Cherry-pick patches from upstream that enable the files provider

Required for:
    https://bugzilla.redhat.com/show_bug.cgi?id=1357418 - SSSD fast cache for local users
This commit is contained in:
Jakub Hrozek 2017-02-22 16:01:18 +01:00
parent 3e94aee54c
commit 396c651083
95 changed files with 20427 additions and 9 deletions

View File

@ -0,0 +1,23 @@
From 33da7b13eaed678789b7ccba00e49065a8838e9a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 25 Jan 2017 16:46:31 +0100
Subject: [PATCH 01/79] Updating the version to track the 1.15.1 release
---
version.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version.m4 b/version.m4
index 5ff77ba10a8e8a512057e4176377ba33713eb285..bec03afc6e4357e8f505978b0474888c2ab16a85 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
# Primary version number
-m4_define([VERSION_NUMBER], [1.15.0])
+m4_define([VERSION_NUMBER], [1.15.1])
# If the PRERELEASE_VERSION_NUMBER is set, we'll append
# it to the release tag when creating an RPM or SRPM
--
2.9.3

View File

@ -0,0 +1,40 @@
From c369b062182c746849196e495db467198039edf4 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 25 Jan 2017 16:12:02 +0100
Subject: [PATCH 02/79] BUILD: Fix linking of test_wbc_calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Client code does not anymore depend on libpthread in master.
This is a reason why we didn't notice any linking failure
in master. But the test should be linked with CLIENT_LIBS.
CCLD test_wbc_calls
/usr/bin/ld: src/sss_client/test_wbc_calls-common.o: undefined reference
to symbol 'pthread_mutexattr_setrobust@@GLIBC_2.12'
//lib/x86_64-linux-gnu/libpthread.so.0: error adding symbols: DSO missing
from command line
collect2: error: ld returned 1 exit status
Makefile:12460: recipe for target 'test_wbc_calls' failed
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile.am b/Makefile.am
index 661e9447d56146cb756a23af3a1b0aa0fbf98fa4..674d328f52929cc2b20d1212af830c3777312bf1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2703,6 +2703,7 @@ test_wbc_calls_LDFLAGS = \
-Wl,-wrap,sss_nss_getnamebysid \
$(NULL)
test_wbc_calls_LDADD = \
+ $(CLIENT_LIBS) \
$(CMOCKA_LIBS) \
$(POPT_LIBS) \
$(TALLOC_LIBS) \
--
2.9.3

View File

@ -0,0 +1,201 @@
From 2e505786d6d9d537f5b6631099862f6b93e2e687 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 30 Jan 2017 12:17:25 +0100
Subject: [PATCH 03/79] Suppres implicit-fallthrough from gcc 7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some kind of comments are recognized by gcc7 but they are ignored with
-Wimplicit-fallthrough=5 and only attributes disable the warning.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
configure.ac | 24 ++++++++++++++++++++++++
src/db/sysdb_ops.c | 1 +
src/providers/ad/ad_id.c | 1 +
src/providers/fail_over.c | 4 ++++
src/providers/krb5/krb5_auth.c | 1 +
src/providers/ldap/sdap_idmap.c | 1 +
src/providers/proxy/proxy_id.c | 1 +
src/python/pyhbac.c | 1 +
src/responder/common/responder_dp.c | 1 +
src/util/murmurhash3.c | 3 +++
10 files changed, 38 insertions(+)
diff --git a/configure.ac b/configure.ac
index 291504652bf02e38c7edfd0cc4eefbe4ceaf09e6..d264abf3ebebbc1f3a96d1a450993e0933a5d789 100644
--- a/configure.ac
+++ b/configure.ac
@@ -418,6 +418,30 @@ if test x"$sss_cv_attribute_warn_unused_result" = xyes ; then
[whether compiler supports __attribute__((warn_unused_result))])
fi
+SAFE_CFLAGS=$CFLAGS
+CFLAGS="-Werror"
+AC_CACHE_CHECK(
+ [whether compiler supports __attribute__((fallthrough))],
+ [sss_cv_attribute_fallthrough],
+ [AC_COMPILE_IFELSE(
+ [AC_LANG_SOURCE(
+ [ __attribute__ ((fallthrough)); ])
+ ],[
+ sss_cv_attribute_fallthrough=yes
+ sss_cv_attribute_fallthrough_val="__attribute__ ((fallthrough))"
+ ],[
+ sss_cv_attribute_fallthrough=no
+ sss_cv_attribute_fallthrough_val=
+ ])
+ ])
+CFLAGS=$SAFE_CFLAGS
+
+AC_DEFINE_UNQUOTED(
+ [SSS_ATTRIBUTE_FALLTHROUGH],
+ [$sss_cv_attribute_fallthrough_val],
+ [__attribute__((fallthrough)) if supported])
+
+
PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=])
if test x$have_check = x; then
AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite])
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 77e4c1a699eded07d2b266b08d2f4c177e6181a6..7f6c127d4fa3ef7655d5eb931210d0248352e159 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -116,6 +116,7 @@ static int sysdb_delete_cache_entry(struct ldb_context *ldb,
return EOK;
}
/* fall through */
+ SSS_ATTRIBUTE_FALLTHROUGH;
default:
DEBUG(SSSDBG_CRIT_FAILURE, "LDB Error: %s(%d)\nError Message: [%s]\n",
ldb_strerror(ret), ret, ldb_errstring(ldb));
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 46a41a37b96bb7734f61226e72e75b56f9deccf1..8f26cb8744d2372c6180342c0d1bca025b16f52c 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -337,6 +337,7 @@ static bool ad_account_can_shortcut(struct be_ctx *be_ctx,
goto done;
}
/* fall through */
+ SSS_ATTRIBUTE_FALLTHROUGH;
case BE_FILTER_SECID:
csid = sid == NULL ? filter_value : sid;
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
index 77084098831a312bc8629513ccfc2a91165241ba..5d3c26d4a690769637f2fa4f41a76627cbdba77a 100644
--- a/src/providers/fail_over.c
+++ b/src/providers/fail_over.c
@@ -1145,6 +1145,7 @@ fo_resolve_service_server(struct tevent_req *req)
state->server->common);
fo_set_server_status(state->server, SERVER_RESOLVING_NAME);
/* FALLTHROUGH */
+ SSS_ATTRIBUTE_FALLTHROUGH;
case SERVER_RESOLVING_NAME:
/* Name resolution is already under way. Just add ourselves into the
* waiting queue so we get notified after the operation is finished. */
@@ -1284,6 +1285,7 @@ resolve_srv_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
* "server" might be invalid now if the SRV
* query collapsed
* */
+ SSS_ATTRIBUTE_FALLTHROUGH;
case SRV_NEUTRAL: /* Request SRV lookup */
if (server != NULL && server != state->meta) {
/* A server created by expansion of meta server was marked as
@@ -1443,9 +1445,11 @@ resolve_srv_done(struct tevent_req *subreq)
break;
case ERR_SRV_NOT_FOUND:
/* fall through */
+ SSS_ATTRIBUTE_FALLTHROUGH;
case ERR_SRV_LOOKUP_ERROR:
fo_set_port_status(state->meta, PORT_NOT_WORKING);
/* fall through */
+ SSS_ATTRIBUTE_FALLTHROUGH;
default:
DEBUG(SSSDBG_OP_FAILURE, "Unable to resolve SRV [%d]: %s\n",
ret, sss_strerror(ret));
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index bdd8e24111b077bfb91f19987d2ed289d803b334..0e685618ec2de1f923ffd9d78bf2a9d8816019e1 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -965,6 +965,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_delete_ccname failed.\n");
}
/* FALLTHROUGH */
+ SSS_ATTRIBUTE_FALLTHROUGH;
case ERR_CREDS_EXPIRED:
/* If the password is expired we can safely remove the ccache from the
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
index b5dfc6cefe3ceed4971042a5326dd2b9c7f5eec8..0fda815224b5ce278e6fae4a5264f82cd1ea4a9d 100644
--- a/src/providers/ldap/sdap_idmap.c
+++ b/src/providers/ldap/sdap_idmap.c
@@ -516,6 +516,7 @@ sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
"sssd-ad(5) for an explanation of how to resolve this issue.\n",
sid_str);
/* Fall through intentionally */
+ SSS_ATTRIBUTE_FALLTHROUGH;
default:
DEBUG(SSSDBG_MINOR_FAILURE,
"Could not convert objectSID [%s] to a UNIX ID\n",
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index 3d272897bda5622fa1e56e6b84448df7c3cefa2b..9b83f7a3cc942560186815b680e8b5f98508f18a 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -1403,6 +1403,7 @@ static int get_initgr_groups_process(TALLOC_CTX *memctx,
"Assume the user is only member of its "
"primary group (%"SPRIgid")\n", pwd->pw_gid);
/* fall through */
+ SSS_ATTRIBUTE_FALLTHROUGH;
case NSS_STATUS_SUCCESS:
DEBUG(SSSDBG_CONF_SETTINGS, "User [%s] appears to be member of %lu "
"groups\n", pwd->pw_name, num_gids);
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
index 09d308a0f3c932c4077dfdc92b3a46fe3238b69b..f7633ee02c5f113fad64c5ee41736d8f63a1914a 100644
--- a/src/python/pyhbac.c
+++ b/src/python/pyhbac.c
@@ -1621,6 +1621,7 @@ py_hbac_evaluate(HbacRequest *self, PyObject *args)
goto fail;
}
/* FALLTHROUGH */
+ SSS_ATTRIBUTE_FALLTHROUGH;
case HBAC_EVAL_DENY:
ret = PYNUMBER_FROMLONG(eres);
break;
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index da67676675284db14fe7f6fcf8cb47e9f2baa7f9..11eb47ce1d41027f36998aba7b9fbca5fb4c7910 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -221,6 +221,7 @@ static int sss_dp_get_reply(DBusPendingCall *pending,
DEBUG(SSSDBG_FATAL_FAILURE,"The Data Provider returned an error [%s]\n",
dbus_message_get_error_name(reply));
/* Falling through to default intentionally*/
+ SSS_ATTRIBUTE_FALLTHROUGH;
default:
/*
* Timeout or other error occurred or something
diff --git a/src/util/murmurhash3.c b/src/util/murmurhash3.c
index 03d10ff6ae360350dcc96e3e40ece0a0ce3d6b58..061e64e990aa4d91d4a300e116d2fb1193e33392 100644
--- a/src/util/murmurhash3.c
+++ b/src/util/murmurhash3.c
@@ -90,14 +90,17 @@ uint32_t murmurhash3(const char *key, int len, uint32_t seed)
switch (len & 3) {
case 3:
k1 ^= tail[2] << 16;
+ SSS_ATTRIBUTE_FALLTHROUGH;
case 2:
k1 ^= tail[1] << 8;
+ SSS_ATTRIBUTE_FALLTHROUGH;
case 1:
k1 ^= tail[0];
k1 *= c1;
k1 = rotl(k1, 15);
k1 *= c2;
h1 ^= k1;
+ break;
default:
break;
}
--
2.9.3

View File

@ -0,0 +1,47 @@
From cbb0e683ff11d7800328da3991f3e75ef88f937f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 30 Jan 2017 12:49:13 +0100
Subject: [PATCH 04/79] pam_sss: Suppress warning format-truncation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
src/sss_client/pam_sss.c: In function send_and_receive:
src/sss_client/pam_sss.c:742:39: error: %.*s directive output
between 0 and 18446744073709551615 bytes may cause result to exceed
INT_MAX [-Werror=format-truncation=]
ret = snprintf(user_msg, bufsize, "%s%s%.*s",
^~~~~~~~~~
sssd/src/sss_client/pam_sss.c:742:39: note: assuming directive output
of 4294967295 bytes
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/sss_client/pam_sss.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index be697c7fcfb47a57b5b498c61f60fcf4bfbbd57f..b4175ae2c7fc1385a19f81045695bcd73d43f754 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -689,7 +689,7 @@ static int user_info_account_expired(pam_handle_t *pamh, size_t buflen,
ret = snprintf(user_msg, bufsize, "%s%s%.*s",
EXP_ACC_MSG,
msg_len > 0 ? SRV_MSG : "",
- msg_len,
+ (int)msg_len,
msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" );
if (ret < 0 || ret > bufsize) {
D(("snprintf failed."));
@@ -744,7 +744,7 @@ static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen,
ret = snprintf(user_msg, bufsize, "%s%s%.*s",
_("Password change failed. "),
msg_len > 0 ? _("Server message: ") : "",
- msg_len,
+ (int)msg_len,
msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" );
if (ret < 0 || ret > bufsize) {
D(("snprintf failed."));
--
2.9.3

View File

@ -0,0 +1,49 @@
From c587e9ae55c618c011bd4dde6a94fe5dc60fff01 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 30 Jan 2017 12:55:59 +0100
Subject: [PATCH 05/79] TOOLS: Fix warning format-truncation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
src/tools/sss_groupshow.c: In function print_group_info:
src/tools/sss_groupshow.c:612:22: error: %d directive output truncated
writing between 10 and 11 bytes into a region of size 7 [-Werror=format-truncation=]
snprintf(fmt, 8, "%%%ds", level*PADDING_SPACES);
^~~~~~~
src/tools/sss_groupshow.c:612:22: note: using the range
[-2147483648, 2147483647] for directive argument
src/tools/sss_groupshow.c:612:5: note: snprintf output between 13 and 14
bytes into a destination of size 8
snprintf(fmt, 8, "%%%ds", level*PADDING_SPACES);
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/tools/sss_groupshow.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
index 258d458b0d1a4cb56c8fb61060cb43a1c88c1ed0..ac4c3dc912db3d418c2eace8b5b1f3476768c875 100644
--- a/src/tools/sss_groupshow.c
+++ b/src/tools/sss_groupshow.c
@@ -603,7 +603,7 @@ fail:
/*==================The main program=================================== */
-static void print_group_info(struct group_info *g, int level)
+static void print_group_info(struct group_info *g, unsigned level)
{
int i;
char padding[512];
@@ -634,7 +634,7 @@ static void print_group_info(struct group_info *g, int level)
printf(_("\n%1$sMember groups: "), padding);
}
-static void print_recursive(struct group_info **group_members, int level)
+static void print_recursive(struct group_info **group_members, unsigned level)
{
int i;
--
2.9.3

View File

@ -0,0 +1,50 @@
From bf0b4eb335ec1fb4fdd925f5cf80490ec8b8c24e Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 30 Jan 2017 14:36:56 +0100
Subject: [PATCH 06/79] sssctl: Fix warning may be used uninitialized
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
gcc 7 probably does some new optimisations which might cause few
wariables to be uninitialized.
src/tools/sssctl/sssctl_cache.c: In function sssctl_print_object:
src/tools/sssctl/sssctl_cache.c:523:13: error: dom may be used uninitialized
in this function [-Werror=maybe-uninitialized]
ret = info[i].attr_fn(tmp_ctx, entry, dom, info[i].attr, &value);
~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/tools/sssctl/sssctl_cache.c:472:15: error: entry may be used
uninitialized in this function [-Werror=maybe-uninitialized]
*_entry = talloc_steal(mem_ctx, entry);
^~~~~~~~~~~~
src/tools/sssctl/sssctl_cache.c:437:25: note: entry was declared here
struct sysdb_attrs *entry;
^~~~~
Another workaround would be to remove static modifier from function
sssctl_find_object which probably prevents some inlinig + optimisation.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/tools/sssctl/sssctl_cache.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tools/sssctl/sssctl_cache.c b/src/tools/sssctl/sssctl_cache.c
index 59c8cb473966d60848908fb8b9adcb7d769c8cd9..8f0fc281b73f38f408c1a2307192b3f207a97b5d 100644
--- a/src/tools/sssctl/sssctl_cache.c
+++ b/src/tools/sssctl/sssctl_cache.c
@@ -434,8 +434,8 @@ static errno_t sssctl_fetch_object(TALLOC_CTX *mem_ctx,
struct sss_domain_info **_dom)
{
TALLOC_CTX *tmp_ctx;
- struct sysdb_attrs *entry;
- struct sss_domain_info *dom;
+ struct sysdb_attrs *entry = NULL;
+ struct sss_domain_info *dom = NULL;
const char **attrs;
char *sanitized;
errno_t ret;
--
2.9.3

View File

@ -0,0 +1,57 @@
From bc898b360b9667195a7ae59537587c3ec696ac19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 24 Jan 2017 12:36:04 +0100
Subject: [PATCH 07/79] SBUS: remove unused symbols
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/sbus/sssd_dbus.h | 2 --
src/sbus/sssd_dbus_connection.c | 9 ---------
2 files changed, 11 deletions(-)
diff --git a/src/sbus/sssd_dbus.h b/src/sbus/sssd_dbus.h
index 5a66f09d550533839b22465170950fdfdd71aa1e..c6cca7d4edf5014576f41ed146919427f8e3255f 100644
--- a/src/sbus/sssd_dbus.h
+++ b/src/sbus/sssd_dbus.h
@@ -247,8 +247,6 @@ sbus_opath_get_object_name(TALLOC_CTX *mem_ctx,
const char *object_path,
const char *base_path);
-bool sbus_conn_disconnecting(struct sbus_connection *conn);
-
/* max_retries < 0: retry forever
* max_retries = 0: never retry (why are you calling this function?)
* max_retries > 0: obvious
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
index 450cee9045de88fcf84b3ca379dd9f1bd5c98ef2..9def7084e5d496a5e6aa40ec0eafd2471a64659f 100644
--- a/src/sbus/sssd_dbus_connection.c
+++ b/src/sbus/sssd_dbus_connection.c
@@ -27,9 +27,6 @@
#include "sbus/sssd_dbus_private.h"
#include "sbus/sssd_dbus_meta.h"
-/* Types */
-struct dbus_ctx_list;
-
static int sbus_auto_reconnect(struct sbus_connection *conn);
static void sbus_dispatch(struct tevent_context *ev,
@@ -501,12 +498,6 @@ void sbus_reconnect_init(struct sbus_connection *conn,
conn->reconnect_pvt = pvt;
}
-bool sbus_conn_disconnecting(struct sbus_connection *conn)
-{
- if (conn->disconnect == 1) return true;
- return false;
-}
-
int sss_dbus_conn_send(DBusConnection *dbus_conn,
DBusMessage *msg,
int timeout_ms,
--
2.9.3

View File

@ -0,0 +1,255 @@
From a3b2bc38263191f23eba2ad98470d8ecd016a60b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 24 Jan 2017 13:14:47 +0100
Subject: [PATCH 08/79] SBUS: use sss_ptr_hash for opath table
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch reuses sss_ptr_hash module introduced in NSS patches in sbus code.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/sbus/sssd_dbus_connection.c | 4 +-
src/sbus/sssd_dbus_interface.c | 94 +++++++++++------------------------------
src/sbus/sssd_dbus_private.h | 5 +--
3 files changed, 28 insertions(+), 75 deletions(-)
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
index 9def7084e5d496a5e6aa40ec0eafd2471a64659f..6ca039e8e2a919141bf951ed0203dc2c48b3eb55 100644
--- a/src/sbus/sssd_dbus_connection.c
+++ b/src/sbus/sssd_dbus_connection.c
@@ -163,8 +163,8 @@ int sbus_init_connection(TALLOC_CTX *ctx,
conn->last_request_time = last_request_time;
conn->client_destructor_data = client_destructor_data;
- ret = sbus_opath_hash_init(conn, conn, &conn->managed_paths);
- if (ret != EOK) {
+ conn->managed_paths = sbus_opath_hash_init(conn, conn);
+ if (conn->managed_paths == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create object paths hash table\n");
talloc_free(conn);
return EIO;
diff --git a/src/sbus/sssd_dbus_interface.c b/src/sbus/sssd_dbus_interface.c
index 32e5b27e1f701898d96f5537b2bc72d491903b54..e8c8851231fab68024065a13c5f1e2642ba829e9 100644
--- a/src/sbus/sssd_dbus_interface.c
+++ b/src/sbus/sssd_dbus_interface.c
@@ -23,6 +23,7 @@
#include <dhash.h>
#include "util/util.h"
+#include "util/sss_ptr_hash.h"
#include "sbus/sssd_dbus.h"
#include "sbus/sssd_dbus_meta.h"
#include "sbus/sssd_dbus_private.h"
@@ -492,13 +493,11 @@ sbus_opath_hash_delete_cb(hash_entry_t *item,
dbus_connection_unregister_object_path(conn->dbus.conn, path);
}
-errno_t
+hash_table_t *
sbus_opath_hash_init(TALLOC_CTX *mem_ctx,
- struct sbus_connection *conn,
- hash_table_t **_table)
+ struct sbus_connection *conn)
{
- return sss_hash_create_ex(mem_ctx, 10, _table, 0, 0, 0, 0,
- sbus_opath_hash_delete_cb, conn);
+ return sss_ptr_hash_create(mem_ctx, sbus_opath_hash_delete_cb, conn);
}
static errno_t
@@ -511,11 +510,8 @@ sbus_opath_hash_add_iface(hash_table_t *table,
struct sbus_interface_list *list = NULL;
struct sbus_interface_list *item = NULL;
const char *iface_name = iface->vtable->meta->name;
- hash_key_t key;
- hash_value_t value;
bool path_known;
errno_t ret;
- int hret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -536,22 +532,14 @@ sbus_opath_hash_add_iface(hash_table_t *table,
/* first lookup existing list in hash table */
- key.type = HASH_KEY_STRING;
- key.str = talloc_strdup(tmp_ctx, object_path);
- if (key.str == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- hret = hash_lookup(table, &key, &value);
- if (hret == HASH_SUCCESS) {
+ list = sss_ptr_hash_lookup(table, object_path, struct sbus_interface_list);
+ if (list != NULL) {
/* This object path has already some interface registered. We will
* check for existence of the interface currently being added and
* add it if missing. */
path_known = true;
- list = talloc_get_type(value.ptr, struct sbus_interface_list);
if (sbus_iface_list_lookup(list, iface_name) != NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "Trying to register the same interface"
" twice: iface=%s, opath=%s\n", iface_name, object_path);
@@ -562,9 +550,6 @@ sbus_opath_hash_add_iface(hash_table_t *table,
DLIST_ADD_END(list, item, struct sbus_interface_list *);
ret = EOK;
goto done;
- } else if (hret != HASH_ERROR_KEY_NOT_FOUND) {
- ret = EIO;
- goto done;
}
/* otherwise create new hash entry and new list */
@@ -572,17 +557,8 @@ sbus_opath_hash_add_iface(hash_table_t *table,
path_known = false;
list = item;
- value.type = HASH_VALUE_PTR;
- value.ptr = list;
-
- hret = hash_enter(table, &key, &value);
- if (hret != HASH_SUCCESS) {
- ret = EIO;
- goto done;
- }
-
- talloc_steal(table, key.str);
- ret = EOK;
+ ret = sss_ptr_hash_add(table, object_path, list,
+ struct sbus_interface_list);
done:
if (ret == EOK) {
@@ -599,12 +575,7 @@ static bool
sbus_opath_hash_has_path(hash_table_t *table,
const char *object_path)
{
- hash_key_t key;
-
- key.type = HASH_KEY_STRING;
- key.str = discard_const(object_path);
-
- return hash_has_key(table, &key);
+ return sss_ptr_hash_has_key(table, object_path);
}
/**
@@ -621,9 +592,6 @@ sbus_opath_hash_lookup_iface(hash_table_t *table,
struct sbus_interface_list *list = NULL;
struct sbus_interface *iface = NULL;
char *lookup_path = NULL;
- hash_key_t key;
- hash_value_t value;
- int hret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -636,21 +604,13 @@ sbus_opath_hash_lookup_iface(hash_table_t *table,
}
while (lookup_path != NULL) {
- key.type = HASH_KEY_STRING;
- key.str = lookup_path;
-
- hret = hash_lookup(table, &key, &value);
- if (hret == HASH_SUCCESS) {
- list = talloc_get_type(value.ptr, struct sbus_interface_list);
+ list = sss_ptr_hash_lookup(table, lookup_path,
+ struct sbus_interface_list);
+ if (list != NULL) {
iface = sbus_iface_list_lookup(list, iface_name);
if (iface != NULL) {
goto done;
}
- } else if (hret != HASH_ERROR_KEY_NOT_FOUND) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Unable to search hash table: hret=%d\n", hret);
- iface = NULL;
- goto done;
}
/* we will not free lookup path since it is freed with tmp_ctx
@@ -674,13 +634,11 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
{
TALLOC_CTX *tmp_ctx = NULL;
TALLOC_CTX *list_ctx = NULL;
- struct sbus_interface_list *copy = NULL;
- struct sbus_interface_list *list = NULL;
+ struct sbus_interface_list *copy;
+ struct sbus_interface_list *output_list;
+ struct sbus_interface_list *table_list;
char *lookup_path = NULL;
- hash_key_t key;
- hash_value_t value;
errno_t ret;
- int hret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -699,23 +657,19 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
goto done;
}
- while (lookup_path != NULL) {
- key.type = HASH_KEY_STRING;
- key.str = lookup_path;
+ /* Initialize output_list. */
+ output_list = NULL;
- hret = hash_lookup(table, &key, &value);
- if (hret == HASH_SUCCESS) {
- ret = sbus_iface_list_copy(list_ctx, value.ptr, &copy);
+ while (lookup_path != NULL) {
+ table_list = sss_ptr_hash_lookup(table, lookup_path,
+ struct sbus_interface_list);
+ if (table_list != NULL) {
+ ret = sbus_iface_list_copy(list_ctx, table_list, &copy);
if (ret != EOK) {
goto done;
}
- DLIST_CONCATENATE(list, copy, struct sbus_interface_list *);
- } else if (hret != HASH_ERROR_KEY_NOT_FOUND) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Unable to search hash table: hret=%d\n", hret);
- ret = EIO;
- goto done;
+ DLIST_CONCATENATE(output_list, copy, struct sbus_interface_list *);
}
/* we will not free lookup path since it is freed with tmp_ctx
@@ -724,7 +678,7 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
}
talloc_steal(mem_ctx, list_ctx);
- *_list = list;
+ *_list = output_list;
ret = EOK;
done:
diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h
index 8abca66b087d9ce1081889feda2ca1e1372514ad..c8913d0f0c522147aacf3214000ef9d4855fdb0c 100644
--- a/src/sbus/sssd_dbus_private.h
+++ b/src/sbus/sssd_dbus_private.h
@@ -121,10 +121,9 @@ struct sbus_interface_list {
struct sbus_interface *interface;
};
-errno_t
+hash_table_t *
sbus_opath_hash_init(TALLOC_CTX *mem_ctx,
- struct sbus_connection *conn,
- hash_table_t **_table);
+ struct sbus_connection *conn);
struct sbus_interface *
sbus_opath_hash_lookup_iface(hash_table_t *table,
--
2.9.3

View File

@ -0,0 +1,165 @@
From ea872f140a04419fba3f2b9722da74d7fd1ca1ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 24 Jan 2017 13:47:42 +0100
Subject: [PATCH 09/79] SBUS: use sss_ptr_hash for nodes table
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch reuses sss_ptr_hash module introduced in NSS patches in sbus code.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/sbus/sssd_dbus_connection.c | 4 +--
src/sbus/sssd_dbus_interface.c | 72 +++++++----------------------------------
src/sbus/sssd_dbus_private.h | 6 ++--
3 files changed, 16 insertions(+), 66 deletions(-)
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
index 6ca039e8e2a919141bf951ed0203dc2c48b3eb55..5e493fb03e835d5f939a599efdc07f7ab2f9be28 100644
--- a/src/sbus/sssd_dbus_connection.c
+++ b/src/sbus/sssd_dbus_connection.c
@@ -170,8 +170,8 @@ int sbus_init_connection(TALLOC_CTX *ctx,
return EIO;
}
- ret = sbus_nodes_hash_init(conn, conn, &conn->nodes_fns);
- if (ret != EOK) {
+ conn->nodes_fns = sbus_nodes_hash_init(conn);
+ if (conn->nodes_fns == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create node functions hash table\n");
talloc_free(conn);
return EIO;
diff --git a/src/sbus/sssd_dbus_interface.c b/src/sbus/sssd_dbus_interface.c
index e8c8851231fab68024065a13c5f1e2642ba829e9..1a11c6abcf23053e3b8c77f4d469d7c202a88eb8 100644
--- a/src/sbus/sssd_dbus_interface.c
+++ b/src/sbus/sssd_dbus_interface.c
@@ -686,13 +686,10 @@ done:
return ret;
}
-errno_t
-sbus_nodes_hash_init(TALLOC_CTX *mem_ctx,
- struct sbus_connection *conn,
- hash_table_t **_table)
+hash_table_t *
+sbus_nodes_hash_init(TALLOC_CTX *mem_ctx)
{
- return sss_hash_create_ex(mem_ctx, 10, _table, 0, 0, 0, 0,
- NULL, conn);
+ return sss_ptr_hash_create(mem_ctx, NULL, NULL);
}
struct sbus_nodes_data {
@@ -706,57 +703,24 @@ sbus_nodes_hash_add(hash_table_t *table,
sbus_nodes_fn nodes_fn,
void *handler_data)
{
- TALLOC_CTX *tmp_ctx;
struct sbus_nodes_data *data;
- hash_key_t key;
- hash_value_t value;
errno_t ret;
- bool has_key;
- int hret;
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- return ENOMEM;
- }
-
- key.type = HASH_KEY_STRING;
- key.str = talloc_strdup(tmp_ctx, object_path);
- if (key.str == NULL) {
- return ENOMEM;
- }
-
- has_key = hash_has_key(table, &key);
- if (has_key) {
- ret = EEXIST;
- goto done;
- }
-
- data = talloc_zero(tmp_ctx, struct sbus_nodes_data);
+ data = talloc_zero(table, struct sbus_nodes_data);
if (data == NULL) {
- ret = ENOMEM;
- goto done;
+ return ENOMEM;
}
data->handler_data = handler_data;
data->nodes_fn = nodes_fn;
- value.type = HASH_VALUE_PTR;
- value.ptr = data;
-
- hret = hash_enter(table, &key, &value);
- if (hret != HASH_SUCCESS) {
- ret = EIO;
- goto done;
+ ret = sss_ptr_hash_add(table, object_path, data, struct sbus_nodes_data);
+ if (ret != EOK) {
+ talloc_free(data);
+ return ret;
}
- talloc_steal(table, key.str);
- talloc_steal(table, data);
-
- ret = EOK;
-
-done:
- talloc_free(tmp_ctx);
- return ret;
+ return EOK;
}
const char **
@@ -765,24 +729,12 @@ sbus_nodes_hash_lookup(TALLOC_CTX *mem_ctx,
const char *object_path)
{
struct sbus_nodes_data *data;
- hash_key_t key;
- hash_value_t value;
- int hret;
- key.type = HASH_KEY_STRING;
- key.str = discard_const(object_path);
-
- hret = hash_lookup(table, &key, &value);
- if (hret == HASH_ERROR_KEY_NOT_FOUND) {
- return NULL;
- } else if (hret != HASH_SUCCESS) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Unable to search hash table: hret=%d\n", hret);
+ data = sss_ptr_hash_lookup(table, object_path, struct sbus_nodes_data);
+ if (data == NULL) {
return NULL;
}
- data = talloc_get_type(value.ptr, struct sbus_nodes_data);
-
return data->nodes_fn(mem_ctx, object_path, data->handler_data);
}
diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h
index c8913d0f0c522147aacf3214000ef9d4855fdb0c..a5a2d47f4bfac99960fcca56aaa48077c36b96e4 100644
--- a/src/sbus/sssd_dbus_private.h
+++ b/src/sbus/sssd_dbus_private.h
@@ -136,10 +136,8 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
const char *object_path,
struct sbus_interface_list **_list);
-errno_t
-sbus_nodes_hash_init(TALLOC_CTX *mem_ctx,
- struct sbus_connection *conn,
- hash_table_t **_table);
+hash_table_t *
+sbus_nodes_hash_init(TALLOC_CTX *mem_ctx);
const char **
sbus_nodes_hash_lookup(TALLOC_CTX *mem_ctx,
--
2.9.3

View File

@ -0,0 +1,168 @@
From b1afef0bc8d98c389a7f71307bee8ef9fc991ced Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 24 Jan 2017 14:02:51 +0100
Subject: [PATCH 10/79] SBUS: use sss_ptr_hash for signals table
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch reuses sss_ptr_hash module introduced in NSS patches in sbus code.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/sbus/sssd_dbus_connection.c | 4 +--
src/sbus/sssd_dbus_private.h | 5 ++--
src/sbus/sssd_dbus_signals.c | 58 ++++++++++-------------------------------
3 files changed, 18 insertions(+), 49 deletions(-)
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
index 5e493fb03e835d5f939a599efdc07f7ab2f9be28..de134f2f21bfb9697fcc8a42622817bc50b54f2a 100644
--- a/src/sbus/sssd_dbus_connection.c
+++ b/src/sbus/sssd_dbus_connection.c
@@ -177,8 +177,8 @@ int sbus_init_connection(TALLOC_CTX *ctx,
return EIO;
}
- ret = sbus_incoming_signal_hash_init(conn, &conn->incoming_signals);
- if (ret != EOK) {
+ conn->incoming_signals = sbus_incoming_signal_hash_init(conn);
+ if (conn->incoming_signals == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create incoming singals "
"hash table\n");
talloc_free(conn);
diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h
index a5a2d47f4bfac99960fcca56aaa48077c36b96e4..a3d4bae166d5a4d17037b16094248d22de7e8f62 100644
--- a/src/sbus/sssd_dbus_private.h
+++ b/src/sbus/sssd_dbus_private.h
@@ -180,9 +180,8 @@ sbus_signal_handler(DBusConnection *conn,
DBusMessage *message,
void *handler_data);
-errno_t
-sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx,
- hash_table_t **_table);
+hash_table_t *
+sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx);
void sbus_register_common_signals(struct sbus_connection *conn, void *pvt);
diff --git a/src/sbus/sssd_dbus_signals.c b/src/sbus/sssd_dbus_signals.c
index 3f463e603a625cae8415fb17f5cd811ef0c10e15..be1c8527e5513bc258e7764239d9b16af083ac65 100644
--- a/src/sbus/sssd_dbus_signals.c
+++ b/src/sbus/sssd_dbus_signals.c
@@ -23,6 +23,7 @@
#include <dhash.h>
#include "util/util.h"
+#include "util/sss_ptr_hash.h"
#include "sbus/sssd_dbus.h"
#include "sbus/sssd_dbus_private.h"
@@ -60,11 +61,10 @@ struct sbus_incoming_signal_data {
void *handler_data;
};
-errno_t
-sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx,
- hash_table_t **_table)
+hash_table_t *
+sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx)
{
- return sss_hash_create(mem_ctx, 10, _table);
+ return sss_ptr_hash_create(mem_ctx, NULL, NULL);
}
static errno_t
@@ -76,30 +76,20 @@ sbus_incoming_signal_hash_add(hash_table_t *table,
{
TALLOC_CTX *tmp_ctx;
struct sbus_incoming_signal_data *data;
- hash_key_t key;
- hash_value_t value;
+ char *key;
errno_t ret;
- bool has_key;
- int hret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return ENOMEM;
}
- key.type = HASH_KEY_STRING;
- key.str = talloc_asprintf(tmp_ctx, "%s.%s", iface, a_signal);
- if (key.str == NULL) {
+ key = talloc_asprintf(tmp_ctx, "%s.%s", iface, a_signal);
+ if (key == NULL) {
ret = ENOMEM;
goto done;
}
- has_key = hash_has_key(table, &key);
- if (has_key) {
- ret = EEXIST;
- goto done;
- }
-
data = talloc_zero(tmp_ctx, struct sbus_incoming_signal_data);
if (data == NULL) {
ret = ENOMEM;
@@ -109,16 +99,11 @@ sbus_incoming_signal_hash_add(hash_table_t *table,
data->handler_data = handler_data;
data->handler_fn = handler_fn;
- value.type = HASH_VALUE_PTR;
- value.ptr = data;
-
- hret = hash_enter(table, &key, &value);
- if (hret != HASH_SUCCESS) {
- ret = EIO;
+ ret = sss_ptr_hash_add(table, key, data, struct sbus_incoming_signal_data);
+ if (ret != EOK) {
goto done;
}
- talloc_steal(table, key.str);
talloc_steal(table, data);
ret = EOK;
@@ -134,31 +119,16 @@ sbus_incoming_signal_hash_lookup(hash_table_t *table,
const char *a_signal)
{
struct sbus_incoming_signal_data *data;
- hash_key_t key;
- hash_value_t value;
- int hret;
+ char *key;
- key.type = HASH_KEY_STRING;
- key.str = talloc_asprintf(NULL, "%s.%s", iface, a_signal);
- if (key.str == NULL) {
+ key = talloc_asprintf(NULL, "%s.%s", iface, a_signal);
+ if (key == NULL) {
return NULL;
}
- hret = hash_lookup(table, &key, &value);
- if (hret == HASH_ERROR_KEY_NOT_FOUND) {
- data = NULL;
- goto done;
- } else if (hret != HASH_SUCCESS) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Unable to search hash table: hret=%d\n", hret);
- data = NULL;
- goto done;
- }
+ data = sss_ptr_hash_lookup(table, key, struct sbus_incoming_signal_data);
+ talloc_free(key);
- data = talloc_get_type(value.ptr, struct sbus_incoming_signal_data);
-
-done:
- talloc_free(key.str);
return data;
}
--
2.9.3

View File

@ -0,0 +1,139 @@
From cb831fbbcb0dac8b6202037d4cd1a0d82db54f54 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 17 Jan 2017 10:17:24 +0100
Subject: [PATCH 11/79] ldap_child: Fix use after free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case on any krb5 related error, we tried to send string
interpretation of krb5 error tb parrent in prepare_response.
However, we cannot use global krb5 context (krb5_error_ctx)
because the context is every time released in done section of
ldap_child_get_tgt_sync.
This patch rather return duplicated string to prevent use after free.
Backtrace:
#0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
100 ../sysdeps/x86_64/multiarch/strchr.S: No such file or directory.
Thread 1 (Thread 0x7fc96cad5880 (LWP 11201)):
#0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
No locals.
#1 0x00007fc96be43725 in err_fmt_fmt (msg=0x7fc96d1cf8d0 "Cannot find KDC for requested realm",
code=-1765328230,
err_fmt=<optimized out>) at kerrs.c:152
buf = {buftype = K5BUF_DYNAMIC, data = 0x7fc96d1cdb10,
space = 128, len = 0}
p = <optimized out>
s = 0xdededededededede <Address 0xdededededededede out of bounds>
#2 krb5_get_error_message (ctx=<optimized out>,
code=code@entry=-1765328230) at kerrs.c:184
std = 0x7fc96d1cf8d0 "Cannot find KDC for requested realm"
#3 0x00007fc96cb224e5 in sss_krb5_get_error_message (ctx=<optimized out>,
ec=ec@entry=-1765328230) at src/util/sss_krb5.c:424
No locals.
#4 0x00007fc96cb1fbb0 in prepare_response (rsp=<synthetic pointer>,
kerr=-1765328230, expire_time=0,
ccname=0x0,
mem_ctx=0x7fc96d1cb390) at src/providers/ldap/ldap_child.c:553
ret = <optimized out>
r = 0x7fc96d1cd8b0
krb5_msg = 0x0
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ldap/ldap_child.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index ffcbc3985691b965c76a06805068118628adc198..3f88a28dcffc320ba66afccbdcee71432913b775 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -276,7 +276,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
const char *keytab_name,
const krb5_deltat lifetime,
const char **ccname_out,
- time_t *expire_time_out)
+ time_t *expire_time_out,
+ char **_krb5_msg)
{
char *ccname;
char *ccname_dummy;
@@ -522,7 +523,14 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
done:
- if (krberr != 0) KRB5_SYSLOG(krberr);
+ if (krberr != 0) {
+ const char *krb5_msg;
+
+ KRB5_SYSLOG(krberr);
+ krb5_msg = sss_krb5_get_error_message(context, krberr);
+ *_krb5_msg = talloc_strdup(memctx, krb5_msg);
+ sss_krb5_free_error_message(context, krb5_msg);
+ }
if (keytab) krb5_kt_close(context, keytab);
if (context) krb5_free_context(context);
talloc_free(tmp_ctx);
@@ -533,11 +541,11 @@ static int prepare_response(TALLOC_CTX *mem_ctx,
const char *ccname,
time_t expire_time,
krb5_error_code kerr,
+ char *krb5_msg,
struct response **rsp)
{
int ret;
struct response *r = NULL;
- const char *krb5_msg = NULL;
r = talloc_zero(mem_ctx, struct response);
if (!r) return ENOMEM;
@@ -550,15 +558,13 @@ static int prepare_response(TALLOC_CTX *mem_ctx,
if (kerr == 0) {
ret = pack_buffer(r, EOK, kerr, ccname, expire_time);
} else {
- krb5_msg = sss_krb5_get_error_message(krb5_error_ctx, kerr);
if (krb5_msg == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "sss_krb5_get_error_message failed.\n");
+ "Empty krb5 error message for non-zero kerr: %"PRIi32"\n",
+ kerr);
return ENOMEM;
}
-
ret = pack_buffer(r, EFAULT, kerr, krb5_msg, 0);
- sss_krb5_free_error_message(krb5_error_ctx, krb5_msg);
}
if (ret != EOK) {
@@ -605,6 +611,7 @@ int main(int argc, const char *argv[])
uint8_t *buf = NULL;
ssize_t len = 0;
const char *ccname = NULL;
+ char *krb5_msg = NULL;
time_t expire_time = 0;
struct input_buffer *ibuf = NULL;
struct response *resp = NULL;
@@ -721,13 +728,14 @@ int main(int argc, const char *argv[])
kerr = ldap_child_get_tgt_sync(main_ctx, ibuf->context,
ibuf->realm_str, ibuf->princ_str,
ibuf->keytab_name, ibuf->lifetime,
- &ccname, &expire_time);
+ &ccname, &expire_time, &krb5_msg);
if (kerr != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "ldap_child_get_tgt_sync failed.\n");
/* Do not return, must report failure */
}
- ret = prepare_response(main_ctx, ccname, expire_time, kerr, &resp);
+ ret = prepare_response(main_ctx, ccname, expire_time, kerr, krb5_msg,
+ &resp);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "prepare_response failed. [%d][%s].\n",
ret, strerror(ret));
--
2.9.3

View File

@ -0,0 +1,41 @@
From 1c7f9a676088ecee4c14df14b8688b391fb32a05 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 19 Dec 2016 16:49:17 -0500
Subject: [PATCH 12/79] FAILOVER: Improve port status log messages
It should be more clear to administrators that when SSSD internal
port status is set as PORT_NOT_WORKING, this does not directly relate
to an assumed network port-related issue.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/fail_over.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
index 5d3c26d4a690769637f2fa4f41a76627cbdba77a..168e59d6f4e9fc8abd827be21004daef2c6613f0 100644
--- a/src/providers/fail_over.c
+++ b/src/providers/fail_over.c
@@ -376,12 +376,18 @@ get_port_status(struct fo_server *server)
"Port status of port %d for server '%s' is '%s'\n", server->port,
SERVER_NAME(server), str_port_status(server->port_status));
+ if (server->port_status == PORT_NOT_WORKING) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "SSSD is unable to complete the full "
+ "connection request, this internal status does not necessarily "
+ "indicate network port issues.\n");
+ }
+
timeout = server->service->ctx->opts->retry_timeout;
if (timeout != 0 && server->port_status == PORT_NOT_WORKING) {
gettimeofday(&tv, NULL);
if (STATUS_DIFF(server, tv) > timeout) {
DEBUG(SSSDBG_CONF_SETTINGS,
- "Reseting the status of port %d for server '%s'\n",
+ "Resetting the status of port %d for server '%s'\n",
server->port, SERVER_NAME(server));
server->port_status = PORT_NEUTRAL;
server->last_status_change.tv_sec = tv.tv_sec;
--
2.9.3

View File

@ -0,0 +1,44 @@
From 2ddcd5785f10de42bf03dfc36eca94dbc1fc1fb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 6 Feb 2017 18:58:18 +0000
Subject: [PATCH 13/79] IFP: Update ifp_iface_generated.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These changes are leftovers from commit 78b4b7e.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/ifp/ifp_iface_generated.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/responder/ifp/ifp_iface_generated.c b/src/responder/ifp/ifp_iface_generated.c
index 90cd4ff9e3a4dff3e8d2e3d904bbf6bde6a748ae..d9df6c623b7f597b8ea9427a58488b340b1934ea 100644
--- a/src/responder/ifp/ifp_iface_generated.c
+++ b/src/responder/ifp/ifp_iface_generated.c
@@ -263,11 +263,6 @@ const struct sbus_interface_meta iface_ifp_meta = {
sbus_invoke_get_all, /* GetAll invoker */
};
-/* methods for org.freedesktop.sssd.infopipe.Components */
-const struct sbus_method_meta iface_ifp_components__methods[] = {
- { NULL, }
-};
-
/* property info for org.freedesktop.sssd.infopipe.Components */
const struct sbus_property_meta iface_ifp_components__properties[] = {
{
@@ -321,7 +316,7 @@ const struct sbus_property_meta iface_ifp_components__properties[] = {
/* interface info for org.freedesktop.sssd.infopipe.Components */
const struct sbus_interface_meta iface_ifp_components_meta = {
"org.freedesktop.sssd.infopipe.Components", /* name */
- iface_ifp_components__methods,
+ NULL, /* no methods */
NULL, /* no signals */
iface_ifp_components__properties,
sbus_invoke_get_all, /* GetAll invoker */
--
2.9.3

View File

@ -0,0 +1,30 @@
From 7b4704a10958bb7d3390db9eff863875d2b643f7 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 7 Feb 2017 09:52:59 +0100
Subject: [PATCH 14/79] SYSTEMD: Update journald drop-in file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We changed type forking into type notify as part of commit
d4063e9a21a4e203bee7e0a0144fa8cabb14cc46.
But we forgot to update template drop-in file for logging into journald.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/sysv/systemd/journal.conf.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sysv/systemd/journal.conf.in b/src/sysv/systemd/journal.conf.in
index d89325e0872881e3e8485102d9971871101098f3..9ce170b4893629792516aab41573adea1fb741f0 100644
--- a/src/sysv/systemd/journal.conf.in
+++ b/src/sysv/systemd/journal.conf.in
@@ -4,4 +4,4 @@
# run 'systemctl daemon-reload' and then restart the SSSD service
# for this to take effect
#ExecStart=
-#ExecStart=@sbindir@/sssd -D
+#ExecStart=@sbindir@/sssd -i
--
2.9.3

View File

@ -1,13 +1,15 @@
From 829aa39dffbe35f58b34159b962a2dd8de85fd30 Mon Sep 17 00:00:00 2001
From c029f707d4847b01ff64bf3bb1fd46c0b5927cdb Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 12 Dec 2016 18:33:48 +0100
Subject: [PATCH] Partially revert "CONFIG: Use default config when none
Subject: [PATCH 15/79] Partially revert "CONFIG: Use default config when none
provided"
This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a.
Removed is copying of default configuration into /etc/sssd/sssd.conf
Sample configurations is still part of installation.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
Makefile.am | 3 ---
src/confdb/confdb.h | 1 -
@ -15,10 +17,10 @@ Sample configurations is still part of installation.
3 files changed, 4 insertions(+), 40 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index a15e68f682f6d8af301e11df8dcaef6d7f27e8c0..45d44146e737fc8460a2ed9ffc0171a6bb494b2b 100644
index 674d328f52929cc2b20d1212af830c3777312bf1..6d21af8e8c455622d8c4c8b4e325789c4c1e34cb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -462,7 +462,6 @@ AM_CPPFLAGS = \
@@ -473,7 +473,6 @@ AM_CPPFLAGS = \
-DSSSDDATADIR=\"$(sssddatadir)\" \
-DSSSD_LIBEXEC_PATH=\"$(sssdlibexecdir)\" \
-DSSSD_CONF_DIR=\"$(sssdconfdir)\" \
@ -26,7 +28,7 @@ index a15e68f682f6d8af301e11df8dcaef6d7f27e8c0..45d44146e737fc8460a2ed9ffc0171a6
-DSSS_NSS_MCACHE_DIR=\"$(mcpath)\" \
-DSSS_NSS_SOCKET_NAME=\"$(pipepath)/nss\" \
-DSSS_PAM_SOCKET_NAME=\"$(pipepath)/pam\" \
@@ -1232,8 +1231,6 @@ sssd_SOURCES = \
@@ -1252,8 +1251,6 @@ sssd_SOURCES = \
src/confdb/confdb_setup.c \
src/monitor/monitor_iface_generated.c \
src/util/nscd.c \
@ -36,7 +38,7 @@ index a15e68f682f6d8af301e11df8dcaef6d7f27e8c0..45d44146e737fc8460a2ed9ffc0171a6
sssd_LDADD = \
$(SSSD_LIBS) \
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 12beaabf8c949bd111abbe16cb98a205490fb08f..4813072bdafb5d6c9ec56a9ccaa5db6a1120112d 100644
index 9055048865f008a2c3732551730c4a881cb9108c..dd6ac77f5a787b0434b56fccba49aa195b13297a 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -40,7 +40,6 @@
@ -113,5 +115,5 @@ index d6feab9000d54d2c3761de6d8e990053ade7e85f..a71d9dd1202824b3c9a7e69f1d8fa905
ret = sss_ini_config_access_check(init_data);
--
2.11.0
2.9.3

View File

@ -0,0 +1,177 @@
From d0aae3c1e87e2e51ab178b7b343261443094a974 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Fri, 20 Jan 2017 15:43:34 -0500
Subject: [PATCH 16/79] SUDO: Add skip_entry boolean to sudo conversions
Add boolean to convert_attributes function and pass boolean as argument
to sudo conversion functions to add logic for skipping unexpected
entries like replication conflicts.
Resolves:
https://fedorahosted.org/sssd/ticket/3288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_sudo_conversion.c | 55 ++++++++++++++++++++++++---------
1 file changed, 41 insertions(+), 14 deletions(-)
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index 9dbc8604df544ce0865a2e99facf92cfd697123b..05d863c20954c816e52d27fe4a5e1553776c6d41 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -746,12 +746,15 @@ struct ipa_sudo_conv_result_ctx {
static const char *
convert_host(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv,
- const char *value)
+ const char *value,
+ bool *skip_entry)
{
char *rdn;
const char *group;
errno_t ret;
+ *skip_entry = false;
+
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
MATCHRDN_HOST(conv->map_host));
if (ret == EOK) {
@@ -765,7 +768,8 @@ convert_host(TALLOC_CTX *mem_ctx,
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
MATCHRDN_HOSTGROUP(conv->map_hostgroup));
if (ret == ENOENT) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value);
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
+ *skip_entry = true;
return NULL;
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
@@ -782,12 +786,15 @@ convert_host(TALLOC_CTX *mem_ctx,
static const char *
convert_user(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv,
- const char *value)
+ const char *value,
+ bool *skip_entry)
{
char *rdn;
const char *group;
errno_t ret;
+ *skip_entry = false;
+
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
MATCHRDN_USER(conv->map_user));
if (ret == EOK) {
@@ -801,7 +808,8 @@ convert_user(TALLOC_CTX *mem_ctx,
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
MATCHRDN_GROUP(conv->map_group));
if (ret == ENOENT) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value);
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
+ *skip_entry = true;
return NULL;
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
@@ -818,12 +826,15 @@ convert_user(TALLOC_CTX *mem_ctx,
static const char *
convert_user_fqdn(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv,
- const char *value)
+ const char *value,
+ bool *skip_entry)
{
const char *shortname = NULL;
char *fqdn = NULL;
- shortname = convert_user(mem_ctx, conv, value);
+ *skip_entry = false;
+
+ shortname = convert_user(mem_ctx, conv, value, skip_entry);
if (shortname == NULL) {
return NULL;
}
@@ -836,15 +847,19 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx,
static const char *
convert_group(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv,
- const char *value)
+ const char *value,
+ bool *skip_entry)
{
char *rdn;
errno_t ret;
+ *skip_entry = false;
+
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
MATCHRDN_GROUP(conv->map_group));
if (ret == ENOENT) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value);
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
+ *skip_entry = true;
return NULL;
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
@@ -858,7 +873,8 @@ convert_group(TALLOC_CTX *mem_ctx,
static const char *
convert_runasextusergroup(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv,
- const char *value)
+ const char *value,
+ bool *skip_entry)
{
return talloc_asprintf(mem_ctx, "%%%s", value);
}
@@ -866,8 +882,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx,
static const char *
convert_cat(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv,
- const char *value)
+ const char *value,
+ bool *skip_entry)
{
+
+ *skip_entry = false;
+
if (strcmp(value, "all") == 0) {
return talloc_strdup(mem_ctx, "ALL");
}
@@ -885,12 +905,14 @@ convert_attributes(struct ipa_sudo_conv *conv,
const char *value;
errno_t ret;
int i, j;
+ bool skip_entry;
static struct {
const char *ipa;
const char *sudo;
const char *(*conv_fn)(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv,
- const char *value);
+ const char *value,
+ bool *skip_entry);
} table[] = {{SYSDB_NAME, SYSDB_SUDO_CACHE_AT_CN , NULL},
{SYSDB_IPA_SUDORULE_HOST, SYSDB_SUDO_CACHE_AT_HOST , convert_host},
{SYSDB_IPA_SUDORULE_USER, SYSDB_SUDO_CACHE_AT_USER , convert_user_fqdn},
@@ -931,10 +953,15 @@ convert_attributes(struct ipa_sudo_conv *conv,
for (j = 0; values[j] != NULL; j++) {
if (table[i].conv_fn != NULL) {
- value = table[i].conv_fn(tmp_ctx, conv, values[j]);
+ value = table[i].conv_fn(tmp_ctx, conv, values[j], &skip_entry);
if (value == NULL) {
- ret = ENOMEM;
- goto done;
+ if (skip_entry) {
+ ret = ENOENT;
+ continue;
+ } else {
+ ret = ENOMEM;
+ goto done;
+ }
}
} else {
value = values[j];
--
2.9.3

View File

@ -0,0 +1,36 @@
From 1404f3aa541849d880cce591584ba1580014cb50 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Wed, 25 Jan 2017 17:05:01 -0500
Subject: [PATCH 17/79] TESTS: Add to IPA DN test
Add test to ensure conflict entries return ENOENT
Resolves:
https://fedorahosted.org/sssd/ticket/3288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/cmocka/test_ipa_dn.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/tests/cmocka/test_ipa_dn.c b/src/tests/cmocka/test_ipa_dn.c
index a6e26ec31ff25519ad895ef934dac0e3a3dd83ae..ff951f28acbb8a567c3d27027a688386ff08b475 100644
--- a/src/tests/cmocka/test_ipa_dn.c
+++ b/src/tests/cmocka/test_ipa_dn.c
@@ -169,6 +169,13 @@ static void ipa_get_rdn_test(void **state)
ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,attr1=value1", &rdn, "cn", "attr1", "value1");
assert_int_equal(ret, ENOENT);
assert_null(rdn);
+
+ ret = ipa_get_rdn(test_ctx, test_ctx->sysdb,
+ "cn=rdn+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,"
+ "attr1=value1,attr2=value2,dc=example,dc=com",
+ &rdn, "cn", "attr1", "value1", "attr2", "value2");
+ assert_int_equal(ret, ENOENT);
+ assert_null(rdn);
}
int main(int argc, const char *argv[])
--
2.9.3

View File

@ -0,0 +1,28 @@
From c3593f06da54315c88a08a46cfc0def366acad43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Thu, 19 Jan 2017 12:51:27 +0100
Subject: [PATCH 18/79] LDAP: Better logging message
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ldap/sdap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index dc7d5e0caf223c3ee3c43054aa44e796f1b37766..eb460d93bfb067e780868bc9f7bf4e6e0aa1b4a3 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1691,7 +1691,8 @@ static bool sdap_object_in_domain(struct sdap_options *opts,
sdmatch = sdap_domain_get_by_dn(opts, original_dn);
if (sdmatch == NULL) {
DEBUG(SSSDBG_FUNC_DATA,
- "The group has no original DN, assuming our domain\n");
+ "The original DN of the group cannot "
+ "be related to any search base\n");
return true;
}
--
2.9.3

View File

@ -0,0 +1,592 @@
From 3ee411625aee19afda7477bb10b52c3da378b6fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Wed, 4 Jan 2017 15:33:30 +0100
Subject: [PATCH 19/79] SYSDB: Removing of sysdb_try_to_find_expected_dn()
Currently in order to match multiple LDAP search results we
use two different functions - we have sysdb_try_to_find_expected_dn()
but also sdap_object_in_domain().
This patch removes sysdb_try_to_find_expected_dn() and add new
sdap_search_initgr_user_in_batch() based on sdap_object_in_domain().
This function covers necessary logic.
Resolves:
https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb.h | 6 -
src/db/sysdb_subdomains.c | 332 -----------------------------
src/providers/ldap/sdap.c | 6 +-
src/providers/ldap/sdap.h | 4 +
src/providers/ldap/sdap_async_initgroups.c | 28 ++-
src/tests/cmocka/test_sysdb_subdomains.c | 104 ---------
6 files changed, 30 insertions(+), 450 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 8a363d09066806c4e7836e4e0cd19ce645d14ee2..809ca359a32f85ef3afbad082665c7eaa9374830 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -1309,10 +1309,4 @@ errno_t sysdb_handle_original_uuid(const char *orig_name,
struct sysdb_attrs *dest_attrs,
const char *dest_name);
-errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom,
- const char *domain_component_name,
- const char *ldap_search_base,
- struct sysdb_attrs **usr_attrs,
- size_t count,
- struct sysdb_attrs **exp_usr);
#endif /* __SYS_DB_H__ */
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 780140484f6f023bc6e8c12266e3b81ff016ec10..1f43bfc12e73a9fc7f3b66c85b47f38d2c1a3c19 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -1144,335 +1144,3 @@ done:
talloc_free(tmp_ctx);
return ret;
}
-
-static errno_t match_cn_users(TALLOC_CTX *tmp_ctx,
- struct sysdb_attrs **usr_attrs,
- size_t count,
- const char *dom_basedn,
- struct sysdb_attrs **_result)
-{
- errno_t ret;
- const char *orig_dn;
- size_t dn_len;
- struct sysdb_attrs *result = NULL;
- const char *result_dn_str = NULL;
- char *cn_users_basedn;
- size_t cn_users_basedn_len;
-
- cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn);
- if (cn_users_basedn == NULL) {
- ret = ENOMEM;
- goto done;
- }
- cn_users_basedn_len = strlen(cn_users_basedn);
- DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn);
-
- for (size_t c = 0; c < count; c++) {
- ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
- goto done;
- }
- dn_len = strlen(orig_dn);
-
- if (dn_len > cn_users_basedn_len
- && strcasecmp(orig_dn + (dn_len - cn_users_basedn_len),
- cn_users_basedn) == 0) {
- DEBUG(SSSDBG_TRACE_ALL,
- "Found matching dn [%s].\n", orig_dn);
- if (result != NULL) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Found 2 matching DN [%s] and [%s], expecting only 1.\n",
- result_dn_str, orig_dn);
- ret = EINVAL;
- goto done;
- }
- result = usr_attrs[c];
- result_dn_str = orig_dn;
- }
- }
-
- ret = EOK;
-done:
- *_result = result;
- return ret;
-}
-
-static errno_t match_non_dc_comp(TALLOC_CTX *tmp_ctx,
- struct sss_domain_info *dom,
- struct sysdb_attrs **usr_attrs,
- size_t count,
- struct ldb_dn *ldb_basedn,
- const char *basedn,
- const char *domain_component_name,
- struct sysdb_attrs **_result)
-{
- errno_t ret;
- const char *orig_dn;
- size_t orig_dn_len;
- size_t basedn_len;
- struct ldb_context *ldb_ctx;
- struct ldb_dn *ldb_orig_dn;
- int dn_comp_num;
- int basedn_comp_num;
- const char *component_name;
- struct sysdb_attrs *result = NULL;
- const char *result_dn_str = NULL;
-
- ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb);
- if (ldb_ctx == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n");
- ret = EINVAL;
- goto done;
- }
-
- basedn_len = strlen(basedn);
-
- basedn_comp_num = ldb_dn_get_comp_num(ldb_basedn);
- basedn_comp_num++;
-
- for (size_t c = 0; c < count; c++) {
- ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
- goto done;
- }
- orig_dn_len = strlen(orig_dn);
-
- if (orig_dn_len > basedn_len
- /* Does the user's original DN with the non-domain part
- * stripped match the domain base DN?
- */
- && strcasecmp(orig_dn + (orig_dn_len - basedn_len),
- basedn) == 0) {
- ldb_orig_dn = ldb_dn_new(tmp_ctx, ldb_ctx, orig_dn);
- if (ldb_orig_dn == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed");
- ret = ENOMEM;
- goto done;
- }
-
- dn_comp_num = ldb_dn_get_comp_num(ldb_orig_dn);
- if (dn_comp_num > basedn_comp_num) {
- component_name = ldb_dn_get_component_name(ldb_orig_dn,
- (dn_comp_num - basedn_comp_num));
- DEBUG(SSSDBG_TRACE_ALL, "Comparing [%s] and [%s].\n",
- component_name,
- domain_component_name);
- /* If the component is NOT a DC component, then the entry
- * must come from our domain, perhaps from a child container.
- * If it matched the DC component, the entry was from a child
- * subdomain different from this one.
- */
- if (component_name != NULL
- && strcasecmp(component_name,
- domain_component_name) != 0) {
- DEBUG(SSSDBG_TRACE_ALL,
- "Found matching dn [%s].\n", orig_dn);
- if (result != NULL) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Found 2 matching DN [%s] and [%s], "
- "expecting only 1.\n", result_dn_str, orig_dn);
- ret = EINVAL;
- goto done;
- }
- result = usr_attrs[c];
- result_dn_str = orig_dn;
- }
- }
- }
- }
-
- ret = EOK;
- *_result = result;
-done:
- return ret;
-}
-
-static errno_t match_basedn(TALLOC_CTX *tmp_ctx,
- struct sss_domain_info *dom,
- struct sysdb_attrs **usr_attrs,
- size_t count,
- const char *dom_basedn,
- const char *domain_component_name,
- struct sysdb_attrs **_result)
-{
- struct ldb_context *ldb_ctx;
- struct ldb_dn *ldb_dom_basedn;
-
- ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb);
- if (ldb_ctx == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n");
- return EINVAL;
- }
-
-
- ldb_dom_basedn = ldb_dn_new(tmp_ctx, ldb_ctx, dom_basedn);
- if (ldb_dom_basedn == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n");
- return ENOMEM;
- }
-
- return match_non_dc_comp(tmp_ctx, dom,
- usr_attrs, count,
- ldb_dom_basedn, dom_basedn,
- domain_component_name,
- _result);
-}
-
-static errno_t match_search_base(TALLOC_CTX *tmp_ctx,
- struct sss_domain_info *dom,
- const char *domain_component_name,
- const char *domain_search_base,
- struct sysdb_attrs **usr_attrs,
- size_t count,
- struct sysdb_attrs **_result)
-{
- errno_t ret;
- bool ok;
- const char *search_base;
- struct ldb_context *ldb_ctx;
- struct sysdb_attrs *result = NULL;
- struct ldb_dn *ldb_search_base;
- int search_base_comp_num;
- int non_dc_comp_num;
- const char *component_name;
-
- ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb);
- if (ldb_ctx == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n");
- ret = EINVAL;
- goto done;
- }
-
- ldb_search_base = ldb_dn_new(tmp_ctx, ldb_ctx, domain_search_base);
- if (ldb_search_base == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n");
- ret = ENOMEM;
- goto done;
- }
-
- /* strip non-DC components from the search base */
- search_base_comp_num = ldb_dn_get_comp_num(ldb_search_base);
- for (non_dc_comp_num = 0;
- non_dc_comp_num < search_base_comp_num;
- non_dc_comp_num++) {
-
- component_name = ldb_dn_get_component_name(ldb_search_base,
- non_dc_comp_num);
- if (strcasecmp(domain_component_name, component_name) == 0) {
- break;
- }
- }
-
- if (non_dc_comp_num == search_base_comp_num) {
- /* The search base does not have any non-DC components, the search wouldn't
- * match anyway
- */
- ret = EOK;
- *_result = NULL;
- goto done;
- }
-
- ok = ldb_dn_remove_child_components(ldb_search_base, non_dc_comp_num);
- if (!ok) {
- ret = EINVAL;
- goto done;
- }
-
- search_base = ldb_dn_get_linearized(ldb_search_base);
- if (search_base == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = match_cn_users(tmp_ctx, usr_attrs, count, search_base, &result);
- if (ret != EOK) {
- goto done;
- }
-
- if (result == NULL) {
- ret = match_non_dc_comp(tmp_ctx, dom,
- usr_attrs, count,
- ldb_search_base, search_base,
- domain_component_name,
- &result);
- if (ret != EOK) {
- goto done;
- }
- }
-
- ret = EOK;
- *_result = result;
-done:
- return ret;
-}
-
-errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom,
- const char *domain_component_name,
- const char *domain_search_base,
- struct sysdb_attrs **usr_attrs,
- size_t count,
- struct sysdb_attrs **exp_usr)
-{
- char *dom_basedn;
- int ret;
- TALLOC_CTX *tmp_ctx;
- struct sysdb_attrs *result = NULL;
-
- if (dom == NULL || domain_component_name == NULL
- || domain_search_base == NULL
- || usr_attrs == NULL || count == 0) {
- return EINVAL;
- }
-
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
- return ENOMEM;
- }
-
- ret = domain_to_basedn(tmp_ctx, dom->name, &dom_basedn);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n");
- ret = EINVAL;
- goto done;
- }
-
- ret = match_cn_users(tmp_ctx, usr_attrs, count, dom_basedn, &result);
- if (ret != EOK) {
- goto done;
- }
-
- if (result == NULL) {
- ret = match_basedn(tmp_ctx, dom, usr_attrs,
- count, dom_basedn, domain_component_name,
- &result);
- if (ret != EOK) {
- goto done;
- }
- }
-
- if (result == NULL) {
- ret = match_search_base(tmp_ctx, dom, domain_component_name,
- domain_search_base, usr_attrs, count,
- &result);
- if (ret != EOK) {
- goto done;
- }
- }
-
- if (result == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "No matching DN found.\n");
- ret = ENOENT;
- goto done;
- }
-
- *exp_usr = result;
-
- ret = EOK;
-done:
- talloc_free(tmp_ctx);
-
- return ret;
-}
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index eb460d93bfb067e780868bc9f7bf4e6e0aa1b4a3..bfb7fc6d2a38debf56acae18b8e7eb7a08ccbd1b 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1673,9 +1673,9 @@ char *sdap_make_oc_list(TALLOC_CTX *mem_ctx, struct sdap_attr_map *map)
}
}
-static bool sdap_object_in_domain(struct sdap_options *opts,
- struct sysdb_attrs *obj,
- struct sss_domain_info *dom)
+bool sdap_object_in_domain(struct sdap_options *opts,
+ struct sysdb_attrs *obj,
+ struct sss_domain_info *dom)
{
errno_t ret;
const char *original_dn = NULL;
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index e3cb8464ff40538e1e7f1ba853ed71d9a5cc3c98..6d4543ed48ce19f82252d34b6d0833a546a81bb9 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -616,4 +616,8 @@ size_t sdap_steal_objects_in_dom(struct sdap_options *opts,
size_t count,
bool filter);
+bool sdap_object_in_domain(struct sdap_options *opts,
+ struct sysdb_attrs *obj,
+ struct sss_domain_info *dom);
+
#endif /* _SDAP_H_ */
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 2cd9c15b9e284592b3e132eb3d1f35b09a69046e..8c7a65bf36abf341e077cf9eac18a234d3a07c07 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -23,6 +23,7 @@
#include "util/util.h"
#include "db/sysdb.h"
+#include "providers/ldap/sdap.h"
#include "providers/ldap/sdap_async_private.h"
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_idmap.h"
@@ -2890,6 +2891,25 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
return EOK;
}
+static int sdap_search_initgr_user_in_batch(struct sdap_get_initgr_state *state,
+ struct sysdb_attrs **users,
+ size_t count)
+{
+ int ret = EINVAL;
+
+ for (size_t i = 0; i < count; i++) {
+ if (sdap_object_in_domain(state->opts, users[i], state->dom) == false) {
+ continue;
+ }
+
+ state->orig_user = talloc_steal(state, users[i]);
+ ret = EOK;
+ break;
+ }
+
+ return ret;
+}
+
static void sdap_get_initgr_user(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
@@ -2951,13 +2971,11 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
* the first search base because all bases in a single domain would
* have the same DC= components
*/
- ret = sysdb_try_to_find_expected_dn(state->dom, "dc",
- state->sdom->search_bases[0]->basedn,
- usr_attrs, count,
- &state->orig_user);
+ ret = sdap_search_initgr_user_in_batch(state, usr_attrs, count);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "try_to_find_expected_dn failed. No matching DN found.\n");
+ "sdap_search_initgr_user_in_batch failed. "
+ "No matching DN found.\n");
tevent_req_error(req, EINVAL);
return;
}
diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c
index 52056e0435d2793893f1a4e336f38acf7a70b2c0..52242e516ed0490e5094ccc1392908207e00359d 100644
--- a/src/tests/cmocka/test_sysdb_subdomains.c
+++ b/src/tests/cmocka/test_sysdb_subdomains.c
@@ -515,107 +515,6 @@ static void test_sysdb_link_ad_multidom(void **state)
}
-static void test_try_to_find_expected_dn(void **state)
-{
- int ret;
- struct sysdb_attrs *result;
- struct sysdb_attrs *usr_attrs[10] = { NULL };
- struct sysdb_attrs *dom_usr_attrs[10] = { NULL };
- struct sss_domain_info *dom;
- char *dom_basedn;
- struct subdom_test_ctx *test_ctx =
- talloc_get_type(*state, struct subdom_test_ctx);
-
- dom = find_domain_by_name(test_ctx->tctx->dom,
- "child2.test_sysdb_subdomains_2", true);
- assert_non_null(dom);
-
- ret = domain_to_basedn(test_ctx, dom->name, &dom_basedn);
- assert_int_equal(ret, EOK);
-
- usr_attrs[0] = sysdb_new_attrs(test_ctx);
- assert_non_null(usr_attrs[0]);
-
- ret = sysdb_attrs_add_string(usr_attrs[0], SYSDB_ORIG_DN,
- "uid=user,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2");
- assert_int_equal(ret, EOK);
-
- ret = sysdb_try_to_find_expected_dn(NULL, NULL, NULL, NULL, 0, NULL);
- assert_int_equal(ret, EINVAL);
-
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 1, &result);
- assert_int_equal(ret, ENOENT);
-
- ret = sysdb_try_to_find_expected_dn(dom, "xy", dom_basedn, usr_attrs, 1, &result);
- assert_int_equal(ret, EOK);
- assert_ptr_equal(result, usr_attrs[0]);
-
- usr_attrs[1] = sysdb_new_attrs(test_ctx);
- assert_non_null(usr_attrs[1]);
-
- ret = sysdb_attrs_add_string(usr_attrs[1], SYSDB_ORIG_DN,
- "uid=user1,cn=abc,dc=child2,dc=test_sysdb_subdomains_2");
- assert_int_equal(ret, EOK);
-
- usr_attrs[2] = sysdb_new_attrs(test_ctx);
- assert_non_null(usr_attrs[2]);
-
- ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN,
- "uid=user2,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2");
- assert_int_equal(ret, EOK);
-
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 3, &result);
- assert_int_equal(ret, EOK);
- assert_ptr_equal(result, usr_attrs[1]);
-
- ret = sysdb_try_to_find_expected_dn(dom, "xy", dom_basedn, usr_attrs, 3, &result);
- assert_int_equal(ret, EINVAL);
-
- /* Make sure cn=users match is preferred */
- talloc_free(usr_attrs[2]);
- usr_attrs[2] = sysdb_new_attrs(test_ctx);
- assert_non_null(usr_attrs[2]);
-
- ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN,
- "uid=user2,cn=abc,cn=users,dc=child2,dc=test_sysdb_subdomains_2");
- assert_int_equal(ret, EOK);
-
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 3, &result);
- assert_int_equal(ret, EOK);
- assert_ptr_equal(result, usr_attrs[2]);
-
- /* test a case where the domain name does not match the basedn */
- dom->name = discard_const("default");
- dom_usr_attrs[0] = usr_attrs[0];
-
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 1, &result);
- assert_int_equal(ret, ENOENT);
-
- dom_usr_attrs[1] = usr_attrs[1];
- dom_usr_attrs[2] = usr_attrs[2];
-
- /* Make sure cn=users match is preferred */
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 3, &result);
- assert_int_equal(ret, EOK);
- assert_ptr_equal(result, dom_usr_attrs[2]);
-
- talloc_free(usr_attrs[2]);
- usr_attrs[2] = sysdb_new_attrs(test_ctx);
- assert_non_null(usr_attrs[2]);
- ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN,
- "uid=user2,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2");
- assert_int_equal(ret, EOK);
-
- dom_usr_attrs[2] = usr_attrs[2];
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 3, &result);
- assert_int_equal(ret, EOK);
- assert_ptr_equal(result, usr_attrs[1]);
-
- talloc_free(usr_attrs[0]);
- talloc_free(usr_attrs[1]);
- talloc_free(usr_attrs[2]);
-}
-
int main(int argc, const char *argv[])
{
int rv;
@@ -649,9 +548,6 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_sysdb_link_ad_multidom,
test_sysdb_subdom_setup,
test_sysdb_subdom_teardown),
- cmocka_unit_test_setup_teardown(test_try_to_find_expected_dn,
- test_sysdb_subdom_setup,
- test_sysdb_subdom_teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
--
2.9.3

View File

@ -0,0 +1,138 @@
From f1e3364a72eb75673d10cf8c97ba8f1d7a385405 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Thu, 12 Jan 2017 13:16:10 +0100
Subject: [PATCH 20/79] TEST: create_multidom_test_ctx() extending
Function create_multidom_test_ctx() prepares test environment for
multidomains. This patch enables setting of different params for
each domain.
Resolves:
https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/tests/cmocka/test_ad_common.c | 5 +----
src/tests/cmocka/test_sysdb_subdomains.c | 5 +----
src/tests/cmocka/test_sysdb_ts_cache.c | 5 +----
src/tests/common.h | 2 +-
src/tests/common_dom.c | 6 +++---
5 files changed, 7 insertions(+), 16 deletions(-)
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
index 7ec292092e0de6a3edabfe6e7480f777e47a475d..ea9998951d1214ad41429cad38a28efcea11dcd0 100644
--- a/src/tests/cmocka/test_ad_common.c
+++ b/src/tests/cmocka/test_ad_common.c
@@ -78,9 +78,6 @@ struct ad_sysdb_test_ctx {
static int test_ad_sysdb_setup(void **state)
{
struct ad_sysdb_test_ctx *test_ctx;
- struct sss_test_conf_param params[] = {
- { NULL, NULL }, /* Sentinel */
- };
assert_true(leak_check_setup());
@@ -92,7 +89,7 @@ static int test_ad_sysdb_setup(void **state)
test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
TEST_CONF_DB, domains,
- TEST_ID_PROVIDER, params);
+ TEST_ID_PROVIDER, NULL);
assert_non_null(test_ctx->tctx);
*state = test_ctx;
diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c
index 52242e516ed0490e5094ccc1392908207e00359d..49f44998a06740d1df70ac354ee741824acd8f50 100644
--- a/src/tests/cmocka/test_sysdb_subdomains.c
+++ b/src/tests/cmocka/test_sysdb_subdomains.c
@@ -60,9 +60,6 @@ struct subdom_test_ctx {
static int test_sysdb_subdom_setup(void **state)
{
struct subdom_test_ctx *test_ctx;
- struct sss_test_conf_param params[] = {
- { NULL, NULL }, /* Sentinel */
- };
assert_true(leak_check_setup());
@@ -74,7 +71,7 @@ static int test_sysdb_subdom_setup(void **state)
test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
TEST_CONF_DB, domains,
- TEST_ID_PROVIDER, params);
+ TEST_ID_PROVIDER, NULL);
assert_non_null(test_ctx->tctx);
*state = test_ctx;
diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c
index e950f88631e4c78573bbb7290edfe94b5ced57cd..f5aab73f001e8fdece1f85de987d6711a459e6aa 100644
--- a/src/tests/cmocka/test_sysdb_ts_cache.c
+++ b/src/tests/cmocka/test_sysdb_ts_cache.c
@@ -74,9 +74,6 @@ const char *domains[] = { TEST_DOM1_NAME,
static int test_sysdb_ts_setup(void **state)
{
struct sysdb_ts_test_ctx *test_ctx;
- struct sss_test_conf_param params[] = {
- { NULL, NULL }, /* Sentinel */
- };
assert_true(leak_check_setup());
@@ -88,7 +85,7 @@ static int test_sysdb_ts_setup(void **state)
test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
TEST_CONF_DB, domains,
- TEST_ID_PROVIDER, params);
+ TEST_ID_PROVIDER, NULL);
assert_non_null(test_ctx->tctx);
check_leaks_push(test_ctx);
diff --git a/src/tests/common.h b/src/tests/common.h
index b49cfea9b73d8b4b7b61c721912de9fd2c0ccf13..c06568d3820ab92ffd47b5c206c300842e8f8a39 100644
--- a/src/tests/common.h
+++ b/src/tests/common.h
@@ -92,7 +92,7 @@ create_multidom_test_ctx(TALLOC_CTX *mem_ctx,
const char *cdb_file,
const char **domains,
const char *id_provider,
- struct sss_test_conf_param *params);
+ struct sss_test_conf_param **params);
struct sss_test_ctx *
create_dom_test_ctx(TALLOC_CTX *mem_ctx,
diff --git a/src/tests/common_dom.c b/src/tests/common_dom.c
index f1a92cc99f3423d5d7ef10327013a5972940c792..def28d5101efe9990c963a4180d9fb2bd6f71b42 100644
--- a/src/tests/common_dom.c
+++ b/src/tests/common_dom.c
@@ -231,7 +231,7 @@ create_multidom_test_ctx(TALLOC_CTX *mem_ctx,
const char *cdb_file,
const char **domains,
const char *id_provider,
- struct sss_test_conf_param *params)
+ struct sss_test_conf_param **params)
{
struct sss_domain_info *domain = NULL;
struct sss_test_ctx *test_ctx = NULL;
@@ -255,7 +255,7 @@ create_multidom_test_ctx(TALLOC_CTX *mem_ctx,
/* create confdb objects for the domains */
for (i = 0; domains[i] != NULL; i++) {
ret = mock_confdb_domain(test_ctx, test_ctx->confdb, tests_path,
- domains[i], id_provider, params,
+ domains[i], id_provider, params != NULL ? params[i] : NULL,
(cdb_path == NULL ? &cdb_path : NULL));
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize confdb domain "
@@ -302,7 +302,7 @@ create_dom_test_ctx(TALLOC_CTX *mem_ctx,
const char *domains[] = {domain_name, NULL};
return create_multidom_test_ctx(mem_ctx, tests_path, confdb_path, domains,
- id_provider, params);
+ id_provider, &params);
}
void test_multidom_suite_cleanup(const char *tests_path,
--
2.9.3

View File

@ -0,0 +1,609 @@
From 0b7ded15e53b3f31f1570c366f04bc41e5761929 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Tue, 10 Jan 2017 14:01:45 +0100
Subject: [PATCH 21/79] TESTS: Tests for sdap_search_initgr_user_in_batch
This patch provides tests for core logic of
sdap_search_initgr_user_in_batch() function. This function replaces
old approach with sysdb_try_to_find_expected_dn() function.
Resolves:
https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
Makefile.am | 22 ++
src/tests/cmocka/test_sdap_initgr.c | 540 ++++++++++++++++++++++++++++++++++++
2 files changed, 562 insertions(+)
create mode 100644 src/tests/cmocka/test_sdap_initgr.c
diff --git a/Makefile.am b/Makefile.am
index 6d21af8e8c455622d8c4c8b4e325789c4c1e34cb..9dd2060c6615b1c23ae8adb61886341bcdc49560 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -289,6 +289,7 @@ non_interactive_cmocka_based_tests += \
ad_access_filter_tests \
ad_gpo_tests \
ad_common_tests \
+ test_sdap_initgr \
test_ad_subdom \
test_ipa_subdom_server \
$(NULL)
@@ -2862,6 +2863,27 @@ test_fo_srv_LDADD = \
libsss_test_common.la \
$(NULL)
+test_sdap_initgr_SOURCES = \
+ src/tests/cmocka/common_mock_sdap.c \
+ src/tests/cmocka/common_mock_sysdb_objects.c \
+ src/tests/cmocka/test_sdap_initgr.c \
+ $(NULL)
+test_sdap_initgr_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_NBT_CFLAGS) \
+ $(NULL)
+test_sdap_initgr_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_ldap_common.la \
+ libsss_ad_tests.la \
+ libsss_idmap.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
test_ad_subdom_SOURCES = \
src/tests/cmocka/test_ad_subdomains.c \
$(NULL)
diff --git a/src/tests/cmocka/test_sdap_initgr.c b/src/tests/cmocka/test_sdap_initgr.c
new file mode 100644
index 0000000000000000000000000000000000000000..28c6ae33ef3dd2a343711b339554492c899dd7b5
--- /dev/null
+++ b/src/tests/cmocka/test_sdap_initgr.c
@@ -0,0 +1,540 @@
+/*
+ Authors:
+ Petr Čech <pcech@redhat.com>
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <talloc.h>
+#include <tevent.h>
+#include <errno.h>
+#include <popt.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <sys/types.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <pwd.h>
+
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_sysdb_objects.h"
+#include "tests/cmocka/common_mock_sdap.h"
+#include "providers/ad/ad_common.h"
+
+#include "providers/ad/ad_opts.c"
+#include "providers/ldap/sdap_async_initgroups.c"
+
+/* Declarations from providers/ldap/sdap_async_initgroups.c */
+struct sdap_get_initgr_state;
+static int sdap_search_initgr_user_in_batch(struct sdap_get_initgr_state *state,
+ struct sysdb_attrs **users,
+ size_t count);
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_sdap_initgr_conf.ldb"
+#define TEST_ID_PROVIDER "ldap"
+
+#define TEST_DOM1_NAME "domain.test.com"
+#define TEST_DOM2_NAME "subdom1.domain.test.com"
+#define TEST_DOM3_NAME "another_domain.test.com"
+
+#define OBJECT_BASE_DN1 "dc=domain,dc=test,dc=com,cn=sysdb"
+#define OBJECT_BASE_DN2 "dc=subdom1,dc=domain,dc=test,dc=com,cn=sysdb"
+#define OBJECT_BASE_DN3 "dc=another_domain,dc=test,dc=com,cn=sysdb"
+
+#define TEST_USER_1 "test_user_1"
+#define TEST_USER_2 "test_user_2"
+#define TEST_USER_3 "test_user_3"
+
+const char *domains[] = { TEST_DOM1_NAME,
+ TEST_DOM2_NAME,
+ TEST_DOM3_NAME,
+ NULL };
+
+const char *object_bases[] = { OBJECT_BASE_DN1,
+ OBJECT_BASE_DN2,
+ OBJECT_BASE_DN3,
+ NULL };
+
+const char *test_users[] = { TEST_USER_1,
+ TEST_USER_2,
+ TEST_USER_3,
+ NULL };
+
+/* ====================== Utilities =============================== */
+
+struct test_sdap_initgr_ctx {
+ struct sss_test_ctx *tctx;
+};
+
+static struct passwd **get_users(TALLOC_CTX *ctx)
+{
+ struct passwd **passwds = NULL;
+ char *homedir = NULL;
+ size_t user_count = 0;
+
+ for (int i = 0; test_users[i] != NULL; i++) {
+ user_count++;
+ }
+ passwds = talloc_array(ctx, struct passwd *, user_count);
+ assert_non_null(passwds);
+
+ for (int i = 0; i < user_count; i++) {
+ passwds[i] = talloc(passwds, struct passwd);
+ assert_non_null(passwds[i]);
+
+ homedir = talloc_strdup_append(homedir, "/home/");
+ homedir = talloc_strdup_append(homedir, test_users[i]);
+
+ passwds[i]->pw_name = discard_const(test_users[i]);
+ passwds[i]->pw_uid = 567 + i;
+ passwds[i]->pw_gid = 890 + i;
+ passwds[i]->pw_dir = talloc_strdup(passwds[i], homedir);
+ passwds[i]->pw_gecos = discard_const(test_users[i]);
+ passwds[i]->pw_shell = discard_const("/bin/sh");
+ passwds[i]->pw_passwd = discard_const("*");
+
+ talloc_zfree(homedir);
+ }
+
+ return passwds;
+}
+
+static struct sss_test_conf_param **get_params(TALLOC_CTX *ctx)
+{
+ struct sss_test_conf_param **params;
+ char *user_base_dn = NULL;
+ char *group_base_dn = NULL;
+ size_t base_count = 0;
+
+ for (int i = 0; object_bases[i] != NULL; i++) {
+ base_count++;
+ }
+
+ params = talloc_array(ctx, struct sss_test_conf_param *, base_count + 1);
+ assert_non_null(params);
+
+ for (int i = 0; i < base_count; i++) {
+ params[i] = talloc(params, struct sss_test_conf_param);
+ assert_non_null(params[i]);
+
+ user_base_dn = talloc_strdup_append(user_base_dn, "cn=users,");
+ user_base_dn = talloc_strdup_append(user_base_dn, object_bases[i]);
+
+ group_base_dn = talloc_strdup_append(group_base_dn, "cn=groups,");
+ group_base_dn = talloc_strdup_append(group_base_dn, object_bases[i]);
+
+ params[i] = talloc_array(params[i], struct sss_test_conf_param, 5);
+ params[i][0].key = "ldap_schema";
+ params[i][0].value = "rfc2307bis";
+ params[i][1].key = "ldap_search_base";
+ params[i][1].value = talloc_strdup(params[i], object_bases[i]);
+ params[i][2].key = "ldap_user_search_base";
+ params[i][2].value = talloc_strdup(params[i], user_base_dn);
+ params[i][3].key = "ldap_group_search_base";
+ params[i][3].value = talloc_strdup(params[i], group_base_dn);
+ params[i][4].key = NULL;
+ params[i][4].value = NULL;
+
+ talloc_zfree(user_base_dn);
+ talloc_zfree(group_base_dn);
+ }
+
+ return params;
+}
+
+struct sss_domain_info *get_domain_info(struct sss_domain_info *domain,
+ const char *domain_name)
+{
+ struct sss_domain_info *dom = domain;
+
+ while(dom != NULL) {
+ if (strcmp(dom->name, domain_name) == 0) {
+ break;
+ }
+ dom = dom->next;
+ }
+
+ return dom;
+}
+
+struct sdap_get_initgr_state *prepare_state(struct test_sdap_initgr_ctx *ctx,
+ const char **domain_names)
+{
+ struct sdap_get_initgr_state *state;
+ struct sss_domain_info *dom_info = NULL;
+ struct sss_domain_info *recent_dom_info = NULL;
+
+ state = talloc_zero(ctx->tctx, struct sdap_get_initgr_state);
+ assert_non_null(state);
+
+ for (int i=0; domain_names[i] != NULL; i++) {
+ dom_info = get_domain_info(ctx->tctx->dom, domain_names[i]);
+ assert_non_null(dom_info);
+
+ if (i == 0) {
+ state->dom = dom_info;
+ recent_dom_info = state->dom;
+ } else {
+ recent_dom_info->next = dom_info;
+ recent_dom_info = recent_dom_info->next;
+ }
+ }
+ assert_non_null(state->dom);
+ assert_non_null(recent_dom_info);
+ recent_dom_info->next = NULL;
+
+ state->opts = mock_sdap_options_ldap(state, state->dom,
+ ctx->tctx->confdb,
+ ctx->tctx->conf_dom_path);
+ assert_non_null(state->opts);
+
+ return state;
+}
+
+/* TODO: This function is copied from test_nss_srv.c
+ * It could be fine move both to one place,
+ * for example src/tests/common_sysdb.c
+ */
+static errno_t store_user(TALLOC_CTX *ctx,
+ struct sss_domain_info *dom,
+ struct passwd *user,
+ struct sysdb_attrs *attrs,
+ time_t cache_update)
+{
+ errno_t ret;
+ char *fqname;
+
+ fqname = sss_create_internal_fqname(ctx,
+ user->pw_name,
+ dom->name);
+ if (fqname == NULL) {
+ return ENOMEM;
+ }
+
+ /* Prime the cache with a valid user */
+ ret = sysdb_store_user(dom,
+ fqname,
+ user->pw_passwd,
+ user->pw_uid,
+ user->pw_gid,
+ user->pw_gecos,
+ user->pw_dir,
+ user->pw_shell,
+ NULL, attrs,
+ NULL, 300, cache_update);
+ talloc_free(fqname);
+
+ return ret;
+}
+
+/* ====================== Setup =============================== */
+
+static int test_sdap_initgr_setup_one_domain(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sss_test_conf_param **params;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ params = get_params(test_ctx);
+ assert_non_null(params);
+
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH,
+ TEST_CONF_DB, domains[0],
+ TEST_ID_PROVIDER, params[0]);
+ assert_non_null(test_ctx->tctx);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sdap_initgr_setup_multi_domains(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sss_test_conf_param **params;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ params = get_params(test_ctx);
+ assert_non_null(params);
+
+ test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
+ TEST_CONF_DB, domains,
+ TEST_ID_PROVIDER, params);
+ assert_non_null(test_ctx->tctx);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sdap_initgr_setup_other_multi_domains(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sss_test_conf_param **params;
+ const char *domains_vith_other[] = { TEST_DOM1_NAME,
+ TEST_DOM3_NAME,
+ NULL };
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ params = get_params(test_ctx);
+ assert_non_null(params);
+
+ test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
+ TEST_CONF_DB, domains_vith_other,
+ TEST_ID_PROVIDER, params);
+ assert_non_null(test_ctx->tctx);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sdap_initgr_teardown(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ assert_true(check_leaks_pop(test_ctx) == true);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+/* ====================== The tests =============================== */
+
+static void test_user_is_on_batch(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sdap_get_initgr_state *initgr_state;
+ const char *domains_set[] = { domains[0], NULL };
+ struct sss_domain_info *dom1_info = NULL;
+ struct sss_domain_info *dom2_info = NULL;
+ struct passwd **passwd_users;
+ struct sysdb_attrs **users;
+ const char *user_name;
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ dom1_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
+ assert_non_null(dom1_info);
+ dom2_info = get_domain_info(test_ctx->tctx->dom, domains[1]);
+ assert_non_null(dom2_info);
+
+ initgr_state = prepare_state(test_ctx, domains_set);
+ assert_non_null(initgr_state);
+
+ passwd_users = get_users(test_ctx);
+ assert_non_null(passwd_users);
+
+ ret = store_user(test_ctx, dom1_info, passwd_users[0], NULL, 0);
+ assert_int_equal(ret, 0);
+ ret = store_user(test_ctx, dom2_info, passwd_users[1], NULL, 0);
+ assert_int_equal(ret, 0);
+
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 2);
+ users[0] = mock_sysdb_user(users, object_bases[0],
+ passwd_users[0]->pw_uid,
+ passwd_users[0]->pw_name);
+ users[1] = mock_sysdb_user(users, object_bases[1],
+ passwd_users[1]->pw_uid,
+ passwd_users[1]->pw_name);
+
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 2);
+ assert_int_equal(ret, 0);
+
+ ret = sysdb_attrs_get_string(initgr_state->orig_user, "name", &user_name);
+ assert_int_equal(ret, 0);
+ assert_string_equal(user_name, passwd_users[0]->pw_name);
+
+ talloc_zfree(initgr_state);
+ talloc_zfree(passwd_users);
+ talloc_zfree(users);
+}
+
+static void test_user_is_from_subdomain(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sdap_get_initgr_state *initgr_state;
+ const char *domains_set[] = { domains[0], NULL };
+ struct sss_domain_info *dom_info = NULL;
+ struct passwd **passwd_users;
+ struct sysdb_attrs **users;
+ const char *user_name;
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ dom_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
+ assert_non_null(dom_info);
+
+ initgr_state = prepare_state(test_ctx, domains_set);
+ assert_non_null(initgr_state);
+
+ passwd_users = get_users(test_ctx);
+ assert_non_null(passwd_users);
+
+ ret = store_user(test_ctx, dom_info, passwd_users[0], NULL, 0);
+ assert_int_equal(ret, 0);
+
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 1);
+ users[0] = mock_sysdb_user(users, object_bases[1],
+ passwd_users[1]->pw_uid,
+ passwd_users[1]->pw_name);
+
+ const char *original_dn = NULL;
+ ret = sysdb_attrs_get_string(users[0], SYSDB_ORIG_DN, &original_dn);
+
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 1);
+ assert_int_equal(ret, 0);
+
+ ret = sysdb_attrs_get_string(initgr_state->orig_user, "name", &user_name);
+ assert_int_equal(ret, 0);
+ assert_string_equal(user_name, passwd_users[1]->pw_name);
+
+ talloc_zfree(initgr_state);
+ talloc_zfree(passwd_users);
+ talloc_zfree(users);
+}
+
+static void test_user_is_from_another_domain(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sdap_get_initgr_state *initgr_state;
+ const char *domains_set[] = { domains[0], domains[2], NULL };
+ struct sss_domain_info *dom_info = NULL;
+ struct sss_domain_info *other_dom_info = NULL;
+ struct sdap_domain *other_sdom = NULL;
+ struct passwd **passwd_users;
+ struct sysdb_attrs **users;
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ dom_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
+ assert_non_null(dom_info);
+
+ initgr_state = prepare_state(test_ctx, domains_set);
+ assert_non_null(initgr_state);
+
+ other_dom_info = get_domain_info(test_ctx->tctx->dom, domains[2]);
+ assert_non_null(other_dom_info);
+
+ ret = sdap_domain_add(initgr_state->opts, other_dom_info, &other_sdom);
+ assert_int_equal(ret, EOK);
+
+ talloc_zfree(other_sdom->search_bases);
+ other_sdom->search_bases = talloc_array(other_sdom,
+ struct sdap_search_base *, 2);
+ assert_non_null(other_sdom->search_bases);
+ other_sdom->search_bases[1] = NULL;
+
+ ret = sdap_create_search_base(other_sdom, object_bases[2],
+ LDAP_SCOPE_SUBTREE, NULL,
+ &other_sdom->search_bases[0]);
+ assert_int_equal(ret, EOK);
+
+ passwd_users = get_users(test_ctx);
+ assert_non_null(passwd_users);
+
+ ret = store_user(test_ctx, dom_info, passwd_users[0], NULL, 0);
+ assert_int_equal(ret, 0);
+
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 1);
+ users[0] = mock_sysdb_user(users, object_bases[2],
+ passwd_users[2]->pw_uid,
+ passwd_users[2]->pw_name);
+
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 1);
+ assert_int_equal(ret, EINVAL);
+
+ talloc_zfree(initgr_state);
+ talloc_zfree(passwd_users);
+ talloc_zfree(users);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_user_is_on_batch,
+ test_sdap_initgr_setup_multi_domains,
+ test_sdap_initgr_teardown),
+ cmocka_unit_test_setup_teardown(test_user_is_from_subdomain,
+ test_sdap_initgr_setup_one_domain,
+ test_sdap_initgr_teardown),
+ cmocka_unit_test_setup_teardown(test_user_is_from_another_domain,
+ test_sdap_initgr_setup_other_multi_domains,
+ test_sdap_initgr_teardown),
+ };
+
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old db to be sure */
+ tests_set_cwd();
+
+ test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0) {
+ test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
+ }
+
+ return rv;
+}
--
2.9.3

View File

@ -0,0 +1,31 @@
From d8c459feab7659a51c23c941fea486867c2b9dae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 17 Jan 2017 12:00:31 +0100
Subject: [PATCH 22/79] ssh: fix number of output certificates
SSH responder returned invalid number of certificates when
original ad pubkey attribute was not empty. Since we always
return all certificates to the client we should add number
of results to the output not override it.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/ssh/sshsrv_cmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 2e64893dfc2018727e6fc5fb80b47bd7eb1fac58..bd6270d0f1b62323ef7d140193351fb8585ce2ec 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -1012,7 +1012,7 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
el_orig = ldb_msg_find_element(cmd_ctx->result,
ORIGINALAD_PREFIX SYSDB_SSH_PUBKEY);
if (el_orig) {
- count = el_orig->num_values;
+ count += el_orig->num_values;
}
if (DOM_HAS_VIEWS(cmd_ctx->domain)) {
--
2.9.3

View File

@ -0,0 +1,76 @@
From e33744e8cc82390153c94ace53c16f72365b9fd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 17 Jan 2017 11:58:06 +0100
Subject: [PATCH 23/79] ssh: do not create again fq name
We store fully qualified name in sysdb so there is no need to append
the domain part again which result in name@domain@domain string.
This field is not actually used in ssh client so it doesn't cause
any issue but we should stay correct here.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/ssh/sshsrv_cmd.c | 20 ++++++--------------
1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index bd6270d0f1b62323ef7d140193351fb8585ce2ec..195d5763e9c5f4f9ff2f2f5ac49cd856d9198e7a 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -982,8 +982,7 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
struct ldb_message_element *el_user_cert_keys = NULL;
uint32_t count = 0;
const char *name;
- char *fqname;
- uint32_t fqname_len;
+ uint32_t name_len;
TALLOC_CTX *tmp_ctx;
struct ssh_ctx *ssh_ctx;
struct cli_protocol *pctx;
@@ -1060,38 +1059,31 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
goto done;
}
- fqname = talloc_asprintf(cmd_ctx, "%s@%s",
- name, cmd_ctx->domain->name);
- if (!fqname) {
- ret = ENOMEM;
- goto done;
- }
-
- fqname_len = strlen(fqname)+1;
+ name_len = strlen(name) + 1;
ret = decode_and_add_base64_data(cmd_ctx, el, false, ssh_ctx,
- fqname_len, fqname, &c);
+ name_len, name, &c);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
goto done;
}
ret = decode_and_add_base64_data(cmd_ctx, el_orig, false, ssh_ctx,
- fqname_len, fqname, &c);
+ name_len, name, &c);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
goto done;
}
ret = decode_and_add_base64_data(cmd_ctx, el_override, false, ssh_ctx,
- fqname_len, fqname, &c);
+ name_len, name, &c);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
goto done;
}
ret = decode_and_add_base64_data(cmd_ctx, el_user_cert_keys, true, ssh_ctx,
- fqname_len, fqname, &c);
+ name_len, name, &c);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
goto done;
--
2.9.3

View File

@ -0,0 +1,198 @@
From 2b5704cd96a085b99d3b0d4f80f4414adc134750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 3 Feb 2017 12:44:15 +0100
Subject: [PATCH 24/79] sss_parse_inp_send: provide default_domain as parameter
It is not always desirable to consider default_domain from configuration
but expect none instead. For example when we search host certificates.
This is currently not used in this patch since host lookups parse
name directly with sss_parse_name but it will be used in the next
patch.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/common/cache_req/cache_req.c | 3 ++-
src/responder/common/responder.h | 5 ++++-
src/responder/common/responder_get_domains.c | 30 ++++++++++++++++++++++++----
src/responder/ifp/ifpsrv_cmd.c | 2 +-
src/tests/cmocka/common_mock_resp_dp.c | 4 +++-
src/tests/cmocka/test_responder_common.c | 12 +++++++----
6 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index f546e6130a181f7b6d3fc1aca8ad0766e8a7f19d..e5026e1a869064fe81cc04e3b2bbd8c4cefec304 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -415,7 +415,8 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
"Parsing input name [%s]\n", cr->data->name.input);
- subreq = sss_parse_inp_send(mem_ctx, cr->rctx, cr->data->name.input);
+ subreq = sss_parse_inp_send(mem_ctx, cr->rctx, cr->rctx->default_domain,
+ cr->data->name.input);
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
return ENOMEM;
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index d1fa532be3402214842da50e037f5f8d149631fb..c387c6ec326c612eef8798673c1c70c67efd5452 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -347,8 +347,11 @@ errno_t check_allowed_uids(uid_t uid, size_t allowed_uids_count,
uid_t *allowed_uids);
struct tevent_req *
-sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
+sss_parse_inp_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ const char *default_domain,
const char *rawinp);
+
errno_t sss_parse_inp_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
char **_name, char **_domname);
diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
index cc7b99f30046569547a08f83e46cbbe9d6c19897..0f39d107dad6c458785b1b8d708e60d7c34e3901 100644
--- a/src/responder/common/responder_get_domains.c
+++ b/src/responder/common/responder_get_domains.c
@@ -443,6 +443,7 @@ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
struct sss_parse_inp_state {
struct resp_ctx *rctx;
+ const char *default_domain;
const char *rawinp;
char *name;
@@ -453,7 +454,9 @@ struct sss_parse_inp_state {
static void sss_parse_inp_done(struct tevent_req *subreq);
struct tevent_req *
-sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
+sss_parse_inp_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ const char *default_domain,
const char *rawinp)
{
errno_t ret;
@@ -465,16 +468,35 @@ sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
if (req == NULL) {
return NULL;
}
- state->rawinp = rawinp;
+
+ if (rawinp == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Empty input!\n");
+ ret = EINVAL;
+ goto done;
+ }
+
state->rctx = rctx;
+ state->rawinp = talloc_strdup(state, rawinp);
+ if (state->rawinp == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+
+ state->default_domain = talloc_strdup(state, default_domain);
+ if (default_domain != NULL && state->default_domain == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
/* If the subdomains haven't been checked yet, we need to always
* attach to the post-startup subdomain request and only then parse
* the input. Otherwise, we might not be able to parse input with a
* flat domain name specifier */
if (rctx->get_domains_last_call.tv_sec > 0) {
ret = sss_parse_name_for_domains(state, rctx->domains,
- rctx->default_domain, rawinp,
+ default_domain, rawinp,
&state->domname, &state->name);
if (ret == EOK) {
/* Was able to use cached domains */
@@ -532,7 +554,7 @@ static void sss_parse_inp_done(struct tevent_req *subreq)
state->error = ERR_OK;
ret = sss_parse_name_for_domains(state, state->rctx->domains,
- state->rctx->default_domain,
+ state->default_domain,
state->rawinp,
&state->domname, &state->name);
if (ret == EAGAIN && state->domname != NULL && state->name == NULL) {
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index 23f410a19ea985b4fcfcf34a770d37ea9a864e67..07edcddffa1091f8bbcf79a25962aadc791bb890 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -453,7 +453,7 @@ ifp_user_get_attr_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
state->ncache = ncache;
state->search_type = search_type;
- subreq = sss_parse_inp_send(req, rctx, inp);
+ subreq = sss_parse_inp_send(req, rctx, rctx->default_domain, inp);
if (subreq == NULL) {
ret = ENOMEM;
goto done;
diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c
index f62606eb8a33b6417bbd32a7dccdbeaabd05818f..0b6870346c00954a3e2accf8f21625a14da8afb5 100644
--- a/src/tests/cmocka/common_mock_resp_dp.c
+++ b/src/tests/cmocka/common_mock_resp_dp.c
@@ -80,7 +80,9 @@ void mock_account_recv_simple(void)
}
struct tevent_req *
-sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
+sss_parse_inp_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ const char *default_domain,
const char *rawinp)
{
return test_req_succeed_send(mem_ctx, rctx->ev);
diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
index b25f8a8efcded664ed61be4d5a67b0f2e3adf327..fb7e4ee500570319999e6e85ee14a05cddea8de3 100644
--- a/src/tests/cmocka/test_responder_common.c
+++ b/src/tests/cmocka/test_responder_common.c
@@ -192,7 +192,8 @@ void parse_inp_simple(void **state)
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
+ parse_inp_ctx->rctx->default_domain, NAME);
assert_non_null(req);
tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
@@ -213,7 +214,8 @@ void parse_inp_call_dp(void **state)
/* The second one will succeed as the domains are up-to-date */
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
+ parse_inp_ctx->rctx->default_domain, NAME);
assert_non_null(req);
tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
@@ -235,7 +237,8 @@ void parse_inp_call_attach(void **state)
* as the domains are up-to-date */
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
+ parse_inp_ctx->rctx->default_domain, NAME);
assert_non_null(req);
tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
@@ -271,7 +274,8 @@ void parse_inp_call_neg(void **state)
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_WRAPPER);
will_return(__wrap_sss_parse_name_for_domains, EINVAL);
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
+ parse_inp_ctx->rctx->default_domain, NAME);
assert_non_null(req);
tevent_req_set_callback(req, parse_inp_neg_done, parse_inp_ctx);
--
2.9.3

View File

@ -0,0 +1,310 @@
From ddfd1900b26c66a062457d4fcc1a48bafd3eadf6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 3 Feb 2017 13:04:23 +0100
Subject: [PATCH 25/79] cache_req: add ability to not use default domain suffix
This will be used in the next plugin "host by name" where
it is not desirable to use default domain suffix if set.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/common/cache_req/cache_req.c | 8 +++++++-
src/responder/common/cache_req/cache_req_plugin.h | 5 +++++
src/responder/common/cache_req/plugins/cache_req_enum_groups.c | 1 +
src/responder/common/cache_req/plugins/cache_req_enum_svc.c | 1 +
src/responder/common/cache_req/plugins/cache_req_enum_users.c | 1 +
.../common/cache_req/plugins/cache_req_group_by_filter.c | 1 +
src/responder/common/cache_req/plugins/cache_req_group_by_id.c | 1 +
src/responder/common/cache_req/plugins/cache_req_group_by_name.c | 1 +
.../common/cache_req/plugins/cache_req_initgroups_by_name.c | 1 +
.../common/cache_req/plugins/cache_req_initgroups_by_upn.c | 1 +
.../common/cache_req/plugins/cache_req_netgroup_by_name.c | 1 +
src/responder/common/cache_req/plugins/cache_req_object_by_id.c | 1 +
src/responder/common/cache_req/plugins/cache_req_object_by_name.c | 1 +
src/responder/common/cache_req/plugins/cache_req_object_by_sid.c | 1 +
src/responder/common/cache_req/plugins/cache_req_svc_by_name.c | 1 +
src/responder/common/cache_req/plugins/cache_req_svc_by_port.c | 1 +
src/responder/common/cache_req/plugins/cache_req_user_by_cert.c | 1 +
src/responder/common/cache_req/plugins/cache_req_user_by_filter.c | 1 +
src/responder/common/cache_req/plugins/cache_req_user_by_id.c | 1 +
src/responder/common/cache_req/plugins/cache_req_user_by_name.c | 1 +
src/responder/common/cache_req/plugins/cache_req_user_by_upn.c | 1 +
21 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index e5026e1a869064fe81cc04e3b2bbd8c4cefec304..aed8f1b225899a1c470407e259d2068ef62922b7 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -400,6 +400,7 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
const char *domain)
{
struct tevent_req *subreq;
+ const char *default_domain;
if (cr->data->name.input == NULL) {
/* Input was not name, there is no need to process it further. */
@@ -411,11 +412,16 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
return cache_req_set_name(cr, cr->data->name.input);
}
+ default_domain = NULL;
+ if (!cr->plugin->ignore_default_domain) {
+ default_domain = cr->rctx->default_domain;
+ }
+
/* Parse name since it may contain a domain name. */
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
"Parsing input name [%s]\n", cr->data->name.input);
- subreq = sss_parse_inp_send(mem_ctx, cr->rctx, cr->rctx->default_domain,
+ subreq = sss_parse_inp_send(mem_ctx, cr->rctx, default_domain,
cr->data->name.input);
if (subreq == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h
index e4d5eef91672a83e1ced47b394368a457acfbcb8..59ef8bad1697e094f729c53f33bda4f1d825cdff 100644
--- a/src/responder/common/cache_req/cache_req_plugin.h
+++ b/src/responder/common/cache_req/cache_req_plugin.h
@@ -157,6 +157,11 @@ struct cache_req_plugin {
bool parse_name;
/**
+ * True if default domain suffix should be ignored when parsing name.
+ */
+ bool ignore_default_domain;
+
+ /**
* True if we always contact data provider.
*/
bool bypass_cache;
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_groups.c b/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
index de4bd968b18920cde0630dbd5142ce99d3b70a3e..2056dc2ccdadef98772402bde45aef8e043a0e76 100644
--- a/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
@@ -64,6 +64,7 @@ const struct cache_req_plugin cache_req_enum_groups = {
.dp_type = SSS_DP_GROUP,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = true,
.only_one_result = false,
.search_all_domains = true,
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
index c83564fdce8abc237a3a4dbe7a88b4bc6c2baaff..e850212977bb26dc13b900f6e5908865fffa59b0 100644
--- a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
@@ -65,6 +65,7 @@ const struct cache_req_plugin cache_req_enum_svc = {
.dp_type = SSS_DP_SERVICES,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = true,
.only_one_result = false,
.search_all_domains = true,
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_users.c b/src/responder/common/cache_req/plugins/cache_req_enum_users.c
index c4eeed7463cca6ecd17fe8042d62f4b72da46e68..2adeddb6b4bea044371f168f5d39aecc1f06cc45 100644
--- a/src/responder/common/cache_req/plugins/cache_req_enum_users.c
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_users.c
@@ -64,6 +64,7 @@ const struct cache_req_plugin cache_req_enum_users = {
.dp_type = SSS_DP_USER,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = true,
.only_one_result = false,
.search_all_domains = true,
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
index 1619cf7bdd6ad7ef7c1ea71ef0dd8f24611c1a6e..bc42eb7db0830ba31649c2cbb9525dfd1f7b1fae 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
@@ -119,6 +119,7 @@ const struct cache_req_plugin cache_req_group_by_filter = {
.dp_type = SSS_DP_WILDCARD_GROUP,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = true,
+ .ignore_default_domain = false,
.bypass_cache = true,
.only_one_result = false,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
index 293994fa1e22a23b7ff19c50050e5c6c25274b5d..e48588087eafde68a4a85c546cf08e90eb6c7605 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
@@ -107,6 +107,7 @@ const struct cache_req_plugin cache_req_group_by_id = {
.dp_type = SSS_DP_GROUP,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = true,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
index c88dbd4566297da98d306e20deb7f7c64c7991a4..962b38866a1408bbdff556e20df5a69b0d4bbba0 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
@@ -157,6 +157,7 @@ const struct cache_req_plugin cache_req_group_by_name = {
.dp_type = SSS_DP_GROUP,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = true,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = true,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
index 9575ae70731875979f924dbf948222ed705fd923..d2f03cbea0780e4e0b88d56fcfbcf8903bcb3c85 100644
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
@@ -172,6 +172,7 @@ const struct cache_req_plugin cache_req_initgroups_by_name = {
.dp_type = SSS_DP_INITGROUPS,
.attr_expiration = SYSDB_INITGR_EXPIRE,
.parse_name = true,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = false,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
index 7a0b96b19f487e046c32235e02ec0fdbc7baa211..9b2d07d4afa98cbfca4a62f944b744f01897a0ee 100644
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
@@ -108,6 +108,7 @@ const struct cache_req_plugin cache_req_initgroups_by_upn = {
.dp_type = SSS_DP_INITGROUPS,
.attr_expiration = SYSDB_INITGR_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = false,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
index 15549adeff9e038387b21b6349b18683c14afe65..5b19edeb2952b83406ff20d001dd7d24449f69c9 100644
--- a/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
@@ -116,6 +116,7 @@ const struct cache_req_plugin cache_req_netgroup_by_name = {
.dp_type = SSS_DP_NETGR,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = true,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = true,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
index b8ad3b5e76cbf52fb61e22aa872e51e7f51bbf29..3f47807616054c644e27e4c240ad7c4b752a563e 100644
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
@@ -99,6 +99,7 @@ const struct cache_req_plugin cache_req_object_by_id = {
.dp_type = SSS_DP_USER_AND_GROUP,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = true,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
index 1ec906c7ad0c0f2d327667c697a96f2c2735d066..6829d0ec97c147aafda46b6eace25b97a28e626a 100644
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
@@ -192,6 +192,7 @@ const struct cache_req_plugin cache_req_object_by_name = {
.dp_type = SSS_DP_USER_AND_GROUP,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = true,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = true,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c b/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
index 35cb74f61fab0c72dda68c8f95e30be9127f938f..6a6eb8e72c52c069935ca4e612e60f602c7b91bd 100644
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
@@ -109,6 +109,7 @@ const struct cache_req_plugin cache_req_object_by_sid = {
.dp_type = SSS_DP_SECID,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = true,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c b/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
index 4de27571c199baeeec1064f6d9b626fef08212c7..9562354ed3a453e3aec7264bb32dbd5273fb0927 100644
--- a/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
@@ -140,6 +140,7 @@ const struct cache_req_plugin cache_req_svc_by_name = {
.dp_type = SSS_DP_SERVICES,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = true,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = false,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c b/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
index 1b17c71352678f7dfae830bea3ab3909fd62c564..55117492f6f8aa6a4e31c1e23862215255cdf660 100644
--- a/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
+++ b/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
@@ -113,6 +113,7 @@ const struct cache_req_plugin cache_req_svc_by_port = {
.dp_type = SSS_DP_SERVICES,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = false,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c b/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
index 9a1bcc6aa1225c27362b11b9321994f65261d5cb..5203d3f94421715b711bcd1e01b7a42737b6fe41 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
@@ -83,6 +83,7 @@ const struct cache_req_plugin cache_req_user_by_cert = {
.dp_type = SSS_DP_CERT,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = true,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
index ee9f60bf682629acf3b2ec3d16a3ed075084480d..4c328a5d900e37de0f3396a8c2f1c937360ce081 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
@@ -119,6 +119,7 @@ const struct cache_req_plugin cache_req_user_by_filter = {
.dp_type = SSS_DP_WILDCARD_USER,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = true,
+ .ignore_default_domain = false,
.bypass_cache = true,
.only_one_result = false,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
index d710986d1102af4422d29a9943c903f23bea8b9e..d794d248b1e9b11cd41210b8180823e3a2565847 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
@@ -107,6 +107,7 @@ const struct cache_req_plugin cache_req_user_by_id = {
.dp_type = SSS_DP_USER,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = true,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
index 46dd9434b34536b72b0966f53ab341c09542f16c..9ee7bef1cc904d25d156b3f64e039e47be58d1cc 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
@@ -157,6 +157,7 @@ const struct cache_req_plugin cache_req_user_by_name = {
.dp_type = SSS_DP_USER,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = true,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = true,
.search_all_domains = false,
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
index 9d1e703d623cd830c2ab6db6e835c4bec49f57e5..4c6e6bcd056392abb729d416d406f28c28cdaa77 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
@@ -112,6 +112,7 @@ const struct cache_req_plugin cache_req_user_by_upn = {
.dp_type = SSS_DP_USER,
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = false,
+ .ignore_default_domain = false,
.bypass_cache = false,
.only_one_result = true,
.search_all_domains = false,
--
2.9.3

View File

@ -0,0 +1,87 @@
From 7723e79f5a1fad4201360199037aea33f655bab6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 11 Jan 2017 11:36:50 +0100
Subject: [PATCH 26/79] cache_req: search user by name with attrs
Sometime is is desirable to aquire more attribute from user object
than SYSDB_PW_ATTRS set. such as user's public key.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/common/cache_req/cache_req.h | 13 +++++++++
.../cache_req/plugins/cache_req_user_by_name.c | 31 ++++++++++++++++++++--
2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
index 7700091078c96698a5aaf12cf0d50f259cd186d8..2740c21ee0e390c64d94fedd6ab2cb7483cfe302 100644
--- a/src/responder/common/cache_req/cache_req.h
+++ b/src/responder/common/cache_req/cache_req.h
@@ -186,6 +186,19 @@ cache_req_user_by_name_send(TALLOC_CTX *mem_ctx,
cache_req_single_domain_recv(mem_ctx, req, _result)
struct tevent_req *
+cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *name,
+ const char **attrs);
+
+#define cache_req_user_by_name_attrs_recv(mem_ctx, req, _result) \
+ cache_req_single_domain_recv(mem_ctx, req, _result)
+
+struct tevent_req *
cache_req_user_by_id_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct resp_ctx *rctx,
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
index 9ee7bef1cc904d25d156b3f64e039e47be58d1cc..3f343870c7e7c28ac72f4e94272c6dee281b963c 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
@@ -105,8 +105,13 @@ cache_req_user_by_name_lookup(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
struct ldb_result **_result)
{
- return sysdb_getpwnam_with_views(mem_ctx, domain, data->name.lookup,
- _result);
+ if (data->attrs == NULL) {
+ return sysdb_getpwnam_with_views(mem_ctx, domain, data->name.lookup,
+ _result);
+ }
+
+ return sysdb_get_user_attr_with_views(mem_ctx, domain, data->name.lookup,
+ data->attrs, _result);
}
static errno_t
@@ -196,3 +201,25 @@ cache_req_user_by_name_send(TALLOC_CTX *mem_ctx,
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
cache_refresh_percent, domain, data);
}
+
+struct tevent_req *
+cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *name,
+ const char **attrs)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_name_attrs(mem_ctx, CACHE_REQ_USER_BY_NAME,
+ name, attrs);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent, domain, data);
+}
--
2.9.3

View File

@ -0,0 +1,99 @@
From 9492b3b26ac0b1898f836094074a9d8b38916e13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 17 Jan 2017 14:11:32 +0100
Subject: [PATCH 27/79] cache_req: add api to create ldb_result from message
Some sysdb methods doesn't return ldb_result as output but return
ldb_message instead. Changing sysdb to be consistent is too big
so I added this helper function that will wrap resulting message
into ldb_result.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/common/cache_req/cache_req.c | 47 ++++++++++++++++++------------
1 file changed, 28 insertions(+), 19 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index aed8f1b225899a1c470407e259d2068ef62922b7..31c220b3a66db815100b10a4f2e04388c13eaf78 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -78,7 +78,6 @@ static errno_t cache_req_set_plugin(struct cache_req *cr,
}
cr->reqname = plugin->name;
- cr->dp_type = plugin->dp_type;
cr->plugin = plugin;
CACHE_REQ_DEBUG(SSSDBG_TRACE_INTERNAL, cr, "Setting \"%s\" plugin\n",
@@ -820,16 +819,11 @@ cache_req_create_result(TALLOC_CTX *mem_ctx,
return result;
}
-struct cache_req_result *
-cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *domain,
- struct ldb_message *ldb_msg,
- const char *lookup_name,
- const char *well_known_domain)
+struct ldb_result *
+cache_req_create_ldb_result_from_msg(TALLOC_CTX *mem_ctx,
+ struct ldb_message *ldb_msg)
{
- struct cache_req_result *result;
struct ldb_result *ldb_result;
- errno_t ret;
if (ldb_msg == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "No message set!\n");
@@ -847,23 +841,38 @@ cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx,
ldb_result->count = 1;
ldb_result->msgs = talloc_zero_array(ldb_result, struct ldb_message *, 2);
if (ldb_result->msgs == NULL) {
- ret = ENOMEM;
- goto done;
+ talloc_free(ldb_result);
+ return NULL;
}
ldb_result->msgs[0] = talloc_steal(ldb_result->msgs, ldb_msg);
+ return ldb_result;
+}
+
+struct cache_req_result *
+cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ struct ldb_message *ldb_msg,
+ const char *lookup_name,
+ const char *well_known_domain)
+{
+ struct cache_req_result *result;
+ struct ldb_result *ldb_result;
+
+ if (ldb_msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No message set!\n");
+ return NULL;
+ }
+
+ ldb_result = cache_req_create_ldb_result_from_msg(mem_ctx, ldb_msg);
+ if (ldb_result == NULL) {
+ return NULL;
+ }
+
result = cache_req_create_result(mem_ctx, domain, ldb_result,
lookup_name, well_known_domain);
if (result == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = EOK;
-
-done:
- if (ret != EOK) {
talloc_free(ldb_result);
return NULL;
}
--
2.9.3

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,453 @@
From 53c31b83e4d06ea4c2813eec2f1e647a613b4a2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 18 Jan 2017 12:12:01 +0100
Subject: [PATCH 29/79] cache_req: add host by name search
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
Makefile.am | 3 +-
src/responder/common/cache_req/cache_req.c | 2 +
src/responder/common/cache_req/cache_req.h | 23 ++++
src/responder/common/cache_req/cache_req_data.c | 39 +++++++
src/responder/common/cache_req/cache_req_plugin.h | 1 +
src/responder/common/cache_req/cache_req_private.h | 1 +
.../cache_req/plugins/cache_req_host_by_name.c | 121 +++++++++++++++++++++
src/responder/common/responder.h | 15 +++
.../{ssh/sshsrv_dp.c => common/responder_dp_ssh.c} | 3 +-
src/responder/ssh/sshsrv_private.h | 15 ---
src/tests/cmocka/common_mock_resp_dp.c | 33 ++++++
src/tests/cwrap/Makefile.am | 2 +
12 files changed, 240 insertions(+), 18 deletions(-)
create mode 100644 src/responder/common/cache_req/plugins/cache_req_host_by_name.c
rename src/responder/{ssh/sshsrv_dp.c => common/responder_dp_ssh.c} (99%)
diff --git a/Makefile.am b/Makefile.am
index 9dd2060c6615b1c23ae8adb61886341bcdc49560..6592261df87fc4fd0b83aba42e9f5cd12238a6cb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -513,6 +513,7 @@ SSSD_CACHE_REQ_OBJ = \
src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \
src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \
src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
+ src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
$(NULL)
SSSD_RESPONDER_OBJ = \
@@ -521,6 +522,7 @@ SSSD_RESPONDER_OBJ = \
src/responder/common/responder_cmd.c \
src/responder/common/responder_common.c \
src/responder/common/responder_dp.c \
+ src/responder/common/responder_dp_ssh.c \
src/responder/common/responder_packet.c \
src/responder/common/responder_get_domains.c \
src/responder/common/responder_utils.c \
@@ -1331,7 +1333,6 @@ endif
if BUILD_SSH
sssd_ssh_SOURCES = \
src/responder/ssh/sshsrv.c \
- src/responder/ssh/sshsrv_dp.c \
src/responder/ssh/sshsrv_cmd.c \
$(SSSD_RESPONDER_OBJ) \
$(NULL)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index 31c220b3a66db815100b10a4f2e04388c13eaf78..16429c666a6db79afaad52b509fc63d639815b31 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -56,6 +56,8 @@ cache_req_get_plugin(enum cache_req_type type)
&cache_req_svc_by_port,
&cache_req_netgroup_by_name,
+
+ &cache_req_host_by_name,
};
if (type >= CACHE_REQ_SENTINEL) {
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
index 2740c21ee0e390c64d94fedd6ab2cb7483cfe302..185558d7d7abd03429e35f391616d249e52c2f76 100644
--- a/src/responder/common/cache_req/cache_req.h
+++ b/src/responder/common/cache_req/cache_req.h
@@ -52,6 +52,8 @@ enum cache_req_type {
CACHE_REQ_NETGROUP_BY_NAME,
+ CACHE_REQ_HOST_BY_NAME,
+
CACHE_REQ_SENTINEL
};
@@ -103,6 +105,13 @@ cache_req_data_svc(TALLOC_CTX *mem_ctx,
const char *protocol,
uint16_t port);
+struct cache_req_data *
+cache_req_data_host(TALLOC_CTX *mem_ctx,
+ enum cache_req_type type,
+ const char *name,
+ const char *alias,
+ const char **attrs);
+
/* Output data. */
struct cache_req_result {
@@ -377,4 +386,18 @@ cache_req_netgroup_by_name_send(TALLOC_CTX *mem_ctx,
#define cache_req_netgroup_by_name_recv(mem_ctx, req, _result) \
cache_req_single_domain_recv(mem_ctx, req, _result)
+struct tevent_req *
+cache_req_host_by_name_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *name,
+ const char *alias,
+ const char **attrs);
+
+#define cache_req_host_by_name_recv(mem_ctx, req, _result) \
+ cache_req_single_domain_recv(mem_ctx, req, _result)
+
#endif /* _CACHE_REQ_H_ */
diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
index d0564785f7fc5ffe826b197a41da720e9f26a43a..b2e22ec1bab699ad71978df6905df19908369ff1 100644
--- a/src/responder/common/cache_req/cache_req_data.c
+++ b/src/responder/common/cache_req/cache_req_data.c
@@ -188,6 +188,29 @@ cache_req_data_create(TALLOC_CTX *mem_ctx,
}
break;
+ case CACHE_REQ_HOST_BY_NAME:
+ if (input->name.input == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ data->name.input = talloc_strdup(data, input->name.input);
+ if (data->name.input == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (input->alias == NULL) {
+ break;
+ }
+
+ data->alias = talloc_strdup(data, input->alias);
+ if (data->alias == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ break;
case CACHE_REQ_SENTINEL:
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid cache request type!\n");
ret = ERR_INTERNAL;
@@ -318,3 +341,19 @@ cache_req_data_svc(TALLOC_CTX *mem_ctx,
return cache_req_data_create(mem_ctx, type, &input);
}
+
+struct cache_req_data *
+cache_req_data_host(TALLOC_CTX *mem_ctx,
+ enum cache_req_type type,
+ const char *name,
+ const char *alias,
+ const char **attrs)
+{
+ struct cache_req_data input = {0};
+
+ input.name.input = name;
+ input.alias = alias;
+ input.attrs = attrs;
+
+ return cache_req_data_create(mem_ctx, type, &input);
+}
diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h
index 61e346dacfe0d180fb2aae354bc7867093276ab0..e0b619528f6aa31a10a5b48c3c5acc96de90caa1 100644
--- a/src/responder/common/cache_req/cache_req_plugin.h
+++ b/src/responder/common/cache_req/cache_req_plugin.h
@@ -231,5 +231,6 @@ extern const struct cache_req_plugin cache_req_enum_svc;
extern const struct cache_req_plugin cache_req_svc_by_name;
extern const struct cache_req_plugin cache_req_svc_by_port;
extern const struct cache_req_plugin cache_req_netgroup_by_name;
+extern const struct cache_req_plugin cache_req_host_by_name;
#endif /* _CACHE_REQ_PLUGIN_H_ */
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
index b544b739e92552189f806f4675ff28689b91ce66..cc473759159fe324e37a4c51dc15ed136f6a09ef 100644
--- a/src/responder/common/cache_req/cache_req_private.h
+++ b/src/responder/common/cache_req/cache_req_private.h
@@ -76,6 +76,7 @@ struct cache_req_data {
uint32_t id;
const char *cert;
const char *sid;
+ const char *alias;
const char **attrs;
struct {
diff --git a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
new file mode 100644
index 0000000000000000000000000000000000000000..18511e33bc18e44f418a26764f066ff287092d26
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
@@ -0,0 +1,121 @@
+/*
+ Authors:
+ Pavel Březina <pbrezina@redhat.com>
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <talloc.h>
+#include <ldb.h>
+
+#include "db/sysdb_ssh.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static const char *
+cache_req_host_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ return talloc_strdup(mem_ctx, data->name.name);
+}
+
+static errno_t
+cache_req_host_by_name_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ struct ldb_result *result;
+ struct ldb_message *msg;
+ errno_t ret;
+
+ ret = sysdb_get_ssh_host(mem_ctx, domain, data->name.name,
+ data->attrs, &msg);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ result = cache_req_create_ldb_result_from_msg(mem_ctx, msg);
+ if (result == NULL) {
+ return ENOMEM;
+ }
+
+ *_result = result;
+
+ return EOK;
+}
+
+struct tevent_req *
+cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ return sss_dp_get_ssh_host_send(mem_ctx, cr->rctx, domain, false,
+ data->name.name, data->alias);
+}
+
+const struct cache_req_plugin cache_req_host_by_name = {
+ .name = "Host by name",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = true,
+ .ignore_default_domain = true,
+ .bypass_cache = false,
+ .only_one_result = true,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = true,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = 0,
+
+ .is_well_known_fn = NULL,
+ .prepare_domain_data_fn = NULL,
+ .create_debug_name_fn = cache_req_host_by_name_create_debug_name,
+ .global_ncache_add_fn = NULL,
+ .ncache_check_fn = NULL,
+ .ncache_add_fn = NULL,
+ .lookup_fn = cache_req_host_by_name_lookup,
+ .dp_send_fn = cache_req_host_by_name_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv
+};
+
+struct tevent_req *
+cache_req_host_by_name_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *name,
+ const char *alias,
+ const char **attrs)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_host(mem_ctx, CACHE_REQ_HOST_BY_NAME, name,
+ alias, attrs);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent, domain, data);
+}
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index c387c6ec326c612eef8798673c1c70c67efd5452..748dec4301b4a018691d9b8c8fca0193d18167a5 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -318,6 +318,21 @@ sss_dp_get_account_recv(TALLOC_CTX *mem_ctx,
dbus_uint32_t *err_min,
char **err_msg);
+struct tevent_req *
+sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *dom,
+ bool fast_reply,
+ const char *name,
+ const char *alias);
+
+errno_t
+sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ dbus_uint16_t *dp_err,
+ dbus_uint32_t *dp_ret,
+ char **err_msg);
+
bool sss_utf8_check(const uint8_t *s, size_t n);
void responder_set_fd_limit(rlim_t fd_limit);
diff --git a/src/responder/ssh/sshsrv_dp.c b/src/responder/common/responder_dp_ssh.c
similarity index 99%
rename from src/responder/ssh/sshsrv_dp.c
rename to src/responder/common/responder_dp_ssh.c
index f02c3f477e3789360075a6022086d21cfcd7aefd..303ba1568b6230b0d4dfa718e4a7c024ae84d4e9 100644
--- a/src/responder/ssh/sshsrv_dp.c
+++ b/src/responder/common/responder_dp_ssh.c
@@ -21,13 +21,12 @@
#include <talloc.h>
#include <tevent.h>
#include <dbus/dbus.h>
-#include "sbus/sssd_dbus.h"
#include "util/util.h"
#include "sbus/sbus_client.h"
+#include "sbus/sssd_dbus.h"
#include "providers/data_provider/dp_responder_iface.h"
#include "responder/common/responder.h"
-#include "responder/ssh/sshsrv_private.h"
struct sss_dp_get_ssh_host_info {
struct sss_domain_info *dom;
diff --git a/src/responder/ssh/sshsrv_private.h b/src/responder/ssh/sshsrv_private.h
index 9553cd7940571bf107d9fb4562d11d8c1eab3624..3ea895536657cbfa82328b8a2661da56859eb929 100644
--- a/src/responder/ssh/sshsrv_private.h
+++ b/src/responder/ssh/sshsrv_private.h
@@ -51,19 +51,4 @@ struct ssh_cmd_ctx {
struct sss_cmd_table *get_ssh_cmds(void);
-struct tevent_req *
-sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
- struct resp_ctx *rctx,
- struct sss_domain_info *dom,
- bool fast_reply,
- const char *name,
- const char *alias);
-
-errno_t
-sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
- struct tevent_req *req,
- dbus_uint16_t *dp_err,
- dbus_uint32_t *dp_ret,
- char **err_msg);
-
#endif /* _SSHSRV_PRIVATE_H_ */
diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c
index cbdb65d745a63ae00613001847351d3dba0fe290..5db5255ab61231870982c4b78a39504ae8954bcd 100644
--- a/src/tests/cmocka/common_mock_resp_dp.c
+++ b/src/tests/cmocka/common_mock_resp_dp.c
@@ -61,6 +61,39 @@ sss_dp_get_account_recv(TALLOC_CTX *mem_ctx,
return test_request_recv(req);
}
+struct tevent_req *
+sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *dom,
+ bool fast_reply,
+ const char *name,
+ const char *alias)
+{
+ return test_req_succeed_send(mem_ctx, rctx->ev);
+}
+
+
+errno_t
+sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ dbus_uint16_t *dp_err,
+ dbus_uint32_t *dp_ret,
+ char **err_msg)
+{
+ acct_cb_t cb;
+
+ *dp_err = sss_mock_type(dbus_uint16_t);
+ *dp_ret = sss_mock_type(dbus_uint32_t);
+ *err_msg = sss_mock_ptr_type(char *);
+
+ cb = sss_mock_ptr_type(acct_cb_t);
+ if (cb) {
+ (cb)(sss_mock_ptr_type(void *));
+ }
+
+ return test_request_recv(req);
+}
+
errno_t
sss_dp_req_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 8ca0026178d79271167a09d295940f7c5f55d98b..09a8b5307dd3ebf9c7f27148097a90eac527a213 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -60,6 +60,7 @@ SSSD_CACHE_REQ_OBJ = \
../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \
../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \
../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
$(NULL)
SSSD_RESPONDER_OBJ = \
@@ -68,6 +69,7 @@ SSSD_RESPONDER_OBJ = \
../../../src/responder/common/responder_cmd.c \
../../../src/responder/common/responder_common.c \
../../../src/responder/common/responder_dp.c \
+ ../../../src/responder/common/responder_dp_ssh.c \
../../../src/responder/common/responder_packet.c \
../../../src/responder/common/responder_get_domains.c \
../../../src/responder/common/responder_utils.c \
--
2.9.3

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,76 @@
From e947a871f7d3cfc4389e981a147fe10bedca0569 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 7 Feb 2017 11:05:47 +0100
Subject: [PATCH 31/79] AD: Use ad_domain to match forest root domain, not the
configured domain from sssd.conf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the sssd.conf domain name was different from the joined domain name,
but sssd was joined to the forest root, the AD subdomains code considered
sssd joined to a non-root domain and tried to discover the forest root.
This could be reproduced by joining sssd to a domain, for example
win.trust.test but calling the sssd.conf domain otherwise, for example:
[domain/addomain]
ad_domain = win.trust.test
This is/was a frequent use-case in the RHEL world, where authconfig
often names the sssd.conf domain 'default'.
Without the patch, the trusted domains were not detected.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 5e57d218c072a2627f165ae072cb761e1a146048..ad075c19a5824b98092ddf534004680784577c0f 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -948,6 +948,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq);
static struct tevent_req *
ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
+ const char *domain,
const char *forest,
struct sdap_handle *sh,
struct ad_subdomains_ctx *sd_ctx)
@@ -968,7 +969,7 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
return NULL;
}
- if (forest != NULL && strcasecmp(sd_ctx->be_ctx->domain->name, forest) == 0) {
+ if (forest != NULL && strcasecmp(domain, forest) == 0) {
state->root_id_ctx = sd_ctx->ad_id_ctx;
state->root_domain_attrs = NULL;
ret = EOK;
@@ -1230,6 +1231,7 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq)
struct ad_subdomains_refresh_state *state;
struct tevent_req *req;
const char *realm;
+ const char *ad_domain;
char *master_sid;
char *flat_name;
char *forest;
@@ -1277,7 +1279,14 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq)
}
}
- subreq = ad_get_root_domain_send(state, state->ev, forest,
+ ad_domain = dp_opt_get_cstring(state->ad_options->basic, AD_DOMAIN);
+ if (ad_domain == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Missing AD domain name, falling back to sssd domain name\n");
+ ad_domain = state->sd_ctx->be_ctx->domain->name;
+ }
+
+ subreq = ad_get_root_domain_send(state, state->ev, ad_domain, forest,
sdap_id_op_handle(state->sdap_op),
state->sd_ctx);
if (subreq == NULL) {
--
2.9.3

View File

@ -0,0 +1,44 @@
From e5d8b0e10238490c5d199063c0a258ba53c2ac65 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 8 Feb 2017 17:58:41 +0100
Subject: [PATCH 32/79] BUILD: Fix linking of test_sdap_initgr
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There was a linking fialure on debian:
/usr/bin/ld: src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o:
undefined reference to symbol 'hash_iterate@@DHASH_0.4.3'
//usr/lib64/libdhash.so.1: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
This patch adds some missing libraries and remove unnecessary libraries.
Bug was intoduced in commit 0b7ded15e53b3f31f1570c366f04bc41e5761929
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
Makefile.am | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 713a83ce0b5c2b8d71495ff05b52e52e413b5c95..2304b39c7eb75225f7cd8cbc30d23592506c146e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2879,11 +2879,12 @@ test_sdap_initgr_CFLAGS = \
test_sdap_initgr_LDADD = \
$(CMOCKA_LIBS) \
$(POPT_LIBS) \
+ $(DHASH_LIBS) \
$(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(LDB_LIBS) \
$(SSSD_INTERNAL_LTLIBS) \
libsss_ldap_common.la \
- libsss_ad_tests.la \
- libsss_idmap.la \
libsss_test_common.la \
libdlopen_test_providers.la \
$(NULL)
--
2.9.3

31
0033-ssh-fix-typo.patch Normal file
View File

@ -0,0 +1,31 @@
From 2ffa245e79a5ed66e69d141f4001c13697e01450 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 8 Feb 2017 13:22:11 +0100
Subject: [PATCH 33/79] ssh: fix typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Those macros are the same so there is no functional difference.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/responder/ssh/ssh_cmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/ssh/ssh_cmd.c b/src/responder/ssh/ssh_cmd.c
index a1188280dc2d1f73c726aec7c203692a63c37a32..1b9aff2b5053b436a9a0bf2797d812a954f25984 100644
--- a/src/responder/ssh/ssh_cmd.c
+++ b/src/responder/ssh/ssh_cmd.c
@@ -213,7 +213,7 @@ static void ssh_cmd_get_host_pubkeys_done(struct tevent_req *subreq)
cmd_ctx = tevent_req_callback_data(subreq, struct ssh_cmd_ctx);
ssh_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct ssh_ctx);
- ret = cache_req_user_by_name_attrs_recv(cmd_ctx, subreq, &result);
+ ret = cache_req_host_by_name_recv(cmd_ctx, subreq, &result);
talloc_zfree(subreq);
if (ret == EOK || ret == ENOENT) {
--
2.9.3

View File

@ -0,0 +1,32 @@
From d9780d2860b2f2c9d707bfd8f2fc72099b9545d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 8 Feb 2017 13:22:42 +0100
Subject: [PATCH 34/79] cache_req: always go to dp first when looking up host
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We need to always lookup host in DP first to update host certificates so
we are consinstent during ssh authentication.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/responder/common/cache_req/plugins/cache_req_host_by_name.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
index 18511e33bc18e44f418a26764f066ff287092d26..77b46831fec3abc4126ef9d9be67221469801094 100644
--- a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
@@ -77,7 +77,7 @@ const struct cache_req_plugin cache_req_host_by_name = {
.attr_expiration = SYSDB_CACHE_EXPIRE,
.parse_name = true,
.ignore_default_domain = true,
- .bypass_cache = false,
+ .bypass_cache = true,
.only_one_result = true,
.search_all_domains = false,
.require_enumeration = false,
--
2.9.3

View File

@ -0,0 +1,74 @@
From 040ade7b2e11fecf615aedf58592cc7245900e86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Sun, 5 Feb 2017 01:48:35 +0100
Subject: [PATCH 35/79] MONITOR: Wrap up sending sd_notify "ready" into a new
function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This new function will be used later on in this series as we also will
need to notify systemd that we're up in at least one more scenario (for
now).
Related:
https://fedorahosted.org/sssd/ticket/3299
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/monitor/monitor.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index b82c6e5fb651796e977085a1fcb87330632fbf3b..f55a89edc38900c3eaaf2a294fb26125e571cf82 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -487,6 +487,26 @@ static void svc_child_info(struct mt_svc *svc, int wait_status)
}
}
+static int notify_startup(void)
+{
+#ifdef HAVE_SYSTEMD
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Sending startup notification to systemd\n");
+ ret = sd_notify(0, "READY=1");
+ if (ret < 0) {
+ ret = -ret;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error sending notification to systemd %d: %s\n",
+ ret, sss_strerror(ret));
+
+ return ret;
+ }
+#endif
+
+ return EOK;
+}
+
static int mark_service_as_started(struct mt_svc *svc)
{
struct mt_ctx *ctx = svc->mt_ctx;
@@ -557,15 +577,7 @@ static int mark_service_as_started(struct mt_svc *svc)
ctx->pid_file_created = true;
-#ifdef HAVE_SYSTEMD
- DEBUG(SSSDBG_TRACE_FUNC, "Sending startup notification to systemd\n");
- ret = sd_notify(0, "READY=1");
- if (ret < 0) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Error sending notification to systemd %d: %s\n",
- -ret, strerror(-ret));
- }
-#endif
+ notify_startup();
/* Initialization is complete, terminate parent process if in daemon
* mode. Make sure we send the signal to the right process */
--
2.9.3

View File

@ -0,0 +1,51 @@
From 00c0b7bc6969d31deab9e8e7541b4a6483b78b3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Sun, 5 Feb 2017 01:55:56 +0100
Subject: [PATCH 36/79] MONITOR: Don't timeout if using local provider +
socket-activated responders
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When using only the local provider with socket-activated services SSSD
ends up never notifying systemd its startup has been done, as notifying
systemd is done *only* when a service (provider or responder) is started
up, leading SSSD's startup to fail due to a timeout.
So, in order to avoid this situation, let's just notify the startup
earlier in case we have *only* socket-activated services and the *only*
provider set up is the LOCAL one.
Resolves:
https://fedorahosted.org/sssd/ticket/3299
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/monitor/monitor.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index f55a89edc38900c3eaaf2a294fb26125e571cf82..1fa3d4baf579f15b9f93355a4b0c8b9d706bbacf 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2403,6 +2403,15 @@ static int monitor_process_init(struct mt_ctx *ctx,
}
}
+ /* When the only provider set up is the local one (num_providers == 0) and
+ * there's no responder explicitly set up it means that we should notify
+ * systemd that SSSD is ready right now as any other provider/responder
+ * would be able to do so and the SSSD would end up hitting a systemd
+ * timeout! */
+ if (num_providers == 0 && ctx->services == NULL) {
+ ret = notify_startup();
+ }
+
return EOK;
}
--
2.9.3

View File

@ -0,0 +1,83 @@
From a5ecc93abb01cece628fdef04ebad43bba267419 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 5 Feb 2017 20:25:23 +0100
Subject: [PATCH 37/79] SUDO: Only store lowercased attribute value once
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The current code doesn't handle the situation where lowercasing the
sudoUser attribute would yield the same value again.
For example:
sudoUser: TUSER
sudoUser tuser
would break.
This patch switches to using the utility function
sysdb_attrs_add_lower_case_string() which already checks for duplicates.
Resolves:
https://fedorahosted.org/sssd/ticket/3301
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb_sudo.c | 17 +++--------------
src/tests/cmocka/test_sysdb_sudo.c | 5 +++++
2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index f5160f19012028f92723b9012fad85d803aa5137..97a1bee99c0255579f42cc7263d3d755429cd417 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -857,7 +857,6 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
{
TALLOC_CTX *tmp_ctx;
const char **users = NULL;
- const char *lowered = NULL;
errno_t ret;
if (domain->case_sensitive == true || rule == NULL) {
@@ -884,19 +883,9 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
}
for (int i = 0; users[i] != NULL; i++) {
- lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
- if (lowered == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
- ret = ENOMEM;
- goto done;
- }
-
- if (strcmp(users[i], lowered) == 0) {
- /* It protects us from adding duplicate. */
- continue;
- }
-
- ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+ ret = sysdb_attrs_add_lower_case_string(rule, true,
+ SYSDB_SUDO_CACHE_AT_USER,
+ users[i]);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Unable to add %s attribute [%d]: %s\n",
diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c
index f21ff3655efbdc5b66a1fdbc24a51ec8174c3c8c..34afe120d97e99e3213a85bf7489a5e0f6309e4b 100644
--- a/src/tests/cmocka/test_sysdb_sudo.c
+++ b/src/tests/cmocka/test_sysdb_sudo.c
@@ -335,6 +335,11 @@ void test_store_sudo_case_insensitive(void **state)
test_ctx->tctx->dom->case_sensitive = false;
+ ret = sysdb_attrs_add_lower_case_string(rule, false,
+ SYSDB_SUDO_CACHE_AT_USER,
+ users[0].name);
+ assert_int_equal(ret, EOK);
+
ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
assert_int_equal(ret, EOK);
--
2.9.3

View File

@ -0,0 +1,190 @@
From 99a32e4f5164e174d5a3ffa5a1fe622075a8fe45 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 2 Nov 2016 16:59:12 +0100
Subject: [PATCH 38/79] NEGCACHE: Add API to reset all users and groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds a negative cache API to reset negatively cached users and groups.
This will be used when the files back end finishes enumeration to make
sure all results are available.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/negcache.c | 56 ++++++++++++++++++++++++++++++++
src/responder/common/negcache.h | 2 ++
src/tests/cmocka/test_negcache.c | 70 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 128 insertions(+)
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 5b7ad69f432518be94b88e92e24265add722c852..944a06e158f778948c16bb931f0af5659a00b13b 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -674,6 +674,62 @@ int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx)
return EOK;
}
+static int delete_prefix(struct tdb_context *tdb,
+ TDB_DATA key, TDB_DATA data, void *state)
+{
+ const char *prefix = (const char *) state;
+
+ if (strncmp((char *)key.dptr, prefix, strlen(prefix) - 1) != 0) {
+ /* not interested in this key */
+ return 0;
+ }
+
+ return tdb_delete(tdb, key);
+}
+
+static int sss_ncache_reset_pfx(struct sss_nc_ctx *ctx,
+ const char **prefixes)
+{
+ int ret;
+
+ if (prefixes == NULL) {
+ return EOK;
+ }
+
+ for (int i = 0; prefixes[i] != NULL; i++) {
+ ret = tdb_traverse(ctx->tdb,
+ delete_prefix,
+ discard_const(prefixes[i]));
+ if (ret < 0) {
+ return EIO;
+ }
+ }
+
+ return EOK;
+}
+
+int sss_ncache_reset_users(struct sss_nc_ctx *ctx)
+{
+ const char *prefixes[] = {
+ NC_USER_PREFIX,
+ NC_UID_PREFIX,
+ NULL,
+ };
+
+ return sss_ncache_reset_pfx(ctx, prefixes);
+}
+
+int sss_ncache_reset_groups(struct sss_nc_ctx *ctx)
+{
+ const char *prefixes[] = {
+ NC_GROUP_PREFIX,
+ NC_GID_PREFIX,
+ NULL,
+ };
+
+ return sss_ncache_reset_pfx(ctx, prefixes);
+}
+
errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
struct confdb_ctx *cdb,
struct resp_ctx *rctx)
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
index 377f97c8b3b20ec5b4a284e08d891737e2e25225..8af736a67aada91d6ac42495399f5de469dec753 100644
--- a/src/responder/common/negcache.h
+++ b/src/responder/common/negcache.h
@@ -78,6 +78,8 @@ int sss_ncache_set_service_port(struct sss_nc_ctx *ctx, bool permanent,
uint16_t port, const char *proto);
int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx);
+int sss_ncache_reset_users(struct sss_nc_ctx *ctx);
+int sss_ncache_reset_groups(struct sss_nc_ctx *ctx);
struct resp_ctx;
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index 14e4fa639a056d712b2453230745d7dc49853dec..d608c20ad3248c80e68029c8c27b826395a61ddc 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -785,6 +785,74 @@ static void test_sss_ncache_reset_prepopulate(void **state)
ret = check_group_in_ncache(ncache, dom2, "testgroup2");
assert_int_equal(ret, EEXIST);
}
+
+static void test_sss_ncache_reset(void **state)
+{
+ errno_t ret;
+ struct test_state *ts;
+ struct sss_domain_info *dom;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+ dom = talloc(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->case_sensitive = true;
+
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ /* Set users */
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_set_uid(ts->ctx, false, NULL, 123);
+ assert_int_equal(ret, EOK);
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_set_user(ts->ctx, false, dom, "foo");
+ assert_int_equal(ret, EOK);
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
+ assert_int_equal(ret, EEXIST);
+
+ /* Set groups */
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_set_gid(ts->ctx, false, NULL, 456);
+ assert_int_equal(ret, EOK);
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_set_group(ts->ctx, false, dom, "bar");
+ assert_int_equal(ret, EOK);
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_reset_users(ts->ctx);
+ assert_int_equal(ret, EOK);
+
+ /* Users are no longer negatively cached */
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
+ assert_int_equal(ret, ENOENT);
+
+ /* Groups still are */
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_reset_groups(ts->ctx);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
+ assert_int_equal(ret, ENOENT);
+}
+
int main(void)
{
int rv;
@@ -809,6 +877,8 @@ int main(void)
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
+ setup, teardown),
};
tests_set_cwd();
--
2.9.3

View File

@ -0,0 +1,193 @@
From c3a225d4d735d3a01883125592dda7a030a64e00 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 2 Nov 2016 15:59:37 +0100
Subject: [PATCH 39/79] NSS: Add sbus interface to clear memory cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds three new NSS interface sbus methods to disable memory caches of
users, groups and initgroups. It's enough to add this interface to the
NSS responder because the NSS responder is the only writer to the memory
cache.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/nss/nss_iface.c | 40 ++++++++++++++++++++++++++++++++-
src/responder/nss/nss_iface.xml | 6 +++++
src/responder/nss/nss_iface_generated.c | 39 ++++++++++++++++++++++++++++++++
src/responder/nss/nss_iface_generated.h | 15 +++++++++++++
4 files changed, 99 insertions(+), 1 deletion(-)
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
index 58c70c8a01bfcc143eda14c9185672302345ef75..4a38681b54d6c9d0ac9adece69bdebb3d305fcf9 100644
--- a/src/responder/nss/nss_iface.c
+++ b/src/responder/nss/nss_iface.c
@@ -144,6 +144,41 @@ done:
talloc_free(tmp_ctx);
}
+int nss_memorycache_invalidate_users(struct sbus_request *req, void *data)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Invalidating all users in memory cache\n");
+ sss_mmap_cache_reset(nctx->pwd_mc_ctx);
+
+ return iface_nss_memorycache_InvalidateAllUsers_finish(req);
+}
+
+int nss_memorycache_invalidate_groups(struct sbus_request *req, void *data)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Invalidating all groups in memory cache\n");
+ sss_mmap_cache_reset(nctx->grp_mc_ctx);
+
+ return iface_nss_memorycache_InvalidateAllGroups_finish(req);
+}
+
+int nss_memorycache_invalidate_initgroups(struct sbus_request *req, void *data)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Invalidating all initgroup records in memory cache\n");
+ sss_mmap_cache_reset(nctx->initgr_mc_ctx);
+
+ return iface_nss_memorycache_InvalidateAllInitgrRecords_finish(req);
+}
+
+
int nss_memorycache_update_initgroups(struct sbus_request *sbus_req,
void *data,
const char *user,
@@ -164,7 +199,10 @@ int nss_memorycache_update_initgroups(struct sbus_request *sbus_req,
struct iface_nss_memorycache iface_nss_memorycache = {
{ &iface_nss_memorycache_meta, 0 },
- .UpdateInitgroups = nss_memorycache_update_initgroups
+ .UpdateInitgroups = nss_memorycache_update_initgroups,
+ .InvalidateAllUsers = nss_memorycache_invalidate_users,
+ .InvalidateAllGroups = nss_memorycache_invalidate_groups,
+ .InvalidateAllInitgrRecords = nss_memorycache_invalidate_initgroups,
};
static struct sbus_iface_map iface_map[] = {
diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml
index b7cc4deb77135a592bad2ca62570f206231129b7..79e42c7424e800601bdc2dbe9ecd3e4a49829d68 100644
--- a/src/responder/nss/nss_iface.xml
+++ b/src/responder/nss/nss_iface.xml
@@ -8,5 +8,11 @@
<arg name="domain" type="s" direction="in" />
<arg name="groups" type="au" direction="in" />
</method>
+ <method name="InvalidateAllUsers">
+ </method>
+ <method name="InvalidateAllGroups">
+ </method>
+ <method name="InvalidateAllInitgrRecords">
+ </method>
</interface>
</node>
diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c
index 2d0031090e33df9c9e9d9fbf1a18825026509803..4c07080148f62c1d8e18e51e1be62bb261a13566 100644
--- a/src/responder/nss/nss_iface_generated.c
+++ b/src/responder/nss/nss_iface_generated.c
@@ -23,6 +23,24 @@ int iface_nss_memorycache_UpdateInitgroups_finish(struct sbus_request *req)
DBUS_TYPE_INVALID);
}
+int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req)
+{
+ return sbus_request_return_and_finish(req,
+ DBUS_TYPE_INVALID);
+}
+
+int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req)
+{
+ return sbus_request_return_and_finish(req,
+ DBUS_TYPE_INVALID);
+}
+
+int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req)
+{
+ return sbus_request_return_and_finish(req,
+ DBUS_TYPE_INVALID);
+}
+
/* methods for org.freedesktop.sssd.nss.MemoryCache */
const struct sbus_method_meta iface_nss_memorycache__methods[] = {
{
@@ -32,6 +50,27 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = {
offsetof(struct iface_nss_memorycache, UpdateInitgroups),
invoke_ssau_method,
},
+ {
+ "InvalidateAllUsers", /* name */
+ NULL, /* no in_args */
+ NULL, /* no out_args */
+ offsetof(struct iface_nss_memorycache, InvalidateAllUsers),
+ NULL, /* no invoker */
+ },
+ {
+ "InvalidateAllGroups", /* name */
+ NULL, /* no in_args */
+ NULL, /* no out_args */
+ offsetof(struct iface_nss_memorycache, InvalidateAllGroups),
+ NULL, /* no invoker */
+ },
+ {
+ "InvalidateAllInitgrRecords", /* name */
+ NULL, /* no in_args */
+ NULL, /* no out_args */
+ offsetof(struct iface_nss_memorycache, InvalidateAllInitgrRecords),
+ NULL, /* no invoker */
+ },
{ NULL, }
};
diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h
index ad902482a9be03a60cbf3663b6f771d0a2020b88..6f4d13a35dc5cbe33182ad8744769b37ce449d50 100644
--- a/src/responder/nss/nss_iface_generated.h
+++ b/src/responder/nss/nss_iface_generated.h
@@ -14,6 +14,9 @@
/* constants for org.freedesktop.sssd.nss.MemoryCache */
#define IFACE_NSS_MEMORYCACHE "org.freedesktop.sssd.nss.MemoryCache"
#define IFACE_NSS_MEMORYCACHE_UPDATEINITGROUPS "UpdateInitgroups"
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers"
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups"
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGRRECORDS "InvalidateAllInitgrRecords"
/* ------------------------------------------------------------------------
* DBus handlers
@@ -37,11 +40,23 @@
struct iface_nss_memorycache {
struct sbus_vtable vtable; /* derive from sbus_vtable */
int (*UpdateInitgroups)(struct sbus_request *req, void *data, const char *arg_user, const char *arg_domain, uint32_t arg_groups[], int len_groups);
+ int (*InvalidateAllUsers)(struct sbus_request *req, void *data);
+ int (*InvalidateAllGroups)(struct sbus_request *req, void *data);
+ int (*InvalidateAllInitgrRecords)(struct sbus_request *req, void *data);
};
/* finish function for UpdateInitgroups */
int iface_nss_memorycache_UpdateInitgroups_finish(struct sbus_request *req);
+/* finish function for InvalidateAllUsers */
+int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req);
+
+/* finish function for InvalidateAllGroups */
+int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req);
+
+/* finish function for InvalidateAllInitgrRecords */
+int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req);
+
/* ------------------------------------------------------------------------
* DBus Interface Metadata
*
--
2.9.3

View File

@ -0,0 +1,111 @@
From f2047f6c5b56d6759bd8e6d504f572a593476c65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 23 Jan 2017 22:55:20 +0100
Subject: [PATCH 40/79] NSS: Rename the interface to invalidate memory cache
initgroup records for consistency
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/nss/nss_iface.c | 4 ++--
src/responder/nss/nss_iface.xml | 2 +-
src/responder/nss/nss_iface_generated.c | 6 +++---
src/responder/nss/nss_iface_generated.h | 8 ++++----
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
index 4a38681b54d6c9d0ac9adece69bdebb3d305fcf9..fee95f8fc6806d2e70112d02690469fb094efa17 100644
--- a/src/responder/nss/nss_iface.c
+++ b/src/responder/nss/nss_iface.c
@@ -175,7 +175,7 @@ int nss_memorycache_invalidate_initgroups(struct sbus_request *req, void *data)
"Invalidating all initgroup records in memory cache\n");
sss_mmap_cache_reset(nctx->initgr_mc_ctx);
- return iface_nss_memorycache_InvalidateAllInitgrRecords_finish(req);
+ return iface_nss_memorycache_InvalidateAllInitgroups_finish(req);
}
@@ -202,7 +202,7 @@ struct iface_nss_memorycache iface_nss_memorycache = {
.UpdateInitgroups = nss_memorycache_update_initgroups,
.InvalidateAllUsers = nss_memorycache_invalidate_users,
.InvalidateAllGroups = nss_memorycache_invalidate_groups,
- .InvalidateAllInitgrRecords = nss_memorycache_invalidate_initgroups,
+ .InvalidateAllInitgroups = nss_memorycache_invalidate_initgroups,
};
static struct sbus_iface_map iface_map[] = {
diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml
index 79e42c7424e800601bdc2dbe9ecd3e4a49829d68..27aae019758c49ab7ec04161394d58da88077b60 100644
--- a/src/responder/nss/nss_iface.xml
+++ b/src/responder/nss/nss_iface.xml
@@ -12,7 +12,7 @@
</method>
<method name="InvalidateAllGroups">
</method>
- <method name="InvalidateAllInitgrRecords">
+ <method name="InvalidateAllInitgroups">
</method>
</interface>
</node>
diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c
index 4c07080148f62c1d8e18e51e1be62bb261a13566..e4f3aec2d1394fbbe75185acfa68b6f947c0e142 100644
--- a/src/responder/nss/nss_iface_generated.c
+++ b/src/responder/nss/nss_iface_generated.c
@@ -35,7 +35,7 @@ int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req)
DBUS_TYPE_INVALID);
}
-int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req)
+int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req)
{
return sbus_request_return_and_finish(req,
DBUS_TYPE_INVALID);
@@ -65,10 +65,10 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = {
NULL, /* no invoker */
},
{
- "InvalidateAllInitgrRecords", /* name */
+ "InvalidateAllInitgroups", /* name */
NULL, /* no in_args */
NULL, /* no out_args */
- offsetof(struct iface_nss_memorycache, InvalidateAllInitgrRecords),
+ offsetof(struct iface_nss_memorycache, InvalidateAllInitgroups),
NULL, /* no invoker */
},
{ NULL, }
diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h
index 6f4d13a35dc5cbe33182ad8744769b37ce449d50..cacadc57808d6f16998889cccf0c5973682bbe5d 100644
--- a/src/responder/nss/nss_iface_generated.h
+++ b/src/responder/nss/nss_iface_generated.h
@@ -16,7 +16,7 @@
#define IFACE_NSS_MEMORYCACHE_UPDATEINITGROUPS "UpdateInitgroups"
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers"
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups"
-#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGRRECORDS "InvalidateAllInitgrRecords"
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS "InvalidateAllInitgroups"
/* ------------------------------------------------------------------------
* DBus handlers
@@ -42,7 +42,7 @@ struct iface_nss_memorycache {
int (*UpdateInitgroups)(struct sbus_request *req, void *data, const char *arg_user, const char *arg_domain, uint32_t arg_groups[], int len_groups);
int (*InvalidateAllUsers)(struct sbus_request *req, void *data);
int (*InvalidateAllGroups)(struct sbus_request *req, void *data);
- int (*InvalidateAllInitgrRecords)(struct sbus_request *req, void *data);
+ int (*InvalidateAllInitgroups)(struct sbus_request *req, void *data);
};
/* finish function for UpdateInitgroups */
@@ -54,8 +54,8 @@ int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req);
/* finish function for InvalidateAllGroups */
int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req);
-/* finish function for InvalidateAllInitgrRecords */
-int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req);
+/* finish function for InvalidateAllInitgroups */
+int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req);
/* ------------------------------------------------------------------------
* DBus Interface Metadata
--
2.9.3

View File

@ -0,0 +1,56 @@
From 2d1a59f6c2cf3cf4667cf2d01b2d780db916db42 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 10 Feb 2017 12:22:23 +0100
Subject: [PATCH 41/79] UTIL: Add a new domain state called DOM_INCONSISTENT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a new domain state that indicates to the responder that it
should always send a DP request because the provider is rebuilding the
cache.
Currently it will be only used by the files provider when it is updating
the cache to make sure sssd always returns current data and updating the
cache from files is not as racy.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/confdb/confdb.h | 4 ++++
src/providers/data_provider_be.c | 4 +++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index dd6ac77f5a787b0434b56fccba49aa195b13297a..7c944698157619652441fb0722a4363053d6a8f3 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -248,6 +248,10 @@ enum sss_domain_state {
* return cached data
*/
DOM_INACTIVE,
+ /** Domain is being updated. Responders should ignore cached data and
+ * always contact the DP
+ */
+ DOM_INCONSISTENT,
};
/**
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 12b5f43d0b5d514ce06ae8875ae2a75d37f84f88..7e7b74c36993489a93c15ad9acb33af7864f852d 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -166,8 +166,10 @@ static void be_mark_subdom_offline(struct sss_domain_info *subdom,
tv = tevent_timeval_current_ofs(reset_status_timeout, 0);
switch (subdom->state) {
+ case DOM_INCONSISTENT:
case DOM_DISABLED:
- DEBUG(SSSDBG_MINOR_FAILURE, "Won't touch disabled subdomain\n");
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Won't touch disabled or inconsistent subdomain\n");
return;
case DOM_INACTIVE:
DEBUG(SSSDBG_TRACE_ALL, "Subdomain already inactive\n");
--
2.9.3

View File

@ -0,0 +1,561 @@
From c109f063b4469818fd335b8b509f0458e7b33b0a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 30 Oct 2016 07:05:43 +0100
Subject: [PATCH 42/79] RESPONDER: Add a responder sbus interface to set domain
state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds a generic responder s-bus interface that all responders implement.
The interface currently contains methods that make it possible for a sssd
domain to be marked as active or inconsistent by a back end.
In the future, this commit will be superseded by sbus signals.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 18 ++++-
src/responder/common/iface/responder_domain.c | 73 ++++++++++++++++++++
src/responder/common/iface/responder_iface.c | 36 ++++++++++
src/responder/common/iface/responder_iface.h | 37 ++++++++++
src/responder/common/iface/responder_iface.xml | 13 ++++
.../common/iface/responder_iface_generated.c | 78 ++++++++++++++++++++++
.../common/iface/responder_iface_generated.h | 63 +++++++++++++++++
src/responder/common/responder_common.c | 15 +++++
src/tests/cwrap/Makefile.am | 12 ++++
src/util/domain_info_utils.c | 19 ++++++
10 files changed, 362 insertions(+), 2 deletions(-)
create mode 100644 src/responder/common/iface/responder_domain.c
create mode 100644 src/responder/common/iface/responder_iface.c
create mode 100644 src/responder/common/iface/responder_iface.h
create mode 100644 src/responder/common/iface/responder_iface.xml
create mode 100644 src/responder/common/iface/responder_iface_generated.c
create mode 100644 src/responder/common/iface/responder_iface_generated.h
diff --git a/Makefile.am b/Makefile.am
index 2304b39c7eb75225f7cd8cbc30d23592506c146e..32f62b5b4391e5d6efb7f7dc19e9b29eaa658550 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -516,6 +516,12 @@ SSSD_CACHE_REQ_OBJ = \
src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
$(NULL)
+SSSD_RESPONDER_IFACE_OBJ = \
+ src/responder/common/iface/responder_iface.c \
+ src/responder/common/iface/responder_domain.c \
+ src/responder/common/iface/responder_iface_generated.c \
+ $(NULL)
+
SSSD_RESPONDER_OBJ = \
src/responder/common/negcache_files.c \
src/responder/common/negcache.c \
@@ -530,6 +536,7 @@ SSSD_RESPONDER_OBJ = \
src/responder/common/data_provider/rdp_client.c \
src/monitor/monitor_iface_generated.c \
src/providers/data_provider_req.c \
+ $(SSSD_RESPONDER_IFACE_OBJ) \
$(SSSD_CACHE_REQ_OBJ) \
$(NULL)
@@ -640,6 +647,8 @@ dist_noinst_HEADERS = \
src/responder/common/responder.h \
src/responder/common/responder_packet.h \
src/responder/common/responder_sbus.h \
+ src/responder/common/iface/responder_iface.h \
+ src/responder/common/iface/responder_iface_generated.h \
src/responder/common/cache_req/cache_req.h \
src/responder/common/cache_req/cache_req_plugin.h \
src/responder/common/cache_req/cache_req_private.h \
@@ -1221,7 +1230,9 @@ CODEGEN_XML = \
$(srcdir)/src/providers/data_provider/dp_iface.xml \
$(srcdir)/src/providers/proxy/proxy_iface.xml \
$(srcdir)/src/responder/ifp/ifp_iface.xml \
- $(srcdir)/src/responder/nss/nss_iface.xml
+ $(srcdir)/src/responder/nss/nss_iface.xml \
+ $(srcdir)/src/responder/common/iface/responder_iface.xml \
+ $(NULL)
SBUS_CODEGEN = src/sbus/sbus_codegen
@@ -2038,7 +2049,9 @@ responder_socket_access_tests_SOURCES = \
src/responder/common/responder_packet.c \
src/responder/common/responder_cmd.c \
src/responder/common/data_provider/rdp_message.c \
- src/responder/common/data_provider/rdp_client.c
+ src/responder/common/data_provider/rdp_client.c \
+ $(SSSD_RESPONDER_IFACE_OBJ) \
+ $(NULL)
responder_socket_access_tests_CFLAGS = \
$(AM_CFLAGS) \
$(CHECK_CFLAGS)
@@ -2125,6 +2138,7 @@ TEST_MOCK_RESP_OBJ = \
src/responder/common/data_provider/rdp_client.c \
src/responder/common/responder_utils.c \
$(SSSD_CACHE_REQ_OBJ) \
+ $(SSSD_RESPONDER_IFACE_OBJ) \
$(NULL)
TEST_MOCK_PROVIDER_OBJ = \
diff --git a/src/responder/common/iface/responder_domain.c b/src/responder/common/iface/responder_domain.c
new file mode 100644
index 0000000000000000000000000000000000000000..2e7f788550b3cd0dcec20fc5b91fe8a4cb366875
--- /dev/null
+++ b/src/responder/common/iface/responder_domain.c
@@ -0,0 +1,73 @@
+/*
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <string.h>
+#include <errno.h>
+
+#include "util/util.h"
+#include "sbus/sssd_dbus.h"
+#include "responder/common/responder.h"
+#include "responder/common/iface/responder_iface.h"
+
+static void set_domain_state_by_name(struct resp_ctx *rctx,
+ const char *domain_name,
+ enum sss_domain_state state)
+{
+ struct sss_domain_info *dom;
+
+ if (domain_name == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "BUG: NULL domain name\n");
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Setting state of domain %s\n", domain_name);
+
+ for (dom = rctx->domains;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+
+ if (strcasecmp(dom->name, domain_name) == 0) {
+ break;
+ }
+ }
+
+ if (dom != NULL) {
+ sss_domain_set_state(dom, state);
+ }
+}
+
+int sss_resp_domain_active(struct sbus_request *req,
+ void *data,
+ const char *domain_name)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Enabling domain %s\n", domain_name);
+ set_domain_state_by_name(rctx, domain_name, DOM_ACTIVE);
+ return iface_responder_domain_SetActive_finish(req);
+}
+
+int sss_resp_domain_inconsistent(struct sbus_request *req,
+ void *data,
+ const char *domain_name)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Disabling domain %s\n", domain_name);
+ set_domain_state_by_name(rctx, domain_name, DOM_INCONSISTENT);
+ return iface_responder_domain_SetInconsistent_finish(req);
+}
diff --git a/src/responder/common/iface/responder_iface.c b/src/responder/common/iface/responder_iface.c
new file mode 100644
index 0000000000000000000000000000000000000000..f1e618b659af3e7a5ffa1b7307f3d61124180f0c
--- /dev/null
+++ b/src/responder/common/iface/responder_iface.c
@@ -0,0 +1,36 @@
+/*
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "sbus/sssd_dbus.h"
+#include "responder/common/iface/responder_iface.h"
+#include "responder/common/responder.h"
+
+struct iface_responder_domain iface_responder_domain = {
+ { &iface_responder_domain_meta, 0 },
+ .SetActive = sss_resp_domain_active,
+ .SetInconsistent = sss_resp_domain_inconsistent,
+};
+
+static struct sbus_iface_map iface_map[] = {
+ { RESPONDER_PATH, &iface_responder_domain.vtable },
+ { NULL, NULL }
+};
+
+struct sbus_iface_map *responder_get_sbus_interface()
+{
+ return iface_map;
+}
diff --git a/src/responder/common/iface/responder_iface.h b/src/responder/common/iface/responder_iface.h
new file mode 100644
index 0000000000000000000000000000000000000000..abd7c83ce0b0efbc13867ffb56ec871503c92567
--- /dev/null
+++ b/src/responder/common/iface/responder_iface.h
@@ -0,0 +1,37 @@
+/*
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _RESPONDER_IFACE_H_
+#define _RESPONDER_IFACE_H_
+
+#include "responder/common/iface/responder_iface_generated.h"
+
+#define RESPONDER_PATH "/org/freedesktop/sssd/responder"
+
+struct sbus_iface_map *responder_get_sbus_interface(void);
+
+/* org.freedesktop.sssd.Responder.Domain */
+
+int sss_resp_domain_active(struct sbus_request *req,
+ void *data,
+ const char *domain_name);
+
+int sss_resp_domain_inconsistent(struct sbus_request *req,
+ void *data,
+ const char *domain_name);
+
+#endif /* _RESPONDER_IFACE_H_ */
diff --git a/src/responder/common/iface/responder_iface.xml b/src/responder/common/iface/responder_iface.xml
new file mode 100644
index 0000000000000000000000000000000000000000..d3d0ff40ed5a8457492f2f54d551d9ae20cc56c3
--- /dev/null
+++ b/src/responder/common/iface/responder_iface.xml
@@ -0,0 +1,13 @@
+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
+<node>
+ <interface name="org.freedesktop.sssd.Responder.Domain">
+ <annotation value="iface_responder_domain" name="org.freedesktop.DBus.GLib.CSymbol"/>
+ <method name="SetActive">
+ <arg name="name" type="s" direction="in" />
+ </method>
+ <method name="SetInconsistent">
+ <arg name="name" type="s" direction="in" />
+ </method>
+ </interface>
+</node>
diff --git a/src/responder/common/iface/responder_iface_generated.c b/src/responder/common/iface/responder_iface_generated.c
new file mode 100644
index 0000000000000000000000000000000000000000..1d59eafed0eb739fb208c864b5b726cf9883df94
--- /dev/null
+++ b/src/responder/common/iface/responder_iface_generated.c
@@ -0,0 +1,78 @@
+/* The following definitions are auto-generated from responder_iface.xml */
+
+#include "util/util.h"
+#include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_meta.h"
+#include "sbus/sssd_dbus_invokers.h"
+#include "responder_iface_generated.h"
+
+/* invokes a handler with a 's' DBus signature */
+static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr);
+
+/* arguments for org.freedesktop.sssd.Responder.Domain.SetActive */
+const struct sbus_arg_meta iface_responder_domain_SetActive__in[] = {
+ { "name", "s" },
+ { NULL, }
+};
+
+int iface_responder_domain_SetActive_finish(struct sbus_request *req)
+{
+ return sbus_request_return_and_finish(req,
+ DBUS_TYPE_INVALID);
+}
+
+/* arguments for org.freedesktop.sssd.Responder.Domain.SetInconsistent */
+const struct sbus_arg_meta iface_responder_domain_SetInconsistent__in[] = {
+ { "name", "s" },
+ { NULL, }
+};
+
+int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req)
+{
+ return sbus_request_return_and_finish(req,
+ DBUS_TYPE_INVALID);
+}
+
+/* methods for org.freedesktop.sssd.Responder.Domain */
+const struct sbus_method_meta iface_responder_domain__methods[] = {
+ {
+ "SetActive", /* name */
+ iface_responder_domain_SetActive__in,
+ NULL, /* no out_args */
+ offsetof(struct iface_responder_domain, SetActive),
+ invoke_s_method,
+ },
+ {
+ "SetInconsistent", /* name */
+ iface_responder_domain_SetInconsistent__in,
+ NULL, /* no out_args */
+ offsetof(struct iface_responder_domain, SetInconsistent),
+ invoke_s_method,
+ },
+ { NULL, }
+};
+
+/* interface info for org.freedesktop.sssd.Responder.Domain */
+const struct sbus_interface_meta iface_responder_domain_meta = {
+ "org.freedesktop.sssd.Responder.Domain", /* name */
+ iface_responder_domain__methods,
+ NULL, /* no signals */
+ NULL, /* no properties */
+ sbus_invoke_get_all, /* GetAll invoker */
+};
+
+/* invokes a handler with a 's' DBus signature */
+static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr)
+{
+ const char * arg_0;
+ int (*handler)(struct sbus_request *, void *, const char *) = function_ptr;
+
+ if (!sbus_request_parse_or_finish(dbus_req,
+ DBUS_TYPE_STRING, &arg_0,
+ DBUS_TYPE_INVALID)) {
+ return EOK; /* request handled */
+ }
+
+ return (handler)(dbus_req, dbus_req->intf->handler_data,
+ arg_0);
+}
diff --git a/src/responder/common/iface/responder_iface_generated.h b/src/responder/common/iface/responder_iface_generated.h
new file mode 100644
index 0000000000000000000000000000000000000000..e7f5c64feb062e13dc04352128cada6883f6f4fa
--- /dev/null
+++ b/src/responder/common/iface/responder_iface_generated.h
@@ -0,0 +1,63 @@
+/* The following declarations are auto-generated from responder_iface.xml */
+
+#ifndef __RESPONDER_IFACE_XML__
+#define __RESPONDER_IFACE_XML__
+
+#include "sbus/sssd_dbus.h"
+
+/* ------------------------------------------------------------------------
+ * DBus Constants
+ *
+ * Various constants of interface and method names mostly for use by clients
+ */
+
+/* constants for org.freedesktop.sssd.Responder.Domain */
+#define IFACE_RESPONDER_DOMAIN "org.freedesktop.sssd.Responder.Domain"
+#define IFACE_RESPONDER_DOMAIN_SETACTIVE "SetActive"
+#define IFACE_RESPONDER_DOMAIN_SETINCONSISTENT "SetInconsistent"
+
+/* ------------------------------------------------------------------------
+ * DBus handlers
+ *
+ * These structures are filled in by implementors of the different
+ * dbus interfaces to handle method calls.
+ *
+ * Handler functions of type sbus_msg_handler_fn accept raw messages,
+ * other handlers are typed appropriately. If a handler that is
+ * set to NULL is invoked it will result in a
+ * org.freedesktop.DBus.Error.NotSupported error for the caller.
+ *
+ * Handlers have a matching xxx_finish() function (unless the method has
+ * accepts raw messages). These finish functions the
+ * sbus_request_return_and_finish() with the appropriate arguments to
+ * construct a valid reply. Once a finish function has been called, the
+ * @dbus_req it was called with is freed and no longer valid.
+ */
+
+/* vtable for org.freedesktop.sssd.Responder.Domain */
+struct iface_responder_domain {
+ struct sbus_vtable vtable; /* derive from sbus_vtable */
+ int (*SetActive)(struct sbus_request *req, void *data, const char *arg_name);
+ int (*SetInconsistent)(struct sbus_request *req, void *data, const char *arg_name);
+};
+
+/* finish function for SetActive */
+int iface_responder_domain_SetActive_finish(struct sbus_request *req);
+
+/* finish function for SetInconsistent */
+int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req);
+
+/* ------------------------------------------------------------------------
+ * DBus Interface Metadata
+ *
+ * These structure definitions are filled in with the information about
+ * the interfaces, methods, properties and so on.
+ *
+ * The actual definitions are found in the accompanying C file next
+ * to this header.
+ */
+
+/* interface info for org.freedesktop.sssd.Responder.Domain */
+extern const struct sbus_interface_meta iface_responder_domain_meta;
+
+#endif /* __RESPONDER_IFACE_XML__ */
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 67922bfccda8f00f256a4d1281aebfe20950d169..1959247ffda76d5041bc031c4c774aef9e0295d8 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -38,6 +38,7 @@
#include "confdb/confdb.h"
#include "sbus/sssd_dbus.h"
#include "responder/common/responder.h"
+#include "responder/common/iface/responder_iface.h"
#include "responder/common/responder_packet.h"
#include "providers/data_provider.h"
#include "monitor/monitor_interfaces.h"
@@ -666,6 +667,7 @@ static int sss_dp_init(struct resp_ctx *rctx,
{
struct be_conn *be_conn;
int ret;
+ struct sbus_iface_map *resp_sbus_iface;
be_conn = talloc_zero(rctx, struct be_conn);
if (!be_conn) return ENOMEM;
@@ -697,6 +699,19 @@ static int sss_dp_init(struct resp_ctx *rctx,
}
}
+ resp_sbus_iface = responder_get_sbus_interface();
+ if (resp_sbus_iface != NULL) {
+ ret = sbus_conn_register_iface_map(be_conn->conn,
+ resp_sbus_iface,
+ rctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot register generic responder iface at %s: %d\n",
+ resp_sbus_iface->path, ret);
+ return ret;
+ }
+ }
+
DLIST_ADD_END(rctx->be_conns, be_conn, struct be_conn *);
/* Identify ourselves to the DP */
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 09a8b5307dd3ebf9c7f27148097a90eac527a213..f50e9aa58fa5f2b0b8aa144582500d925a0a6438 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -63,6 +63,12 @@ SSSD_CACHE_REQ_OBJ = \
../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
$(NULL)
+SSSD_RESPONDER_IFACE_OBJ = \
+ ../../../src/responder/common/iface/responder_iface.c \
+ ../../../src/responder/common/iface/responder_domain.c \
+ ../../../src/responder/common/iface/responder_iface_generated.c \
+ $(NULL)
+
SSSD_RESPONDER_OBJ = \
../../../src/responder/common/negcache_files.c \
../../../src/responder/common/negcache.c \
@@ -77,6 +83,7 @@ SSSD_RESPONDER_OBJ = \
../../../src/responder/common/data_provider/rdp_client.c \
../../../src/monitor/monitor_iface_generated.c \
../../../src/providers/data_provider_req.c \
+ $(SSSD_RESPONDER_IFACE_OBJ) \
$(SSSD_CACHE_REQ_OBJ) \
$(NULL)
@@ -158,6 +165,9 @@ endif
responder_common_tests_SOURCES =\
test_responder_common.c \
+ ../../../src/responder/common/iface/responder_iface.c \
+ ../../../src/responder/common/iface/responder_domain.c \
+ ../../../src/responder/common/iface/responder_iface_generated.c \
../../../src/responder/common/negcache_files.c \
../../../src/responder/common/negcache.c \
../../../src/responder/common/data_provider/rdp_message.c \
@@ -165,6 +175,8 @@ responder_common_tests_SOURCES =\
../../../src/responder/common/responder_common.c \
../../../src/responder/common/responder_packet.c \
../../../src/responder/common/responder_cmd.c \
+ ../../../src/tests/cmocka/common_mock_resp_dp.c \
+ $(SSSD_CACHE_REQ_OBJ) \
$(NULL)
responder_common_tests_CFLAGS = \
$(AM_CFLAGS) \
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 0feda148bd44b9cefc43c094ddc5a72820412322..6ef6bcfb8c078a360673b6bdd2364fc2918cb324 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -814,8 +814,25 @@ done:
return ret;
}
+static const char *domain_state_str(struct sss_domain_info *dom)
+{
+ switch (dom->state) {
+ case DOM_ACTIVE:
+ return "Active";
+ case DOM_DISABLED:
+ return "Disabled";
+ case DOM_INACTIVE:
+ return "Inactive";
+ case DOM_INCONSISTENT:
+ return "Inconsistent";
+ }
+ return "Unknown";
+}
+
enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom)
{
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Domain %s is %s\n", dom->name, domain_state_str(dom));
return dom->state;
}
@@ -823,6 +840,8 @@ void sss_domain_set_state(struct sss_domain_info *dom,
enum sss_domain_state state)
{
dom->state = state;
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Domain %s is %s\n", dom->name, domain_state_str(dom));
}
bool is_email_from_domain(const char *email, struct sss_domain_info *dom)
--
2.9.3

View File

@ -0,0 +1,259 @@
From 205a0b9e9234327730fa808be95b2e1db7ffee95 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 2 Nov 2016 17:13:32 +0100
Subject: [PATCH 43/79] RESPONDER: A sbus interface to reset negatively cached
users and groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds two new responder sbus interface functions: ResetNegcacheUsers and
ResetNegcacheGroups. These functions can be called by a Data Provider to
signal to a responder that it should drop its negative cache.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 1 +
src/responder/common/iface/responder_iface.c | 7 ++++
src/responder/common/iface/responder_iface.h | 5 +++
src/responder/common/iface/responder_iface.xml | 6 ++++
.../common/iface/responder_iface_generated.c | 40 ++++++++++++++++++++++
.../common/iface/responder_iface_generated.h | 21 ++++++++++++
.../{responder_iface.c => responder_ncache.c} | 31 ++++++++++-------
src/tests/cwrap/Makefile.am | 2 ++
8 files changed, 100 insertions(+), 13 deletions(-)
copy src/responder/common/iface/{responder_iface.c => responder_ncache.c} (55%)
diff --git a/Makefile.am b/Makefile.am
index 32f62b5b4391e5d6efb7f7dc19e9b29eaa658550..aa28a27f992f9a42b78d37d6de8fd8271c99afef 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -519,6 +519,7 @@ SSSD_CACHE_REQ_OBJ = \
SSSD_RESPONDER_IFACE_OBJ = \
src/responder/common/iface/responder_iface.c \
src/responder/common/iface/responder_domain.c \
+ src/responder/common/iface/responder_ncache.c \
src/responder/common/iface/responder_iface_generated.c \
$(NULL)
diff --git a/src/responder/common/iface/responder_iface.c b/src/responder/common/iface/responder_iface.c
index f1e618b659af3e7a5ffa1b7307f3d61124180f0c..07fd1ff6276ae9b847ff50b949ce91550fe68296 100644
--- a/src/responder/common/iface/responder_iface.c
+++ b/src/responder/common/iface/responder_iface.c
@@ -25,8 +25,15 @@ struct iface_responder_domain iface_responder_domain = {
.SetInconsistent = sss_resp_domain_inconsistent,
};
+struct iface_responder_ncache iface_responder_ncache = {
+ { &iface_responder_ncache_meta, 0 },
+ .ResetUsers = sss_resp_reset_ncache_users,
+ .ResetGroups = sss_resp_reset_ncache_groups,
+};
+
static struct sbus_iface_map iface_map[] = {
{ RESPONDER_PATH, &iface_responder_domain.vtable },
+ { RESPONDER_PATH, &iface_responder_ncache.vtable },
{ NULL, NULL }
};
diff --git a/src/responder/common/iface/responder_iface.h b/src/responder/common/iface/responder_iface.h
index abd7c83ce0b0efbc13867ffb56ec871503c92567..5166b624cf9f7278c46f10dfc26c717ac4462408 100644
--- a/src/responder/common/iface/responder_iface.h
+++ b/src/responder/common/iface/responder_iface.h
@@ -34,4 +34,9 @@ int sss_resp_domain_inconsistent(struct sbus_request *req,
void *data,
const char *domain_name);
+/* org.freedesktop.sssd.Responder.NegativeCache */
+
+int sss_resp_reset_ncache_users(struct sbus_request *req, void *data);
+int sss_resp_reset_ncache_groups(struct sbus_request *req, void *data);
+
#endif /* _RESPONDER_IFACE_H_ */
diff --git a/src/responder/common/iface/responder_iface.xml b/src/responder/common/iface/responder_iface.xml
index d3d0ff40ed5a8457492f2f54d551d9ae20cc56c3..9f092e00ffc5354efe98b6c8bde1cdf414ee36d2 100644
--- a/src/responder/common/iface/responder_iface.xml
+++ b/src/responder/common/iface/responder_iface.xml
@@ -10,4 +10,10 @@
<arg name="name" type="s" direction="in" />
</method>
</interface>
+
+ <interface name="org.freedesktop.sssd.Responder.NegativeCache">
+ <annotation value="iface_responder_ncache" name="org.freedesktop.DBus.GLib.CSymbol"/>
+ <method name="ResetUsers" />
+ <method name="ResetGroups" />
+ </interface>
</node>
diff --git a/src/responder/common/iface/responder_iface_generated.c b/src/responder/common/iface/responder_iface_generated.c
index 1d59eafed0eb739fb208c864b5b726cf9883df94..837e67cfd4305494be6ee3de949d56d47179707c 100644
--- a/src/responder/common/iface/responder_iface_generated.c
+++ b/src/responder/common/iface/responder_iface_generated.c
@@ -61,6 +61,46 @@ const struct sbus_interface_meta iface_responder_domain_meta = {
sbus_invoke_get_all, /* GetAll invoker */
};
+int iface_responder_ncache_ResetUsers_finish(struct sbus_request *req)
+{
+ return sbus_request_return_and_finish(req,
+ DBUS_TYPE_INVALID);
+}
+
+int iface_responder_ncache_ResetGroups_finish(struct sbus_request *req)
+{
+ return sbus_request_return_and_finish(req,
+ DBUS_TYPE_INVALID);
+}
+
+/* methods for org.freedesktop.sssd.Responder.NegativeCache */
+const struct sbus_method_meta iface_responder_ncache__methods[] = {
+ {
+ "ResetUsers", /* name */
+ NULL, /* no in_args */
+ NULL, /* no out_args */
+ offsetof(struct iface_responder_ncache, ResetUsers),
+ NULL, /* no invoker */
+ },
+ {
+ "ResetGroups", /* name */
+ NULL, /* no in_args */
+ NULL, /* no out_args */
+ offsetof(struct iface_responder_ncache, ResetGroups),
+ NULL, /* no invoker */
+ },
+ { NULL, }
+};
+
+/* interface info for org.freedesktop.sssd.Responder.NegativeCache */
+const struct sbus_interface_meta iface_responder_ncache_meta = {
+ "org.freedesktop.sssd.Responder.NegativeCache", /* name */
+ iface_responder_ncache__methods,
+ NULL, /* no signals */
+ NULL, /* no properties */
+ sbus_invoke_get_all, /* GetAll invoker */
+};
+
/* invokes a handler with a 's' DBus signature */
static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr)
{
diff --git a/src/responder/common/iface/responder_iface_generated.h b/src/responder/common/iface/responder_iface_generated.h
index e7f5c64feb062e13dc04352128cada6883f6f4fa..964f19b732595c261e84f857497678490a113412 100644
--- a/src/responder/common/iface/responder_iface_generated.h
+++ b/src/responder/common/iface/responder_iface_generated.h
@@ -16,6 +16,11 @@
#define IFACE_RESPONDER_DOMAIN_SETACTIVE "SetActive"
#define IFACE_RESPONDER_DOMAIN_SETINCONSISTENT "SetInconsistent"
+/* constants for org.freedesktop.sssd.Responder.NegativeCache */
+#define IFACE_RESPONDER_NCACHE "org.freedesktop.sssd.Responder.NegativeCache"
+#define IFACE_RESPONDER_NCACHE_RESETUSERS "ResetUsers"
+#define IFACE_RESPONDER_NCACHE_RESETGROUPS "ResetGroups"
+
/* ------------------------------------------------------------------------
* DBus handlers
*
@@ -47,6 +52,19 @@ int iface_responder_domain_SetActive_finish(struct sbus_request *req);
/* finish function for SetInconsistent */
int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req);
+/* vtable for org.freedesktop.sssd.Responder.NegativeCache */
+struct iface_responder_ncache {
+ struct sbus_vtable vtable; /* derive from sbus_vtable */
+ int (*ResetUsers)(struct sbus_request *req, void *data);
+ int (*ResetGroups)(struct sbus_request *req, void *data);
+};
+
+/* finish function for ResetUsers */
+int iface_responder_ncache_ResetUsers_finish(struct sbus_request *req);
+
+/* finish function for ResetGroups */
+int iface_responder_ncache_ResetGroups_finish(struct sbus_request *req);
+
/* ------------------------------------------------------------------------
* DBus Interface Metadata
*
@@ -60,4 +78,7 @@ int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req);
/* interface info for org.freedesktop.sssd.Responder.Domain */
extern const struct sbus_interface_meta iface_responder_domain_meta;
+/* interface info for org.freedesktop.sssd.Responder.NegativeCache */
+extern const struct sbus_interface_meta iface_responder_ncache_meta;
+
#endif /* __RESPONDER_IFACE_XML__ */
diff --git a/src/responder/common/iface/responder_iface.c b/src/responder/common/iface/responder_ncache.c
similarity index 55%
copy from src/responder/common/iface/responder_iface.c
copy to src/responder/common/iface/responder_ncache.c
index f1e618b659af3e7a5ffa1b7307f3d61124180f0c..c7aa0a3a40f386aa2d2f0d0a00a4fa90a59ffb34 100644
--- a/src/responder/common/iface/responder_iface.c
+++ b/src/responder/common/iface/responder_ncache.c
@@ -1,5 +1,8 @@
/*
- Copyright (C) 2016 Red Hat
+ Authors:
+ Pavel Březina <pbrezina@redhat.com>
+
+ Copyright (C) 2017 Red Hat
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -15,22 +18,24 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "util/util.h"
#include "sbus/sssd_dbus.h"
-#include "responder/common/iface/responder_iface.h"
#include "responder/common/responder.h"
+#include "responder/common/negcache.h"
+#include "responder/common/iface/responder_iface.h"
-struct iface_responder_domain iface_responder_domain = {
- { &iface_responder_domain_meta, 0 },
- .SetActive = sss_resp_domain_active,
- .SetInconsistent = sss_resp_domain_inconsistent,
-};
+int sss_resp_reset_ncache_users(struct sbus_request *req, void *data)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
-static struct sbus_iface_map iface_map[] = {
- { RESPONDER_PATH, &iface_responder_domain.vtable },
- { NULL, NULL }
-};
+ sss_ncache_reset_users(rctx->ncache);
+ return iface_responder_ncache_ResetUsers_finish(req);
+}
-struct sbus_iface_map *responder_get_sbus_interface()
+int sss_resp_reset_ncache_groups(struct sbus_request *req, void *data)
{
- return iface_map;
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+
+ sss_ncache_reset_groups(rctx->ncache);
+ return iface_responder_ncache_ResetGroups_finish(req);
}
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index f50e9aa58fa5f2b0b8aa144582500d925a0a6438..b4bef8fee1830c1d6798dde50f114ecb4608c645 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -66,6 +66,7 @@ SSSD_CACHE_REQ_OBJ = \
SSSD_RESPONDER_IFACE_OBJ = \
../../../src/responder/common/iface/responder_iface.c \
../../../src/responder/common/iface/responder_domain.c \
+ ../../../src/responder/common/iface/responder_ncache.c \
../../../src/responder/common/iface/responder_iface_generated.c \
$(NULL)
@@ -167,6 +168,7 @@ responder_common_tests_SOURCES =\
test_responder_common.c \
../../../src/responder/common/iface/responder_iface.c \
../../../src/responder/common/iface/responder_domain.c \
+ ../../../src/responder/common/iface/responder_ncache.c \
../../../src/responder/common/iface/responder_iface_generated.c \
../../../src/responder/common/negcache_files.c \
../../../src/responder/common/negcache.c \
--
2.9.3

View File

@ -0,0 +1,148 @@
From b3ee4be9e1794fa823696d70d4958f3b0269939c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 2 Nov 2016 17:18:07 +0100
Subject: [PATCH 44/79] DP: Add internal DP interface to set domain state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds functions to the interface Data Provider publishes towards back
ends that allows the back ends to notify responders that a domain has
been enabled or disabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 1 +
src/providers/data_provider/dp.h | 5 ++
src/providers/data_provider/dp_resp_client.c | 93 ++++++++++++++++++++++++++++
3 files changed, 99 insertions(+)
create mode 100644 src/providers/data_provider/dp_resp_client.c
diff --git a/Makefile.am b/Makefile.am
index aa28a27f992f9a42b78d37d6de8fd8271c99afef..5cf496002ff54b8df1c0fdf29179a5b69e4b62c0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1464,6 +1464,7 @@ sssd_be_SOURCES = \
src/providers/data_provider/dp_iface_backend.c \
src/providers/data_provider/dp_iface_failover.c \
src/providers/data_provider/dp_client.c \
+ src/providers/data_provider/dp_resp_client.c \
src/providers/data_provider/dp_iface_generated.c \
src/providers/data_provider/dp_request.c \
src/providers/data_provider/dp_request_reply.c \
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
index 5b36baf3489be4cce463dfb42c65a0b7f7ece9ef..68db75521bd9d78eb6e7944746ea2054918e298d 100644
--- a/src/providers/data_provider/dp.h
+++ b/src/providers/data_provider/dp.h
@@ -161,4 +161,9 @@ bool dp_method_enabled(struct data_provider *provider,
void dp_terminate_domain_requests(struct data_provider *provider,
const char *domain);
+void dp_sbus_domain_active(struct data_provider *provider,
+ struct sss_domain_info *dom);
+void dp_sbus_domain_inconsistent(struct data_provider *provider,
+ struct sss_domain_info *dom);
+
#endif /* _DP_H_ */
diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
new file mode 100644
index 0000000000000000000000000000000000000000..3d386eac1cd779e2776e23745a18292c5ce835cd
--- /dev/null
+++ b/src/providers/data_provider/dp_resp_client.c
@@ -0,0 +1,93 @@
+/*
+ SSSD
+
+ Data Provider Responder client - DP calls responder interface
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "config.h"
+#include <talloc.h>
+#include <tevent.h>
+
+#include "confdb/confdb.h"
+#include "sbus/sssd_dbus.h"
+#include "providers/data_provider.h"
+#include "providers/data_provider/dp_private.h"
+#include "responder/common/iface/responder_iface.h"
+#include "src/responder/nss/nss_iface.h"
+
+static void send_msg_to_all_clients(struct data_provider *provider,
+ struct DBusMessage *msg)
+{
+ struct dp_client *cli;
+ int i;
+
+ for (i = 0; provider->clients[i] != NULL; i++) {
+ cli = provider->clients[i];
+ if (cli != NULL) {
+ sbus_conn_send_reply(dp_client_conn(cli), msg);
+ }
+ }
+}
+
+static void dp_sbus_set_domain_state(struct data_provider *provider,
+ struct sss_domain_info *dom,
+ enum sss_domain_state state)
+{
+ DBusMessage *msg;
+ const char *method = NULL;
+
+ switch (state) {
+ case DOM_ACTIVE:
+ DEBUG(SSSDBG_TRACE_FUNC, "Ordering responders to enable domain %s\n",
+ dom->name);
+ method = IFACE_RESPONDER_DOMAIN_SETACTIVE;
+ break;
+ case DOM_INCONSISTENT:
+ DEBUG(SSSDBG_TRACE_FUNC, "Ordering responders to disable domain %s\n",
+ dom->name);
+ method = IFACE_RESPONDER_DOMAIN_SETINCONSISTENT;
+ break;
+ default:
+ /* No other methods provided at the moment */
+ return;
+ }
+
+ sss_domain_set_state(dom, state);
+
+ msg = sbus_create_message(NULL, NULL, RESPONDER_PATH,
+ IFACE_RESPONDER_DOMAIN, method,
+ DBUS_TYPE_STRING, &dom->name);
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
+ return;
+ }
+
+ send_msg_to_all_clients(provider, msg);
+ dbus_message_unref(msg);
+ return;
+}
+
+void dp_sbus_domain_active(struct data_provider *provider,
+ struct sss_domain_info *dom)
+{
+ return dp_sbus_set_domain_state(provider, dom, DOM_ACTIVE);
+}
+
+void dp_sbus_domain_inconsistent(struct data_provider *provider,
+ struct sss_domain_info *dom)
+{
+ return dp_sbus_set_domain_state(provider, dom, DOM_INCONSISTENT);
+}
--
2.9.3

View File

@ -0,0 +1,122 @@
From af28fa659f7ffcd12ecf8bda64e79cf5dd225651 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 16 Nov 2016 17:00:57 +0100
Subject: [PATCH 45/79] DP: Add internal interface to reset negative cache from
DP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds a an interface that allows the Data Provider to notify responders
to drop their negative cache.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/data_provider/dp.h | 5 +++
src/providers/data_provider/dp_resp_client.c | 65 +++++++++++++++++++++++++++-
2 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
index 68db75521bd9d78eb6e7944746ea2054918e298d..79d02d469c5eb04d5e27b27af48b77f72d132416 100644
--- a/src/providers/data_provider/dp.h
+++ b/src/providers/data_provider/dp.h
@@ -166,4 +166,9 @@ void dp_sbus_domain_active(struct data_provider *provider,
void dp_sbus_domain_inconsistent(struct data_provider *provider,
struct sss_domain_info *dom);
+void dp_sbus_reset_users_ncache(struct data_provider *provider,
+ struct sss_domain_info *dom);
+void dp_sbus_reset_groups_ncache(struct data_provider *provider,
+ struct sss_domain_info *dom);
+
#endif /* _DP_H_ */
diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
index 3d386eac1cd779e2776e23745a18292c5ce835cd..6828610acce3771f2b628c877a1d463c3f635015 100644
--- a/src/providers/data_provider/dp_resp_client.c
+++ b/src/providers/data_provider/dp_resp_client.c
@@ -26,7 +26,23 @@
#include "providers/data_provider.h"
#include "providers/data_provider/dp_private.h"
#include "responder/common/iface/responder_iface.h"
-#include "src/responder/nss/nss_iface.h"
+#include "responder/nss/nss_iface.h"
+
+/* List of DP clients that deal with users or groups */
+/* FIXME - it would be much cleaner to implement sbus signals
+ * and let the responder subscribe to these messages rather than
+ * keep a list here..
+ * https://fedorahosted.org/sssd/ticket/2233
+ */
+static enum dp_clients user_clients[] = {
+ DPC_NSS,
+ DPC_PAM,
+ DPC_IFP,
+ DPC_PAC,
+ DPC_SUDO,
+
+ DP_CLIENT_SENTINEL
+};
static void send_msg_to_all_clients(struct data_provider *provider,
struct DBusMessage *msg)
@@ -42,6 +58,21 @@ static void send_msg_to_all_clients(struct data_provider *provider,
}
}
+static void send_msg_to_selected_clients(struct data_provider *provider,
+ struct DBusMessage *msg,
+ enum dp_clients *clients)
+{
+ struct dp_client *cli;
+ int i;
+
+ for (i = 0; clients[i] != DP_CLIENT_SENTINEL; i++) {
+ cli = provider->clients[clients[i]];
+ if (cli != NULL) {
+ sbus_conn_send_reply(dp_client_conn(cli), msg);
+ }
+ }
+}
+
static void dp_sbus_set_domain_state(struct data_provider *provider,
struct sss_domain_info *dom,
enum sss_domain_state state)
@@ -91,3 +122,35 @@ void dp_sbus_domain_inconsistent(struct data_provider *provider,
{
return dp_sbus_set_domain_state(provider, dom, DOM_INCONSISTENT);
}
+
+static void dp_sbus_reset_ncache(struct data_provider *provider,
+ struct sss_domain_info *dom,
+ const char *method)
+{
+ DBusMessage *msg;
+
+ msg = sbus_create_message(NULL, NULL, RESPONDER_PATH,
+ IFACE_RESPONDER_NCACHE, method);
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
+ return;
+ }
+
+ send_msg_to_selected_clients(provider, msg, user_clients);
+ dbus_message_unref(msg);
+ return;
+}
+
+void dp_sbus_reset_users_ncache(struct data_provider *provider,
+ struct sss_domain_info *dom)
+{
+ return dp_sbus_reset_ncache(provider, dom,
+ IFACE_RESPONDER_NCACHE_RESETUSERS);
+}
+
+void dp_sbus_reset_groups_ncache(struct data_provider *provider,
+ struct sss_domain_info *dom)
+{
+ return dp_sbus_reset_ncache(provider, dom,
+ IFACE_RESPONDER_NCACHE_RESETGROUPS);
+}
--
2.9.3

View File

@ -0,0 +1,77 @@
From 5007103e82f34e64a0ff3b278797b9fa42ba1dda Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 14 Feb 2017 20:37:58 +0100
Subject: [PATCH 46/79] DP: Add internal interface to invalidate memory cache
from DP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds an interfae to the Data Provider that allows the DP to notify the
NSS responder to invalidate its memory cache records.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/data_provider/dp.h | 4 ++++
src/providers/data_provider/dp_resp_client.c | 35 ++++++++++++++++++++++++++++
2 files changed, 39 insertions(+)
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
index 79d02d469c5eb04d5e27b27af48b77f72d132416..e80a6c3398784dfc176baeff2daf7203c52fc072 100644
--- a/src/providers/data_provider/dp.h
+++ b/src/providers/data_provider/dp.h
@@ -171,4 +171,8 @@ void dp_sbus_reset_users_ncache(struct data_provider *provider,
void dp_sbus_reset_groups_ncache(struct data_provider *provider,
struct sss_domain_info *dom);
+void dp_sbus_reset_users_memcache(struct data_provider *provider);
+void dp_sbus_reset_groups_memcache(struct data_provider *provider);
+void dp_sbus_reset_initgr_memcache(struct data_provider *provider);
+
#endif /* _DP_H_ */
diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
index 6828610acce3771f2b628c877a1d463c3f635015..5735188a603b16c35ad6e1050c06a685fdf7ed8d 100644
--- a/src/providers/data_provider/dp_resp_client.c
+++ b/src/providers/data_provider/dp_resp_client.c
@@ -154,3 +154,38 @@ void dp_sbus_reset_groups_ncache(struct data_provider *provider,
return dp_sbus_reset_ncache(provider, dom,
IFACE_RESPONDER_NCACHE_RESETGROUPS);
}
+
+static void dp_sbus_reset_memcache(struct data_provider *provider,
+ const char *method)
+{
+ DBusMessage *msg;
+
+ msg = sbus_create_message(NULL, NULL, NSS_MEMORYCACHE_PATH,
+ IFACE_NSS_MEMORYCACHE, method);
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
+ return;
+ }
+
+ send_msg_to_selected_clients(provider, msg, user_clients);
+ dbus_message_unref(msg);
+ return;
+}
+
+void dp_sbus_reset_users_memcache(struct data_provider *provider)
+{
+ return dp_sbus_reset_memcache(provider,
+ IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS);
+}
+
+void dp_sbus_reset_groups_memcache(struct data_provider *provider)
+{
+ return dp_sbus_reset_memcache(provider,
+ IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS);
+}
+
+void dp_sbus_reset_initgr_memcache(struct data_provider *provider)
+{
+ return dp_sbus_reset_memcache(provider,
+ IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS);
+}
--
2.9.3

View File

@ -0,0 +1,50 @@
From 2c61b6eee24d90b11f3d2cab7b9cd8690df29f34 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 2 Jan 2017 16:41:31 +0100
Subject: [PATCH 47/79] RESPONDER: Use the NEED_CHECK_DOMAIN macro
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is to avoid a needless round-trip between the responder and the
back end for domains that do not have a traditional back end such as
local or files.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/responder_dp.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index 11eb47ce1d41027f36998aba7b9fbca5fb4c7910..cfd12569a5068d0ffaa7fee5a35e12fe4512fb50 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -495,6 +495,12 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
goto error;
}
+ if (NEED_CHECK_PROVIDER(dom->provider) == false) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Domain %s does not check DP\n", dom->name);
+ ret = EOK;
+ goto error;
+ }
+
info = talloc_zero(state, struct sss_dp_account_info);
info->fast_reply = fast_reply;
info->type = type;
@@ -539,7 +545,11 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
return req;
error:
- tevent_req_error(req, ret);
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
tevent_req_post(req, rctx->ev);
return req;
}
--
2.9.3

View File

@ -0,0 +1,41 @@
From 26866484a985adbc7edf2e79a1e95b3bb6b8624c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 2 Dec 2016 17:51:54 +0100
Subject: [PATCH 48/79] RESPONDER: Include the files provider in
NEEDS_CHECK_PROVIDER
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It makes no sense to contact the Data Provider with the files provider
except when the files provider is updating itself.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/responder.h | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 748dec4301b4a018691d9b8c8fca0193d18167a5..3515f76d2bd0a553e7bf6b089b6d511255cf1e93 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -48,9 +48,14 @@ extern hash_table_t *dp_requests;
* So we set umask to 0111. */
#define SCKT_RSP_UMASK 0111
-/* if there is a provider other than the special local */
+/* Neither the local provider nor the files provider have a back
+ * end in the traditional sense and can always just consult
+ * the responder's cache
+ */
#define NEED_CHECK_PROVIDER(provider) \
- (provider != NULL && strcmp(provider, "local") != 0)
+ (provider != NULL && \
+ (strcmp(provider, "local") != 0 && \
+ strcmp(provider, "files") != 0))
/* needed until nsssrv.h is updated */
struct cli_request {
--
2.9.3

View File

@ -0,0 +1,132 @@
From 50c740cbc2bb27cbe488fa8587e2901b8b85cf87 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 10 Feb 2017 14:39:43 +0100
Subject: [PATCH 49/79] RESPONDER: Contact inconsistent domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/data_provider.h | 5 +++
src/responder/common/responder_dp.c | 74 +++++++++++++++++++++++++++++++++++--
2 files changed, 76 insertions(+), 3 deletions(-)
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 46d9910ddf9ef1c37da585bc33cf314341860332..5ccc0adbaffc6d50f128ae02fe6e5c77743f626b 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -229,6 +229,11 @@ int dp_get_sbus_address(TALLOC_CTX *mem_ctx,
char **address, const char *domain_name);
+/* Reserved filter name for request which waits until the files provider finishes mirroring
+ * the file content
+ */
+#define DP_REQ_OPT_FILES_INITGR "files_initgr_request"
+
/* Helpers */
#define NULL_STRING { .string = NULL }
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index cfd12569a5068d0ffaa7fee5a35e12fe4512fb50..080f70fd5945ffd234e0ef226d8139df071c4752 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -453,6 +453,12 @@ sss_dp_req_recv(TALLOC_CTX *mem_ctx,
*/
static DBusMessage *sss_dp_get_account_msg(void *pvt);
+static int sss_dp_account_files_params(struct sss_domain_info *dom,
+ enum sss_dp_acct_type type_in,
+ const char *opt_name_in,
+ enum sss_dp_acct_type *_type_out,
+ const char **_opt_name_out);
+
struct sss_dp_account_info {
struct sss_domain_info *dom;
@@ -496,9 +502,28 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
}
if (NEED_CHECK_PROVIDER(dom->provider) == false) {
- DEBUG(SSSDBG_TRACE_INTERNAL, "Domain %s does not check DP\n", dom->name);
- ret = EOK;
- goto error;
+ if (strcmp(dom->provider, "files") == 0) {
+ /* This is a special case. If the files provider is just being updated,
+ * we issue an enumeration request. We always use the same request type
+ * (user enumeration) to make sure concurrent requests are just chained
+ * in the Data Provider
+ */
+ ret = sss_dp_account_files_params(dom, type, opt_name,
+ &type, &opt_name);
+ if (ret == EOK) {
+ goto error;
+ } else if (ret != EAGAIN) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to set files provider update: %d: %s\n",
+ ret, sss_strerror(ret));
+ goto error;
+ }
+ /* EAGAIN, fall through to issuing the request */
+ } else {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Domain %s does not check DP\n", dom->name);
+ ret = EOK;
+ goto error;
+ }
}
info = talloc_zero(state, struct sss_dp_account_info);
@@ -554,6 +579,49 @@ error:
return req;
}
+static int sss_dp_account_files_params(struct sss_domain_info *dom,
+ enum sss_dp_acct_type type_in,
+ const char *opt_name_in,
+ enum sss_dp_acct_type *_type_out,
+ const char **_opt_name_out)
+{
+#if 0
+ if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
+ return EOK;
+ }
+#endif
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Domain files is not consistent, issuing update\n");
+
+ switch(type_in) {
+ case SSS_DP_USER:
+ case SSS_DP_GROUP:
+ *_type_out = type_in;
+ *_opt_name_out = NULL;
+ return EAGAIN;
+ case SSS_DP_INITGROUPS:
+ /* There is no initgroups enumeration so let's use a dummy
+ * name to let the DP chain the requests
+ */
+ *_type_out = type_in;
+ *_opt_name_out = DP_REQ_OPT_FILES_INITGR;
+ return EAGAIN;
+ /* These are not handled by the files provider, just fall back */
+ case SSS_DP_NETGR:
+ case SSS_DP_SERVICES:
+ case SSS_DP_SECID:
+ case SSS_DP_USER_AND_GROUP:
+ case SSS_DP_CERT:
+ case SSS_DP_WILDCARD_USER:
+ case SSS_DP_WILDCARD_GROUP:
+ return EOK;
+ }
+
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unhandled type %d\n", type_in);
+ return EINVAL;
+}
+
static DBusMessage *
sss_dp_get_account_msg(void *pvt)
{
--
2.9.3

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,42 @@
From 90a103d6050b266fd8fc8fd0636be32de5885dec Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 25 Oct 2016 16:15:06 +0200
Subject: [PATCH 51/79] CONFDB: Re-enable the files provider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The files provider was "blacklisted" for a long time, because very old
(pre-1.0) versions of sssd had the capability to create users and groups
by calling into the shadow-utils binaries directly which was later
removed.
Since nobody is (hopefully) running these ancient versions anymore and
we are about to re-enable the files provider, we can remove this check.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/confdb/confdb.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 69200f5cd4dded1c25dc34e06595809c65670205..b0a75867c61fa3af21990d92419f17baa34864ae 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -900,13 +900,6 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
- if (strcasecmp(domain->provider, "files") == 0) {
- /* The files provider is not valid anymore */
- DEBUG(SSSDBG_FATAL_FAILURE, "The \"files\" provider is invalid\n");
- ret = EINVAL;
- goto done;
- }
-
if (strcasecmp(domain->provider, "local") == 0) {
/* If this is the local provider, we need to ensure that
* no other provider was specified for other types, since
--
2.9.3

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,48 @@
From a60e6ec802cd2858dc85eabd442cff16fb23618f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 17 Nov 2016 15:42:03 +0100
Subject: [PATCH 53/79] CONFDB: The files provider always enumerates
Since the files provider always mirrors the whole passwd and group
contents, the files domain should always permit its contents to be
enumerated.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index b0a75867c61fa3af21990d92419f17baa34864ae..e52b96c8a854c0706515395dd86a61211d6ac2a6 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -828,6 +828,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
char *default_domain;
bool fqnames_default = false;
int memcache_timeout;
+ bool enum_default;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) return ENOMEM;
@@ -954,14 +955,17 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
"Interpreting as true\n", domain->name);
domain->enumerate = true;
} else { /* assume the new format */
+ enum_default = strcasecmp(domain->provider, "files") == 0 ? true : false;
+
ret = get_entry_as_bool(res->msgs[0], &domain->enumerate,
- CONFDB_DOMAIN_ENUMERATE, 0);
+ CONFDB_DOMAIN_ENUMERATE, enum_default);
if(ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Invalid value for %s\n", CONFDB_DOMAIN_ENUMERATE);
goto done;
}
}
+
if (!domain->enumerate) {
DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]!\n", domain->name);
}
--
2.9.3

View File

@ -0,0 +1,147 @@
From c778c36c5170c2b9f1cf7a6e3b0811124534df03 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 21 Nov 2016 12:10:46 +0100
Subject: [PATCH 54/79] CONFDB: Make pwfield configurable per-domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously, the pwfield option was only configurable at the NSS level.
Because it's important for the files provider to report "x" as the
pwfield instead of "*" which is the SSSD default, this commit makes the
pwfield configurable at the domain level.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/confdb/confdb.c | 10 ++++++++++
src/confdb/confdb.h | 1 +
src/responder/nss/nss_private.h | 4 ++++
src/responder/nss/nss_protocol_grent.c | 6 +++---
src/responder/nss/nss_protocol_pwent.c | 6 +++---
src/responder/nss/nss_utils.c | 12 ++++++++++++
6 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index e52b96c8a854c0706515395dd86a61211d6ac2a6..5112c6d568cbe2d7374b19d4a0850172d6f3f400 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1325,6 +1325,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_NSS_PWFIELD, NULL);
+ if (tmp != NULL) {
+ domain->pwfield = talloc_strdup(domain, tmp);
+ if (!domain->pwfield) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
CONFDB_SUBDOMAIN_ENUMERATE,
CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE);
if (tmp != NULL) {
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 7c944698157619652441fb0722a4363053d6a8f3..353dfd0a9afbcaba49fcfdc7930026bb2eebfc9e 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -270,6 +270,7 @@ struct sss_domain_info {
bool ignore_group_members;
uint32_t id_min;
uint32_t id_max;
+ const char *pwfield;
bool cache_credentials;
uint32_t cache_credentials_min_ff_length;
diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
index e63fbabc8cdfd97742fb517aa60292d4fad4a0ed..acb3c4aa504e538ca56dca8d43ee04b0f60954a9 100644
--- a/src/responder/nss/nss_private.h
+++ b/src/responder/nss/nss_private.h
@@ -151,4 +151,8 @@ int sized_member_name(TALLOC_CTX *mem_ctx,
const char *member_name,
struct sized_string **_name);
+const char *
+nss_get_pwfield(struct nss_ctx *nctx,
+ struct sss_domain_info *dom);
+
#endif /* _NSS_PRIVATE_H_ */
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 7409e0458c0e7c886ac6d523d10d5c90a2038ea9..283ab9f6731bc4c8261ca79075ab030005bf70db 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -219,9 +219,6 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
return ENOMEM;
}
- /* Password field content. */
- to_sized_string(&pwfield, nss_ctx->pwfield);
-
/* First two fields (length and reserved), filled up later. */
ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
if (ret != EOK) {
@@ -235,6 +232,9 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
talloc_free_children(tmp_ctx);
msg = result->msgs[i];
+ /* Password field content. */
+ to_sized_string(&pwfield, nss_get_pwfield(nss_ctx, result->domain));
+
ret = nss_get_grent(tmp_ctx, nss_ctx, result->domain, msg,
&gid, &name);
if (ret != EOK) {
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index 783b06a32f0ff898021ea763d3d3fa0fabf43b25..edda9d3c87389898435a34fe7927868bc1cd9ac5 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -287,9 +287,6 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
return ENOMEM;
}
- /* Password field content. */
- to_sized_string(&pwfield, nss_ctx->pwfield);
-
/* First two fields (length and reserved), filled up later. */
ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
if (ret != EOK) {
@@ -303,6 +300,9 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
talloc_free_children(tmp_ctx);
msg = result->msgs[i];
+ /* Password field content. */
+ to_sized_string(&pwfield, nss_get_pwfield(nss_ctx, result->domain));
+
ret = nss_get_pwent(tmp_ctx, nss_ctx, result->domain, msg, &uid, &gid,
&name, &gecos, &homedir, &shell);
if (ret != EOK) {
diff --git a/src/responder/nss/nss_utils.c b/src/responder/nss/nss_utils.c
index 41081c914e3f4dad31a7b8bf7614a5fd2eb61d7a..f839930a275db56e8d729888af870562d7b6f260 100644
--- a/src/responder/nss/nss_utils.c
+++ b/src/responder/nss/nss_utils.c
@@ -24,6 +24,7 @@
#include "util/util.h"
#include "confdb/confdb.h"
#include "responder/common/responder.h"
+#include "responder/nss/nss_private.h"
const char *
nss_get_name_from_msg(struct sss_domain_info *domain,
@@ -138,3 +139,14 @@ done:
talloc_free(tmp_ctx);
return ret;
}
+
+const char *
+nss_get_pwfield(struct nss_ctx *nctx,
+ struct sss_domain_info *dom)
+{
+ if (dom->pwfield != NULL) {
+ return dom->pwfield;
+ }
+
+ return nctx->pwfield;
+}
--
2.9.3

View File

@ -0,0 +1,38 @@
From ece2ac6889da2b58f5d4027ec0a1d97992056f66 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 21 Nov 2016 12:11:39 +0100
Subject: [PATCH 55/79] CONFDB: The files domain defaults to "x" as pwfield
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In order to make it possible for files provider users to authenticate
with pam_unix, default to "x" as the pwfield of users from the files
domain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/confdb/confdb.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 5112c6d568cbe2d7374b19d4a0850172d6f3f400..c7afd683d7f21b513bb491adbf7f7bbe79786212 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -966,6 +966,13 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
}
}
+ if (strcasecmp(domain->provider, "files") == 0) {
+ /* The password field must be reported as 'x', else pam_unix won't
+ * authenticate this entry. See man pwconv(8) for more details.
+ */
+ domain->pwfield = "x";
+ }
+
if (!domain->enumerate) {
DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]!\n", domain->name);
}
--
2.9.3

View File

@ -0,0 +1,47 @@
From 26577ac05dc33c201c15164bcf19f45393beeca5 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 21 Nov 2016 13:12:11 +0100
Subject: [PATCH 56/79] MAN: Document the pwfield configuration option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The pwfield was not documented at all previously. In addition, document
the different defaults for remote provider and the file provider.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/man/sssd.conf.5.xml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index cb608cb0ac06185118e3c9f01d785b83236f8abb..782aef7bf62d9bcef3c3dab534a25e01d85c1764 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -936,6 +936,23 @@ fallback_homedir = /home/%u
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pwfield (string)</term>
+ <listitem>
+ <para>
+ The value that NSS operations that return
+ users or groups will return for the
+ <quote>password</quote> field.
+ </para>
+ <para>
+ This option can also be set per-domain.
+ </para>
+ <para>
+ Default: <quote>*</quote> (remote domains)
+ or <quote>x</quote> (the files domain)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
<refsect2 id='PAM'>
--
2.9.3

View File

@ -0,0 +1,95 @@
From 4e17c050dac8f2c6e2d278c4c4a27001c8d7d164 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 17 Nov 2016 15:43:54 +0100
Subject: [PATCH 57/79] TESTS: move helper fixtures to back up and restore a
file to a utility module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The fixtures will be useful for tests that set up and restore a user and
group database. While it would be possible to import them already, the
functions were previously used in a test and importing from a test seems
a bit like a hack.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/tests/intg/Makefile.am | 1 +
src/tests/intg/ent_test.py | 14 --------------
src/tests/intg/util.py | 14 ++++++++++++++
3 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index e81e5ee950d1a1e50ff478a34ae29853a9783c8b..90e0f308043aa89da5afc0fd353f7d373ac6425f 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -1,5 +1,6 @@
dist_noinst_DATA = \
config.py.m4 \
+ util.py \
sssd_id.py \
sssd_ldb.py \
sssd_netgroup.py \
diff --git a/src/tests/intg/ent_test.py b/src/tests/intg/ent_test.py
index 598930324a41ad9ff473e94e7f2deb302e1bc942..6b240ae9682331be7f4485a1ac81fad4cebde5e6 100644
--- a/src/tests/intg/ent_test.py
+++ b/src/tests/intg/ent_test.py
@@ -19,25 +19,11 @@
import re
import os
import io
-import shutil
import pytest
import ent
from util import *
-def backup_envvar_file(name):
- path = os.environ[name]
- backup_path = path + ".bak"
- shutil.copyfile(path, backup_path)
- return path
-
-
-def restore_envvar_file(name):
- path = os.environ[name]
- backup_path = path + ".bak"
- os.rename(backup_path, path)
-
-
@pytest.fixture(scope="module")
def passwd_path(request):
name = "NSS_WRAPPER_PASSWD"
diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py
index 66ec0baa1aea4f8f9a3210d33640f087c80c6862..2b40311bd1560e05f3aafb34136a1b0efc8a1b49 100644
--- a/src/tests/intg/util.py
+++ b/src/tests/intg/util.py
@@ -21,6 +21,7 @@ import re
import os
import subprocess
import config
+import shutil
UNINDENT_RE = re.compile("^ +", re.MULTILINE)
@@ -64,3 +65,16 @@ def first_dir(*args):
for arg in args:
if os.path.isdir(arg):
return arg
+
+
+def backup_envvar_file(name):
+ path = os.environ[name]
+ backup_path = path + ".bak"
+ shutil.copyfile(path, backup_path)
+ return path
+
+
+def restore_envvar_file(name):
+ path = os.environ[name]
+ backup_path = path + ".bak"
+ os.rename(backup_path, path)
--
2.9.3

View File

@ -0,0 +1,186 @@
From 1921d739ff7b028baa591272cc8969e330c8f872 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 17 Nov 2016 15:46:00 +0100
Subject: [PATCH 58/79] TESTS: add a helper module with shared NSS constants
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Every module that reads the sssd_nss module directly copied around the
same definition of NSS constants. This commit moves them into a single
file to avoid code duplication.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/tests/intg/Makefile.am | 1 +
src/tests/intg/sssd_id.py | 14 ++-----------
src/tests/intg/sssd_netgroup.py | 25 ++++------------------
src/tests/intg/sssd_nss.py | 46 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 53 insertions(+), 33 deletions(-)
create mode 100644 src/tests/intg/sssd_nss.py
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 90e0f308043aa89da5afc0fd353f7d373ac6425f..4d364f84a39cd75507c29e8f70d8d8a4881a8063 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -1,6 +1,7 @@
dist_noinst_DATA = \
config.py.m4 \
util.py \
+ sssd_nss.py \
sssd_id.py \
sssd_ldb.py \
sssd_netgroup.py \
diff --git a/src/tests/intg/sssd_id.py b/src/tests/intg/sssd_id.py
index 4f020c3a229c1288935ce120cf1118735e2ae0eb..f4ab9cfb8c0cd3fcf3a0195fd62696ae7d892d61 100644
--- a/src/tests/intg/sssd_id.py
+++ b/src/tests/intg/sssd_id.py
@@ -21,15 +21,7 @@ import pwd
import grp
from ctypes import (cdll, c_int, c_char, c_uint32, c_long, c_char_p,
POINTER, pointer)
-
-
-class NssReturnCode(object):
- """ 'enum' class for name service switch return code """
- TRYAGAIN = -2,
- UNAVAIL = -1
- NOTFOUND = 0
- SUCCESS = 1
- RETURN = 2
+from sssd_nss import NssReturnCode, nss_sss_ctypes_loader
def call_sssd_initgroups(user, gid):
@@ -45,10 +37,8 @@ def call_sssd_initgroups(user, gid):
gids should contain user group IDs if err is NssReturnCode.SUCCESS
otherwise errno will contain non-zero value.
"""
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
+ func = nss_sss_ctypes_loader('_nss_sss_initgroups_dyn')
- func = libnss_sss._nss_sss_initgroups_dyn
func.restype = c_int
func.argtypes = [POINTER(c_char), c_uint32, POINTER(c_long),
POINTER(c_long), POINTER(POINTER(c_uint32)), c_long,
diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
index 0ea3db3cf69be04a1eda6afb455e4d0a3b301f1b..162c5aac86beb2b3625ccb695da7033e6483341e 100644
--- a/src/tests/intg/sssd_netgroup.py
+++ b/src/tests/intg/sssd_netgroup.py
@@ -19,6 +19,7 @@
from ctypes import (cdll, c_int, c_char, c_char_p, c_size_t, c_void_p, c_ulong,
POINTER, Structure, Union, create_string_buffer, get_errno)
import config
+from sssd_nss import NssReturnCode, nss_sss_ctypes_loader
class NetgroupType(object):
@@ -50,15 +51,6 @@ NameList._fields_ = [("next", POINTER(NameList)),
("name", POINTER(c_char))]
-class NssReturnCode(object):
- """ 'enum' class for name service switch return code """
- TRYAGAIN = -2,
- UNAVAIL = -1
- NOTFOUND = 0
- SUCCESS = 1
- RETURN = 2
-
-
class Netgrent(Structure):
_fields_ = [("type", c_int),
("val", Val),
@@ -92,10 +84,7 @@ class NetgroupRetriever(object):
result_p will contain POINTER(Netgrent) which can be used in
_getnetgrent_r or _getnetgrent_r.
"""
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
-
- func = libnss_sss._nss_sss_setnetgrent
+ func = nss_sss_ctypes_loader('_nss_sss_setnetgrent')
func.restype = c_int
func.argtypes = [c_char_p, POINTER(Netgrent)]
@@ -123,10 +112,7 @@ class NetgroupRetriever(object):
if err is NssReturnCode.SUCCESS netgroups will contain list of
touples. Each touple will consist of 3 elemets either string or
"""
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
-
- func = libnss_sss._nss_sss_getnetgrent_r
+ func = nss_sss_ctypes_loader('_nss_sss_getnetgrent_r')
func.restype = c_int
func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t,
POINTER(c_int)]
@@ -148,10 +134,7 @@ class NetgroupRetriever(object):
@return int a constant from class NssReturnCode
"""
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
-
- func = libnss_sss._nss_sss_endnetgrent
+ func = nss_sss_ctypes_loader('_nss_sss_endnetgrent')
func.restype = c_int
func.argtypes = [POINTER(Netgrent)]
diff --git a/src/tests/intg/sssd_nss.py b/src/tests/intg/sssd_nss.py
new file mode 100644
index 0000000000000000000000000000000000000000..1e846310bca4dc314c47882cc5e7877002c3d78f
--- /dev/null
+++ b/src/tests/intg/sssd_nss.py
@@ -0,0 +1,46 @@
+#
+# Shared module for integration tests that need to access the sssd_nss
+# module directly
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+import config
+import ctypes
+
+
+class NssReturnCode(object):
+ """ 'enum' class for name service switch return code """
+ TRYAGAIN = -2,
+ UNAVAIL = -1
+ NOTFOUND = 0
+ SUCCESS = 1
+ RETURN = 2
+
+
+class SssdNssError(Exception):
+ """ Raised when one of the NSS operations fail """
+ def __init__(self, errno, nssop):
+ self.errno = errno
+ self.nssop = nssop
+
+ def __str__(self):
+ return "NSS operation %s failed %d" % (nssop, errno)
+
+
+def nss_sss_ctypes_loader(func_name):
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
+ libnss_sss = ctypes.cdll.LoadLibrary(libnss_sss_path)
+ func = getattr(libnss_sss, func_name)
+ return func
--
2.9.3

View File

@ -0,0 +1,207 @@
From 8578fba1500d43ad9632784462c255bf8bb360fe Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 25 Oct 2016 16:26:24 +0200
Subject: [PATCH 59/79] TESTS: Add a module to call nss_sss's getpw* from tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Implements a python module that allows to load the nss_sss module and
simulate calling getpw* functions from tests.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/tests/intg/Makefile.am | 1 +
src/tests/intg/sssd_passwd.py | 167 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 168 insertions(+)
create mode 100644 src/tests/intg/sssd_passwd.py
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 4d364f84a39cd75507c29e8f70d8d8a4881a8063..6cd23967fd02261d516a749da0ef3d66432d0701 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -5,6 +5,7 @@ dist_noinst_DATA = \
sssd_id.py \
sssd_ldb.py \
sssd_netgroup.py \
+ sssd_passwd.py \
ds.py \
ds_openldap.py \
ent.py \
diff --git a/src/tests/intg/sssd_passwd.py b/src/tests/intg/sssd_passwd.py
new file mode 100644
index 0000000000000000000000000000000000000000..8b741ea8c27efe2081ee200e6af02c322c5d53bc
--- /dev/null
+++ b/src/tests/intg/sssd_passwd.py
@@ -0,0 +1,167 @@
+#
+# Module for simulation of utility "getent passwd -s sss" from coreutils
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ctypes import (c_int, c_char_p, c_ulong, POINTER,
+ Structure, create_string_buffer, get_errno)
+from sssd_nss import NssReturnCode, SssdNssError, nss_sss_ctypes_loader
+
+PASSWD_BUFLEN = 1024
+
+
+class Passwd(Structure):
+ _fields_ = [("pw_name", c_char_p),
+ ("pw_passwd", c_char_p),
+ ("pw_uid", c_int),
+ ("pw_gid", c_int),
+ ("pw_gecos", c_char_p),
+ ("pw_dir", c_char_p),
+ ("pw_shell", c_char_p)]
+
+
+def set_user_dict(res, result_p):
+ if res != NssReturnCode.SUCCESS:
+ return dict()
+
+ user_dict = dict()
+ user_dict['name'] = result_p[0].pw_name
+ user_dict['passwd'] = result_p[0].pw_passwd
+ user_dict['uid'] = result_p[0].pw_uid
+ user_dict['gid'] = result_p[0].pw_gid
+ user_dict['gecos'] = result_p[0].pw_gecos
+ user_dict['dir'] = result_p[0].pw_dir
+ user_dict['shell'] = result_p[0].pw_shell
+ return user_dict
+
+
+def getpwnam_r(name, result_p, buffer_p, buflen):
+ """
+ ctypes wrapper for:
+ enum nss_status _nss_sss_getpwnam_r(const char *name,
+ struct passwd *result,
+ char *buffer,
+ size_t buflen,
+ int *errnop)
+ """
+ func = nss_sss_ctypes_loader("_nss_sss_getpwnam_r")
+ func.restype = c_int
+ func.argtypes = [c_char_p, POINTER(Passwd),
+ c_char_p, c_ulong, POINTER(c_int)]
+
+ errno = POINTER(c_int)(c_int(0))
+
+ res = func(c_char_p(name), result_p, buffer_p, buflen, errno)
+
+ return (int(res), int(errno[0]), result_p)
+
+
+def setpwent():
+ """
+ ctypes wrapper for:
+ void setpwent(void)
+ """
+ func = nss_sss_ctypes_loader("_nss_sss_setpwent")
+ func.argtypes = []
+
+ res = func()
+ assert res == NssReturnCode.SUCCESS
+
+ errno = get_errno()
+ if errno != 0:
+ raise SssdNssError(errno, "setpwent")
+
+
+def endpwent():
+ """
+ ctypes wrapper for:
+ void endpwent(void)
+ """
+ func = nss_sss_ctypes_loader("_nss_sss_endpwent")
+ func.argtypes = []
+
+ res = func()
+ assert res == NssReturnCode.SUCCESS
+
+ errno = get_errno()
+ if errno != 0:
+ raise SssdNssError(errno, "endpwent")
+
+
+def getpwent_r(result_p, buffer_p, buflen):
+ """
+ ctypes wrapper for:
+ enum nss_status _nss_sss_getpwent_r(struct passwd *result,
+ char *buffer, size_t buflen,
+ int *errnop)
+ """
+ func = nss_sss_ctypes_loader("_nss_sss_getpwent_r")
+ func.restype = c_int
+ func.argtypes = [POINTER(Passwd), c_char_p, c_ulong, POINTER(c_int)]
+
+ errno = POINTER(c_int)(c_int(0))
+
+ res = func(result_p, buffer_p, buflen, errno)
+ return (int(res), int(errno[0]), result_p)
+
+
+def getpwent():
+ result = Passwd()
+ result_p = POINTER(Passwd)(result)
+ buff = create_string_buffer(PASSWD_BUFLEN)
+
+ res, errno, result_p = getpwent_r(result_p, buff, PASSWD_BUFLEN)
+ if errno != 0:
+ raise SssdNssError(errno, "getpwent_r")
+
+ user_dict = set_user_dict(res, result_p)
+ return res, user_dict
+
+
+def call_sssd_getpwnam(name):
+ """
+ A Python wrapper to retrieve a user. Returns:
+ (res, user_dict)
+ if res is NssReturnCode.SUCCESS, then user_dict contains the keys
+ corresponding to the C passwd structure fields. Otherwise, the dictionary
+ is empty and errno indicates the error code
+ """
+ result = Passwd()
+ result_p = POINTER(Passwd)(result)
+ buff = create_string_buffer(PASSWD_BUFLEN)
+
+ res, errno, result_p = getpwnam_r(name, result_p, buff, PASSWD_BUFLEN)
+ if errno != 0:
+ raise SssdNssError(errno, "getpwnam_r")
+
+ user_dict = set_user_dict(res, result_p)
+ return res, user_dict
+
+
+def call_sssd_enumeration():
+ """
+ enumerate users from sssd module only
+ """
+ setpwent()
+ user_list = []
+
+ res, user = getpwent()
+ while res == NssReturnCode.SUCCESS:
+ user_list.append(user)
+ res, user = getpwent()
+
+ endpwent()
+ return user_list
--
2.9.3

View File

@ -0,0 +1,128 @@
From 3728db53ac32da51fcaae96b132e8e56ebbaebfa Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 16 Nov 2016 17:02:43 +0100
Subject: [PATCH 60/79] TESTS: Add a module to call nss_sss's getgr* from tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Implements a python module that allows to load the nss_sss module and
call functions that act like getgr*
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/tests/intg/Makefile.am | 1 +
src/tests/intg/sssd_group.py | 88 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 89 insertions(+)
create mode 100644 src/tests/intg/sssd_group.py
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 6cd23967fd02261d516a749da0ef3d66432d0701..03245b35d37e81f44fcc708de16541bd52ceb854 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -6,6 +6,7 @@ dist_noinst_DATA = \
sssd_ldb.py \
sssd_netgroup.py \
sssd_passwd.py \
+ sssd_group.py \
ds.py \
ds_openldap.py \
ent.py \
diff --git a/src/tests/intg/sssd_group.py b/src/tests/intg/sssd_group.py
new file mode 100644
index 0000000000000000000000000000000000000000..a9cfb32d59a5406fb1ad738d64c7487404f39a2d
--- /dev/null
+++ b/src/tests/intg/sssd_group.py
@@ -0,0 +1,88 @@
+#
+# Module for simulation of utility "getent group -s sss" from coreutils
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from ctypes import (c_int, c_char_p, c_ulong, POINTER, Structure,
+ create_string_buffer)
+from sssd_nss import NssReturnCode, SssdNssError, nss_sss_ctypes_loader
+
+GROUP_BUFLEN = 1024
+
+
+class Group(Structure):
+ _fields_ = [("gr_name", c_char_p),
+ ("gr_passwd", c_char_p),
+ ("gr_gid", c_int),
+ ("gr_mem", POINTER(c_char_p))]
+
+
+def getgrnam_r(name, result_p, buffer_p, buflen):
+ """
+ ctypes wrapper for:
+ enum nss_status _nss_sss_getgrnam_r(const char *name,
+ struct group *result,
+ char *buffer,
+ size_t buflen,
+ int *errnop)
+ """
+ func = nss_sss_ctypes_loader("_nss_sss_getgrnam_r")
+ func.restype = c_int
+ func.argtypes = [c_char_p, POINTER(Group),
+ c_char_p, c_ulong, POINTER(c_int)]
+
+ errno = POINTER(c_int)(c_int(0))
+
+ res = func(c_char_p(name), result_p, buffer_p, buflen, errno)
+
+ return (int(res), int(errno[0]), result_p)
+
+
+def set_group_dict(res, result_p):
+ if res != NssReturnCode.SUCCESS:
+ return dict()
+
+ group_dict = dict()
+ group_dict['name'] = result_p[0].gr_name
+ group_dict['gid'] = result_p[0].gr_gid
+ group_dict['mem'] = list()
+
+ i = 0
+ while result_p[0].gr_mem[i] != None:
+ group_dict['mem'].append(result_p[0].gr_mem[i])
+ i = i+1
+
+ return group_dict
+
+
+def call_sssd_getgrnam(name):
+ """
+ A Python wrapper to retrieve a group. Returns:
+ (res, group_dict)
+ if res is NssReturnCode.SUCCESS, then group_dict contains the keys
+ corresponding to the C passwd structure fields. Otherwise, the dictionary
+ is empty and errno indicates the error code
+ """
+ result = Group()
+ result_p = POINTER(Group)(result)
+ buff = create_string_buffer(GROUP_BUFLEN)
+
+ res, errno, result_p = getgrnam_r(name, result_p, buff, GROUP_BUFLEN)
+ if errno != 0:
+ raise SssdNssError(errno, "getgrnam_r")
+
+ group_dict = set_group_dict(res, result_p)
+ return res, group_dict
--
2.9.3

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,44 @@
From f9f1310ba1b87223f8d4d935b30b8238e5c00022 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 22 Nov 2016 17:47:51 +0100
Subject: [PATCH 62/79] MONITOR: Remove checks for sssd.conf changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This feature was if-ed out for many years and since it's quite unlikely
we will re-enable the feature in the foreseeable future, let's just
remove this code.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/monitor/monitor.c | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 1fa3d4baf579f15b9f93355a4b0c8b9d706bbacf..71719917b1b01acfb0eba527c414fe72d1961080 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2296,19 +2296,6 @@ static int monitor_process_init(struct mt_ctx *ctx,
ret = sss_sigchld_init(ctx, ctx->ev, &ctx->sigchld_ctx);
if (ret != EOK) return ret;
-#if 0
- This feature is incomplete and can leave the SSSD in a bad state if the
- config file is changed while the SSSD is running.
-
- Uncomment this once the backends are honoring reloadConfig()
-
- /* Watch for changes to the confdb config file */
- ret = monitor_config_file(ctx, ctx, config_file, monitor_signal_reconf,
- true);
- if (ret != EOK) {
- return ret;
- }
-#endif
/* Watch for changes to the DNS resolv.conf */
ret = monitor_config_file(ctx, ctx, RESOLV_CONF_PATH,
monitor_update_resolv, false);
--
2.9.3

View File

@ -0,0 +1,700 @@
From ee6c7e8b589497119ec1ee40e99611f362111600 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 22 Nov 2016 18:02:35 +0100
Subject: [PATCH 63/79] MONITOR: Use the common inotify code to watch
resolv.conf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The monitor code used its own inotify callbacks to watch for changes to
resolv.conf. Instead of keeping this duplicated code around, let's use
the shared inotify module that also powers the files provider.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 1 +
src/monitor/monitor.c | 481 ++++++++++++--------------------------------------
src/monitor/monitor.h | 3 -
3 files changed, 114 insertions(+), 371 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index e6d3530d003fff9e92ff6520043f6906d4200bd7..e676e18415c9d20ffd5ba2ce825dddd62d50c909 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1279,6 +1279,7 @@ sssd_SOURCES = \
src/confdb/confdb_setup.c \
src/monitor/monitor_iface_generated.c \
src/util/nscd.c \
+ src/util/inotify.c \
$(NULL)
sssd_LDADD = \
$(SSSD_LIBS) \
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 71719917b1b01acfb0eba527c414fe72d1961080..bc7402103d8024391d2ee27f48b28247ff9cd49c 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -50,6 +50,7 @@
#include "sbus/sssd_dbus.h"
#include "monitor/monitor_interfaces.h"
#include "responder/common/responder_sbus.h"
+#include "util/inotify.h"
#ifdef USE_KEYRING
#include <keyutils.h>
@@ -125,9 +126,11 @@ struct mt_svc {
struct sss_child_ctx *child_ctx;
};
+typedef int (*monitor_reconf_fn)(struct config_file_ctx *file_ctx,
+ const char *filename);
+
struct config_file_callback {
int wd;
- int retries;
monitor_reconf_fn fn;
char *filename;
time_t modified;
@@ -136,11 +139,18 @@ struct config_file_callback {
};
struct config_file_ctx {
- TALLOC_CTX *parent_ctx;
- struct tevent_timer *timer;
- bool needs_update;
+ struct config_file_inotify_check {
+ struct snotify_ctx *snctx;
+ } inotify_check;
+
+ struct config_file_poll_check {
+ TALLOC_CTX *parent_ctx;
+ struct tevent_timer *timer;
+ struct config_file_callback *callbacks;
+ } poll_check;
+
+ monitor_reconf_fn fn;
struct mt_ctx *mt_ctx;
- struct config_file_callback *callbacks;
};
struct mt_ctx {
@@ -153,7 +163,6 @@ struct mt_ctx {
struct mt_svc *svc_list;
struct sbus_connection *sbus_srv;
struct config_file_ctx *file_ctx;
- int inotify_fd;
int service_id_timeout;
bool check_children;
bool services_started;
@@ -712,19 +721,23 @@ static void reload_reply(DBusPendingCall *pending, void *data)
static int service_signal_dns_reload(struct mt_svc *svc);
static int monitor_update_resolv(struct config_file_ctx *file_ctx,
- const char *filename)
+ const char *filename)
{
int ret;
struct mt_svc *cur_svc;
- DEBUG(SSSDBG_OP_FAILURE, "Resolv.conf has been updated. Reloading.\n");
+ struct mt_ctx *mt_ctx;
+
+ mt_ctx = file_ctx->mt_ctx;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Resolv.conf has been updated. Reloading.\n");
ret = res_init();
- if(ret != 0) {
+ if (ret != 0) {
return EIO;
}
/* Signal all services to reload their DNS configuration */
- for(cur_svc = file_ctx->mt_ctx->svc_list; cur_svc; cur_svc = cur_svc->next) {
+ for (cur_svc = mt_ctx->svc_list; cur_svc; cur_svc = cur_svc->next) {
service_signal_dns_reload(cur_svc);
}
return EOK;
@@ -1716,258 +1729,52 @@ done:
return ret;
}
-static errno_t monitor_config_file_fallback(TALLOC_CTX *mem_ctx,
- struct mt_ctx *ctx,
- const char *file,
- monitor_reconf_fn fn,
- bool ignore_missing);
+static void poll_config_file(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t, void *ptr);
+static errno_t monitor_config_file_fallback(TALLOC_CTX *parent_ctx,
+ struct config_file_ctx *file_ctx,
+ const char *file);
-#ifdef HAVE_INOTIFY
-static void process_config_file(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval t, void *ptr);
-
-static void config_file_changed(struct tevent_context *ev,
- struct tevent_fd *fde,
- uint16_t flags, void *data)
+static errno_t create_poll_timer(struct config_file_ctx *file_ctx)
{
- struct tevent_timer *te = NULL;
struct timeval tv;
- struct config_file_ctx *file_ctx;
- file_ctx = talloc_get_type(data, struct config_file_ctx);
- if (file_ctx->needs_update) {
- /* Skip updating. It's already queued for update.
- */
- return;
- }
-
- /* We will queue the file for update in one second.
- * This way, if there is a script writing to the file
- * repeatedly, we won't be attempting to update multiple
- * times.
- */
gettimeofday(&tv, NULL);
- tv.tv_sec += 1;
+ tv.tv_sec += CONFIG_FILE_POLL_INTERVAL;
+ tv.tv_usec = 0;
- te = tevent_add_timer(ev, ev, tv, process_config_file, file_ctx);
- if (!te) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Unable to queue config file update! Exiting.\n");
- kill(getpid(), SIGTERM);
- return;
+ file_ctx->poll_check.timer = tevent_add_timer(file_ctx->mt_ctx->ev,
+ file_ctx->poll_check.parent_ctx,
+ tv,
+ poll_config_file,
+ file_ctx);
+ if (!file_ctx->poll_check.timer) {
+ talloc_free(file_ctx);
+ return EIO;
}
- file_ctx->needs_update = 1;
+
+ return EOK;
}
-struct rewatch_ctx {
- struct config_file_callback *cb;
- struct config_file_ctx *file_ctx;
-};
-static void rewatch_config_file(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval t, void *ptr);
-static void process_config_file(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval t, void *ptr)
+static void poll_config_file(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t, void *ptr)
{
- TALLOC_CTX *tmp_ctx;
- struct inotify_event *in_event;
- char *name;
- ssize_t len;
+ int ret, err;
+ struct stat file_stat;
struct config_file_ctx *file_ctx;
struct config_file_callback *cb;
- struct rewatch_ctx *rw_ctx;
- errno_t ret;
file_ctx = talloc_get_type(ptr, struct config_file_ctx);
- DEBUG(SSSDBG_CRIT_FAILURE, "Processing config file changes\n");
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) return;
-
- in_event = talloc(tmp_ctx, struct inotify_event);
- if (!in_event) {
- goto done;
- }
-
- errno = 0;
- len = sss_atomic_read_s(file_ctx->mt_ctx->inotify_fd, in_event,
- sizeof(struct inotify_event));
- if (len == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Critical error reading inotify file descriptor [%d]: %s\n",
- ret, strerror(ret));
- goto done;
- }
-
- if (in_event->len > 0) {
- /* Read in the name, even though we don't use it,
- * so that read ptr is in the right place
- */
- name = talloc_size(tmp_ctx, in_event->len);
- if (!name) {
- goto done;
- }
-
- errno = 0;
- len = sss_atomic_read_s(file_ctx->mt_ctx->inotify_fd, name, in_event->len);
- if (len == -1) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Critical error reading inotify file descriptor [%d]: %s\n",
- ret, strerror(ret));
- goto done;
- }
- }
-
- for (cb = file_ctx->callbacks; cb; cb = cb->next) {
- if (cb->wd == in_event->wd) {
- break;
- }
- }
- if (!cb) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Unknown watch descriptor\n");
- goto done;
- }
-
- if (in_event->mask & IN_IGNORED) {
- /* Some text editors will move a new file on top of the
- * existing one instead of modifying it. In this case,
- * the kernel will send us an IN_IGNORE signal.
- * We will try to open a new watch descriptor on the
- * new file.
- */
- struct timeval tv;
- struct tevent_timer *tev;
- tv.tv_sec = t.tv_sec+5;
- tv.tv_usec = t.tv_usec;
- DEBUG(SSSDBG_FUNC_DATA, "Restoring inotify watch.\n");
-
- cb->retries = 0;
- rw_ctx = talloc(file_ctx, struct rewatch_ctx);
- if(!rw_ctx) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not restore inotify watch. Quitting!\n");
- close(file_ctx->mt_ctx->inotify_fd);
- kill(getpid(), SIGTERM);
- goto done;
- }
- rw_ctx->cb = cb;
- rw_ctx->file_ctx = file_ctx;
-
- tev = tevent_add_timer(ev, rw_ctx, tv, rewatch_config_file, rw_ctx);
- if (tev == NULL) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not restore inotify watch. Quitting!\n");
- close(file_ctx->mt_ctx->inotify_fd);
- kill(getpid(), SIGTERM);
- }
- goto done;
- }
-
- /* Tell the monitor to signal the children */
- cb->fn(file_ctx, cb->filename);
- file_ctx->needs_update = 0;
-
-done:
- talloc_free(tmp_ctx);
-}
-
-static void rewatch_config_file(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval t, void *ptr)
-{
- int err;
- struct tevent_timer *tev = NULL;
- struct timeval tv;
- struct config_file_callback *cb;
-
- struct rewatch_ctx *rw_ctx;
- struct config_file_ctx *file_ctx;
-
- rw_ctx = talloc_get_type(ptr, struct rewatch_ctx);
-
- cb = rw_ctx->cb;
- file_ctx = rw_ctx->file_ctx;
-
- /* Retry six times at five-second intervals before giving up */
- cb->retries++;
- if (cb->retries > 6) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not restore inotify watch. Switching to polling!\n");
- close(file_ctx->mt_ctx->inotify_fd);
- err = monitor_config_file_fallback(file_ctx->parent_ctx,
- file_ctx->mt_ctx,
- cb->filename,
- cb->fn,true);
- if (err != EOK)
- kill(getpid(), SIGTERM);
-
- cb->fn(file_ctx, cb->filename);
- talloc_free(rw_ctx);
-
- /* A new callback was created in monitor_config_file_fallback()*/
- DLIST_REMOVE(file_ctx->callbacks, cb);
- talloc_free(cb);
-
- return;
- }
-
- cb->wd = inotify_add_watch(file_ctx->mt_ctx->inotify_fd,
- cb->filename, IN_MODIFY);
- if (cb->wd < 0) {
- err = errno;
-
- tv.tv_sec = t.tv_sec+5;
- tv.tv_usec = t.tv_usec;
-
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Could not add inotify watch for file [%s]. Error [%d:%s]\n",
- cb->filename, err, strerror(err));
-
- tev = tevent_add_timer(ev, ev, tv, rewatch_config_file, rw_ctx);
- if (tev == NULL) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not restore inotify watch. Quitting!\n");
- close(file_ctx->mt_ctx->inotify_fd);
- kill(getpid(), SIGTERM);
- }
-
- return;
- }
- cb->retries = 0;
-
- /* Tell the monitor to signal the children */
- cb->fn(file_ctx, cb->filename);
-
- talloc_free(rw_ctx);
- file_ctx->needs_update = 0;
-}
-#endif /* HAVE_INOTIFY */
-
-static void poll_config_file(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval t, void *ptr)
-{
- int ret, err;
- struct stat file_stat;
- struct timeval tv;
- struct config_file_ctx *file_ctx;
- struct config_file_callback *cb;
-
- file_ctx = talloc_get_type(ptr,struct config_file_ctx);
-
- for (cb = file_ctx->callbacks; cb; cb = cb->next) {
+ for (cb = file_ctx->poll_check.callbacks; cb; cb = cb->next) {
ret = stat(cb->filename, &file_stat);
if (ret < 0) {
err = errno;
DEBUG(SSSDBG_FATAL_FAILURE,
"Could not stat file [%s]. Error [%d:%s]\n",
- cb->filename, err, strerror(err));
- /* TODO: If the config file is missing, should we shut down? */
+ cb->filename, err, strerror(err));
return;
}
@@ -1984,88 +1791,51 @@ static void poll_config_file(struct tevent_context *ev,
}
}
- gettimeofday(&tv, NULL);
- tv.tv_sec += CONFIG_FILE_POLL_INTERVAL;
- tv.tv_usec = 0;
- file_ctx->timer = tevent_add_timer(ev, file_ctx->parent_ctx, tv,
- poll_config_file, file_ctx);
- if (!file_ctx->timer) {
+ ret = create_poll_timer(file_ctx);
+ if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Error: Config file no longer monitored for changes!\n");
}
}
-static int try_inotify(struct config_file_ctx *file_ctx, const char *filename,
- monitor_reconf_fn fn)
+static int resolv_conf_inotify_cb(const char *filename,
+ uint32_t flags,
+ void *pvt)
+{
+ struct config_file_ctx *file_ctx;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Received inotify notification for %s\n", filename);
+
+ file_ctx = talloc_get_type(pvt, struct config_file_ctx);
+ if (file_ctx == NULL) {
+ return EINVAL;
+ }
+
+ return file_ctx->fn(file_ctx, filename);
+}
+
+static int try_inotify(struct config_file_ctx *file_ctx,
+ const char *filename)
{
#ifdef HAVE_INOTIFY
- int err, fd_args, ret;
- struct tevent_fd *tfd;
- struct config_file_callback *cb;
+ struct snotify_ctx *snctx;
+ /* We will queue the file for update in one second.
+ * This way, if there is a script writing to the file
+ * repeatedly, we won't be attempting to update multiple
+ * times.
+ */
+ struct timeval delay = { .tv_sec = 1, .tv_usec = 0 };
- /* Monitoring the file descriptor should be global */
- if (!file_ctx->mt_ctx->inotify_fd) {
- /* Set up inotify to monitor the config file for changes */
- file_ctx->mt_ctx->inotify_fd = inotify_init();
- if (file_ctx->mt_ctx->inotify_fd < 0) {
- err = errno;
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not initialize inotify, error [%d:%s]\n",
- err, strerror(err));
- return err;
- }
-
- fd_args = fcntl(file_ctx->mt_ctx->inotify_fd, F_GETFL, NULL);
- if (fd_args < 0) {
- /* Could not set nonblocking */
- close(file_ctx->mt_ctx->inotify_fd);
- return EINVAL;
- }
-
- fd_args |= O_NONBLOCK;
- ret = fcntl(file_ctx->mt_ctx->inotify_fd, F_SETFL, fd_args);
- if (ret < 0) {
- /* Could not set nonblocking */
- close(file_ctx->mt_ctx->inotify_fd);
- return EINVAL;
- }
-
- /* Add the inotify file descriptor to the TEvent context */
- tfd = tevent_add_fd(file_ctx->mt_ctx->ev, file_ctx,
- file_ctx->mt_ctx->inotify_fd,
- TEVENT_FD_READ, config_file_changed,
- file_ctx);
- if (!tfd) {
- close(file_ctx->mt_ctx->inotify_fd);
- return EIO;
- }
- }
-
- cb = talloc_zero(file_ctx, struct config_file_callback);
- if(!cb) {
- close(file_ctx->mt_ctx->inotify_fd);
- return ENOMEM;
+ snctx = snotify_create(file_ctx, file_ctx->mt_ctx->ev, SNOTIFY_WATCH_DIR,
+ filename, &delay,
+ IN_DELETE_SELF | IN_CLOSE_WRITE | IN_MOVE_SELF | \
+ IN_CREATE | IN_MOVED_TO | IN_IGNORED,
+ resolv_conf_inotify_cb, file_ctx);
+ if (snctx == NULL) {
+ return EIO;
}
- cb->filename = talloc_strdup(cb, filename);
- if (!cb->filename) {
- close(file_ctx->mt_ctx->inotify_fd);
- return ENOMEM;
- }
- cb->wd = inotify_add_watch(file_ctx->mt_ctx->inotify_fd,
- cb->filename, IN_MODIFY);
- if (cb->wd < 0) {
- err = errno;
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not add inotify watch for file [%s]. Error [%d:%s]\n",
- cb->filename, err, strerror(err));
- close(file_ctx->mt_ctx->inotify_fd);
- return err;
- }
- cb->fn = fn;
-
- DLIST_ADD(file_ctx->callbacks, cb);
-
return EOK;
#else
return EINVAL;
@@ -2074,36 +1844,18 @@ static int try_inotify(struct config_file_ctx *file_ctx, const char *filename,
static int monitor_config_file(TALLOC_CTX *mem_ctx,
struct mt_ctx *ctx,
- const char *file,
monitor_reconf_fn fn,
- bool ignore_missing)
+ const char *file)
{
- int ret, err;
+ int ret;
bool use_inotify;
- struct stat file_stat;
- ret = stat(file, &file_stat);
- if (ret < 0) {
- err = errno;
- if (err == ENOENT && ignore_missing) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "file [%s] is missing. Will not update online status "
- "based on watching the file\n", file);
- return EOK;
- } else {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not stat file [%s]. Error [%d:%s]\n",
- file, err, strerror(err));
-
- return err;
- }
- }
if (!ctx->file_ctx) {
ctx->file_ctx = talloc_zero(mem_ctx, struct config_file_ctx);
if (!ctx->file_ctx) return ENOMEM;
- ctx->file_ctx->parent_ctx = mem_ctx;
ctx->file_ctx->mt_ctx = ctx;
+ ctx->file_ctx->fn = fn;
}
ret = confdb_get_bool(ctx->cdb,
@@ -2116,73 +1868,68 @@ static int monitor_config_file(TALLOC_CTX *mem_ctx,
}
if (use_inotify) {
- ret = try_inotify(ctx->file_ctx, file, fn);
+ ret = try_inotify(ctx->file_ctx, file);
if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Falling back to polling\n");
use_inotify = false;
}
}
- if (!use_inotify) {
- /* Could not monitor file with inotify, fall back to polling */
- ret = monitor_config_file_fallback(mem_ctx, ctx, file, fn, true);
+ if (use_inotify == false) {
+ ret = monitor_config_file_fallback(mem_ctx, ctx->file_ctx, file);
}
return ret;
}
-static errno_t monitor_config_file_fallback(TALLOC_CTX *mem_ctx,
- struct mt_ctx *ctx,
- const char *file,
- monitor_reconf_fn fn,
- bool ignore_missing)
+static errno_t monitor_config_file_fallback(TALLOC_CTX *parent_ctx,
+ struct config_file_ctx *file_ctx,
+ const char *file)
{
struct config_file_callback *cb = NULL;
struct stat file_stat;
int ret, err;
- struct timeval tv;
ret = stat(file, &file_stat);
if (ret < 0) {
err = errno;
- if (err == ENOENT && ignore_missing) {
+ if (err == ENOENT) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "file [%s] is missing. Will not update online status "
- "based on watching the file\n", file);
+ "file [%s] is missing. Will not update online status "
+ "based on watching the file\n", file);
return EOK;
} else {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not stat file [%s]. Error [%d:%s]\n",
- file, err, strerror(err));
+ "Could not stat file [%s]. Error [%d:%s]\n",
+ file, err, strerror(err));
return err;
}
}
- cb = talloc_zero(ctx->file_ctx, struct config_file_callback);
+ file_ctx->poll_check.parent_ctx = parent_ctx;
+
+ cb = talloc_zero(file_ctx, struct config_file_callback);
if (!cb) {
- talloc_free(ctx->file_ctx);
+ talloc_free(file_ctx);
return ENOMEM;
}
cb->filename = talloc_strdup(cb, file);
if (!cb->filename) {
- talloc_free(ctx->file_ctx);
+ talloc_free(file_ctx);
return ENOMEM;
}
- cb->fn = fn;
+ cb->fn = file_ctx->fn;
cb->modified = file_stat.st_mtime;
- DLIST_ADD(ctx->file_ctx->callbacks, cb);
+ DLIST_ADD(file_ctx->poll_check.callbacks, cb);
- if(!ctx->file_ctx->timer) {
- gettimeofday(&tv, NULL);
- tv.tv_sec += CONFIG_FILE_POLL_INTERVAL;
- tv.tv_usec = 0;
- ctx->file_ctx->timer = tevent_add_timer(ctx->ev, mem_ctx, tv,
- poll_config_file, ctx->file_ctx);
- if (!ctx->file_ctx->timer) {
- talloc_free(ctx->file_ctx);
- return EIO;
+ if(!file_ctx->poll_check.timer) {
+ ret = create_poll_timer(file_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot create poll timer\n");
+ return ret;
}
}
@@ -2198,8 +1945,7 @@ static void missing_resolv_conf(struct tevent_context *ev,
int ret;
struct mt_ctx *ctx = talloc_get_type(data, struct mt_ctx);
- ret = monitor_config_file(ctx, ctx, RESOLV_CONF_PATH,
- monitor_update_resolv, false);
+ ret = monitor_config_file(ctx, ctx, monitor_update_resolv, RESOLV_CONF_PATH);
if (ret == EOK) {
signal_res_init(ctx);
} else if (ret == ENOENT) {
@@ -2297,8 +2043,7 @@ static int monitor_process_init(struct mt_ctx *ctx,
if (ret != EOK) return ret;
/* Watch for changes to the DNS resolv.conf */
- ret = monitor_config_file(ctx, ctx, RESOLV_CONF_PATH,
- monitor_update_resolv, false);
+ ret = monitor_config_file(ctx, ctx, monitor_update_resolv, RESOLV_CONF_PATH);
if (ret == ENOENT) {
tv = tevent_timeval_current_ofs(MISSING_RESOLV_CONF_POLL_TIME, 0);
te = tevent_add_timer(ctx->ev, ctx, tv, missing_resolv_conf, ctx);
diff --git a/src/monitor/monitor.h b/src/monitor/monitor.h
index b5a300bf3c9b281b5e9ffa76872ff30668865117..3f679de8198aa882bc488dad642bacc9f215ba5b 100644
--- a/src/monitor/monitor.h
+++ b/src/monitor/monitor.h
@@ -32,9 +32,6 @@
struct config_file_ctx;
-typedef int (*monitor_reconf_fn) (struct config_file_ctx *file_ctx,
- const char *filename);
-
struct mt_ctx;
/* from monitor_netlink.c */
--
2.9.3

View File

@ -0,0 +1,155 @@
From da95ec568a941c85982e30611398efb86bc884ab Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 7 Dec 2016 14:38:43 +0100
Subject: [PATCH 64/79] MAN: Add documentation for the files provider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The new provider needs a man page.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
contrib/sssd.spec.in | 1 +
src/man/Makefile.am | 4 +++
src/man/po/po4a.cfg | 1 +
src/man/sssd-files.5.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 94 insertions(+)
create mode 100644 src/man/sssd-files.5.xml
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index fe51f9998aedbc7c157e8897a0dae67af037cec4..baeb08b124d17d4eb9cb4fdfac4168ec12dc56ad 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -850,6 +850,7 @@ done
# The files provider is intentionally packaged in -common
%{_libdir}/%{name}/libsss_files.so
+%{_mandir}/man5/sssd-files.5*
%dir %{sssdstatedir}
%dir %{_localstatedir}/cache/krb5rcache
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 49058bc669eb1a5fb8093a0d64c65609a3164744..760bb7831b5852e1bf3be497ad5babdb4f4318c2 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -84,6 +84,10 @@ if BUILD_NFS_IDMAP
man_MANS += sss_rpcidmapd.5
endif
+if HAVE_INOTIFY
+man_MANS += sssd-files.5
+endif
+
SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8
.1.xml.1:
$(XMLLINT) $(XMLLINT_FLAGS) $<
diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg
index 00fd414428ac20fb97277d6d9225853d6ae6dad1..ffcf9a2793da3c0115bc846744ccb9592a9a68ef 100644
--- a/src/man/po/po4a.cfg
+++ b/src/man/po/po4a.cfg
@@ -28,6 +28,7 @@
[type:docbook] sss_ssh_knownhostsproxy.1.xml $lang:$(builddir)/$lang/sss_ssh_knownhostsproxy.1.xml
[type:docbook] idmap_sss.8.xml $lang:$(builddir)/$lang/idmap_sss.8.xml
[type:docbook] sssctl.8.xml $lang:$(builddir)/$lang/sssctl.8.xml
+[type:docbook] sssd-files.5.xml $lang:$(builddir)/$lang/sssd-files.5.xml
[type:docbook] sssd-secrets.5.xml $lang:$(builddir)/$lang/sssd-secrets.5.xml
[type:docbook] include/service_discovery.xml $lang:$(builddir)/$lang/include/service_discovery.xml opt:"-k 0"
[type:docbook] include/upstream.xml $lang:$(builddir)/$lang/include/upstream.xml opt:"-k 0"
diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
new file mode 100644
index 0000000000000000000000000000000000000000..d44fffc034803f774699ed01f11f0e5ec5cd8042
--- /dev/null
+++ b/src/man/sssd-files.5.xml
@@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd-files</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd-files</refname>
+ <refpurpose>SSSD files provider</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ This manual page describes the files provider
+ for
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page.
+ </para>
+ <para>
+ The files provider mirrors the content of the
+ <citerefentry>
+ <refentrytitle>passwd</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ and
+ <citerefentry>
+ <refentrytitle>group</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ files. The purpose of the files provider is to make the users
+ and groups traditionally only accessible with NSS interfaces
+ also available through the SSSD interfaces such as
+ <citerefentry>
+ <refentrytitle>sssd-ifp</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+
+ <refsect1 id='configuration-options'>
+ <title>CONFIGURATION OPTIONS</title>
+ <para>
+ The files provider has no specific options of its own, however,
+ generic SSSD domain options can be set where applicable.
+ Refer to the section <quote>DOMAIN SECTIONS</quote> of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page for details on the configuration
+ of an SSSD domain.
+ </para>
+ </refsect1>
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example assumes that SSSD is correctly
+ configured and files is one of the domains in the
+ <replaceable>[sssd]</replaceable> section.
+ </para>
+ <para>
+<programlisting>
+[domain/files]
+id_provider = files
+</programlisting>
+ </para>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+
+</refentry>
+</reference>
--
2.9.3

View File

@ -0,0 +1,38 @@
From 89e53f7139b134360fda9e43d47ebfb89fcaac92 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 10 Feb 2017 16:39:19 +0100
Subject: [PATCH 65/79] EXAMPLES: Do not point to id_provider=local
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It makes more sense to show id_provider=files
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/examples/sssd.conf | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/examples/sssd.conf b/src/examples/sssd.conf
index a851dbb7ecd5c3220fbd6a946a6c7be2822dbd27..1e8b537a730300a143764142ff0096db6a3f976b 100644
--- a/src/examples/sssd.conf
+++ b/src/examples/sssd.conf
@@ -1,5 +1,4 @@
[sssd]
-config_file_version = 2
services = nss, pam
domains = shadowutils
@@ -8,8 +7,7 @@ domains = shadowutils
[pam]
[domain/shadowutils]
-id_provider = proxy
-proxy_lib_name = files
+id_provider = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
--
2.9.3

View File

@ -0,0 +1,40 @@
From 0e7047c1533e5e424b28959488e8ffa91613abd9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 13 Feb 2017 11:46:06 +0100
Subject: [PATCH 66/79] SBUS: Document how to free the result of
sbus_create_message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It might not be apparent how to free the message constructed by
sbus_create_message(). This patch just adds a comment that tells the
developer to either free the parent context or unref the message with a
dbus call directly.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sbus/sssd_dbus_utils.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/sbus/sssd_dbus_utils.h b/src/sbus/sssd_dbus_utils.h
index 74c21fb7930c7f5f5417b6a2587cf691b1bc0b19..e53a7faef10a4066b58213741cd73f7411419f00 100644
--- a/src/sbus/sssd_dbus_utils.h
+++ b/src/sbus/sssd_dbus_utils.h
@@ -25,6 +25,13 @@ errno_t sbus_talloc_bound_message(TALLOC_CTX *mem_ctx, DBusMessage *msg);
errno_t sbus_error_to_errno(DBusError *error);
errno_t sbus_check_reply(DBusMessage *reply);
+/* Creates a DBusMessage from a vararg list. Please note that even though
+ * this function and sbus_create_message accept a talloc memory context,
+ * it is not valid to free the resulting message with talloc_free() directly.
+ * Instead, either free the parent memory context or directly call
+ * dbus_message_unref on the message if you pass NULL memory context to
+ * these functions
+ */
DBusMessage *sbus_create_message_valist(TALLOC_CTX *mem_ctx,
const char *bus,
const char *path,
--
2.9.3

View File

@ -0,0 +1,33 @@
From 334029028e566fab3dce5ce4b1b53cc4809c21b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Thu, 16 Feb 2017 13:57:09 +0100
Subject: [PATCH 67/79] IPA_SUDO: Unused value fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Unused value was immediately overwritten.
Resolves:
https://fedorahosted.org/sssd/ticket/3309
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_sudo_conversion.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index 05d863c20954c816e52d27fe4a5e1553776c6d41..f6d17d82b7c2f1bd63f8deb00c3c7c19d9881bc1 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -956,7 +956,6 @@ convert_attributes(struct ipa_sudo_conv *conv,
value = table[i].conv_fn(tmp_ctx, conv, values[j], &skip_entry);
if (value == NULL) {
if (skip_entry) {
- ret = ENOENT;
continue;
} else {
ret = ENOMEM;
--
2.9.3

View File

@ -0,0 +1,99 @@
From bac4458c89a589055ae3daf4f72cc7dba886264a Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Thu, 16 Feb 2017 10:07:33 +0100
Subject: [PATCH 68/79] intg: Fix python3 issues
NamedTemporaryFile use the default mode 'w+b'
and we tried to write strings. It is not a problem on python2
but failed on pyhton3
Python module ctypes directly uses C functions from libraries.
C functions usually expect/returns "char *" when string is expected.
But python3 uses unicode for string. Decoding returned bytes
("char *") to unicode strings simplify tests in python3.
Otherwise we would need to convert bytes to string in each assertion.
Reviewed-by: Martin Basti <mbasti@redhat.com>
---
src/tests/intg/files_ops.py | 3 ++-
src/tests/intg/sssd_group.py | 6 ++++--
src/tests/intg/sssd_passwd.py | 11 ++++++-----
3 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/tests/intg/files_ops.py b/src/tests/intg/files_ops.py
index 65b3e5ee401e453c51dcd55433be8d9fa3ce6c92..62f56517d46b43c10783ca93bb59d75cbedd9224 100644
--- a/src/tests/intg/files_ops.py
+++ b/src/tests/intg/files_ops.py
@@ -76,7 +76,8 @@ class FilesOps(object):
return contents
def _write_contents(self, contents):
- tmp_file = tempfile.NamedTemporaryFile(dir=self.tmp_dir, delete=False)
+ tmp_file = tempfile.NamedTemporaryFile(mode='w', dir=self.tmp_dir,
+ delete=False)
tmp_file.writelines(contents)
tmp_file.flush()
diff --git a/src/tests/intg/sssd_group.py b/src/tests/intg/sssd_group.py
index a9cfb32d59a5406fb1ad738d64c7487404f39a2d..ab873a726d4c1c35ed00fe4c431566ecef648880 100644
--- a/src/tests/intg/sssd_group.py
+++ b/src/tests/intg/sssd_group.py
@@ -46,6 +46,7 @@ def getgrnam_r(name, result_p, buffer_p, buflen):
errno = POINTER(c_int)(c_int(0))
+ name = name.encode('utf-8')
res = func(c_char_p(name), result_p, buffer_p, buflen, errno)
return (int(res), int(errno[0]), result_p)
@@ -56,13 +57,14 @@ def set_group_dict(res, result_p):
return dict()
group_dict = dict()
- group_dict['name'] = result_p[0].gr_name
+ group_dict['name'] = result_p[0].gr_name.decode('utf-8')
group_dict['gid'] = result_p[0].gr_gid
group_dict['mem'] = list()
i = 0
while result_p[0].gr_mem[i] != None:
- group_dict['mem'].append(result_p[0].gr_mem[i])
+ grp_name = result_p[0].gr_mem[i].decode('utf-8')
+ group_dict['mem'].append(grp_name)
i = i+1
return group_dict
diff --git a/src/tests/intg/sssd_passwd.py b/src/tests/intg/sssd_passwd.py
index 8b741ea8c27efe2081ee200e6af02c322c5d53bc..f285b4971d0d9e826bf6cb38ebefeaf1b4422187 100644
--- a/src/tests/intg/sssd_passwd.py
+++ b/src/tests/intg/sssd_passwd.py
@@ -38,13 +38,13 @@ def set_user_dict(res, result_p):
return dict()
user_dict = dict()
- user_dict['name'] = result_p[0].pw_name
- user_dict['passwd'] = result_p[0].pw_passwd
+ user_dict['name'] = result_p[0].pw_name.decode('utf-8')
+ user_dict['passwd'] = result_p[0].pw_passwd.decode('utf-8')
user_dict['uid'] = result_p[0].pw_uid
user_dict['gid'] = result_p[0].pw_gid
- user_dict['gecos'] = result_p[0].pw_gecos
- user_dict['dir'] = result_p[0].pw_dir
- user_dict['shell'] = result_p[0].pw_shell
+ user_dict['gecos'] = result_p[0].pw_gecos.decode('utf-8')
+ user_dict['dir'] = result_p[0].pw_dir.decode('utf-8')
+ user_dict['shell'] = result_p[0].pw_shell.decode('utf-8')
return user_dict
@@ -64,6 +64,7 @@ def getpwnam_r(name, result_p, buffer_p, buflen):
errno = POINTER(c_int)(c_int(0))
+ name = name.encode('utf-8')
res = func(c_char_p(name), result_p, buffer_p, buflen, errno)
return (int(res), int(errno[0]), result_p)
--
2.9.3

View File

@ -0,0 +1,36 @@
From fccd8f9ab7a0ac9868c43ea0e8c3af142b2809fa Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 24 Oct 2016 15:46:50 -0400
Subject: [PATCH 69/79] DYNDNS: Update PTR record after non-fatal error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Continue to send PTR record update in situations where the nsupdate
child forward zone updates are successful but nsupdate returns non-zero
Resolves:
https://fedorahosted.org/sssd/ticket/3227
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ldap/sdap_dyndns.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
index 83ec05183de9c429f6576c4e2e0fb769c9470a2f..9d28b57589b85a56abf363880bd310bb63ebd8d2 100644
--- a/src/providers/ldap/sdap_dyndns.c
+++ b/src/providers/ldap/sdap_dyndns.c
@@ -381,9 +381,6 @@ sdap_dyndns_update_done(struct tevent_req *subreq)
return;
}
}
-
- tevent_req_error(req, ret);
- return;
}
if (state->update_ptr == false) {
--
2.9.3

View File

@ -0,0 +1,43 @@
From d694d4fdcc81f24c2f9e3bb5a0dbe0a52498f196 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 24 Oct 2016 18:04:11 -0400
Subject: [PATCH 70/79] DYNDNS: Correct debug log message of realm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the realm is not added to the nsupdate message, the SSSD Debug log
message should inform about utilizing autodiscovered realm.
Resolves:
https://fedorahosted.org/sssd/ticket/3220
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/be_dyndns.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
index 07dc3339d2f65874504de60b8d3f2e63a8d7045f..ee264156824d7c5ab27c919ae0c56bbd6c0bc54f 100644
--- a/src/providers/be_dyndns.c
+++ b/src/providers/be_dyndns.c
@@ -435,11 +435,15 @@ nsupdate_msg_create_common(TALLOC_CTX *mem_ctx, const char *realm,
/* Add the server, realm and headers */
update_msg = talloc_asprintf(tmp_ctx, "server %s\n%s",
servername, realm_directive);
- } else {
+ } else if (realm != NULL) {
DEBUG(SSSDBG_FUNC_DATA,
"Creating update message for realm [%s].\n", realm);
/* Add the realm headers */
update_msg = talloc_asprintf(tmp_ctx, "%s", realm_directive);
+ } else {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Creating update message for auto-discovered realm.\n");
+ update_msg = talloc_asprintf(tmp_ctx, "%s", realm_directive);
}
talloc_free(realm_directive);
if (update_msg == NULL) {
--
2.9.3

View File

@ -0,0 +1,83 @@
From 08bf6b4a281ef4308119dccbba4e86cf28b505d2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 4 Nov 2016 17:13:30 +0100
Subject: [PATCH 71/79] sdap_extend_map: make sure memory can be freed
If there is an error after calling talloc_realloc() the caller cannot
free the memory properly because neither src_map nor _map were pointing
to a valid memory location. With this patch _map will always point to
the current valid location so that it can always be used with
talloc_free().
Reviewed-by: Petr Cech <pcech@redhat.com>
---
src/providers/ldap/sdap.c | 4 ++--
src/providers/ldap/sdap.h | 21 +++++++++++++++++++++
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index bfb7fc6d2a38debf56acae18b8e7eb7a08ccbd1b..342667aae6cc0b6c3df8c76f11eb2445e6bad0be 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -162,9 +162,9 @@ int sdap_extend_map(TALLOC_CTX *memctx,
char *sysdb_attr;
errno_t ret;
+ *_map = src_map;
if (extra_attrs == NULL) {
DEBUG(SSSDBG_FUNC_DATA, "No extra attributes\n");
- *_map = src_map;
*_new_size = num_entries;
return EOK;
}
@@ -177,6 +177,7 @@ int sdap_extend_map(TALLOC_CTX *memctx,
if (map == NULL) {
return ENOMEM;
}
+ *_map = map;
for (i = 0; *extra_attrs != NULL; extra_attrs++) {
ret = split_extra_attr(map, *extra_attrs, &sysdb_attr, &ldap_attr);
@@ -221,7 +222,6 @@ int sdap_extend_map(TALLOC_CTX *memctx,
/* Sentinel */
memset(&map[num_entries+nextra], 0, sizeof(struct sdap_attr_map));
- *_map = map;
*_new_size = num_entries + nextra;
return EOK;
}
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 6d4543ed48ce19f82252d34b6d0833a546a81bb9..6079a8bf62d0bdf23c8d462dc0f19c705e391a6e 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -512,6 +512,27 @@ int sdap_copy_map(TALLOC_CTX *memctx,
int num_entries,
struct sdap_attr_map **_map);
+/**
+ * @brief Add attributes to a map
+ *
+ * sdap_extend_map() will call talloc_realloc() on the second argument so the
+ * original storage location might change. The return value _map will always
+ * contain the current memory location which can be used with talloc_free()
+ * even if there is an error.
+ *
+ * @param[in] memctx Talloc memory context
+ * @param[in] src_map Original map, should not be accessed anymore
+ * @param[in] num_entries Number of entries in the original map
+ * @param[in] extra_attrs NULL-terminated array of extra attribute pairs
+ * sysdb_attr:ldap_attr
+ * @param[out] _map New map
+ * @param[out] _new_size Number of entries in the new map
+ *
+ * @return
+ * - EOK success
+ * - ENOMEM memory allocation failed
+ * - ERR_DUP_EXTRA_ATTR sysdb attribute is already used
+ */
int sdap_extend_map(TALLOC_CTX *memctx,
struct sdap_attr_map *src_map,
size_t num_entries,
--
2.9.3

View File

@ -0,0 +1,79 @@
From 454cf0c3808a9f6a0c9f79e9796e17c58907ee6c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 4 Nov 2016 17:17:13 +0100
Subject: [PATCH 72/79] check_duplicate: check name member before using it
Resolves https://fedorahosted.org/sssd/ticket/3231
Reviewed-by: Petr Cech <pcech@redhat.com>
---
src/providers/ldap/sdap.c | 2 +-
src/tests/ipa_ldap_opt-tests.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 342667aae6cc0b6c3df8c76f11eb2445e6bad0be..d562a96e252e20051c2b4eabffd3205a8575cc72 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -137,7 +137,7 @@ static enum duplicate_t check_duplicate(struct sdap_attr_map *map,
for (i = 0; i < num_entries; i++) {
if (strcmp(map[i].sys_name, sysdb_attr) == 0) {
- if (strcmp(map[i].name, ldap_attr) == 0) {
+ if (map[i].name != NULL && strcmp(map[i].name, ldap_attr) == 0) {
return ALREADY_IN_MAP;
} else {
return CONFLICT_WITH_MAP;
diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c
index 622a617c3b55495b41bffa1868497d302cc1f1e3..30e09f75b788332858231177017f90c35e21229f 100644
--- a/src/tests/ipa_ldap_opt-tests.c
+++ b/src/tests/ipa_ldap_opt-tests.c
@@ -467,6 +467,37 @@ START_TEST(test_extra_opts_dup)
extra_attrs,
&out_map, &new_size);
fail_unless(ret == ERR_DUP_EXTRA_ATTR, "[%s]", sss_strerror(ret));
+
+ talloc_free(out_map);
+}
+END_TEST
+
+START_TEST(test_extra_opts_empty_name)
+{
+ errno_t ret;
+ char *extra_attrs[] = { discard_const(SYSDB_UUID":bar"),
+ NULL };
+ struct sdap_attr_map *in_map;
+ struct sdap_attr_map *out_map;
+ size_t new_size;
+
+ ret = sdap_copy_map(global_talloc_context, rfc2307_user_map,
+ SDAP_OPTS_USER, &in_map);
+ fail_unless(ret == EOK, "[%s]", strerror(ret));
+
+ /* Make sure the name if really NULL */
+ fail_unless(rfc2307_user_map[SDAP_AT_USER_UUID].name == NULL,
+ "The reference name is not NULL anymore, "
+ "please choose a different attribute.");
+
+ ret = sdap_extend_map(global_talloc_context,
+ in_map,
+ SDAP_OPTS_USER,
+ extra_attrs,
+ &out_map, &new_size);
+ fail_unless(ret == ERR_DUP_EXTRA_ATTR, "[%s]", sss_strerror(ret));
+
+ talloc_free(out_map);
}
END_TEST
@@ -500,6 +531,7 @@ Suite *ipa_ldap_opt_suite (void)
tcase_add_test (tc_extra_opts, test_no_extra_opts);
tcase_add_test (tc_extra_opts, test_extra_opts_neg);
tcase_add_test (tc_extra_opts, test_extra_opts_dup);
+ tcase_add_test (tc_extra_opts, test_extra_opts_empty_name);
suite_add_tcase (s, tc_extra_opts);
return s;
--
2.9.3

View File

@ -0,0 +1,167 @@
From fc91d72f32660712f7c9e872e00deb91f188fea3 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 21 Feb 2017 22:14:35 +0100
Subject: [PATCH 73/79] FILES: Fix reallocation logic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There were two bugs in the files provider reallocation logic:
1) the reallocated array was not NULL-terminated properly
2) talloc_get_size was used in place of talloc_array_length
This bug could have resulted in a crash when the passwd or groups file
contained more than FILES_REALLOC_CHUNK entries.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/files/files_ops.c | 9 +++--
src/tests/intg/test_files_provider.py | 66 ++++++++++++++++++++++++++++++++++-
2 files changed, 72 insertions(+), 3 deletions(-)
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
index beda47abd75efd1d399ce074cceb9ea9f4b1399f..9ebf3b11bdb6be60c03392a74a0d434c90808782 100644
--- a/src/providers/files/files_ops.c
+++ b/src/providers/files/files_ops.c
@@ -27,6 +27,9 @@
#include "util/inotify.h"
#include "util/util.h"
+/* When changing this constant, make sure to also adjust the files integration
+ * test for reallocation branch
+ */
#define FILES_REALLOC_CHUNK 64
#define PWD_MAXSIZE 1024
@@ -108,7 +111,7 @@ static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
users = talloc_realloc(mem_ctx,
users,
struct passwd *,
- talloc_get_size(users) + FILES_REALLOC_CHUNK);
+ talloc_array_length(users) + FILES_REALLOC_CHUNK);
if (users == NULL) {
ret = ENOMEM;
goto done;
@@ -117,6 +120,7 @@ static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
}
ret = EOK;
+ users[n_users] = NULL;
*_users = users;
done:
if (ret != EOK) {
@@ -211,7 +215,7 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
groups = talloc_realloc(mem_ctx,
groups,
struct group *,
- talloc_get_size(groups) + FILES_REALLOC_CHUNK);
+ talloc_array_length(groups) + FILES_REALLOC_CHUNK);
if (groups == NULL) {
ret = ENOMEM;
goto done;
@@ -220,6 +224,7 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
}
ret = EOK;
+ groups[n_groups] = NULL;
*_groups = groups;
done:
if (ret != EOK) {
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 0a2e5a7f4da8b27bc410c401baf4f5f226c2a301..528b5e5acc5078cce5bfab9a5f9dab5509e580eb 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -34,6 +34,9 @@ from sssd_group import call_sssd_getgrnam
from files_ops import passwd_ops_setup, group_ops_setup
from util import unindent
+# Sync this with files_ops.c
+FILES_REALLOC_CHUNK = 64
+
CANARY = dict(name='canary', passwd='x', uid=100001, gid=200001,
gecos='Used to check if passwd is resolvable',
dir='/home/canary',
@@ -204,7 +207,7 @@ def sssd_id_sync(name):
# Helper functions
def user_generator(seqnum):
return dict(name='user%d' % seqnum,
- passwd='*',
+ passwd='x',
uid=10000 + seqnum,
gid=20000 + seqnum,
gecos='User for tests',
@@ -221,6 +224,12 @@ def check_user(exp_user, delay=1.0):
assert found_user == exp_user
+def group_generator(seqnum):
+ return dict(name='group%d' % seqnum,
+ gid=30000 + seqnum,
+ mem=[])
+
+
def check_group(exp_group, delay=1.0):
if delay > 0:
time.sleep(delay)
@@ -690,3 +699,58 @@ def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
assert res == sssd_id.NssReturnCode.SUCCESS
assert len(groups) == 2
assert 'group_nomem' in groups
+
+
+def realloc_users(pwd_ops, num):
+ # Intentionally not including the the last one because
+ # canary is added first
+ for i in range(1, num):
+ user = user_generator(i)
+ pwd_ops.useradd(**user)
+
+ user = user_generator(num-1)
+ check_user(user)
+
+
+def test_realloc_users_exact(setup_pw_with_canary, files_domain_only):
+ """
+ Test that returning exactly FILES_REALLOC_CHUNK users (see files_ops.c)
+ works fine to test reallocation logic. Test exact number of users to
+ check for off-by-one errors.
+ """
+ realloc_users(setup_pw_with_canary, FILES_REALLOC_CHUNK)
+
+
+def test_realloc_users(setup_pw_with_canary, files_domain_only):
+ """
+ Test that returning exactly FILES_REALLOC_CHUNK users (see files_ops.c)
+ works fine to test reallocation logic.
+ """
+ realloc_users(setup_pw_with_canary, FILES_REALLOC_CHUNK*3)
+
+
+def realloc_groups(grp_ops, num):
+ for i in range(1, num):
+ group = group_generator(i)
+ grp_ops.groupadd(**group)
+
+ group = group_generator(num-1)
+ check_group(group)
+
+
+def test_realloc_groups_exact(setup_gr_with_canary, files_domain_only):
+ """
+ Test that returning exactly FILES_REALLOC_CHUNK groups (see files_ops.c)
+ works fine to test reallocation logic. Test exact number of groups to
+ check for off-by-one errors.
+ """
+ realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK*3)
+
+
+def test_realloc_groups(setup_gr_with_canary, files_domain_only):
+ """
+ Test that returning exactly FILES_REALLOC_CHUNK groups (see files_ops.c)
+ works fine to test reallocation logic. Test exact number of groups to
+ check for off-by-one errors.
+ """
+ realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK*3)
--
2.9.3

View File

@ -0,0 +1,47 @@
From 0965a77c4ff0b358d24582955cb7ae375ebaa0d2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 22 Feb 2017 11:39:48 +0100
Subject: [PATCH 74/79] pam_sss: check conversation callback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With this patch pam_sss checks if a conversation callback is available
before using it.
Resolves https://fedorahosted.org/sssd/ticket/3296
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sss_client/pam_sss.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b4175ae2c7fc1385a19f81045695bcd73d43f754..03613b8cd0cc3e3521f520e86d5e67371ed6ed48 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -205,6 +205,10 @@ static int do_pam_conversation(pam_handle_t *pamh, const int msg_style,
ret=pam_get_item(pamh, PAM_CONV, (const void **) &conv);
if (ret != PAM_SUCCESS) return ret;
+ if (conv == NULL || conv->conv == NULL) {
+ logger(pamh, LOG_ERR, "No conversation function");
+ return PAM_SYSTEM_ERR;
+ }
do {
pam_msg = malloc(sizeof(struct pam_message));
@@ -1304,6 +1308,10 @@ static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
if (ret != PAM_SUCCESS) {
return ret;
}
+ if (conv == NULL || conv->conv == NULL) {
+ logger(pamh, LOG_ERR, "No conversation function");
+ return PAM_SYSTEM_ERR;
+ }
m[0].msg_style = PAM_PROMPT_ECHO_OFF;
m[0].msg = prompt_fa1;
--
2.9.3

View File

@ -0,0 +1,44 @@
From 86bcc81a665dde4799d67ab7ea2bbd23608e7dab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Fri, 3 Feb 2017 18:31:51 +0100
Subject: [PATCH 75/79] MONITOR: Don't return an error in case we fail to
register a service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This behaviour was mistakenly changed by the {dbus,socket}-activation
series and, as it's now, I've noticed the monitor may end up in some
weird state due to this change, where it doesn't stop properly and leave
some defuncts children processes.
Let's change it back to what it was before and avoid possible
regressions (even if no regression where hit yet).
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/monitor/monitor.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index bc7402103d8024391d2ee27f48b28247ff9cd49c..59bf70741b76871c4937ad75c448aaf776cc37eb 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -372,11 +372,7 @@ static int client_registration(struct sbus_request *dbus_req, void *data)
sbus_request_finish(dbus_req, NULL);
/* FIXME: should we just talloc_zfree(conn) ? */
- if (ret == ENOENT) {
- goto done;
- }
-
- return ret;
+ goto done;
}
/* Fill in svc structure with connection data */
--
2.9.3

View File

@ -0,0 +1,34 @@
From 1f49be4429c17475b789e9089ce4d0ae48315e74 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Thu, 16 Feb 2017 09:15:29 +0100
Subject: [PATCH 76/79] FILES: Remove unnecessary check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
"grp_iter->gr_mem" is an array of strings and not just a string.
We tried to compare first string to NULL (acctually '\0')
But after that we iterated over the array to find count of members
and we check for NULL one more time.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/files/files_ops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
index 9ebf3b11bdb6be60c03392a74a0d434c90808782..370dcd971459069915178bac1fa3e87ecf2884ef 100644
--- a/src/providers/files/files_ops.c
+++ b/src/providers/files/files_ops.c
@@ -189,7 +189,7 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
}
grp->gr_passwd = talloc_strdup(grp, grp_iter->gr_passwd);
- if (grp_iter->gr_mem != NULL && grp_iter->gr_mem[0] != '\0') {
+ if (grp_iter->gr_mem != NULL) {
size_t nmem;
for (nmem = 0; grp_iter->gr_mem[nmem] != NULL; nmem++);
--
2.9.3

View File

@ -0,0 +1,80 @@
From f561c2bd3c72631ccb7ad6d0b5f6541b27b0922d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 19 Sep 2016 16:56:46 +0200
Subject: [PATCH 77/95] PAM: store user object in the preq context
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/pam/pamsrv.h | 1 +
src/responder/pam/pamsrv_cmd.c | 12 ++++++------
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 75045d03937bf71365b4d2654f4257e149087215..e3568123ac6e35d05d63b7b481dbcfbeddbd458c 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -68,6 +68,7 @@ struct pam_auth_req {
struct pam_auth_dp_req *dpreq_spy;
+ struct ldb_message *user_obj;
struct ldb_message *cert_user_obj;
char *token_name;
};
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index e73a819069d0fdf56327d96e38ecfa0585d52a68..e74dd1684ca0a853f4ff1f9f98bb0f9e8d3d219f 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1560,7 +1560,6 @@ static int pam_check_user_search(struct pam_auth_req *preq)
struct pam_ctx *pctx =
talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
static const char *user_attrs[] = SYSDB_PW_ATTRS;
- struct ldb_message *msg;
struct ldb_result *res;
const char *sysdb_name;
@@ -1621,11 +1620,12 @@ static int pam_check_user_search(struct pam_auth_req *preq)
}
if (preq->pd->name_is_upn) {
- ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, &msg);
+ ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs,
+ &preq->user_obj);
if (ret == EOK) {
/* Since sysdb_search_user_by_upn() searches the whole cache we
* have to set the domain so that it matches the result. */
- sysdb_name = ldb_msg_find_attr_as_string(msg,
+ sysdb_name = ldb_msg_find_attr_as_string(preq->user_obj,
SYSDB_NAME, NULL);
if (sysdb_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n");
@@ -1654,7 +1654,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
} else if (res->count == 0) {
ret = ENOENT;
} else {
- msg = res->msgs[0];
+ preq->user_obj = res->msgs[0];
}
}
if (ret != EOK && ret != ENOENT) {
@@ -1693,7 +1693,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
/* if we need to check the remote account go on */
if (preq->check_provider) {
- cacheExpire = ldb_msg_find_attr_as_uint64(msg,
+ cacheExpire = ldb_msg_find_attr_as_uint64(preq->user_obj,
SYSDB_CACHE_EXPIRE, 0);
if (cacheExpire < time(NULL)) {
break;
@@ -1704,7 +1704,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
"Returning info for user [%s@%s]\n", name, dom->name);
/* We might have searched by alias. Pass on the primary name */
- ret = pd_set_primary_name(msg, preq->pd);
+ ret = pd_set_primary_name(preq->user_obj, preq->pd);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Could not canonicalize username\n");
return ret;
--
2.9.3

View File

@ -0,0 +1,72 @@
From 327a16652bbafbb77b5b90cc7abac3ded7c14364 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 25 Jan 2017 17:34:54 +0100
Subject: [PATCH 78/95] PAM: fix memory leak in pam_sss
Since there can be multiple rounds trips between the PAM client and SSSD
it might be possible that the same data is send multiple times by SSSD.
So before overriding the old data it should be freed. I've seen this
with the domain name which is send both in the pre-auth and the auth
responses. To be on the safe side I added free() for some other items as
well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sss_client/pam_sss.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 03613b8cd0cc3e3521f520e86d5e67371ed6ed48..8f97af77e3a0c2fa26c84962b6438fe774a75f1a 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -869,6 +869,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
break;
}
D(("domain name: [%s]", &buf[p]));
+ free(pi->domain_name);
pi->domain_name = strdup((char *) &buf[p]);
if (pi->domain_name == NULL) {
D(("strdup failed"));
@@ -937,6 +938,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
break;
}
+ free(pi->otp_vendor);
pi->otp_vendor = strdup((char *) &buf[p]);
if (pi->otp_vendor == NULL) {
D(("strdup failed"));
@@ -950,6 +952,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
pi->otp_vendor = NULL;
break;
}
+ free(pi->otp_token_id);
pi->otp_token_id = strdup((char *) &buf[p + offset]);
if (pi->otp_token_id == NULL) {
D(("strdup failed"));
@@ -963,6 +966,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
pi->otp_token_id = NULL;
break;
}
+ free(pi->otp_challenge);
pi->otp_challenge = strdup((char *) &buf[p + offset]);
if (pi->otp_challenge == NULL) {
D(("strdup failed"));
@@ -976,6 +980,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
break;
}
+ free(pi->cert_user);
pi->cert_user = strdup((char *) &buf[p]);
if (pi->cert_user == NULL) {
D(("strdup failed"));
@@ -1010,6 +1015,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
pi->cert_user = NULL;
break;
}
+ free(pi->token_name);
pi->token_name = strdup((char *) &buf[p + offset]);
if (pi->token_name == NULL) {
D(("strdup failed"));
--
2.9.3

View File

@ -0,0 +1,28 @@
From 254f3898cc9fb9d76e12d72a2955906c49748e6d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Jan 2017 18:18:23 +0100
Subject: [PATCH 79/95] PAM: use sentinel error code in PAM tests
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/cmocka/test_pam_srv.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 3b8327eb3acbb35cbd3e1a3cd4d8f7dc06b82c9f..e6ed8f509b5b69978f80c158e52bfea738909465 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -883,7 +883,9 @@ void test_pam_open_session(void **state)
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_OPEN_SESSION);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- pam_test_ctx->exp_pam_status = PAM_NO_MODULE_DATA;
+ /* make sure pam_status is not touched by setting it to a value which is
+ * not used by SSSD. */
+ pam_test_ctx->exp_pam_status = _PAM_RETURN_VALUES;
set_cmd_cb(test_pam_simple_check);
ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_OPEN_SESSION,
pam_test_ctx->pam_cmds);
--
2.9.3

View File

@ -0,0 +1,44 @@
From d4757440418c7b73bbecec7e40baf6dfe8cc9460 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Jan 2017 18:04:11 +0100
Subject: [PATCH 80/95] utils: new error codes
ERR_SC_AUTH_NOT_SUPPORTED can be used by backends to indicate that
Smartcard authentication is not supported. ERR_NO_AUTH_METHOD_AVAILABLE
can be used by backends that no authentication method was found.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/util/util_errors.c | 2 ++
src/util/util_errors.h | 2 ++
2 files changed, 4 insertions(+)
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 88ebf4e301f7194ccea920767141f838cbd8dc56..17388c997db5315c2491af1021e75aff07632488 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -102,6 +102,8 @@ struct err_string error_to_str[] = {
{ "No proxy server for secrets available"}, /* ERR_SEC_NO_PROXY */
{ "The maximum number of stored secrets has been reached" }, /* ERR_SEC_INVALID_TOO_MANY_SECRETS */
{ "The secret payload size is too large" }, /* ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE */
+ { "No authentication methode available" }, /* ERR_NO_AUTH_METHOD_AVAILABLE */
+ { "Smartcard authentication not supported" }, /* ERR_SC_AUTH_NOT_SUPPORTED */
{ "ERR_LAST" } /* ERR_LAST */
};
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 525983f21cfb7aaa299ed78f672161e6d0664ad0..7aacad26084a3a2af6333988f07db865f6a4d299 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -124,6 +124,8 @@ enum sssd_errors {
ERR_SEC_NO_PROXY,
ERR_SEC_INVALID_TOO_MANY_SECRETS,
ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE,
+ ERR_NO_AUTH_METHOD_AVAILABLE,
+ ERR_SC_AUTH_NOT_SUPPORTED,
ERR_LAST /* ALWAYS LAST */
};
--
2.9.3

View File

@ -0,0 +1,63 @@
From f70d946f8cde55b6bdc09345e22849842bca4387 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 25 Jan 2017 20:29:43 +0100
Subject: [PATCH 81/95] LDAP/proxy: tell frontend that Smartcard auth is not
supported
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ldap/ldap_auth.c | 11 ++++++++++-
src/providers/proxy/proxy_auth.c | 8 ++++++++
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 00d38284e428eea42254820fd08ee4fb125235a6..00ddd889b6294e457c13218491547b84f1468266 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -645,7 +645,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
/* The token must be a password token */
if (sss_authtok_get_type(authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
- tevent_req_error(req, ERR_AUTH_FAILED);
+ if (sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_PIN
+ || sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) {
+ /* Tell frontend that we do not support Smartcard authentication */
+ tevent_req_error(req, ERR_SC_AUTH_NOT_SUPPORTED);
+ } else {
+ tevent_req_error(req, ERR_AUTH_FAILED);
+ }
return tevent_req_post(req, ev);
}
@@ -1028,6 +1034,9 @@ static void sdap_pam_auth_handler_done(struct tevent_req *subreq)
state->pd->account_locked = true;
state->pd->pam_status = PAM_PERM_DENIED;
break;
+ case ERR_SC_AUTH_NOT_SUPPORTED:
+ state->pd->pam_status = PAM_BAD_ITEM;
+ break;
default:
state->pd->pam_status = PAM_SYSTEM_ERR;
break;
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
index 2b3510c38b1cb265e3042425c373f39e524a71eb..e53b38e666343f8530593d5eac21787ce7cb46e1 100644
--- a/src/providers/proxy/proxy_auth.c
+++ b/src/providers/proxy/proxy_auth.c
@@ -737,6 +737,14 @@ proxy_pam_handler_send(TALLOC_CTX *mem_ctx,
state->auth_ctx = proxy_auth_ctx;
state->be_ctx = params->be_ctx;
+ /* Tell frontend that we do not support Smartcard authentication */
+ if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN
+ || sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) {
+ pd->pam_status = PAM_BAD_ITEM;
+ goto immediately;
+ }
+
+
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK:
--
2.9.3

View File

@ -0,0 +1,775 @@
From dd17a3aaddab6f122dff3bd15b7005464c07c0ea Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 23 Sep 2016 17:11:35 +0200
Subject: [PATCH 82/95] authtok: enhance support for Smartcard auth blobs
The blobs contains beside the PIN the name of the PKCS#11 module and the
token name where the certificate of the user was found and the key id.
Those data will be used e.g. by the pkinit module to make sure them
right certificate is used.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/cmocka/test_authtok.c | 89 ++++++++++-
src/util/authtok-utils.c | 91 ++++++++++++
src/util/authtok-utils.h | 56 +++++++
src/util/authtok.c | 320 ++++++++++++++++++++++++++++++++++++++--
src/util/authtok.h | 84 +++++++++++
5 files changed, 625 insertions(+), 15 deletions(-)
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
index 30dcc9c8401103a275bd592fe8afd2c2f396ffb1..b2ef08a1c75625253706910e0cc80f4d5d28be5d 100644
--- a/src/tests/cmocka/test_authtok.c
+++ b/src/tests/cmocka/test_authtok.c
@@ -437,6 +437,85 @@ void test_sss_authtok_2fa_blobs(void **state)
talloc_free(fa2);
}
+void test_sss_authtok_sc_blobs(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ size_t needed_size;
+ uint8_t *buf;
+ const char *pin;
+ size_t pin_len;
+ const char *token_name;
+ size_t token_name_len;
+ const char *module_name;
+ size_t module_name_len;
+ const char *key_id;
+ size_t key_id_len;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_auth_pack_sc_blob("abc", 0, "defg", 0, "hijkl", 0, "mnopqr", 0,
+ NULL, 0, &needed_size);
+ assert_int_equal(ret, EAGAIN);
+
+ buf = talloc_size(ts, needed_size);
+ assert_non_null(buf);
+
+ ret = sss_auth_pack_sc_blob("abc", 0, "defg", 0, "hijkl", 0, "mnopqr", 0,
+ buf, needed_size, &needed_size);
+ assert_int_equal(ret, EOK);
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ assert_memory_equal(buf, "\4\0\0\0\5\0\0\0\6\0\0\0\7\0\0\0abc\0defg\0hijkl\0mnopqr\0",
+ needed_size);
+#else
+ assert_memory_equal(buf, "\0\0\0\4\0\0\0\5\0\0\0\6\0\0\0\7abc\0defg\0hijkl\0mnopqr\0",
+ needed_size);
+#endif
+
+ ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_SC_PIN, buf,
+ needed_size);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_authtok_get_sc(ts->authtoken, &pin, &pin_len,
+ &token_name, &token_name_len,
+ &module_name, &module_name_len,
+ &key_id, &key_id_len);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(pin_len, 3);
+ assert_string_equal(pin, "abc");
+ assert_int_equal(token_name_len, 4);
+ assert_string_equal(token_name, "defg");
+ assert_int_equal(module_name_len, 5);
+ assert_string_equal(module_name, "hijkl");
+ assert_int_equal(key_id_len, 6);
+ assert_string_equal(key_id, "mnopqr");
+
+ ret = sss_authtok_get_sc(ts->authtoken, NULL, NULL,
+ &token_name, &token_name_len,
+ &module_name, &module_name_len,
+ &key_id, &key_id_len);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(token_name_len, 4);
+ assert_string_equal(token_name, "defg");
+ assert_int_equal(module_name_len, 5);
+ assert_string_equal(module_name, "hijkl");
+ assert_int_equal(key_id_len, 6);
+ assert_string_equal(key_id, "mnopqr");
+
+ ret = sss_authtok_get_sc(ts->authtoken, NULL, NULL,
+ &token_name, NULL,
+ &module_name, NULL,
+ &key_id, NULL);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(token_name, "defg");
+ assert_string_equal(module_name, "hijkl");
+ assert_string_equal(key_id, "mnopqr");
+
+ sss_authtok_set_empty(ts->authtoken);
+ talloc_free(buf);
+}
+
#define MISSING_NULL_CHECK do { \
assert_int_equal(ret, EOK); \
assert_int_equal(fa1_len, 3); \
@@ -524,8 +603,8 @@ void test_sss_authtok_sc_pin(void **state)
assert_int_equal(sss_authtok_get_type(ts->authtoken),
SSS_AUTHTOK_TYPE_SC_PIN);
size = sss_authtok_get_size(ts->authtoken);
- assert_int_equal(size, 9);
- assert_memory_equal(sss_authtok_get_data(ts->authtoken), "12345678\0",
+ assert_int_equal(size, 28);
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345678\0\0\0\0",
size);
ret = sss_authtok_set_sc_pin(ts->authtoken, "12345678", 5);
@@ -533,8 +612,8 @@ void test_sss_authtok_sc_pin(void **state)
assert_int_equal(sss_authtok_get_type(ts->authtoken),
SSS_AUTHTOK_TYPE_SC_PIN);
size = sss_authtok_get_size(ts->authtoken);
- assert_int_equal(size, 6);
- assert_memory_equal(sss_authtok_get_data(ts->authtoken), "12345\0",
+ assert_int_equal(size, 25);
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345\0\0\0\0",
size);
ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len);
@@ -592,6 +671,8 @@ int main(int argc, const char *argv[])
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_authtok_sc_pin,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_sc_blobs,
+ setup, teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c
index 65fba9022db11786c0c7e4dcab6fec89c9e0cb19..e7123df341ef0f1954b1202921124e9144909fc1 100644
--- a/src/util/authtok-utils.c
+++ b/src/util/authtok-utils.c
@@ -72,3 +72,94 @@ errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len,
return 0;
}
+
+errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len,
+ const char *token_name, size_t token_name_len,
+ const char *module_name, size_t module_name_len,
+ const char *key_id, size_t key_id_len,
+ uint8_t *buf, size_t buf_len,
+ size_t *_sc_blob_len)
+{
+ size_t c;
+ uint32_t tmp_uint32_t;
+
+ if (pin_len > UINT32_MAX || token_name_len > UINT32_MAX
+ || module_name_len > UINT32_MAX
+ || (pin_len != 0 && pin == NULL)
+ || (token_name_len != 0 && token_name == NULL)
+ || (module_name_len != 0 && module_name == NULL)
+ || (key_id_len != 0 && key_id == NULL)) {
+ return EINVAL;
+ }
+
+ /* A missing pin is ok in the case of a reader with a keyboard */
+ if (pin == NULL) {
+ pin = "";
+ pin_len = 0;
+ }
+
+ if (token_name == NULL) {
+ token_name = "";
+ token_name_len = 0;
+ }
+
+ if (module_name == NULL) {
+ module_name = "";
+ module_name_len = 0;
+ }
+
+ if (key_id == NULL) {
+ key_id = "";
+ key_id_len = 0;
+ }
+
+ /* len should not include the trailing \0 */
+ if (pin_len == 0 || pin[pin_len - 1] == '\0') {
+ pin_len = strlen(pin);
+ }
+
+ if (token_name_len == 0 || token_name[token_name_len - 1] == '\0') {
+ token_name_len = strlen(token_name);
+ }
+
+ if (module_name_len == 0 || module_name[module_name_len - 1] == '\0') {
+ module_name_len = strlen(module_name);
+ }
+
+ if (key_id_len == 0 || key_id[key_id_len - 1] == '\0') {
+ key_id_len = strlen(key_id);
+ }
+
+ *_sc_blob_len = pin_len + token_name_len + module_name_len + key_id_len + 4
+ + 4 * sizeof(uint32_t);
+ if (buf == NULL || buf_len < *_sc_blob_len) {
+ return EAGAIN;
+ }
+
+ c = 0;
+ tmp_uint32_t = (uint32_t) pin_len + 1;
+ SAFEALIGN_COPY_UINT32(buf, &tmp_uint32_t, &c);
+ tmp_uint32_t = (uint32_t) token_name_len + 1;
+ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c);
+ tmp_uint32_t = (uint32_t) module_name_len + 1;
+ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c);
+ tmp_uint32_t = (uint32_t) key_id_len + 1;
+ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c);
+
+ memcpy(buf + c, pin, pin_len);
+ buf[c + pin_len] = '\0';
+ c += pin_len + 1;
+
+ memcpy(buf + c, token_name, token_name_len);
+ buf[c + token_name_len] = '\0';
+ c += token_name_len + 1;
+
+ memcpy(buf + c, module_name, module_name_len);
+ buf[c + module_name_len] = '\0';
+ c += module_name_len + 1;
+
+ memcpy(buf + c, key_id, key_id_len);
+ buf[c + key_id_len] = '\0';
+
+ return 0;
+}
diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h
index 07aef3c18395d6e967289f6e345f27e9ee868da2..c5aace39feea0b3c7e24c7ea80206e663712a11c 100644
--- a/src/util/authtok-utils.h
+++ b/src/util/authtok-utils.h
@@ -25,6 +25,37 @@
#include "sss_client/sss_cli.h"
/**
+ * @brief Fill memory buffer with Smartcard authentication blob
+ *
+ * @param[in] pin PIN, null terminated
+ * @param[in] pin_len Length of the PIN, if 0
+ * strlen() will be called internally
+ * @param[in] token_name Token name, null terminated
+ * @param[in] token_name_len Length of the token name, if 0
+ * strlen() will be called internally
+ * @param[in] module_name Name of PKCS#11 module, null terminated
+ * @param[in] module_name_len Length of the module name, if 0
+ * strlen() will be called internally
+ * @param[in] key_id Key ID of the certificate
+ * @param[in] key_id_len Length of the key id of the certificate, if 0
+ * strlen() will be called internally
+ * @param[in] buf memory buffer of size buf_len, may be NULL
+ * @param[in] buf_len size of memory buffer buf
+ *
+ * @param[out] _sc_blob len size of the Smartcard authentication blob
+ *
+ * @return EOK on success
+ * EINVAL if input data is not consistent
+ * EAGAIN if provided buffer is too small, _sc_blob_len
+ * contains the size needed to store the SC blob
+ */
+errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len,
+ const char *token_name, size_t token_name_len,
+ const char *module_name, size_t module_name_len,
+ const char *key_id, size_t key_id_len,
+ uint8_t *buf, size_t buf_len,
+ size_t *_sc_blob_len);
+/**
* @brief Fill memory buffer with 2FA blob
*
* @param[in] fa1 First authentication factor, null terminated
@@ -67,4 +98,29 @@ errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx,
const uint8_t *blob, size_t blob_len,
char **fa1, size_t *_fa1_len,
char **fa2, size_t *_fa2_len);
+
+/**
+ * @brief Extract SC data from memory buffer
+ *
+ * @param[in] mem_ctx Talloc memory context to allocate the 2FA
+ * data on
+ * @param[in] blob Memory buffer containing the 2FA data
+ * @param[in] blob_len Size of the memory buffer
+ * @param[out] _pin PIN, null terminated
+ * @param[out] _pin_len Length of the PIN
+ * @param[out] _token_name Token name, null terminated
+ * @param[out] _token_name_len Length of the token name
+ * @param[out] _module_name Name of PKCS#11 module, null terminated
+ * @param[out] _module_name_len Length of the module name
+ *
+ * @return EOK on success
+ * EINVAL if input data is not consistent
+ * EINVAL if no memory can be allocated
+ */
+errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx,
+ const uint8_t *blob, size_t blob_len,
+ char **pin, size_t *_pin_len,
+ char **token_name, size_t *_token_name_len,
+ char **module_name, size_t *_module_name_len,
+ char **key_id, size_t *_key_id_len);
#endif /* __AUTHTOK_UTILS_H__ */
diff --git a/src/util/authtok.c b/src/util/authtok.c
index 6062cd875ce2c6b541ef237e7f7bdddac80366c5..c2f78be329230a255ce04ce68a01084f7f584c7c 100644
--- a/src/util/authtok.c
+++ b/src/util/authtok.c
@@ -196,10 +196,9 @@ errno_t sss_authtok_set(struct sss_auth_token *tok,
case SSS_AUTHTOK_TYPE_2FA:
return sss_authtok_set_2fa_from_blob(tok, data, len);
case SSS_AUTHTOK_TYPE_SC_PIN:
- return sss_authtok_set_sc_pin(tok, (const char*)data, len);
+ return sss_authtok_set_sc_from_blob(tok, data, len);
case SSS_AUTHTOK_TYPE_SC_KEYPAD:
- sss_authtok_set_sc_keypad(tok);
- return EOK;
+ return sss_authtok_set_sc_from_blob(tok, data, len);
case SSS_AUTHTOK_TYPE_EMPTY:
sss_authtok_set_empty(tok);
return EOK;
@@ -425,6 +424,104 @@ errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
return EOK;
}
+errno_t sss_authtok_set_sc(struct sss_auth_token *tok,
+ enum sss_authtok_type type,
+ const char *pin, size_t pin_len,
+ const char *token_name, size_t token_name_len,
+ const char *module_name, size_t module_name_len,
+ const char *key_id, size_t key_id_len)
+{
+ int ret;
+ size_t needed_size;
+
+ if (type != SSS_AUTHTOK_TYPE_SC_PIN
+ && type != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid type [%d].\n", type);
+ return EINVAL;
+ }
+
+ sss_authtok_set_empty(tok);
+
+ ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len,
+ module_name, module_name_len,
+ key_id, key_id_len, NULL, 0,
+ &needed_size);
+ if (ret != EAGAIN) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n");
+ return ret;
+ }
+
+ tok->data = talloc_size(tok, needed_size);
+ if (tok->data == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len,
+ module_name, module_name_len,
+ key_id, key_id_len, tok->data,
+ needed_size, &needed_size);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n");
+ talloc_free(tok->data);
+ return ret;
+ }
+
+ tok->length = needed_size;
+ tok->type = type;
+
+ return EOK;
+}
+
+errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok,
+ const uint8_t *data,
+ size_t len)
+{
+ int ret;
+ char *pin = NULL;
+ size_t pin_len;
+ char *token_name = NULL;
+ size_t token_name_len;
+ char *module_name = NULL;
+ size_t module_name_len;
+ char *key_id = NULL;
+ size_t key_id_len;
+ TALLOC_CTX *tmp_ctx;
+
+ if (tok == NULL) {
+ return EFAULT;
+ }
+ if (data == NULL || len == 0) {
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_auth_unpack_sc_blob(tmp_ctx, data, len, &pin, &pin_len,
+ &token_name, &token_name_len,
+ &module_name, &module_name_len,
+ &key_id, &key_id_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_sc_blob failed.\n");
+ goto done;
+ }
+
+ ret = sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, pin_len,
+ token_name, token_name_len,
+ module_name, module_name_len,
+ key_id, key_id_len);
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin,
size_t len)
{
@@ -435,15 +532,17 @@ errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin,
return EINVAL;
}
- sss_authtok_set_empty(tok);
-
- return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_SC_PIN,
- "sc_pin", pin, len);
+ return sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, len,
+ NULL, 0, NULL, 0, NULL, 0);
}
-errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
+errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **_pin,
size_t *len)
{
+ int ret;
+ const char *pin = NULL;
+ size_t pin_len;
+
if (!tok) {
return EFAULT;
}
@@ -451,9 +550,16 @@ errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
case SSS_AUTHTOK_TYPE_EMPTY:
return ENOENT;
case SSS_AUTHTOK_TYPE_SC_PIN:
- *pin = (const char *)tok->data;
+ ret = sss_authtok_get_sc(tok, &pin, &pin_len,
+ NULL, NULL, NULL, NULL, NULL, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n");
+ return ret;
+ }
+
+ *_pin = pin;
if (len) {
- *len = tok->length - 1;
+ *len = pin_len;
}
return EOK;
case SSS_AUTHTOK_TYPE_PASSWORD:
@@ -468,10 +574,202 @@ errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
void sss_authtok_set_sc_keypad(struct sss_auth_token *tok)
{
- if (!tok) {
+ if (tok == NULL) {
return;
}
+
sss_authtok_set_empty(tok);
tok->type = SSS_AUTHTOK_TYPE_SC_KEYPAD;
}
+
+errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx,
+ const uint8_t *blob, size_t blob_len,
+ char **pin, size_t *_pin_len,
+ char **token_name, size_t *_token_name_len,
+ char **module_name, size_t *_module_name_len,
+ char **key_id, size_t *_key_id_len)
+{
+ size_t c;
+ uint32_t pin_len;
+ uint32_t token_name_len;
+ uint32_t module_name_len;
+ uint32_t key_id_len;
+
+ c = 0;
+
+ if (blob == NULL || blob_len == 0) {
+ pin_len = 0;
+ token_name_len = 0;
+ module_name_len = 0;
+ key_id_len = 0;
+ } else if (blob_len > 0
+ && strnlen((const char *) blob, blob_len) == blob_len - 1) {
+ pin_len = blob_len;
+ token_name_len = 0;
+ module_name_len = 0;
+ key_id_len = 0;
+ } else {
+ if (blob_len < 4 * sizeof(uint32_t)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n");
+ return EINVAL;
+ }
+
+ SAFEALIGN_COPY_UINT32(&pin_len, blob, &c);
+ SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c);
+ SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c);
+ SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c);
+
+ if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len
+ + module_name_len + key_id_len) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
+ return EINVAL;
+ }
+ }
+
+ if (pin_len != 0) {
+ *pin = talloc_strndup(mem_ctx, (const char *) blob + c, pin_len);
+ if (*pin == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ return ENOMEM;
+ }
+ } else {
+ *pin = NULL;
+ }
+
+ if (token_name_len != 0) {
+ *token_name = talloc_strndup(mem_ctx, (const char *) blob + c + pin_len,
+ token_name_len);
+ if (*token_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ talloc_free(*pin);
+ return ENOMEM;
+ }
+ } else {
+ *token_name = NULL;
+ }
+
+ if (module_name_len != 0) {
+ *module_name = talloc_strndup(mem_ctx,
+ (const char *) blob + c + pin_len
+ + token_name_len,
+ module_name_len);
+ if (*module_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ talloc_free(*pin);
+ talloc_free(*token_name);
+ return ENOMEM;
+ }
+ } else {
+ *module_name = NULL;
+ }
+
+ if (key_id_len != 0) {
+ *key_id = talloc_strndup(mem_ctx,
+ (const char *) blob + c + pin_len
+ + token_name_len
+ + module_name_len,
+ key_id_len);
+ if (*key_id == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ talloc_free(*pin);
+ talloc_free(*token_name);
+ talloc_free(*module_name);
+ return ENOMEM;
+ }
+ } else {
+ *key_id = NULL;
+ }
+
+ /* Re-calculate length for the case where \0 was missing in the blob */
+ if (_pin_len != NULL) {
+ *_pin_len = (*pin == NULL) ? 0 : strlen(*pin);
+ }
+ if (_token_name_len != NULL) {
+ *_token_name_len = (*token_name == NULL) ? 0 : strlen(*token_name);
+ }
+ if (_module_name_len != NULL) {
+ *_module_name_len = (*module_name == NULL) ? 0 : strlen(*module_name);
+ }
+
+ if (_key_id_len != NULL) {
+ *_key_id_len = (*key_id == NULL) ? 0 : strlen(*key_id);
+ }
+
+ return EOK;
+}
+
+errno_t sss_authtok_get_sc(struct sss_auth_token *tok,
+ const char **_pin, size_t *_pin_len,
+ const char **_token_name, size_t *_token_name_len,
+ const char **_module_name, size_t *_module_name_len,
+ const char **_key_id, size_t *_key_id_len)
+{
+ size_t c = 0;
+ size_t pin_len;
+ size_t token_name_len;
+ size_t module_name_len;
+ size_t key_id_len;
+ uint32_t tmp_uint32_t;
+
+ if (!tok) {
+ return EFAULT;
+ }
+
+ if (tok->type != SSS_AUTHTOK_TYPE_SC_PIN
+ && tok->type != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
+ return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? ENOENT : EACCES;
+ }
+
+ if (tok->length < 4 * sizeof(uint32_t)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n");
+ return EINVAL;
+ }
+
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data, &c);
+ pin_len = tmp_uint32_t - 1;
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
+ token_name_len = tmp_uint32_t - 1;
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
+ module_name_len = tmp_uint32_t -1;
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
+ key_id_len = tmp_uint32_t -1;
+
+ if (tok->length != 4 * sizeof(uint32_t) + 4 + pin_len + token_name_len
+ + module_name_len + key_id_len) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
+ return EINVAL;
+ }
+
+ if (_pin != NULL) {
+ *_pin = (const char *) tok->data + c;
+ }
+ if (_pin_len != NULL) {
+ *_pin_len = pin_len;
+ }
+
+ if (_token_name != NULL) {
+ *_token_name = (const char *) tok->data + c + pin_len + 1;
+ }
+ if (_token_name_len != NULL) {
+ *_token_name_len = token_name_len;
+ }
+
+ if (_module_name != NULL) {
+ *_module_name = (const char *) tok->data + c + pin_len + 1
+ + token_name_len + 1;
+ }
+ if (_module_name_len != NULL) {
+ *_module_name_len = module_name_len;
+ }
+
+ if (_key_id != NULL) {
+ *_key_id = (const char *) tok->data + c + pin_len + 1
+ + token_name_len + 1 + module_name_len + 1;
+ }
+ if (_key_id_len != NULL) {
+ *_key_id_len = key_id_len;
+ }
+
+ return EOK;
+}
diff --git a/src/util/authtok.h b/src/util/authtok.h
index f1a01a42306a720fc39e701078550a071835e980..c146ba2066f2aca032e04d6a33459c47c963370f 100644
--- a/src/util/authtok.h
+++ b/src/util/authtok.h
@@ -264,4 +264,88 @@ errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
*/
void sss_authtok_set_sc_keypad(struct sss_auth_token *tok);
+/**
+ * @brief Set complete Smart Card authentication blob including PKCS#11 token
+ * name, module name and key id.
+ *
+ * @param tok A pointer to an sss_auth_token
+ * @param type Authentication token type, may be
+ * SSS_AUTHTOK_TYPE_SC_PIN or SSS_AUTHTOK_TYPE_SC_KEYPAD
+ * @param pin A pointer to a const char *, that will point to a null
+ * terminated string containing the pin
+ * @param pin_len The length of the pin string, if set to 0 it will be
+ * calculated
+ * @param token_name A pointer to a const char *, that will point to a null
+ * terminated string containing the PKCS#11 token name
+ * @param token_name_len The length of the token name string, if set to 0 it
+ * will be calculated
+ * @param module_name A pointer to a const char *, that will point to a null
+ * terminated string containing the PKCS#11 module name
+ * @param module_name_len The length of the module name string, if set to 0 it
+ * will be calculated
+ * @param key_id A pointer to a const char *, that will point to a null
+ * terminated string containing the PKCS#11 key id
+ * @param key_id_len The length of the key id string, if set to 0 it will be
+ * calculated
+ *
+ * @return EOK on success
+ * EINVAL unexpected or inval input
+ * ENOMEM memory allocation error
+ */
+errno_t sss_authtok_set_sc(struct sss_auth_token *tok,
+ enum sss_authtok_type type,
+ const char *pin, size_t pin_len,
+ const char *token_name, size_t token_name_len,
+ const char *module_name, size_t module_name_len,
+ const char *key_id, size_t key_id_len);
+/**
+ * @brief Set a Smart Card authentication data, replacing any previous data
+ *
+ * @param tok A pointer to a sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param data Smart Card authentication data blob
+ * @param len The length of the blob
+ *
+ * @return EOK on success
+ * ENOMEM on error
+ */
+errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok,
+ const uint8_t *data,
+ size_t len);
+
+/**
+ * @brief Get complete Smart Card authtoken data
+ *
+ * @param tok A pointer to a sss_auth_token structure
+ * @param[out] _pin A pointer to a const char *, that will point to
+ * a null terminated string holding the pin,
+ * may not be modified or freed
+ * @param[out] _pin__len Length of the pin
+ * @param[out] _token_name A pointer to a const char *, that will point to
+ * a null terminated string holding the PKCS#11
+ * token name, may not be modified or freed
+ * @param[out] _token_name_len Length of the PKCS#11 token name
+ * @param[out] _module_name A pointer to a const char *, that will point to
+ * a null terminated string holding the PKCS#11
+ * module name, may not be modified or freed
+ * @param[out] _module_name_len Length of the PKCS#11 module name
+ * @param[out] _key_id A pointer to a const char *, that will point to
+ * a null terminated string holding the PKCS#11
+ * key id, may not be modified or freed
+ * @param[out] _key_id_len Length of the PKCS#11 key id
+ *
+ * Any of the output pointers may be NULL if the caller does not need the
+ * specific item.
+ *
+ * @return EOK on success
+ * EFAULT missing token
+ * EINVAL if input data is not consistent
+ * ENOENT if the token is empty
+ * EACCESS if the token is not a Smart Card token
+ */
+errno_t sss_authtok_get_sc(struct sss_auth_token *tok,
+ const char **_pin, size_t *_pin_len,
+ const char **_token_name, size_t *_token_name_len,
+ const char **_module_name, size_t *_module_name_len,
+ const char **_key_id, size_t *_key_id_len);
#endif /* __AUTHTOK_H__ */
--
2.9.3

View File

@ -0,0 +1,265 @@
From 82c5971fafe6063a90289ebba08035fc49ae8590 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 8 Oct 2015 16:42:39 +0200
Subject: [PATCH 83/95] PAM: forward Smartcard credentials to backends
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/pam/pamsrv.h | 3 ++
src/responder/pam/pamsrv_cmd.c | 102 +++++++++++++++++++++++++++++++---------
src/tests/cmocka/test_pam_srv.c | 16 ++++++-
3 files changed, 97 insertions(+), 24 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index e3568123ac6e35d05d63b7b481dbcfbeddbd458c..389888eca389f793079ad169f7713151c896e90c 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -71,6 +71,9 @@ struct pam_auth_req {
struct ldb_message *user_obj;
struct ldb_message *cert_user_obj;
char *token_name;
+ char *module_name;
+ char *key_id;
+ bool cert_auth_local;
};
struct sss_cmd_table *get_pam_cmds(void);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index e74dd1684ca0a853f4ff1f9f98bb0f9e8d3d219f..529c74f703b3169676dc13b145b39243903ebb50 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -53,6 +53,14 @@ pam_get_last_online_auth_with_curr_token(struct sss_domain_info *domain,
static void pam_reply(struct pam_auth_req *preq);
+static errno_t check_cert(TALLOC_CTX *mctx,
+ struct tevent_context *ev,
+ struct pam_ctx *pctx,
+ struct pam_auth_req *preq,
+ struct pam_data *pd);
+
+static int pam_check_user_done(struct pam_auth_req *preq, int ret);
+
static errno_t pack_user_info_msg(TALLOC_CTX *mem_ctx,
const char *user_error_message,
size_t *resp_len,
@@ -718,6 +726,28 @@ static void pam_reply(struct pam_auth_req *preq)
DEBUG(SSSDBG_FUNC_DATA,
"pam_reply called with result [%d]: %s.\n",
pd->pam_status, pam_strerror(NULL, pd->pam_status));
+
+ if (pd->cmd == SSS_PAM_AUTHENTICATE
+ && (pd->pam_status == PAM_AUTHINFO_UNAVAIL
+ || pd->pam_status == PAM_NO_MODULE_DATA
+ || pd->pam_status == PAM_BAD_ITEM)
+ && may_do_cert_auth(pctx, pd)) {
+ /* We have Smartcard credentials and the backend indicates that it is
+ * offline (PAM_AUTHINFO_UNAVAIL) or cannot handle the credentials
+ * (PAM_BAD_ITEM), so let's try authentication against the Smartcard
+ * PAM_NO_MODULE_DATA is returned by the krb5 backend if no
+ * authentication method was found at all, this might happen if the
+ * user has a Smartcard assigned but the pkint plugin is not available
+ * on the client. */
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Backend cannot handle Smartcard authentication, "
+ "trying local Smartcard authentication.\n");
+ preq->cert_auth_local = true;
+ ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
+ pam_check_user_done(preq, ret);
+ return;
+ }
+
if (pd->pam_status == PAM_AUTHINFO_UNAVAIL || preq->use_cached_auth) {
switch(pd->cmd) {
@@ -1019,7 +1049,6 @@ static void pam_forwarder_cert_cb(struct tevent_req *req);
static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr);
static int pam_check_user_search(struct pam_auth_req *preq);
-static int pam_check_user_done(struct pam_auth_req *preq, int ret);
static errno_t pam_cmd_assume_upn(struct pam_auth_req *preq)
{
@@ -1234,6 +1263,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
}
talloc_set_destructor(preq, pam_auth_req_destructor);
preq->cctx = cctx;
+ preq->cert_auth_local = false;
preq->pd = create_pam_data(preq);
if (!preq->pd) {
@@ -1330,8 +1360,9 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
}
}
-
- if (may_do_cert_auth(pctx, pd)) {
+ /* try backend first for authentication before doing local Smartcard
+ * authentication */
+ if (pd->cmd != SSS_PAM_AUTHENTICATE && may_do_cert_auth(pctx, pd)) {
ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
/* Finish here */
goto done;
@@ -1439,6 +1470,12 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
preq->cert_user_obj = talloc_steal(preq, result->msgs[0]);
if (preq->pd->logon_name == NULL) {
+ if (preq->pd->cmd != SSS_PAM_PREAUTH) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing logon name only allowed during pre-auth.\n");
+ ret = ENOENT;
+ goto done;
+ }
cert_user = ldb_msg_find_attr_as_string(preq->cert_user_obj,
SYSDB_NAME, NULL);
if (cert_user == NULL) {
@@ -1451,20 +1488,17 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
DEBUG(SSSDBG_FUNC_DATA, "Found certificate user [%s].\n",
cert_user);
- ret = add_pam_cert_response(preq->pd, cert_user, preq->token_name);
+ ret = sss_parse_name_for_domains(preq->pd,
+ preq->cctx->rctx->domains,
+ preq->cctx->rctx->default_domain,
+ cert_user,
+ &preq->pd->domain,
+ &preq->pd->user);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
- }
-
- preq->pd->domain = talloc_strdup(preq->pd, result->domain->name);
- if (preq->pd->domain == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_parse_name_for_domains failed.\n");
goto done;
}
- preq->pd->pam_status = PAM_SUCCESS;
- pam_reply(preq);
- return;
}
} else {
if (preq->pd->logon_name == NULL) {
@@ -1475,7 +1509,12 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
}
}
- ret = pam_check_user_search(preq);
+ if (preq->user_obj == NULL) {
+ ret = pam_check_user_search(preq);
+ } else {
+ ret = EOK;
+ }
+
if (ret == EOK) {
pam_dom_forwarder(preq);
}
@@ -1531,7 +1570,9 @@ static void pam_forwarder_cb(struct tevent_req *req)
}
}
- if (may_do_cert_auth(pctx, pd)) {
+ /* try backend first for authentication before doing local Smartcard
+ * authentication */
+ if (pd->cmd != SSS_PAM_AUTHENTICATE && may_do_cert_auth(pctx, pd)) {
ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
/* Finish here */
goto done;
@@ -1985,7 +2026,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
NULL);
if (cert_user == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Certificate user object has not name.\n");
+ "Certificate user object has no name.\n");
preq->pd->pam_status = PAM_USER_UNKNOWN;
pam_reply(preq);
return;
@@ -1994,11 +2035,21 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
/* pam_check_user_search() calls pd_set_primary_name() is the search
* was successful, so pd->user contains the canonical sysdb name
* as well */
- if (strcmp(cert_user, preq->pd->user) == 0) {
-
- preq->pd->pam_status = PAM_SUCCESS;
+ if (ldb_dn_compare(preq->cert_user_obj->dn, preq->user_obj->dn) == 0) {
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
+ ret = sss_authtok_set_sc(preq->pd->authtok,
+ SSS_AUTHTOK_TYPE_SC_PIN, NULL, 0,
+ preq->token_name, 0,
+ preq->module_name, 0,
+ preq->key_id, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_set_sc failed, "
+ "Smartcard authentication "
+ "detection might fail in the "
+ "backend.\n");
+ }
+
ret = add_pam_cert_response(preq->pd, cert_user,
preq->token_name);
if (ret != EOK) {
@@ -2007,9 +2058,14 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
}
}
- preq->callback = pam_reply;
- pam_reply(preq);
- return;
+ /* We are done if we do not have to call the backend */
+ if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
+ && preq->cert_auth_local) {
+ preq->pd->pam_status = PAM_SUCCESS;
+ preq->callback = pam_reply;
+ pam_reply(preq);
+ return;
+ }
} else {
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
DEBUG(SSSDBG_TRACE_FUNC,
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index e6ed8f509b5b69978f80c158e52bfea738909465..6b91f49c6608043df68c65f9a3338a76ac66bbcc 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -285,6 +285,9 @@ static void pam_test_setup_common(void)
pam_test_ctx->tctx->dom->name);
assert_non_null(pam_test_ctx->wrong_user_fqdn);
+ /* integer values cannot be set by pam_params */
+ pam_test_ctx->pctx->id_timeout = 5;
+
/* Prime the cache with a valid user */
ret = sysdb_add_user(pam_test_ctx->tctx->dom,
pam_test_ctx->pam_user_fqdn,
@@ -783,6 +786,13 @@ static int test_pam_wrong_pw_offline_auth_check(uint32_t status,
return test_pam_simple_check(status, body, blen);
}
+static int test_pam_simple_check_success(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ pam_test_ctx->exp_pam_status = PAM_SUCCESS;
+ return test_pam_simple_check(status, body, blen);
+}
+
static int test_pam_creds_insufficient_check(uint32_t status,
uint8_t *body, size_t blen)
{
@@ -1752,7 +1762,11 @@ void test_pam_cert_auth(void **state)
mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
discard_const(TEST_TOKEN_CERT));
- set_cmd_cb(test_pam_simple_check);
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+
+ set_cmd_cb(test_pam_simple_check_success);
ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
pam_test_ctx->pam_cmds);
assert_int_equal(ret, EOK);
--
2.9.3

View File

@ -0,0 +1,550 @@
From ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 22 Feb 2017 17:58:15 +0100
Subject: [PATCH 84/95] p11: return name of PKCS#11 module and key id to
pam_sss
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/p11_child/p11_child_nss.c | 55 ++++++++++++++++++++++++--
src/responder/pam/pamsrv.h | 6 ++-
src/responder/pam/pamsrv_cmd.c | 8 +++-
src/responder/pam/pamsrv_p11.c | 86 ++++++++++++++++++++++++++++++++++++++---
src/sss_client/pam_message.h | 2 +
src/sss_client/pam_sss.c | 49 ++++++++++++++++++++++-
src/tests/cmocka/test_pam_srv.c | 33 +++++++++++++++-
7 files changed, 221 insertions(+), 18 deletions(-)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 84772692eadfb28d85298f924013761ae3ca7e82..f165b58e63d2b8a6f26acf8bd89e7b41713e7359 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -72,13 +72,15 @@ static char *password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg)
int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
enum op_mode mode, const char *pin,
struct cert_verify_opts *cert_verify_opts,
- char **cert, char **token_name_out)
+ char **cert, char **token_name_out, char **module_name_out,
+ char **key_id_out)
{
int ret;
SECStatus rv;
NSSInitContext *nss_ctx;
SECMODModuleList *mod_list;
SECMODModuleList *mod_list_item;
+ SECMODModule *module;
const char *slot_name;
const char *token_name;
uint32_t flags = NSS_INIT_READONLY
@@ -91,6 +93,7 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
PK11SlotInfo *slot = NULL;
CK_SLOT_ID slot_id;
SECMODModuleID module_id;
+ const char *module_name;
CERTCertList *cert_list = NULL;
CERTCertListNode *cert_list_node;
const PK11DefaultArrayEntry friendly_attr = { "Publicly-readable certs",
@@ -105,6 +108,8 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
CERTCertificate *found_cert = NULL;
PK11SlotList *list = NULL;
PK11SlotListElement *le;
+ SECItem *key_id = NULL;
+ char *key_id_str = NULL;
nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters, flags);
@@ -187,8 +192,11 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
module_id = PK11_GetModuleID(slot);
slot_name = PK11_GetSlotName(slot);
token_name = PK11_GetTokenName(slot);
- DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d].\n",
- token_name, slot_name, (int) slot_id, (int) module_id);
+ module = PK11_GetModule(slot);
+ module_name = module->dllName == NULL ? "NSS-Internal" : module->dllName;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d][%s].\n",
+ token_name, slot_name, (int) slot_id, (int) module_id, module_name);
if (PK11_IsFriendly(slot)) {
DEBUG(SSSDBG_TRACE_ALL, "Token is friendly.\n");
@@ -346,6 +354,7 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
DEBUG(SSSDBG_TRACE_ALL, "No certificate found.\n");
*cert = NULL;
*token_name_out = NULL;
+ *module_name_out = NULL;
ret = EOK;
goto done;
}
@@ -412,6 +421,30 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
"Certificate verified and validated.\n");
}
+ key_id = PK11_GetLowLevelKeyIDForCert(slot, found_cert, NULL);
+ if (key_id == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetLowLevelKeyIDForCert failed [%d].\n",
+ PR_GetError());
+ ret = EINVAL;
+ goto done;
+ }
+
+ key_id_str = CERT_Hexify(key_id, PR_FALSE);
+ if (key_id_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d].\n", PR_GetError());
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Found certificate has key id [%s].\n", key_id_str);
+
+ *key_id_out = talloc_strdup(mem_ctx, key_id_str);
+ if (*key_id_out == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy key id.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
*cert = sss_base64_encode(mem_ctx, found_cert->derCert.data,
found_cert->derCert.len);
if (*cert == NULL) {
@@ -427,6 +460,13 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db, const char *slot_name_in,
goto done;
}
+ *module_name_out = talloc_strdup(mem_ctx, module_name);
+ if (*module_name_out == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy module_name_out name.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
ret = EOK;
done:
@@ -438,6 +478,9 @@ done:
CERT_DestroyCertList(cert_list);
}
+ SECITEM_FreeItem(key_id, PR_TRUE);
+ PORT_Free(key_id_str);
+
PORT_Free(signed_random_value.data);
rv = NSS_ShutdownContext(nss_ctx);
@@ -502,6 +545,8 @@ int main(int argc, const char *argv[])
char *pin = NULL;
char *slot_name_in = NULL;
char *token_name_out = NULL;
+ char *module_name_out = NULL;
+ char *key_id_out = NULL;
char *nss_db = NULL;
struct cert_verify_opts *cert_verify_opts;
char *verify_opts = NULL;
@@ -665,7 +710,7 @@ int main(int argc, const char *argv[])
}
ret = do_work(main_ctx, nss_db, slot_name_in, mode, pin, cert_verify_opts,
- &cert, &token_name_out);
+ &cert, &token_name_out, &module_name_out, &key_id_out);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
goto fail;
@@ -673,6 +718,8 @@ int main(int argc, const char *argv[])
if (cert != NULL) {
fprintf(stdout, "%s\n", token_name_out);
+ fprintf(stdout, "%s\n", module_name_out);
+ fprintf(stdout, "%s\n", key_id_out);
fprintf(stdout, "%s\n", cert);
}
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 389888eca389f793079ad169f7713151c896e90c..7860a99a8032fad383c94aaa948687512fd085e1 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -92,10 +92,12 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
const char *verify_opts,
struct pam_data *pd);
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
- char **cert, char **token_name);
+ char **cert, char **token_name, char **module_name,
+ char **key_id);
errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
- const char *token_name);
+ const char *token_name, const char *module_name,
+ const char *key_id);
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 529c74f703b3169676dc13b145b39243903ebb50..6b7a9493bc2f9f4043a5800530116f7cf6d47263 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1401,7 +1401,9 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
struct pam_ctx *pctx =
talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
- ret = pam_check_cert_recv(req, preq, &cert, &preq->token_name);
+ ret = pam_check_cert_recv(req, preq, &cert, &preq->token_name,
+ &preq->module_name,
+ &preq->key_id);
talloc_free(req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "get_cert request failed.\n");
@@ -2051,7 +2053,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
}
ret = add_pam_cert_response(preq->pd, cert_user,
- preq->token_name);
+ preq->token_name,
+ preq->module_name,
+ preq->key_id);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 570bfe09d4385a038e7e03fcb64c72dd794774a6..365300b9075983b603a6f9e91ba6f8f21706388f 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -133,7 +133,8 @@ static errno_t get_p11_child_write_buffer(TALLOC_CTX *mem_ctx,
static errno_t parse_p11_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf,
ssize_t buf_len, char **_cert,
- char **_token_name)
+ char **_token_name, char **_module_name,
+ char **_key_id)
{
int ret;
TALLOC_CTX *tmp_ctx = NULL;
@@ -141,6 +142,8 @@ static errno_t parse_p11_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf,
uint8_t *pn;
char *cert = NULL;
char *token_name = NULL;
+ char *module_name = NULL;
+ char *key_id = NULL;
if (buf_len < 0) {
DEBUG(SSSDBG_CRIT_FAILURE,
@@ -187,6 +190,54 @@ static errno_t parse_p11_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf,
}
if (pn == p) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Missing module name in p11_child response.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ module_name = talloc_strndup(tmp_ctx, (char *) p, (pn - p));
+ if (module_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Found module name [%s].\n", module_name);
+
+ p = ++pn;
+ pn = memchr(p, '\n', buf_len - (p - buf));
+ if (pn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Missing new-line in p11_child response.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (pn == p) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Missing key id in p11_child response.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ key_id = talloc_strndup(tmp_ctx, (char *) p, (pn - p));
+ if (key_id == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Found key id [%s].\n", key_id);
+
+ p = pn + 1;
+ pn = memchr(p, '\n', buf_len - (p - buf));
+ if (pn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Missing new-line in p11_child response.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (pn == p) {
DEBUG(SSSDBG_OP_FAILURE, "Missing cert in p11_child response.\n");
ret = EINVAL;
goto done;
@@ -206,6 +257,8 @@ done:
if (ret == EOK) {
*_token_name = talloc_steal(mem_ctx, token_name);
*_cert = talloc_steal(mem_ctx, cert);
+ *_module_name = talloc_steal(mem_ctx, module_name);
+ *_key_id = talloc_steal(mem_ctx, key_id);
}
talloc_free(tmp_ctx);
@@ -222,6 +275,8 @@ struct pam_check_cert_state {
struct child_io_fds *io;
char *cert;
char *token_name;
+ char *module_name;
+ char *key_id;
};
static void p11_child_write_done(struct tevent_req *subreq);
@@ -296,6 +351,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
state->child_status = EFAULT;
state->cert = NULL;
state->token_name = NULL;
+ state->module_name = NULL;
state->io = talloc(state, struct child_io_fds);
if (state->io == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
@@ -459,7 +515,8 @@ static void p11_child_done(struct tevent_req *subreq)
PIPE_FD_CLOSE(state->io->read_from_child_fd);
ret = parse_p11_child_response(state, buf, buf_len, &state->cert,
- &state->token_name);
+ &state->token_name, &state->module_name,
+ &state->key_id);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "parse_p11_child_respose failed.\n");
tevent_req_error(req, ret);
@@ -486,7 +543,8 @@ static void p11_child_timeout(struct tevent_context *ev,
}
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
- char **cert, char **token_name)
+ char **cert, char **token_name, char **module_name,
+ char **key_id)
{
struct pam_check_cert_state *state =
tevent_req_data(req, struct pam_check_cert_state);
@@ -501,6 +559,14 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
*token_name = talloc_steal(mem_ctx, state->token_name);
}
+ if (module_name != NULL) {
+ *module_name = talloc_steal(mem_ctx, state->module_name);
+ }
+
+ if (key_id != NULL) {
+ *key_id = talloc_steal(mem_ctx, state->key_id);
+ }
+
return EOK;
}
@@ -513,23 +579,29 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
- const char *token_name)
+ const char *token_name, const char *module_name,
+ const char *key_id)
{
uint8_t *msg = NULL;
char *env = NULL;
size_t user_len;
size_t msg_len;
size_t slot_len;
+ size_t module_len;
+ size_t key_id_len;
int ret;
- if (sysdb_username == NULL || token_name == NULL) {
+ if (sysdb_username == NULL || token_name == NULL || module_name == NULL
+ || key_id == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
return EINVAL;
}
user_len = strlen(sysdb_username) + 1;
slot_len = strlen(token_name) + 1;
- msg_len = user_len + slot_len;
+ module_len = strlen(module_name) + 1;
+ key_id_len = strlen(key_id) + 1;
+ msg_len = user_len + slot_len + module_len + key_id_len;
msg = talloc_zero_size(pd, msg_len);
if (msg == NULL) {
@@ -546,6 +618,8 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
* being I think using sysdb_username is fine. */
memcpy(msg, sysdb_username, user_len);
memcpy(msg + user_len, token_name, slot_len);
+ memcpy(msg + user_len + slot_len, module_name, module_len);
+ memcpy(msg + user_len + slot_len + module_len, key_id, key_id_len);
ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
talloc_free(msg);
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
index 34889e0743decd85892dda311f010f9d7e3ba681..3f4a770ac08ee416ead2f215ab873e8eb277c9eb 100644
--- a/src/sss_client/pam_message.h
+++ b/src/sss_client/pam_message.h
@@ -61,6 +61,8 @@ struct pam_items {
char *cert_user;
char *token_name;
+ char *module_name;
+ char *key_id;
};
int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer);
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 8f97af77e3a0c2fa26c84962b6438fe774a75f1a..fa30889e787f9ea74dd2eded3cb92380397cdf38 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -162,6 +162,12 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
free(pi->token_name);
pi->token_name = NULL;
+
+ free(pi->module_name);
+ pi->module_name = NULL;
+
+ free(pi->key_id);
+ pi->key_id = NULL;
}
static int null_strcmp(const char *s1, const char *s2) {
@@ -1019,10 +1025,47 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
pi->token_name = strdup((char *) &buf[p + offset]);
if (pi->token_name == NULL) {
D(("strdup failed"));
+ free(pi->cert_user);
+ pi->cert_user = NULL;
break;
}
- D(("cert user: [%s] token name: [%s]", pi->cert_user,
- pi->token_name));
+
+ offset += strlen(pi->token_name) + 1;
+ if (offset >= len) {
+ D(("Cert message size mismatch"));
+ free(pi->cert_user);
+ pi->cert_user = NULL;
+ free(pi->token_name);
+ pi->token_name = NULL;
+ break;
+ }
+ free(pi->module_name);
+ pi->module_name = strdup((char *) &buf[p + offset]);
+ if (pi->module_name == NULL) {
+ D(("strdup failed"));
+ break;
+ }
+
+ offset += strlen(pi->module_name) + 1;
+ if (offset >= len) {
+ D(("Cert message size mismatch"));
+ free(pi->cert_user);
+ pi->cert_user = NULL;
+ free(pi->token_name);
+ pi->token_name = NULL;
+ free(pi->module_name);
+ pi->module_name = NULL;
+ break;
+ }
+ free(pi->key_id);
+ pi->key_id = strdup((char *) &buf[p + offset]);
+ if (pi->key_id == NULL) {
+ D(("strdup failed"));
+ break;
+ }
+ D(("cert user: [%s] token name: [%s] module: [%s] key id: [%s]",
+ pi->cert_user, pi->token_name, pi->module_name,
+ pi->key_id));
break;
case SSS_PASSWORD_PROMPTING:
D(("Password prompting available."));
@@ -1120,6 +1163,8 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
pi->cert_user = NULL;
pi->token_name = NULL;
+ pi->module_name = NULL;
+ pi->key_id = NULL;
return PAM_SUCCESS;
}
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 6b91f49c6608043df68c65f9a3338a76ac66bbcc..cbc1d036720f85845387475390cfb141709d514e 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -48,6 +48,8 @@
#define NSS_DB "sql:"NSS_DB_PATH
#define TEST_TOKEN_NAME "SSSD Test Token"
+#define TEST_MODULE_NAME "NSS-Internal"
+#define TEST_KEY_ID "6822EDDD231DAB8DBCD83721BE16A13DD0E31C08"
#define TEST_TOKEN_CERT \
"MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA2MjMx" \
@@ -668,7 +670,10 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
assert_int_equal(val, SSS_PAM_CERT_INFO);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
- assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME)
+ + sizeof(TEST_TOKEN_NAME)
+ + sizeof(TEST_MODULE_NAME)
+ + sizeof(TEST_KEY_ID)));
assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
@@ -676,7 +681,17 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
assert_string_equal(body + rp, TEST_TOKEN_NAME);
+ rp += sizeof(TEST_TOKEN_NAME);
+ assert_int_equal(*(body + rp + sizeof(TEST_MODULE_NAME) - 1), 0);
+ assert_string_equal(body + rp, TEST_MODULE_NAME);
+ rp += sizeof(TEST_MODULE_NAME);
+
+ assert_int_equal(*(body + rp + sizeof(TEST_KEY_ID) - 1), 0);
+ assert_string_equal(body + rp, TEST_KEY_ID);
+ rp += sizeof(TEST_KEY_ID);
+
+ assert_int_equal(rp, blen);
return EOK;
}
@@ -707,7 +722,10 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
assert_int_equal(val, SSS_PAM_CERT_INFO);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
- assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME)
+ + sizeof(TEST_TOKEN_NAME)
+ + sizeof(TEST_MODULE_NAME)
+ + sizeof(TEST_KEY_ID)));
assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
@@ -715,6 +733,17 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
assert_string_equal(body + rp, TEST_TOKEN_NAME);
+ rp += sizeof(TEST_TOKEN_NAME);
+
+ assert_int_equal(*(body + rp + sizeof(TEST_MODULE_NAME) - 1), 0);
+ assert_string_equal(body + rp, TEST_MODULE_NAME);
+ rp += sizeof(TEST_MODULE_NAME);
+
+ assert_int_equal(*(body + rp + sizeof(TEST_KEY_ID) - 1), 0);
+ assert_string_equal(body + rp, TEST_KEY_ID);
+ rp += sizeof(TEST_KEY_ID);
+
+ assert_int_equal(rp, blen);
return EOK;
}
--
2.9.3

View File

@ -0,0 +1,134 @@
From 52f45837ded98564968da42229b37db6a36ad627 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 27 Sep 2016 16:03:22 +0200
Subject: [PATCH 85/95] pam: enhance Smartcard authentication token
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/krb5/krb5_child.c | 4 ++-
src/providers/krb5/krb5_child_handler.c | 2 ++
src/responder/pam/pamsrv_cmd.c | 9 ++-----
src/sss_client/pam_sss.c | 45 ++++++++++++++++++++++++++++-----
4 files changed, 45 insertions(+), 15 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index be31ddbc490b7fd03e7092c244a2cc34a41ee22a..031847089c035a18a6ff2859a0257e08228fb19e 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1856,7 +1856,9 @@ static errno_t unpack_authtok(struct sss_auth_token *tok,
ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
break;
case SSS_AUTHTOK_TYPE_2FA:
- ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, (buf + *p),
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+ ret = sss_authtok_set(tok, auth_token_type, (buf + *p),
auth_token_length);
break;
default:
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 69636e0bc911a0e3dc7023ac815eb54fa81a2bf5..6a3dc9d739527caad2523d9359cd5ef60e622bab 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -78,6 +78,8 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t *rp,
auth_token_length = len + 1;
break;
case SSS_AUTHTOK_TYPE_2FA:
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
data = (char *) sss_authtok_get_data(tok);
auth_token_length = sss_authtok_get_size(tok);
break;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 6b7a9493bc2f9f4043a5800530116f7cf6d47263..e788a75a45e7cbfe3dd842310a2784b26aa6f7cc 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -160,15 +160,10 @@ static int extract_authtok_v2(struct sss_auth_token *tok,
}
break;
case SSS_AUTHTOK_TYPE_2FA:
- ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA,
- auth_token_data, auth_token_length);
- break;
case SSS_AUTHTOK_TYPE_SC_PIN:
- ret = sss_authtok_set_sc_pin(tok, (const char *) auth_token_data,
- auth_token_length);
- break;
case SSS_AUTHTOK_TYPE_SC_KEYPAD:
- sss_authtok_set_sc_keypad(tok);
+ ret = sss_authtok_set(tok, auth_token_type,
+ auth_token_data, auth_token_length);
break;
default:
return EINVAL;
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index fa30889e787f9ea74dd2eded3cb92380397cdf38..a3d7a8a23b8dd2b25825f02c9b5d78f06731f36b 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1476,6 +1476,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
char *answer = NULL;
char *prompt;
size_t size;
+ size_t needed_size;
if (pi->token_name == NULL || *pi->token_name == '\0'
|| pi->cert_user == NULL || *pi->cert_user == '\0') {
@@ -1509,18 +1510,48 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
pi->pam_authtok_size=0;
} else {
- pi->pam_authtok = strdup(answer);
- _pam_overwrite((void *)answer);
- free(answer);
- answer=NULL;
+
+ ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
+ pi->module_name, 0,
+ pi->key_id, 0,
+ NULL, 0, &needed_size);
+ if (ret != EAGAIN) {
+ D(("sss_auth_pack_sc_blob failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ pi->pam_authtok = malloc(needed_size);
if (pi->pam_authtok == NULL) {
- return PAM_BUF_ERR;
+ D(("malloc failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
}
+
+ ret = sss_auth_pack_sc_blob(answer, 0, pi->token_name, 0,
+ pi->module_name, 0,
+ pi->key_id, 0,
+ (uint8_t *) pi->pam_authtok, needed_size,
+ &needed_size);
+ if (ret != EOK) {
+ D(("sss_auth_pack_sc_blob failed."));
+ free((void *)pi->pam_authtok);
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
- pi->pam_authtok_size=strlen(pi->pam_authtok);
+ pi->pam_authtok_size = needed_size;
}
- return PAM_SUCCESS;
+ ret = PAM_SUCCESS;
+
+done:
+ _pam_overwrite((void *)answer);
+ free(answer);
+ answer=NULL;
+
+ return ret;
}
static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi)
--
2.9.3

View File

@ -0,0 +1,520 @@
From 2d527aab0bab0c5323b7ea09c9a8c3820f4f8736 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 12 Oct 2015 11:52:56 +0200
Subject: [PATCH 86/95] KRB5: allow pkinit pre-authentication
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/krb5/krb5_auth.c | 18 +-
src/providers/krb5/krb5_child.c | 286 ++++++++++++++++++++++++++++++--
src/providers/krb5/krb5_child_handler.c | 6 +-
src/sss_client/sss_cli.h | 6 +
4 files changed, 303 insertions(+), 13 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 0e685618ec2de1f923ffd9d78bf2a9d8816019e1..c2d6d7eeacc1f766024c4d629f25fd0f0be24e5e 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -344,8 +344,13 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
domain->cache_credentials_min_ff_length);
ret = EINVAL;
}
- } else {
+ } else if (sss_authtok_get_type(pd->authtok) ==
+ SSS_AUTHTOK_TYPE_PASSWORD) {
ret = sss_authtok_get_password(pd->authtok, &password, NULL);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
+ sss_authtok_get_type(pd->authtok));
+ ret = EINVAL;
}
break;
case SSS_PAM_CHAUTHTOK:
@@ -466,7 +471,9 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK:
if (authtok_type != SSS_AUTHTOK_TYPE_PASSWORD
- && authtok_type != SSS_AUTHTOK_TYPE_2FA) {
+ && authtok_type != SSS_AUTHTOK_TYPE_2FA
+ && authtok_type != SSS_AUTHTOK_TYPE_SC_PIN
+ && authtok_type != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
/* handle empty password gracefully */
if (authtok_type == SSS_AUTHTOK_TYPE_EMPTY) {
DEBUG(SSSDBG_CRIT_FAILURE,
@@ -1023,6 +1030,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
ret = EOK;
goto done;
+ case ERR_NO_AUTH_METHOD_AVAILABLE:
+ state->pam_status = PAM_NO_MODULE_DATA;
+ state->dp_err = DP_ERR_OK;
+ ret = EOK;
+ goto done;
+
default:
DEBUG(SSSDBG_IMPORTANT_INFO,
"The krb5_child process returned an error. Please inspect the "
@@ -1185,6 +1198,7 @@ krb5_pam_handler_send(TALLOC_CTX *mem_ctx,
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
+ case SSS_PAM_PREAUTH:
case SSS_CMD_RENEW:
case SSS_PAM_CHAUTHTOK_PRELIM:
case SSS_PAM_CHAUTHTOK:
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 031847089c035a18a6ff2859a0257e08228fb19e..777a25f2a0ea434dde12d2396f6a35c2a1b86cd0 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -64,6 +64,7 @@ struct krb5_req {
krb5_creds *creds;
bool otp;
bool password_prompting;
+ bool pkinit_prompting;
char *otp_vendor;
char *otp_token_id;
char *otp_challenge;
@@ -587,6 +588,138 @@ done:
return ret;
}
+static bool pkinit_identity_matches(const char *identity,
+ const char *token_name,
+ const char *module_name)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *str;
+ bool res = false;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+ return false;
+ }
+
+ str = talloc_asprintf(tmp_ctx, "module_name=%s", module_name);
+ if (str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ goto done;
+ }
+
+ if (strstr(identity, str) == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Identity [%s] does not contain [%s].\n",
+ identity, str);
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in identity [%s].\n", str, identity);
+
+ str = talloc_asprintf(tmp_ctx, "token=%s", token_name);
+ if (str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ goto done;
+ }
+
+ if (strstr(identity, str) == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Identity [%s] does not contain [%s].\n",
+ identity, str);
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in identity [%s].\n", str, identity);
+
+ res = true;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return res;
+}
+
+static krb5_error_code answer_pkinit(krb5_context ctx,
+ struct krb5_req *kr,
+ krb5_responder_context rctx)
+{
+ krb5_error_code kerr;
+ const char *pin = NULL;
+ const char *token_name = NULL;
+ const char *module_name = NULL;
+ krb5_responder_pkinit_challenge *chl = NULL;
+ size_t c;
+
+ kerr = krb5_responder_pkinit_get_challenge(ctx, rctx, &chl);
+ if (kerr != EOK || chl == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "krb5_responder_pkinit_get_challenge failed.\n");
+ return kerr;
+ }
+ if (chl->identities == NULL || chl->identities[0] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No identities for pkinit!\n");
+ kerr = EINVAL;
+ goto done;
+ }
+
+ if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
+ for (c = 0; chl->identities[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Identity [%s] flags [%"PRId32"].\n",
+ c, chl->identities[c]->identity,
+ chl->identities[c]->token_flags);
+ }
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Setting pkinit_prompting.\n");
+ kr->pkinit_prompting = true;
+
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+ && (sss_authtok_get_type(kr->pd->authtok)
+ == SSS_AUTHTOK_TYPE_SC_PIN
+ || sss_authtok_get_type(kr->pd->authtok)
+ == SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
+ kerr = sss_authtok_get_sc(kr->pd->authtok, &pin, NULL,
+ &token_name, NULL,
+ &module_name, NULL,
+ NULL, NULL);
+ if (kerr != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_authtok_get_sc failed.\n");
+ goto done;
+ }
+
+ for (c = 0; chl->identities[c] != NULL; c++) {
+ if (chl->identities[c]->identity != NULL
+ && pkinit_identity_matches(chl->identities[c]->identity,
+ token_name, module_name)) {
+ break;
+ }
+ }
+
+ if (chl->identities[c] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No matching identity for [%s][%s] found in pkinit challenge.\n",
+ token_name, module_name);
+ kerr = EINVAL;
+ goto done;
+ }
+
+ kerr = krb5_responder_pkinit_set_answer(ctx, rctx,
+ chl->identities[c]->identity,
+ pin);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "krb5_responder_set_answer failed.\n");
+ }
+
+ goto done;
+ }
+
+ kerr = EOK;
+
+done:
+ krb5_responder_pkinit_challenge_free(ctx, rctx, chl);
+
+ return kerr;
+}
+
static krb5_error_code sss_krb5_responder(krb5_context ctx,
void *data,
krb5_responder_context rctx)
@@ -634,6 +767,9 @@ static krb5_error_code sss_krb5_responder(krb5_context ctx,
return kerr;
}
+ } else if (strcmp(question_list[c],
+ KRB5_RESPONDER_QUESTION_PKINIT) == 0) {
+ return answer_pkinit(ctx, kr, rctx);
}
}
}
@@ -661,18 +797,23 @@ static krb5_error_code sss_krb5_prompter(krb5_context context, void *data,
size_t c;
struct krb5_req *kr = talloc_get_type(data, struct krb5_req);
+ if (kr == NULL) {
+ return EINVAL;
+ }
+
DEBUG(SSSDBG_TRACE_ALL,
"sss_krb5_prompter name [%s] banner [%s] num_prompts [%d] EINVAL.\n",
name, banner, num_prompts);
if (num_prompts != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot handle password prompts.\n");
if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
for (c = 0; c < num_prompts; c++) {
DEBUG(SSSDBG_TRACE_ALL, "Prompt [%zu][%s].\n", c,
prompts[c].prompt);
}
}
+
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot handle password prompts.\n");
return KRB5_LIBOS_CANTREADPWD;
}
@@ -1036,6 +1177,63 @@ static errno_t k5c_send_data(struct krb5_req *kr, int fd, errno_t error)
return EOK;
}
+static errno_t get_pkinit_identity(TALLOC_CTX *mem_ctx,
+ struct sss_auth_token *authtok,
+ char **_identity)
+{
+ int ret;
+ char *identity;
+ const char *token_name;
+ const char *module_name;
+ const char *key_id;
+
+ ret = sss_authtok_get_sc(authtok, NULL, NULL,
+ &token_name, NULL,
+ &module_name, NULL,
+ &key_id, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n");
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Got [%s][%s].\n", token_name, module_name);
+
+ if (module_name == NULL || *module_name == '\0') {
+ module_name = "p11-kit-proxy.so";
+ }
+
+ identity = talloc_asprintf(mem_ctx, "PKCS11:module_name=%s", module_name);
+ if (identity == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ return ENOMEM;
+ }
+
+ if (token_name != NULL && *token_name != '\0') {
+ identity = talloc_asprintf_append(identity, ":token=%s",
+ token_name);
+ if (identity == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf_append failed.\n");
+ return ENOMEM;
+ }
+ }
+
+ if (key_id != NULL && *key_id != '\0') {
+ identity = talloc_asprintf_append(identity, ":certid=%s", key_id);
+ if (identity == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf_append failed.\n");
+ return ENOMEM;
+ }
+ }
+
+ *_identity = identity;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Using pkinit identity [%s].\n", identity);
+
+ return EOK;
+}
+
static errno_t add_ticket_times_and_upn_to_response(struct krb5_req *kr)
{
int ret;
@@ -1268,6 +1466,8 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
int realm_length;
krb5_error_code kerr;
char *cc_name;
+ int ret;
+ char *identity = NULL;
kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx, kr->options,
sss_krb5_expire_callback_func,
@@ -1284,6 +1484,30 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
return KRB5KRB_ERR_GENERIC;
}
+ if (sss_authtok_get_type(kr->pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN
+ || sss_authtok_get_type(kr->pd->authtok)
+ == SSS_AUTHTOK_TYPE_SC_KEYPAD) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Found Smartcard credentials, trying pkinit.\n");
+
+ ret = get_pkinit_identity(kr, kr->pd->authtok, &identity);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_pkinit_identity failed.\n");
+ return ret;
+ }
+
+ kerr = krb5_get_init_creds_opt_set_pa(kr->ctx, kr->options,
+ "X509_user_identity", identity);
+ talloc_free(identity);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "krb5_get_init_creds_opt_set_pa failed.\n");
+ return kerr;
+ }
+
+ /* TODO: Maybe X509_anchors should be added here as well */
+ }
+
DEBUG(SSSDBG_TRACE_FUNC,
"Attempting kinit for realm [%s]\n",realm_name);
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
@@ -1294,12 +1518,25 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
/* Any errors are ignored during pre-auth, only data is collected to
* be send back to the client.*/
DEBUG(SSSDBG_TRACE_FUNC,
- "krb5_get_init_creds_password returned [%d} during pre-auth.\n",
+ "krb5_get_init_creds_password returned [%d] during pre-auth.\n",
kerr);
return 0;
} else {
if (kerr != 0) {
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+
+ /* If during authentication either the MIT Kerberos pkinit
+ * pre-auth module is missing or no Smartcard is inserted and only
+ * pkinit is available KRB5_PREAUTH_FAILED is returned.
+ * ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
+ * frontend that local authentication might be tried. */
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+ && kerr == KRB5_PREAUTH_FAILED
+ && kr->password_prompting == false
+ && kr->otp == false
+ && kr->pkinit_prompting == false) {
+ return ERR_NO_AUTH_METHOD_AVAILABLE;
+ }
return kerr;
}
}
@@ -1367,6 +1604,12 @@ done:
static errno_t map_krb5_error(krb5_error_code kerr)
{
+ /* just pass SSSD's internal error codes */
+ if (kerr > 0 && IS_SSSD_ERROR(kerr)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "[%d][%s].\n", kerr, sss_strerror(kerr));
+ return kerr;
+ }
+
if (kerr != 0) {
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
}
@@ -1615,9 +1858,12 @@ static errno_t tgt_req_child(struct krb5_req *kr)
DEBUG(SSSDBG_TRACE_LIBS, "Attempting to get a TGT\n");
- /* No password is needed for pre-auth, or if we have 2FA */
+ /* No password is needed for pre-auth or if we have 2FA or SC */
if (kr->pd->cmd != SSS_PAM_PREAUTH
- && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
+ && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_2FA
+ && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN
+ && sss_authtok_get_type(kr->pd->authtok)
+ != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
switch (ret) {
case EOK:
@@ -1641,7 +1887,12 @@ static errno_t tgt_req_child(struct krb5_req *kr)
if (kr->pd->cmd == SSS_PAM_PREAUTH) {
/* add OTP tokeninfo messge if available */
if (kr->otp) {
- kerr = k5c_attach_otp_info_msg(kr);
+ ret = k5c_attach_otp_info_msg(kr);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "k5c_attach_otp_info_msg failed.\n");
+ goto done;
+ }
}
if (kr->password_prompting) {
@@ -1651,6 +1902,15 @@ static errno_t tgt_req_child(struct krb5_req *kr)
goto done;
}
}
+
+ if (kr->pkinit_prompting) {
+ ret = pam_add_response(kr->pd, SSS_CERT_AUTH_PROMPTING, 0,
+ NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ goto done;
+ }
+ }
} else {
if (kerr == 0) {
kerr = k5c_attach_ccname_msg(kr);
@@ -1918,6 +2178,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
*offline ? "true" : "false", kr->upn ? kr->upn : "none");
if (pd->cmd == SSS_PAM_AUTHENTICATE ||
+ pd->cmd == SSS_PAM_PREAUTH ||
pd->cmd == SSS_CMD_RENEW ||
pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || pd->cmd == SSS_PAM_CHAUTHTOK) {
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
@@ -2801,11 +3062,16 @@ int main(int argc, const char *argv[])
goto done;
}
- kerr = become_user(kr->uid, kr->gid);
- if (kerr != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
- ret = EFAULT;
- goto done;
+ /* pkinit need access to pcscd */
+ if ((sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN
+ && sss_authtok_get_type(kr->pd->authtok)
+ != SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
+ kerr = become_user(kr->uid, kr->gid);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
+ ret = EFAULT;
+ goto done;
+ }
}
DEBUG(SSSDBG_TRACE_INTERNAL,
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 6a3dc9d739527caad2523d9359cd5ef60e622bab..680e67b089fcb32280352af24aae35af133a52f3 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -90,7 +90,9 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t *rp,
if (ret == EOK) {
SAFEALIGN_COPY_UINT32(&buf->data[*rp], &auth_token_type, rp);
SAFEALIGN_COPY_UINT32(&buf->data[*rp], &auth_token_length, rp);
- safealign_memcpy(&buf->data[*rp], data, auth_token_length, rp);
+ if (data != NULL) {
+ safealign_memcpy(&buf->data[*rp], data, auth_token_length, rp);
+ }
}
return ret;
@@ -145,6 +147,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
buf->size = 8*sizeof(uint32_t) + strlen(kr->upn);
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE ||
+ kr->pd->cmd == SSS_PAM_PREAUTH ||
kr->pd->cmd == SSS_CMD_RENEW ||
kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
@@ -187,6 +190,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
safealign_memcpy(&buf->data[rp], kr->upn, strlen(kr->upn), &rp);
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE ||
+ kr->pd->cmd == SSS_PAM_PREAUTH ||
kr->pd->cmd == SSS_CMD_RENEW ||
kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index b6610bc6d694fae385f462e1be53c78af0a3d8cb..8091e11515184dc9b7f32eed535055d9eee3143f 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -431,6 +431,12 @@ enum response_type {
* SSS_PAM_OTP_INFO to determine the type of
* prompting. There is no message.
* @param None. */
+ SSS_CERT_AUTH_PROMPTING, /**< Indicates that on the server side
+ * Smartcard/certificate based authentication is
+ * available for the selected account. This might
+ * be used together with other prompting options
+ * to determine the type of prompting.
+ * @param None. */
};
/**
--
2.9.3

View File

@ -0,0 +1,28 @@
From 1b55ac98db6a319d45edae6c27ff3804f1f4d28a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 22 Feb 2017 18:44:55 +0100
Subject: [PATCH 87/95] TESTS: Remove unused import
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/tests/intg/test_ts_cache.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py
index ce0a7c78daf46fd33440aad55ad8f31fa68228a8..445cdf6086302c9436c5f2a9a73f0b04e81adbe6 100644
--- a/src/tests/intg/test_ts_cache.py
+++ b/src/tests/intg/test_ts_cache.py
@@ -33,7 +33,6 @@ import ldap_ent
import sssd_ldb
import sssd_id
from util import unindent
-from util import run_shell
LDAP_BASE_DN = "dc=example,dc=com"
SSSD_DOMAIN = "LDAP"
--
2.9.3

View File

@ -0,0 +1,111 @@
From eed5bc53a0c823276523d32e76bc1c264db3837e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 24 Feb 2017 09:22:20 +0100
Subject: [PATCH 88/95] DOC: Deprecate README, add README.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To make it easier to display the contents of README on the project
homepage, this patch converts the README contents to README.md.
The original README is removed so that we don't maintain two different
sources.
The links to fedorahosted are retained until we migrate the wiki pages.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
README | 43 -------------------------------------------
README.md | 28 ++++++++++++++++++++++++++++
2 files changed, 28 insertions(+), 43 deletions(-)
delete mode 100644 README
create mode 100644 README.md
diff --git a/README b/README
deleted file mode 100644
index 189f66fe5b20c85728ac2640d734e3b490e23817..0000000000000000000000000000000000000000
--- a/README
+++ /dev/null
@@ -1,43 +0,0 @@
-
- SSSD - System Security Services Daemon
- --------------------------------------
-
- Introduction
- ------------
- SSSD provides a set of daemons to manage access to remote directories and
- authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
- an NSS and PAM interface toward the system and a pluggable backend system
- to connect to multiple different account sources.
-
- More information about SSSD can be found on its project page -
- <http://fedorahosted.org/sssd/>
-
- Building and installation
- -------------------------
- Please see the file BUILD.txt for details
-
- Documentation
- -------------
- The most up-to-date documentation can be found at
- <http://fedorahosted.org/sssd/wiki/HOWTO_Configure>
-
- Licensing
- ---------
- Please see the file called COPYING.
-
- Contacts
- --------
- There are several ways to contact us:
-
- * the sssd-devel mailing list:
- Development of the System Security Services Daemon
- <https://fedorahosted.org/mailman/listinfo/sssd-devel>
-
- * the sssd-users mailing list:
- End-user discussions about the System Security Services Daemon
- <https://fedorahosted.org/mailman/listinfo/sssd-users>
-
- * the #sssd and #freeipa IRC channels on freenode:
- irc://irc.freenode.net/sssd
- irc://irc.freenode.net/freeipa
-
diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..40c88c08070b986a634496ac2d6ffba8643bd8a7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,28 @@
+# SSSD - System Security Services Daemon
+
+## Introduction
+SSSD provides a set of daemons to manage access to remote directories and
+authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
+an NSS and PAM interface toward the system and a pluggable backend system
+to connect to multiple different account sources.
+
+More information about SSSD can be found on its project page -
+https://pagure.io/SSSD/sssd/
+
+## Building and installation
+Please see the file BUILD.txt for details
+
+## Documentation
+The most up-to-date documentation can be found at https://fedorahosted.org/sssd/wiki/Documentation
+
+## Licensing
+Please see the file called COPYING.
+
+## Contacts
+There are several ways to contact us:
+
+* the sssd-devel mailing list: [Development of the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-devel)
+* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-users)
+* the #sssd and #freeipa IRC channels on freenode:
+ * irc://irc.freenode.net/sssd
+ * irc://irc.freenode.net/freeipa
--
2.9.3

View File

@ -0,0 +1,397 @@
From 78bb3676fe8326e0fe2b60daad8bf524e4625d4e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 21 Feb 2017 16:34:45 +0100
Subject: [PATCH 89/95] MONITOR: Enable an implicit files domain if one is not
configured
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If SSSD is compiled with --enable-files-domain, the loading of the
domains changes such that:
* if no domain with id_provider=files exists in the config file, an
implicit SSSD files domain is added
* this domain is always first in the list
The administrator is free to create a files domain in the config file
himself and either place it at the end of the list or not enable it at
all.
Resolves:
https://pagure.io/SSSD/sssd/issue/3112
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/conf_macros.m4 | 13 +++
src/confdb/confdb.c | 182 +++++++++++++++++++++++++++++++++++
src/confdb/confdb.h | 4 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/SSSDConfigTest.py | 3 +-
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/Makefile.am | 7 +-
src/man/sssd.conf.5.xml | 17 ++++
src/monitor/monitor.c | 11 +++
10 files changed, 238 insertions(+), 2 deletions(-)
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 427b0e08d400d6e5628537b28bb93bc2fc6239a4..749e7694f4dd7086468e461194ef274be2094236 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -903,3 +903,16 @@ AC_DEFUN([WITH_SECRETS_DB_PATH],
AC_SUBST(secdbpath)
AC_DEFINE_UNQUOTED(SECRETS_DB_PATH, "$config_secdbpath", [Path to the SSSD Secrets databases])
])
+
+AC_ARG_ENABLE([files-domain],
+ [AS_HELP_STRING([--enable-files-domain],
+ [If this feature is enabled, then SSSD always enables
+ a domain with id_provider=files even if the domain
+ is not specified in the config file
+ [default=no]])],
+ [enable_files_domain=$enableval],
+ [enable_files_domain=no])
+AS_IF([test x$enable_files_domain = xyes],
+ AC_DEFINE_UNQUOTED([ADD_FILES_DOMAIN], [1],
+ [whether to build unconditionally enable files domain]))
+AM_CONDITIONAL([ADD_FILES_DOMAIN], [test x$enable_files_domain = xyes])
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index c7afd683d7f21b513bb491adbf7f7bbe79786212..d82fd98ee02928b3c20df014528bd869ec946f92 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1643,3 +1643,185 @@ done:
talloc_free(tmp_ctx);
return ret;
}
+
+#ifdef ADD_FILES_DOMAIN
+static int confdb_has_files_domain(struct confdb_ctx *cdb)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_dn *dn = NULL;
+ struct ldb_result *res = NULL;
+ static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER, NULL };
+ const char *id_provider = NULL;
+ int ret;
+ unsigned int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
+ attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ for (i = 0; i < res->count; i++) {
+ id_provider = ldb_msg_find_attr_as_string(res->msgs[i],
+ CONFDB_DOMAIN_ID_PROVIDER,
+ NULL);
+ if (id_provider == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "The object [%s] doesn't have a id_provider\n",
+ ldb_dn_get_linearized(res->msgs[i]->dn));
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (strcasecmp(id_provider, "files") == 0) {
+ break;
+ }
+ }
+
+ ret = i < res->count ? EOK : ENOENT;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int create_files_domain(struct confdb_ctx *cdb,
+ const char *name)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ errno_t ret;
+ char *cdb_path = NULL;
+ const char *val[2] = { NULL, NULL };
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ cdb_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, name);
+ if (cdb_path == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ val[0] = "files";
+ ret = confdb_add_param(cdb, true, cdb_path, "id_provider", val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add id_provider [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int activate_files_domain(struct confdb_ctx *cdb,
+ const char *name)
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ char *monitor_domlist;
+ const char *domlist[2] = { NULL, NULL };
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string(cdb, tmp_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
+ NULL,
+ &monitor_domlist);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error retrieving domains list!\n");
+ goto done;
+ }
+
+ if (monitor_domlist != NULL) {
+ domlist[0] = talloc_asprintf(tmp_ctx, "%s,%s", name, monitor_domlist);
+ if (domlist[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ domlist[0] = name;
+ }
+
+ ret = confdb_add_param(cdb, true,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
+ domlist);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot extend the domain list [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+#endif /* ADD_FILES_DOMAIN */
+
+int confdb_ensure_files_domain(struct confdb_ctx *cdb,
+ const char *implicit_files_dom_name)
+{
+#ifndef ADD_FILES_DOMAIN
+ return EOK;
+#else
+ errno_t ret;
+ bool enable_files;
+
+ ret = confdb_get_bool(cdb,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ENABLE_FILES_DOM,
+ true, &enable_files);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot get the value of %s assuming true\n",
+ CONFDB_MONITOR_ENABLE_FILES_DOM);
+ return ret;
+ }
+
+ if (enable_files == false) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "The implicit files domain is disabled\n");
+ return EOK;
+ }
+
+ ret = confdb_has_files_domain(cdb);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "The files domain is already enabled\n");
+ return EOK;
+ } else if (ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up the files domain\n");
+ return ret;
+ }
+
+ /* ENOENT, so let's add a files domain */
+ ret = create_files_domain(cdb, implicit_files_dom_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add an implicit files domain\n");
+ return ret;
+ }
+
+ return activate_files_domain(cdb, implicit_files_dom_name);
+#endif /* ADD_FILES_DOMAIN */
+}
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 353dfd0a9afbcaba49fcfdc7930026bb2eebfc9e..89b89bf0d54af03cb2f28f421991231f0c7b755f 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -73,6 +73,7 @@
#define CONFDB_MONITOR_USER_RUNAS "user"
#define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
#define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
+#define CONFDB_MONITOR_ENABLE_FILES_DOM "enable_files_domain"
/* Both monitor and domains */
#define CONFDB_NAME_REGEX "re_expression"
@@ -373,6 +374,9 @@ int confdb_get_domain(struct confdb_ctx *cdb,
int confdb_get_domains(struct confdb_ctx *cdb,
struct sss_domain_info **domains);
+int confdb_ensure_files_domain(struct confdb_ctx *cdb,
+ const char *implicit_files_dom_name);
+
/**
* Get a null-terminated linked-list of all domain names
* @param[in] mem_ctx The parent memory context for the value list
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 8c23fd271334acca6dbaf7df5d5aab15b3af5a42..44fb777eccd24d511067fee850f01ba9f3c1f134 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -64,6 +64,7 @@ option_strings = {
'certificate_verification' : _('Tune certificate verification'),
'override_space': _('All spaces in group or user names will be replaced with this character'),
'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'),
+ 'enable_files_domain' : _('Enable or disable the implicit files domain'),
# [nss]
'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 0da5d63a198bf7242daf7f985ede8e0bc3df3841..8cb03adcbb55c4ca350af1504c0cb3ea1a2d236d 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -312,7 +312,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'description',
'certificate_verification',
'override_space',
- 'disable_netlink']
+ 'disable_netlink',
+ 'enable_files_domain']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 51981c3d0fc89d3f091dbe182cdd1d6de5618e1e..dd0f04b1a829c941215e96e1a160aeba7759e2bf 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -41,6 +41,7 @@ option = certificate_verification
option = override_space
option = config_file_version
option = disable_netlink
+option = enable_files_domain
[rule/allowed_nss_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 56540066fde71cad53f909e3534b3a674633af3f..7d21d6b7016e51021d168243e5bfd36e999801e4 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -30,6 +30,7 @@ default_domain_suffix = str, None, false
certificate_verification = str, None, false
override_space = str, None, false
disable_netlink = bool, None, false
+enable_files_domain = str, None, false
[nss]
# Name service
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 760bb7831b5852e1bf3be497ad5babdb4f4318c2..215ce693b56e74db394dbc238c03c87f5f6efe99 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -35,7 +35,12 @@ endif
if HAVE_SYSTEMD_UNIT
SYSTEMD_CONDS = ;have_systemd
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)
+if ADD_FILES_DOMAIN
+FILES_CONDS = ;enable_files_domain
+else
+FILES_CONDS = ;no_enable_files_domain
+endif
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)
#Special Rules:
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 782aef7bf62d9bcef3c3dab534a25e01d85c1764..2a2ef69ff2da817087d60e81cff8075e91736bae 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -525,6 +525,23 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>enable_files_domain (boolean)</term>
+ <listitem>
+ <para>
+ When this option is enabled, SSSD
+ prepends an implicit domain with
+ <quote>id_provider=files</quote> before
+ any explicitly configured domains.
+ </para>
+ <para condition="no_enable_files_domain">
+ Default: false
+ </para>
+ <para condition="enable_files_domain">
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
</refsect2>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 59bf70741b76871c4937ad75c448aaf776cc37eb..7e7b5a07d11aecf1c0b11592213b90d385fd5076 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -90,6 +90,9 @@
"that the file is accessible only by the "\
"owner and owned by root.root.\n"
+/* SSSD domain name that is used for the auto-configured files domain */
+#define IMPLICIT_FILES_DOMAIN_NAME "implicit_files"
+
int cmdline_debug_level;
int cmdline_debug_timestamps;
int cmdline_debug_microseconds;
@@ -1053,6 +1056,14 @@ static int get_monitor_config(struct mt_ctx *ctx)
return ret;
}
+ ret = confdb_ensure_files_domain(ctx->cdb, IMPLICIT_FILES_DOMAIN_NAME);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot add the implicit files domain [%d]: %s\n",
+ ret, strerror(ret));
+ /* Not fatal */
+ }
+
ret = confdb_get_domains(ctx->cdb, &ctx->domains);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured.\n");
--
2.9.3

View File

@ -0,0 +1,62 @@
From 76b6d7fb9f31f7836158d248161aec3558098659 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 21 Feb 2017 21:05:25 +0100
Subject: [PATCH 90/95] TESTS: Enable the files domain for all integration
tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is done to make sure that enabling the files domain doesn't break
existing functionality as well as making it possible to even that the
implicit domain, since all integration tests use the same configuration.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 1 +
src/tests/intg/test_enumeration.py | 10 +++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index e676e18415c9d20ffd5ba2ce825dddd62d50c909..30ee5e5904a06609a03343bb3dc5b78ef169d4b4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3239,6 +3239,7 @@ intgcheck-prepare:
--with-ldb-lib-dir="$$prefix"/lib/ldb \
--enable-intgcheck-reqs \
--without-semanage \
+ --enable-files-domain \
$(INTGCHECK_CONFIGURE_FLAGS); \
$(MAKE) $(AM_MAKEFLAGS); \
: Force single-thread install to workaround concurrency issues; \
diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py
index 5cb6c3e07435fea802f3f925e370605a0eb36d2c..47772dea288434c5b213eeba9b4eac904423d707 100644
--- a/src/tests/intg/test_enumeration.py
+++ b/src/tests/intg/test_enumeration.py
@@ -98,7 +98,12 @@ SCHEMA_RFC2307_BIS = "rfc2307bis"
def format_basic_conf(ldap_conn, schema):
- """Format a basic SSSD configuration"""
+ """
+ Format a basic SSSD configuration
+
+ The files domain is defined but not enabled in order to avoid enumerating
+ users from the files domain that would otherwise by implicitly enabled
+ """
schema_conf = "ldap_schema = " + schema + "\n"
if schema == SCHEMA_RFC2307_BIS:
schema_conf += "ldap_group_object_class = groupOfNames\n"
@@ -115,6 +120,9 @@ def format_basic_conf(ldap_conn, schema):
[pam]
debug_level = 0xffff
+ [domain/files]
+ id_provider = files
+
[domain/LDAP]
ldap_auth_disable_tls_never_use_in_production = true
debug_level = 0xffff
--
2.9.3

View File

@ -0,0 +1,111 @@
From 13294bedc56faf1011f5ba7b1ed9a53b08e71c00 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 21 Feb 2017 21:04:29 +0100
Subject: [PATCH 91/95] TESTS: Test the files domain autoconfiguration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds tests that exercise the implicit files domain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/tests/intg/test_files_provider.py | 78 +++++++++++++++++++++++++++++++++++
1 file changed, 78 insertions(+)
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 528b5e5acc5078cce5bfab9a5f9dab5509e580eb..abf836bcc7a1810ea505dcf84ad1edfadf0c382c 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -125,6 +125,48 @@ def files_domain_only(request):
return None
+@pytest.fixture
+def no_sssd_domain(request):
+ conf = unindent("""\
+ [sssd]
+ services = nss
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+@pytest.fixture
+def no_files_domain(request):
+ conf = unindent("""\
+ [sssd]
+ domains = local
+ services = nss
+
+ [domain/local]
+ id_provider = local
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+@pytest.fixture
+def disabled_files_domain(request):
+ conf = unindent("""\
+ [sssd]
+ domains = local
+ services = nss
+ enable_files_domain = false
+
+ [domain/local]
+ id_provider = local
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
def setup_pw_with_list(request, user_list):
pwd_ops = passwd_ops_setup(request)
for user in user_list:
@@ -754,3 +796,39 @@ def test_realloc_groups(setup_gr_with_canary, files_domain_only):
check for off-by-one errors.
"""
realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK*3)
+
+
+# Files domain autoconfiguration tests
+def test_no_sssd_domain(add_user_with_canary, no_sssd_domain):
+ """
+ Test that if no sssd domain is configured, sssd will add the implicit one
+ """
+ res, user = sssd_getpwnam_sync(USER1["name"])
+ assert res == NssReturnCode.SUCCESS
+ assert user == USER1
+
+
+def test_no_files_domain(add_user_with_canary, no_files_domain):
+ """
+ Test that if no files domain is configured, sssd will add the implicit one
+ before any explicitly configured domains
+ """
+ # Add a user with a different UID than the one in files
+ subprocess.check_call(
+ ["sss_useradd", "-u", "10009", "-M", USER1["name"]])
+
+ # Even though the local domain is the only one configured,
+ # files will be resolved first
+ res, user = sssd_getpwnam_sync(USER1["name"])
+ assert res == NssReturnCode.SUCCESS
+ assert user == USER1
+
+
+def test_disable_files_domain(add_user_with_canary, disabled_files_domain):
+ """
+ Test that if no files domain is configured, sssd will add the implicit one
+ before any explicitly configured domains
+ """
+ # The local user will not be resolvable through nss_sss now
+ res, user = sssd_getpwnam_sync(USER1["name"])
+ assert res != NssReturnCode.SUCCESS
--
2.9.3

View File

@ -0,0 +1,247 @@
From 5a660d3aa67403fba69a8047ecedfe8a4276fc30 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 23 Feb 2017 12:02:06 +0100
Subject: [PATCH 92/95] CONFDB: Refactor reading the config file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is in preparation for creating a fallback configuration
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/confdb/confdb_setup.c | 146 +++++++++++++++++++++++++++-------------------
1 file changed, 85 insertions(+), 61 deletions(-)
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
index a71d9dd1202824b3c9a7e69f1d8fa905ac1b8c02..c040bdf9e59f47541f2d598a37699d035eb9e566 100644
--- a/src/confdb/confdb_setup.c
+++ b/src/confdb/confdb_setup.c
@@ -126,69 +126,39 @@ static int confdb_create_base(struct confdb_ctx *cdb)
return EOK;
}
-static int confdb_init_db(const char *config_file, const char *config_dir,
- struct confdb_ctx *cdb)
+static int confdb_ldif_from_ini_file(TALLOC_CTX *mem_ctx,
+ const char *config_file,
+ const char *config_dir,
+ struct sss_ini_initdata *init_data,
+ const char **_timestr,
+ const char **_ldif)
{
- TALLOC_CTX *tmp_ctx;
- int ret;
- int sret = EOK;
- int version;
+ errno_t ret;
char timestr[21];
- bool in_transaction = false;
- const char *config_ldif;
- const char *vals[2] = { timestr, NULL };
- struct ldb_ldif *ldif;
- struct sss_ini_initdata *init_data;
-
- tmp_ctx = talloc_new(cdb);
- if (tmp_ctx == NULL) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n");
- return ENOMEM;
- }
-
- init_data = sss_ini_initdata_init(tmp_ctx);
- if (!init_data) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n");
- ret = ENOMEM;
- goto done;
- }
-
- /* Open config file */
- ret = sss_ini_config_file_open(init_data, config_file);
- if (ret != EOK) {
- DEBUG(SSSDBG_TRACE_FUNC,
- "sss_ini_config_file_open failed: %s [%d]\n", strerror(ret),
- ret);
- if (ret == ENOENT) {
- /* sss specific error denoting missing configuration file */
- ret = ERR_MISSING_CONF;
- }
- goto done;
- }
+ int version;
ret = sss_ini_config_access_check(init_data);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Permission check on config file failed.\n");
- ret = EPERM;
- goto done;
+ return EPERM;
}
ret = sss_ini_get_stat(init_data);
if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Status check on config file failed.\n");
ret = errno;
- goto done;
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Status check on config file failed.\n");
+ return ret;
}
errno = 0;
-
ret = sss_ini_get_mtime(init_data, sizeof(timestr), timestr);
if (ret <= 0 || ret >= (int)sizeof(timestr)) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Failed to convert time_t to string ??\n");
ret = errno ? errno : EFAULT;
+ return ret;
}
/* FIXME: Determine if the conf file or any snippet has changed
@@ -199,7 +169,7 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
ret = sss_ini_get_config(init_data, config_file, config_dir);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to load configuration\n");
- goto done;
+ return ret;
}
ret = sss_ini_call_validators(init_data,
@@ -214,7 +184,7 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Internal error determining config_file_version\n");
- goto done;
+ return ret;
}
ret = sss_ini_check_config_obj(init_data);
@@ -230,21 +200,82 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Config file version could not be determined\n");
- goto done;
+ return ret;
} else if (version < CONFDB_VERSION_INT) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Config file is an old version. "
"Please run configuration upgrade script.\n");
- ret = EINVAL;
- goto done;
+ return EINVAL;
} else if (version > CONFDB_VERSION_INT) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Config file version is newer than confdb\n");
- ret = EINVAL;
- goto done;
+ return EINVAL;
}
}
+ ret = sss_confdb_create_ldif(mem_ctx, init_data, _ldif);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create LDIF for confdb\n");
+ return ret;
+ }
+
+ *_timestr = talloc_strdup(mem_ctx, timestr);
+ if (*_timestr == NULL) {
+ return ENOMEM;
+ }
+
+ return EOK;
+}
+
+static int confdb_init_db(const char *config_file, const char *config_dir,
+ struct confdb_ctx *cdb)
+{
+ TALLOC_CTX *tmp_ctx;
+ int ret;
+ int sret = EOK;
+ bool in_transaction = false;
+ const char *timestr = NULL;
+ const char *config_ldif;
+ const char *vals[2] = { NULL, NULL };
+ struct ldb_ldif *ldif;
+ struct sss_ini_initdata *init_data;
+
+ tmp_ctx = talloc_new(cdb);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n");
+ return ENOMEM;
+ }
+
+ init_data = sss_ini_initdata_init(tmp_ctx);
+ if (!init_data) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Open config file */
+ ret = sss_ini_config_file_open(init_data, config_file);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "sss_ini_config_file_open failed: %s [%d]\n", sss_strerror(ret),
+ ret);
+ goto done;
+ }
+
+ ret = confdb_ldif_from_ini_file(tmp_ctx,
+ config_file,
+ config_dir,
+ init_data,
+ &timestr,
+ &config_ldif);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot convert INI to LDIF [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ DEBUG(SSSDBG_CONF_SETTINGS, "LDIF file to import: \n%s\n", config_ldif);
+
/* Set up a transaction to replace the configuration */
ret = ldb_transaction_start(cdb->ldb);
if (ret != LDB_SUCCESS) {
@@ -264,20 +295,12 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
goto done;
}
- ret = sss_confdb_create_ldif(tmp_ctx, init_data, &config_ldif);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Could not create LDIF for confdb\n");
- goto done;
- }
-
- DEBUG(SSSDBG_TRACE_LIBS, "LDIF file to import: \n%s\n", config_ldif);
-
while ((ldif = ldb_ldif_read_string(cdb->ldb, &config_ldif))) {
ret = ldb_add(cdb->ldb, ldif->msg);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Failed to initialize DB (%d,[%s]), aborting!\n",
- ret, ldb_errstring(cdb->ldb));
+ "Failed to initialize DB (%d,[%s]), aborting!\n",
+ ret, ldb_errstring(cdb->ldb));
ret = EIO;
goto done;
}
@@ -287,10 +310,11 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
/* now store the lastUpdate time so that we do not re-init if nothing
* changed on restart */
+ vals[0] = timestr;
ret = confdb_add_param(cdb, true, "config", "lastUpdate", vals);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Failed to set last update time on db!\n");
+ "Failed to set last update time on db!\n");
goto done;
}
--
2.9.3

View File

@ -0,0 +1,151 @@
From a4837791f62283079e7be4b17efb769be8b2dfd1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 23 Feb 2017 12:22:49 +0100
Subject: [PATCH 93/95] CONFDB: If no configuration file is provided, create a
fallback configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This functionality is only enabled in case SSSD is configured with with
--enable-files-domain. If not, the behaviour is as it used to -- SSSD
returns an error, instructing the admin to create a configuration file.
If the option is enabled, a very minimal confdb that only enables the
NSS responder is created. The confdb later adds the implicit files
domain.
Resolves:
https://pagure.io/SSSD/sssd/issue/2229
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/confdb/confdb_setup.c | 60 +++++++++++++++++++++++++++--------
src/tests/intg/test_files_provider.py | 16 ++++++++++
2 files changed, 63 insertions(+), 13 deletions(-)
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
index c040bdf9e59f47541f2d598a37699d035eb9e566..7884eea6367390c41f64b7023fe505dd653b49db 100644
--- a/src/confdb/confdb_setup.c
+++ b/src/confdb/confdb_setup.c
@@ -28,6 +28,14 @@
#include "confdb_setup.h"
#include "util/sss_ini.h"
+#ifndef SSSD_FALLBACK_CONFIG_LDIF
+#define SSSD_FALLBACK_CONFIG_LDIF \
+"dn: cn=config\n" \
+"version: 2\n\n" \
+"dn: cn=sssd,cn=config\n" \
+"cn: sssd\n" \
+"services: nss\n\n"
+#endif /* SSSD_FALLBACK_CONFIG_LDIF */
static int confdb_test(struct confdb_ctx *cdb)
{
@@ -227,6 +235,23 @@ static int confdb_ldif_from_ini_file(TALLOC_CTX *mem_ctx,
return EOK;
}
+static int confdb_fallback_ldif(TALLOC_CTX *mem_ctx,
+ const char **_timestr,
+ const char **_ldif)
+{
+#ifndef ADD_FILES_DOMAIN
+ return ERR_MISSING_CONF;
+#else
+ *_timestr = talloc_strdup(mem_ctx, "1");
+ *_ldif = talloc_strdup(mem_ctx, SSSD_FALLBACK_CONFIG_LDIF);
+ if (*_timestr == NULL || *_ldif == NULL) {
+ return ENOMEM;
+ }
+
+ return EOK;
+#endif
+}
+
static int confdb_init_db(const char *config_file, const char *config_dir,
struct confdb_ctx *cdb)
{
@@ -255,25 +280,34 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
/* Open config file */
ret = sss_ini_config_file_open(init_data, config_file);
- if (ret != EOK) {
+ if (ret == EOK) {
+ ret = confdb_ldif_from_ini_file(tmp_ctx,
+ config_file,
+ config_dir,
+ init_data,
+ &timestr,
+ &config_ldif);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot convert INI to LDIF [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ } else if (ret == ENOENT) {
+ ret = confdb_fallback_ldif(tmp_ctx, &timestr, &config_ldif);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot create a fallback configuration [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ } else {
DEBUG(SSSDBG_CONF_SETTINGS,
"sss_ini_config_file_open failed: %s [%d]\n", sss_strerror(ret),
ret);
goto done;
}
- ret = confdb_ldif_from_ini_file(tmp_ctx,
- config_file,
- config_dir,
- init_data,
- &timestr,
- &config_ldif);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot convert INI to LDIF [%d]: [%s]\n",
- ret, sss_strerror(ret));
- goto done;
- }
DEBUG(SSSDBG_CONF_SETTINGS, "LDIF file to import: \n%s\n", config_ldif);
/* Set up a transaction to replace the configuration */
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index abf836bcc7a1810ea505dcf84ad1edfadf0c382c..8748ac10b089087056b1b93950c8d890a190c8d0 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -167,6 +167,12 @@ def disabled_files_domain(request):
return None
+@pytest.fixture
+def no_sssd_conf(request):
+ create_sssd_fixture(request)
+ return None
+
+
def setup_pw_with_list(request, user_list):
pwd_ops = passwd_ops_setup(request)
for user in user_list:
@@ -832,3 +838,13 @@ def test_disable_files_domain(add_user_with_canary, disabled_files_domain):
# The local user will not be resolvable through nss_sss now
res, user = sssd_getpwnam_sync(USER1["name"])
assert res != NssReturnCode.SUCCESS
+
+
+def test_no_sssd_conf(add_user_with_canary, no_sssd_conf):
+ """
+ Test that running without sssd.conf implicitly configures one with
+ id_provider=files
+ """
+ res, user = sssd_getpwnam_sync(USER1["name"])
+ assert res == NssReturnCode.SUCCESS
+ assert user == USER1
--
2.9.3

View File

@ -0,0 +1,45 @@
From 6b760226c0ed984b6b1a02f459e9cb1fc3d45ff9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 28 Feb 2017 15:54:06 +0100
Subject: [PATCH] authtok: fix tests on big-endian
Related to https://pagure.io/SSSD/sssd/issue/3270
---
src/tests/cmocka/test_authtok.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
index b2ef08a1c75625253706910e0cc80f4d5d28be5d..4464230b34b1816ddeb98ec85abc1b59f1524e54 100644
--- a/src/tests/cmocka/test_authtok.c
+++ b/src/tests/cmocka/test_authtok.c
@@ -604,8 +604,13 @@ void test_sss_authtok_sc_pin(void **state)
SSS_AUTHTOK_TYPE_SC_PIN);
size = sss_authtok_get_size(ts->authtoken);
assert_int_equal(size, 28);
+#if __BYTE_ORDER == __LITTLE_ENDIAN
assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345678\0\0\0\0",
size);
+#else
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\0\0\0\11\0\0\0\1\0\0\0\1\0\0\0\1" "12345678\0\0\0\0",
+ size);
+#endif
ret = sss_authtok_set_sc_pin(ts->authtoken, "12345678", 5);
assert_int_equal(ret, EOK);
@@ -613,8 +618,13 @@ void test_sss_authtok_sc_pin(void **state)
SSS_AUTHTOK_TYPE_SC_PIN);
size = sss_authtok_get_size(ts->authtoken);
assert_int_equal(size, 25);
+#if __BYTE_ORDER == __LITTLE_ENDIAN
assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345\0\0\0\0",
size);
+#else
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), "\0\0\0\6\0\0\0\1\0\0\0\1\0\0\0\1" "12345\0\0\0\0",
+ size);
+#endif
ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len);
assert_int_equal(ret, EOK);
--
2.9.3

108
sssd.spec
View File

@ -26,7 +26,7 @@
Name: sssd
Version: 1.15.0
Release: 3%{?dist}
Release: 4%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -35,7 +35,101 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0501: 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch
Patch0001: 0001-Updating-the-version-to-track-the-1.15.1-release.patch
Patch0002: 0002-BUILD-Fix-linking-of-test_wbc_calls.patch
Patch0003: 0003-Suppres-implicit-fallthrough-from-gcc-7.patch
Patch0004: 0004-pam_sss-Suppress-warning-format-truncation.patch
Patch0005: 0005-TOOLS-Fix-warning-format-truncation.patch
Patch0006: 0006-sssctl-Fix-warning-may-be-used-uninitialized.patch
Patch0007: 0007-SBUS-remove-unused-symbols.patch
Patch0008: 0008-SBUS-use-sss_ptr_hash-for-opath-table.patch
Patch0009: 0009-SBUS-use-sss_ptr_hash-for-nodes-table.patch
Patch0010: 0010-SBUS-use-sss_ptr_hash-for-signals-table.patch
Patch0011: 0011-ldap_child-Fix-use-after-free.patch
Patch0012: 0012-FAILOVER-Improve-port-status-log-messages.patch
Patch0013: 0013-IFP-Update-ifp_iface_generated.c.patch
Patch0014: 0014-SYSTEMD-Update-journald-drop-in-file.patch
Patch0015: 0015-Partially-revert-CONFIG-Use-default-config-when-none.patch
Patch0016: 0016-SUDO-Add-skip_entry-boolean-to-sudo-conversions.patch
Patch0017: 0017-TESTS-Add-to-IPA-DN-test.patch
Patch0018: 0018-LDAP-Better-logging-message.patch
Patch0019: 0019-SYSDB-Removing-of-sysdb_try_to_find_expected_dn.patch
Patch0020: 0020-TEST-create_multidom_test_ctx-extending.patch
Patch0021: 0021-TESTS-Tests-for-sdap_search_initgr_user_in_batch.patch
Patch0022: 0022-ssh-fix-number-of-output-certificates.patch
Patch0023: 0023-ssh-do-not-create-again-fq-name.patch
Patch0024: 0024-sss_parse_inp_send-provide-default_domain-as-paramet.patch
Patch0025: 0025-cache_req-add-ability-to-not-use-default-domain-suff.patch
Patch0026: 0026-cache_req-search-user-by-name-with-attrs.patch
Patch0027: 0027-cache_req-add-api-to-create-ldb_result-from-message.patch
Patch0028: 0028-cache_req-move-dp-request-to-plugin.patch
Patch0029: 0029-cache_req-add-host-by-name-search.patch
Patch0030: 0030-ssh-rewrite-ssh-responder-to-use-cache_req.patch
Patch0031: 0031-AD-Use-ad_domain-to-match-forest-root-domain-not-the.patch
Patch0032: 0032-BUILD-Fix-linking-of-test_sdap_initgr.patch
Patch0033: 0033-ssh-fix-typo.patch
Patch0034: 0034-cache_req-always-go-to-dp-first-when-looking-up-host.patch
Patch0035: 0035-MONITOR-Wrap-up-sending-sd_notify-ready-into-a-new-f.patch
Patch0036: 0036-MONITOR-Don-t-timeout-if-using-local-provider-socket.patch
Patch0037: 0037-SUDO-Only-store-lowercased-attribute-value-once.patch
Patch0038: 0038-NEGCACHE-Add-API-to-reset-all-users-and-groups.patch
Patch0039: 0039-NSS-Add-sbus-interface-to-clear-memory-cache.patch
Patch0040: 0040-NSS-Rename-the-interface-to-invalidate-memory-cache-.patch
Patch0041: 0041-UTIL-Add-a-new-domain-state-called-DOM_INCONSISTENT.patch
Patch0042: 0042-RESPONDER-Add-a-responder-sbus-interface-to-set-doma.patch
Patch0043: 0043-RESPONDER-A-sbus-interface-to-reset-negatively-cache.patch
Patch0044: 0044-DP-Add-internal-DP-interface-to-set-domain-state.patch
Patch0045: 0045-DP-Add-internal-interface-to-reset-negative-cache-fr.patch
Patch0046: 0046-DP-Add-internal-interface-to-invalidate-memory-cache.patch
Patch0047: 0047-RESPONDER-Use-the-NEED_CHECK_DOMAIN-macro.patch
Patch0048: 0048-RESPONDER-Include-the-files-provider-in-NEEDS_CHECK_.patch
Patch0049: 0049-RESPONDER-Contact-inconsistent-domains.patch
Patch0050: 0050-UTIL-Add-a-generic-inotify-module.patch
Patch0051: 0051-CONFDB-Re-enable-the-files-provider.patch
Patch0052: 0052-FILES-Add-the-files-provider.patch
Patch0053: 0053-CONFDB-The-files-provider-always-enumerates.patch
Patch0054: 0054-CONFDB-Make-pwfield-configurable-per-domain.patch
Patch0055: 0055-CONFDB-The-files-domain-defaults-to-x-as-pwfield.patch
Patch0056: 0056-MAN-Document-the-pwfield-configuration-option.patch
Patch0057: 0057-TESTS-move-helper-fixtures-to-back-up-and-restore-a-.patch
Patch0058: 0058-TESTS-add-a-helper-module-with-shared-NSS-constants.patch
Patch0059: 0059-TESTS-Add-a-module-to-call-nss_sss-s-getpw-from-test.patch
Patch0060: 0060-TESTS-Add-a-module-to-call-nss_sss-s-getgr-from-test.patch
Patch0061: 0061-TESTS-Add-files-provider-integration-tests.patch
Patch0062: 0062-MONITOR-Remove-checks-for-sssd.conf-changes.patch
Patch0063: 0063-MONITOR-Use-the-common-inotify-code-to-watch-resolv..patch
Patch0064: 0064-MAN-Add-documentation-for-the-files-provider.patch
Patch0065: 0065-EXAMPLES-Do-not-point-to-id_provider-local.patch
Patch0066: 0066-SBUS-Document-how-to-free-the-result-of-sbus_create_.patch
Patch0067: 0067-IPA_SUDO-Unused-value-fix.patch
Patch0068: 0068-intg-Fix-python3-issues.patch
Patch0069: 0069-DYNDNS-Update-PTR-record-after-non-fatal-error.patch
Patch0070: 0070-DYNDNS-Correct-debug-log-message-of-realm.patch
Patch0071: 0071-sdap_extend_map-make-sure-memory-can-be-freed.patch
Patch0072: 0072-check_duplicate-check-name-member-before-using-it.patch
Patch0073: 0073-FILES-Fix-reallocation-logic.patch
Patch0074: 0074-pam_sss-check-conversation-callback.patch
Patch0075: 0075-MONITOR-Don-t-return-an-error-in-case-we-fail-to-reg.patch
Patch0076: 0076-FILES-Remove-unnecessary-check.patch
Patch0077: 0077-PAM-store-user-object-in-the-preq-context.patch
Patch0078: 0078-PAM-fix-memory-leak-in-pam_sss.patch
Patch0079: 0079-PAM-use-sentinel-error-code-in-PAM-tests.patch
Patch0080: 0080-utils-new-error-codes.patch
Patch0081: 0081-LDAP-proxy-tell-frontend-that-Smartcard-auth-is-not-.patch
Patch0082: 0082-authtok-enhance-support-for-Smartcard-auth-blobs.patch
Patch0083: 0083-PAM-forward-Smartcard-credentials-to-backends.patch
Patch0084: 0084-p11-return-name-of-PKCS-11-module-and-key-id-to-pam_.patch
Patch0085: 0085-pam-enhance-Smartcard-authentication-token.patch
Patch0086: 0086-KRB5-allow-pkinit-pre-authentication.patch
Patch0087: 0087-TESTS-Remove-unused-import.patch
Patch0088: 0088-DOC-Deprecate-README-add-README.md.patch
Patch0089: 0089-MONITOR-Enable-an-implicit-files-domain-if-one-is-no.patch
Patch0090: 0090-TESTS-Enable-the-files-domain-for-all-integration-te.patch
Patch0091: 0091-TESTS-Test-the-files-domain-autoconfiguration.patch
Patch0092: 0092-CONFDB-Refactor-reading-the-config-file.patch
Patch0093: 0093-CONFDB-If-no-configuration-file-is-provided-create-a.patch
Patch0094: 0094-authtok-fix-tests-on-big-endian.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
### Dependencies ###
@ -575,6 +669,7 @@ autoreconf -ivf
--with-initscript=systemd \
--with-syslog=journald \
--enable-sss-default-nss-plugin \
--enable-files-domain \
%{?with_cifs_utils_plugin_option} \
%{?enable_systemtap_opt} \
@ -733,6 +828,7 @@ done
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/libsss_simple.so
%{_libdir}/%{name}/libsss_files.so
#Internal shared libraries
%{_libdir}/%{name}/libsss_child.so
@ -783,6 +879,7 @@ done
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
%{_mandir}/man5/sssd.conf.5*
%{_mandir}/man5/sssd-simple.5*
%{_mandir}/man5/sssd-files.5*
%{_mandir}/man5/sssd-sudo.5*
%{_mandir}/man5/sssd-secrets.5*
%{_mandir}/man5/sss_rpcidmapd.5*
@ -1122,6 +1219,13 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Wed Feb 22 2017 Jakub Hrozek <jhrozek@redhat.com> - 1.15.0-4
- Cherry-pick patches from upstream that enable the files provider
- Enable the files domain
- Retire patch 0501-Partially-revert-CONFIG-Use-default-config-when-none.patch
which is superseded by the files domain autoconfiguration
- Related: rhbz#1357418 - SSSD fast cache for local users
* Tue Feb 14 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.0-3
- Add missing %%license macro