *data,
|
||||
const char *user,
|
||||
@@ -164,7 +199,10 @@ int nss_memorycache_update_initgroups(struct sbus_request *sbus_req,
|
||||
|
||||
struct iface_nss_memorycache iface_nss_memorycache = {
|
||||
{ &iface_nss_memorycache_meta, 0 },
|
||||
- .UpdateInitgroups = nss_memorycache_update_initgroups
|
||||
+ .UpdateInitgroups = nss_memorycache_update_initgroups,
|
||||
+ .InvalidateAllUsers = nss_memorycache_invalidate_users,
|
||||
+ .InvalidateAllGroups = nss_memorycache_invalidate_groups,
|
||||
+ .InvalidateAllInitgrRecords = nss_memorycache_invalidate_initgroups,
|
||||
};
|
||||
|
||||
static struct sbus_iface_map iface_map[] = {
|
||||
diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml
|
||||
index b7cc4deb77135a592bad2ca62570f206231129b7..79e42c7424e800601bdc2dbe9ecd3e4a49829d68 100644
|
||||
--- a/src/responder/nss/nss_iface.xml
|
||||
+++ b/src/responder/nss/nss_iface.xml
|
||||
@@ -8,5 +8,11 @@
|
||||
<arg name="domain" type="s" direction="in" />
|
||||
<arg name="groups" type="au" direction="in" />
|
||||
</method>
|
||||
+ <method name="InvalidateAllUsers">
|
||||
+ </method>
|
||||
+ <method name="InvalidateAllGroups">
|
||||
+ </method>
|
||||
+ <method name="InvalidateAllInitgrRecords">
|
||||
+ </method>
|
||||
</interface>
|
||||
</node>
|
||||
diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c
|
||||
index 2d0031090e33df9c9e9d9fbf1a18825026509803..4c07080148f62c1d8e18e51e1be62bb261a13566 100644
|
||||
--- a/src/responder/nss/nss_iface_generated.c
|
||||
+++ b/src/responder/nss/nss_iface_generated.c
|
||||
@@ -23,6 +23,24 @@ int iface_nss_memorycache_UpdateInitgroups_finish(struct sbus_request *req)
|
||||
DBUS_TYPE_INVALID);
|
||||
}
|
||||
|
||||
+int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
/* methods for org.freedesktop.sssd.nss.MemoryCache */
|
||||
const struct sbus_method_meta iface_nss_memorycache__methods[] = {
|
||||
{
|
||||
@@ -32,6 +50,27 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = {
|
||||
offsetof(struct iface_nss_memorycache, UpdateInitgroups),
|
||||
invoke_ssau_method,
|
||||
},
|
||||
+ {
|
||||
+ "InvalidateAllUsers", /* name */
|
||||
+ NULL, /* no in_args */
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_nss_memorycache, InvalidateAllUsers),
|
||||
+ NULL, /* no invoker */
|
||||
+ },
|
||||
+ {
|
||||
+ "InvalidateAllGroups", /* name */
|
||||
+ NULL, /* no in_args */
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_nss_memorycache, InvalidateAllGroups),
|
||||
+ NULL, /* no invoker */
|
||||
+ },
|
||||
+ {
|
||||
+ "InvalidateAllInitgrRecords", /* name */
|
||||
+ NULL, /* no in_args */
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_nss_memorycache, InvalidateAllInitgrRecords),
|
||||
+ NULL, /* no invoker */
|
||||
+ },
|
||||
{ NULL, }
|
||||
};
|
||||
|
||||
diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h
|
||||
index ad902482a9be03a60cbf3663b6f771d0a2020b88..6f4d13a35dc5cbe33182ad8744769b37ce449d50 100644
|
||||
--- a/src/responder/nss/nss_iface_generated.h
|
||||
+++ b/src/responder/nss/nss_iface_generated.h
|
||||
@@ -14,6 +14,9 @@
|
||||
/* constants for org.freedesktop.sssd.nss.MemoryCache */
|
||||
#define IFACE_NSS_MEMORYCACHE "org.freedesktop.sssd.nss.MemoryCache"
|
||||
#define IFACE_NSS_MEMORYCACHE_UPDATEINITGROUPS "UpdateInitgroups"
|
||||
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers"
|
||||
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups"
|
||||
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGRRECORDS "InvalidateAllInitgrRecords"
|
||||
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus handlers
|
||||
@@ -37,11 +40,23 @@
|
||||
struct iface_nss_memorycache {
|
||||
struct sbus_vtable vtable; /* derive from sbus_vtable */
|
||||
int (*UpdateInitgroups)(struct sbus_request *req, void *data, const char *arg_user, const char *arg_domain, uint32_t arg_groups[], int len_groups);
|
||||
+ int (*InvalidateAllUsers)(struct sbus_request *req, void *data);
|
||||
+ int (*InvalidateAllGroups)(struct sbus_request *req, void *data);
|
||||
+ int (*InvalidateAllInitgrRecords)(struct sbus_request *req, void *data);
|
||||
};
|
||||
|
||||
/* finish function for UpdateInitgroups */
|
||||
int iface_nss_memorycache_UpdateInitgroups_finish(struct sbus_request *req);
|
||||
|
||||
+/* finish function for InvalidateAllUsers */
|
||||
+int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req);
|
||||
+
|
||||
+/* finish function for InvalidateAllGroups */
|
||||
+int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req);
|
||||
+
|
||||
+/* finish function for InvalidateAllInitgrRecords */
|
||||
+int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req);
|
||||
+
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus Interface Metadata
|
||||
*
|
||||
--
|
||||
2.9.3
|
||||
|
111
0040-NSS-Rename-the-interface-to-invalidate-memory-cache-.patch
Normal file
111
0040-NSS-Rename-the-interface-to-invalidate-memory-cache-.patch
Normal file
@ -0,0 +1,111 @@
|
||||
From f2047f6c5b56d6759bd8e6d504f572a593476c65 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Mon, 23 Jan 2017 22:55:20 +0100
|
||||
Subject: [PATCH 40/79] NSS: Rename the interface to invalidate memory cache
|
||||
initgroup records for consistency
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/nss/nss_iface.c | 4 ++--
|
||||
src/responder/nss/nss_iface.xml | 2 +-
|
||||
src/responder/nss/nss_iface_generated.c | 6 +++---
|
||||
src/responder/nss/nss_iface_generated.h | 8 ++++----
|
||||
4 files changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
|
||||
index 4a38681b54d6c9d0ac9adece69bdebb3d305fcf9..fee95f8fc6806d2e70112d02690469fb094efa17 100644
|
||||
--- a/src/responder/nss/nss_iface.c
|
||||
+++ b/src/responder/nss/nss_iface.c
|
||||
@@ -175,7 +175,7 @@ int nss_memorycache_invalidate_initgroups(struct sbus_request *req, void *data)
|
||||
"Invalidating all initgroup records in memory cache\n");
|
||||
sss_mmap_cache_reset(nctx->initgr_mc_ctx);
|
||||
|
||||
- return iface_nss_memorycache_InvalidateAllInitgrRecords_finish(req);
|
||||
+ return iface_nss_memorycache_InvalidateAllInitgroups_finish(req);
|
||||
}
|
||||
|
||||
|
||||
@@ -202,7 +202,7 @@ struct iface_nss_memorycache iface_nss_memorycache = {
|
||||
.UpdateInitgroups = nss_memorycache_update_initgroups,
|
||||
.InvalidateAllUsers = nss_memorycache_invalidate_users,
|
||||
.InvalidateAllGroups = nss_memorycache_invalidate_groups,
|
||||
- .InvalidateAllInitgrRecords = nss_memorycache_invalidate_initgroups,
|
||||
+ .InvalidateAllInitgroups = nss_memorycache_invalidate_initgroups,
|
||||
};
|
||||
|
||||
static struct sbus_iface_map iface_map[] = {
|
||||
diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml
|
||||
index 79e42c7424e800601bdc2dbe9ecd3e4a49829d68..27aae019758c49ab7ec04161394d58da88077b60 100644
|
||||
--- a/src/responder/nss/nss_iface.xml
|
||||
+++ b/src/responder/nss/nss_iface.xml
|
||||
@@ -12,7 +12,7 @@
|
||||
</method>
|
||||
<method name="InvalidateAllGroups">
|
||||
</method>
|
||||
- <method name="InvalidateAllInitgrRecords">
|
||||
+ <method name="InvalidateAllInitgroups">
|
||||
</method>
|
||||
</interface>
|
||||
</node>
|
||||
diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c
|
||||
index 4c07080148f62c1d8e18e51e1be62bb261a13566..e4f3aec2d1394fbbe75185acfa68b6f947c0e142 100644
|
||||
--- a/src/responder/nss/nss_iface_generated.c
|
||||
+++ b/src/responder/nss/nss_iface_generated.c
|
||||
@@ -35,7 +35,7 @@ int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req)
|
||||
DBUS_TYPE_INVALID);
|
||||
}
|
||||
|
||||
-int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req)
|
||||
+int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req)
|
||||
{
|
||||
return sbus_request_return_and_finish(req,
|
||||
DBUS_TYPE_INVALID);
|
||||
@@ -65,10 +65,10 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = {
|
||||
NULL, /* no invoker */
|
||||
},
|
||||
{
|
||||
- "InvalidateAllInitgrRecords", /* name */
|
||||
+ "InvalidateAllInitgroups", /* name */
|
||||
NULL, /* no in_args */
|
||||
NULL, /* no out_args */
|
||||
- offsetof(struct iface_nss_memorycache, InvalidateAllInitgrRecords),
|
||||
+ offsetof(struct iface_nss_memorycache, InvalidateAllInitgroups),
|
||||
NULL, /* no invoker */
|
||||
},
|
||||
{ NULL, }
|
||||
diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h
|
||||
index 6f4d13a35dc5cbe33182ad8744769b37ce449d50..cacadc57808d6f16998889cccf0c5973682bbe5d 100644
|
||||
--- a/src/responder/nss/nss_iface_generated.h
|
||||
+++ b/src/responder/nss/nss_iface_generated.h
|
||||
@@ -16,7 +16,7 @@
|
||||
#define IFACE_NSS_MEMORYCACHE_UPDATEINITGROUPS "UpdateInitgroups"
|
||||
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers"
|
||||
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups"
|
||||
-#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGRRECORDS "InvalidateAllInitgrRecords"
|
||||
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS "InvalidateAllInitgroups"
|
||||
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus handlers
|
||||
@@ -42,7 +42,7 @@ struct iface_nss_memorycache {
|
||||
int (*UpdateInitgroups)(struct sbus_request *req, void *data, const char *arg_user, const char *arg_domain, uint32_t arg_groups[], int len_groups);
|
||||
int (*InvalidateAllUsers)(struct sbus_request *req, void *data);
|
||||
int (*InvalidateAllGroups)(struct sbus_request *req, void *data);
|
||||
- int (*InvalidateAllInitgrRecords)(struct sbus_request *req, void *data);
|
||||
+ int (*InvalidateAllInitgroups)(struct sbus_request *req, void *data);
|
||||
};
|
||||
|
||||
/* finish function for UpdateInitgroups */
|
||||
@@ -54,8 +54,8 @@ int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req);
|
||||
/* finish function for InvalidateAllGroups */
|
||||
int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req);
|
||||
|
||||
-/* finish function for InvalidateAllInitgrRecords */
|
||||
-int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req);
|
||||
+/* finish function for InvalidateAllInitgroups */
|
||||
+int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req);
|
||||
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus Interface Metadata
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,56 @@
|
||||
From 2d1a59f6c2cf3cf4667cf2d01b2d780db916db42 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 10 Feb 2017 12:22:23 +0100
|
||||
Subject: [PATCH 41/79] UTIL: Add a new domain state called DOM_INCONSISTENT
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is a new domain state that indicates to the responder that it
|
||||
should always send a DP request because the provider is rebuilding the
|
||||
cache.
|
||||
|
||||
Currently it will be only used by the files provider when it is updating
|
||||
the cache to make sure sssd always returns current data and updating the
|
||||
cache from files is not as racy.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.h | 4 ++++
|
||||
src/providers/data_provider_be.c | 4 +++-
|
||||
2 files changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index dd6ac77f5a787b0434b56fccba49aa195b13297a..7c944698157619652441fb0722a4363053d6a8f3 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -248,6 +248,10 @@ enum sss_domain_state {
|
||||
* return cached data
|
||||
*/
|
||||
DOM_INACTIVE,
|
||||
+ /** Domain is being updated. Responders should ignore cached data and
|
||||
+ * always contact the DP
|
||||
+ */
|
||||
+ DOM_INCONSISTENT,
|
||||
};
|
||||
|
||||
/**
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index 12b5f43d0b5d514ce06ae8875ae2a75d37f84f88..7e7b74c36993489a93c15ad9acb33af7864f852d 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -166,8 +166,10 @@ static void be_mark_subdom_offline(struct sss_domain_info *subdom,
|
||||
tv = tevent_timeval_current_ofs(reset_status_timeout, 0);
|
||||
|
||||
switch (subdom->state) {
|
||||
+ case DOM_INCONSISTENT:
|
||||
case DOM_DISABLED:
|
||||
- DEBUG(SSSDBG_MINOR_FAILURE, "Won't touch disabled subdomain\n");
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Won't touch disabled or inconsistent subdomain\n");
|
||||
return;
|
||||
case DOM_INACTIVE:
|
||||
DEBUG(SSSDBG_TRACE_ALL, "Subdomain already inactive\n");
|
||||
--
|
||||
2.9.3
|
||||
|
561
0042-RESPONDER-Add-a-responder-sbus-interface-to-set-doma.patch
Normal file
561
0042-RESPONDER-Add-a-responder-sbus-interface-to-set-doma.patch
Normal file
@ -0,0 +1,561 @@
|
||||
From c109f063b4469818fd335b8b509f0458e7b33b0a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Sun, 30 Oct 2016 07:05:43 +0100
|
||||
Subject: [PATCH 42/79] RESPONDER: Add a responder sbus interface to set domain
|
||||
state
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds a generic responder s-bus interface that all responders implement.
|
||||
The interface currently contains methods that make it possible for a sssd
|
||||
domain to be marked as active or inconsistent by a back end.
|
||||
|
||||
In the future, this commit will be superseded by sbus signals.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 18 ++++-
|
||||
src/responder/common/iface/responder_domain.c | 73 ++++++++++++++++++++
|
||||
src/responder/common/iface/responder_iface.c | 36 ++++++++++
|
||||
src/responder/common/iface/responder_iface.h | 37 ++++++++++
|
||||
src/responder/common/iface/responder_iface.xml | 13 ++++
|
||||
.../common/iface/responder_iface_generated.c | 78 ++++++++++++++++++++++
|
||||
.../common/iface/responder_iface_generated.h | 63 +++++++++++++++++
|
||||
src/responder/common/responder_common.c | 15 +++++
|
||||
src/tests/cwrap/Makefile.am | 12 ++++
|
||||
src/util/domain_info_utils.c | 19 ++++++
|
||||
10 files changed, 362 insertions(+), 2 deletions(-)
|
||||
create mode 100644 src/responder/common/iface/responder_domain.c
|
||||
create mode 100644 src/responder/common/iface/responder_iface.c
|
||||
create mode 100644 src/responder/common/iface/responder_iface.h
|
||||
create mode 100644 src/responder/common/iface/responder_iface.xml
|
||||
create mode 100644 src/responder/common/iface/responder_iface_generated.c
|
||||
create mode 100644 src/responder/common/iface/responder_iface_generated.h
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 2304b39c7eb75225f7cd8cbc30d23592506c146e..32f62b5b4391e5d6efb7f7dc19e9b29eaa658550 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -516,6 +516,12 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
|
||||
$(NULL)
|
||||
|
||||
+SSSD_RESPONDER_IFACE_OBJ = \
|
||||
+ src/responder/common/iface/responder_iface.c \
|
||||
+ src/responder/common/iface/responder_domain.c \
|
||||
+ src/responder/common/iface/responder_iface_generated.c \
|
||||
+ $(NULL)
|
||||
+
|
||||
SSSD_RESPONDER_OBJ = \
|
||||
src/responder/common/negcache_files.c \
|
||||
src/responder/common/negcache.c \
|
||||
@@ -530,6 +536,7 @@ SSSD_RESPONDER_OBJ = \
|
||||
src/responder/common/data_provider/rdp_client.c \
|
||||
src/monitor/monitor_iface_generated.c \
|
||||
src/providers/data_provider_req.c \
|
||||
+ $(SSSD_RESPONDER_IFACE_OBJ) \
|
||||
$(SSSD_CACHE_REQ_OBJ) \
|
||||
$(NULL)
|
||||
|
||||
@@ -640,6 +647,8 @@ dist_noinst_HEADERS = \
|
||||
src/responder/common/responder.h \
|
||||
src/responder/common/responder_packet.h \
|
||||
src/responder/common/responder_sbus.h \
|
||||
+ src/responder/common/iface/responder_iface.h \
|
||||
+ src/responder/common/iface/responder_iface_generated.h \
|
||||
src/responder/common/cache_req/cache_req.h \
|
||||
src/responder/common/cache_req/cache_req_plugin.h \
|
||||
src/responder/common/cache_req/cache_req_private.h \
|
||||
@@ -1221,7 +1230,9 @@ CODEGEN_XML = \
|
||||
$(srcdir)/src/providers/data_provider/dp_iface.xml \
|
||||
$(srcdir)/src/providers/proxy/proxy_iface.xml \
|
||||
$(srcdir)/src/responder/ifp/ifp_iface.xml \
|
||||
- $(srcdir)/src/responder/nss/nss_iface.xml
|
||||
+ $(srcdir)/src/responder/nss/nss_iface.xml \
|
||||
+ $(srcdir)/src/responder/common/iface/responder_iface.xml \
|
||||
+ $(NULL)
|
||||
|
||||
SBUS_CODEGEN = src/sbus/sbus_codegen
|
||||
|
||||
@@ -2038,7 +2049,9 @@ responder_socket_access_tests_SOURCES = \
|
||||
src/responder/common/responder_packet.c \
|
||||
src/responder/common/responder_cmd.c \
|
||||
src/responder/common/data_provider/rdp_message.c \
|
||||
- src/responder/common/data_provider/rdp_client.c
|
||||
+ src/responder/common/data_provider/rdp_client.c \
|
||||
+ $(SSSD_RESPONDER_IFACE_OBJ) \
|
||||
+ $(NULL)
|
||||
responder_socket_access_tests_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
$(CHECK_CFLAGS)
|
||||
@@ -2125,6 +2138,7 @@ TEST_MOCK_RESP_OBJ = \
|
||||
src/responder/common/data_provider/rdp_client.c \
|
||||
src/responder/common/responder_utils.c \
|
||||
$(SSSD_CACHE_REQ_OBJ) \
|
||||
+ $(SSSD_RESPONDER_IFACE_OBJ) \
|
||||
$(NULL)
|
||||
|
||||
TEST_MOCK_PROVIDER_OBJ = \
|
||||
diff --git a/src/responder/common/iface/responder_domain.c b/src/responder/common/iface/responder_domain.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..2e7f788550b3cd0dcec20fc5b91fe8a4cb366875
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_domain.c
|
||||
@@ -0,0 +1,73 @@
|
||||
+/*
|
||||
+ Copyright (C) 2016 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include <errno.h>
|
||||
+
|
||||
+#include "util/util.h"
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
+#include "responder/common/responder.h"
|
||||
+#include "responder/common/iface/responder_iface.h"
|
||||
+
|
||||
+static void set_domain_state_by_name(struct resp_ctx *rctx,
|
||||
+ const char *domain_name,
|
||||
+ enum sss_domain_state state)
|
||||
+{
|
||||
+ struct sss_domain_info *dom;
|
||||
+
|
||||
+ if (domain_name == NULL) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "BUG: NULL domain name\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Setting state of domain %s\n", domain_name);
|
||||
+
|
||||
+ for (dom = rctx->domains;
|
||||
+ dom != NULL;
|
||||
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
|
||||
+
|
||||
+ if (strcasecmp(dom->name, domain_name) == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (dom != NULL) {
|
||||
+ sss_domain_set_state(dom, state);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+int sss_resp_domain_active(struct sbus_request *req,
|
||||
+ void *data,
|
||||
+ const char *domain_name)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Enabling domain %s\n", domain_name);
|
||||
+ set_domain_state_by_name(rctx, domain_name, DOM_ACTIVE);
|
||||
+ return iface_responder_domain_SetActive_finish(req);
|
||||
+}
|
||||
+
|
||||
+int sss_resp_domain_inconsistent(struct sbus_request *req,
|
||||
+ void *data,
|
||||
+ const char *domain_name)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Disabling domain %s\n", domain_name);
|
||||
+ set_domain_state_by_name(rctx, domain_name, DOM_INCONSISTENT);
|
||||
+ return iface_responder_domain_SetInconsistent_finish(req);
|
||||
+}
|
||||
diff --git a/src/responder/common/iface/responder_iface.c b/src/responder/common/iface/responder_iface.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..f1e618b659af3e7a5ffa1b7307f3d61124180f0c
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_iface.c
|
||||
@@ -0,0 +1,36 @@
|
||||
+/*
|
||||
+ Copyright (C) 2016 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
+#include "responder/common/iface/responder_iface.h"
|
||||
+#include "responder/common/responder.h"
|
||||
+
|
||||
+struct iface_responder_domain iface_responder_domain = {
|
||||
+ { &iface_responder_domain_meta, 0 },
|
||||
+ .SetActive = sss_resp_domain_active,
|
||||
+ .SetInconsistent = sss_resp_domain_inconsistent,
|
||||
+};
|
||||
+
|
||||
+static struct sbus_iface_map iface_map[] = {
|
||||
+ { RESPONDER_PATH, &iface_responder_domain.vtable },
|
||||
+ { NULL, NULL }
|
||||
+};
|
||||
+
|
||||
+struct sbus_iface_map *responder_get_sbus_interface()
|
||||
+{
|
||||
+ return iface_map;
|
||||
+}
|
||||
diff --git a/src/responder/common/iface/responder_iface.h b/src/responder/common/iface/responder_iface.h
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..abd7c83ce0b0efbc13867ffb56ec871503c92567
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_iface.h
|
||||
@@ -0,0 +1,37 @@
|
||||
+/*
|
||||
+ Copyright (C) 2016 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#ifndef _RESPONDER_IFACE_H_
|
||||
+#define _RESPONDER_IFACE_H_
|
||||
+
|
||||
+#include "responder/common/iface/responder_iface_generated.h"
|
||||
+
|
||||
+#define RESPONDER_PATH "/org/freedesktop/sssd/responder"
|
||||
+
|
||||
+struct sbus_iface_map *responder_get_sbus_interface(void);
|
||||
+
|
||||
+/* org.freedesktop.sssd.Responder.Domain */
|
||||
+
|
||||
+int sss_resp_domain_active(struct sbus_request *req,
|
||||
+ void *data,
|
||||
+ const char *domain_name);
|
||||
+
|
||||
+int sss_resp_domain_inconsistent(struct sbus_request *req,
|
||||
+ void *data,
|
||||
+ const char *domain_name);
|
||||
+
|
||||
+#endif /* _RESPONDER_IFACE_H_ */
|
||||
diff --git a/src/responder/common/iface/responder_iface.xml b/src/responder/common/iface/responder_iface.xml
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..d3d0ff40ed5a8457492f2f54d551d9ae20cc56c3
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_iface.xml
|
||||
@@ -0,0 +1,13 @@
|
||||
+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
|
||||
+ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
|
||||
+<node>
|
||||
+ <interface name="org.freedesktop.sssd.Responder.Domain">
|
||||
+ <annotation value="iface_responder_domain" name="org.freedesktop.DBus.GLib.CSymbol"/>
|
||||
+ <method name="SetActive">
|
||||
+ <arg name="name" type="s" direction="in" />
|
||||
+ </method>
|
||||
+ <method name="SetInconsistent">
|
||||
+ <arg name="name" type="s" direction="in" />
|
||||
+ </method>
|
||||
+ </interface>
|
||||
+</node>
|
||||
diff --git a/src/responder/common/iface/responder_iface_generated.c b/src/responder/common/iface/responder_iface_generated.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..1d59eafed0eb739fb208c864b5b726cf9883df94
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_iface_generated.c
|
||||
@@ -0,0 +1,78 @@
|
||||
+/* The following definitions are auto-generated from responder_iface.xml */
|
||||
+
|
||||
+#include "util/util.h"
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
+#include "sbus/sssd_dbus_meta.h"
|
||||
+#include "sbus/sssd_dbus_invokers.h"
|
||||
+#include "responder_iface_generated.h"
|
||||
+
|
||||
+/* invokes a handler with a 's' DBus signature */
|
||||
+static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr);
|
||||
+
|
||||
+/* arguments for org.freedesktop.sssd.Responder.Domain.SetActive */
|
||||
+const struct sbus_arg_meta iface_responder_domain_SetActive__in[] = {
|
||||
+ { "name", "s" },
|
||||
+ { NULL, }
|
||||
+};
|
||||
+
|
||||
+int iface_responder_domain_SetActive_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+/* arguments for org.freedesktop.sssd.Responder.Domain.SetInconsistent */
|
||||
+const struct sbus_arg_meta iface_responder_domain_SetInconsistent__in[] = {
|
||||
+ { "name", "s" },
|
||||
+ { NULL, }
|
||||
+};
|
||||
+
|
||||
+int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+/* methods for org.freedesktop.sssd.Responder.Domain */
|
||||
+const struct sbus_method_meta iface_responder_domain__methods[] = {
|
||||
+ {
|
||||
+ "SetActive", /* name */
|
||||
+ iface_responder_domain_SetActive__in,
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_responder_domain, SetActive),
|
||||
+ invoke_s_method,
|
||||
+ },
|
||||
+ {
|
||||
+ "SetInconsistent", /* name */
|
||||
+ iface_responder_domain_SetInconsistent__in,
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_responder_domain, SetInconsistent),
|
||||
+ invoke_s_method,
|
||||
+ },
|
||||
+ { NULL, }
|
||||
+};
|
||||
+
|
||||
+/* interface info for org.freedesktop.sssd.Responder.Domain */
|
||||
+const struct sbus_interface_meta iface_responder_domain_meta = {
|
||||
+ "org.freedesktop.sssd.Responder.Domain", /* name */
|
||||
+ iface_responder_domain__methods,
|
||||
+ NULL, /* no signals */
|
||||
+ NULL, /* no properties */
|
||||
+ sbus_invoke_get_all, /* GetAll invoker */
|
||||
+};
|
||||
+
|
||||
+/* invokes a handler with a 's' DBus signature */
|
||||
+static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr)
|
||||
+{
|
||||
+ const char * arg_0;
|
||||
+ int (*handler)(struct sbus_request *, void *, const char *) = function_ptr;
|
||||
+
|
||||
+ if (!sbus_request_parse_or_finish(dbus_req,
|
||||
+ DBUS_TYPE_STRING, &arg_0,
|
||||
+ DBUS_TYPE_INVALID)) {
|
||||
+ return EOK; /* request handled */
|
||||
+ }
|
||||
+
|
||||
+ return (handler)(dbus_req, dbus_req->intf->handler_data,
|
||||
+ arg_0);
|
||||
+}
|
||||
diff --git a/src/responder/common/iface/responder_iface_generated.h b/src/responder/common/iface/responder_iface_generated.h
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..e7f5c64feb062e13dc04352128cada6883f6f4fa
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_iface_generated.h
|
||||
@@ -0,0 +1,63 @@
|
||||
+/* The following declarations are auto-generated from responder_iface.xml */
|
||||
+
|
||||
+#ifndef __RESPONDER_IFACE_XML__
|
||||
+#define __RESPONDER_IFACE_XML__
|
||||
+
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
+
|
||||
+/* ------------------------------------------------------------------------
|
||||
+ * DBus Constants
|
||||
+ *
|
||||
+ * Various constants of interface and method names mostly for use by clients
|
||||
+ */
|
||||
+
|
||||
+/* constants for org.freedesktop.sssd.Responder.Domain */
|
||||
+#define IFACE_RESPONDER_DOMAIN "org.freedesktop.sssd.Responder.Domain"
|
||||
+#define IFACE_RESPONDER_DOMAIN_SETACTIVE "SetActive"
|
||||
+#define IFACE_RESPONDER_DOMAIN_SETINCONSISTENT "SetInconsistent"
|
||||
+
|
||||
+/* ------------------------------------------------------------------------
|
||||
+ * DBus handlers
|
||||
+ *
|
||||
+ * These structures are filled in by implementors of the different
|
||||
+ * dbus interfaces to handle method calls.
|
||||
+ *
|
||||
+ * Handler functions of type sbus_msg_handler_fn accept raw messages,
|
||||
+ * other handlers are typed appropriately. If a handler that is
|
||||
+ * set to NULL is invoked it will result in a
|
||||
+ * org.freedesktop.DBus.Error.NotSupported error for the caller.
|
||||
+ *
|
||||
+ * Handlers have a matching xxx_finish() function (unless the method has
|
||||
+ * accepts raw messages). These finish functions the
|
||||
+ * sbus_request_return_and_finish() with the appropriate arguments to
|
||||
+ * construct a valid reply. Once a finish function has been called, the
|
||||
+ * @dbus_req it was called with is freed and no longer valid.
|
||||
+ */
|
||||
+
|
||||
+/* vtable for org.freedesktop.sssd.Responder.Domain */
|
||||
+struct iface_responder_domain {
|
||||
+ struct sbus_vtable vtable; /* derive from sbus_vtable */
|
||||
+ int (*SetActive)(struct sbus_request *req, void *data, const char *arg_name);
|
||||
+ int (*SetInconsistent)(struct sbus_request *req, void *data, const char *arg_name);
|
||||
+};
|
||||
+
|
||||
+/* finish function for SetActive */
|
||||
+int iface_responder_domain_SetActive_finish(struct sbus_request *req);
|
||||
+
|
||||
+/* finish function for SetInconsistent */
|
||||
+int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req);
|
||||
+
|
||||
+/* ------------------------------------------------------------------------
|
||||
+ * DBus Interface Metadata
|
||||
+ *
|
||||
+ * These structure definitions are filled in with the information about
|
||||
+ * the interfaces, methods, properties and so on.
|
||||
+ *
|
||||
+ * The actual definitions are found in the accompanying C file next
|
||||
+ * to this header.
|
||||
+ */
|
||||
+
|
||||
+/* interface info for org.freedesktop.sssd.Responder.Domain */
|
||||
+extern const struct sbus_interface_meta iface_responder_domain_meta;
|
||||
+
|
||||
+#endif /* __RESPONDER_IFACE_XML__ */
|
||||
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
|
||||
index 67922bfccda8f00f256a4d1281aebfe20950d169..1959247ffda76d5041bc031c4c774aef9e0295d8 100644
|
||||
--- a/src/responder/common/responder_common.c
|
||||
+++ b/src/responder/common/responder_common.c
|
||||
@@ -38,6 +38,7 @@
|
||||
#include "confdb/confdb.h"
|
||||
#include "sbus/sssd_dbus.h"
|
||||
#include "responder/common/responder.h"
|
||||
+#include "responder/common/iface/responder_iface.h"
|
||||
#include "responder/common/responder_packet.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "monitor/monitor_interfaces.h"
|
||||
@@ -666,6 +667,7 @@ static int sss_dp_init(struct resp_ctx *rctx,
|
||||
{
|
||||
struct be_conn *be_conn;
|
||||
int ret;
|
||||
+ struct sbus_iface_map *resp_sbus_iface;
|
||||
|
||||
be_conn = talloc_zero(rctx, struct be_conn);
|
||||
if (!be_conn) return ENOMEM;
|
||||
@@ -697,6 +699,19 @@ static int sss_dp_init(struct resp_ctx *rctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ resp_sbus_iface = responder_get_sbus_interface();
|
||||
+ if (resp_sbus_iface != NULL) {
|
||||
+ ret = sbus_conn_register_iface_map(be_conn->conn,
|
||||
+ resp_sbus_iface,
|
||||
+ rctx);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Cannot register generic responder iface at %s: %d\n",
|
||||
+ resp_sbus_iface->path, ret);
|
||||
+ return ret;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
DLIST_ADD_END(rctx->be_conns, be_conn, struct be_conn *);
|
||||
|
||||
/* Identify ourselves to the DP */
|
||||
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
|
||||
index 09a8b5307dd3ebf9c7f27148097a90eac527a213..f50e9aa58fa5f2b0b8aa144582500d925a0a6438 100644
|
||||
--- a/src/tests/cwrap/Makefile.am
|
||||
+++ b/src/tests/cwrap/Makefile.am
|
||||
@@ -63,6 +63,12 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
|
||||
$(NULL)
|
||||
|
||||
+SSSD_RESPONDER_IFACE_OBJ = \
|
||||
+ ../../../src/responder/common/iface/responder_iface.c \
|
||||
+ ../../../src/responder/common/iface/responder_domain.c \
|
||||
+ ../../../src/responder/common/iface/responder_iface_generated.c \
|
||||
+ $(NULL)
|
||||
+
|
||||
SSSD_RESPONDER_OBJ = \
|
||||
../../../src/responder/common/negcache_files.c \
|
||||
../../../src/responder/common/negcache.c \
|
||||
@@ -77,6 +83,7 @@ SSSD_RESPONDER_OBJ = \
|
||||
../../../src/responder/common/data_provider/rdp_client.c \
|
||||
../../../src/monitor/monitor_iface_generated.c \
|
||||
../../../src/providers/data_provider_req.c \
|
||||
+ $(SSSD_RESPONDER_IFACE_OBJ) \
|
||||
$(SSSD_CACHE_REQ_OBJ) \
|
||||
$(NULL)
|
||||
|
||||
@@ -158,6 +165,9 @@ endif
|
||||
|
||||
responder_common_tests_SOURCES =\
|
||||
test_responder_common.c \
|
||||
+ ../../../src/responder/common/iface/responder_iface.c \
|
||||
+ ../../../src/responder/common/iface/responder_domain.c \
|
||||
+ ../../../src/responder/common/iface/responder_iface_generated.c \
|
||||
../../../src/responder/common/negcache_files.c \
|
||||
../../../src/responder/common/negcache.c \
|
||||
../../../src/responder/common/data_provider/rdp_message.c \
|
||||
@@ -165,6 +175,8 @@ responder_common_tests_SOURCES =\
|
||||
../../../src/responder/common/responder_common.c \
|
||||
../../../src/responder/common/responder_packet.c \
|
||||
../../../src/responder/common/responder_cmd.c \
|
||||
+ ../../../src/tests/cmocka/common_mock_resp_dp.c \
|
||||
+ $(SSSD_CACHE_REQ_OBJ) \
|
||||
$(NULL)
|
||||
responder_common_tests_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
|
||||
index 0feda148bd44b9cefc43c094ddc5a72820412322..6ef6bcfb8c078a360673b6bdd2364fc2918cb324 100644
|
||||
--- a/src/util/domain_info_utils.c
|
||||
+++ b/src/util/domain_info_utils.c
|
||||
@@ -814,8 +814,25 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static const char *domain_state_str(struct sss_domain_info *dom)
|
||||
+{
|
||||
+ switch (dom->state) {
|
||||
+ case DOM_ACTIVE:
|
||||
+ return "Active";
|
||||
+ case DOM_DISABLED:
|
||||
+ return "Disabled";
|
||||
+ case DOM_INACTIVE:
|
||||
+ return "Inactive";
|
||||
+ case DOM_INCONSISTENT:
|
||||
+ return "Inconsistent";
|
||||
+ }
|
||||
+ return "Unknown";
|
||||
+}
|
||||
+
|
||||
enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom)
|
||||
{
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
+ "Domain %s is %s\n", dom->name, domain_state_str(dom));
|
||||
return dom->state;
|
||||
}
|
||||
|
||||
@@ -823,6 +840,8 @@ void sss_domain_set_state(struct sss_domain_info *dom,
|
||||
enum sss_domain_state state)
|
||||
{
|
||||
dom->state = state;
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
+ "Domain %s is %s\n", dom->name, domain_state_str(dom));
|
||||
}
|
||||
|
||||
bool is_email_from_domain(const char *email, struct sss_domain_info *dom)
|
||||
--
|
||||
2.9.3
|
||||
|
259
0043-RESPONDER-A-sbus-interface-to-reset-negatively-cache.patch
Normal file
259
0043-RESPONDER-A-sbus-interface-to-reset-negatively-cache.patch
Normal file
@ -0,0 +1,259 @@
|
||||
From 205a0b9e9234327730fa808be95b2e1db7ffee95 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 2 Nov 2016 17:13:32 +0100
|
||||
Subject: [PATCH 43/79] RESPONDER: A sbus interface to reset negatively cached
|
||||
users and groups
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds two new responder sbus interface functions: ResetNegcacheUsers and
|
||||
ResetNegcacheGroups. These functions can be called by a Data Provider to
|
||||
signal to a responder that it should drop its negative cache.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
src/responder/common/iface/responder_iface.c | 7 ++++
|
||||
src/responder/common/iface/responder_iface.h | 5 +++
|
||||
src/responder/common/iface/responder_iface.xml | 6 ++++
|
||||
.../common/iface/responder_iface_generated.c | 40 ++++++++++++++++++++++
|
||||
.../common/iface/responder_iface_generated.h | 21 ++++++++++++
|
||||
.../{responder_iface.c => responder_ncache.c} | 31 ++++++++++-------
|
||||
src/tests/cwrap/Makefile.am | 2 ++
|
||||
8 files changed, 100 insertions(+), 13 deletions(-)
|
||||
copy src/responder/common/iface/{responder_iface.c => responder_ncache.c} (55%)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 32f62b5b4391e5d6efb7f7dc19e9b29eaa658550..aa28a27f992f9a42b78d37d6de8fd8271c99afef 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -519,6 +519,7 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
SSSD_RESPONDER_IFACE_OBJ = \
|
||||
src/responder/common/iface/responder_iface.c \
|
||||
src/responder/common/iface/responder_domain.c \
|
||||
+ src/responder/common/iface/responder_ncache.c \
|
||||
src/responder/common/iface/responder_iface_generated.c \
|
||||
$(NULL)
|
||||
|
||||
diff --git a/src/responder/common/iface/responder_iface.c b/src/responder/common/iface/responder_iface.c
|
||||
index f1e618b659af3e7a5ffa1b7307f3d61124180f0c..07fd1ff6276ae9b847ff50b949ce91550fe68296 100644
|
||||
--- a/src/responder/common/iface/responder_iface.c
|
||||
+++ b/src/responder/common/iface/responder_iface.c
|
||||
@@ -25,8 +25,15 @@ struct iface_responder_domain iface_responder_domain = {
|
||||
.SetInconsistent = sss_resp_domain_inconsistent,
|
||||
};
|
||||
|
||||
+struct iface_responder_ncache iface_responder_ncache = {
|
||||
+ { &iface_responder_ncache_meta, 0 },
|
||||
+ .ResetUsers = sss_resp_reset_ncache_users,
|
||||
+ .ResetGroups = sss_resp_reset_ncache_groups,
|
||||
+};
|
||||
+
|
||||
static struct sbus_iface_map iface_map[] = {
|
||||
{ RESPONDER_PATH, &iface_responder_domain.vtable },
|
||||
+ { RESPONDER_PATH, &iface_responder_ncache.vtable },
|
||||
{ NULL, NULL }
|
||||
};
|
||||
|
||||
diff --git a/src/responder/common/iface/responder_iface.h b/src/responder/common/iface/responder_iface.h
|
||||
index abd7c83ce0b0efbc13867ffb56ec871503c92567..5166b624cf9f7278c46f10dfc26c717ac4462408 100644
|
||||
--- a/src/responder/common/iface/responder_iface.h
|
||||
+++ b/src/responder/common/iface/responder_iface.h
|
||||
@@ -34,4 +34,9 @@ int sss_resp_domain_inconsistent(struct sbus_request *req,
|
||||
void *data,
|
||||
const char *domain_name);
|
||||
|
||||
+/* org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+
|
||||
+int sss_resp_reset_ncache_users(struct sbus_request *req, void *data);
|
||||
+int sss_resp_reset_ncache_groups(struct sbus_request *req, void *data);
|
||||
+
|
||||
#endif /* _RESPONDER_IFACE_H_ */
|
||||
diff --git a/src/responder/common/iface/responder_iface.xml b/src/responder/common/iface/responder_iface.xml
|
||||
index d3d0ff40ed5a8457492f2f54d551d9ae20cc56c3..9f092e00ffc5354efe98b6c8bde1cdf414ee36d2 100644
|
||||
--- a/src/responder/common/iface/responder_iface.xml
|
||||
+++ b/src/responder/common/iface/responder_iface.xml
|
||||
@@ -10,4 +10,10 @@
|
||||
<arg name="name" type="s" direction="in" />
|
||||
</method>
|
||||
</interface>
|
||||
+
|
||||
+ <interface name="org.freedesktop.sssd.Responder.NegativeCache">
|
||||
+ <annotation value="iface_responder_ncache" name="org.freedesktop.DBus.GLib.CSymbol"/>
|
||||
+ <method name="ResetUsers" />
|
||||
+ <method name="ResetGroups" />
|
||||
+ </interface>
|
||||
</node>
|
||||
diff --git a/src/responder/common/iface/responder_iface_generated.c b/src/responder/common/iface/responder_iface_generated.c
|
||||
index 1d59eafed0eb739fb208c864b5b726cf9883df94..837e67cfd4305494be6ee3de949d56d47179707c 100644
|
||||
--- a/src/responder/common/iface/responder_iface_generated.c
|
||||
+++ b/src/responder/common/iface/responder_iface_generated.c
|
||||
@@ -61,6 +61,46 @@ const struct sbus_interface_meta iface_responder_domain_meta = {
|
||||
sbus_invoke_get_all, /* GetAll invoker */
|
||||
};
|
||||
|
||||
+int iface_responder_ncache_ResetUsers_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+int iface_responder_ncache_ResetGroups_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+/* methods for org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+const struct sbus_method_meta iface_responder_ncache__methods[] = {
|
||||
+ {
|
||||
+ "ResetUsers", /* name */
|
||||
+ NULL, /* no in_args */
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_responder_ncache, ResetUsers),
|
||||
+ NULL, /* no invoker */
|
||||
+ },
|
||||
+ {
|
||||
+ "ResetGroups", /* name */
|
||||
+ NULL, /* no in_args */
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_responder_ncache, ResetGroups),
|
||||
+ NULL, /* no invoker */
|
||||
+ },
|
||||
+ { NULL, }
|
||||
+};
|
||||
+
|
||||
+/* interface info for org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+const struct sbus_interface_meta iface_responder_ncache_meta = {
|
||||
+ "org.freedesktop.sssd.Responder.NegativeCache", /* name */
|
||||
+ iface_responder_ncache__methods,
|
||||
+ NULL, /* no signals */
|
||||
+ NULL, /* no properties */
|
||||
+ sbus_invoke_get_all, /* GetAll invoker */
|
||||
+};
|
||||
+
|
||||
/* invokes a handler with a 's' DBus signature */
|
||||
static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr)
|
||||
{
|
||||
diff --git a/src/responder/common/iface/responder_iface_generated.h b/src/responder/common/iface/responder_iface_generated.h
|
||||
index e7f5c64feb062e13dc04352128cada6883f6f4fa..964f19b732595c261e84f857497678490a113412 100644
|
||||
--- a/src/responder/common/iface/responder_iface_generated.h
|
||||
+++ b/src/responder/common/iface/responder_iface_generated.h
|
||||
@@ -16,6 +16,11 @@
|
||||
#define IFACE_RESPONDER_DOMAIN_SETACTIVE "SetActive"
|
||||
#define IFACE_RESPONDER_DOMAIN_SETINCONSISTENT "SetInconsistent"
|
||||
|
||||
+/* constants for org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+#define IFACE_RESPONDER_NCACHE "org.freedesktop.sssd.Responder.NegativeCache"
|
||||
+#define IFACE_RESPONDER_NCACHE_RESETUSERS "ResetUsers"
|
||||
+#define IFACE_RESPONDER_NCACHE_RESETGROUPS "ResetGroups"
|
||||
+
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus handlers
|
||||
*
|
||||
@@ -47,6 +52,19 @@ int iface_responder_domain_SetActive_finish(struct sbus_request *req);
|
||||
/* finish function for SetInconsistent */
|
||||
int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req);
|
||||
|
||||
+/* vtable for org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+struct iface_responder_ncache {
|
||||
+ struct sbus_vtable vtable; /* derive from sbus_vtable */
|
||||
+ int (*ResetUsers)(struct sbus_request *req, void *data);
|
||||
+ int (*ResetGroups)(struct sbus_request *req, void *data);
|
||||
+};
|
||||
+
|
||||
+/* finish function for ResetUsers */
|
||||
+int iface_responder_ncache_ResetUsers_finish(struct sbus_request *req);
|
||||
+
|
||||
+/* finish function for ResetGroups */
|
||||
+int iface_responder_ncache_ResetGroups_finish(struct sbus_request *req);
|
||||
+
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus Interface Metadata
|
||||
*
|
||||
@@ -60,4 +78,7 @@ int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req);
|
||||
/* interface info for org.freedesktop.sssd.Responder.Domain */
|
||||
extern const struct sbus_interface_meta iface_responder_domain_meta;
|
||||
|
||||
+/* interface info for org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+extern const struct sbus_interface_meta iface_responder_ncache_meta;
|
||||
+
|
||||
#endif /* __RESPONDER_IFACE_XML__ */
|
||||
diff --git a/src/responder/common/iface/responder_iface.c b/src/responder/common/iface/responder_ncache.c
|
||||
similarity index 55%
|
||||
copy from src/responder/common/iface/responder_iface.c
|
||||
copy to src/responder/common/iface/responder_ncache.c
|
||||
index f1e618b659af3e7a5ffa1b7307f3d61124180f0c..c7aa0a3a40f386aa2d2f0d0a00a4fa90a59ffb34 100644
|
||||
--- a/src/responder/common/iface/responder_iface.c
|
||||
+++ b/src/responder/common/iface/responder_ncache.c
|
||||
@@ -1,5 +1,8 @@
|
||||
/*
|
||||
- Copyright (C) 2016 Red Hat
|
||||
+ Authors:
|
||||
+ Pavel Březina <pbrezina@redhat.com>
|
||||
+
|
||||
+ Copyright (C) 2017 Red Hat
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
@@ -15,22 +18,24 @@
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
+#include "util/util.h"
|
||||
#include "sbus/sssd_dbus.h"
|
||||
-#include "responder/common/iface/responder_iface.h"
|
||||
#include "responder/common/responder.h"
|
||||
+#include "responder/common/negcache.h"
|
||||
+#include "responder/common/iface/responder_iface.h"
|
||||
|
||||
-struct iface_responder_domain iface_responder_domain = {
|
||||
- { &iface_responder_domain_meta, 0 },
|
||||
- .SetActive = sss_resp_domain_active,
|
||||
- .SetInconsistent = sss_resp_domain_inconsistent,
|
||||
-};
|
||||
+int sss_resp_reset_ncache_users(struct sbus_request *req, void *data)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
|
||||
-static struct sbus_iface_map iface_map[] = {
|
||||
- { RESPONDER_PATH, &iface_responder_domain.vtable },
|
||||
- { NULL, NULL }
|
||||
-};
|
||||
+ sss_ncache_reset_users(rctx->ncache);
|
||||
+ return iface_responder_ncache_ResetUsers_finish(req);
|
||||
+}
|
||||
|
||||
-struct sbus_iface_map *responder_get_sbus_interface()
|
||||
+int sss_resp_reset_ncache_groups(struct sbus_request *req, void *data)
|
||||
{
|
||||
- return iface_map;
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+
|
||||
+ sss_ncache_reset_groups(rctx->ncache);
|
||||
+ return iface_responder_ncache_ResetGroups_finish(req);
|
||||
}
|
||||
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
|
||||
index f50e9aa58fa5f2b0b8aa144582500d925a0a6438..b4bef8fee1830c1d6798dde50f114ecb4608c645 100644
|
||||
--- a/src/tests/cwrap/Makefile.am
|
||||
+++ b/src/tests/cwrap/Makefile.am
|
||||
@@ -66,6 +66,7 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
SSSD_RESPONDER_IFACE_OBJ = \
|
||||
../../../src/responder/common/iface/responder_iface.c \
|
||||
../../../src/responder/common/iface/responder_domain.c \
|
||||
+ ../../../src/responder/common/iface/responder_ncache.c \
|
||||
../../../src/responder/common/iface/responder_iface_generated.c \
|
||||
$(NULL)
|
||||
|
||||
@@ -167,6 +168,7 @@ responder_common_tests_SOURCES =\
|
||||
test_responder_common.c \
|
||||
../../../src/responder/common/iface/responder_iface.c \
|
||||
../../../src/responder/common/iface/responder_domain.c \
|
||||
+ ../../../src/responder/common/iface/responder_ncache.c \
|
||||
../../../src/responder/common/iface/responder_iface_generated.c \
|
||||
../../../src/responder/common/negcache_files.c \
|
||||
../../../src/responder/common/negcache.c \
|
||||
--
|
||||
2.9.3
|
||||
|
148
0044-DP-Add-internal-DP-interface-to-set-domain-state.patch
Normal file
148
0044-DP-Add-internal-DP-interface-to-set-domain-state.patch
Normal file
@ -0,0 +1,148 @@
|
||||
From b3ee4be9e1794fa823696d70d4958f3b0269939c Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 2 Nov 2016 17:18:07 +0100
|
||||
Subject: [PATCH 44/79] DP: Add internal DP interface to set domain state
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds functions to the interface Data Provider publishes towards back
|
||||
ends that allows the back ends to notify responders that a domain has
|
||||
been enabled or disabled.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
src/providers/data_provider/dp.h | 5 ++
|
||||
src/providers/data_provider/dp_resp_client.c | 93 ++++++++++++++++++++++++++++
|
||||
3 files changed, 99 insertions(+)
|
||||
create mode 100644 src/providers/data_provider/dp_resp_client.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index aa28a27f992f9a42b78d37d6de8fd8271c99afef..5cf496002ff54b8df1c0fdf29179a5b69e4b62c0 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1464,6 +1464,7 @@ sssd_be_SOURCES = \
|
||||
src/providers/data_provider/dp_iface_backend.c \
|
||||
src/providers/data_provider/dp_iface_failover.c \
|
||||
src/providers/data_provider/dp_client.c \
|
||||
+ src/providers/data_provider/dp_resp_client.c \
|
||||
src/providers/data_provider/dp_iface_generated.c \
|
||||
src/providers/data_provider/dp_request.c \
|
||||
src/providers/data_provider/dp_request_reply.c \
|
||||
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
|
||||
index 5b36baf3489be4cce463dfb42c65a0b7f7ece9ef..68db75521bd9d78eb6e7944746ea2054918e298d 100644
|
||||
--- a/src/providers/data_provider/dp.h
|
||||
+++ b/src/providers/data_provider/dp.h
|
||||
@@ -161,4 +161,9 @@ bool dp_method_enabled(struct data_provider *provider,
|
||||
void dp_terminate_domain_requests(struct data_provider *provider,
|
||||
const char *domain);
|
||||
|
||||
+void dp_sbus_domain_active(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom);
|
||||
+void dp_sbus_domain_inconsistent(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom);
|
||||
+
|
||||
#endif /* _DP_H_ */
|
||||
diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..3d386eac1cd779e2776e23745a18292c5ce835cd
|
||||
--- /dev/null
|
||||
+++ b/src/providers/data_provider/dp_resp_client.c
|
||||
@@ -0,0 +1,93 @@
|
||||
+/*
|
||||
+ SSSD
|
||||
+
|
||||
+ Data Provider Responder client - DP calls responder interface
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include "config.h"
|
||||
+#include <talloc.h>
|
||||
+#include <tevent.h>
|
||||
+
|
||||
+#include "confdb/confdb.h"
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
+#include "providers/data_provider.h"
|
||||
+#include "providers/data_provider/dp_private.h"
|
||||
+#include "responder/common/iface/responder_iface.h"
|
||||
+#include "src/responder/nss/nss_iface.h"
|
||||
+
|
||||
+static void send_msg_to_all_clients(struct data_provider *provider,
|
||||
+ struct DBusMessage *msg)
|
||||
+{
|
||||
+ struct dp_client *cli;
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; provider->clients[i] != NULL; i++) {
|
||||
+ cli = provider->clients[i];
|
||||
+ if (cli != NULL) {
|
||||
+ sbus_conn_send_reply(dp_client_conn(cli), msg);
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void dp_sbus_set_domain_state(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ enum sss_domain_state state)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+ const char *method = NULL;
|
||||
+
|
||||
+ switch (state) {
|
||||
+ case DOM_ACTIVE:
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Ordering responders to enable domain %s\n",
|
||||
+ dom->name);
|
||||
+ method = IFACE_RESPONDER_DOMAIN_SETACTIVE;
|
||||
+ break;
|
||||
+ case DOM_INCONSISTENT:
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Ordering responders to disable domain %s\n",
|
||||
+ dom->name);
|
||||
+ method = IFACE_RESPONDER_DOMAIN_SETINCONSISTENT;
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* No other methods provided at the moment */
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ sss_domain_set_state(dom, state);
|
||||
+
|
||||
+ msg = sbus_create_message(NULL, NULL, RESPONDER_PATH,
|
||||
+ IFACE_RESPONDER_DOMAIN, method,
|
||||
+ DBUS_TYPE_STRING, &dom->name);
|
||||
+ if (msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ send_msg_to_all_clients(provider, msg);
|
||||
+ dbus_message_unref(msg);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_domain_active(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ return dp_sbus_set_domain_state(provider, dom, DOM_ACTIVE);
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_domain_inconsistent(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ return dp_sbus_set_domain_state(provider, dom, DOM_INCONSISTENT);
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
122
0045-DP-Add-internal-interface-to-reset-negative-cache-fr.patch
Normal file
122
0045-DP-Add-internal-interface-to-reset-negative-cache-fr.patch
Normal file
@ -0,0 +1,122 @@
|
||||
From af28fa659f7ffcd12ecf8bda64e79cf5dd225651 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 16 Nov 2016 17:00:57 +0100
|
||||
Subject: [PATCH 45/79] DP: Add internal interface to reset negative cache from
|
||||
DP
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds a an interface that allows the Data Provider to notify responders
|
||||
to drop their negative cache.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/data_provider/dp.h | 5 +++
|
||||
src/providers/data_provider/dp_resp_client.c | 65 +++++++++++++++++++++++++++-
|
||||
2 files changed, 69 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
|
||||
index 68db75521bd9d78eb6e7944746ea2054918e298d..79d02d469c5eb04d5e27b27af48b77f72d132416 100644
|
||||
--- a/src/providers/data_provider/dp.h
|
||||
+++ b/src/providers/data_provider/dp.h
|
||||
@@ -166,4 +166,9 @@ void dp_sbus_domain_active(struct data_provider *provider,
|
||||
void dp_sbus_domain_inconsistent(struct data_provider *provider,
|
||||
struct sss_domain_info *dom);
|
||||
|
||||
+void dp_sbus_reset_users_ncache(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom);
|
||||
+void dp_sbus_reset_groups_ncache(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom);
|
||||
+
|
||||
#endif /* _DP_H_ */
|
||||
diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
|
||||
index 3d386eac1cd779e2776e23745a18292c5ce835cd..6828610acce3771f2b628c877a1d463c3f635015 100644
|
||||
--- a/src/providers/data_provider/dp_resp_client.c
|
||||
+++ b/src/providers/data_provider/dp_resp_client.c
|
||||
@@ -26,7 +26,23 @@
|
||||
#include "providers/data_provider.h"
|
||||
#include "providers/data_provider/dp_private.h"
|
||||
#include "responder/common/iface/responder_iface.h"
|
||||
-#include "src/responder/nss/nss_iface.h"
|
||||
+#include "responder/nss/nss_iface.h"
|
||||
+
|
||||
+/* List of DP clients that deal with users or groups */
|
||||
+/* FIXME - it would be much cleaner to implement sbus signals
|
||||
+ * and let the responder subscribe to these messages rather than
|
||||
+ * keep a list here..
|
||||
+ * https://fedorahosted.org/sssd/ticket/2233
|
||||
+ */
|
||||
+static enum dp_clients user_clients[] = {
|
||||
+ DPC_NSS,
|
||||
+ DPC_PAM,
|
||||
+ DPC_IFP,
|
||||
+ DPC_PAC,
|
||||
+ DPC_SUDO,
|
||||
+
|
||||
+ DP_CLIENT_SENTINEL
|
||||
+};
|
||||
|
||||
static void send_msg_to_all_clients(struct data_provider *provider,
|
||||
struct DBusMessage *msg)
|
||||
@@ -42,6 +58,21 @@ static void send_msg_to_all_clients(struct data_provider *provider,
|
||||
}
|
||||
}
|
||||
|
||||
+static void send_msg_to_selected_clients(struct data_provider *provider,
|
||||
+ struct DBusMessage *msg,
|
||||
+ enum dp_clients *clients)
|
||||
+{
|
||||
+ struct dp_client *cli;
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; clients[i] != DP_CLIENT_SENTINEL; i++) {
|
||||
+ cli = provider->clients[clients[i]];
|
||||
+ if (cli != NULL) {
|
||||
+ sbus_conn_send_reply(dp_client_conn(cli), msg);
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static void dp_sbus_set_domain_state(struct data_provider *provider,
|
||||
struct sss_domain_info *dom,
|
||||
enum sss_domain_state state)
|
||||
@@ -91,3 +122,35 @@ void dp_sbus_domain_inconsistent(struct data_provider *provider,
|
||||
{
|
||||
return dp_sbus_set_domain_state(provider, dom, DOM_INCONSISTENT);
|
||||
}
|
||||
+
|
||||
+static void dp_sbus_reset_ncache(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ const char *method)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+
|
||||
+ msg = sbus_create_message(NULL, NULL, RESPONDER_PATH,
|
||||
+ IFACE_RESPONDER_NCACHE, method);
|
||||
+ if (msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ send_msg_to_selected_clients(provider, msg, user_clients);
|
||||
+ dbus_message_unref(msg);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_reset_users_ncache(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ return dp_sbus_reset_ncache(provider, dom,
|
||||
+ IFACE_RESPONDER_NCACHE_RESETUSERS);
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_reset_groups_ncache(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ return dp_sbus_reset_ncache(provider, dom,
|
||||
+ IFACE_RESPONDER_NCACHE_RESETGROUPS);
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,77 @@
|
||||
From 5007103e82f34e64a0ff3b278797b9fa42ba1dda Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 14 Feb 2017 20:37:58 +0100
|
||||
Subject: [PATCH 46/79] DP: Add internal interface to invalidate memory cache
|
||||
from DP
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds an interfae to the Data Provider that allows the DP to notify the
|
||||
NSS responder to invalidate its memory cache records.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/data_provider/dp.h | 4 ++++
|
||||
src/providers/data_provider/dp_resp_client.c | 35 ++++++++++++++++++++++++++++
|
||||
2 files changed, 39 insertions(+)
|
||||
|
||||
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
|
||||
index 79d02d469c5eb04d5e27b27af48b77f72d132416..e80a6c3398784dfc176baeff2daf7203c52fc072 100644
|
||||
--- a/src/providers/data_provider/dp.h
|
||||
+++ b/src/providers/data_provider/dp.h
|
||||
@@ -171,4 +171,8 @@ void dp_sbus_reset_users_ncache(struct data_provider *provider,
|
||||
void dp_sbus_reset_groups_ncache(struct data_provider *provider,
|
||||
struct sss_domain_info *dom);
|
||||
|
||||
+void dp_sbus_reset_users_memcache(struct data_provider *provider);
|
||||
+void dp_sbus_reset_groups_memcache(struct data_provider *provider);
|
||||
+void dp_sbus_reset_initgr_memcache(struct data_provider *provider);
|
||||
+
|
||||
#endif /* _DP_H_ */
|
||||
diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
|
||||
index 6828610acce3771f2b628c877a1d463c3f635015..5735188a603b16c35ad6e1050c06a685fdf7ed8d 100644
|
||||
--- a/src/providers/data_provider/dp_resp_client.c
|
||||
+++ b/src/providers/data_provider/dp_resp_client.c
|
||||
@@ -154,3 +154,38 @@ void dp_sbus_reset_groups_ncache(struct data_provider *provider,
|
||||
return dp_sbus_reset_ncache(provider, dom,
|
||||
IFACE_RESPONDER_NCACHE_RESETGROUPS);
|
||||
}
|
||||
+
|
||||
+static void dp_sbus_reset_memcache(struct data_provider *provider,
|
||||
+ const char *method)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+
|
||||
+ msg = sbus_create_message(NULL, NULL, NSS_MEMORYCACHE_PATH,
|
||||
+ IFACE_NSS_MEMORYCACHE, method);
|
||||
+ if (msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ send_msg_to_selected_clients(provider, msg, user_clients);
|
||||
+ dbus_message_unref(msg);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_reset_users_memcache(struct data_provider *provider)
|
||||
+{
|
||||
+ return dp_sbus_reset_memcache(provider,
|
||||
+ IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS);
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_reset_groups_memcache(struct data_provider *provider)
|
||||
+{
|
||||
+ return dp_sbus_reset_memcache(provider,
|
||||
+ IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS);
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_reset_initgr_memcache(struct data_provider *provider)
|
||||
+{
|
||||
+ return dp_sbus_reset_memcache(provider,
|
||||
+ IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS);
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
50
0047-RESPONDER-Use-the-NEED_CHECK_DOMAIN-macro.patch
Normal file
50
0047-RESPONDER-Use-the-NEED_CHECK_DOMAIN-macro.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From 2c61b6eee24d90b11f3d2cab7b9cd8690df29f34 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 2 Jan 2017 16:41:31 +0100
|
||||
Subject: [PATCH 47/79] RESPONDER: Use the NEED_CHECK_DOMAIN macro
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is to avoid a needless round-trip between the responder and the
|
||||
back end for domains that do not have a traditional back end such as
|
||||
local or files.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/common/responder_dp.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
||||
index 11eb47ce1d41027f36998aba7b9fbca5fb4c7910..cfd12569a5068d0ffaa7fee5a35e12fe4512fb50 100644
|
||||
--- a/src/responder/common/responder_dp.c
|
||||
+++ b/src/responder/common/responder_dp.c
|
||||
@@ -495,6 +495,12 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
||||
goto error;
|
||||
}
|
||||
|
||||
+ if (NEED_CHECK_PROVIDER(dom->provider) == false) {
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Domain %s does not check DP\n", dom->name);
|
||||
+ ret = EOK;
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
info = talloc_zero(state, struct sss_dp_account_info);
|
||||
info->fast_reply = fast_reply;
|
||||
info->type = type;
|
||||
@@ -539,7 +545,11 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
||||
return req;
|
||||
|
||||
error:
|
||||
- tevent_req_error(req, ret);
|
||||
+ if (ret == EOK) {
|
||||
+ tevent_req_done(req);
|
||||
+ } else {
|
||||
+ tevent_req_error(req, ret);
|
||||
+ }
|
||||
tevent_req_post(req, rctx->ev);
|
||||
return req;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,41 @@
|
||||
From 26866484a985adbc7edf2e79a1e95b3bb6b8624c Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 2 Dec 2016 17:51:54 +0100
|
||||
Subject: [PATCH 48/79] RESPONDER: Include the files provider in
|
||||
NEEDS_CHECK_PROVIDER
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
It makes no sense to contact the Data Provider with the files provider
|
||||
except when the files provider is updating itself.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/common/responder.h | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
|
||||
index 748dec4301b4a018691d9b8c8fca0193d18167a5..3515f76d2bd0a553e7bf6b089b6d511255cf1e93 100644
|
||||
--- a/src/responder/common/responder.h
|
||||
+++ b/src/responder/common/responder.h
|
||||
@@ -48,9 +48,14 @@ extern hash_table_t *dp_requests;
|
||||
* So we set umask to 0111. */
|
||||
#define SCKT_RSP_UMASK 0111
|
||||
|
||||
-/* if there is a provider other than the special local */
|
||||
+/* Neither the local provider nor the files provider have a back
|
||||
+ * end in the traditional sense and can always just consult
|
||||
+ * the responder's cache
|
||||
+ */
|
||||
#define NEED_CHECK_PROVIDER(provider) \
|
||||
- (provider != NULL && strcmp(provider, "local") != 0)
|
||||
+ (provider != NULL && \
|
||||
+ (strcmp(provider, "local") != 0 && \
|
||||
+ strcmp(provider, "files") != 0))
|
||||
|
||||
/* needed until nsssrv.h is updated */
|
||||
struct cli_request {
|
||||
--
|
||||
2.9.3
|
||||
|
132
0049-RESPONDER-Contact-inconsistent-domains.patch
Normal file
132
0049-RESPONDER-Contact-inconsistent-domains.patch
Normal file
@ -0,0 +1,132 @@
|
||||
From 50c740cbc2bb27cbe488fa8587e2901b8b85cf87 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 10 Feb 2017 14:39:43 +0100
|
||||
Subject: [PATCH 49/79] RESPONDER: Contact inconsistent domains
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/data_provider.h | 5 +++
|
||||
src/responder/common/responder_dp.c | 74 +++++++++++++++++++++++++++++++++++--
|
||||
2 files changed, 76 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
|
||||
index 46d9910ddf9ef1c37da585bc33cf314341860332..5ccc0adbaffc6d50f128ae02fe6e5c77743f626b 100644
|
||||
--- a/src/providers/data_provider.h
|
||||
+++ b/src/providers/data_provider.h
|
||||
@@ -229,6 +229,11 @@ int dp_get_sbus_address(TALLOC_CTX *mem_ctx,
|
||||
char **address, const char *domain_name);
|
||||
|
||||
|
||||
+/* Reserved filter name for request which waits until the files provider finishes mirroring
|
||||
+ * the file content
|
||||
+ */
|
||||
+#define DP_REQ_OPT_FILES_INITGR "files_initgr_request"
|
||||
+
|
||||
/* Helpers */
|
||||
|
||||
#define NULL_STRING { .string = NULL }
|
||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
||||
index cfd12569a5068d0ffaa7fee5a35e12fe4512fb50..080f70fd5945ffd234e0ef226d8139df071c4752 100644
|
||||
--- a/src/responder/common/responder_dp.c
|
||||
+++ b/src/responder/common/responder_dp.c
|
||||
@@ -453,6 +453,12 @@ sss_dp_req_recv(TALLOC_CTX *mem_ctx,
|
||||
*/
|
||||
static DBusMessage *sss_dp_get_account_msg(void *pvt);
|
||||
|
||||
+static int sss_dp_account_files_params(struct sss_domain_info *dom,
|
||||
+ enum sss_dp_acct_type type_in,
|
||||
+ const char *opt_name_in,
|
||||
+ enum sss_dp_acct_type *_type_out,
|
||||
+ const char **_opt_name_out);
|
||||
+
|
||||
struct sss_dp_account_info {
|
||||
struct sss_domain_info *dom;
|
||||
|
||||
@@ -496,9 +502,28 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
if (NEED_CHECK_PROVIDER(dom->provider) == false) {
|
||||
- DEBUG(SSSDBG_TRACE_INTERNAL, "Domain %s does not check DP\n", dom->name);
|
||||
- ret = EOK;
|
||||
- goto error;
|
||||
+ if (strcmp(dom->provider, "files") == 0) {
|
||||
+ /* This is a special case. If the files provider is just being updated,
|
||||
+ * we issue an enumeration request. We always use the same request type
|
||||
+ * (user enumeration) to make sure concurrent requests are just chained
|
||||
+ * in the Data Provider
|
||||
+ */
|
||||
+ ret = sss_dp_account_files_params(dom, type, opt_name,
|
||||
+ &type, &opt_name);
|
||||
+ if (ret == EOK) {
|
||||
+ goto error;
|
||||
+ } else if (ret != EAGAIN) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to set files provider update: %d: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto error;
|
||||
+ }
|
||||
+ /* EAGAIN, fall through to issuing the request */
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Domain %s does not check DP\n", dom->name);
|
||||
+ ret = EOK;
|
||||
+ goto error;
|
||||
+ }
|
||||
}
|
||||
|
||||
info = talloc_zero(state, struct sss_dp_account_info);
|
||||
@@ -554,6 +579,49 @@ error:
|
||||
return req;
|
||||
}
|
||||
|
||||
+static int sss_dp_account_files_params(struct sss_domain_info *dom,
|
||||
+ enum sss_dp_acct_type type_in,
|
||||
+ const char *opt_name_in,
|
||||
+ enum sss_dp_acct_type *_type_out,
|
||||
+ const char **_opt_name_out)
|
||||
+{
|
||||
+#if 0
|
||||
+ if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
|
||||
+ return EOK;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
+ "Domain files is not consistent, issuing update\n");
|
||||
+
|
||||
+ switch(type_in) {
|
||||
+ case SSS_DP_USER:
|
||||
+ case SSS_DP_GROUP:
|
||||
+ *_type_out = type_in;
|
||||
+ *_opt_name_out = NULL;
|
||||
+ return EAGAIN;
|
||||
+ case SSS_DP_INITGROUPS:
|
||||
+ /* There is no initgroups enumeration so let's use a dummy
|
||||
+ * name to let the DP chain the requests
|
||||
+ */
|
||||
+ *_type_out = type_in;
|
||||
+ *_opt_name_out = DP_REQ_OPT_FILES_INITGR;
|
||||
+ return EAGAIN;
|
||||
+ /* These are not handled by the files provider, just fall back */
|
||||
+ case SSS_DP_NETGR:
|
||||
+ case SSS_DP_SERVICES:
|
||||
+ case SSS_DP_SECID:
|
||||
+ case SSS_DP_USER_AND_GROUP:
|
||||
+ case SSS_DP_CERT:
|
||||
+ case SSS_DP_WILDCARD_USER:
|
||||
+ case SSS_DP_WILDCARD_GROUP:
|
||||
+ return EOK;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unhandled type %d\n", type_in);
|
||||
+ return EINVAL;
|
||||
+}
|
||||
+
|
||||
static DBusMessage *
|
||||
sss_dp_get_account_msg(void *pvt)
|
||||
{
|
||||
--
|
||||
2.9.3
|
||||
|
1312
0050-UTIL-Add-a-generic-inotify-module.patch
Normal file
1312
0050-UTIL-Add-a-generic-inotify-module.patch
Normal file
File diff suppressed because it is too large
Load Diff
42
0051-CONFDB-Re-enable-the-files-provider.patch
Normal file
42
0051-CONFDB-Re-enable-the-files-provider.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From 90a103d6050b266fd8fc8fd0636be32de5885dec Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 25 Oct 2016 16:15:06 +0200
|
||||
Subject: [PATCH 51/79] CONFDB: Re-enable the files provider
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The files provider was "blacklisted" for a long time, because very old
|
||||
(pre-1.0) versions of sssd had the capability to create users and groups
|
||||
by calling into the shadow-utils binaries directly which was later
|
||||
removed.
|
||||
|
||||
Since nobody is (hopefully) running these ancient versions anymore and
|
||||
we are about to re-enable the files provider, we can remove this check.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 7 -------
|
||||
1 file changed, 7 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index 69200f5cd4dded1c25dc34e06595809c65670205..b0a75867c61fa3af21990d92419f17baa34864ae 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -900,13 +900,6 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (strcasecmp(domain->provider, "files") == 0) {
|
||||
- /* The files provider is not valid anymore */
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE, "The \"files\" provider is invalid\n");
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
if (strcasecmp(domain->provider, "local") == 0) {
|
||||
/* If this is the local provider, we need to ensure that
|
||||
* no other provider was specified for other types, since
|
||||
--
|
||||
2.9.3
|
||||
|
1329
0052-FILES-Add-the-files-provider.patch
Normal file
1329
0052-FILES-Add-the-files-provider.patch
Normal file
File diff suppressed because it is too large
Load Diff
48
0053-CONFDB-The-files-provider-always-enumerates.patch
Normal file
48
0053-CONFDB-The-files-provider-always-enumerates.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From a60e6ec802cd2858dc85eabd442cff16fb23618f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 17 Nov 2016 15:42:03 +0100
|
||||
Subject: [PATCH 53/79] CONFDB: The files provider always enumerates
|
||||
|
||||
Since the files provider always mirrors the whole passwd and group
|
||||
contents, the files domain should always permit its contents to be
|
||||
enumerated.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index b0a75867c61fa3af21990d92419f17baa34864ae..e52b96c8a854c0706515395dd86a61211d6ac2a6 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -828,6 +828,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
char *default_domain;
|
||||
bool fqnames_default = false;
|
||||
int memcache_timeout;
|
||||
+ bool enum_default;
|
||||
|
||||
tmp_ctx = talloc_new(mem_ctx);
|
||||
if (!tmp_ctx) return ENOMEM;
|
||||
@@ -954,14 +955,17 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
"Interpreting as true\n", domain->name);
|
||||
domain->enumerate = true;
|
||||
} else { /* assume the new format */
|
||||
+ enum_default = strcasecmp(domain->provider, "files") == 0 ? true : false;
|
||||
+
|
||||
ret = get_entry_as_bool(res->msgs[0], &domain->enumerate,
|
||||
- CONFDB_DOMAIN_ENUMERATE, 0);
|
||||
+ CONFDB_DOMAIN_ENUMERATE, enum_default);
|
||||
if(ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Invalid value for %s\n", CONFDB_DOMAIN_ENUMERATE);
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
+
|
||||
if (!domain->enumerate) {
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]!\n", domain->name);
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
147
0054-CONFDB-Make-pwfield-configurable-per-domain.patch
Normal file
147
0054-CONFDB-Make-pwfield-configurable-per-domain.patch
Normal file
@ -0,0 +1,147 @@
|
||||
From c778c36c5170c2b9f1cf7a6e3b0811124534df03 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 12:10:46 +0100
|
||||
Subject: [PATCH 54/79] CONFDB: Make pwfield configurable per-domain
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Previously, the pwfield option was only configurable at the NSS level.
|
||||
Because it's important for the files provider to report "x" as the
|
||||
pwfield instead of "*" which is the SSSD default, this commit makes the
|
||||
pwfield configurable at the domain level.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 10 ++++++++++
|
||||
src/confdb/confdb.h | 1 +
|
||||
src/responder/nss/nss_private.h | 4 ++++
|
||||
src/responder/nss/nss_protocol_grent.c | 6 +++---
|
||||
src/responder/nss/nss_protocol_pwent.c | 6 +++---
|
||||
src/responder/nss/nss_utils.c | 12 ++++++++++++
|
||||
6 files changed, 33 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index e52b96c8a854c0706515395dd86a61211d6ac2a6..5112c6d568cbe2d7374b19d4a0850172d6f3f400 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -1325,6 +1325,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
}
|
||||
|
||||
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
|
||||
+ CONFDB_NSS_PWFIELD, NULL);
|
||||
+ if (tmp != NULL) {
|
||||
+ domain->pwfield = talloc_strdup(domain, tmp);
|
||||
+ if (!domain->pwfield) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
|
||||
CONFDB_SUBDOMAIN_ENUMERATE,
|
||||
CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE);
|
||||
if (tmp != NULL) {
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 7c944698157619652441fb0722a4363053d6a8f3..353dfd0a9afbcaba49fcfdc7930026bb2eebfc9e 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -270,6 +270,7 @@ struct sss_domain_info {
|
||||
bool ignore_group_members;
|
||||
uint32_t id_min;
|
||||
uint32_t id_max;
|
||||
+ const char *pwfield;
|
||||
|
||||
bool cache_credentials;
|
||||
uint32_t cache_credentials_min_ff_length;
|
||||
diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
|
||||
index e63fbabc8cdfd97742fb517aa60292d4fad4a0ed..acb3c4aa504e538ca56dca8d43ee04b0f60954a9 100644
|
||||
--- a/src/responder/nss/nss_private.h
|
||||
+++ b/src/responder/nss/nss_private.h
|
||||
@@ -151,4 +151,8 @@ int sized_member_name(TALLOC_CTX *mem_ctx,
|
||||
const char *member_name,
|
||||
struct sized_string **_name);
|
||||
|
||||
+const char *
|
||||
+nss_get_pwfield(struct nss_ctx *nctx,
|
||||
+ struct sss_domain_info *dom);
|
||||
+
|
||||
#endif /* _NSS_PRIVATE_H_ */
|
||||
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
|
||||
index 7409e0458c0e7c886ac6d523d10d5c90a2038ea9..283ab9f6731bc4c8261ca79075ab030005bf70db 100644
|
||||
--- a/src/responder/nss/nss_protocol_grent.c
|
||||
+++ b/src/responder/nss/nss_protocol_grent.c
|
||||
@@ -219,9 +219,6 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- /* Password field content. */
|
||||
- to_sized_string(&pwfield, nss_ctx->pwfield);
|
||||
-
|
||||
/* First two fields (length and reserved), filled up later. */
|
||||
ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
|
||||
if (ret != EOK) {
|
||||
@@ -235,6 +232,9 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
|
||||
talloc_free_children(tmp_ctx);
|
||||
msg = result->msgs[i];
|
||||
|
||||
+ /* Password field content. */
|
||||
+ to_sized_string(&pwfield, nss_get_pwfield(nss_ctx, result->domain));
|
||||
+
|
||||
ret = nss_get_grent(tmp_ctx, nss_ctx, result->domain, msg,
|
||||
&gid, &name);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
|
||||
index 783b06a32f0ff898021ea763d3d3fa0fabf43b25..edda9d3c87389898435a34fe7927868bc1cd9ac5 100644
|
||||
--- a/src/responder/nss/nss_protocol_pwent.c
|
||||
+++ b/src/responder/nss/nss_protocol_pwent.c
|
||||
@@ -287,9 +287,6 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- /* Password field content. */
|
||||
- to_sized_string(&pwfield, nss_ctx->pwfield);
|
||||
-
|
||||
/* First two fields (length and reserved), filled up later. */
|
||||
ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
|
||||
if (ret != EOK) {
|
||||
@@ -303,6 +300,9 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
|
||||
talloc_free_children(tmp_ctx);
|
||||
msg = result->msgs[i];
|
||||
|
||||
+ /* Password field content. */
|
||||
+ to_sized_string(&pwfield, nss_get_pwfield(nss_ctx, result->domain));
|
||||
+
|
||||
ret = nss_get_pwent(tmp_ctx, nss_ctx, result->domain, msg, &uid, &gid,
|
||||
&name, &gecos, &homedir, &shell);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/responder/nss/nss_utils.c b/src/responder/nss/nss_utils.c
|
||||
index 41081c914e3f4dad31a7b8bf7614a5fd2eb61d7a..f839930a275db56e8d729888af870562d7b6f260 100644
|
||||
--- a/src/responder/nss/nss_utils.c
|
||||
+++ b/src/responder/nss/nss_utils.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include "util/util.h"
|
||||
#include "confdb/confdb.h"
|
||||
#include "responder/common/responder.h"
|
||||
+#include "responder/nss/nss_private.h"
|
||||
|
||||
const char *
|
||||
nss_get_name_from_msg(struct sss_domain_info *domain,
|
||||
@@ -138,3 +139,14 @@ done:
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+const char *
|
||||
+nss_get_pwfield(struct nss_ctx *nctx,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ if (dom->pwfield != NULL) {
|
||||
+ return dom->pwfield;
|
||||
+ }
|
||||
+
|
||||
+ return nctx->pwfield;
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
38
0055-CONFDB-The-files-domain-defaults-to-x-as-pwfield.patch
Normal file
38
0055-CONFDB-The-files-domain-defaults-to-x-as-pwfield.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From ece2ac6889da2b58f5d4027ec0a1d97992056f66 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 12:11:39 +0100
|
||||
Subject: [PATCH 55/79] CONFDB: The files domain defaults to "x" as pwfield
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In order to make it possible for files provider users to authenticate
|
||||
with pam_unix, default to "x" as the pwfield of users from the files
|
||||
domain.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index 5112c6d568cbe2d7374b19d4a0850172d6f3f400..c7afd683d7f21b513bb491adbf7f7bbe79786212 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -966,6 +966,13 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (strcasecmp(domain->provider, "files") == 0) {
|
||||
+ /* The password field must be reported as 'x', else pam_unix won't
|
||||
+ * authenticate this entry. See man pwconv(8) for more details.
|
||||
+ */
|
||||
+ domain->pwfield = "x";
|
||||
+ }
|
||||
+
|
||||
if (!domain->enumerate) {
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]!\n", domain->name);
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
47
0056-MAN-Document-the-pwfield-configuration-option.patch
Normal file
47
0056-MAN-Document-the-pwfield-configuration-option.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 26577ac05dc33c201c15164bcf19f45393beeca5 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 13:12:11 +0100
|
||||
Subject: [PATCH 56/79] MAN: Document the pwfield configuration option
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The pwfield was not documented at all previously. In addition, document
|
||||
the different defaults for remote provider and the file provider.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/man/sssd.conf.5.xml | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index cb608cb0ac06185118e3c9f01d785b83236f8abb..782aef7bf62d9bcef3c3dab534a25e01d85c1764 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -936,6 +936,23 @@ fallback_homedir = /home/%u
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>pwfield (string)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ The value that NSS operations that return
|
||||
+ users or groups will return for the
|
||||
+ <quote>password</quote> field.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ This option can also be set per-domain.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: <quote>*</quote> (remote domains)
|
||||
+ or <quote>x</quote> (the files domain)
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</refsect2>
|
||||
<refsect2 id='PAM'>
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,95 @@
|
||||
From 4e17c050dac8f2c6e2d278c4c4a27001c8d7d164 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 17 Nov 2016 15:43:54 +0100
|
||||
Subject: [PATCH 57/79] TESTS: move helper fixtures to back up and restore a
|
||||
file to a utility module
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The fixtures will be useful for tests that set up and restore a user and
|
||||
group database. While it would be possible to import them already, the
|
||||
functions were previously used in a test and importing from a test seems
|
||||
a bit like a hack.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/tests/intg/Makefile.am | 1 +
|
||||
src/tests/intg/ent_test.py | 14 --------------
|
||||
src/tests/intg/util.py | 14 ++++++++++++++
|
||||
3 files changed, 15 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index e81e5ee950d1a1e50ff478a34ae29853a9783c8b..90e0f308043aa89da5afc0fd353f7d373ac6425f 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -1,5 +1,6 @@
|
||||
dist_noinst_DATA = \
|
||||
config.py.m4 \
|
||||
+ util.py \
|
||||
sssd_id.py \
|
||||
sssd_ldb.py \
|
||||
sssd_netgroup.py \
|
||||
diff --git a/src/tests/intg/ent_test.py b/src/tests/intg/ent_test.py
|
||||
index 598930324a41ad9ff473e94e7f2deb302e1bc942..6b240ae9682331be7f4485a1ac81fad4cebde5e6 100644
|
||||
--- a/src/tests/intg/ent_test.py
|
||||
+++ b/src/tests/intg/ent_test.py
|
||||
@@ -19,25 +19,11 @@
|
||||
import re
|
||||
import os
|
||||
import io
|
||||
-import shutil
|
||||
import pytest
|
||||
import ent
|
||||
from util import *
|
||||
|
||||
|
||||
-def backup_envvar_file(name):
|
||||
- path = os.environ[name]
|
||||
- backup_path = path + ".bak"
|
||||
- shutil.copyfile(path, backup_path)
|
||||
- return path
|
||||
-
|
||||
-
|
||||
-def restore_envvar_file(name):
|
||||
- path = os.environ[name]
|
||||
- backup_path = path + ".bak"
|
||||
- os.rename(backup_path, path)
|
||||
-
|
||||
-
|
||||
@pytest.fixture(scope="module")
|
||||
def passwd_path(request):
|
||||
name = "NSS_WRAPPER_PASSWD"
|
||||
diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py
|
||||
index 66ec0baa1aea4f8f9a3210d33640f087c80c6862..2b40311bd1560e05f3aafb34136a1b0efc8a1b49 100644
|
||||
--- a/src/tests/intg/util.py
|
||||
+++ b/src/tests/intg/util.py
|
||||
@@ -21,6 +21,7 @@ import re
|
||||
import os
|
||||
import subprocess
|
||||
import config
|
||||
+import shutil
|
||||
|
||||
UNINDENT_RE = re.compile("^ +", re.MULTILINE)
|
||||
|
||||
@@ -64,3 +65,16 @@ def first_dir(*args):
|
||||
for arg in args:
|
||||
if os.path.isdir(arg):
|
||||
return arg
|
||||
+
|
||||
+
|
||||
+def backup_envvar_file(name):
|
||||
+ path = os.environ[name]
|
||||
+ backup_path = path + ".bak"
|
||||
+ shutil.copyfile(path, backup_path)
|
||||
+ return path
|
||||
+
|
||||
+
|
||||
+def restore_envvar_file(name):
|
||||
+ path = os.environ[name]
|
||||
+ backup_path = path + ".bak"
|
||||
+ os.rename(backup_path, path)
|
||||
--
|
||||
2.9.3
|
||||
|
186
0058-TESTS-add-a-helper-module-with-shared-NSS-constants.patch
Normal file
186
0058-TESTS-add-a-helper-module-with-shared-NSS-constants.patch
Normal file
@ -0,0 +1,186 @@
|
||||
From 1921d739ff7b028baa591272cc8969e330c8f872 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 17 Nov 2016 15:46:00 +0100
|
||||
Subject: [PATCH 58/79] TESTS: add a helper module with shared NSS constants
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Every module that reads the sssd_nss module directly copied around the
|
||||
same definition of NSS constants. This commit moves them into a single
|
||||
file to avoid code duplication.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/tests/intg/Makefile.am | 1 +
|
||||
src/tests/intg/sssd_id.py | 14 ++-----------
|
||||
src/tests/intg/sssd_netgroup.py | 25 ++++------------------
|
||||
src/tests/intg/sssd_nss.py | 46 +++++++++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 53 insertions(+), 33 deletions(-)
|
||||
create mode 100644 src/tests/intg/sssd_nss.py
|
||||
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index 90e0f308043aa89da5afc0fd353f7d373ac6425f..4d364f84a39cd75507c29e8f70d8d8a4881a8063 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -1,6 +1,7 @@
|
||||
dist_noinst_DATA = \
|
||||
config.py.m4 \
|
||||
util.py \
|
||||
+ sssd_nss.py \
|
||||
sssd_id.py \
|
||||
sssd_ldb.py \
|
||||
sssd_netgroup.py \
|
||||
diff --git a/src/tests/intg/sssd_id.py b/src/tests/intg/sssd_id.py
|
||||
index 4f020c3a229c1288935ce120cf1118735e2ae0eb..f4ab9cfb8c0cd3fcf3a0195fd62696ae7d892d61 100644
|
||||
--- a/src/tests/intg/sssd_id.py
|
||||
+++ b/src/tests/intg/sssd_id.py
|
||||
@@ -21,15 +21,7 @@ import pwd
|
||||
import grp
|
||||
from ctypes import (cdll, c_int, c_char, c_uint32, c_long, c_char_p,
|
||||
POINTER, pointer)
|
||||
-
|
||||
-
|
||||
-class NssReturnCode(object):
|
||||
- """ 'enum' class for name service switch return code """
|
||||
- TRYAGAIN = -2,
|
||||
- UNAVAIL = -1
|
||||
- NOTFOUND = 0
|
||||
- SUCCESS = 1
|
||||
- RETURN = 2
|
||||
+from sssd_nss import NssReturnCode, nss_sss_ctypes_loader
|
||||
|
||||
|
||||
def call_sssd_initgroups(user, gid):
|
||||
@@ -45,10 +37,8 @@ def call_sssd_initgroups(user, gid):
|
||||
gids should contain user group IDs if err is NssReturnCode.SUCCESS
|
||||
otherwise errno will contain non-zero value.
|
||||
"""
|
||||
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
||||
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
|
||||
+ func = nss_sss_ctypes_loader('_nss_sss_initgroups_dyn')
|
||||
|
||||
- func = libnss_sss._nss_sss_initgroups_dyn
|
||||
func.restype = c_int
|
||||
func.argtypes = [POINTER(c_char), c_uint32, POINTER(c_long),
|
||||
POINTER(c_long), POINTER(POINTER(c_uint32)), c_long,
|
||||
diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
|
||||
index 0ea3db3cf69be04a1eda6afb455e4d0a3b301f1b..162c5aac86beb2b3625ccb695da7033e6483341e 100644
|
||||
--- a/src/tests/intg/sssd_netgroup.py
|
||||
+++ b/src/tests/intg/sssd_netgroup.py
|
||||
@@ -19,6 +19,7 @@
|
||||
from ctypes import (cdll, c_int, c_char, c_char_p, c_size_t, c_void_p, c_ulong,
|
||||
POINTER, Structure, Union, create_string_buffer, get_errno)
|
||||
import config
|
||||
+from sssd_nss import NssReturnCode, nss_sss_ctypes_loader
|
||||
|
||||
|
||||
class NetgroupType(object):
|
||||
@@ -50,15 +51,6 @@ NameList._fields_ = [("next", POINTER(NameList)),
|
||||
("name", POINTER(c_char))]
|
||||
|
||||
|
||||
-class NssReturnCode(object):
|
||||
- """ 'enum' class for name service switch return code """
|
||||
- TRYAGAIN = -2,
|
||||
- UNAVAIL = -1
|
||||
- NOTFOUND = 0
|
||||
- SUCCESS = 1
|
||||
- RETURN = 2
|
||||
-
|
||||
-
|
||||
class Netgrent(Structure):
|
||||
_fields_ = [("type", c_int),
|
||||
("val", Val),
|
||||
@@ -92,10 +84,7 @@ class NetgroupRetriever(object):
|
||||
result_p will contain POINTER(Netgrent) which can be used in
|
||||
_getnetgrent_r or _getnetgrent_r.
|
||||
"""
|
||||
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
||||
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
|
||||
-
|
||||
- func = libnss_sss._nss_sss_setnetgrent
|
||||
+ func = nss_sss_ctypes_loader('_nss_sss_setnetgrent')
|
||||
func.restype = c_int
|
||||
func.argtypes = [c_char_p, POINTER(Netgrent)]
|
||||
|
||||
@@ -123,10 +112,7 @@ class NetgroupRetriever(object):
|
||||
if err is NssReturnCode.SUCCESS netgroups will contain list of
|
||||
touples. Each touple will consist of 3 elemets either string or
|
||||
"""
|
||||
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
||||
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
|
||||
-
|
||||
- func = libnss_sss._nss_sss_getnetgrent_r
|
||||
+ func = nss_sss_ctypes_loader('_nss_sss_getnetgrent_r')
|
||||
func.restype = c_int
|
||||
func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t,
|
||||
POINTER(c_int)]
|
||||
@@ -148,10 +134,7 @@ class NetgroupRetriever(object):
|
||||
|
||||
@return int a constant from class NssReturnCode
|
||||
"""
|
||||
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
||||
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
|
||||
-
|
||||
- func = libnss_sss._nss_sss_endnetgrent
|
||||
+ func = nss_sss_ctypes_loader('_nss_sss_endnetgrent')
|
||||
func.restype = c_int
|
||||
func.argtypes = [POINTER(Netgrent)]
|
||||
|
||||
diff --git a/src/tests/intg/sssd_nss.py b/src/tests/intg/sssd_nss.py
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..1e846310bca4dc314c47882cc5e7877002c3d78f
|
||||
--- /dev/null
|
||||
+++ b/src/tests/intg/sssd_nss.py
|
||||
@@ -0,0 +1,46 @@
|
||||
+#
|
||||
+# Shared module for integration tests that need to access the sssd_nss
|
||||
+# module directly
|
||||
+#
|
||||
+# Copyright (c) 2016 Red Hat, Inc.
|
||||
+#
|
||||
+# This is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation; version 2 only
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful, but
|
||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+#
|
||||
+import config
|
||||
+import ctypes
|
||||
+
|
||||
+
|
||||
+class NssReturnCode(object):
|
||||
+ """ 'enum' class for name service switch return code """
|
||||
+ TRYAGAIN = -2,
|
||||
+ UNAVAIL = -1
|
||||
+ NOTFOUND = 0
|
||||
+ SUCCESS = 1
|
||||
+ RETURN = 2
|
||||
+
|
||||
+
|
||||
+class SssdNssError(Exception):
|
||||
+ """ Raised when one of the NSS operations fail """
|
||||
+ def __init__(self, errno, nssop):
|
||||
+ self.errno = errno
|
||||
+ self.nssop = nssop
|
||||
+
|
||||
+ def __str__(self):
|
||||
+ return "NSS operation %s failed %d" % (nssop, errno)
|
||||
+
|
||||
+
|
||||
+def nss_sss_ctypes_loader(func_name):
|
||||
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
||||
+ libnss_sss = ctypes.cdll.LoadLibrary(libnss_sss_path)
|
||||
+ func = getattr(libnss_sss, func_name)
|
||||
+ return func
|
||||
--
|
||||
2.9.3
|
||||
|
207
0059-TESTS-Add-a-module-to-call-nss_sss-s-getpw-from-test.patch
Normal file
207
0059-TESTS-Add-a-module-to-call-nss_sss-s-getpw-from-test.patch
Normal file
@ -0,0 +1,207 @@
|
||||
From 8578fba1500d43ad9632784462c255bf8bb360fe Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 25 Oct 2016 16:26:24 +0200
|
||||
Subject: [PATCH 59/79] TESTS: Add a module to call nss_sss's getpw* from tests
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Implements a python module that allows to load the nss_sss module and
|
||||
simulate calling getpw* functions from tests.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/tests/intg/Makefile.am | 1 +
|
||||
src/tests/intg/sssd_passwd.py | 167 ++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 168 insertions(+)
|
||||
create mode 100644 src/tests/intg/sssd_passwd.py
|
||||
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index 4d364f84a39cd75507c29e8f70d8d8a4881a8063..6cd23967fd02261d516a749da0ef3d66432d0701 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -5,6 +5,7 @@ dist_noinst_DATA = \
|
||||
sssd_id.py \
|
||||
sssd_ldb.py \
|
||||
sssd_netgroup.py \
|
||||
+ sssd_passwd.py \
|
||||
ds.py \
|
||||
ds_openldap.py \
|
||||
ent.py \
|
||||
diff --git a/src/tests/intg/sssd_passwd.py b/src/tests/intg/sssd_passwd.py
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..8b741ea8c27efe2081ee200e6af02c322c5d53bc
|
||||
--- /dev/null
|
||||
+++ b/src/tests/intg/sssd_passwd.py
|
||||
@@ -0,0 +1,167 @@
|
||||
+#
|
||||
+# Module for simulation of utility "getent passwd -s sss" from coreutils
|
||||
+#
|
||||
+# Copyright (c) 2016 Red Hat, Inc.
|
||||
+#
|
||||
+# This is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation; version 2 only
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful, but
|
||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+#
|
||||
+
|
||||
+from ctypes import (c_int, c_char_p, c_ulong, POINTER,
|
||||
+ Structure, create_string_buffer, get_errno)
|
||||
+from sssd_nss import NssReturnCode, SssdNssError, nss_sss_ctypes_loader
|
||||
+
|
||||
+PASSWD_BUFLEN = 1024
|
||||
+
|
||||
+
|
||||
+class Passwd(Structure):
|
||||
+ _fields_ = [("pw_name", c_char_p),
|
||||
+ ("pw_passwd", c_char_p),
|
||||
+ ("pw_uid", c_int),
|
||||
+ ("pw_gid", c_int),
|
||||
+ ("pw_gecos", c_char_p),
|
||||
+ ("pw_dir", c_char_p),
|
||||
+ ("pw_shell", c_char_p)]
|
||||
+
|
||||
+
|
||||
+def set_user_dict(res, result_p):
|
||||
+ if res != NssReturnCode.SUCCESS:
|
||||
+ return dict()
|
||||
+
|
||||
+ user_dict = dict()
|
||||
+ user_dict['name'] = result_p[0].pw_name
|
||||
+ user_dict['passwd'] = result_p[0].pw_passwd
|
||||
+ user_dict['uid'] = result_p[0].pw_uid
|
||||
+ user_dict['gid'] = result_p[0].pw_gid
|
||||
+ user_dict['gecos'] = result_p[0].pw_gecos
|
||||
+ user_dict['dir'] = result_p[0].pw_dir
|
||||
+ user_dict['shell'] = result_p[0].pw_shell
|
||||
+ return user_dict
|
||||
+
|
||||
+
|
||||
+def getpwnam_r(name, result_p, buffer_p, buflen):
|
||||
+ """
|
||||
+ ctypes wrapper for:
|
||||
+ enum nss_status _nss_sss_getpwnam_r(const char *name,
|
||||
+ struct passwd *result,
|
||||
+ char *buffer,
|
||||
+ size_t buflen,
|
||||
+ int *errnop)
|
||||
+ """
|
||||
+ func = nss_sss_ctypes_loader("_nss_sss_getpwnam_r")
|
||||
+ func.restype = c_int
|
||||
+ func.argtypes = [c_char_p, POINTER(Passwd),
|
||||
+ c_char_p, c_ulong, POINTER(c_int)]
|
||||
+
|
||||
+ errno = POINTER(c_int)(c_int(0))
|
||||
+
|
||||
+ res = func(c_char_p(name), result_p, buffer_p, buflen, errno)
|
||||
+
|
||||
+ return (int(res), int(errno[0]), result_p)
|
||||
+
|
||||
+
|
||||
+def setpwent():
|
||||
+ """
|
||||
+ ctypes wrapper for:
|
||||
+ void setpwent(void)
|
||||
+ """
|
||||
+ func = nss_sss_ctypes_loader("_nss_sss_setpwent")
|
||||
+ func.argtypes = []
|
||||
+
|
||||
+ res = func()
|
||||
+ assert res == NssReturnCode.SUCCESS
|
||||
+
|
||||
+ errno = get_errno()
|
||||
+ if errno != 0:
|
||||
+ raise SssdNssError(errno, "setpwent")
|
||||
+
|
||||
+
|
||||
+def endpwent():
|
||||
+ """
|
||||
+ ctypes wrapper for:
|
||||
+ void endpwent(void)
|
||||
+ """
|
||||
+ func = nss_sss_ctypes_loader("_nss_sss_endpwent")
|
||||
+ func.argtypes = []
|
||||
+
|
||||
+ res = func()
|
||||
+ assert res == NssReturnCode.SUCCESS
|
||||
+
|
||||
+ errno = get_errno()
|
||||
+ if errno != 0:
|
||||
+ raise SssdNssError(errno, "endpwent")
|
||||
+
|
||||
+
|
||||
+def getpwent_r(result_p, buffer_p, buflen):
|
||||
+ """
|
||||
+ ctypes wrapper for:
|
||||
+ enum nss_status _nss_sss_getpwent_r(struct passwd *result,
|
||||
+ char *buffer, size_t buflen,
|
||||
+ int *errnop)
|
||||
+ """
|
||||
+ func = nss_sss_ctypes_loader("_nss_sss_getpwent_r")
|
||||
+ func.restype = c_int
|
||||
+ func.argtypes = [POINTER(Passwd), c_char_p, c_ulong, POINTER(c_int)]
|
||||
+
|
||||
+ errno = POINTER(c_int)(c_int(0))
|
||||
+
|
||||
+ res = func(result_p, buffer_p, buflen, errno)
|
||||
+ return (int(res), int(errno[0]), result_p)
|
||||
+
|
||||
+
|
||||
+def getpwent():
|
||||
+ result = Passwd()
|
||||
+ result_p = POINTER(Passwd)(result)
|
||||
+ buff = create_string_buffer(PASSWD_BUFLEN)
|
||||
+
|
||||
+ res, errno, result_p = getpwent_r(result_p, buff, PASSWD_BUFLEN)
|
||||
+ if errno != 0:
|
||||
+ raise SssdNssError(errno, "getpwent_r")
|
||||
+
|
||||
+ user_dict = set_user_dict(res, result_p)
|
||||
+ return res, user_dict
|
||||
+
|
||||
+
|
||||
+def call_sssd_getpwnam(name):
|
||||
+ """
|
||||
+ A Python wrapper to retrieve a user. Returns:
|
||||
+ (res, user_dict)
|
||||
+ if res is NssReturnCode.SUCCESS, then user_dict contains the keys
|
||||
+ corresponding to the C passwd structure fields. Otherwise, the dictionary
|
||||
+ is empty and errno indicates the error code
|
||||
+ """
|
||||
+ result = Passwd()
|
||||
+ result_p = POINTER(Passwd)(result)
|
||||
+ buff = create_string_buffer(PASSWD_BUFLEN)
|
||||
+
|
||||
+ res, errno, result_p = getpwnam_r(name, result_p, buff, PASSWD_BUFLEN)
|
||||
+ if errno != 0:
|
||||
+ raise SssdNssError(errno, "getpwnam_r")
|
||||
+
|
||||
+ user_dict = set_user_dict(res, result_p)
|
||||
+ return res, user_dict
|
||||
+
|
||||
+
|
||||
+def call_sssd_enumeration():
|
||||
+ """
|
||||
+ enumerate users from sssd module only
|
||||
+ """
|
||||
+ setpwent()
|
||||
+ user_list = []
|
||||
+
|
||||
+ res, user = getpwent()
|
||||
+ while res == NssReturnCode.SUCCESS:
|
||||
+ user_list.append(user)
|
||||
+ res, user = getpwent()
|
||||
+
|
||||
+ endpwent()
|
||||
+ return user_list
|
||||
--
|
||||
2.9.3
|
||||
|
128
0060-TESTS-Add-a-module-to-call-nss_sss-s-getgr-from-test.patch
Normal file
128
0060-TESTS-Add-a-module-to-call-nss_sss-s-getgr-from-test.patch
Normal file
@ -0,0 +1,128 @@
|
||||
From 3728db53ac32da51fcaae96b132e8e56ebbaebfa Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 16 Nov 2016 17:02:43 +0100
|
||||
Subject: [PATCH 60/79] TESTS: Add a module to call nss_sss's getgr* from tests
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Implements a python module that allows to load the nss_sss module and
|
||||
call functions that act like getgr*
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/tests/intg/Makefile.am | 1 +
|
||||
src/tests/intg/sssd_group.py | 88 ++++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 89 insertions(+)
|
||||
create mode 100644 src/tests/intg/sssd_group.py
|
||||
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index 6cd23967fd02261d516a749da0ef3d66432d0701..03245b35d37e81f44fcc708de16541bd52ceb854 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -6,6 +6,7 @@ dist_noinst_DATA = \
|
||||
sssd_ldb.py \
|
||||
sssd_netgroup.py \
|
||||
sssd_passwd.py \
|
||||
+ sssd_group.py \
|
||||
ds.py \
|
||||
ds_openldap.py \
|
||||
ent.py \
|
||||
diff --git a/src/tests/intg/sssd_group.py b/src/tests/intg/sssd_group.py
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..a9cfb32d59a5406fb1ad738d64c7487404f39a2d
|
||||
--- /dev/null
|
||||
+++ b/src/tests/intg/sssd_group.py
|
||||
@@ -0,0 +1,88 @@
|
||||
+#
|
||||
+# Module for simulation of utility "getent group -s sss" from coreutils
|
||||
+#
|
||||
+# Copyright (c) 2016 Red Hat, Inc.
|
||||
+#
|
||||
+# This is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation; version 2 only
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful, but
|
||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+#
|
||||
+
|
||||
+from ctypes import (c_int, c_char_p, c_ulong, POINTER, Structure,
|
||||
+ create_string_buffer)
|
||||
+from sssd_nss import NssReturnCode, SssdNssError, nss_sss_ctypes_loader
|
||||
+
|
||||
+GROUP_BUFLEN = 1024
|
||||
+
|
||||
+
|
||||
+class Group(Structure):
|
||||
+ _fields_ = [("gr_name", c_char_p),
|
||||
+ ("gr_passwd", c_char_p),
|
||||
+ ("gr_gid", c_int),
|
||||
+ ("gr_mem", POINTER(c_char_p))]
|
||||
+
|
||||
+
|
||||
+def getgrnam_r(name, result_p, buffer_p, buflen):
|
||||
+ """
|
||||
+ ctypes wrapper for:
|
||||
+ enum nss_status _nss_sss_getgrnam_r(const char *name,
|
||||
+ struct group *result,
|
||||
+ char *buffer,
|
||||
+ size_t buflen,
|
||||
+ int *errnop)
|
||||
+ """
|
||||
+ func = nss_sss_ctypes_loader("_nss_sss_getgrnam_r")
|
||||
+ func.restype = c_int
|
||||
+ func.argtypes = [c_char_p, POINTER(Group),
|
||||
+ c_char_p, c_ulong, POINTER(c_int)]
|
||||
+
|
||||
+ errno = POINTER(c_int)(c_int(0))
|
||||
+
|
||||
+ res = func(c_char_p(name), result_p, buffer_p, buflen, errno)
|
||||
+
|
||||
+ return (int(res), int(errno[0]), result_p)
|
||||
+
|
||||
+
|
||||
+def set_group_dict(res, result_p):
|
||||
+ if res != NssReturnCode.SUCCESS:
|
||||
+ return dict()
|
||||
+
|
||||
+ group_dict = dict()
|
||||
+ group_dict['name'] = result_p[0].gr_name
|
||||
+ group_dict['gid'] = result_p[0].gr_gid
|
||||
+ group_dict['mem'] = list()
|
||||
+
|
||||
+ i = 0
|
||||
+ while result_p[0].gr_mem[i] != None:
|
||||
+ group_dict['mem'].append(result_p[0].gr_mem[i])
|
||||
+ i = i+1
|
||||
+
|
||||
+ return group_dict
|
||||
+
|
||||
+
|
||||
+def call_sssd_getgrnam(name):
|
||||
+ """
|
||||
+ A Python wrapper to retrieve a group. Returns:
|
||||
+ (res, group_dict)
|
||||
+ if res is NssReturnCode.SUCCESS, then group_dict contains the keys
|
||||
+ corresponding to the C passwd structure fields. Otherwise, the dictionary
|
||||
+ is empty and errno indicates the error code
|
||||
+ """
|
||||
+ result = Group()
|
||||
+ result_p = POINTER(Group)(result)
|
||||
+ buff = create_string_buffer(GROUP_BUFLEN)
|
||||
+
|
||||
+ res, errno, result_p = getgrnam_r(name, result_p, buff, GROUP_BUFLEN)
|
||||
+ if errno != 0:
|
||||
+ raise SssdNssError(errno, "getgrnam_r")
|
||||
+
|
||||
+ group_dict = set_group_dict(res, result_p)
|
||||
+ return res, group_dict
|
||||
--
|
||||
2.9.3
|
||||
|
1002
0061-TESTS-Add-files-provider-integration-tests.patch
Normal file
1002
0061-TESTS-Add-files-provider-integration-tests.patch
Normal file
File diff suppressed because it is too large
Load Diff
44
0062-MONITOR-Remove-checks-for-sssd.conf-changes.patch
Normal file
44
0062-MONITOR-Remove-checks-for-sssd.conf-changes.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From f9f1310ba1b87223f8d4d935b30b8238e5c00022 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 17:47:51 +0100
|
||||
Subject: [PATCH 62/79] MONITOR: Remove checks for sssd.conf changes
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This feature was if-ed out for many years and since it's quite unlikely
|
||||
we will re-enable the feature in the foreseeable future, let's just
|
||||
remove this code.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/monitor/monitor.c | 13 -------------
|
||||
1 file changed, 13 deletions(-)
|
||||
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index 1fa3d4baf579f15b9f93355a4b0c8b9d706bbacf..71719917b1b01acfb0eba527c414fe72d1961080 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -2296,19 +2296,6 @@ static int monitor_process_init(struct mt_ctx *ctx,
|
||||
ret = sss_sigchld_init(ctx, ctx->ev, &ctx->sigchld_ctx);
|
||||
if (ret != EOK) return ret;
|
||||
|
||||
-#if 0
|
||||
- This feature is incomplete and can leave the SSSD in a bad state if the
|
||||
- config file is changed while the SSSD is running.
|
||||
-
|
||||
- Uncomment this once the backends are honoring reloadConfig()
|
||||
-
|
||||
- /* Watch for changes to the confdb config file */
|
||||
- ret = monitor_config_file(ctx, ctx, config_file, monitor_signal_reconf,
|
||||
- true);
|
||||
- if (ret != EOK) {
|
||||
- return ret;
|
||||
- }
|
||||
-#endif
|
||||
/* Watch for changes to the DNS resolv.conf */
|
||||
ret = monitor_config_file(ctx, ctx, RESOLV_CONF_PATH,
|
||||
monitor_update_resolv, false);
|
||||
--
|
||||
2.9.3
|
||||
|
700
0063-MONITOR-Use-the-common-inotify-code-to-watch-resolv..patch
Normal file
700
0063-MONITOR-Use-the-common-inotify-code-to-watch-resolv..patch
Normal file
@ -0,0 +1,700 @@
|
||||
From ee6c7e8b589497119ec1ee40e99611f362111600 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 18:02:35 +0100
|
||||
Subject: [PATCH 63/79] MONITOR: Use the common inotify code to watch
|
||||
resolv.conf
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The monitor code used its own inotify callbacks to watch for changes to
|
||||
resolv.conf. Instead of keeping this duplicated code around, let's use
|
||||
the shared inotify module that also powers the files provider.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
src/monitor/monitor.c | 481 ++++++++++++--------------------------------------
|
||||
src/monitor/monitor.h | 3 -
|
||||
3 files changed, 114 insertions(+), 371 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index e6d3530d003fff9e92ff6520043f6906d4200bd7..e676e18415c9d20ffd5ba2ce825dddd62d50c909 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1279,6 +1279,7 @@ sssd_SOURCES = \
|
||||
src/confdb/confdb_setup.c \
|
||||
src/monitor/monitor_iface_generated.c \
|
||||
src/util/nscd.c \
|
||||
+ src/util/inotify.c \
|
||||
$(NULL)
|
||||
sssd_LDADD = \
|
||||
$(SSSD_LIBS) \
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index 71719917b1b01acfb0eba527c414fe72d1961080..bc7402103d8024391d2ee27f48b28247ff9cd49c 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -50,6 +50,7 @@
|
||||
#include "sbus/sssd_dbus.h"
|
||||
#include "monitor/monitor_interfaces.h"
|
||||
#include "responder/common/responder_sbus.h"
|
||||
+#include "util/inotify.h"
|
||||
|
||||
#ifdef USE_KEYRING
|
||||
#include <keyutils.h>
|
||||
@@ -125,9 +126,11 @@ struct mt_svc {
|
||||
struct sss_child_ctx *child_ctx;
|
||||
};
|
||||
|
||||
+typedef int (*monitor_reconf_fn)(struct config_file_ctx *file_ctx,
|
||||
+ const char *filename);
|
||||
+
|
||||
struct config_file_callback {
|
||||
int wd;
|
||||
- int retries;
|
||||
monitor_reconf_fn fn;
|
||||
char *filename;
|
||||
time_t modified;
|
||||
@@ -136,11 +139,18 @@ struct config_file_callback {
|
||||
};
|
||||
|
||||
struct config_file_ctx {
|
||||
- TALLOC_CTX *parent_ctx;
|
||||
- struct tevent_timer *timer;
|
||||
- bool needs_update;
|
||||
+ struct config_file_inotify_check {
|
||||
+ struct snotify_ctx *snctx;
|
||||
+ } inotify_check;
|
||||
+
|
||||
+ struct config_file_poll_check {
|
||||
+ TALLOC_CTX *parent_ctx;
|
||||
+ struct tevent_timer *timer;
|
||||
+ struct config_file_callback *callbacks;
|
||||
+ } poll_check;
|
||||
+
|
||||
+ monitor_reconf_fn fn;
|
||||
struct mt_ctx *mt_ctx;
|
||||
- struct config_file_callback *callbacks;
|
||||
};
|
||||
|
||||
struct mt_ctx {
|
||||
@@ -153,7 +163,6 @@ struct mt_ctx {
|
||||
struct mt_svc *svc_list;
|
||||
struct sbus_connection *sbus_srv;
|
||||
struct config_file_ctx *file_ctx;
|
||||
- int inotify_fd;
|
||||
int service_id_timeout;
|
||||
bool check_children;
|
||||
bool services_started;
|
||||
@@ -712,19 +721,23 @@ static void reload_reply(DBusPendingCall *pending, void *data)
|
||||
|
||||
static int service_signal_dns_reload(struct mt_svc *svc);
|
||||
static int monitor_update_resolv(struct config_file_ctx *file_ctx,
|
||||
- const char *filename)
|
||||
+ const char *filename)
|
||||
{
|
||||
int ret;
|
||||
struct mt_svc *cur_svc;
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Resolv.conf has been updated. Reloading.\n");
|
||||
+ struct mt_ctx *mt_ctx;
|
||||
+
|
||||
+ mt_ctx = file_ctx->mt_ctx;
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Resolv.conf has been updated. Reloading.\n");
|
||||
|
||||
ret = res_init();
|
||||
- if(ret != 0) {
|
||||
+ if (ret != 0) {
|
||||
return EIO;
|
||||
}
|
||||
|
||||
/* Signal all services to reload their DNS configuration */
|
||||
- for(cur_svc = file_ctx->mt_ctx->svc_list; cur_svc; cur_svc = cur_svc->next) {
|
||||
+ for (cur_svc = mt_ctx->svc_list; cur_svc; cur_svc = cur_svc->next) {
|
||||
service_signal_dns_reload(cur_svc);
|
||||
}
|
||||
return EOK;
|
||||
@@ -1716,258 +1729,52 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static errno_t monitor_config_file_fallback(TALLOC_CTX *mem_ctx,
|
||||
- struct mt_ctx *ctx,
|
||||
- const char *file,
|
||||
- monitor_reconf_fn fn,
|
||||
- bool ignore_missing);
|
||||
+static void poll_config_file(struct tevent_context *ev,
|
||||
+ struct tevent_timer *te,
|
||||
+ struct timeval t, void *ptr);
|
||||
+static errno_t monitor_config_file_fallback(TALLOC_CTX *parent_ctx,
|
||||
+ struct config_file_ctx *file_ctx,
|
||||
+ const char *file);
|
||||
|
||||
-#ifdef HAVE_INOTIFY
|
||||
-static void process_config_file(struct tevent_context *ev,
|
||||
- struct tevent_timer *te,
|
||||
- struct timeval t, void *ptr);
|
||||
-
|
||||
-static void config_file_changed(struct tevent_context *ev,
|
||||
- struct tevent_fd *fde,
|
||||
- uint16_t flags, void *data)
|
||||
+static errno_t create_poll_timer(struct config_file_ctx *file_ctx)
|
||||
{
|
||||
- struct tevent_timer *te = NULL;
|
||||
struct timeval tv;
|
||||
- struct config_file_ctx *file_ctx;
|
||||
|
||||
- file_ctx = talloc_get_type(data, struct config_file_ctx);
|
||||
- if (file_ctx->needs_update) {
|
||||
- /* Skip updating. It's already queued for update.
|
||||
- */
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- /* We will queue the file for update in one second.
|
||||
- * This way, if there is a script writing to the file
|
||||
- * repeatedly, we won't be attempting to update multiple
|
||||
- * times.
|
||||
- */
|
||||
gettimeofday(&tv, NULL);
|
||||
- tv.tv_sec += 1;
|
||||
+ tv.tv_sec += CONFIG_FILE_POLL_INTERVAL;
|
||||
+ tv.tv_usec = 0;
|
||||
|
||||
- te = tevent_add_timer(ev, ev, tv, process_config_file, file_ctx);
|
||||
- if (!te) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Unable to queue config file update! Exiting.\n");
|
||||
- kill(getpid(), SIGTERM);
|
||||
- return;
|
||||
+ file_ctx->poll_check.timer = tevent_add_timer(file_ctx->mt_ctx->ev,
|
||||
+ file_ctx->poll_check.parent_ctx,
|
||||
+ tv,
|
||||
+ poll_config_file,
|
||||
+ file_ctx);
|
||||
+ if (!file_ctx->poll_check.timer) {
|
||||
+ talloc_free(file_ctx);
|
||||
+ return EIO;
|
||||
}
|
||||
- file_ctx->needs_update = 1;
|
||||
+
|
||||
+ return EOK;
|
||||
}
|
||||
|
||||
-struct rewatch_ctx {
|
||||
- struct config_file_callback *cb;
|
||||
- struct config_file_ctx *file_ctx;
|
||||
-};
|
||||
-static void rewatch_config_file(struct tevent_context *ev,
|
||||
- struct tevent_timer *te,
|
||||
- struct timeval t, void *ptr);
|
||||
-static void process_config_file(struct tevent_context *ev,
|
||||
- struct tevent_timer *te,
|
||||
- struct timeval t, void *ptr)
|
||||
+static void poll_config_file(struct tevent_context *ev,
|
||||
+ struct tevent_timer *te,
|
||||
+ struct timeval t, void *ptr)
|
||||
{
|
||||
- TALLOC_CTX *tmp_ctx;
|
||||
- struct inotify_event *in_event;
|
||||
- char *name;
|
||||
- ssize_t len;
|
||||
+ int ret, err;
|
||||
+ struct stat file_stat;
|
||||
struct config_file_ctx *file_ctx;
|
||||
struct config_file_callback *cb;
|
||||
- struct rewatch_ctx *rw_ctx;
|
||||
- errno_t ret;
|
||||
|
||||
file_ctx = talloc_get_type(ptr, struct config_file_ctx);
|
||||
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Processing config file changes\n");
|
||||
-
|
||||
- tmp_ctx = talloc_new(NULL);
|
||||
- if (!tmp_ctx) return;
|
||||
-
|
||||
- in_event = talloc(tmp_ctx, struct inotify_event);
|
||||
- if (!in_event) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- errno = 0;
|
||||
- len = sss_atomic_read_s(file_ctx->mt_ctx->inotify_fd, in_event,
|
||||
- sizeof(struct inotify_event));
|
||||
- if (len == -1) {
|
||||
- ret = errno;
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Critical error reading inotify file descriptor [%d]: %s\n",
|
||||
- ret, strerror(ret));
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (in_event->len > 0) {
|
||||
- /* Read in the name, even though we don't use it,
|
||||
- * so that read ptr is in the right place
|
||||
- */
|
||||
- name = talloc_size(tmp_ctx, in_event->len);
|
||||
- if (!name) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- errno = 0;
|
||||
- len = sss_atomic_read_s(file_ctx->mt_ctx->inotify_fd, name, in_event->len);
|
||||
- if (len == -1) {
|
||||
- ret = errno;
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Critical error reading inotify file descriptor [%d]: %s\n",
|
||||
- ret, strerror(ret));
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- for (cb = file_ctx->callbacks; cb; cb = cb->next) {
|
||||
- if (cb->wd == in_event->wd) {
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- if (!cb) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE, "Unknown watch descriptor\n");
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (in_event->mask & IN_IGNORED) {
|
||||
- /* Some text editors will move a new file on top of the
|
||||
- * existing one instead of modifying it. In this case,
|
||||
- * the kernel will send us an IN_IGNORE signal.
|
||||
- * We will try to open a new watch descriptor on the
|
||||
- * new file.
|
||||
- */
|
||||
- struct timeval tv;
|
||||
- struct tevent_timer *tev;
|
||||
- tv.tv_sec = t.tv_sec+5;
|
||||
- tv.tv_usec = t.tv_usec;
|
||||
- DEBUG(SSSDBG_FUNC_DATA, "Restoring inotify watch.\n");
|
||||
-
|
||||
- cb->retries = 0;
|
||||
- rw_ctx = talloc(file_ctx, struct rewatch_ctx);
|
||||
- if(!rw_ctx) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Could not restore inotify watch. Quitting!\n");
|
||||
- close(file_ctx->mt_ctx->inotify_fd);
|
||||
- kill(getpid(), SIGTERM);
|
||||
- goto done;
|
||||
- }
|
||||
- rw_ctx->cb = cb;
|
||||
- rw_ctx->file_ctx = file_ctx;
|
||||
-
|
||||
- tev = tevent_add_timer(ev, rw_ctx, tv, rewatch_config_file, rw_ctx);
|
||||
- if (tev == NULL) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Could not restore inotify watch. Quitting!\n");
|
||||
- close(file_ctx->mt_ctx->inotify_fd);
|
||||
- kill(getpid(), SIGTERM);
|
||||
- }
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- /* Tell the monitor to signal the children */
|
||||
- cb->fn(file_ctx, cb->filename);
|
||||
- file_ctx->needs_update = 0;
|
||||
-
|
||||
-done:
|
||||
- talloc_free(tmp_ctx);
|
||||
-}
|
||||
-
|
||||
-static void rewatch_config_file(struct tevent_context *ev,
|
||||
- struct tevent_timer *te,
|
||||
- struct timeval t, void *ptr)
|
||||
-{
|
||||
- int err;
|
||||
- struct tevent_timer *tev = NULL;
|
||||
- struct timeval tv;
|
||||
- struct config_file_callback *cb;
|
||||
-
|
||||
- struct rewatch_ctx *rw_ctx;
|
||||
- struct config_file_ctx *file_ctx;
|
||||
-
|
||||
- rw_ctx = talloc_get_type(ptr, struct rewatch_ctx);
|
||||
-
|
||||
- cb = rw_ctx->cb;
|
||||
- file_ctx = rw_ctx->file_ctx;
|
||||
-
|
||||
- /* Retry six times at five-second intervals before giving up */
|
||||
- cb->retries++;
|
||||
- if (cb->retries > 6) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Could not restore inotify watch. Switching to polling!\n");
|
||||
- close(file_ctx->mt_ctx->inotify_fd);
|
||||
- err = monitor_config_file_fallback(file_ctx->parent_ctx,
|
||||
- file_ctx->mt_ctx,
|
||||
- cb->filename,
|
||||
- cb->fn,true);
|
||||
- if (err != EOK)
|
||||
- kill(getpid(), SIGTERM);
|
||||
-
|
||||
- cb->fn(file_ctx, cb->filename);
|
||||
- talloc_free(rw_ctx);
|
||||
-
|
||||
- /* A new callback was created in monitor_config_file_fallback()*/
|
||||
- DLIST_REMOVE(file_ctx->callbacks, cb);
|
||||
- talloc_free(cb);
|
||||
-
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- cb->wd = inotify_add_watch(file_ctx->mt_ctx->inotify_fd,
|
||||
- cb->filename, IN_MODIFY);
|
||||
- if (cb->wd < 0) {
|
||||
- err = errno;
|
||||
-
|
||||
- tv.tv_sec = t.tv_sec+5;
|
||||
- tv.tv_usec = t.tv_usec;
|
||||
-
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Could not add inotify watch for file [%s]. Error [%d:%s]\n",
|
||||
- cb->filename, err, strerror(err));
|
||||
-
|
||||
- tev = tevent_add_timer(ev, ev, tv, rewatch_config_file, rw_ctx);
|
||||
- if (tev == NULL) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Could not restore inotify watch. Quitting!\n");
|
||||
- close(file_ctx->mt_ctx->inotify_fd);
|
||||
- kill(getpid(), SIGTERM);
|
||||
- }
|
||||
-
|
||||
- return;
|
||||
- }
|
||||
- cb->retries = 0;
|
||||
-
|
||||
- /* Tell the monitor to signal the children */
|
||||
- cb->fn(file_ctx, cb->filename);
|
||||
-
|
||||
- talloc_free(rw_ctx);
|
||||
- file_ctx->needs_update = 0;
|
||||
-}
|
||||
-#endif /* HAVE_INOTIFY */
|
||||
-
|
||||
-static void poll_config_file(struct tevent_context *ev,
|
||||
- struct tevent_timer *te,
|
||||
- struct timeval t, void *ptr)
|
||||
-{
|
||||
- int ret, err;
|
||||
- struct stat file_stat;
|
||||
- struct timeval tv;
|
||||
- struct config_file_ctx *file_ctx;
|
||||
- struct config_file_callback *cb;
|
||||
-
|
||||
- file_ctx = talloc_get_type(ptr,struct config_file_ctx);
|
||||
-
|
||||
- for (cb = file_ctx->callbacks; cb; cb = cb->next) {
|
||||
+ for (cb = file_ctx->poll_check.callbacks; cb; cb = cb->next) {
|
||||
ret = stat(cb->filename, &file_stat);
|
||||
if (ret < 0) {
|
||||
err = errno;
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Could not stat file [%s]. Error [%d:%s]\n",
|
||||
- cb->filename, err, strerror(err));
|
||||
- /* TODO: If the config file is missing, should we shut down? */
|
||||
+ cb->filename, err, strerror(err));
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1984,88 +1791,51 @@ static void poll_config_file(struct tevent_context *ev,
|
||||
}
|
||||
}
|
||||
|
||||
- gettimeofday(&tv, NULL);
|
||||
- tv.tv_sec += CONFIG_FILE_POLL_INTERVAL;
|
||||
- tv.tv_usec = 0;
|
||||
- file_ctx->timer = tevent_add_timer(ev, file_ctx->parent_ctx, tv,
|
||||
- poll_config_file, file_ctx);
|
||||
- if (!file_ctx->timer) {
|
||||
+ ret = create_poll_timer(file_ctx);
|
||||
+ if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Error: Config file no longer monitored for changes!\n");
|
||||
}
|
||||
}
|
||||
|
||||
-static int try_inotify(struct config_file_ctx *file_ctx, const char *filename,
|
||||
- monitor_reconf_fn fn)
|
||||
+static int resolv_conf_inotify_cb(const char *filename,
|
||||
+ uint32_t flags,
|
||||
+ void *pvt)
|
||||
+{
|
||||
+ struct config_file_ctx *file_ctx;
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
+ "Received inotify notification for %s\n", filename);
|
||||
+
|
||||
+ file_ctx = talloc_get_type(pvt, struct config_file_ctx);
|
||||
+ if (file_ctx == NULL) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ return file_ctx->fn(file_ctx, filename);
|
||||
+}
|
||||
+
|
||||
+static int try_inotify(struct config_file_ctx *file_ctx,
|
||||
+ const char *filename)
|
||||
{
|
||||
#ifdef HAVE_INOTIFY
|
||||
- int err, fd_args, ret;
|
||||
- struct tevent_fd *tfd;
|
||||
- struct config_file_callback *cb;
|
||||
+ struct snotify_ctx *snctx;
|
||||
+ /* We will queue the file for update in one second.
|
||||
+ * This way, if there is a script writing to the file
|
||||
+ * repeatedly, we won't be attempting to update multiple
|
||||
+ * times.
|
||||
+ */
|
||||
+ struct timeval delay = { .tv_sec = 1, .tv_usec = 0 };
|
||||
|
||||
- /* Monitoring the file descriptor should be global */
|
||||
- if (!file_ctx->mt_ctx->inotify_fd) {
|
||||
- /* Set up inotify to monitor the config file for changes */
|
||||
- file_ctx->mt_ctx->inotify_fd = inotify_init();
|
||||
- if (file_ctx->mt_ctx->inotify_fd < 0) {
|
||||
- err = errno;
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Could not initialize inotify, error [%d:%s]\n",
|
||||
- err, strerror(err));
|
||||
- return err;
|
||||
- }
|
||||
-
|
||||
- fd_args = fcntl(file_ctx->mt_ctx->inotify_fd, F_GETFL, NULL);
|
||||
- if (fd_args < 0) {
|
||||
- /* Could not set nonblocking */
|
||||
- close(file_ctx->mt_ctx->inotify_fd);
|
||||
- return EINVAL;
|
||||
- }
|
||||
-
|
||||
- fd_args |= O_NONBLOCK;
|
||||
- ret = fcntl(file_ctx->mt_ctx->inotify_fd, F_SETFL, fd_args);
|
||||
- if (ret < 0) {
|
||||
- /* Could not set nonblocking */
|
||||
- close(file_ctx->mt_ctx->inotify_fd);
|
||||
- return EINVAL;
|
||||
- }
|
||||
-
|
||||
- /* Add the inotify file descriptor to the TEvent context */
|
||||
- tfd = tevent_add_fd(file_ctx->mt_ctx->ev, file_ctx,
|
||||
- file_ctx->mt_ctx->inotify_fd,
|
||||
- TEVENT_FD_READ, config_file_changed,
|
||||
- file_ctx);
|
||||
- if (!tfd) {
|
||||
- close(file_ctx->mt_ctx->inotify_fd);
|
||||
- return EIO;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- cb = talloc_zero(file_ctx, struct config_file_callback);
|
||||
- if(!cb) {
|
||||
- close(file_ctx->mt_ctx->inotify_fd);
|
||||
- return ENOMEM;
|
||||
+ snctx = snotify_create(file_ctx, file_ctx->mt_ctx->ev, SNOTIFY_WATCH_DIR,
|
||||
+ filename, &delay,
|
||||
+ IN_DELETE_SELF | IN_CLOSE_WRITE | IN_MOVE_SELF | \
|
||||
+ IN_CREATE | IN_MOVED_TO | IN_IGNORED,
|
||||
+ resolv_conf_inotify_cb, file_ctx);
|
||||
+ if (snctx == NULL) {
|
||||
+ return EIO;
|
||||
}
|
||||
|
||||
- cb->filename = talloc_strdup(cb, filename);
|
||||
- if (!cb->filename) {
|
||||
- close(file_ctx->mt_ctx->inotify_fd);
|
||||
- return ENOMEM;
|
||||
- }
|
||||
- cb->wd = inotify_add_watch(file_ctx->mt_ctx->inotify_fd,
|
||||
- cb->filename, IN_MODIFY);
|
||||
- if (cb->wd < 0) {
|
||||
- err = errno;
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Could not add inotify watch for file [%s]. Error [%d:%s]\n",
|
||||
- cb->filename, err, strerror(err));
|
||||
- close(file_ctx->mt_ctx->inotify_fd);
|
||||
- return err;
|
||||
- }
|
||||
- cb->fn = fn;
|
||||
-
|
||||
- DLIST_ADD(file_ctx->callbacks, cb);
|
||||
-
|
||||
return EOK;
|
||||
#else
|
||||
return EINVAL;
|
||||
@@ -2074,36 +1844,18 @@ static int try_inotify(struct config_file_ctx *file_ctx, const char *filename,
|
||||
|
||||
static int monitor_config_file(TALLOC_CTX *mem_ctx,
|
||||
struct mt_ctx *ctx,
|
||||
- const char *file,
|
||||
monitor_reconf_fn fn,
|
||||
- bool ignore_missing)
|
||||
+ const char *file)
|
||||
{
|
||||
- int ret, err;
|
||||
+ int ret;
|
||||
bool use_inotify;
|
||||
- struct stat file_stat;
|
||||
|
||||
- ret = stat(file, &file_stat);
|
||||
- if (ret < 0) {
|
||||
- err = errno;
|
||||
- if (err == ENOENT && ignore_missing) {
|
||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
- "file [%s] is missing. Will not update online status "
|
||||
- "based on watching the file\n", file);
|
||||
- return EOK;
|
||||
- } else {
|
||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
- "Could not stat file [%s]. Error [%d:%s]\n",
|
||||
- file, err, strerror(err));
|
||||
-
|
||||
- return err;
|
||||
- }
|
||||
- }
|
||||
if (!ctx->file_ctx) {
|
||||
ctx->file_ctx = talloc_zero(mem_ctx, struct config_file_ctx);
|
||||
if (!ctx->file_ctx) return ENOMEM;
|
||||
|
||||
- ctx->file_ctx->parent_ctx = mem_ctx;
|
||||
ctx->file_ctx->mt_ctx = ctx;
|
||||
+ ctx->file_ctx->fn = fn;
|
||||
}
|
||||
|
||||
ret = confdb_get_bool(ctx->cdb,
|
||||
@@ -2116,73 +1868,68 @@ static int monitor_config_file(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
if (use_inotify) {
|
||||
- ret = try_inotify(ctx->file_ctx, file, fn);
|
||||
+ ret = try_inotify(ctx->file_ctx, file);
|
||||
if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "Falling back to polling\n");
|
||||
use_inotify = false;
|
||||
}
|
||||
}
|
||||
|
||||
- if (!use_inotify) {
|
||||
- /* Could not monitor file with inotify, fall back to polling */
|
||||
- ret = monitor_config_file_fallback(mem_ctx, ctx, file, fn, true);
|
||||
+ if (use_inotify == false) {
|
||||
+ ret = monitor_config_file_fallback(mem_ctx, ctx->file_ctx, file);
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static errno_t monitor_config_file_fallback(TALLOC_CTX *mem_ctx,
|
||||
- struct mt_ctx *ctx,
|
||||
- const char *file,
|
||||
- monitor_reconf_fn fn,
|
||||
- bool ignore_missing)
|
||||
+static errno_t monitor_config_file_fallback(TALLOC_CTX *parent_ctx,
|
||||
+ struct config_file_ctx *file_ctx,
|
||||
+ const char *file)
|
||||
{
|
||||
struct config_file_callback *cb = NULL;
|
||||
struct stat file_stat;
|
||||
int ret, err;
|
||||
- struct timeval tv;
|
||||
|
||||
ret = stat(file, &file_stat);
|
||||
if (ret < 0) {
|
||||
err = errno;
|
||||
- if (err == ENOENT && ignore_missing) {
|
||||
+ if (err == ENOENT) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
- "file [%s] is missing. Will not update online status "
|
||||
- "based on watching the file\n", file);
|
||||
+ "file [%s] is missing. Will not update online status "
|
||||
+ "based on watching the file\n", file);
|
||||
return EOK;
|
||||
|
||||
} else {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Could not stat file [%s]. Error [%d:%s]\n",
|
||||
- file, err, strerror(err));
|
||||
+ "Could not stat file [%s]. Error [%d:%s]\n",
|
||||
+ file, err, strerror(err));
|
||||
|
||||
return err;
|
||||
}
|
||||
}
|
||||
|
||||
- cb = talloc_zero(ctx->file_ctx, struct config_file_callback);
|
||||
+ file_ctx->poll_check.parent_ctx = parent_ctx;
|
||||
+
|
||||
+ cb = talloc_zero(file_ctx, struct config_file_callback);
|
||||
if (!cb) {
|
||||
- talloc_free(ctx->file_ctx);
|
||||
+ talloc_free(file_ctx);
|
||||
return ENOMEM;
|
||||
}
|
||||
cb->filename = talloc_strdup(cb, file);
|
||||
if (!cb->filename) {
|
||||
- talloc_free(ctx->file_ctx);
|
||||
+ talloc_free(file_ctx);
|
||||
return ENOMEM;
|
||||
}
|
||||
- cb->fn = fn;
|
||||
+ cb->fn = file_ctx->fn;
|
||||
cb->modified = file_stat.st_mtime;
|
||||
|
||||
- DLIST_ADD(ctx->file_ctx->callbacks, cb);
|
||||
+ DLIST_ADD(file_ctx->poll_check.callbacks, cb);
|
||||
|
||||
- if(!ctx->file_ctx->timer) {
|
||||
- gettimeofday(&tv, NULL);
|
||||
- tv.tv_sec += CONFIG_FILE_POLL_INTERVAL;
|
||||
- tv.tv_usec = 0;
|
||||
- ctx->file_ctx->timer = tevent_add_timer(ctx->ev, mem_ctx, tv,
|
||||
- poll_config_file, ctx->file_ctx);
|
||||
- if (!ctx->file_ctx->timer) {
|
||||
- talloc_free(ctx->file_ctx);
|
||||
- return EIO;
|
||||
+ if(!file_ctx->poll_check.timer) {
|
||||
+ ret = create_poll_timer(file_ctx);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot create poll timer\n");
|
||||
+ return ret;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2198,8 +1945,7 @@ static void missing_resolv_conf(struct tevent_context *ev,
|
||||
int ret;
|
||||
struct mt_ctx *ctx = talloc_get_type(data, struct mt_ctx);
|
||||
|
||||
- ret = monitor_config_file(ctx, ctx, RESOLV_CONF_PATH,
|
||||
- monitor_update_resolv, false);
|
||||
+ ret = monitor_config_file(ctx, ctx, monitor_update_resolv, RESOLV_CONF_PATH);
|
||||
if (ret == EOK) {
|
||||
signal_res_init(ctx);
|
||||
} else if (ret == ENOENT) {
|
||||
@@ -2297,8 +2043,7 @@ static int monitor_process_init(struct mt_ctx *ctx,
|
||||
if (ret != EOK) return ret;
|
||||
|
||||
/* Watch for changes to the DNS resolv.conf */
|
||||
- ret = monitor_config_file(ctx, ctx, RESOLV_CONF_PATH,
|
||||
- monitor_update_resolv, false);
|
||||
+ ret = monitor_config_file(ctx, ctx, monitor_update_resolv, RESOLV_CONF_PATH);
|
||||
if (ret == ENOENT) {
|
||||
tv = tevent_timeval_current_ofs(MISSING_RESOLV_CONF_POLL_TIME, 0);
|
||||
te = tevent_add_timer(ctx->ev, ctx, tv, missing_resolv_conf, ctx);
|
||||
diff --git a/src/monitor/monitor.h b/src/monitor/monitor.h
|
||||
index b5a300bf3c9b281b5e9ffa76872ff30668865117..3f679de8198aa882bc488dad642bacc9f215ba5b 100644
|
||||
--- a/src/monitor/monitor.h
|
||||
+++ b/src/monitor/monitor.h
|
||||
@@ -32,9 +32,6 @@
|
||||
|
||||
struct config_file_ctx;
|
||||
|
||||
-typedef int (*monitor_reconf_fn) (struct config_file_ctx *file_ctx,
|
||||
- const char *filename);
|
||||
-
|
||||
struct mt_ctx;
|
||||
|
||||
/* from monitor_netlink.c */
|
||||
--
|
||||
2.9.3
|
||||
|
155
0064-MAN-Add-documentation-for-the-files-provider.patch
Normal file
155
0064-MAN-Add-documentation-for-the-files-provider.patch
Normal file
@ -0,0 +1,155 @@
|
||||
From da95ec568a941c85982e30611398efb86bc884ab Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 7 Dec 2016 14:38:43 +0100
|
||||
Subject: [PATCH 64/79] MAN: Add documentation for the files provider
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The new provider needs a man page.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
contrib/sssd.spec.in | 1 +
|
||||
src/man/Makefile.am | 4 +++
|
||||
src/man/po/po4a.cfg | 1 +
|
||||
src/man/sssd-files.5.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 94 insertions(+)
|
||||
create mode 100644 src/man/sssd-files.5.xml
|
||||
|
||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||||
index fe51f9998aedbc7c157e8897a0dae67af037cec4..baeb08b124d17d4eb9cb4fdfac4168ec12dc56ad 100644
|
||||
--- a/contrib/sssd.spec.in
|
||||
+++ b/contrib/sssd.spec.in
|
||||
@@ -850,6 +850,7 @@ done
|
||||
|
||||
# The files provider is intentionally packaged in -common
|
||||
%{_libdir}/%{name}/libsss_files.so
|
||||
+%{_mandir}/man5/sssd-files.5*
|
||||
|
||||
%dir %{sssdstatedir}
|
||||
%dir %{_localstatedir}/cache/krb5rcache
|
||||
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
|
||||
index 49058bc669eb1a5fb8093a0d64c65609a3164744..760bb7831b5852e1bf3be497ad5babdb4f4318c2 100644
|
||||
--- a/src/man/Makefile.am
|
||||
+++ b/src/man/Makefile.am
|
||||
@@ -84,6 +84,10 @@ if BUILD_NFS_IDMAP
|
||||
man_MANS += sss_rpcidmapd.5
|
||||
endif
|
||||
|
||||
+if HAVE_INOTIFY
|
||||
+man_MANS += sssd-files.5
|
||||
+endif
|
||||
+
|
||||
SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8
|
||||
.1.xml.1:
|
||||
$(XMLLINT) $(XMLLINT_FLAGS) $<
|
||||
diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg
|
||||
index 00fd414428ac20fb97277d6d9225853d6ae6dad1..ffcf9a2793da3c0115bc846744ccb9592a9a68ef 100644
|
||||
--- a/src/man/po/po4a.cfg
|
||||
+++ b/src/man/po/po4a.cfg
|
||||
@@ -28,6 +28,7 @@
|
||||
[type:docbook] sss_ssh_knownhostsproxy.1.xml $lang:$(builddir)/$lang/sss_ssh_knownhostsproxy.1.xml
|
||||
[type:docbook] idmap_sss.8.xml $lang:$(builddir)/$lang/idmap_sss.8.xml
|
||||
[type:docbook] sssctl.8.xml $lang:$(builddir)/$lang/sssctl.8.xml
|
||||
+[type:docbook] sssd-files.5.xml $lang:$(builddir)/$lang/sssd-files.5.xml
|
||||
[type:docbook] sssd-secrets.5.xml $lang:$(builddir)/$lang/sssd-secrets.5.xml
|
||||
[type:docbook] include/service_discovery.xml $lang:$(builddir)/$lang/include/service_discovery.xml opt:"-k 0"
|
||||
[type:docbook] include/upstream.xml $lang:$(builddir)/$lang/include/upstream.xml opt:"-k 0"
|
||||
diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..d44fffc034803f774699ed01f11f0e5ec5cd8042
|
||||
--- /dev/null
|
||||
+++ b/src/man/sssd-files.5.xml
|
||||
@@ -0,0 +1,88 @@
|
||||
+<?xml version="1.0" encoding="UTF-8"?>
|
||||
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
|
||||
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
+<reference>
|
||||
+<title>SSSD Manual pages</title>
|
||||
+<refentry>
|
||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
|
||||
+
|
||||
+ <refmeta>
|
||||
+ <refentrytitle>sssd-files</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
|
||||
+ </refmeta>
|
||||
+
|
||||
+ <refnamediv id='name'>
|
||||
+ <refname>sssd-files</refname>
|
||||
+ <refpurpose>SSSD files provider</refpurpose>
|
||||
+ </refnamediv>
|
||||
+
|
||||
+ <refsect1 id='description'>
|
||||
+ <title>DESCRIPTION</title>
|
||||
+ <para>
|
||||
+ This manual page describes the files provider
|
||||
+ for
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sssd</refentrytitle>
|
||||
+ <manvolnum>8</manvolnum>
|
||||
+ </citerefentry>.
|
||||
+ For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sssd.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ </citerefentry> manual page.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The files provider mirrors the content of the
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>passwd</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ and
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>group</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ files. The purpose of the files provider is to make the users
|
||||
+ and groups traditionally only accessible with NSS interfaces
|
||||
+ also available through the SSSD interfaces such as
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sssd-ifp</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ </citerefentry>.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='configuration-options'>
|
||||
+ <title>CONFIGURATION OPTIONS</title>
|
||||
+ <para>
|
||||
+ The files provider has no specific options of its own, however,
|
||||
+ generic SSSD domain options can be set where applicable.
|
||||
+ Refer to the section <quote>DOMAIN SECTIONS</quote> of the
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sssd.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ </citerefentry> manual page for details on the configuration
|
||||
+ of an SSSD domain.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='example'>
|
||||
+ <title>EXAMPLE</title>
|
||||
+ <para>
|
||||
+ The following example assumes that SSSD is correctly
|
||||
+ configured and files is one of the domains in the
|
||||
+ <replaceable>[sssd]</replaceable> section.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+<programlisting>
|
||||
+[domain/files]
|
||||
+id_provider = files
|
||||
+</programlisting>
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
|
||||
+
|
||||
+</refentry>
|
||||
+</reference>
|
||||
--
|
||||
2.9.3
|
||||
|
38
0065-EXAMPLES-Do-not-point-to-id_provider-local.patch
Normal file
38
0065-EXAMPLES-Do-not-point-to-id_provider-local.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 89e53f7139b134360fda9e43d47ebfb89fcaac92 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 10 Feb 2017 16:39:19 +0100
|
||||
Subject: [PATCH 65/79] EXAMPLES: Do not point to id_provider=local
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
It makes more sense to show id_provider=files
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/examples/sssd.conf | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/examples/sssd.conf b/src/examples/sssd.conf
|
||||
index a851dbb7ecd5c3220fbd6a946a6c7be2822dbd27..1e8b537a730300a143764142ff0096db6a3f976b 100644
|
||||
--- a/src/examples/sssd.conf
|
||||
+++ b/src/examples/sssd.conf
|
||||
@@ -1,5 +1,4 @@
|
||||
[sssd]
|
||||
-config_file_version = 2
|
||||
services = nss, pam
|
||||
domains = shadowutils
|
||||
|
||||
@@ -8,8 +7,7 @@ domains = shadowutils
|
||||
[pam]
|
||||
|
||||
[domain/shadowutils]
|
||||
-id_provider = proxy
|
||||
-proxy_lib_name = files
|
||||
+id_provider = files
|
||||
|
||||
auth_provider = proxy
|
||||
proxy_pam_target = sssd-shadowutils
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,40 @@
|
||||
From 0e7047c1533e5e424b28959488e8ffa91613abd9 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 13 Feb 2017 11:46:06 +0100
|
||||
Subject: [PATCH 66/79] SBUS: Document how to free the result of
|
||||
sbus_create_message
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
It might not be apparent how to free the message constructed by
|
||||
sbus_create_message(). This patch just adds a comment that tells the
|
||||
developer to either free the parent context or unref the message with a
|
||||
dbus call directly.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/sbus/sssd_dbus_utils.h | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_utils.h b/src/sbus/sssd_dbus_utils.h
|
||||
index 74c21fb7930c7f5f5417b6a2587cf691b1bc0b19..e53a7faef10a4066b58213741cd73f7411419f00 100644
|
||||
--- a/src/sbus/sssd_dbus_utils.h
|
||||
+++ b/src/sbus/sssd_dbus_utils.h
|
||||
@@ -25,6 +25,13 @@ errno_t sbus_talloc_bound_message(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
||||
errno_t sbus_error_to_errno(DBusError *error);
|
||||
errno_t sbus_check_reply(DBusMessage *reply);
|
||||
|
||||
+/* Creates a DBusMessage from a vararg list. Please note that even though
|
||||
+ * this function and sbus_create_message accept a talloc memory context,
|
||||
+ * it is not valid to free the resulting message with talloc_free() directly.
|
||||
+ * Instead, either free the parent memory context or directly call
|
||||
+ * dbus_message_unref on the message if you pass NULL memory context to
|
||||
+ * these functions
|
||||
+ */
|
||||
DBusMessage *sbus_create_message_valist(TALLOC_CTX *mem_ctx,
|
||||
const char *bus,
|
||||
const char *path,
|
||||
--
|
||||
2.9.3
|
||||
|
33
0067-IPA_SUDO-Unused-value-fix.patch
Normal file
33
0067-IPA_SUDO-Unused-value-fix.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 334029028e566fab3dce5ce4b1b53cc4809c21b8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
||||
Date: Thu, 16 Feb 2017 13:57:09 +0100
|
||||
Subject: [PATCH 67/79] IPA_SUDO: Unused value fix
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Unused value was immediately overwritten.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3309
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_sudo_conversion.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
|
||||
index 05d863c20954c816e52d27fe4a5e1553776c6d41..f6d17d82b7c2f1bd63f8deb00c3c7c19d9881bc1 100644
|
||||
--- a/src/providers/ipa/ipa_sudo_conversion.c
|
||||
+++ b/src/providers/ipa/ipa_sudo_conversion.c
|
||||
@@ -956,7 +956,6 @@ convert_attributes(struct ipa_sudo_conv *conv,
|
||||
value = table[i].conv_fn(tmp_ctx, conv, values[j], &skip_entry);
|
||||
if (value == NULL) {
|
||||
if (skip_entry) {
|
||||
- ret = ENOENT;
|
||||
continue;
|
||||
} else {
|
||||
ret = ENOMEM;
|
||||
--
|
||||
2.9.3
|
||||
|
99
0068-intg-Fix-python3-issues.patch
Normal file
99
0068-intg-Fix-python3-issues.patch
Normal file
@ -0,0 +1,99 @@
|
||||
From bac4458c89a589055ae3daf4f72cc7dba886264a Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Thu, 16 Feb 2017 10:07:33 +0100
|
||||
Subject: [PATCH 68/79] intg: Fix python3 issues
|
||||
|
||||
NamedTemporaryFile use the default mode 'w+b'
|
||||
and we tried to write strings. It is not a problem on python2
|
||||
but failed on pyhton3
|
||||
|
||||
Python module ctypes directly uses C functions from libraries.
|
||||
C functions usually expect/returns "char *" when string is expected.
|
||||
But python3 uses unicode for string. Decoding returned bytes
|
||||
("char *") to unicode strings simplify tests in python3.
|
||||
Otherwise we would need to convert bytes to string in each assertion.
|
||||
|
||||
Reviewed-by: Martin Basti <mbasti@redhat.com>
|
||||
---
|
||||
src/tests/intg/files_ops.py | 3 ++-
|
||||
src/tests/intg/sssd_group.py | 6 ++++--
|
||||
src/tests/intg/sssd_passwd.py | 11 ++++++-----
|
||||
3 files changed, 12 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/tests/intg/files_ops.py b/src/tests/intg/files_ops.py
|
||||
index 65b3e5ee401e453c51dcd55433be8d9fa3ce6c92..62f56517d46b43c10783ca93bb59d75cbedd9224 100644
|
||||
--- a/src/tests/intg/files_ops.py
|
||||
+++ b/src/tests/intg/files_ops.py
|
||||
@@ -76,7 +76,8 @@ class FilesOps(object):
|
||||
return contents
|
||||
|
||||
def _write_contents(self, contents):
|
||||
- tmp_file = tempfile.NamedTemporaryFile(dir=self.tmp_dir, delete=False)
|
||||
+ tmp_file = tempfile.NamedTemporaryFile(mode='w', dir=self.tmp_dir,
|
||||
+ delete=False)
|
||||
tmp_file.writelines(contents)
|
||||
tmp_file.flush()
|
||||
|
||||
diff --git a/src/tests/intg/sssd_group.py b/src/tests/intg/sssd_group.py
|
||||
index a9cfb32d59a5406fb1ad738d64c7487404f39a2d..ab873a726d4c1c35ed00fe4c431566ecef648880 100644
|
||||
--- a/src/tests/intg/sssd_group.py
|
||||
+++ b/src/tests/intg/sssd_group.py
|
||||
@@ -46,6 +46,7 @@ def getgrnam_r(name, result_p, buffer_p, buflen):
|
||||
|
||||
errno = POINTER(c_int)(c_int(0))
|
||||
|
||||
+ name = name.encode('utf-8')
|
||||
res = func(c_char_p(name), result_p, buffer_p, buflen, errno)
|
||||
|
||||
return (int(res), int(errno[0]), result_p)
|
||||
@@ -56,13 +57,14 @@ def set_group_dict(res, result_p):
|
||||
return dict()
|
||||
|
||||
group_dict = dict()
|
||||
- group_dict['name'] = result_p[0].gr_name
|
||||
+ group_dict['name'] = result_p[0].gr_name.decode('utf-8')
|
||||
group_dict['gid'] = result_p[0].gr_gid
|
||||
group_dict['mem'] = list()
|
||||
|
||||
i = 0
|
||||
while result_p[0].gr_mem[i] != None:
|
||||
- group_dict['mem'].append(result_p[0].gr_mem[i])
|
||||
+ grp_name = result_p[0].gr_mem[i].decode('utf-8')
|
||||
+ group_dict['mem'].append(grp_name)
|
||||
i = i+1
|
||||
|
||||
return group_dict
|
||||
diff --git a/src/tests/intg/sssd_passwd.py b/src/tests/intg/sssd_passwd.py
|
||||
index 8b741ea8c27efe2081ee200e6af02c322c5d53bc..f285b4971d0d9e826bf6cb38ebefeaf1b4422187 100644
|
||||
--- a/src/tests/intg/sssd_passwd.py
|
||||
+++ b/src/tests/intg/sssd_passwd.py
|
||||
@@ -38,13 +38,13 @@ def set_user_dict(res, result_p):
|
||||
return dict()
|
||||
|
||||
user_dict = dict()
|
||||
- user_dict['name'] = result_p[0].pw_name
|
||||
- user_dict['passwd'] = result_p[0].pw_passwd
|
||||
+ user_dict['name'] = result_p[0].pw_name.decode('utf-8')
|
||||
+ user_dict['passwd'] = result_p[0].pw_passwd.decode('utf-8')
|
||||
user_dict['uid'] = result_p[0].pw_uid
|
||||
user_dict['gid'] = result_p[0].pw_gid
|
||||
- user_dict['gecos'] = result_p[0].pw_gecos
|
||||
- user_dict['dir'] = result_p[0].pw_dir
|
||||
- user_dict['shell'] = result_p[0].pw_shell
|
||||
+ user_dict['gecos'] = result_p[0].pw_gecos.decode('utf-8')
|
||||
+ user_dict['dir'] = result_p[0].pw_dir.decode('utf-8')
|
||||
+ user_dict['shell'] = result_p[0].pw_shell.decode('utf-8')
|
||||
return user_dict
|
||||
|
||||
|
||||
@@ -64,6 +64,7 @@ def getpwnam_r(name, result_p, buffer_p, buflen):
|
||||
|
||||
errno = POINTER(c_int)(c_int(0))
|
||||
|
||||
+ name = name.encode('utf-8')
|
||||
res = func(c_char_p(name), result_p, buffer_p, buflen, errno)
|
||||
|
||||
return (int(res), int(errno[0]), result_p)
|
||||
--
|
||||
2.9.3
|
||||
|
36
0069-DYNDNS-Update-PTR-record-after-non-fatal-error.patch
Normal file
36
0069-DYNDNS-Update-PTR-record-after-non-fatal-error.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From fccd8f9ab7a0ac9868c43ea0e8c3af142b2809fa Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Mon, 24 Oct 2016 15:46:50 -0400
|
||||
Subject: [PATCH 69/79] DYNDNS: Update PTR record after non-fatal error
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Continue to send PTR record update in situations where the nsupdate
|
||||
child forward zone updates are successful but nsupdate returns non-zero
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3227
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/ldap/sdap_dyndns.c | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
|
||||
index 83ec05183de9c429f6576c4e2e0fb769c9470a2f..9d28b57589b85a56abf363880bd310bb63ebd8d2 100644
|
||||
--- a/src/providers/ldap/sdap_dyndns.c
|
||||
+++ b/src/providers/ldap/sdap_dyndns.c
|
||||
@@ -381,9 +381,6 @@ sdap_dyndns_update_done(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
}
|
||||
-
|
||||
- tevent_req_error(req, ret);
|
||||
- return;
|
||||
}
|
||||
|
||||
if (state->update_ptr == false) {
|
||||
--
|
||||
2.9.3
|
||||
|
43
0070-DYNDNS-Correct-debug-log-message-of-realm.patch
Normal file
43
0070-DYNDNS-Correct-debug-log-message-of-realm.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From d694d4fdcc81f24c2f9e3bb5a0dbe0a52498f196 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Mon, 24 Oct 2016 18:04:11 -0400
|
||||
Subject: [PATCH 70/79] DYNDNS: Correct debug log message of realm
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the realm is not added to the nsupdate message, the SSSD Debug log
|
||||
message should inform about utilizing autodiscovered realm.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3220
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/be_dyndns.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
|
||||
index 07dc3339d2f65874504de60b8d3f2e63a8d7045f..ee264156824d7c5ab27c919ae0c56bbd6c0bc54f 100644
|
||||
--- a/src/providers/be_dyndns.c
|
||||
+++ b/src/providers/be_dyndns.c
|
||||
@@ -435,11 +435,15 @@ nsupdate_msg_create_common(TALLOC_CTX *mem_ctx, const char *realm,
|
||||
/* Add the server, realm and headers */
|
||||
update_msg = talloc_asprintf(tmp_ctx, "server %s\n%s",
|
||||
servername, realm_directive);
|
||||
- } else {
|
||||
+ } else if (realm != NULL) {
|
||||
DEBUG(SSSDBG_FUNC_DATA,
|
||||
"Creating update message for realm [%s].\n", realm);
|
||||
/* Add the realm headers */
|
||||
update_msg = talloc_asprintf(tmp_ctx, "%s", realm_directive);
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_FUNC_DATA,
|
||||
+ "Creating update message for auto-discovered realm.\n");
|
||||
+ update_msg = talloc_asprintf(tmp_ctx, "%s", realm_directive);
|
||||
}
|
||||
talloc_free(realm_directive);
|
||||
if (update_msg == NULL) {
|
||||
--
|
||||
2.9.3
|
||||
|
83
0071-sdap_extend_map-make-sure-memory-can-be-freed.patch
Normal file
83
0071-sdap_extend_map-make-sure-memory-can-be-freed.patch
Normal file
@ -0,0 +1,83 @@
|
||||
From 08bf6b4a281ef4308119dccbba4e86cf28b505d2 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 4 Nov 2016 17:13:30 +0100
|
||||
Subject: [PATCH 71/79] sdap_extend_map: make sure memory can be freed
|
||||
|
||||
If there is an error after calling talloc_realloc() the caller cannot
|
||||
free the memory properly because neither src_map nor _map were pointing
|
||||
to a valid memory location. With this patch _map will always point to
|
||||
the current valid location so that it can always be used with
|
||||
talloc_free().
|
||||
|
||||
Reviewed-by: Petr Cech <pcech@redhat.com>
|
||||
---
|
||||
src/providers/ldap/sdap.c | 4 ++--
|
||||
src/providers/ldap/sdap.h | 21 +++++++++++++++++++++
|
||||
2 files changed, 23 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index bfb7fc6d2a38debf56acae18b8e7eb7a08ccbd1b..342667aae6cc0b6c3df8c76f11eb2445e6bad0be 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -162,9 +162,9 @@ int sdap_extend_map(TALLOC_CTX *memctx,
|
||||
char *sysdb_attr;
|
||||
errno_t ret;
|
||||
|
||||
+ *_map = src_map;
|
||||
if (extra_attrs == NULL) {
|
||||
DEBUG(SSSDBG_FUNC_DATA, "No extra attributes\n");
|
||||
- *_map = src_map;
|
||||
*_new_size = num_entries;
|
||||
return EOK;
|
||||
}
|
||||
@@ -177,6 +177,7 @@ int sdap_extend_map(TALLOC_CTX *memctx,
|
||||
if (map == NULL) {
|
||||
return ENOMEM;
|
||||
}
|
||||
+ *_map = map;
|
||||
|
||||
for (i = 0; *extra_attrs != NULL; extra_attrs++) {
|
||||
ret = split_extra_attr(map, *extra_attrs, &sysdb_attr, &ldap_attr);
|
||||
@@ -221,7 +222,6 @@ int sdap_extend_map(TALLOC_CTX *memctx,
|
||||
/* Sentinel */
|
||||
memset(&map[num_entries+nextra], 0, sizeof(struct sdap_attr_map));
|
||||
|
||||
- *_map = map;
|
||||
*_new_size = num_entries + nextra;
|
||||
return EOK;
|
||||
}
|
||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||
index 6d4543ed48ce19f82252d34b6d0833a546a81bb9..6079a8bf62d0bdf23c8d462dc0f19c705e391a6e 100644
|
||||
--- a/src/providers/ldap/sdap.h
|
||||
+++ b/src/providers/ldap/sdap.h
|
||||
@@ -512,6 +512,27 @@ int sdap_copy_map(TALLOC_CTX *memctx,
|
||||
int num_entries,
|
||||
struct sdap_attr_map **_map);
|
||||
|
||||
+/**
|
||||
+ * @brief Add attributes to a map
|
||||
+ *
|
||||
+ * sdap_extend_map() will call talloc_realloc() on the second argument so the
|
||||
+ * original storage location might change. The return value _map will always
|
||||
+ * contain the current memory location which can be used with talloc_free()
|
||||
+ * even if there is an error.
|
||||
+ *
|
||||
+ * @param[in] memctx Talloc memory context
|
||||
+ * @param[in] src_map Original map, should not be accessed anymore
|
||||
+ * @param[in] num_entries Number of entries in the original map
|
||||
+ * @param[in] extra_attrs NULL-terminated array of extra attribute pairs
|
||||
+ * sysdb_attr:ldap_attr
|
||||
+ * @param[out] _map New map
|
||||
+ * @param[out] _new_size Number of entries in the new map
|
||||
+ *
|
||||
+ * @return
|
||||
+ * - EOK success
|
||||
+ * - ENOMEM memory allocation failed
|
||||
+ * - ERR_DUP_EXTRA_ATTR sysdb attribute is already used
|
||||
+ */
|
||||
int sdap_extend_map(TALLOC_CTX *memctx,
|
||||
struct sdap_attr_map *src_map,
|
||||
size_t num_entries,
|
||||
--
|
||||
2.9.3
|
||||
|
79
0072-check_duplicate-check-name-member-before-using-it.patch
Normal file
79
0072-check_duplicate-check-name-member-before-using-it.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From 454cf0c3808a9f6a0c9f79e9796e17c58907ee6c Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 4 Nov 2016 17:17:13 +0100
|
||||
Subject: [PATCH 72/79] check_duplicate: check name member before using it
|
||||
|
||||
Resolves https://fedorahosted.org/sssd/ticket/3231
|
||||
|
||||
Reviewed-by: Petr Cech <pcech@redhat.com>
|
||||
---
|
||||
src/providers/ldap/sdap.c | 2 +-
|
||||
src/tests/ipa_ldap_opt-tests.c | 32 ++++++++++++++++++++++++++++++++
|
||||
2 files changed, 33 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index 342667aae6cc0b6c3df8c76f11eb2445e6bad0be..d562a96e252e20051c2b4eabffd3205a8575cc72 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -137,7 +137,7 @@ static enum duplicate_t check_duplicate(struct sdap_attr_map *map,
|
||||
|
||||
for (i = 0; i < num_entries; i++) {
|
||||
if (strcmp(map[i].sys_name, sysdb_attr) == 0) {
|
||||
- if (strcmp(map[i].name, ldap_attr) == 0) {
|
||||
+ if (map[i].name != NULL && strcmp(map[i].name, ldap_attr) == 0) {
|
||||
return ALREADY_IN_MAP;
|
||||
} else {
|
||||
return CONFLICT_WITH_MAP;
|
||||
diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c
|
||||
index 622a617c3b55495b41bffa1868497d302cc1f1e3..30e09f75b788332858231177017f90c35e21229f 100644
|
||||
--- a/src/tests/ipa_ldap_opt-tests.c
|
||||
+++ b/src/tests/ipa_ldap_opt-tests.c
|
||||
@@ -467,6 +467,37 @@ START_TEST(test_extra_opts_dup)
|
||||
extra_attrs,
|
||||
&out_map, &new_size);
|
||||
fail_unless(ret == ERR_DUP_EXTRA_ATTR, "[%s]", sss_strerror(ret));
|
||||
+
|
||||
+ talloc_free(out_map);
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+START_TEST(test_extra_opts_empty_name)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ char *extra_attrs[] = { discard_const(SYSDB_UUID":bar"),
|
||||
+ NULL };
|
||||
+ struct sdap_attr_map *in_map;
|
||||
+ struct sdap_attr_map *out_map;
|
||||
+ size_t new_size;
|
||||
+
|
||||
+ ret = sdap_copy_map(global_talloc_context, rfc2307_user_map,
|
||||
+ SDAP_OPTS_USER, &in_map);
|
||||
+ fail_unless(ret == EOK, "[%s]", strerror(ret));
|
||||
+
|
||||
+ /* Make sure the name if really NULL */
|
||||
+ fail_unless(rfc2307_user_map[SDAP_AT_USER_UUID].name == NULL,
|
||||
+ "The reference name is not NULL anymore, "
|
||||
+ "please choose a different attribute.");
|
||||
+
|
||||
+ ret = sdap_extend_map(global_talloc_context,
|
||||
+ in_map,
|
||||
+ SDAP_OPTS_USER,
|
||||
+ extra_attrs,
|
||||
+ &out_map, &new_size);
|
||||
+ fail_unless(ret == ERR_DUP_EXTRA_ATTR, "[%s]", sss_strerror(ret));
|
||||
+
|
||||
+ talloc_free(out_map);
|
||||
}
|
||||
END_TEST
|
||||
|
||||
@@ -500,6 +531,7 @@ Suite *ipa_ldap_opt_suite (void)
|
||||
tcase_add_test (tc_extra_opts, test_no_extra_opts);
|
||||
tcase_add_test (tc_extra_opts, test_extra_opts_neg);
|
||||
tcase_add_test (tc_extra_opts, test_extra_opts_dup);
|
||||
+ tcase_add_test (tc_extra_opts, test_extra_opts_empty_name);
|
||||
suite_add_tcase (s, tc_extra_opts);
|
||||
|
||||
return s;
|
||||
--
|
||||
2.9.3
|
||||
|
167
0073-FILES-Fix-reallocation-logic.patch
Normal file
167
0073-FILES-Fix-reallocation-logic.patch
Normal file
@ -0,0 +1,167 @@
|
||||
From fc91d72f32660712f7c9e872e00deb91f188fea3 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 21 Feb 2017 22:14:35 +0100
|
||||
Subject: [PATCH 73/79] FILES: Fix reallocation logic
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
There were two bugs in the files provider reallocation logic:
|
||||
1) the reallocated array was not NULL-terminated properly
|
||||
2) talloc_get_size was used in place of talloc_array_length
|
||||
|
||||
This bug could have resulted in a crash when the passwd or groups file
|
||||
contained more than FILES_REALLOC_CHUNK entries.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/files/files_ops.c | 9 +++--
|
||||
src/tests/intg/test_files_provider.py | 66 ++++++++++++++++++++++++++++++++++-
|
||||
2 files changed, 72 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
|
||||
index beda47abd75efd1d399ce074cceb9ea9f4b1399f..9ebf3b11bdb6be60c03392a74a0d434c90808782 100644
|
||||
--- a/src/providers/files/files_ops.c
|
||||
+++ b/src/providers/files/files_ops.c
|
||||
@@ -27,6 +27,9 @@
|
||||
#include "util/inotify.h"
|
||||
#include "util/util.h"
|
||||
|
||||
+/* When changing this constant, make sure to also adjust the files integration
|
||||
+ * test for reallocation branch
|
||||
+ */
|
||||
#define FILES_REALLOC_CHUNK 64
|
||||
|
||||
#define PWD_MAXSIZE 1024
|
||||
@@ -108,7 +111,7 @@ static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
|
||||
users = talloc_realloc(mem_ctx,
|
||||
users,
|
||||
struct passwd *,
|
||||
- talloc_get_size(users) + FILES_REALLOC_CHUNK);
|
||||
+ talloc_array_length(users) + FILES_REALLOC_CHUNK);
|
||||
if (users == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
@@ -117,6 +120,7 @@ static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
ret = EOK;
|
||||
+ users[n_users] = NULL;
|
||||
*_users = users;
|
||||
done:
|
||||
if (ret != EOK) {
|
||||
@@ -211,7 +215,7 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
|
||||
groups = talloc_realloc(mem_ctx,
|
||||
groups,
|
||||
struct group *,
|
||||
- talloc_get_size(groups) + FILES_REALLOC_CHUNK);
|
||||
+ talloc_array_length(groups) + FILES_REALLOC_CHUNK);
|
||||
if (groups == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
@@ -220,6 +224,7 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
ret = EOK;
|
||||
+ groups[n_groups] = NULL;
|
||||
*_groups = groups;
|
||||
done:
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
|
||||
index 0a2e5a7f4da8b27bc410c401baf4f5f226c2a301..528b5e5acc5078cce5bfab9a5f9dab5509e580eb 100644
|
||||
--- a/src/tests/intg/test_files_provider.py
|
||||
+++ b/src/tests/intg/test_files_provider.py
|
||||
@@ -34,6 +34,9 @@ from sssd_group import call_sssd_getgrnam
|
||||
from files_ops import passwd_ops_setup, group_ops_setup
|
||||
from util import unindent
|
||||
|
||||
+# Sync this with files_ops.c
|
||||
+FILES_REALLOC_CHUNK = 64
|
||||
+
|
||||
CANARY = dict(name='canary', passwd='x', uid=100001, gid=200001,
|
||||
gecos='Used to check if passwd is resolvable',
|
||||
dir='/home/canary',
|
||||
@@ -204,7 +207,7 @@ def sssd_id_sync(name):
|
||||
# Helper functions
|
||||
def user_generator(seqnum):
|
||||
return dict(name='user%d' % seqnum,
|
||||
- passwd='*',
|
||||
+ passwd='x',
|
||||
uid=10000 + seqnum,
|
||||
gid=20000 + seqnum,
|
||||
gecos='User for tests',
|
||||
@@ -221,6 +224,12 @@ def check_user(exp_user, delay=1.0):
|
||||
assert found_user == exp_user
|
||||
|
||||
|
||||
+def group_generator(seqnum):
|
||||
+ return dict(name='group%d' % seqnum,
|
||||
+ gid=30000 + seqnum,
|
||||
+ mem=[])
|
||||
+
|
||||
+
|
||||
def check_group(exp_group, delay=1.0):
|
||||
if delay > 0:
|
||||
time.sleep(delay)
|
||||
@@ -690,3 +699,58 @@ def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
|
||||
assert res == sssd_id.NssReturnCode.SUCCESS
|
||||
assert len(groups) == 2
|
||||
assert 'group_nomem' in groups
|
||||
+
|
||||
+
|
||||
+def realloc_users(pwd_ops, num):
|
||||
+ # Intentionally not including the the last one because
|
||||
+ # canary is added first
|
||||
+ for i in range(1, num):
|
||||
+ user = user_generator(i)
|
||||
+ pwd_ops.useradd(**user)
|
||||
+
|
||||
+ user = user_generator(num-1)
|
||||
+ check_user(user)
|
||||
+
|
||||
+
|
||||
+def test_realloc_users_exact(setup_pw_with_canary, files_domain_only):
|
||||
+ """
|
||||
+ Test that returning exactly FILES_REALLOC_CHUNK users (see files_ops.c)
|
||||
+ works fine to test reallocation logic. Test exact number of users to
|
||||
+ check for off-by-one errors.
|
||||
+ """
|
||||
+ realloc_users(setup_pw_with_canary, FILES_REALLOC_CHUNK)
|
||||
+
|
||||
+
|
||||
+def test_realloc_users(setup_pw_with_canary, files_domain_only):
|
||||
+ """
|
||||
+ Test that returning exactly FILES_REALLOC_CHUNK users (see files_ops.c)
|
||||
+ works fine to test reallocation logic.
|
||||
+ """
|
||||
+ realloc_users(setup_pw_with_canary, FILES_REALLOC_CHUNK*3)
|
||||
+
|
||||
+
|
||||
+def realloc_groups(grp_ops, num):
|
||||
+ for i in range(1, num):
|
||||
+ group = group_generator(i)
|
||||
+ grp_ops.groupadd(**group)
|
||||
+
|
||||
+ group = group_generator(num-1)
|
||||
+ check_group(group)
|
||||
+
|
||||
+
|
||||
+def test_realloc_groups_exact(setup_gr_with_canary, files_domain_only):
|
||||
+ """
|
||||
+ Test that returning exactly FILES_REALLOC_CHUNK groups (see files_ops.c)
|
||||
+ works fine to test reallocation logic. Test exact number of groups to
|
||||
+ check for off-by-one errors.
|
||||
+ """
|
||||
+ realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK*3)
|
||||
+
|
||||
+
|
||||
+def test_realloc_groups(setup_gr_with_canary, files_domain_only):
|
||||
+ """
|
||||
+ Test that returning exactly FILES_REALLOC_CHUNK groups (see files_ops.c)
|
||||
+ works fine to test reallocation logic. Test exact number of groups to
|
||||
+ check for off-by-one errors.
|
||||
+ """
|
||||
+ realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK*3)
|
||||
--
|
||||
2.9.3
|
||||
|
47
0074-pam_sss-check-conversation-callback.patch
Normal file
47
0074-pam_sss-check-conversation-callback.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 0965a77c4ff0b358d24582955cb7ae375ebaa0d2 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 22 Feb 2017 11:39:48 +0100
|
||||
Subject: [PATCH 74/79] pam_sss: check conversation callback
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
With this patch pam_sss checks if a conversation callback is available
|
||||
before using it.
|
||||
|
||||
Resolves https://fedorahosted.org/sssd/ticket/3296
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/sss_client/pam_sss.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index b4175ae2c7fc1385a19f81045695bcd73d43f754..03613b8cd0cc3e3521f520e86d5e67371ed6ed48 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -205,6 +205,10 @@ static int do_pam_conversation(pam_handle_t *pamh, const int msg_style,
|
||||
|
||||
ret=pam_get_item(pamh, PAM_CONV, (const void **) &conv);
|
||||
if (ret != PAM_SUCCESS) return ret;
|
||||
+ if (conv == NULL || conv->conv == NULL) {
|
||||
+ logger(pamh, LOG_ERR, "No conversation function");
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
|
||||
do {
|
||||
pam_msg = malloc(sizeof(struct pam_message));
|
||||
@@ -1304,6 +1308,10 @@ static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
|
||||
if (ret != PAM_SUCCESS) {
|
||||
return ret;
|
||||
}
|
||||
+ if (conv == NULL || conv->conv == NULL) {
|
||||
+ logger(pamh, LOG_ERR, "No conversation function");
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
|
||||
m[0].msg_style = PAM_PROMPT_ECHO_OFF;
|
||||
m[0].msg = prompt_fa1;
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,44 @@
|
||||
From 86bcc81a665dde4799d67ab7ea2bbd23608e7dab Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Fri, 3 Feb 2017 18:31:51 +0100
|
||||
Subject: [PATCH 75/79] MONITOR: Don't return an error in case we fail to
|
||||
register a service
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This behaviour was mistakenly changed by the {dbus,socket}-activation
|
||||
series and, as it's now, I've noticed the monitor may end up in some
|
||||
weird state due to this change, where it doesn't stop properly and leave
|
||||
some defuncts children processes.
|
||||
|
||||
Let's change it back to what it was before and avoid possible
|
||||
regressions (even if no regression where hit yet).
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/monitor/monitor.c | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index bc7402103d8024391d2ee27f48b28247ff9cd49c..59bf70741b76871c4937ad75c448aaf776cc37eb 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -372,11 +372,7 @@ static int client_registration(struct sbus_request *dbus_req, void *data)
|
||||
sbus_request_finish(dbus_req, NULL);
|
||||
/* FIXME: should we just talloc_zfree(conn) ? */
|
||||
|
||||
- if (ret == ENOENT) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- return ret;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
/* Fill in svc structure with connection data */
|
||||
--
|
||||
2.9.3
|
||||
|
34
0076-FILES-Remove-unnecessary-check.patch
Normal file
34
0076-FILES-Remove-unnecessary-check.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From 1f49be4429c17475b789e9089ce4d0ae48315e74 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Thu, 16 Feb 2017 09:15:29 +0100
|
||||
Subject: [PATCH 76/79] FILES: Remove unnecessary check
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
"grp_iter->gr_mem" is an array of strings and not just a string.
|
||||
We tried to compare first string to NULL (acctually '\0')
|
||||
But after that we iterated over the array to find count of members
|
||||
and we check for NULL one more time.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/files/files_ops.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
|
||||
index 9ebf3b11bdb6be60c03392a74a0d434c90808782..370dcd971459069915178bac1fa3e87ecf2884ef 100644
|
||||
--- a/src/providers/files/files_ops.c
|
||||
+++ b/src/providers/files/files_ops.c
|
||||
@@ -189,7 +189,7 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
grp->gr_passwd = talloc_strdup(grp, grp_iter->gr_passwd);
|
||||
|
||||
- if (grp_iter->gr_mem != NULL && grp_iter->gr_mem[0] != '\0') {
|
||||
+ if (grp_iter->gr_mem != NULL) {
|
||||
size_t nmem;
|
||||
|
||||
for (nmem = 0; grp_iter->gr_mem[nmem] != NULL; nmem++);
|
||||
--
|
||||
2.9.3
|
||||
|
80
0077-PAM-store-user-object-in-the-preq-context.patch
Normal file
80
0077-PAM-store-user-object-in-the-preq-context.patch
Normal file
@ -0,0 +1,80 @@
|
||||
From f561c2bd3c72631ccb7ad6d0b5f6541b27b0922d Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 19 Sep 2016 16:56:46 +0200
|
||||
Subject: [PATCH 77/95] PAM: store user object in the preq context
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/pam/pamsrv.h | 1 +
|
||||
src/responder/pam/pamsrv_cmd.c | 12 ++++++------
|
||||
2 files changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index 75045d03937bf71365b4d2654f4257e149087215..e3568123ac6e35d05d63b7b481dbcfbeddbd458c 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -68,6 +68,7 @@ struct pam_auth_req {
|
||||
|
||||
struct pam_auth_dp_req *dpreq_spy;
|
||||
|
||||
+ struct ldb_message *user_obj;
|
||||
struct ldb_message *cert_user_obj;
|
||||
char *token_name;
|
||||
};
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index e73a819069d0fdf56327d96e38ecfa0585d52a68..e74dd1684ca0a853f4ff1f9f98bb0f9e8d3d219f 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1560,7 +1560,6 @@ static int pam_check_user_search(struct pam_auth_req *preq)
|
||||
struct pam_ctx *pctx =
|
||||
talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
|
||||
static const char *user_attrs[] = SYSDB_PW_ATTRS;
|
||||
- struct ldb_message *msg;
|
||||
struct ldb_result *res;
|
||||
const char *sysdb_name;
|
||||
|
||||
@@ -1621,11 +1620,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
|
||||
}
|
||||
|
||||
if (preq->pd->name_is_upn) {
|
||||
- ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, &msg);
|
||||
+ ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs,
|
||||
+ &preq->user_obj);
|
||||
if (ret == EOK) {
|
||||
/* Since sysdb_search_user_by_upn() searches the whole cache we
|
||||
* have to set the domain so that it matches the result. */
|
||||
- sysdb_name = ldb_msg_find_attr_as_string(msg,
|
||||
+ sysdb_name = ldb_msg_find_attr_as_string(preq->user_obj,
|
||||
SYSDB_NAME, NULL);
|
||||
if (sysdb_name == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n");
|
||||
@@ -1654,7 +1654,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
|
||||
} else if (res->count == 0) {
|
||||
ret = ENOENT;
|
||||
} else {
|
||||
- msg = res->msgs[0];
|
||||
+ preq->user_obj = res->msgs[0];
|
||||
}
|
||||
}
|
||||
if (ret != EOK && ret != ENOENT) {
|
||||
@@ -1693,7 +1693,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
|
||||
|
||||
/* if we need to check the remote account go on */
|
||||
if (preq->check_provider) {
|
||||
- cacheExpire = ldb_msg_find_attr_as_uint64(msg,
|
||||
+ cacheExpire = ldb_msg_find_attr_as_uint64(preq->user_obj,
|
||||
SYSDB_CACHE_EXPIRE, 0);
|
||||
if (cacheExpire < time(NULL)) {
|
||||
break;
|
||||
@@ -1704,7 +1704,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
|
||||
"Returning info for user [%s@%s]\n", name, dom->name);
|
||||
|
||||
/* We might have searched by alias. Pass on the primary name */
|
||||
- ret = pd_set_primary_name(msg, preq->pd);
|
||||
+ ret = pd_set_primary_name(preq->user_obj, preq->pd);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n");
|
||||
return ret;
|
||||
--
|
||||
2.9.3
|
||||
|
72
0078-PAM-fix-memory-leak-in-pam_sss.patch
Normal file
72
0078-PAM-fix-memory-leak-in-pam_sss.patch
Normal file
@ -0,0 +1,72 @@
|
||||
From 327a16652bbafbb77b5b90cc7abac3ded7c14364 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 17:34:54 +0100
|
||||
Subject: [PATCH 78/95] PAM: fix memory leak in pam_sss
|
||||
|
||||
Since there can be multiple rounds trips between the PAM client and SSSD
|
||||
it might be possible that the same data is send multiple times by SSSD.
|
||||
So before overriding the old data it should be freed. I've seen this
|
||||
with the domain name which is send both in the pre-auth and the auth
|
||||
responses. To be on the safe side I added free() for some other items as
|
||||
well.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/sss_client/pam_sss.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index 03613b8cd0cc3e3521f520e86d5e67371ed6ed48..8f97af77e3a0c2fa26c84962b6438fe774a75f1a 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -869,6 +869,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
|
||||
break;
|
||||
}
|
||||
D(("domain name: [%s]", &buf[p]));
|
||||
+ free(pi->domain_name);
|
||||
pi->domain_name = strdup((char *) &buf[p]);
|
||||
if (pi->domain_name == NULL) {
|
||||
D(("strdup failed"));
|
||||
@@ -937,6 +938,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
|
||||
break;
|
||||
}
|
||||
|
||||
+ free(pi->otp_vendor);
|
||||
pi->otp_vendor = strdup((char *) &buf[p]);
|
||||
if (pi->otp_vendor == NULL) {
|
||||
D(("strdup failed"));
|
||||
@@ -950,6 +952,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
|
||||
pi->otp_vendor = NULL;
|
||||
break;
|
||||
}
|
||||
+ free(pi->otp_token_id);
|
||||
pi->otp_token_id = strdup((char *) &buf[p + offset]);
|
||||
if (pi->otp_token_id == NULL) {
|
||||
D(("strdup failed"));
|
||||
@@ -963,6 +966,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
|
||||
pi->otp_token_id = NULL;
|
||||
break;
|
||||
}
|
||||
+ free(pi->otp_challenge);
|
||||
pi->otp_challenge = strdup((char *) &buf[p + offset]);
|
||||
if (pi->otp_challenge == NULL) {
|
||||
D(("strdup failed"));
|
||||
@@ -976,6 +980,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
|
||||
break;
|
||||
}
|
||||
|
||||
+ free(pi->cert_user);
|
||||
pi->cert_user = strdup((char *) &buf[p]);
|
||||
if (pi->cert_user == NULL) {
|
||||
D(("strdup failed"));
|
||||
@@ -1010,6 +1015,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
|
||||
pi->cert_user = NULL;
|
||||
break;
|
||||
}
|
||||
+ free(pi->token_name);
|
||||
pi->token_name = strdup((char *) &buf[p + offset]);
|
||||
if (pi->token_name == NULL) {
|
||||
D(("strdup failed"));
|
||||
--
|
||||
2.9.3
|
||||
|
28
0079-PAM-use-sentinel-error-code-in-PAM-tests.patch
Normal file
28
0079-PAM-use-sentinel-error-code-in-PAM-tests.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From 254f3898cc9fb9d76e12d72a2955906c49748e6d Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 24 Jan 2017 18:18:23 +0100
|
||||
Subject: [PATCH 79/95] PAM: use sentinel error code in PAM tests
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_pam_srv.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
||||
index 3b8327eb3acbb35cbd3e1a3cd4d8f7dc06b82c9f..e6ed8f509b5b69978f80c158e52bfea738909465 100644
|
||||
--- a/src/tests/cmocka/test_pam_srv.c
|
||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
||||
@@ -883,7 +883,9 @@ void test_pam_open_session(void **state)
|
||||
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_OPEN_SESSION);
|
||||
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
||||
|
||||
- pam_test_ctx->exp_pam_status = PAM_NO_MODULE_DATA;
|
||||
+ /* make sure pam_status is not touched by setting it to a value which is
|
||||
+ * not used by SSSD. */
|
||||
+ pam_test_ctx->exp_pam_status = _PAM_RETURN_VALUES;
|
||||
set_cmd_cb(test_pam_simple_check);
|
||||
ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_OPEN_SESSION,
|
||||
pam_test_ctx->pam_cmds);
|
||||
--
|
||||
2.9.3
|
||||
|
44
0080-utils-new-error-codes.patch
Normal file
44
0080-utils-new-error-codes.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From d4757440418c7b73bbecec7e40baf6dfe8cc9460 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 24 Jan 2017 18:04:11 +0100
|
||||
Subject: [PATCH 80/95] utils: new error codes
|
||||
|
||||
ERR_SC_AUTH_NOT_SUPPORTED can be used by backends to indicate that
|
||||
Smartcard authentication is not supported. ERR_NO_AUTH_METHOD_AVAILABLE
|
||||
can be used by backends that no authentication method was found.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/util/util_errors.c | 2 ++
|
||||
src/util/util_errors.h | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
|
||||
index 88ebf4e301f7194ccea920767141f838cbd8dc56..17388c997db5315c2491af1021e75aff07632488 100644
|
||||
--- a/src/util/util_errors.c
|
||||
+++ b/src/util/util_errors.c
|
||||
@@ -102,6 +102,8 @@ struct err_string error_to_str[] = {
|
||||
{ "No proxy server for secrets available"}, /* ERR_SEC_NO_PROXY */
|
||||
{ "The maximum number of stored secrets has been reached" }, /* ERR_SEC_INVALID_TOO_MANY_SECRETS */
|
||||
{ "The secret payload size is too large" }, /* ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE */
|
||||
+ { "No authentication methode available" }, /* ERR_NO_AUTH_METHOD_AVAILABLE */
|
||||
+ { "Smartcard authentication not supported" }, /* ERR_SC_AUTH_NOT_SUPPORTED */
|
||||
{ "ERR_LAST" } /* ERR_LAST */
|
||||
};
|
||||
|
||||
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
|
||||
index 525983f21cfb7aaa299ed78f672161e6d0664ad0..7aacad26084a3a2af6333988f07db865f6a4d299 100644
|
||||
--- a/src/util/util_errors.h
|
||||
+++ b/src/util/util_errors.h
|
||||
@@ -124,6 +124,8 @@ enum sssd_errors {
|
||||
ERR_SEC_NO_PROXY,
|
||||
ERR_SEC_INVALID_TOO_MANY_SECRETS,
|
||||
ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE,
|
||||
+ ERR_NO_AUTH_METHOD_AVAILABLE,
|
||||
+ ERR_SC_AUTH_NOT_SUPPORTED,
|
||||
ERR_LAST /* ALWAYS LAST */
|
||||
};
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,63 @@
|
||||
From f70d946f8cde55b6bdc09345e22849842bca4387 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 20:29:43 +0100
|
||||
Subject: [PATCH 81/95] LDAP/proxy: tell frontend that Smartcard auth is not
|
||||
supported
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/ldap/ldap_auth.c | 11 ++++++++++-
|
||||
src/providers/proxy/proxy_auth.c | 8 ++++++++
|
||||
2 files changed, 18 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
||||
index 00d38284e428eea42254820fd08ee4fb125235a6..00ddd889b6294e457c13218491547b84f1468266 100644
|
||||
--- a/src/providers/ldap/ldap_auth.c
|
||||
+++ b/src/providers/ldap/ldap_auth.c
|
||||
@@ -645,7 +645,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
|
||||
|
||||
/* The token must be a password token */
|
||||
if (sss_authtok_get_type(authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
|
||||
- tevent_req_error(req, ERR_AUTH_FAILED);
|
||||
+ if (sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_PIN
|
||||
+ || sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) {
|
||||
+ /* Tell frontend that we do not support Smartcard authentication */
|
||||
+ tevent_req_error(req, ERR_SC_AUTH_NOT_SUPPORTED);
|
||||
+ } else {
|
||||
+ tevent_req_error(req, ERR_AUTH_FAILED);
|
||||
+ }
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
|
||||
@@ -1028,6 +1034,9 @@ static void sdap_pam_auth_handler_done(struct tevent_req *subreq)
|
||||
state->pd->account_locked = true;
|
||||
state->pd->pam_status = PAM_PERM_DENIED;
|
||||
break;
|
||||
+ case ERR_SC_AUTH_NOT_SUPPORTED:
|
||||
+ state->pd->pam_status = PAM_BAD_ITEM;
|
||||
+ break;
|
||||
default:
|
||||
state->pd->pam_status = PAM_SYSTEM_ERR;
|
||||
break;
|
||||
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
|
||||
index 2b3510c38b1cb265e3042425c373f39e524a71eb..e53b38e666343f8530593d5eac21787ce7cb46e1 100644
|
||||
--- a/src/providers/proxy/proxy_auth.c
|
||||
+++ b/src/providers/proxy/proxy_auth.c
|
||||
@@ -737,6 +737,14 @@ proxy_pam_handler_send(TALLOC_CTX *mem_ctx,
|
||||
state->auth_ctx = proxy_auth_ctx;
|
||||
state->be_ctx = params->be_ctx;
|
||||
|
||||
+ /* Tell frontend that we do not support Smartcard authentication */
|
||||
+ if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN
|
||||
+ || sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) {
|
||||
+ pd->pam_status = PAM_BAD_ITEM;
|
||||
+ goto immediately;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
switch (pd->cmd) {
|
||||
case SSS_PAM_AUTHENTICATE:
|
||||
case SSS_PAM_CHAUTHTOK:
|
||||
--
|
||||
2.9.3
|
||||
|
775
0082-authtok-enhance-support-for-Smartcard-auth-blobs.patch
Normal file
775
0082-authtok-enhance-support-for-Smartcard-auth-blobs.patch
Normal file
@ -0,0 +1,775 @@
|
||||
From dd17a3aaddab6f122dff3bd15b7005464c07c0ea Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 23 Sep 2016 17:11:35 +0200
|
||||
Subject: [PATCH 82/95] authtok: enhance support for Smartcard auth blobs
|
||||
|
||||
The blobs contains beside the PIN the name of the PKCS#11 module and the
|
||||
token name where the certificate of the user was found and the key id.
|
||||
Those data will be used e.g. by the pkinit module to make sure them
|
||||
right certificate is used.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_authtok.c | 89 ++++++++++-
|
||||
src/util/authtok-utils.c | 91 ++++++++++++
|
||||
src/util/authtok-utils.h | 56 +++++++
|
||||
src/util/authtok.c | 320 ++++++++++++++++++++++++++++++++++++++--
|
||||
src/util/authtok.h | 84 +++++++++++
|
||||
5 files changed, 625 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
|
||||
index 30dcc9c8401103a275bd592fe8afd2c2f396ffb1..b2ef08a1c75625253706910e0cc80f4d5d28be5d 100644
|
||||
--- a/src/tests/cmocka/test_authtok.c
|
||||
+++ b/src/tests/cmocka/test_authtok.c
|
||||
@@ -437,6 +437,85 @@ void test_sss_authtok_2fa_blobs(void **state)
|
||||
talloc_free(fa2);
|
||||
}
|
||||
|
||||
+void test_sss_authtok_sc_blobs(void **state)
|
||||
+{
|
||||
+ int ret;
|
||||
+ struct test_state *ts;
|
||||
+ size_t needed_size;
|
||||
+ uint8_t *buf;
|
||||
+ const char *pin;
|
||||
+ size_t pin_len;
|
||||
+ const char *token_name;
|
||||
+ size_t token_name_len;
|
||||
+ const char *module_name;
|
||||
+ size_t module_name_len;
|
||||
+ const char *key_id;
|
||||
+ size_t key_id_len;
|
||||
+
|
||||
+ ts = talloc_get_type_abort(*state, struct test_state);
|
||||
+
|
||||
+ ret = sss_auth_pack_sc_blob("abc", 0, "defg", 0, "hijkl", 0, "mnopqr", 0,
|
||||
+ NULL, 0, &needed_size);
|
||||
+ assert_int_equal(ret, EAGAIN);
|
||||
+
|
||||
+ buf = talloc_size(ts, needed_size);
|
||||
+ assert_non_null(buf);
|
||||
+
|
||||
+ ret = sss_auth_pack_sc_blob("abc", 0, "defg", 0, "hijkl", 0, "mnopqr", 0,
|
||||
+ buf, needed_size, &needed_size);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
+ assert_memory_equal(buf, "\4\0\0\0\5\0\0\0\6\0\0\0\7\0\0\0abc\0defg\0hijkl\0mnopqr\0",
|
||||
+ needed_size);
|
||||
+#else
|
||||
+ assert_memory_equal(buf, "\0\0\0\4\0\0\0\5\0\0\0\6\0\0\0\7abc\0defg\0hijkl\0mnopqr\0",
|
||||
+ needed_size);
|
||||
+#endif
|
||||
+
|
||||
+ ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_SC_PIN, buf,
|
||||
+ needed_size);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ ret = sss_authtok_get_sc(ts->authtoken, &pin, &pin_len,
|
||||
+ &token_name, &token_name_len,
|
||||
+ &module_name, &module_name_len,
|
||||
+ &key_id, &key_id_len);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_int_equal(pin_len, 3);
|
||||
+ assert_string_equal(pin, "abc");
|
||||
+ assert_int_equal(token_name_len, 4);
|
||||
+ assert_string_equal(token_name, "defg");
|
||||
+ assert_int_equal(module_name_len, 5);
|
||||
+ assert_string_equal(module_name, "hijkl");
|
||||
+ assert_int_equal(key_id_len, 6);
|
||||
+ assert_string_equal(key_id, "mnopqr");
|
||||
+
|
||||
+ ret = sss_authtok_get_sc(ts->authtoken, NULL, NULL,
|
||||
+ &token_name, &token_name_len,
|
||||
+ &module_name, &module_name_len,
|
||||
+ &key_id, &key_id_len);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_int_equal(token_name_len, 4);
|
||||
+ assert_string_equal(token_name, "defg");
|
||||
+ assert_int_equal(module_name_len, 5);
|
||||
+ assert_string_equal(module_name, "hijkl");
|
||||
+ assert_int_equal(key_id_len, 6);
|
||||
+ assert_string_equal(key_id, "mnopqr");
|
||||
+
|
||||
+ ret = sss_authtok_get_sc(ts->authtoken, NULL, NULL,
|
||||
+ &token_name, NULL,
|
||||
+ &module_name, NULL,
|
||||
+ &key_id, NULL);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_string_equal(token_name, "defg");
|
||||
+ assert_string_equal(module_name, "hijkl");
|
||||
+ assert_string_equal(key_id, "mnopqr");
|
||||
+
|
||||
+ sss_authtok_set_empty(ts->authtoken);
|
||||
+ talloc_free(buf);
|
||||
+}
|
||||
+
|
||||
#define MISSING_NULL_CHECK do { \
|
||||
assert_int_equal(ret, EOK); \
|
||||
assert_int_equal(fa1_len, 3); \
|
||||
@@ -524,8 +603,8 @@ void test_sss_authtok_sc_pin(void **state)
|
||||
assert_int_equal(sss_authtok_get_type(ts->authtoken),
|
||||
SSS_AUTHTOK_TYPE_SC_PIN);
|
||||
size = sss_authtok_get_size(ts->authtoken);
|
||||
- assert_int_equal(size, 9);
|
||||
- assert_memory_equal(sss_authtok_get_data(ts->authtoken), "12345678\0",
|
||||
+ assert_int_equal(size, 28);
|
||||
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345678\0\0\0\0",
|
||||
size);
|
||||
|
||||
ret = sss_authtok_set_sc_pin(ts->authtoken, "12345678", 5);
|
||||
@@ -533,8 +612,8 @@ void test_sss_authtok_sc_pin(void **state)
|
||||
assert_int_equal(sss_authtok_get_type(ts->authtoken),
|
||||
SSS_AUTHTOK_TYPE_SC_PIN);
|
||||
size = sss_authtok_get_size(ts->authtoken);
|
||||
- assert_int_equal(size, 6);
|
||||
- assert_memory_equal(sss_authtok_get_data(ts->authtoken), "12345\0",
|
||||
+ assert_int_equal(size, 25);
|
||||
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345\0\0\0\0",
|
||||
size);
|
||||
|
||||
ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len);
|
||||
@@ -592,6 +671,8 @@ int main(int argc, const char *argv[])
|
||||
setup, teardown),
|
||||
cmocka_unit_test_setup_teardown(test_sss_authtok_sc_pin,
|
||||
setup, teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_authtok_sc_blobs,
|
||||
+ setup, teardown),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c
|
||||
index 65fba9022db11786c0c7e4dcab6fec89c9e0cb19..e7123df341ef0f1954b1202921124e9144909fc1 100644
|
||||
--- a/src/util/authtok-utils.c
|
||||
+++ b/src/util/authtok-utils.c
|
||||
@@ -72,3 +72,94 @@ errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len,
|
||||
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len,
|
||||
+ const char *token_name, size_t token_name_len,
|
||||
+ const char *module_name, size_t module_name_len,
|
||||
+ const char *key_id, size_t key_id_len,
|
||||
+ uint8_t *buf, size_t buf_len,
|
||||
+ size_t *_sc_blob_len)
|
||||
+{
|
||||
+ size_t c;
|
||||
+ uint32_t tmp_uint32_t;
|
||||
+
|
||||
+ if (pin_len > UINT32_MAX || token_name_len > UINT32_MAX
|
||||
+ || module_name_len > UINT32_MAX
|
||||
+ || (pin_len != 0 && pin == NULL)
|
||||
+ || (token_name_len != 0 && token_name == NULL)
|
||||
+ || (module_name_len != 0 && module_name == NULL)
|
||||
+ || (key_id_len != 0 && key_id == NULL)) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ /* A missing pin is ok in the case of a reader with a keyboard */
|
||||
+ if (pin == NULL) {
|
||||
+ pin = "";
|
||||
+ pin_len = 0;
|
||||
+ }
|
||||
+
|
||||
+ if (token_name == NULL) {
|
||||
+ token_name = "";
|
||||
+ token_name_len = 0;
|
||||
+ }
|
||||
+
|
||||
+ if (module_name == NULL) {
|
||||
+ module_name = "";
|
||||
+ module_name_len = 0;
|
||||
+ }
|
||||
+
|
||||
+ if (key_id == NULL) {
|
||||
+ key_id = "";
|
||||
+ key_id_len = 0;
|
||||
+ }
|
||||
+
|
||||
+ /* len should not include the trailing \0 */
|
||||
+ if (pin_len == 0 || pin[pin_len - 1] == '\0') {
|
||||
+ pin_len = strlen(pin);
|
||||
+ }
|
||||
+
|
||||
+ if (token_name_len == 0 || token_name[token_name_len - 1] == '\0') {
|
||||
+ token_name_len = strlen(token_name);
|
||||
+ }
|
||||
+
|
||||
+ if (module_name_len == 0 || module_name[module_name_len - 1] == '\0') {
|
||||
+ module_name_len = strlen(module_name);
|
||||
+ }
|
||||
+
|
||||
+ if (key_id_len == 0 || key_id[key_id_len - 1] == '\0') {
|
||||
+ key_id_len = strlen(key_id);
|
||||
+ }
|
||||
+
|
||||
+ *_sc_blob_len = pin_len + token_name_len + module_name_len + key_id_len + 4
|
||||
+ + 4 * sizeof(uint32_t);
|
||||
+ if (buf == NULL || buf_len < *_sc_blob_len) {
|
||||
+ return EAGAIN;
|
||||
+ }
|
||||
+
|
||||
+ c = 0;
|
||||
+ tmp_uint32_t = (uint32_t) pin_len + 1;
|
||||
+ SAFEALIGN_COPY_UINT32(buf, &tmp_uint32_t, &c);
|
||||
+ tmp_uint32_t = (uint32_t) token_name_len + 1;
|
||||
+ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c);
|
||||
+ tmp_uint32_t = (uint32_t) module_name_len + 1;
|
||||
+ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c);
|
||||
+ tmp_uint32_t = (uint32_t) key_id_len + 1;
|
||||
+ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c);
|
||||
+
|
||||
+ memcpy(buf + c, pin, pin_len);
|
||||
+ buf[c + pin_len] = '\0';
|
||||
+ c += pin_len + 1;
|
||||
+
|
||||
+ memcpy(buf + c, token_name, token_name_len);
|
||||
+ buf[c + token_name_len] = '\0';
|
||||
+ c += token_name_len + 1;
|
||||
+
|
||||
+ memcpy(buf + c, module_name, module_name_len);
|
||||
+ buf[c + module_name_len] = '\0';
|
||||
+ c += module_name_len + 1;
|
||||
+
|
||||
+ memcpy(buf + c, key_id, key_id_len);
|
||||
+ buf[c + key_id_len] = '\0';
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h
|
||||
index 07aef3c18395d6e967289f6e345f27e9ee868da2..c5aace39feea0b3c7e24c7ea80206e663712a11c 100644
|
||||
--- a/src/util/authtok-utils.h
|
||||
+++ b/src/util/authtok-utils.h
|
||||
@@ -25,6 +25,37 @@
|
||||
#include "sss_client/sss_cli.h"
|
||||
|
||||
/**
|
||||
+ * @brief Fill memory buffer with Smartcard authentication blob
|
||||
+ *
|
||||
+ * @param[in] pin PIN, null terminated
|
||||
+ * @param[in] pin_len Length of the PIN, if 0
|
||||
+ * strlen() will be called internally
|
||||
+ * @param[in] token_name Token name, null terminated
|
||||
+ * @param[in] token_name_len Length of the token name, if 0
|
||||
+ * strlen() will be called internally
|
||||
+ * @param[in] module_name Name of PKCS#11 module, null terminated
|
||||
+ * @param[in] module_name_len Length of the module name, if 0
|
||||
+ * strlen() will be called internally
|
||||
+ * @param[in] key_id Key ID of the certificate
|
||||
+ * @param[in] key_id_len Length of the key id of the certificate, if 0
|
||||
+ * strlen() will be called internally
|
||||
+ * @param[in] buf memory buffer of size buf_len, may be NULL
|
||||
+ * @param[in] buf_len size of memory buffer buf
|
||||
+ *
|
||||
+ * @param[out] _sc_blob len size of the Smartcard authentication blob
|
||||
+ *
|
||||
+ * @return EOK on success
|
||||
+ * EINVAL if input data is not consistent
|
||||
+ * EAGAIN if provided buffer is too small, _sc_blob_len
|
||||
+ * contains the size needed to store the SC blob
|
||||
+ */
|
||||
+errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len,
|
||||
+ const char *token_name, size_t token_name_len,
|
||||
+ const char *module_name, size_t module_name_len,
|
||||
+ const char *key_id, size_t key_id_len,
|
||||
+ uint8_t *buf, size_t buf_len,
|
||||
+ size_t *_sc_blob_len);
|
||||
+/**
|
||||
* @brief Fill memory buffer with 2FA blob
|
||||
*
|
||||
* @param[in] fa1 First authentication factor, null terminated
|
||||
@@ -67,4 +98,29 @@ errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx,
|
||||
const uint8_t *blob, size_t blob_len,
|
||||
char **fa1, size_t *_fa1_len,
|
||||
char **fa2, size_t *_fa2_len);
|
||||
+
|
||||
+/**
|
||||
+ * @brief Extract SC data from memory buffer
|
||||
+ *
|
||||
+ * @param[in] mem_ctx Talloc memory context to allocate the 2FA
|
||||
+ * data on
|
||||
+ * @param[in] blob Memory buffer containing the 2FA data
|
||||
+ * @param[in] blob_len Size of the memory buffer
|
||||
+ * @param[out] _pin PIN, null terminated
|
||||
+ * @param[out] _pin_len Length of the PIN
|
||||
+ * @param[out] _token_name Token name, null terminated
|
||||
+ * @param[out] _token_name_len Length of the token name
|
||||
+ * @param[out] _module_name Name of PKCS#11 module, null terminated
|
||||
+ * @param[out] _module_name_len Length of the module name
|
||||
+ *
|
||||
+ * @return EOK on success
|
||||
+ * EINVAL if input data is not consistent
|
||||
+ * EINVAL if no memory can be allocated
|
||||
+ */
|
||||
+errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx,
|
||||
+ const uint8_t *blob, size_t blob_len,
|
||||
+ char **pin, size_t *_pin_len,
|
||||
+ char **token_name, size_t *_token_name_len,
|
||||
+ char **module_name, size_t *_module_name_len,
|
||||
+ char **key_id, size_t *_key_id_len);
|
||||
#endif /* __AUTHTOK_UTILS_H__ */
|
||||
diff --git a/src/util/authtok.c b/src/util/authtok.c
|
||||
index 6062cd875ce2c6b541ef237e7f7bdddac80366c5..c2f78be329230a255ce04ce68a01084f7f584c7c 100644
|
||||
--- a/src/util/authtok.c
|
||||
+++ b/src/util/authtok.c
|
||||
@@ -196,10 +196,9 @@ errno_t sss_authtok_set(struct sss_auth_token *tok,
|
||||
case SSS_AUTHTOK_TYPE_2FA:
|
||||
return sss_authtok_set_2fa_from_blob(tok, data, len);
|
||||
case SSS_AUTHTOK_TYPE_SC_PIN:
|
||||
- return sss_authtok_set_sc_pin(tok, (const char*)data, len);
|
||||
+ return sss_authtok_set_sc_from_blob(tok, data, len);
|
||||
case SSS_AUTHTOK_TYPE_SC_KEYPAD:
|
||||
- sss_authtok_set_sc_keypad(tok);
|
||||
- return EOK;
|
||||
+ return sss_authtok_set_sc_from_blob(tok, data, len);
|
||||
case SSS_AUTHTOK_TYPE_EMPTY:
|
||||
sss_authtok_set_empty(tok);
|
||||
return EOK;
|
||||
@@ -425,6 +424,104 @@ errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+errno_t sss_authtok_set_sc(struct sss_auth_token *tok,
|
||||
+ enum sss_authtok_type type,
|
||||
+ const char *pin, size_t pin_len,
|
||||
+ const char *token_name, size_t token_name_len,
|
||||
+ const char *module_name, size_t module_name_len,
|
||||
+ const char *key_id, size_t key_id_len)
|
||||
+{
|
||||
+ int ret;
|
||||
+ size_t needed_size;
|
||||
+
|
||||
+ if (type != SSS_AUTHTOK_TYPE_SC_PIN
|
||||
+ && type != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid type [%d].\n", type);
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ sss_authtok_set_empty(tok);
|
||||
+
|
||||
+ ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len,
|
||||
+ module_name, module_name_len,
|
||||
+ key_id, key_id_len, NULL, 0,
|
||||
+ &needed_size);
|
||||
+ if (ret != EAGAIN) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ tok->data = talloc_size(tok, needed_size);
|
||||
+ if (tok->data == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len,
|
||||
+ module_name, module_name_len,
|
||||
+ key_id, key_id_len, tok->data,
|
||||
+ needed_size, &needed_size);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n");
|
||||
+ talloc_free(tok->data);
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ tok->length = needed_size;
|
||||
+ tok->type = type;
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok,
|
||||
+ const uint8_t *data,
|
||||
+ size_t len)
|
||||
+{
|
||||
+ int ret;
|
||||
+ char *pin = NULL;
|
||||
+ size_t pin_len;
|
||||
+ char *token_name = NULL;
|
||||
+ size_t token_name_len;
|
||||
+ char *module_name = NULL;
|
||||
+ size_t module_name_len;
|
||||
+ char *key_id = NULL;
|
||||
+ size_t key_id_len;
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+
|
||||
+ if (tok == NULL) {
|
||||
+ return EFAULT;
|
||||
+ }
|
||||
+ if (data == NULL || len == 0) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_auth_unpack_sc_blob(tmp_ctx, data, len, &pin, &pin_len,
|
||||
+ &token_name, &token_name_len,
|
||||
+ &module_name, &module_name_len,
|
||||
+ &key_id, &key_id_len);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_sc_blob failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, pin_len,
|
||||
+ token_name, token_name_len,
|
||||
+ module_name, module_name_len,
|
||||
+ key_id, key_id_len);
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin,
|
||||
size_t len)
|
||||
{
|
||||
@@ -435,15 +532,17 @@ errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin,
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
- sss_authtok_set_empty(tok);
|
||||
-
|
||||
- return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_SC_PIN,
|
||||
- "sc_pin", pin, len);
|
||||
+ return sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, len,
|
||||
+ NULL, 0, NULL, 0, NULL, 0);
|
||||
}
|
||||
|
||||
-errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
|
||||
+errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **_pin,
|
||||
size_t *len)
|
||||
{
|
||||
+ int ret;
|
||||
+ const char *pin = NULL;
|
||||
+ size_t pin_len;
|
||||
+
|
||||
if (!tok) {
|
||||
return EFAULT;
|
||||
}
|
||||
@@ -451,9 +550,16 @@ errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
|
||||
case SSS_AUTHTOK_TYPE_EMPTY:
|
||||
return ENOENT;
|
||||
case SSS_AUTHTOK_TYPE_SC_PIN:
|
||||
- *pin = (const char *)tok->data;
|
||||
+ ret = sss_authtok_get_sc(tok, &pin, &pin_len,
|
||||
+ NULL, NULL, NULL, NULL, NULL, NULL);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ *_pin = pin;
|
||||
if (len) {
|
||||
- *len = tok->length - 1;
|
||||
+ *len = pin_len;
|
||||
}
|
||||
return EOK;
|
||||
case SSS_AUTHTOK_TYPE_PASSWORD:
|
||||
@@ -468,10 +574,202 @@ errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
|
||||
|
||||
void sss_authtok_set_sc_keypad(struct sss_auth_token *tok)
|
||||
{
|
||||
- if (!tok) {
|
||||
+ if (tok == NULL) {
|
||||
return;
|
||||
}
|
||||
+
|
||||
sss_authtok_set_empty(tok);
|
||||
|
||||
tok->type = SSS_AUTHTOK_TYPE_SC_KEYPAD;
|
||||
}
|
||||
+
|
||||
+errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx,
|
||||
+ const uint8_t *blob, size_t blob_len,
|
||||
+ char **pin, size_t *_pin_len,
|
||||
+ char **token_name, size_t *_token_name_len,
|
||||
+ char **module_name, size_t *_module_name_len,
|
||||
+ char **key_id, size_t *_key_id_len)
|
||||
+{
|
||||
+ size_t c;
|
||||
+ uint32_t pin_len;
|
||||
+ uint32_t token_name_len;
|
||||
+ uint32_t module_name_len;
|
||||
+ uint32_t key_id_len;
|
||||
+
|
||||
+ c = 0;
|
||||
+
|
||||
+ if (blob == NULL || blob_len == 0) {
|
||||
+ pin_len = 0;
|
||||
+ token_name_len = 0;
|
||||
+ module_name_len = 0;
|
||||
+ key_id_len = 0;
|
||||
+ } else if (blob_len > 0
|
||||
+ && strnlen((const char *) blob, blob_len) == blob_len - 1) {
|
||||
+ pin_len = blob_len;
|
||||
+ token_name_len = 0;
|
||||
+ module_name_len = 0;
|
||||
+ key_id_len = 0;
|
||||
+ } else {
|
||||
+ if (blob_len < 4 * sizeof(uint32_t)) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ SAFEALIGN_COPY_UINT32(&pin_len, blob, &c);
|
||||
+ SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c);
|
||||
+ SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c);
|
||||
+ SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c);
|
||||
+
|
||||
+ if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len
|
||||
+ + module_name_len + key_id_len) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (pin_len != 0) {
|
||||
+ *pin = talloc_strndup(mem_ctx, (const char *) blob + c, pin_len);
|
||||
+ if (*pin == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ } else {
|
||||
+ *pin = NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (token_name_len != 0) {
|
||||
+ *token_name = talloc_strndup(mem_ctx, (const char *) blob + c + pin_len,
|
||||
+ token_name_len);
|
||||
+ if (*token_name == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
+ talloc_free(*pin);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ } else {
|
||||
+ *token_name = NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (module_name_len != 0) {
|
||||
+ *module_name = talloc_strndup(mem_ctx,
|
||||
+ (const char *) blob + c + pin_len
|
||||
+ + token_name_len,
|
||||
+ module_name_len);
|
||||
+ if (*module_name == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
+ talloc_free(*pin);
|
||||
+ talloc_free(*token_name);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ } else {
|
||||
+ *module_name = NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (key_id_len != 0) {
|
||||
+ *key_id = talloc_strndup(mem_ctx,
|
||||
+ (const char *) blob + c + pin_len
|
||||
+ + token_name_len
|
||||
+ + module_name_len,
|
||||
+ key_id_len);
|
||||
+ if (*key_id == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
+ talloc_free(*pin);
|
||||
+ talloc_free(*token_name);
|
||||
+ talloc_free(*module_name);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ } else {
|
||||
+ *key_id = NULL;
|
||||
+ }
|
||||
+
|
||||
+ /* Re-calculate length for the case where \0 was missing in the blob */
|
||||
+ if (_pin_len != NULL) {
|
||||
+ *_pin_len = (*pin == NULL) ? 0 : strlen(*pin);
|
||||
+ }
|
||||
+ if (_token_name_len != NULL) {
|
||||
+ *_token_name_len = (*token_name == NULL) ? 0 : strlen(*token_name);
|
||||
+ }
|
||||
+ if (_module_name_len != NULL) {
|
||||
+ *_module_name_len = (*module_name == NULL) ? 0 : strlen(*module_name);
|
||||
+ }
|
||||
+
|
||||
+ if (_key_id_len != NULL) {
|
||||
+ *_key_id_len = (*key_id == NULL) ? 0 : strlen(*key_id);
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+errno_t sss_authtok_get_sc(struct sss_auth_token *tok,
|
||||
+ const char **_pin, size_t *_pin_len,
|
||||
+ const char **_token_name, size_t *_token_name_len,
|
||||
+ const char **_module_name, size_t *_module_name_len,
|
||||
+ const char **_key_id, size_t *_key_id_len)
|
||||
+{
|
||||
+ size_t c = 0;
|
||||
+ size_t pin_len;
|
||||
+ size_t token_name_len;
|
||||
+ size_t module_name_len;
|
||||
+ size_t key_id_len;
|
||||
+ uint32_t tmp_uint32_t;
|
||||
+
|
||||
+ if (!tok) {
|
||||
+ return EFAULT;
|
||||
+ }
|
||||
+
|
||||
+ if (tok->type != SSS_AUTHTOK_TYPE_SC_PIN
|
||||
+ && tok->type != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
|
||||
+ return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? ENOENT : EACCES;
|
||||
+ }
|
||||
+
|
||||
+ if (tok->length < 4 * sizeof(uint32_t)) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data, &c);
|
||||
+ pin_len = tmp_uint32_t - 1;
|
||||
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
|
||||
+ token_name_len = tmp_uint32_t - 1;
|
||||
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
|
||||
+ module_name_len = tmp_uint32_t -1;
|
||||
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
|
||||
+ key_id_len = tmp_uint32_t -1;
|
||||
+
|
||||
+ if (tok->length != 4 * sizeof(uint32_t) + 4 + pin_len + token_name_len
|
||||
+ + module_name_len + key_id_len) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ if (_pin != NULL) {
|
||||
+ *_pin = (const char *) tok->data + c;
|
||||
+ }
|
||||
+ if (_pin_len != NULL) {
|
||||
+ *_pin_len = pin_len;
|
||||
+ }
|
||||
+
|
||||
+ if (_token_name != NULL) {
|
||||
+ *_token_name = (const char *) tok->data + c + pin_len + 1;
|
||||
+ }
|
||||
+ if (_token_name_len != NULL) {
|
||||
+ *_token_name_len = token_name_len;
|
||||
+ }
|
||||
+
|
||||
+ if (_module_name != NULL) {
|
||||
+ *_module_name = (const char *) tok->data + c + pin_len + 1
|
||||
+ + token_name_len + 1;
|
||||
+ }
|
||||
+ if (_module_name_len != NULL) {
|
||||
+ *_module_name_len = module_name_len;
|
||||
+ }
|
||||
+
|
||||
+ if (_key_id != NULL) {
|
||||
+ *_key_id = (const char *) tok->data + c + pin_len + 1
|
||||
+ + token_name_len + 1 + module_name_len + 1;
|
||||
+ }
|
||||
+ if (_key_id_len != NULL) {
|
||||
+ *_key_id_len = key_id_len;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
diff --git a/src/util/authtok.h b/src/util/authtok.h
|
||||
index f1a01a42306a720fc39e701078550a071835e980..c146ba2066f2aca032e04d6a33459c47c963370f 100644
|
||||
--- a/src/util/authtok.h
|
||||
+++ b/src/util/authtok.h
|
||||
@@ -264,4 +264,88 @@ errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
|
||||
*/
|
||||
void sss_authtok_set_sc_keypad(struct sss_auth_token *tok);
|
||||
|
||||
+/**
|
||||
+ * @brief Set complete Smart Card authentication blob including PKCS#11 token
|
||||
+ * name, module name and key id.
|
||||
+ *
|
||||
+ * @param tok A pointer to an sss_auth_token
|
||||
+ * @param type Authentication token type, may be
|
||||
+ * SSS_AUTHTOK_TYPE_SC_PIN or SSS_AUTHTOK_TYPE_SC_KEYPAD
|
||||
+ * @param pin A pointer to a const char *, that will point to a null
|
||||
+ * terminated string containing the pin
|
||||
+ * @param pin_len The length of the pin string, if set to 0 it will be
|
||||
+ * calculated
|
||||
+ * @param token_name A pointer to a const char *, that will point to a null
|
||||
+ * terminated string containing the PKCS#11 token name
|
||||
+ * @param token_name_len The length of the token name string, if set to 0 it
|
||||
+ * will be calculated
|
||||
+ * @param module_name A pointer to a const char *, that will point to a null
|
||||
+ * terminated string containing the PKCS#11 module name
|
||||
+ * @param module_name_len The length of the module name string, if set to 0 it
|
||||
+ * will be calculated
|
||||
+ * @param key_id A pointer to a const char *, that will point to a null
|
||||
+ * terminated string containing the PKCS#11 key id
|
||||
+ * @param key_id_len The length of the key id string, if set to 0 it will be
|
||||
+ * calculated
|
||||
+ *
|
||||
+ * @return EOK on success
|
||||
+ * EINVAL unexpected or inval input
|
||||
+ * ENOMEM memory allocation error
|
||||
+ */
|
||||
+errno_t sss_authtok_set_sc(struct sss_auth_token *tok,
|
||||
+ enum sss_authtok_type type,
|
||||
+ const char *pin, size_t pin_len,
|
||||
+ const char *token_name, size_t token_name_len,
|
||||
+ const char *module_name, size_t module_name_len,
|
||||
+ const char *key_id, size_t key_id_len);
|
||||
+/**
|
||||
+ * @brief Set a Smart Card authentication data, replacing any previous data
|
||||
+ *
|
||||
+ * @param tok A pointer to a sss_auth_token structure to change, also
|
||||
+ * used as a memory context to allocate the internal data.
|
||||
+ * @param data Smart Card authentication data blob
|
||||
+ * @param len The length of the blob
|
||||
+ *
|
||||
+ * @return EOK on success
|
||||
+ * ENOMEM on error
|
||||
+ */
|
||||
+errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok,
|
||||
+ const uint8_t *data,
|
||||
+ size_t len);
|
||||
+
|
||||
+/**
|
||||
+ * @brief Get complete Smart Card authtoken data
|
||||
+ *
|
||||
+ * @param tok A pointer to a sss_auth_token structure
|
||||
+ * @param[out] _pin A pointer to a const char *, that will point to
|
||||
+ * a null terminated string holding the pin,
|
||||
+ * may not be modified or freed
|
||||
+ * @param[out] _pin__len Length of the pin
|
||||
+ * @param[out] _token_name A pointer to a const char *, that will point to
|
||||
+ * a null terminated string holding the PKCS#11
|
||||
+ * token name, may not be modified or freed
|
||||
+ * @param[out] _token_name_len Length of the PKCS#11 token name
|
||||
+ * @param[out] _module_name A pointer to a const char *, that will point to
|
||||
+ * a null terminated string holding the PKCS#11
|
||||
+ * module name, may not be modified or freed
|
||||
+ * @param[out] _module_name_len Length of the PKCS#11 module name
|
||||
+ * @param[out] _key_id A pointer to a const char *, that will point to
|
||||
+ * a null terminated string holding the PKCS#11
|
||||
+ * key id, may not be modified or freed
|
||||
+ * @param[out] _key_id_len Length of the PKCS#11 key id
|
||||
+ *
|
||||
+ * Any of the output pointers may be NULL if the caller does not need the
|
||||
+ * specific item.
|
||||
+ *
|
||||
+ * @return EOK on success
|
||||
+ * EFAULT missing token
|
||||
+ * EINVAL if input data is not consistent
|
||||
+ * ENOENT if the token is empty
|
||||
+ * EACCESS if the token is not a Smart Card token
|
||||
+ */
|
||||
+errno_t sss_authtok_get_sc(struct sss_auth_token *tok,
|
||||
+ const char **_pin, size_t *_pin_len,
|
||||
+ const char **_token_name, size_t *_token_name_len,
|
||||
+ const char **_module_name, size_t *_module_name_len,
|
||||
+ const char **_key_id, size_t *_key_id_len);
|
||||
#endif /* __AUTHTOK_H__ */
|
||||
--
|
||||
2.9.3
|
||||
|
265
0083-PAM-forward-Smartcard-credentials-to-backends.patch
Normal file
265
0083-PAM-forward-Smartcard-credentials-to-backends.patch
Normal file
@ -0,0 +1,265 @@
|
||||
From 82c5971fafe6063a90289ebba08035fc49ae8590 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 8 Oct 2015 16:42:39 +0200
|
||||
Subject: [PATCH 83/95] PAM: forward Smartcard credentials to backends
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/pam/pamsrv.h | 3 ++
|
||||
src/responder/pam/pamsrv_cmd.c | 102 +++++++++++++++++++++++++++++++---------
|
||||
src/tests/cmocka/test_pam_srv.c | 16 ++++++-
|
||||
3 files changed, 97 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index e3568123ac6e35d05d63b7b481dbcfbeddbd458c..389888eca389f793079ad169f7713151c896e90c 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -71,6 +71,9 @@ struct pam_auth_req {
|
||||
struct ldb_message *user_obj;
|
||||
struct ldb_message *cert_user_obj;
|
||||
char *token_name;
|
||||
+ char *module_name;
|
||||
+ char *key_id;
|
||||
+ bool cert_auth_local;
|
||||
};
|
||||
|
||||
struct sss_cmd_table *get_pam_cmds(void);
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index e74dd1684ca0a853f4ff1f9f98bb0f9e8d3d219f..529c74f703b3169676dc13b145b39243903ebb50 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -53,6 +53,14 @@ pam_get_last_online_auth_with_curr_token(struct sss_domain_info *domain,
|
||||
|
||||
static void pam_reply(struct pam_auth_req *preq);
|
||||
|
||||
+static errno_t check_cert(TALLOC_CTX *mctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct pam_ctx *pctx,
|
||||
+ struct pam_auth_req *preq,
|
||||
+ struct pam_data *pd);
|
||||
+
|
||||
+static int pam_check_user_done(struct pam_auth_req *preq, int ret);
|
||||
+
|
||||
static errno_t pack_user_info_msg(TALLOC_CTX *mem_ctx,
|
||||
const char *user_error_message,
|
||||
size_t *resp_len,
|
||||
@@ -718,6 +726,28 @@ static void pam_reply(struct pam_auth_req *preq)
|
||||
DEBUG(SSSDBG_FUNC_DATA,
|
||||
"pam_reply called with result [%d]: %s.\n",
|
||||
pd->pam_status, pam_strerror(NULL, pd->pam_status));
|
||||
+
|
||||
+ if (pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
+ && (pd->pam_status == PAM_AUTHINFO_UNAVAIL
|
||||
+ || pd->pam_status == PAM_NO_MODULE_DATA
|
||||
+ || pd->pam_status == PAM_BAD_ITEM)
|
||||
+ && may_do_cert_auth(pctx, pd)) {
|
||||
+ /* We have Smartcard credentials and the backend indicates that it is
|
||||
+ * offline (PAM_AUTHINFO_UNAVAIL) or cannot handle the credentials
|
||||
+ * (PAM_BAD_ITEM), so let's try authentication against the Smartcard
|
||||
+ * PAM_NO_MODULE_DATA is returned by the krb5 backend if no
|
||||
+ * authentication method was found at all, this might happen if the
|
||||
+ * user has a Smartcard assigned but the pkint plugin is not available
|
||||
+ * on the client. */
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "Backend cannot handle Smartcard authentication, "
|
||||
+ "trying local Smartcard authentication.\n");
|
||||
+ preq->cert_auth_local = true;
|
||||
+ ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
|
||||
+ pam_check_user_done(preq, ret);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (pd->pam_status == PAM_AUTHINFO_UNAVAIL || preq->use_cached_auth) {
|
||||
|
||||
switch(pd->cmd) {
|
||||
@@ -1019,7 +1049,6 @@ static void pam_forwarder_cert_cb(struct tevent_req *req);
|
||||
static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
|
||||
const char *err_msg, void *ptr);
|
||||
static int pam_check_user_search(struct pam_auth_req *preq);
|
||||
-static int pam_check_user_done(struct pam_auth_req *preq, int ret);
|
||||
|
||||
static errno_t pam_cmd_assume_upn(struct pam_auth_req *preq)
|
||||
{
|
||||
@@ -1234,6 +1263,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
|
||||
}
|
||||
talloc_set_destructor(preq, pam_auth_req_destructor);
|
||||
preq->cctx = cctx;
|
||||
+ preq->cert_auth_local = false;
|
||||
|
||||
preq->pd = create_pam_data(preq);
|
||||
if (!preq->pd) {
|
||||
@@ -1330,8 +1360,9 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
- if (may_do_cert_auth(pctx, pd)) {
|
||||
+ /* try backend first for authentication before doing local Smartcard
|
||||
+ * authentication */
|
||||
+ if (pd->cmd != SSS_PAM_AUTHENTICATE && may_do_cert_auth(pctx, pd)) {
|
||||
ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
|
||||
/* Finish here */
|
||||
goto done;
|
||||
@@ -1439,6 +1470,12 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
preq->cert_user_obj = talloc_steal(preq, result->msgs[0]);
|
||||
|
||||
if (preq->pd->logon_name == NULL) {
|
||||
+ if (preq->pd->cmd != SSS_PAM_PREAUTH) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Missing logon name only allowed during pre-auth.\n");
|
||||
+ ret = ENOENT;
|
||||
+ goto done;
|
||||
+ }
|
||||
cert_user = ldb_msg_find_attr_as_string(preq->cert_user_obj,
|
||||
SYSDB_NAME, NULL);
|
||||
if (cert_user == NULL) {
|
||||
@@ -1451,20 +1488,17 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
DEBUG(SSSDBG_FUNC_DATA, "Found certificate user [%s].\n",
|
||||
cert_user);
|
||||
|
||||
- ret = add_pam_cert_response(preq->pd, cert_user, preq->token_name);
|
||||
+ ret = sss_parse_name_for_domains(preq->pd,
|
||||
+ preq->cctx->rctx->domains,
|
||||
+ preq->cctx->rctx->default_domain,
|
||||
+ cert_user,
|
||||
+ &preq->pd->domain,
|
||||
+ &preq->pd->user);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
|
||||
- }
|
||||
-
|
||||
- preq->pd->domain = talloc_strdup(preq->pd, result->domain->name);
|
||||
- if (preq->pd->domain == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
- ret = ENOMEM;
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sss_parse_name_for_domains failed.\n");
|
||||
goto done;
|
||||
}
|
||||
- preq->pd->pam_status = PAM_SUCCESS;
|
||||
- pam_reply(preq);
|
||||
- return;
|
||||
}
|
||||
} else {
|
||||
if (preq->pd->logon_name == NULL) {
|
||||
@@ -1475,7 +1509,12 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
}
|
||||
}
|
||||
|
||||
- ret = pam_check_user_search(preq);
|
||||
+ if (preq->user_obj == NULL) {
|
||||
+ ret = pam_check_user_search(preq);
|
||||
+ } else {
|
||||
+ ret = EOK;
|
||||
+ }
|
||||
+
|
||||
if (ret == EOK) {
|
||||
pam_dom_forwarder(preq);
|
||||
}
|
||||
@@ -1531,7 +1570,9 @@ static void pam_forwarder_cb(struct tevent_req *req)
|
||||
}
|
||||
}
|
||||
|
||||
- if (may_do_cert_auth(pctx, pd)) {
|
||||
+ /* try backend first for authentication before doing local Smartcard
|
||||
+ * authentication */
|
||||
+ if (pd->cmd != SSS_PAM_AUTHENTICATE && may_do_cert_auth(pctx, pd)) {
|
||||
ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
|
||||
/* Finish here */
|
||||
goto done;
|
||||
@@ -1985,7 +2026,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
||||
NULL);
|
||||
if (cert_user == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Certificate user object has not name.\n");
|
||||
+ "Certificate user object has no name.\n");
|
||||
preq->pd->pam_status = PAM_USER_UNKNOWN;
|
||||
pam_reply(preq);
|
||||
return;
|
||||
@@ -1994,11 +2035,21 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
||||
/* pam_check_user_search() calls pd_set_primary_name() is the search
|
||||
* was successful, so pd->user contains the canonical sysdb name
|
||||
* as well */
|
||||
- if (strcmp(cert_user, preq->pd->user) == 0) {
|
||||
-
|
||||
- preq->pd->pam_status = PAM_SUCCESS;
|
||||
+ if (ldb_dn_compare(preq->cert_user_obj->dn, preq->user_obj->dn) == 0) {
|
||||
|
||||
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
+ ret = sss_authtok_set_sc(preq->pd->authtok,
|
||||
+ SSS_AUTHTOK_TYPE_SC_PIN, NULL, 0,
|
||||
+ preq->token_name, 0,
|
||||
+ preq->module_name, 0,
|
||||
+ preq->key_id, 0);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_set_sc failed, "
|
||||
+ "Smartcard authentication "
|
||||
+ "detection might fail in the "
|
||||
+ "backend.\n");
|
||||
+ }
|
||||
+
|
||||
ret = add_pam_cert_response(preq->pd, cert_user,
|
||||
preq->token_name);
|
||||
if (ret != EOK) {
|
||||
@@ -2007,9 +2058,14 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
||||
}
|
||||
}
|
||||
|
||||
- preq->callback = pam_reply;
|
||||
- pam_reply(preq);
|
||||
- return;
|
||||
+ /* We are done if we do not have to call the backend */
|
||||
+ if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
+ && preq->cert_auth_local) {
|
||||
+ preq->pd->pam_status = PAM_SUCCESS;
|
||||
+ preq->callback = pam_reply;
|
||||
+ pam_reply(preq);
|
||||
+ return;
|
||||
+ }
|
||||
} else {
|
||||
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
DEBUG(SSSDBG_TRACE_FUNC,
|
||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
||||
index e6ed8f509b5b69978f80c158e52bfea738909465..6b91f49c6608043df68c65f9a3338a76ac66bbcc 100644
|
||||
--- a/src/tests/cmocka/test_pam_srv.c
|
||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
||||
@@ -285,6 +285,9 @@ static void pam_test_setup_common(void)
|
||||
pam_test_ctx->tctx->dom->name);
|
||||
assert_non_null(pam_test_ctx->wrong_user_fqdn);
|
||||
|
||||
+ /* integer values cannot be set by pam_params */
|
||||
+ pam_test_ctx->pctx->id_timeout = 5;
|
||||
+
|
||||
/* Prime the cache with a valid user */
|
||||
ret = sysdb_add_user(pam_test_ctx->tctx->dom,
|
||||
pam_test_ctx->pam_user_fqdn,
|
||||
@@ -783,6 +786,13 @@ static int test_pam_wrong_pw_offline_auth_check(uint32_t status,
|
||||
return test_pam_simple_check(status, body, blen);
|
||||
}
|
||||
|
||||
+static int test_pam_simple_check_success(uint32_t status,
|
||||
+ uint8_t *body, size_t blen)
|
||||
+{
|
||||
+ pam_test_ctx->exp_pam_status = PAM_SUCCESS;
|
||||
+ return test_pam_simple_check(status, body, blen);
|
||||
+}
|
||||
+
|
||||
static int test_pam_creds_insufficient_check(uint32_t status,
|
||||
uint8_t *body, size_t blen)
|
||||
{
|
||||
@@ -1752,7 +1762,11 @@ void test_pam_cert_auth(void **state)
|
||||
mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
|
||||
discard_const(TEST_TOKEN_CERT));
|
||||
|
||||
- set_cmd_cb(test_pam_simple_check);
|
||||
+ /* Assume backend cannot handle Smartcard credentials */
|
||||
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
|
||||
+
|
||||
+
|
||||
+ set_cmd_cb(test_pam_simple_check_success);
|
||||
ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
|
||||
pam_test_ctx->pam_cmds);
|
||||
assert_int_equal(ret, EOK);
|
||||
--
|
||||
2.9.3
|
||||
|
550
0084-p11-return-name-of-PKCS-11-module-and-key-id-to-pam_.patch
Normal file
550
0084-p11-return-name-of-PKCS-11-module-and-key-id-to-pam_.patch
Normal file
@ -0,0 +1,550 @@
|
||||
From ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 22 Feb 2017 17:58:15 +0100
|
||||
Subject: [PATCH 84/95] p11: return name of PKCS#11 module and key id to
|
||||
pam_sss
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/p11_child/p11_child_nss.c | 55 ++++++++++++++++++++++++--
|
||||
src/responder/pam/pamsrv.h | 6 ++-
|
||||
src/responder/pam/pamsrv_cmd.c | 8 +++-
|
||||
src/responder/pam/pamsrv_p11.c | 86 ++++++++++++++++++++++++++++++++++++++---
|
||||
src/sss_client/pam_message.h | 2 +
|
||||
src/sss_client/pam_sss.c | 49 ++++++++++++++++++++++-
|
||||
src/tests/cmocka/test_pam_srv.c | 33 +++++++++++++++-
|
||||
7 files changed, 221 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
|
||||
index 84772692eadfb28d85298f924013761ae3ca7e82..f165b58e63d2b8a6f26acf8bd89e7b41713e7359 100644
|
||||
--- a/src/p11_child/p11_child_nss.c
|
||||
+++ b/src/p11_child/p11_child_nss.c
|
||||
@@ -72,13 +72,15 @@ static char *password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg)
|
||||
int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
|
||||
enum op_mode mode, const char *pin,
|
||||
struct cert_verify_opts *cert_verify_opts,
|
||||
- char **cert, char **token_name_out)
|
||||
+ char **cert, char **token_name_out, char **module_name_out,
|
||||
+ char **key_id_out)
|
||||
{
|
||||
int ret;
|
||||
SECStatus rv;
|
||||
NSSInitContext *nss_ctx;
|
||||
SECMODModuleList *mod_list;
|
||||
SECMODModuleList *mod_list_item;
|
||||
+ SECMODModule *module;
|
||||
const char *slot_name;
|
||||
const char *token_name;
|
||||
uint32_t flags = NSS_INIT_READONLY
|
||||
@@ -91,6 +93,7 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
|
||||
PK11SlotInfo *slot = NULL;
|
||||
CK_SLOT_ID slot_id;
|
||||
SECMODModuleID module_id;
|
||||
+ const char *module_name;
|
||||
CERTCertList *cert_list = NULL;
|
||||
CERTCertListNode *cert_list_node;
|
||||
const PK11DefaultArrayEntry friendly_attr = { "Publicly-readable certs",
|
||||
@@ -105,6 +108,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
|
||||
CERTCertificate *found_cert = NULL;
|
||||
PK11SlotList *list = NULL;
|
||||
PK11SlotListElement *le;
|
||||
+ SECItem *key_id = NULL;
|
||||
+ char *key_id_str = NULL;
|
||||
|
||||
|
||||
nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, flags);
|
||||
@@ -187,8 +192,11 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
|
||||
module_id = PK11_GetModuleID(slot);
|
||||
slot_name = PK11_GetSlotName(slot);
|
||||
token_name = PK11_GetTokenName(slot);
|
||||
- DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d].\n",
|
||||
- token_name, slot_name, (int) slot_id, (int) module_id);
|
||||
+ module = PK11_GetModule(slot);
|
||||
+ module_name = module->dllName == NULL ? "NSS-Internal" : module->dllName;
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d][%s].\n",
|
||||
+ token_name, slot_name, (int) slot_id, (int) module_id, module_name);
|
||||
|
||||
if (PK11_IsFriendly(slot)) {
|
||||
DEBUG(SSSDBG_TRACE_ALL, "Token is friendly.\n");
|
||||
@@ -346,6 +354,7 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
|
||||
DEBUG(SSSDBG_TRACE_ALL, "No certificate found.\n");
|
||||
*cert = NULL;
|
||||
*token_name_out = NULL;
|
||||
+ *module_name_out = NULL;
|
||||
ret = EOK;
|
||||
goto done;
|
||||
}
|
||||
@@ -412,6 +421,30 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
|
||||
"Certificate verified and validated.\n");
|
||||
}
|
||||
|
||||
+ key_id = PK11_GetLowLevelKeyIDForCert(slot, found_cert, NULL);
|
||||
+ if (key_id == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetLowLevelKeyIDForCert failed [%d].\n",
|
||||
+ PR_GetError());
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ key_id_str = CERT_Hexify(key_id, PR_FALSE);
|
||||
+ if (key_id_str == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d].\n", PR_GetError());
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Found certificate has key id [%s].\n", key_id_str);
|
||||
+
|
||||
+ *key_id_out = talloc_strdup(mem_ctx, key_id_str);
|
||||
+ if (*key_id_out == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy key id.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
*cert = sss_base64_encode(mem_ctx, found_cert->derCert.data,
|
||||
found_cert->derCert.len);
|
||||
if (*cert == NULL) {
|
||||
@@ -427,6 +460,13 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ *module_name_out = talloc_strdup(mem_ctx, module_name);
|
||||
+ if (*module_name_out == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy module_name_out name.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
ret = EOK;
|
||||
|
||||
done:
|
||||
@@ -438,6 +478,9 @@ done:
|
||||
CERT_DestroyCertList(cert_list);
|
||||
}
|
||||
|
||||
+ SECITEM_FreeItem(key_id, PR_TRUE);
|
||||
+ PORT_Free(key_id_str);
|
||||
+
|
||||
PORT_Free(signed_random_value.data);
|
||||
|
||||
rv = NSS_ShutdownContext(nss_ctx);
|
||||
@@ -502,6 +545,8 @@ int main(int argc, const char *argv[])
|
||||
char *pin = NULL;
|
||||
char *slot_name_in = NULL;
|
||||
char *token_name_out = NULL;
|
||||
+ char *module_name_out = NULL;
|
||||
+ char *key_id_out = NULL;
|
||||
char *nss_db = NULL;
|
||||
struct cert_verify_opts *cert_verify_opts;
|
||||
char *verify_opts = NULL;
|
||||
@@ -665,7 +710,7 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
|
||||
ret = do_work(main_ctx, nss_db, slot_name_in, mode, pin, cert_verify_opts,
|
||||
- &cert, &token_name_out);
|
||||
+ &cert, &token_name_out, &module_name_out, &key_id_out);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
|
||||
goto fail;
|
||||
@@ -673,6 +718,8 @@ int main(int argc, const char *argv[])
|
||||
|
||||
if (cert != NULL) {
|
||||
fprintf(stdout, "%s\n", token_name_out);
|
||||
+ fprintf(stdout, "%s\n", module_name_out);
|
||||
+ fprintf(stdout, "%s\n", key_id_out);
|
||||
fprintf(stdout, "%s\n", cert);
|
||||
}
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index 389888eca389f793079ad169f7713151c896e90c..7860a99a8032fad383c94aaa948687512fd085e1 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -92,10 +92,12 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
const char *verify_opts,
|
||||
struct pam_data *pd);
|
||||
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
||||
- char **cert, char **token_name);
|
||||
+ char **cert, char **token_name, char **module_name,
|
||||
+ char **key_id);
|
||||
|
||||
errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
|
||||
- const char *token_name);
|
||||
+ const char *token_name, const char *module_name,
|
||||
+ const char *key_id);
|
||||
|
||||
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index 529c74f703b3169676dc13b145b39243903ebb50..6b7a9493bc2f9f4043a5800530116f7cf6d47263 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1401,7 +1401,9 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
|
||||
struct pam_ctx *pctx =
|
||||
talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
|
||||
|
||||
- ret = pam_check_cert_recv(req, preq, &cert, &preq->token_name);
|
||||
+ ret = pam_check_cert_recv(req, preq, &cert, &preq->token_name,
|
||||
+ &preq->module_name,
|
||||
+ &preq->key_id);
|
||||
talloc_free(req);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "get_cert request failed.\n");
|
||||
@@ -2051,7 +2053,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
||||
}
|
||||
|
||||
ret = add_pam_cert_response(preq->pd, cert_user,
|
||||
- preq->token_name);
|
||||
+ preq->token_name,
|
||||
+ preq->module_name,
|
||||
+ preq->key_id);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
|
||||
preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
||||
index 570bfe09d4385a038e7e03fcb64c72dd794774a6..365300b9075983b603a6f9e91ba6f8f21706388f 100644
|
||||
--- a/src/responder/pam/pamsrv_p11.c
|
||||
+++ b/src/responder/pam/pamsrv_p11.c
|
||||
@@ -133,7 +133,8 @@ static errno_t get_p11_child_write_buffer(TALLOC_CTX *mem_ctx,
|
||||
|
||||
static errno_t parse_p11_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf,
|
||||
ssize_t buf_len, char **_cert,
|
||||
- char **_token_name)
|
||||
+ char **_token_name, char **_module_name,
|
||||
+ char **_key_id)
|
||||
{
|
||||
int ret;
|
||||
TALLOC_CTX *tmp_ctx = NULL;
|
||||
@@ -141,6 +142,8 @@ static errno_t parse_p11_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf,
|
||||
uint8_t *pn;
|
||||
char *cert = NULL;
|
||||
char *token_name = NULL;
|
||||
+ char *module_name = NULL;
|
||||
+ char *key_id = NULL;
|
||||
|
||||
if (buf_len < 0) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
@@ -187,6 +190,54 @@ static errno_t parse_p11_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf,
|
||||
}
|
||||
|
||||
if (pn == p) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Missing module name in p11_child response.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ module_name = talloc_strndup(tmp_ctx, (char *) p, (pn - p));
|
||||
+ if (module_name == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Found module name [%s].\n", module_name);
|
||||
+
|
||||
+ p = ++pn;
|
||||
+ pn = memchr(p, '\n', buf_len - (p - buf));
|
||||
+ if (pn == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Missing new-line in p11_child response.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (pn == p) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Missing key id in p11_child response.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ key_id = talloc_strndup(tmp_ctx, (char *) p, (pn - p));
|
||||
+ if (key_id == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Found key id [%s].\n", key_id);
|
||||
+
|
||||
+ p = pn + 1;
|
||||
+ pn = memchr(p, '\n', buf_len - (p - buf));
|
||||
+ if (pn == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Missing new-line in p11_child response.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (pn == p) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Missing cert in p11_child response.\n");
|
||||
ret = EINVAL;
|
||||
goto done;
|
||||
@@ -206,6 +257,8 @@ done:
|
||||
if (ret == EOK) {
|
||||
*_token_name = talloc_steal(mem_ctx, token_name);
|
||||
*_cert = talloc_steal(mem_ctx, cert);
|
||||
+ *_module_name = talloc_steal(mem_ctx, module_name);
|
||||
+ *_key_id = talloc_steal(mem_ctx, key_id);
|
||||
}
|
||||
|
||||
talloc_free(tmp_ctx);
|
||||
@@ -222,6 +275,8 @@ struct pam_check_cert_state {
|
||||
struct child_io_fds *io;
|
||||
char *cert;
|
||||
char *token_name;
|
||||
+ char *module_name;
|
||||
+ char *key_id;
|
||||
};
|
||||
|
||||
static void p11_child_write_done(struct tevent_req *subreq);
|
||||
@@ -296,6 +351,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
state->child_status = EFAULT;
|
||||
state->cert = NULL;
|
||||
state->token_name = NULL;
|
||||
+ state->module_name = NULL;
|
||||
state->io = talloc(state, struct child_io_fds);
|
||||
if (state->io == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
|
||||
@@ -459,7 +515,8 @@ static void p11_child_done(struct tevent_req *subreq)
|
||||
PIPE_FD_CLOSE(state->io->read_from_child_fd);
|
||||
|
||||
ret = parse_p11_child_response(state, buf, buf_len, &state->cert,
|
||||
- &state->token_name);
|
||||
+ &state->token_name, &state->module_name,
|
||||
+ &state->key_id);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "parse_p11_child_respose failed.\n");
|
||||
tevent_req_error(req, ret);
|
||||
@@ -486,7 +543,8 @@ static void p11_child_timeout(struct tevent_context *ev,
|
||||
}
|
||||
|
||||
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
||||
- char **cert, char **token_name)
|
||||
+ char **cert, char **token_name, char **module_name,
|
||||
+ char **key_id)
|
||||
{
|
||||
struct pam_check_cert_state *state =
|
||||
tevent_req_data(req, struct pam_check_cert_state);
|
||||
@@ -501,6 +559,14 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
||||
*token_name = talloc_steal(mem_ctx, state->token_name);
|
||||
}
|
||||
|
||||
+ if (module_name != NULL) {
|
||||
+ *module_name = talloc_steal(mem_ctx, state->module_name);
|
||||
+ }
|
||||
+
|
||||
+ if (key_id != NULL) {
|
||||
+ *key_id = talloc_steal(mem_ctx, state->key_id);
|
||||
+ }
|
||||
+
|
||||
return EOK;
|
||||
}
|
||||
|
||||
@@ -513,23 +579,29 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
||||
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
|
||||
|
||||
errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
||||
- const char *token_name)
|
||||
+ const char *token_name, const char *module_name,
|
||||
+ const char *key_id)
|
||||
{
|
||||
uint8_t *msg = NULL;
|
||||
char *env = NULL;
|
||||
size_t user_len;
|
||||
size_t msg_len;
|
||||
size_t slot_len;
|
||||
+ size_t module_len;
|
||||
+ size_t key_id_len;
|
||||
int ret;
|
||||
|
||||
- if (sysdb_username == NULL || token_name == NULL) {
|
||||
+ if (sysdb_username == NULL || token_name == NULL || module_name == NULL
|
||||
+ || key_id == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
user_len = strlen(sysdb_username) + 1;
|
||||
slot_len = strlen(token_name) + 1;
|
||||
- msg_len = user_len + slot_len;
|
||||
+ module_len = strlen(module_name) + 1;
|
||||
+ key_id_len = strlen(key_id) + 1;
|
||||
+ msg_len = user_len + slot_len + module_len + key_id_len;
|
||||
|
||||
msg = talloc_zero_size(pd, msg_len);
|
||||
if (msg == NULL) {
|
||||
@@ -546,6 +618,8 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
||||
* being I think using sysdb_username is fine. */
|
||||
memcpy(msg, sysdb_username, user_len);
|
||||
memcpy(msg + user_len, token_name, slot_len);
|
||||
+ memcpy(msg + user_len + slot_len, module_name, module_len);
|
||||
+ memcpy(msg + user_len + slot_len + module_len, key_id, key_id_len);
|
||||
|
||||
ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
|
||||
talloc_free(msg);
|
||||
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
|
||||
index 34889e0743decd85892dda311f010f9d7e3ba681..3f4a770ac08ee416ead2f215ab873e8eb277c9eb 100644
|
||||
--- a/src/sss_client/pam_message.h
|
||||
+++ b/src/sss_client/pam_message.h
|
||||
@@ -61,6 +61,8 @@ struct pam_items {
|
||||
|
||||
char *cert_user;
|
||||
char *token_name;
|
||||
+ char *module_name;
|
||||
+ char *key_id;
|
||||
};
|
||||
|
||||
int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer);
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index 8f97af77e3a0c2fa26c84962b6438fe774a75f1a..fa30889e787f9ea74dd2eded3cb92380397cdf38 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -162,6 +162,12 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
|
||||
|
||||
free(pi->token_name);
|
||||
pi->token_name = NULL;
|
||||
+
|
||||
+ free(pi->module_name);
|
||||
+ pi->module_name = NULL;
|
||||
+
|
||||
+ free(pi->key_id);
|
||||
+ pi->key_id = NULL;
|
||||
}
|
||||
|
||||
static int null_strcmp(const char *s1, const char *s2) {
|
||||
@@ -1019,10 +1025,47 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
|
||||
pi->token_name = strdup((char *) &buf[p + offset]);
|
||||
if (pi->token_name == NULL) {
|
||||
D(("strdup failed"));
|
||||
+ free(pi->cert_user);
|
||||
+ pi->cert_user = NULL;
|
||||
break;
|
||||
}
|
||||
- D(("cert user: [%s] token name: [%s]", pi->cert_user,
|
||||
- pi->token_name));
|
||||
+
|
||||
+ offset += strlen(pi->token_name) + 1;
|
||||
+ if (offset >= len) {
|
||||
+ D(("Cert message size mismatch"));
|
||||
+ free(pi->cert_user);
|
||||
+ pi->cert_user = NULL;
|
||||
+ free(pi->token_name);
|
||||
+ pi->token_name = NULL;
|
||||
+ break;
|
||||
+ }
|
||||
+ free(pi->module_name);
|
||||
+ pi->module_name = strdup((char *) &buf[p + offset]);
|
||||
+ if (pi->module_name == NULL) {
|
||||
+ D(("strdup failed"));
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ offset += strlen(pi->module_name) + 1;
|
||||
+ if (offset >= len) {
|
||||
+ D(("Cert message size mismatch"));
|
||||
+ free(pi->cert_user);
|
||||
+ pi->cert_user = NULL;
|
||||
+ free(pi->token_name);
|
||||
+ pi->token_name = NULL;
|
||||
+ free(pi->module_name);
|
||||
+ pi->module_name = NULL;
|
||||
+ break;
|
||||
+ }
|
||||
+ free(pi->key_id);
|
||||
+ pi->key_id = strdup((char *) &buf[p + offset]);
|
||||
+ if (pi->key_id == NULL) {
|
||||
+ D(("strdup failed"));
|
||||
+ break;
|
||||
+ }
|
||||
+ D(("cert user: [%s] token name: [%s] module: [%s] key id: [%s]",
|
||||
+ pi->cert_user, pi->token_name, pi->module_name,
|
||||
+ pi->key_id));
|
||||
break;
|
||||
case SSS_PASSWORD_PROMPTING:
|
||||
D(("Password prompting available."));
|
||||
@@ -1120,6 +1163,8 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
|
||||
|
||||
pi->cert_user = NULL;
|
||||
pi->token_name = NULL;
|
||||
+ pi->module_name = NULL;
|
||||
+ pi->key_id = NULL;
|
||||
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
||||
index 6b91f49c6608043df68c65f9a3338a76ac66bbcc..cbc1d036720f85845387475390cfb141709d514e 100644
|
||||
--- a/src/tests/cmocka/test_pam_srv.c
|
||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
||||
@@ -48,6 +48,8 @@
|
||||
#define NSS_DB "sql:"NSS_DB_PATH
|
||||
|
||||
#define TEST_TOKEN_NAME "SSSD Test Token"
|
||||
+#define TEST_MODULE_NAME "NSS-Internal"
|
||||
+#define TEST_KEY_ID "6822EDDD231DAB8DBCD83721BE16A13DD0E31C08"
|
||||
#define TEST_TOKEN_CERT \
|
||||
"MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
|
||||
"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA2MjMx" \
|
||||
@@ -668,7 +670,10 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
|
||||
assert_int_equal(val, SSS_PAM_CERT_INFO);
|
||||
|
||||
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
||||
- assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
|
||||
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME)
|
||||
+ + sizeof(TEST_TOKEN_NAME)
|
||||
+ + sizeof(TEST_MODULE_NAME)
|
||||
+ + sizeof(TEST_KEY_ID)));
|
||||
|
||||
assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
|
||||
assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
|
||||
@@ -676,7 +681,17 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
|
||||
|
||||
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
|
||||
assert_string_equal(body + rp, TEST_TOKEN_NAME);
|
||||
+ rp += sizeof(TEST_TOKEN_NAME);
|
||||
|
||||
+ assert_int_equal(*(body + rp + sizeof(TEST_MODULE_NAME) - 1), 0);
|
||||
+ assert_string_equal(body + rp, TEST_MODULE_NAME);
|
||||
+ rp += sizeof(TEST_MODULE_NAME);
|
||||
+
|
||||
+ assert_int_equal(*(body + rp + sizeof(TEST_KEY_ID) - 1), 0);
|
||||
+ assert_string_equal(body + rp, TEST_KEY_ID);
|
||||
+ rp += sizeof(TEST_KEY_ID);
|
||||
+
|
||||
+ assert_int_equal(rp, blen);
|
||||
return EOK;
|
||||
}
|
||||
|
||||
@@ -707,7 +722,10 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
||||
assert_int_equal(val, SSS_PAM_CERT_INFO);
|
||||
|
||||
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
||||
- assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
|
||||
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME)
|
||||
+ + sizeof(TEST_TOKEN_NAME)
|
||||
+ + sizeof(TEST_MODULE_NAME)
|
||||
+ + sizeof(TEST_KEY_ID)));
|
||||
|
||||
assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
|
||||
assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
|
||||
@@ -715,6 +733,17 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
||||
|
||||
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
|
||||
assert_string_equal(body + rp, TEST_TOKEN_NAME);
|
||||
+ rp += sizeof(TEST_TOKEN_NAME);
|
||||
+
|
||||
+ assert_int_equal(*(body + rp + sizeof(TEST_MODULE_NAME) - 1), 0);
|
||||
+ assert_string_equal(body + rp, TEST_MODULE_NAME);
|
||||
+ rp += sizeof(TEST_MODULE_NAME);
|
||||
+
|
||||
+ assert_int_equal(*(body + rp + sizeof(TEST_KEY_ID) - 1), 0);
|
||||
+ assert_string_equal(body + rp, TEST_KEY_ID);
|
||||
+ rp += sizeof(TEST_KEY_ID);
|
||||
+
|
||||
+ assert_int_equal(rp, blen);
|
||||
|
||||
return EOK;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
134
0085-pam-enhance-Smartcard-authentication-token.patch
Normal file
134
0085-pam-enhance-Smartcard-authentication-token.patch
Normal file
@ -0,0 +1,134 @@
|
||||
From 52f45837ded98564968da42229b37db6a36ad627 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 27 Sep 2016 16:03:22 +0200
|
||||
Subject: [PATCH 85/95] pam: enhance Smartcard authentication token
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/krb5/krb5_child.c | 4 ++-
|
||||
src/providers/krb5/krb5_child_handler.c | 2 ++
|
||||
src/responder/pam/pamsrv_cmd.c | 9 ++-----
|
||||
src/sss_client/pam_sss.c | 45 ++++++++++++++++++++++++++++-----
|
||||
4 files changed, 45 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||||
index be31ddbc490b7fd03e7092c244a2cc34a41ee22a..031847089c035a18a6ff2859a0257e08228fb19e 100644
|
||||
--- a/src/providers/krb5/krb5_child.c
|
||||
+++ b/src/providers/krb5/krb5_child.c
|
||||
@@ -1856,7 +1856,9 @@ static errno_t unpack_authtok(struct sss_auth_token *tok,
|
||||
ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
|
||||
break;
|
||||
case SSS_AUTHTOK_TYPE_2FA:
|
||||
- ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, (buf + *p),
|
||||
+ case SSS_AUTHTOK_TYPE_SC_PIN:
|
||||
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
|
||||
+ ret = sss_authtok_set(tok, auth_token_type, (buf + *p),
|
||||
auth_token_length);
|
||||
break;
|
||||
default:
|
||||
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
|
||||
index 69636e0bc911a0e3dc7023ac815eb54fa81a2bf5..6a3dc9d739527caad2523d9359cd5ef60e622bab 100644
|
||||
--- a/src/providers/krb5/krb5_child_handler.c
|
||||
+++ b/src/providers/krb5/krb5_child_handler.c
|
||||
@@ -78,6 +78,8 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t *rp,
|
||||
auth_token_length = len + 1;
|
||||
break;
|
||||
case SSS_AUTHTOK_TYPE_2FA:
|
||||
+ case SSS_AUTHTOK_TYPE_SC_PIN:
|
||||
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
|
||||
data = (char *) sss_authtok_get_data(tok);
|
||||
auth_token_length = sss_authtok_get_size(tok);
|
||||
break;
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index 6b7a9493bc2f9f4043a5800530116f7cf6d47263..e788a75a45e7cbfe3dd842310a2784b26aa6f7cc 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -160,15 +160,10 @@ static int extract_authtok_v2(struct sss_auth_token *tok,
|
||||
}
|
||||
break;
|
||||
case SSS_AUTHTOK_TYPE_2FA:
|
||||
- ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA,
|
||||
- auth_token_data, auth_token_length);
|
||||
- break;
|
||||
case SSS_AUTHTOK_TYPE_SC_PIN:
|
||||
- ret = sss_authtok_set_sc_pin(tok, (const char *) auth_token_data,
|
||||
- auth_token_length);
|
||||
- break;
|
||||
case SSS_AUTHTOK_TYPE_SC_KEYPAD:
|
||||
- sss_authtok_set_sc_keypad(tok);
|
||||
+ ret = sss_authtok_set(tok, auth_token_type,
|
||||
+ auth_token_data, auth_token_length);
|
||||
break;
|
||||
default:
|
||||
return EINVAL;
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index fa30889e787f9ea74dd2eded3cb92380397cdf38..a3d7a8a23b8dd2b25825f02c9b5d78f06731f36b 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -1476,6 +1476,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
|
||||
char *answer = NULL;
|
||||
char *prompt;
|
||||
size_t size;
|
||||
+ size_t needed_size;
|
||||
|
||||
if (pi->token_name == NULL || *pi->token_name == '\0'
|
||||
|| pi->cert_user == NULL || *pi->cert_user == '\0') {
|
||||
@@ -1509,18 +1510,48 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
|
||||
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
|
||||
pi->pam_authtok_size=0;
|
||||
} else {
|
||||
- pi->pam_authtok = strdup(answer);
|
||||
- _pam_overwrite((void *)answer);
|
||||
- free(answer);
|
||||
- answer=NULL;
|
||||
+
|
||||
+ ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
|
||||
+ pi->module_name, 0,
|
||||
+ pi->key_id, 0,
|
||||
+ NULL, 0, &needed_size);
|
||||
+ if (ret != EAGAIN) {
|
||||
+ D(("sss_auth_pack_sc_blob failed."));
|
||||
+ ret = PAM_BUF_ERR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ pi->pam_authtok = malloc(needed_size);
|
||||
if (pi->pam_authtok == NULL) {
|
||||
- return PAM_BUF_ERR;
|
||||
+ D(("malloc failed."));
|
||||
+ ret = PAM_BUF_ERR;
|
||||
+ goto done;
|
||||
}
|
||||
+
|
||||
+ ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
|
||||
+ pi->module_name, 0,
|
||||
+ pi->key_id, 0,
|
||||
+ (uint8_t *) pi->pam_authtok, needed_size,
|
||||
+ &needed_size);
|
||||
+ if (ret != EOK) {
|
||||
+ D(("sss_auth_pack_sc_blob failed."));
|
||||
+ free((void *)pi->pam_authtok);
|
||||
+ ret = PAM_BUF_ERR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
|
||||
- pi->pam_authtok_size=strlen(pi->pam_authtok);
|
||||
+ pi->pam_authtok_size = needed_size;
|
||||
}
|
||||
|
||||
- return PAM_SUCCESS;
|
||||
+ ret = PAM_SUCCESS;
|
||||
+
|
||||
+done:
|
||||
+ _pam_overwrite((void *)answer);
|
||||
+ free(answer);
|
||||
+ answer=NULL;
|
||||
+
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi)
|
||||
--
|
||||
2.9.3
|
||||
|
520
0086-KRB5-allow-pkinit-pre-authentication.patch
Normal file
520
0086-KRB5-allow-pkinit-pre-authentication.patch
Normal file
@ -0,0 +1,520 @@
|
||||
From 2d527aab0bab0c5323b7ea09c9a8c3820f4f8736 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 12 Oct 2015 11:52:56 +0200
|
||||
Subject: [PATCH 86/95] KRB5: allow pkinit pre-authentication
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/krb5/krb5_auth.c | 18 +-
|
||||
src/providers/krb5/krb5_child.c | 286 ++++++++++++++++++++++++++++++--
|
||||
src/providers/krb5/krb5_child_handler.c | 6 +-
|
||||
src/sss_client/sss_cli.h | 6 +
|
||||
4 files changed, 303 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||
index 0e685618ec2de1f923ffd9d78bf2a9d8816019e1..c2d6d7eeacc1f766024c4d629f25fd0f0be24e5e 100644
|
||||
--- a/src/providers/krb5/krb5_auth.c
|
||||
+++ b/src/providers/krb5/krb5_auth.c
|
||||
@@ -344,8 +344,13 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
|
||||
domain->cache_credentials_min_ff_length);
|
||||
ret = EINVAL;
|
||||
}
|
||||
- } else {
|
||||
+ } else if (sss_authtok_get_type(pd->authtok) ==
|
||||
+ SSS_AUTHTOK_TYPE_PASSWORD) {
|
||||
ret = sss_authtok_get_password(pd->authtok, &password, NULL);
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
|
||||
+ sss_authtok_get_type(pd->authtok));
|
||||
+ ret = EINVAL;
|
||||
}
|
||||
break;
|
||||
case SSS_PAM_CHAUTHTOK:
|
||||
@@ -466,7 +471,9 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
|
||||
case SSS_PAM_AUTHENTICATE:
|
||||
case SSS_PAM_CHAUTHTOK:
|
||||
if (authtok_type != SSS_AUTHTOK_TYPE_PASSWORD
|
||||
- && authtok_type != SSS_AUTHTOK_TYPE_2FA) {
|
||||
+ && authtok_type != SSS_AUTHTOK_TYPE_2FA
|
||||
+ && authtok_type != SSS_AUTHTOK_TYPE_SC_PIN
|
||||
+ && authtok_type != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
|
||||
/* handle empty password gracefully */
|
||||
if (authtok_type == SSS_AUTHTOK_TYPE_EMPTY) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
@@ -1023,6 +1030,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
|
||||
ret = EOK;
|
||||
goto done;
|
||||
|
||||
+ case ERR_NO_AUTH_METHOD_AVAILABLE:
|
||||
+ state->pam_status = PAM_NO_MODULE_DATA;
|
||||
+ state->dp_err = DP_ERR_OK;
|
||||
+ ret = EOK;
|
||||
+ goto done;
|
||||
+
|
||||
default:
|
||||
DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
"The krb5_child process returned an error. Please inspect the "
|
||||
@@ -1185,6 +1198,7 @@ krb5_pam_handler_send(TALLOC_CTX *mem_ctx,
|
||||
|
||||
switch (pd->cmd) {
|
||||
case SSS_PAM_AUTHENTICATE:
|
||||
+ case SSS_PAM_PREAUTH:
|
||||
case SSS_CMD_RENEW:
|
||||
case SSS_PAM_CHAUTHTOK_PRELIM:
|
||||
case SSS_PAM_CHAUTHTOK:
|
||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||||
index 031847089c035a18a6ff2859a0257e08228fb19e..777a25f2a0ea434dde12d2396f6a35c2a1b86cd0 100644
|
||||
--- a/src/providers/krb5/krb5_child.c
|
||||
+++ b/src/providers/krb5/krb5_child.c
|
||||
@@ -64,6 +64,7 @@ struct krb5_req {
|
||||
krb5_creds *creds;
|
||||
bool otp;
|
||||
bool password_prompting;
|
||||
+ bool pkinit_prompting;
|
||||
char *otp_vendor;
|
||||
char *otp_token_id;
|
||||
char *otp_challenge;
|
||||
@@ -587,6 +588,138 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static bool pkinit_identity_matches(const char *identity,
|
||||
+ const char *token_name,
|
||||
+ const char *module_name)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx = NULL;
|
||||
+ char *str;
|
||||
+ bool res = false;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ str = talloc_asprintf(tmp_ctx, "module_name=%s", module_name);
|
||||
+ if (str == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (strstr(identity, str) == NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Identity [%s] does not contain [%s].\n",
|
||||
+ identity, str);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in identity [%s].\n", str, identity);
|
||||
+
|
||||
+ str = talloc_asprintf(tmp_ctx, "token=%s", token_name);
|
||||
+ if (str == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (strstr(identity, str) == NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Identity [%s] does not contain [%s].\n",
|
||||
+ identity, str);
|
||||
+ goto done;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in identity [%s].\n", str, identity);
|
||||
+
|
||||
+ res = true;
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+
|
||||
+ return res;
|
||||
+}
|
||||
+
|
||||
+static krb5_error_code answer_pkinit(krb5_context ctx,
|
||||
+ struct krb5_req *kr,
|
||||
+ krb5_responder_context rctx)
|
||||
+{
|
||||
+ krb5_error_code kerr;
|
||||
+ const char *pin = NULL;
|
||||
+ const char *token_name = NULL;
|
||||
+ const char *module_name = NULL;
|
||||
+ krb5_responder_pkinit_challenge *chl = NULL;
|
||||
+ size_t c;
|
||||
+
|
||||
+ kerr = krb5_responder_pkinit_get_challenge(ctx, rctx, &chl);
|
||||
+ if (kerr != EOK || chl == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "krb5_responder_pkinit_get_challenge failed.\n");
|
||||
+ return kerr;
|
||||
+ }
|
||||
+ if (chl->identities == NULL || chl->identities[0] == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "No identities for pkinit!\n");
|
||||
+ kerr = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
|
||||
+ for (c = 0; chl->identities[c] != NULL; c++) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Identity [%s] flags [%"PRId32"].\n",
|
||||
+ c, chl->identities[c]->identity,
|
||||
+ chl->identities[c]->token_flags);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Setting pkinit_prompting.\n");
|
||||
+ kr->pkinit_prompting = true;
|
||||
+
|
||||
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
+ && (sss_authtok_get_type(kr->pd->authtok)
|
||||
+ == SSS_AUTHTOK_TYPE_SC_PIN
|
||||
+ || sss_authtok_get_type(kr->pd->authtok)
|
||||
+ == SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
|
||||
+ kerr = sss_authtok_get_sc(kr->pd->authtok, &pin, NULL,
|
||||
+ &token_name, NULL,
|
||||
+ &module_name, NULL,
|
||||
+ NULL, NULL);
|
||||
+ if (kerr != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sss_authtok_get_sc failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (c = 0; chl->identities[c] != NULL; c++) {
|
||||
+ if (chl->identities[c]->identity != NULL
|
||||
+ && pkinit_identity_matches(chl->identities[c]->identity,
|
||||
+ token_name, module_name)) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (chl->identities[c] == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "No matching identity for [%s][%s] found in pkinit challenge.\n",
|
||||
+ token_name, module_name);
|
||||
+ kerr = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ kerr = krb5_responder_pkinit_set_answer(ctx, rctx,
|
||||
+ chl->identities[c]->identity,
|
||||
+ pin);
|
||||
+ if (kerr != 0) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "krb5_responder_set_answer failed.\n");
|
||||
+ }
|
||||
+
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ kerr = EOK;
|
||||
+
|
||||
+done:
|
||||
+ krb5_responder_pkinit_challenge_free(ctx, rctx, chl);
|
||||
+
|
||||
+ return kerr;
|
||||
+}
|
||||
+
|
||||
static krb5_error_code sss_krb5_responder(krb5_context ctx,
|
||||
void *data,
|
||||
krb5_responder_context rctx)
|
||||
@@ -634,6 +767,9 @@ static krb5_error_code sss_krb5_responder(krb5_context ctx,
|
||||
|
||||
return kerr;
|
||||
}
|
||||
+ } else if (strcmp(question_list[c],
|
||||
+ KRB5_RESPONDER_QUESTION_PKINIT) == 0) {
|
||||
+ return answer_pkinit(ctx, kr, rctx);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -661,18 +797,23 @@ static krb5_error_code sss_krb5_prompter(krb5_context context, void *data,
|
||||
size_t c;
|
||||
struct krb5_req *kr = talloc_get_type(data, struct krb5_req);
|
||||
|
||||
+ if (kr == NULL) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
DEBUG(SSSDBG_TRACE_ALL,
|
||||
"sss_krb5_prompter name [%s] banner [%s] num_prompts [%d] EINVAL.\n",
|
||||
name, banner, num_prompts);
|
||||
|
||||
if (num_prompts != 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot handle password prompts.\n");
|
||||
if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
|
||||
for (c = 0; c < num_prompts; c++) {
|
||||
DEBUG(SSSDBG_TRACE_ALL, "Prompt [%zu][%s].\n", c,
|
||||
prompts[c].prompt);
|
||||
}
|
||||
}
|
||||
+
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot handle password prompts.\n");
|
||||
return KRB5_LIBOS_CANTREADPWD;
|
||||
}
|
||||
|
||||
@@ -1036,6 +1177,63 @@ static errno_t k5c_send_data(struct krb5_req *kr, int fd, errno_t error)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static errno_t get_pkinit_identity(TALLOC_CTX *mem_ctx,
|
||||
+ struct sss_auth_token *authtok,
|
||||
+ char **_identity)
|
||||
+{
|
||||
+ int ret;
|
||||
+ char *identity;
|
||||
+ const char *token_name;
|
||||
+ const char *module_name;
|
||||
+ const char *key_id;
|
||||
+
|
||||
+ ret = sss_authtok_get_sc(authtok, NULL, NULL,
|
||||
+ &token_name, NULL,
|
||||
+ &module_name, NULL,
|
||||
+ &key_id, NULL);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Got [%s][%s].\n", token_name, module_name);
|
||||
+
|
||||
+ if (module_name == NULL || *module_name == '\0') {
|
||||
+ module_name = "p11-kit-proxy.so";
|
||||
+ }
|
||||
+
|
||||
+ identity = talloc_asprintf(mem_ctx, "PKCS11:module_name=%s", module_name);
|
||||
+ if (identity == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ if (token_name != NULL && *token_name != '\0') {
|
||||
+ identity = talloc_asprintf_append(identity, ":token=%s",
|
||||
+ token_name);
|
||||
+ if (identity == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "talloc_asprintf_append failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (key_id != NULL && *key_id != '\0') {
|
||||
+ identity = talloc_asprintf_append(identity, ":certid=%s", key_id);
|
||||
+ if (identity == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "talloc_asprintf_append failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *_identity = identity;
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Using pkinit identity [%s].\n", identity);
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static errno_t add_ticket_times_and_upn_to_response(struct krb5_req *kr)
|
||||
{
|
||||
int ret;
|
||||
@@ -1268,6 +1466,8 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
|
||||
int realm_length;
|
||||
krb5_error_code kerr;
|
||||
char *cc_name;
|
||||
+ int ret;
|
||||
+ char *identity = NULL;
|
||||
|
||||
kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx, kr->options,
|
||||
sss_krb5_expire_callback_func,
|
||||
@@ -1284,6 +1484,30 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
|
||||
return KRB5KRB_ERR_GENERIC;
|
||||
}
|
||||
|
||||
+ if (sss_authtok_get_type(kr->pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN
|
||||
+ || sss_authtok_get_type(kr->pd->authtok)
|
||||
+ == SSS_AUTHTOK_TYPE_SC_KEYPAD) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
||||
+ "Found Smartcard credentials, trying pkinit.\n");
|
||||
+
|
||||
+ ret = get_pkinit_identity(kr, kr->pd->authtok, &identity);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "get_pkinit_identity failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ kerr = krb5_get_init_creds_opt_set_pa(kr->ctx, kr->options,
|
||||
+ "X509_user_identity", identity);
|
||||
+ talloc_free(identity);
|
||||
+ if (kerr != 0) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "krb5_get_init_creds_opt_set_pa failed.\n");
|
||||
+ return kerr;
|
||||
+ }
|
||||
+
|
||||
+ /* TODO: Maybe X509_anchors should be added here as well */
|
||||
+ }
|
||||
+
|
||||
DEBUG(SSSDBG_TRACE_FUNC,
|
||||
"Attempting kinit for realm [%s]\n",realm_name);
|
||||
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
|
||||
@@ -1294,12 +1518,25 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
|
||||
/* Any errors are ignored during pre-auth, only data is collected to
|
||||
* be send back to the client.*/
|
||||
DEBUG(SSSDBG_TRACE_FUNC,
|
||||
- "krb5_get_init_creds_password returned [%d} during pre-auth.\n",
|
||||
+ "krb5_get_init_creds_password returned [%d] during pre-auth.\n",
|
||||
kerr);
|
||||
return 0;
|
||||
} else {
|
||||
if (kerr != 0) {
|
||||
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
|
||||
+
|
||||
+ /* If during authentication either the MIT Kerberos pkinit
|
||||
+ * pre-auth module is missing or no Smartcard is inserted and only
|
||||
+ * pkinit is available KRB5_PREAUTH_FAILED is returned.
|
||||
+ * ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
|
||||
+ * frontend that local authentication might be tried. */
|
||||
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
+ && kerr == KRB5_PREAUTH_FAILED
|
||||
+ && kr->password_prompting == false
|
||||
+ && kr->otp == false
|
||||
+ && kr->pkinit_prompting == false) {
|
||||
+ return ERR_NO_AUTH_METHOD_AVAILABLE;
|
||||
+ }
|
||||
return kerr;
|
||||
}
|
||||
}
|
||||
@@ -1367,6 +1604,12 @@ done:
|
||||
|
||||
static errno_t map_krb5_error(krb5_error_code kerr)
|
||||
{
|
||||
+ /* just pass SSSD's internal error codes */
|
||||
+ if (kerr > 0 && IS_SSSD_ERROR(kerr)) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "[%d][%s].\n", kerr, sss_strerror(kerr));
|
||||
+ return kerr;
|
||||
+ }
|
||||
+
|
||||
if (kerr != 0) {
|
||||
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
|
||||
}
|
||||
@@ -1615,9 +1858,12 @@ static errno_t tgt_req_child(struct krb5_req *kr)
|
||||
|
||||
DEBUG(SSSDBG_TRACE_LIBS, "Attempting to get a TGT\n");
|
||||
|
||||
- /* No password is needed for pre-auth, or if we have 2FA */
|
||||
+ /* No password is needed for pre-auth or if we have 2FA or SC */
|
||||
if (kr->pd->cmd != SSS_PAM_PREAUTH
|
||||
- && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
|
||||
+ && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_2FA
|
||||
+ && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN
|
||||
+ && sss_authtok_get_type(kr->pd->authtok)
|
||||
+ != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
|
||||
ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
|
||||
switch (ret) {
|
||||
case EOK:
|
||||
@@ -1641,7 +1887,12 @@ static errno_t tgt_req_child(struct krb5_req *kr)
|
||||
if (kr->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
/* add OTP tokeninfo messge if available */
|
||||
if (kr->otp) {
|
||||
- kerr = k5c_attach_otp_info_msg(kr);
|
||||
+ ret = k5c_attach_otp_info_msg(kr);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "k5c_attach_otp_info_msg failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (kr->password_prompting) {
|
||||
@@ -1651,6 +1902,15 @@ static errno_t tgt_req_child(struct krb5_req *kr)
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ if (kr->pkinit_prompting) {
|
||||
+ ret = pam_add_response(kr->pd, SSS_CERT_AUTH_PROMPTING, 0,
|
||||
+ NULL);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
} else {
|
||||
if (kerr == 0) {
|
||||
kerr = k5c_attach_ccname_msg(kr);
|
||||
@@ -1918,6 +2178,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
|
||||
*offline ? "true" : "false", kr->upn ? kr->upn : "none");
|
||||
|
||||
if (pd->cmd == SSS_PAM_AUTHENTICATE ||
|
||||
+ pd->cmd == SSS_PAM_PREAUTH ||
|
||||
pd->cmd == SSS_CMD_RENEW ||
|
||||
pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || pd->cmd == SSS_PAM_CHAUTHTOK) {
|
||||
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
|
||||
@@ -2801,11 +3062,16 @@ int main(int argc, const char *argv[])
|
||||
goto done;
|
||||
}
|
||||
|
||||
- kerr = become_user(kr->uid, kr->gid);
|
||||
- if (kerr != 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
|
||||
- ret = EFAULT;
|
||||
- goto done;
|
||||
+ /* pkinit need access to pcscd */
|
||||
+ if ((sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN
|
||||
+ && sss_authtok_get_type(kr->pd->authtok)
|
||||
+ != SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
|
||||
+ kerr = become_user(kr->uid, kr->gid);
|
||||
+ if (kerr != 0) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
|
||||
+ ret = EFAULT;
|
||||
+ goto done;
|
||||
+ }
|
||||
}
|
||||
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
|
||||
index 6a3dc9d739527caad2523d9359cd5ef60e622bab..680e67b089fcb32280352af24aae35af133a52f3 100644
|
||||
--- a/src/providers/krb5/krb5_child_handler.c
|
||||
+++ b/src/providers/krb5/krb5_child_handler.c
|
||||
@@ -90,7 +90,9 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t *rp,
|
||||
if (ret == EOK) {
|
||||
SAFEALIGN_COPY_UINT32(&buf->data[*rp], &auth_token_type, rp);
|
||||
SAFEALIGN_COPY_UINT32(&buf->data[*rp], &auth_token_length, rp);
|
||||
- safealign_memcpy(&buf->data[*rp], data, auth_token_length, rp);
|
||||
+ if (data != NULL) {
|
||||
+ safealign_memcpy(&buf->data[*rp], data, auth_token_length, rp);
|
||||
+ }
|
||||
}
|
||||
|
||||
return ret;
|
||||
@@ -145,6 +147,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
||||
buf->size = 8*sizeof(uint32_t) + strlen(kr->upn);
|
||||
|
||||
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE ||
|
||||
+ kr->pd->cmd == SSS_PAM_PREAUTH ||
|
||||
kr->pd->cmd == SSS_CMD_RENEW ||
|
||||
kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
|
||||
kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
|
||||
@@ -187,6 +190,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
||||
safealign_memcpy(&buf->data[rp], kr->upn, strlen(kr->upn), &rp);
|
||||
|
||||
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE ||
|
||||
+ kr->pd->cmd == SSS_PAM_PREAUTH ||
|
||||
kr->pd->cmd == SSS_CMD_RENEW ||
|
||||
kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
|
||||
kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
|
||||
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
||||
index b6610bc6d694fae385f462e1be53c78af0a3d8cb..8091e11515184dc9b7f32eed535055d9eee3143f 100644
|
||||
--- a/src/sss_client/sss_cli.h
|
||||
+++ b/src/sss_client/sss_cli.h
|
||||
@@ -431,6 +431,12 @@ enum response_type {
|
||||
* SSS_PAM_OTP_INFO to determine the type of
|
||||
* prompting. There is no message.
|
||||
* @param None. */
|
||||
+ SSS_CERT_AUTH_PROMPTING, /**< Indicates that on the server side
|
||||
+ * Smartcard/certificate based authentication is
|
||||
+ * available for the selected account. This might
|
||||
+ * be used together with other prompting options
|
||||
+ * to determine the type of prompting.
|
||||
+ * @param None. */
|
||||
};
|
||||
|
||||
/**
|
||||
--
|
||||
2.9.3
|
||||
|
28
0087-TESTS-Remove-unused-import.patch
Normal file
28
0087-TESTS-Remove-unused-import.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From 1b55ac98db6a319d45edae6c27ff3804f1f4d28a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 22 Feb 2017 18:44:55 +0100
|
||||
Subject: [PATCH 87/95] TESTS: Remove unused import
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/tests/intg/test_ts_cache.py | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py
|
||||
index ce0a7c78daf46fd33440aad55ad8f31fa68228a8..445cdf6086302c9436c5f2a9a73f0b04e81adbe6 100644
|
||||
--- a/src/tests/intg/test_ts_cache.py
|
||||
+++ b/src/tests/intg/test_ts_cache.py
|
||||
@@ -33,7 +33,6 @@ import ldap_ent
|
||||
import sssd_ldb
|
||||
import sssd_id
|
||||
from util import unindent
|
||||
-from util import run_shell
|
||||
|
||||
LDAP_BASE_DN = "dc=example,dc=com"
|
||||
SSSD_DOMAIN = "LDAP"
|
||||
--
|
||||
2.9.3
|
||||
|
111
0088-DOC-Deprecate-README-add-README.md.patch
Normal file
111
0088-DOC-Deprecate-README-add-README.md.patch
Normal file
@ -0,0 +1,111 @@
|
||||
From eed5bc53a0c823276523d32e76bc1c264db3837e Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 24 Feb 2017 09:22:20 +0100
|
||||
Subject: [PATCH 88/95] DOC: Deprecate README, add README.md
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
To make it easier to display the contents of README on the project
|
||||
homepage, this patch converts the README contents to README.md.
|
||||
|
||||
The original README is removed so that we don't maintain two different
|
||||
sources.
|
||||
|
||||
The links to fedorahosted are retained until we migrate the wiki pages.
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
README | 43 -------------------------------------------
|
||||
README.md | 28 ++++++++++++++++++++++++++++
|
||||
2 files changed, 28 insertions(+), 43 deletions(-)
|
||||
delete mode 100644 README
|
||||
create mode 100644 README.md
|
||||
|
||||
diff --git a/README b/README
|
||||
deleted file mode 100644
|
||||
index 189f66fe5b20c85728ac2640d734e3b490e23817..0000000000000000000000000000000000000000
|
||||
--- a/README
|
||||
+++ /dev/null
|
||||
@@ -1,43 +0,0 @@
|
||||
-
|
||||
- SSSD - System Security Services Daemon
|
||||
- --------------------------------------
|
||||
-
|
||||
- Introduction
|
||||
- ------------
|
||||
- SSSD provides a set of daemons to manage access to remote directories and
|
||||
- authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
|
||||
- an NSS and PAM interface toward the system and a pluggable backend system
|
||||
- to connect to multiple different account sources.
|
||||
-
|
||||
- More information about SSSD can be found on its project page -
|
||||
- <http://fedorahosted.org/sssd/>
|
||||
-
|
||||
- Building and installation
|
||||
- -------------------------
|
||||
- Please see the file BUILD.txt for details
|
||||
-
|
||||
- Documentation
|
||||
- -------------
|
||||
- The most up-to-date documentation can be found at
|
||||
- <http://fedorahosted.org/sssd/wiki/HOWTO_Configure>
|
||||
-
|
||||
- Licensing
|
||||
- ---------
|
||||
- Please see the file called COPYING.
|
||||
-
|
||||
- Contacts
|
||||
- --------
|
||||
- There are several ways to contact us:
|
||||
-
|
||||
- * the sssd-devel mailing list:
|
||||
- Development of the System Security Services Daemon
|
||||
- <https://fedorahosted.org/mailman/listinfo/sssd-devel>
|
||||
-
|
||||
- * the sssd-users mailing list:
|
||||
- End-user discussions about the System Security Services Daemon
|
||||
- <https://fedorahosted.org/mailman/listinfo/sssd-users>
|
||||
-
|
||||
- * the #sssd and #freeipa IRC channels on freenode:
|
||||
- irc://irc.freenode.net/sssd
|
||||
- irc://irc.freenode.net/freeipa
|
||||
-
|
||||
diff --git a/README.md b/README.md
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..40c88c08070b986a634496ac2d6ffba8643bd8a7
|
||||
--- /dev/null
|
||||
+++ b/README.md
|
||||
@@ -0,0 +1,28 @@
|
||||
+# SSSD - System Security Services Daemon
|
||||
+
|
||||
+## Introduction
|
||||
+SSSD provides a set of daemons to manage access to remote directories and
|
||||
+authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
|
||||
+an NSS and PAM interface toward the system and a pluggable backend system
|
||||
+to connect to multiple different account sources.
|
||||
+
|
||||
+More information about SSSD can be found on its project page -
|
||||
+https://pagure.io/SSSD/sssd/
|
||||
+
|
||||
+## Building and installation
|
||||
+Please see the file BUILD.txt for details
|
||||
+
|
||||
+## Documentation
|
||||
+The most up-to-date documentation can be found at https://fedorahosted.org/sssd/wiki/Documentation
|
||||
+
|
||||
+## Licensing
|
||||
+Please see the file called COPYING.
|
||||
+
|
||||
+## Contacts
|
||||
+There are several ways to contact us:
|
||||
+
|
||||
+* the sssd-devel mailing list: [Development of the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-devel)
|
||||
+* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-users)
|
||||
+* the #sssd and #freeipa IRC channels on freenode:
|
||||
+ * irc://irc.freenode.net/sssd
|
||||
+ * irc://irc.freenode.net/freeipa
|
||||
--
|
||||
2.9.3
|
||||
|
397
0089-MONITOR-Enable-an-implicit-files-domain-if-one-is-no.patch
Normal file
397
0089-MONITOR-Enable-an-implicit-files-domain-if-one-is-no.patch
Normal file
@ -0,0 +1,397 @@
|
||||
From 78bb3676fe8326e0fe2b60daad8bf524e4625d4e Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 21 Feb 2017 16:34:45 +0100
|
||||
Subject: [PATCH 89/95] MONITOR: Enable an implicit files domain if one is not
|
||||
configured
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If SSSD is compiled with --enable-files-domain, the loading of the
|
||||
domains changes such that:
|
||||
* if no domain with id_provider=files exists in the config file, an
|
||||
implicit SSSD files domain is added
|
||||
* this domain is always first in the list
|
||||
|
||||
The administrator is free to create a files domain in the config file
|
||||
himself and either place it at the end of the list or not enable it at
|
||||
all.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3112
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/conf_macros.m4 | 13 +++
|
||||
src/confdb/confdb.c | 182 +++++++++++++++++++++++++++++++++++
|
||||
src/confdb/confdb.h | 4 +
|
||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
||||
src/config/SSSDConfigTest.py | 3 +-
|
||||
src/config/cfg_rules.ini | 1 +
|
||||
src/config/etc/sssd.api.conf | 1 +
|
||||
src/man/Makefile.am | 7 +-
|
||||
src/man/sssd.conf.5.xml | 17 ++++
|
||||
src/monitor/monitor.c | 11 +++
|
||||
10 files changed, 238 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
|
||||
index 427b0e08d400d6e5628537b28bb93bc2fc6239a4..749e7694f4dd7086468e461194ef274be2094236 100644
|
||||
--- a/src/conf_macros.m4
|
||||
+++ b/src/conf_macros.m4
|
||||
@@ -903,3 +903,16 @@ AC_DEFUN([WITH_SECRETS_DB_PATH],
|
||||
AC_SUBST(secdbpath)
|
||||
AC_DEFINE_UNQUOTED(SECRETS_DB_PATH, "$config_secdbpath", [Path to the SSSD Secrets databases])
|
||||
])
|
||||
+
|
||||
+AC_ARG_ENABLE([files-domain],
|
||||
+ [AS_HELP_STRING([--enable-files-domain],
|
||||
+ [If this feature is enabled, then SSSD always enables
|
||||
+ a domain with id_provider=files even if the domain
|
||||
+ is not specified in the config file
|
||||
+ [default=no]])],
|
||||
+ [enable_files_domain=$enableval],
|
||||
+ [enable_files_domain=no])
|
||||
+AS_IF([test x$enable_files_domain = xyes],
|
||||
+ AC_DEFINE_UNQUOTED([ADD_FILES_DOMAIN], [1],
|
||||
+ [whether to build unconditionally enable files domain]))
|
||||
+AM_CONDITIONAL([ADD_FILES_DOMAIN], [test x$enable_files_domain = xyes])
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index c7afd683d7f21b513bb491adbf7f7bbe79786212..d82fd98ee02928b3c20df014528bd869ec946f92 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -1643,3 +1643,185 @@ done:
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+#ifdef ADD_FILES_DOMAIN
|
||||
+static int confdb_has_files_domain(struct confdb_ctx *cdb)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx = NULL;
|
||||
+ struct ldb_dn *dn = NULL;
|
||||
+ struct ldb_result *res = NULL;
|
||||
+ static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL };
|
||||
+ const char *id_provider = NULL;
|
||||
+ int ret;
|
||||
+ unsigned int i;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
|
||||
+ if (dn == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
|
||||
+ attrs, NULL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < res->count; i++) {
|
||||
+ id_provider = ldb_msg_find_attr_as_string(res->msgs[i],
|
||||
+ CONFDB_DOMAIN_ID_PROVIDER,
|
||||
+ NULL);
|
||||
+ if (id_provider == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "The object [%s] doesn't have a id_provider\n",
|
||||
+ ldb_dn_get_linearized(res->msgs[i]->dn));
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (strcasecmp(id_provider, "files") == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = i < res->count ? EOK : ENOENT;
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int create_files_domain(struct confdb_ctx *cdb,
|
||||
+ const char *name)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx = NULL;
|
||||
+ errno_t ret;
|
||||
+ char *cdb_path = NULL;
|
||||
+ const char *val[2] = { NULL, NULL };
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ cdb_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, name);
|
||||
+ if (cdb_path == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ val[0] = "files";
|
||||
+ ret = confdb_add_param(cdb, true, cdb_path, "id_provider", val);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add id_provider [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int activate_files_domain(struct confdb_ctx *cdb,
|
||||
+ const char *name)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ char *monitor_domlist;
|
||||
+ const char *domlist[2] = { NULL, NULL };
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = confdb_get_string(cdb, tmp_ctx,
|
||||
+ CONFDB_MONITOR_CONF_ENTRY,
|
||||
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
|
||||
+ NULL,
|
||||
+ &monitor_domlist);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error retrieving domains list!\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (monitor_domlist != NULL) {
|
||||
+ domlist[0] = talloc_asprintf(tmp_ctx, "%s,%s", name, monitor_domlist);
|
||||
+ if (domlist[0] == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ } else {
|
||||
+ domlist[0] = name;
|
||||
+ }
|
||||
+
|
||||
+ ret = confdb_add_param(cdb, true,
|
||||
+ CONFDB_MONITOR_CONF_ENTRY,
|
||||
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
|
||||
+ domlist);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot extend the domain list [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif /* ADD_FILES_DOMAIN */
|
||||
+
|
||||
+int confdb_ensure_files_domain(struct confdb_ctx *cdb,
|
||||
+ const char *implicit_files_dom_name)
|
||||
+{
|
||||
+#ifndef ADD_FILES_DOMAIN
|
||||
+ return EOK;
|
||||
+#else
|
||||
+ errno_t ret;
|
||||
+ bool enable_files;
|
||||
+
|
||||
+ ret = confdb_get_bool(cdb,
|
||||
+ CONFDB_MONITOR_CONF_ENTRY,
|
||||
+ CONFDB_MONITOR_ENABLE_FILES_DOM,
|
||||
+ true, &enable_files);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Cannot get the value of %s assuming true\n",
|
||||
+ CONFDB_MONITOR_ENABLE_FILES_DOM);
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ if (enable_files == false) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "The implicit files domain is disabled\n");
|
||||
+ return EOK;
|
||||
+ }
|
||||
+
|
||||
+ ret = confdb_has_files_domain(cdb);
|
||||
+ if (ret == EOK) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "The files domain is already enabled\n");
|
||||
+ return EOK;
|
||||
+ } else if (ret != ENOENT) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up the files domain\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ /* ENOENT, so let's add a files domain */
|
||||
+ ret = create_files_domain(cdb, implicit_files_dom_name);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add an implicit files domain\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ return activate_files_domain(cdb, implicit_files_dom_name);
|
||||
+#endif /* ADD_FILES_DOMAIN */
|
||||
+}
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 353dfd0a9afbcaba49fcfdc7930026bb2eebfc9e..89b89bf0d54af03cb2f28f421991231f0c7b755f 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -73,6 +73,7 @@
|
||||
#define CONFDB_MONITOR_USER_RUNAS "user"
|
||||
#define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
|
||||
#define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
|
||||
+#define CONFDB_MONITOR_ENABLE_FILES_DOM "enable_files_domain"
|
||||
|
||||
/* Both monitor and domains */
|
||||
#define CONFDB_NAME_REGEX "re_expression"
|
||||
@@ -373,6 +374,9 @@ int confdb_get_domain(struct confdb_ctx *cdb,
|
||||
int confdb_get_domains(struct confdb_ctx *cdb,
|
||||
struct sss_domain_info **domains);
|
||||
|
||||
+int confdb_ensure_files_domain(struct confdb_ctx *cdb,
|
||||
+ const char *implicit_files_dom_name);
|
||||
+
|
||||
/**
|
||||
* Get a null-terminated linked-list of all domain names
|
||||
* @param[in] mem_ctx The parent memory context for the value list
|
||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||
index 8c23fd271334acca6dbaf7df5d5aab15b3af5a42..44fb777eccd24d511067fee850f01ba9f3c1f134 100644
|
||||
--- a/src/config/SSSDConfig/__init__.py.in
|
||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||
@@ -64,6 +64,7 @@ option_strings = {
|
||||
'certificate_verification' : _('Tune certificate verification'),
|
||||
'override_space': _('All spaces in group or user names will be replaced with this character'),
|
||||
'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'),
|
||||
+ 'enable_files_domain' : _('Enable or disable the implicit files domain'),
|
||||
|
||||
# [nss]
|
||||
'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
|
||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
||||
index 0da5d63a198bf7242daf7f985ede8e0bc3df3841..8cb03adcbb55c4ca350af1504c0cb3ea1a2d236d 100755
|
||||
--- a/src/config/SSSDConfigTest.py
|
||||
+++ b/src/config/SSSDConfigTest.py
|
||||
@@ -312,7 +312,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
|
||||
'description',
|
||||
'certificate_verification',
|
||||
'override_space',
|
||||
- 'disable_netlink']
|
||||
+ 'disable_netlink',
|
||||
+ 'enable_files_domain']
|
||||
|
||||
self.assertTrue(type(options) == dict,
|
||||
"Options should be a dictionary")
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index 51981c3d0fc89d3f091dbe182cdd1d6de5618e1e..dd0f04b1a829c941215e96e1a160aeba7759e2bf 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -41,6 +41,7 @@ option = certificate_verification
|
||||
option = override_space
|
||||
option = config_file_version
|
||||
option = disable_netlink
|
||||
+option = enable_files_domain
|
||||
|
||||
[rule/allowed_nss_options]
|
||||
validator = ini_allowed_options
|
||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
||||
index 56540066fde71cad53f909e3534b3a674633af3f..7d21d6b7016e51021d168243e5bfd36e999801e4 100644
|
||||
--- a/src/config/etc/sssd.api.conf
|
||||
+++ b/src/config/etc/sssd.api.conf
|
||||
@@ -30,6 +30,7 @@ default_domain_suffix = str, None, false
|
||||
certificate_verification = str, None, false
|
||||
override_space = str, None, false
|
||||
disable_netlink = bool, None, false
|
||||
+enable_files_domain = str, None, false
|
||||
|
||||
[nss]
|
||||
# Name service
|
||||
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
|
||||
index 760bb7831b5852e1bf3be497ad5babdb4f4318c2..215ce693b56e74db394dbc238c03c87f5f6efe99 100644
|
||||
--- a/src/man/Makefile.am
|
||||
+++ b/src/man/Makefile.am
|
||||
@@ -35,7 +35,12 @@ endif
|
||||
if HAVE_SYSTEMD_UNIT
|
||||
SYSTEMD_CONDS = ;have_systemd
|
||||
endif
|
||||
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)
|
||||
+if ADD_FILES_DOMAIN
|
||||
+FILES_CONDS = ;enable_files_domain
|
||||
+else
|
||||
+FILES_CONDS = ;no_enable_files_domain
|
||||
+endif
|
||||
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)
|
||||
|
||||
|
||||
#Special Rules:
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 782aef7bf62d9bcef3c3dab534a25e01d85c1764..2a2ef69ff2da817087d60e81cff8075e91736bae 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -525,6 +525,23 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>enable_files_domain (boolean)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ When this option is enabled, SSSD
|
||||
+ prepends an implicit domain with
|
||||
+ <quote>id_provider=files</quote> before
|
||||
+ any explicitly configured domains.
|
||||
+ </para>
|
||||
+ <para condition="no_enable_files_domain">
|
||||
+ Default: false
|
||||
+ </para>
|
||||
+ <para condition="enable_files_domain">
|
||||
+ Default: true
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
</refsect2>
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index 59bf70741b76871c4937ad75c448aaf776cc37eb..7e7b5a07d11aecf1c0b11592213b90d385fd5076 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -90,6 +90,9 @@
|
||||
"that the file is accessible only by the "\
|
||||
"owner and owned by root.root.\n"
|
||||
|
||||
+/* SSSD domain name that is used for the auto-configured files domain */
|
||||
+#define IMPLICIT_FILES_DOMAIN_NAME "implicit_files"
|
||||
+
|
||||
int cmdline_debug_level;
|
||||
int cmdline_debug_timestamps;
|
||||
int cmdline_debug_microseconds;
|
||||
@@ -1053,6 +1056,14 @@ static int get_monitor_config(struct mt_ctx *ctx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+ ret = confdb_ensure_files_domain(ctx->cdb, IMPLICIT_FILES_DOMAIN_NAME);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Cannot add the implicit files domain [%d]: %s\n",
|
||||
+ ret, strerror(ret));
|
||||
+ /* Not fatal */
|
||||
+ }
|
||||
+
|
||||
ret = confdb_get_domains(ctx->cdb, &ctx->domains);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured.\n");
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,62 @@
|
||||
From 76b6d7fb9f31f7836158d248161aec3558098659 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 21 Feb 2017 21:05:25 +0100
|
||||
Subject: [PATCH 90/95] TESTS: Enable the files domain for all integration
|
||||
tests
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is done to make sure that enabling the files domain doesn't break
|
||||
existing functionality as well as making it possible to even that the
|
||||
implicit domain, since all integration tests use the same configuration.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
src/tests/intg/test_enumeration.py | 10 +++++++++-
|
||||
2 files changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index e676e18415c9d20ffd5ba2ce825dddd62d50c909..30ee5e5904a06609a03343bb3dc5b78ef169d4b4 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -3239,6 +3239,7 @@ intgcheck-prepare:
|
||||
--with-ldb-lib-dir="$$prefix"/lib/ldb \
|
||||
--enable-intgcheck-reqs \
|
||||
--without-semanage \
|
||||
+ --enable-files-domain \
|
||||
$(INTGCHECK_CONFIGURE_FLAGS); \
|
||||
$(MAKE) $(AM_MAKEFLAGS); \
|
||||
: Force single-thread install to workaround concurrency issues; \
|
||||
diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py
|
||||
index 5cb6c3e07435fea802f3f925e370605a0eb36d2c..47772dea288434c5b213eeba9b4eac904423d707 100644
|
||||
--- a/src/tests/intg/test_enumeration.py
|
||||
+++ b/src/tests/intg/test_enumeration.py
|
||||
@@ -98,7 +98,12 @@ SCHEMA_RFC2307_BIS = "rfc2307bis"
|
||||
|
||||
|
||||
def format_basic_conf(ldap_conn, schema):
|
||||
- """Format a basic SSSD configuration"""
|
||||
+ """
|
||||
+ Format a basic SSSD configuration
|
||||
+
|
||||
+ The files domain is defined but not enabled in order to avoid enumerating
|
||||
+ users from the files domain that would otherwise by implicitly enabled
|
||||
+ """
|
||||
schema_conf = "ldap_schema = " + schema + "\n"
|
||||
if schema == SCHEMA_RFC2307_BIS:
|
||||
schema_conf += "ldap_group_object_class = groupOfNames\n"
|
||||
@@ -115,6 +120,9 @@ def format_basic_conf(ldap_conn, schema):
|
||||
[pam]
|
||||
debug_level = 0xffff
|
||||
|
||||
+ [domain/files]
|
||||
+ id_provider = files
|
||||
+
|
||||
[domain/LDAP]
|
||||
ldap_auth_disable_tls_never_use_in_production = true
|
||||
debug_level = 0xffff
|
||||
--
|
||||
2.9.3
|
||||
|
111
0091-TESTS-Test-the-files-domain-autoconfiguration.patch
Normal file
111
0091-TESTS-Test-the-files-domain-autoconfiguration.patch
Normal file
@ -0,0 +1,111 @@
|
||||
From 13294bedc56faf1011f5ba7b1ed9a53b08e71c00 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 21 Feb 2017 21:04:29 +0100
|
||||
Subject: [PATCH 91/95] TESTS: Test the files domain autoconfiguration
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds tests that exercise the implicit files domain.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/tests/intg/test_files_provider.py | 78 +++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 78 insertions(+)
|
||||
|
||||
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
|
||||
index 528b5e5acc5078cce5bfab9a5f9dab5509e580eb..abf836bcc7a1810ea505dcf84ad1edfadf0c382c 100644
|
||||
--- a/src/tests/intg/test_files_provider.py
|
||||
+++ b/src/tests/intg/test_files_provider.py
|
||||
@@ -125,6 +125,48 @@ def files_domain_only(request):
|
||||
return None
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def no_sssd_domain(request):
|
||||
+ conf = unindent("""\
|
||||
+ [sssd]
|
||||
+ services = nss
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def no_files_domain(request):
|
||||
+ conf = unindent("""\
|
||||
+ [sssd]
|
||||
+ domains = local
|
||||
+ services = nss
|
||||
+
|
||||
+ [domain/local]
|
||||
+ id_provider = local
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def disabled_files_domain(request):
|
||||
+ conf = unindent("""\
|
||||
+ [sssd]
|
||||
+ domains = local
|
||||
+ services = nss
|
||||
+ enable_files_domain = false
|
||||
+
|
||||
+ [domain/local]
|
||||
+ id_provider = local
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
def setup_pw_with_list(request, user_list):
|
||||
pwd_ops = passwd_ops_setup(request)
|
||||
for user in user_list:
|
||||
@@ -754,3 +796,39 @@ def test_realloc_groups(setup_gr_with_canary, files_domain_only):
|
||||
check for off-by-one errors.
|
||||
"""
|
||||
realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK*3)
|
||||
+
|
||||
+
|
||||
+# Files domain autoconfiguration tests
|
||||
+def test_no_sssd_domain(add_user_with_canary, no_sssd_domain):
|
||||
+ """
|
||||
+ Test that if no sssd domain is configured, sssd will add the implicit one
|
||||
+ """
|
||||
+ res, user = sssd_getpwnam_sync(USER1["name"])
|
||||
+ assert res == NssReturnCode.SUCCESS
|
||||
+ assert user == USER1
|
||||
+
|
||||
+
|
||||
+def test_no_files_domain(add_user_with_canary, no_files_domain):
|
||||
+ """
|
||||
+ Test that if no files domain is configured, sssd will add the implicit one
|
||||
+ before any explicitly configured domains
|
||||
+ """
|
||||
+ # Add a user with a different UID than the one in files
|
||||
+ subprocess.check_call(
|
||||
+ ["sss_useradd", "-u", "10009", "-M", USER1["name"]])
|
||||
+
|
||||
+ # Even though the local domain is the only one configured,
|
||||
+ # files will be resolved first
|
||||
+ res, user = sssd_getpwnam_sync(USER1["name"])
|
||||
+ assert res == NssReturnCode.SUCCESS
|
||||
+ assert user == USER1
|
||||
+
|
||||
+
|
||||
+def test_disable_files_domain(add_user_with_canary, disabled_files_domain):
|
||||
+ """
|
||||
+ Test that if no files domain is configured, sssd will add the implicit one
|
||||
+ before any explicitly configured domains
|
||||
+ """
|
||||
+ # The local user will not be resolvable through nss_sss now
|
||||
+ res, user = sssd_getpwnam_sync(USER1["name"])
|
||||
+ assert res != NssReturnCode.SUCCESS
|
||||
--
|
||||
2.9.3
|
||||
|
247
0092-CONFDB-Refactor-reading-the-config-file.patch
Normal file
247
0092-CONFDB-Refactor-reading-the-config-file.patch
Normal file
@ -0,0 +1,247 @@
|
||||
From 5a660d3aa67403fba69a8047ecedfe8a4276fc30 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 23 Feb 2017 12:02:06 +0100
|
||||
Subject: [PATCH 92/95] CONFDB: Refactor reading the config file
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is in preparation for creating a fallback configuration
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/confdb/confdb_setup.c | 146 +++++++++++++++++++++++++++-------------------
|
||||
1 file changed, 85 insertions(+), 61 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
|
||||
index a71d9dd1202824b3c9a7e69f1d8fa905ac1b8c02..c040bdf9e59f47541f2d598a37699d035eb9e566 100644
|
||||
--- a/src/confdb/confdb_setup.c
|
||||
+++ b/src/confdb/confdb_setup.c
|
||||
@@ -126,69 +126,39 @@ static int confdb_create_base(struct confdb_ctx *cdb)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
-static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
- struct confdb_ctx *cdb)
|
||||
+static int confdb_ldif_from_ini_file(TALLOC_CTX *mem_ctx,
|
||||
+ const char *config_file,
|
||||
+ const char *config_dir,
|
||||
+ struct sss_ini_initdata *init_data,
|
||||
+ const char **_timestr,
|
||||
+ const char **_ldif)
|
||||
{
|
||||
- TALLOC_CTX *tmp_ctx;
|
||||
- int ret;
|
||||
- int sret = EOK;
|
||||
- int version;
|
||||
+ errno_t ret;
|
||||
char timestr[21];
|
||||
- bool in_transaction = false;
|
||||
- const char *config_ldif;
|
||||
- const char *vals[2] = { timestr, NULL };
|
||||
- struct ldb_ldif *ldif;
|
||||
- struct sss_ini_initdata *init_data;
|
||||
-
|
||||
- tmp_ctx = talloc_new(cdb);
|
||||
- if (tmp_ctx == NULL) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n");
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- init_data = sss_ini_initdata_init(tmp_ctx);
|
||||
- if (!init_data) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- /* Open config file */
|
||||
- ret = sss_ini_config_file_open(init_data, config_file);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_TRACE_FUNC,
|
||||
- "sss_ini_config_file_open failed: %s [%d]\n", strerror(ret),
|
||||
- ret);
|
||||
- if (ret == ENOENT) {
|
||||
- /* sss specific error denoting missing configuration file */
|
||||
- ret = ERR_MISSING_CONF;
|
||||
- }
|
||||
- goto done;
|
||||
- }
|
||||
+ int version;
|
||||
|
||||
ret = sss_ini_config_access_check(init_data);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Permission check on config file failed.\n");
|
||||
- ret = EPERM;
|
||||
- goto done;
|
||||
+ return EPERM;
|
||||
}
|
||||
|
||||
ret = sss_ini_get_stat(init_data);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Status check on config file failed.\n");
|
||||
ret = errno;
|
||||
- goto done;
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Status check on config file failed.\n");
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
errno = 0;
|
||||
-
|
||||
ret = sss_ini_get_mtime(init_data, sizeof(timestr), timestr);
|
||||
if (ret <= 0 || ret >= (int)sizeof(timestr)) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Failed to convert time_t to string ??\n");
|
||||
ret = errno ? errno : EFAULT;
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
/* FIXME: Determine if the conf file or any snippet has changed
|
||||
@@ -199,7 +169,7 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
ret = sss_ini_get_config(init_data, config_file, config_dir);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to load configuration\n");
|
||||
- goto done;
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
ret = sss_ini_call_validators(init_data,
|
||||
@@ -214,7 +184,7 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Internal error determining config_file_version\n");
|
||||
- goto done;
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
ret = sss_ini_check_config_obj(init_data);
|
||||
@@ -230,21 +200,82 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Config file version could not be determined\n");
|
||||
- goto done;
|
||||
+ return ret;
|
||||
} else if (version < CONFDB_VERSION_INT) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Config file is an old version. "
|
||||
"Please run configuration upgrade script.\n");
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
+ return EINVAL;
|
||||
} else if (version > CONFDB_VERSION_INT) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Config file version is newer than confdb\n");
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
+ return EINVAL;
|
||||
}
|
||||
}
|
||||
|
||||
+ ret = sss_confdb_create_ldif(mem_ctx, init_data, _ldif);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create LDIF for confdb\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ *_timestr = talloc_strdup(mem_ctx, timestr);
|
||||
+ if (*_timestr == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
+ struct confdb_ctx *cdb)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ int ret;
|
||||
+ int sret = EOK;
|
||||
+ bool in_transaction = false;
|
||||
+ const char *timestr = NULL;
|
||||
+ const char *config_ldif;
|
||||
+ const char *vals[2] = { NULL, NULL };
|
||||
+ struct ldb_ldif *ldif;
|
||||
+ struct sss_ini_initdata *init_data;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(cdb);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ init_data = sss_ini_initdata_init(tmp_ctx);
|
||||
+ if (!init_data) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Open config file */
|
||||
+ ret = sss_ini_config_file_open(init_data, config_file);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "sss_ini_config_file_open failed: %s [%d]\n", sss_strerror(ret),
|
||||
+ ret);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = confdb_ldif_from_ini_file(tmp_ctx,
|
||||
+ config_file,
|
||||
+ config_dir,
|
||||
+ init_data,
|
||||
+ ×tr,
|
||||
+ &config_ldif);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot convert INI to LDIF [%d]: [%s]\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "LDIF file to import: \n%s\n", config_ldif);
|
||||
+
|
||||
/* Set up a transaction to replace the configuration */
|
||||
ret = ldb_transaction_start(cdb->ldb);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
@@ -264,20 +295,12 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sss_confdb_create_ldif(tmp_ctx, init_data, &config_ldif);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE, "Could not create LDIF for confdb\n");
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- DEBUG(SSSDBG_TRACE_LIBS, "LDIF file to import: \n%s\n", config_ldif);
|
||||
-
|
||||
while ((ldif = ldb_ldif_read_string(cdb->ldb, &config_ldif))) {
|
||||
ret = ldb_add(cdb->ldb, ldif->msg);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Failed to initialize DB (%d,[%s]), aborting!\n",
|
||||
- ret, ldb_errstring(cdb->ldb));
|
||||
+ "Failed to initialize DB (%d,[%s]), aborting!\n",
|
||||
+ ret, ldb_errstring(cdb->ldb));
|
||||
ret = EIO;
|
||||
goto done;
|
||||
}
|
||||
@@ -287,10 +310,11 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
/* now store the lastUpdate time so that we do not re-init if nothing
|
||||
* changed on restart */
|
||||
|
||||
+ vals[0] = timestr;
|
||||
ret = confdb_add_param(cdb, true, "config", "lastUpdate", vals);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Failed to set last update time on db!\n");
|
||||
+ "Failed to set last update time on db!\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
151
0093-CONFDB-If-no-configuration-file-is-provided-create-a.patch
Normal file
151
0093-CONFDB-If-no-configuration-file-is-provided-create-a.patch
Normal file
@ -0,0 +1,151 @@
|
||||
From a4837791f62283079e7be4b17efb769be8b2dfd1 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 23 Feb 2017 12:22:49 +0100
|
||||
Subject: [PATCH 93/95] CONFDB: If no configuration file is provided, create a
|
||||
fallback configuration
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This functionality is only enabled in case SSSD is configured with with
|
||||
--enable-files-domain. If not, the behaviour is as it used to -- SSSD
|
||||
returns an error, instructing the admin to create a configuration file.
|
||||
|
||||
If the option is enabled, a very minimal confdb that only enables the
|
||||
NSS responder is created. The confdb later adds the implicit files
|
||||
domain.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/2229
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/confdb/confdb_setup.c | 60 +++++++++++++++++++++++++++--------
|
||||
src/tests/intg/test_files_provider.py | 16 ++++++++++
|
||||
2 files changed, 63 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
|
||||
index c040bdf9e59f47541f2d598a37699d035eb9e566..7884eea6367390c41f64b7023fe505dd653b49db 100644
|
||||
--- a/src/confdb/confdb_setup.c
|
||||
+++ b/src/confdb/confdb_setup.c
|
||||
@@ -28,6 +28,14 @@
|
||||
#include "confdb_setup.h"
|
||||
#include "util/sss_ini.h"
|
||||
|
||||
+#ifndef SSSD_FALLBACK_CONFIG_LDIF
|
||||
+#define SSSD_FALLBACK_CONFIG_LDIF \
|
||||
+"dn: cn=config\n" \
|
||||
+"version: 2\n\n" \
|
||||
+"dn: cn=sssd,cn=config\n" \
|
||||
+"cn: sssd\n" \
|
||||
+"services: nss\n\n"
|
||||
+#endif /* SSSD_FALLBACK_CONFIG_LDIF */
|
||||
|
||||
static int confdb_test(struct confdb_ctx *cdb)
|
||||
{
|
||||
@@ -227,6 +235,23 @@ static int confdb_ldif_from_ini_file(TALLOC_CTX *mem_ctx,
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static int confdb_fallback_ldif(TALLOC_CTX *mem_ctx,
|
||||
+ const char **_timestr,
|
||||
+ const char **_ldif)
|
||||
+{
|
||||
+#ifndef ADD_FILES_DOMAIN
|
||||
+ return ERR_MISSING_CONF;
|
||||
+#else
|
||||
+ *_timestr = talloc_strdup(mem_ctx, "1");
|
||||
+ *_ldif = talloc_strdup(mem_ctx, SSSD_FALLBACK_CONFIG_LDIF);
|
||||
+ if (*_timestr == NULL || *_ldif == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
struct confdb_ctx *cdb)
|
||||
{
|
||||
@@ -255,25 +280,34 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
|
||||
/* Open config file */
|
||||
ret = sss_ini_config_file_open(init_data, config_file);
|
||||
- if (ret != EOK) {
|
||||
+ if (ret == EOK) {
|
||||
+ ret = confdb_ldif_from_ini_file(tmp_ctx,
|
||||
+ config_file,
|
||||
+ config_dir,
|
||||
+ init_data,
|
||||
+ ×tr,
|
||||
+ &config_ldif);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot convert INI to LDIF [%d]: [%s]\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+ } else if (ret == ENOENT) {
|
||||
+ ret = confdb_fallback_ldif(tmp_ctx, ×tr, &config_ldif);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot create a fallback configuration [%d]: [%s]\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+ } else {
|
||||
DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
"sss_ini_config_file_open failed: %s [%d]\n", sss_strerror(ret),
|
||||
ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = confdb_ldif_from_ini_file(tmp_ctx,
|
||||
- config_file,
|
||||
- config_dir,
|
||||
- init_data,
|
||||
- ×tr,
|
||||
- &config_ldif);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Cannot convert INI to LDIF [%d]: [%s]\n",
|
||||
- ret, sss_strerror(ret));
|
||||
- goto done;
|
||||
- }
|
||||
DEBUG(SSSDBG_CONF_SETTINGS, "LDIF file to import: \n%s\n", config_ldif);
|
||||
|
||||
/* Set up a transaction to replace the configuration */
|
||||
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
|
||||
index abf836bcc7a1810ea505dcf84ad1edfadf0c382c..8748ac10b089087056b1b93950c8d890a190c8d0 100644
|
||||
--- a/src/tests/intg/test_files_provider.py
|
||||
+++ b/src/tests/intg/test_files_provider.py
|
||||
@@ -167,6 +167,12 @@ def disabled_files_domain(request):
|
||||
return None
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def no_sssd_conf(request):
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
def setup_pw_with_list(request, user_list):
|
||||
pwd_ops = passwd_ops_setup(request)
|
||||
for user in user_list:
|
||||
@@ -832,3 +838,13 @@ def test_disable_files_domain(add_user_with_canary, disabled_files_domain):
|
||||
# The local user will not be resolvable through nss_sss now
|
||||
res, user = sssd_getpwnam_sync(USER1["name"])
|
||||
assert res != NssReturnCode.SUCCESS
|
||||
+
|
||||
+
|
||||
+def test_no_sssd_conf(add_user_with_canary, no_sssd_conf):
|
||||
+ """
|
||||
+ Test that running without sssd.conf implicitly configures one with
|
||||
+ id_provider=files
|
||||
+ """
|
||||
+ res, user = sssd_getpwnam_sync(USER1["name"])
|
||||
+ assert res == NssReturnCode.SUCCESS
|
||||
+ assert user == USER1
|
||||
--
|
||||
2.9.3
|
||||
|
45
0094-authtok-fix-tests-on-big-endian.patch
Normal file
45
0094-authtok-fix-tests-on-big-endian.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 6b760226c0ed984b6b1a02f459e9cb1fc3d45ff9 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 28 Feb 2017 15:54:06 +0100
|
||||
Subject: [PATCH] authtok: fix tests on big-endian
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3270
|
||||
---
|
||||
src/tests/cmocka/test_authtok.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
|
||||
index b2ef08a1c75625253706910e0cc80f4d5d28be5d..4464230b34b1816ddeb98ec85abc1b59f1524e54 100644
|
||||
--- a/src/tests/cmocka/test_authtok.c
|
||||
+++ b/src/tests/cmocka/test_authtok.c
|
||||
@@ -604,8 +604,13 @@ void test_sss_authtok_sc_pin(void **state)
|
||||
SSS_AUTHTOK_TYPE_SC_PIN);
|
||||
size = sss_authtok_get_size(ts->authtoken);
|
||||
assert_int_equal(size, 28);
|
||||
+#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345678\0\0\0\0",
|
||||
size);
|
||||
+#else
|
||||
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\0\0\0\11\0\0\0\1\0\0\0\1\0\0\0\1" "12345678\0\0\0\0",
|
||||
+ size);
|
||||
+#endif
|
||||
|
||||
ret = sss_authtok_set_sc_pin(ts->authtoken, "12345678", 5);
|
||||
assert_int_equal(ret, EOK);
|
||||
@@ -613,8 +618,13 @@ void test_sss_authtok_sc_pin(void **state)
|
||||
SSS_AUTHTOK_TYPE_SC_PIN);
|
||||
size = sss_authtok_get_size(ts->authtoken);
|
||||
assert_int_equal(size, 25);
|
||||
+#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345\0\0\0\0",
|
||||
size);
|
||||
+#else
|
||||
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\0\0\0\6\0\0\0\1\0\0\0\1\0\0\0\1" "12345\0\0\0\0",
|
||||
+ size);
|
||||
+#endif
|
||||
|
||||
ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len);
|
||||
assert_int_equal(ret, EOK);
|
||||
--
|
||||
2.9.3
|
||||
|
108
sssd.spec
108
sssd.spec
@ -26,7 +26,7 @@
|
||||
|
||||
Name: sssd
|
||||
Version: 1.15.0
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -35,7 +35,101 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
### Patches ###
|
||||
Patch0501: 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch
|
||||
Patch0001: 0001-Updating-the-version-to-track-the-1.15.1-release.patch
|
||||
Patch0002: 0002-BUILD-Fix-linking-of-test_wbc_calls.patch
|
||||
Patch0003: 0003-Suppres-implicit-fallthrough-from-gcc-7.patch
|
||||
Patch0004: 0004-pam_sss-Suppress-warning-format-truncation.patch
|
||||
Patch0005: 0005-TOOLS-Fix-warning-format-truncation.patch
|
||||
Patch0006: 0006-sssctl-Fix-warning-may-be-used-uninitialized.patch
|
||||
Patch0007: 0007-SBUS-remove-unused-symbols.patch
|
||||
Patch0008: 0008-SBUS-use-sss_ptr_hash-for-opath-table.patch
|
||||
Patch0009: 0009-SBUS-use-sss_ptr_hash-for-nodes-table.patch
|
||||
Patch0010: 0010-SBUS-use-sss_ptr_hash-for-signals-table.patch
|
||||
Patch0011: 0011-ldap_child-Fix-use-after-free.patch
|
||||
Patch0012: 0012-FAILOVER-Improve-port-status-log-messages.patch
|
||||
Patch0013: 0013-IFP-Update-ifp_iface_generated.c.patch
|
||||
Patch0014: 0014-SYSTEMD-Update-journald-drop-in-file.patch
|
||||
Patch0015: 0015-Partially-revert-CONFIG-Use-default-config-when-none.patch
|
||||
Patch0016: 0016-SUDO-Add-skip_entry-boolean-to-sudo-conversions.patch
|
||||
Patch0017: 0017-TESTS-Add-to-IPA-DN-test.patch
|
||||
Patch0018: 0018-LDAP-Better-logging-message.patch
|
||||
Patch0019: 0019-SYSDB-Removing-of-sysdb_try_to_find_expected_dn.patch
|
||||
Patch0020: 0020-TEST-create_multidom_test_ctx-extending.patch
|
||||
Patch0021: 0021-TESTS-Tests-for-sdap_search_initgr_user_in_batch.patch
|
||||
Patch0022: 0022-ssh-fix-number-of-output-certificates.patch
|
||||
Patch0023: 0023-ssh-do-not-create-again-fq-name.patch
|
||||
Patch0024: 0024-sss_parse_inp_send-provide-default_domain-as-paramet.patch
|
||||
Patch0025: 0025-cache_req-add-ability-to-not-use-default-domain-suff.patch
|
||||
Patch0026: 0026-cache_req-search-user-by-name-with-attrs.patch
|
||||
Patch0027: 0027-cache_req-add-api-to-create-ldb_result-from-message.patch
|
||||
Patch0028: 0028-cache_req-move-dp-request-to-plugin.patch
|
||||
Patch0029: 0029-cache_req-add-host-by-name-search.patch
|
||||
Patch0030: 0030-ssh-rewrite-ssh-responder-to-use-cache_req.patch
|
||||
Patch0031: 0031-AD-Use-ad_domain-to-match-forest-root-domain-not-the.patch
|
||||
Patch0032: 0032-BUILD-Fix-linking-of-test_sdap_initgr.patch
|
||||
Patch0033: 0033-ssh-fix-typo.patch
|
||||
Patch0034: 0034-cache_req-always-go-to-dp-first-when-looking-up-host.patch
|
||||
Patch0035: 0035-MONITOR-Wrap-up-sending-sd_notify-ready-into-a-new-f.patch
|
||||
Patch0036: 0036-MONITOR-Don-t-timeout-if-using-local-provider-socket.patch
|
||||
Patch0037: 0037-SUDO-Only-store-lowercased-attribute-value-once.patch
|
||||
Patch0038: 0038-NEGCACHE-Add-API-to-reset-all-users-and-groups.patch
|
||||
Patch0039: 0039-NSS-Add-sbus-interface-to-clear-memory-cache.patch
|
||||
Patch0040: 0040-NSS-Rename-the-interface-to-invalidate-memory-cache-.patch
|
||||
Patch0041: 0041-UTIL-Add-a-new-domain-state-called-DOM_INCONSISTENT.patch
|
||||
Patch0042: 0042-RESPONDER-Add-a-responder-sbus-interface-to-set-doma.patch
|
||||
Patch0043: 0043-RESPONDER-A-sbus-interface-to-reset-negatively-cache.patch
|
||||
Patch0044: 0044-DP-Add-internal-DP-interface-to-set-domain-state.patch
|
||||
Patch0045: 0045-DP-Add-internal-interface-to-reset-negative-cache-fr.patch
|
||||
Patch0046: 0046-DP-Add-internal-interface-to-invalidate-memory-cache.patch
|
||||
Patch0047: 0047-RESPONDER-Use-the-NEED_CHECK_DOMAIN-macro.patch
|
||||
Patch0048: 0048-RESPONDER-Include-the-files-provider-in-NEEDS_CHECK_.patch
|
||||
Patch0049: 0049-RESPONDER-Contact-inconsistent-domains.patch
|
||||
Patch0050: 0050-UTIL-Add-a-generic-inotify-module.patch
|
||||
Patch0051: 0051-CONFDB-Re-enable-the-files-provider.patch
|
||||
Patch0052: 0052-FILES-Add-the-files-provider.patch
|
||||
Patch0053: 0053-CONFDB-The-files-provider-always-enumerates.patch
|
||||
Patch0054: 0054-CONFDB-Make-pwfield-configurable-per-domain.patch
|
||||
Patch0055: 0055-CONFDB-The-files-domain-defaults-to-x-as-pwfield.patch
|
||||
Patch0056: 0056-MAN-Document-the-pwfield-configuration-option.patch
|
||||
Patch0057: 0057-TESTS-move-helper-fixtures-to-back-up-and-restore-a-.patch
|
||||
Patch0058: 0058-TESTS-add-a-helper-module-with-shared-NSS-constants.patch
|
||||
Patch0059: 0059-TESTS-Add-a-module-to-call-nss_sss-s-getpw-from-test.patch
|
||||
Patch0060: 0060-TESTS-Add-a-module-to-call-nss_sss-s-getgr-from-test.patch
|
||||
Patch0061: 0061-TESTS-Add-files-provider-integration-tests.patch
|
||||
Patch0062: 0062-MONITOR-Remove-checks-for-sssd.conf-changes.patch
|
||||
Patch0063: 0063-MONITOR-Use-the-common-inotify-code-to-watch-resolv..patch
|
||||
Patch0064: 0064-MAN-Add-documentation-for-the-files-provider.patch
|
||||
Patch0065: 0065-EXAMPLES-Do-not-point-to-id_provider-local.patch
|
||||
Patch0066: 0066-SBUS-Document-how-to-free-the-result-of-sbus_create_.patch
|
||||
Patch0067: 0067-IPA_SUDO-Unused-value-fix.patch
|
||||
Patch0068: 0068-intg-Fix-python3-issues.patch
|
||||
Patch0069: 0069-DYNDNS-Update-PTR-record-after-non-fatal-error.patch
|
||||
Patch0070: 0070-DYNDNS-Correct-debug-log-message-of-realm.patch
|
||||
Patch0071: 0071-sdap_extend_map-make-sure-memory-can-be-freed.patch
|
||||
Patch0072: 0072-check_duplicate-check-name-member-before-using-it.patch
|
||||
Patch0073: 0073-FILES-Fix-reallocation-logic.patch
|
||||
Patch0074: 0074-pam_sss-check-conversation-callback.patch
|
||||
Patch0075: 0075-MONITOR-Don-t-return-an-error-in-case-we-fail-to-reg.patch
|
||||
Patch0076: 0076-FILES-Remove-unnecessary-check.patch
|
||||
Patch0077: 0077-PAM-store-user-object-in-the-preq-context.patch
|
||||
Patch0078: 0078-PAM-fix-memory-leak-in-pam_sss.patch
|
||||
Patch0079: 0079-PAM-use-sentinel-error-code-in-PAM-tests.patch
|
||||
Patch0080: 0080-utils-new-error-codes.patch
|
||||
Patch0081: 0081-LDAP-proxy-tell-frontend-that-Smartcard-auth-is-not-.patch
|
||||
Patch0082: 0082-authtok-enhance-support-for-Smartcard-auth-blobs.patch
|
||||
Patch0083: 0083-PAM-forward-Smartcard-credentials-to-backends.patch
|
||||
Patch0084: 0084-p11-return-name-of-PKCS-11-module-and-key-id-to-pam_.patch
|
||||
Patch0085: 0085-pam-enhance-Smartcard-authentication-token.patch
|
||||
Patch0086: 0086-KRB5-allow-pkinit-pre-authentication.patch
|
||||
Patch0087: 0087-TESTS-Remove-unused-import.patch
|
||||
Patch0088: 0088-DOC-Deprecate-README-add-README.md.patch
|
||||
Patch0089: 0089-MONITOR-Enable-an-implicit-files-domain-if-one-is-no.patch
|
||||
Patch0090: 0090-TESTS-Enable-the-files-domain-for-all-integration-te.patch
|
||||
Patch0091: 0091-TESTS-Test-the-files-domain-autoconfiguration.patch
|
||||
Patch0092: 0092-CONFDB-Refactor-reading-the-config-file.patch
|
||||
Patch0093: 0093-CONFDB-If-no-configuration-file-is-provided-create-a.patch
|
||||
Patch0094: 0094-authtok-fix-tests-on-big-endian.patch
|
||||
|
||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||
|
||||
### Dependencies ###
|
||||
@ -575,6 +669,7 @@ autoreconf -ivf
|
||||
--with-initscript=systemd \
|
||||
--with-syslog=journald \
|
||||
--enable-sss-default-nss-plugin \
|
||||
--enable-files-domain \
|
||||
%{?with_cifs_utils_plugin_option} \
|
||||
%{?enable_systemtap_opt} \
|
||||
|
||||
@ -733,6 +828,7 @@ done
|
||||
|
||||
%dir %{_libdir}/%{name}
|
||||
%{_libdir}/%{name}/libsss_simple.so
|
||||
%{_libdir}/%{name}/libsss_files.so
|
||||
|
||||
#Internal shared libraries
|
||||
%{_libdir}/%{name}/libsss_child.so
|
||||
@ -783,6 +879,7 @@ done
|
||||
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
|
||||
%{_mandir}/man5/sssd.conf.5*
|
||||
%{_mandir}/man5/sssd-simple.5*
|
||||
%{_mandir}/man5/sssd-files.5*
|
||||
%{_mandir}/man5/sssd-sudo.5*
|
||||
%{_mandir}/man5/sssd-secrets.5*
|
||||
%{_mandir}/man5/sss_rpcidmapd.5*
|
||||
@ -1122,6 +1219,13 @@ fi
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Wed Feb 22 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.15.0-4
|
||||
- Cherry-pick patches from upstream that enable the files provider
|
||||
- Enable the files domain
|
||||
- Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch
|
||||
which is superseded by the files domain autoconfiguration
|
||||
- Related: rhbz#1357418 - SSSD fast cache for local users
|
||||
|
||||
* Tue Feb 14 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.0-3
|
||||
- Add missing %%license macro
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user