New upstream release 1.13 alpha
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha
This commit is contained in:
parent
b4d3da407f
commit
3fa3e7c22a
1
.gitignore
vendored
1
.gitignore
vendored
@ -62,3 +62,4 @@ sssd-1.2.91.tar.gz
|
||||
/sssd-1.12.3.tar.gz
|
||||
/sssd-1.12.4.tar.gz
|
||||
/sssd-1.12.5.tar.gz
|
||||
/sssd-1.13.0alpha.tar.gz
|
||||
|
@ -1,34 +0,0 @@
|
||||
From 07a71386a04d4b1860a4250ea57fd5866ea792fe Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 9 Feb 2015 17:40:07 +0100
|
||||
Subject: [PATCH 01/30] BUILD: Remove unused libraries for pysss.so
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
Makefile.am | 8 +-------
|
||||
1 file changed, 1 insertion(+), 7 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index ac6a358ea14239781c26e6f2ac02bdeb3007659f..bdca46a0548ddb98dde485a7786566eb623b181b 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -445,15 +445,9 @@ SSSD_LIBS = \
|
||||
|
||||
PYTHON_BINDINGS_LIBS = \
|
||||
$(TALLOC_LIBS) \
|
||||
- $(TEVENT_LIBS) \
|
||||
$(POPT_LIBS) \
|
||||
$(LDB_LIBS) \
|
||||
- $(DBUS_LIBS) \
|
||||
- $(PCRE_LIBS) \
|
||||
- $(DHASH_LIBS) \
|
||||
- $(SSS_CRYPT_LIBS) \
|
||||
- $(OPENLDAP_LIBS) \
|
||||
- $(TDB_LIBS)
|
||||
+ $(NULL)
|
||||
|
||||
TOOLS_LIBS = \
|
||||
$(LTLIBINTL) \
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 8b57611326949037065899fa8f7f53d635700930 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 9 Feb 2015 18:46:16 +0100
|
||||
Subject: [PATCH 02/30] BUILD: Remove unused variables
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/external/python.m4 | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/src/external/python.m4 b/src/external/python.m4
|
||||
index a1bd87a0ee3a56ddd25c4aba7687ffc7540b4ec2..241de9fd0e401c40f8136861e7c7070c8a50cddd 100644
|
||||
--- a/src/external/python.m4
|
||||
+++ b/src/external/python.m4
|
||||
@@ -37,8 +37,6 @@ AC_DEFUN([AM_CHECK_PYTHON_HEADERS],
|
||||
AC_MSG_CHECKING(for headers required to compile python extensions)
|
||||
|
||||
dnl deduce PYTHON_INCLUDES
|
||||
- py_prefix=`$PYTHON -c "import sys; print(sys.prefix)"`
|
||||
- py_exec_prefix=`$PYTHON -c "import sys; print(sys.exec_prefix)"`
|
||||
PYTHON_INCLUDES=-I`$PYTHON -c "from distutils import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"`
|
||||
|
||||
AC_SUBST(PYTHON_INCLUDES)
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,57 +0,0 @@
|
||||
From d95bbdfd54b8f752efb1d27a09a277aba46a1271 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 9 Feb 2015 19:16:30 +0100
|
||||
Subject: [PATCH 03/30] BUILD: Remove detection of type Py_ssize_t
|
||||
|
||||
The type Py_ssize_t is defined in python >= 2.6
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/external/python.m4 | 5 -----
|
||||
src/util/sss_python.h | 14 --------------
|
||||
2 files changed, 19 deletions(-)
|
||||
|
||||
diff --git a/src/external/python.m4 b/src/external/python.m4
|
||||
index 241de9fd0e401c40f8136861e7c7070c8a50cddd..858af3c197603fcda100eddcffc396dad674a9e6 100644
|
||||
--- a/src/external/python.m4
|
||||
+++ b/src/external/python.m4
|
||||
@@ -62,11 +62,6 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
|
||||
CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
|
||||
LIBS="$LIBS $PYTHON_LIBS"
|
||||
|
||||
- AC_CHECK_TYPE(Py_ssize_t,
|
||||
- [ AC_DEFINE_UNQUOTED(HAVE_PY_SSIZE_T, 1, [Native Py_ssize_t type]) ],
|
||||
- [],
|
||||
- [[#include <Python.h>]])
|
||||
-
|
||||
AC_CHECK_FUNCS([PySet_New PySet_Add PyErr_NewExceptionWithDoc])
|
||||
AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
|
||||
|
||||
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
|
||||
index 828bd22ec44fe9493bfaa246b072777b70c7b585..cf8c848482d82e0060cbfe748c05bd09c7492c4f 100644
|
||||
--- a/src/util/sss_python.h
|
||||
+++ b/src/util/sss_python.h
|
||||
@@ -25,20 +25,6 @@
|
||||
#define PYNUMBER_ASLONG(what) PyInt_AsLong(what)
|
||||
#endif
|
||||
|
||||
-/* Py_ssize_t compatibility for python < 2.5 as per
|
||||
- * http://www.python.org/dev/peps/pep-0353/ */
|
||||
-#ifndef HAVE_PY_SSIZE_T
|
||||
-typedef int Py_ssize_t;
|
||||
-#endif
|
||||
-
|
||||
-#ifndef PY_SSIZE_T_MAX
|
||||
-#define PY_SSIZE_T_MAX INT_MAX
|
||||
-#endif
|
||||
-
|
||||
-#ifndef PY_SSIZE_T_MIN
|
||||
-#define PY_SSIZE_T_MIN INT_MIN
|
||||
-#endif
|
||||
-
|
||||
/* Wrappers providing the subset of C API for python's set objects we use */
|
||||
PyObject *sss_python_set_new(void);
|
||||
int sss_python_set_add(PyObject *set, PyObject *key);
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,86 +0,0 @@
|
||||
From ab725a8a098f2784a4f77d0d699ea593fa75f630 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 9 Feb 2015 19:19:55 +0100
|
||||
Subject: [PATCH 04/30] UTIL: Remove python wrapper sss_python_set_new
|
||||
|
||||
The function PySet_New is available in python >= 2.6
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/external/python.m4 | 2 +-
|
||||
src/python/pyhbac.c | 4 ++--
|
||||
src/util/sss_python.c | 10 ----------
|
||||
src/util/sss_python.h | 1 -
|
||||
4 files changed, 3 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/external/python.m4 b/src/external/python.m4
|
||||
index 858af3c197603fcda100eddcffc396dad674a9e6..440d2f97740e43c31c9a530daecb7c5ded92a0dd 100644
|
||||
--- a/src/external/python.m4
|
||||
+++ b/src/external/python.m4
|
||||
@@ -62,7 +62,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
|
||||
CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
|
||||
LIBS="$LIBS $PYTHON_LIBS"
|
||||
|
||||
- AC_CHECK_FUNCS([PySet_New PySet_Add PyErr_NewExceptionWithDoc])
|
||||
+ AC_CHECK_FUNCS([PySet_Add PyErr_NewExceptionWithDoc])
|
||||
AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
|
||||
|
||||
CPPFLAGS="$save_CPPFLAGS"
|
||||
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
|
||||
index c46f7c6b300df9eb82fa411673da3d77504080cd..58d906d138464c9f25e6b513ad41b985b510baa2 100644
|
||||
--- a/src/python/pyhbac.c
|
||||
+++ b/src/python/pyhbac.c
|
||||
@@ -303,7 +303,7 @@ HbacRuleElement_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- self->category = sss_python_set_new();
|
||||
+ self->category = PySet_New(NULL);
|
||||
self->names = PyList_New(0);
|
||||
self->groups = PyList_New(0);
|
||||
if (!self->names || !self->groups || !self->category) {
|
||||
@@ -945,7 +945,7 @@ py_hbac_rule_validate(HbacRuleObject *self, PyObject *args)
|
||||
}
|
||||
|
||||
py_is_valid = PyBool_FromLong(is_valid);
|
||||
- py_missing = sss_python_set_new();
|
||||
+ py_missing = PySet_New(NULL);
|
||||
if (!py_missing || !py_is_valid) {
|
||||
PyErr_NoMemory();
|
||||
goto fail;
|
||||
diff --git a/src/util/sss_python.c b/src/util/sss_python.c
|
||||
index 19717a55c986b6831234addfbf91a529d652f592..dad2a46d86f4243fb4a2d1fad94e49f66db23f0c 100644
|
||||
--- a/src/util/sss_python.c
|
||||
+++ b/src/util/sss_python.c
|
||||
@@ -21,16 +21,6 @@
|
||||
#include "src/util/sss_python.h"
|
||||
#include "config.h"
|
||||
|
||||
-PyObject *
|
||||
-sss_python_set_new(void)
|
||||
-{
|
||||
-#ifdef HAVE_PYSET_NEW
|
||||
- return PySet_New(NULL);
|
||||
-#else
|
||||
- return PyObject_CallObject((PyObject *) &PySet_Type, NULL);
|
||||
-#endif
|
||||
-}
|
||||
-
|
||||
int
|
||||
sss_python_set_add(PyObject *set, PyObject *key)
|
||||
{
|
||||
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
|
||||
index cf8c848482d82e0060cbfe748c05bd09c7492c4f..6851a64e816ccf3bb84321bbeb9946ad2fbfbc41 100644
|
||||
--- a/src/util/sss_python.h
|
||||
+++ b/src/util/sss_python.h
|
||||
@@ -26,7 +26,6 @@
|
||||
#endif
|
||||
|
||||
/* Wrappers providing the subset of C API for python's set objects we use */
|
||||
-PyObject *sss_python_set_new(void);
|
||||
int sss_python_set_add(PyObject *set, PyObject *key);
|
||||
bool sss_python_set_check(PyObject *set);
|
||||
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,93 +0,0 @@
|
||||
From 3ce5c930239870ba6435508dec8a68e3f7802830 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 9 Feb 2015 19:23:44 +0100
|
||||
Subject: [PATCH 05/30] UTIL: Remove python wrapper sss_python_set_add
|
||||
|
||||
The function PySet_Add is available in python >= 2.6
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/external/python.m4 | 2 +-
|
||||
src/python/pyhbac.c | 4 ++--
|
||||
src/util/sss_python.c | 17 -----------------
|
||||
src/util/sss_python.h | 1 -
|
||||
4 files changed, 3 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/src/external/python.m4 b/src/external/python.m4
|
||||
index 440d2f97740e43c31c9a530daecb7c5ded92a0dd..e3812a50406e7f6e2b2f143f3022ee07431ac120 100644
|
||||
--- a/src/external/python.m4
|
||||
+++ b/src/external/python.m4
|
||||
@@ -62,7 +62,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
|
||||
CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
|
||||
LIBS="$LIBS $PYTHON_LIBS"
|
||||
|
||||
- AC_CHECK_FUNCS([PySet_Add PyErr_NewExceptionWithDoc])
|
||||
+ AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc])
|
||||
AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
|
||||
|
||||
CPPFLAGS="$save_CPPFLAGS"
|
||||
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
|
||||
index 58d906d138464c9f25e6b513ad41b985b510baa2..11cd40656bbeaf93c2b1717483e716ba45a78a69 100644
|
||||
--- a/src/python/pyhbac.c
|
||||
+++ b/src/python/pyhbac.c
|
||||
@@ -388,7 +388,7 @@ HbacRuleElement_init(HbacRuleElement *self, PyObject *args, PyObject *kwargs)
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (sss_python_set_add(self->category, tmp) != 0) {
|
||||
+ if (PySet_Add(self->category, tmp) != 0) {
|
||||
Py_DECREF(tmp);
|
||||
return -1;
|
||||
}
|
||||
@@ -962,7 +962,7 @@ py_hbac_rule_validate(HbacRuleObject *self, PyObject *args)
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- if (sss_python_set_add(py_missing, py_attr) != 0) {
|
||||
+ if (PySet_Add(py_missing, py_attr) != 0) {
|
||||
/* If the set-add succeeded, it would steal the reference */
|
||||
Py_DECREF(py_attr);
|
||||
goto fail;
|
||||
diff --git a/src/util/sss_python.c b/src/util/sss_python.c
|
||||
index dad2a46d86f4243fb4a2d1fad94e49f66db23f0c..56850782a64314db70286ef67d76ae1227d8625f 100644
|
||||
--- a/src/util/sss_python.c
|
||||
+++ b/src/util/sss_python.c
|
||||
@@ -21,23 +21,6 @@
|
||||
#include "src/util/sss_python.h"
|
||||
#include "config.h"
|
||||
|
||||
-int
|
||||
-sss_python_set_add(PyObject *set, PyObject *key)
|
||||
-{
|
||||
-#ifdef HAVE_PYSET_ADD
|
||||
- return PySet_Add(set, key);
|
||||
-#else
|
||||
- PyObject *pyret;
|
||||
- int ret;
|
||||
-
|
||||
- pyret = PyObject_CallMethod(set, sss_py_const_p(char, "add"),
|
||||
- sss_py_const_p(char, "O"), key);
|
||||
- ret = (pyret == NULL) ? -1 : 0;
|
||||
- Py_XDECREF(pyret);
|
||||
- return ret;
|
||||
-#endif
|
||||
-}
|
||||
-
|
||||
bool
|
||||
sss_python_set_check(PyObject *set)
|
||||
{
|
||||
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
|
||||
index 6851a64e816ccf3bb84321bbeb9946ad2fbfbc41..1ff13c4ef4380ff791cf3cfbe12845fb26b3b873 100644
|
||||
--- a/src/util/sss_python.h
|
||||
+++ b/src/util/sss_python.h
|
||||
@@ -26,7 +26,6 @@
|
||||
#endif
|
||||
|
||||
/* Wrappers providing the subset of C API for python's set objects we use */
|
||||
-int sss_python_set_add(PyObject *set, PyObject *key);
|
||||
bool sss_python_set_check(PyObject *set);
|
||||
|
||||
/* Unicode compatibility */
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,79 +0,0 @@
|
||||
From 2505d3dd124f35cb9357a7082a7306925bb3ebbe Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 9 Feb 2015 19:30:39 +0100
|
||||
Subject: [PATCH 06/30] UTIL: Remove python wrapper sss_python_set_check
|
||||
|
||||
The macro PySet_Check is defined in python >= 2.6
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/external/python.m4 | 2 +-
|
||||
src/python/pyhbac.c | 2 +-
|
||||
src/util/sss_python.c | 10 ----------
|
||||
src/util/sss_python.h | 3 ---
|
||||
4 files changed, 2 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/src/external/python.m4 b/src/external/python.m4
|
||||
index e3812a50406e7f6e2b2f143f3022ee07431ac120..e93f850092b0f54565e138b3235b9c29f89e5444 100644
|
||||
--- a/src/external/python.m4
|
||||
+++ b/src/external/python.m4
|
||||
@@ -63,7 +63,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
|
||||
LIBS="$LIBS $PYTHON_LIBS"
|
||||
|
||||
AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc])
|
||||
- AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
|
||||
+ AC_CHECK_DECLS([PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
|
||||
|
||||
CPPFLAGS="$save_CPPFLAGS"
|
||||
LIBS="$save_LIBS"
|
||||
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
|
||||
index 11cd40656bbeaf93c2b1717483e716ba45a78a69..bbdf2b9fb75e2be0d46749faa6aaf0698a5d5ebb 100644
|
||||
--- a/src/python/pyhbac.c
|
||||
+++ b/src/python/pyhbac.c
|
||||
@@ -452,7 +452,7 @@ hbac_rule_element_set_category(HbacRuleElement *self,
|
||||
|
||||
CHECK_ATTRIBUTE_DELETE(category, "category");
|
||||
|
||||
- if (!sss_python_set_check(category)) {
|
||||
+ if (!PySet_Check(category)) {
|
||||
PyErr_Format(PyExc_TypeError, "The category must be a set type\n");
|
||||
return -1;
|
||||
}
|
||||
diff --git a/src/util/sss_python.c b/src/util/sss_python.c
|
||||
index 56850782a64314db70286ef67d76ae1227d8625f..ba78bf9689c903713229395a49e5f3686e5e6f10 100644
|
||||
--- a/src/util/sss_python.c
|
||||
+++ b/src/util/sss_python.c
|
||||
@@ -21,16 +21,6 @@
|
||||
#include "src/util/sss_python.h"
|
||||
#include "config.h"
|
||||
|
||||
-bool
|
||||
-sss_python_set_check(PyObject *set)
|
||||
-{
|
||||
-#if HAVE_DECL_PYSET_CHECK
|
||||
- return PySet_Check(set);
|
||||
-#else
|
||||
- return PyObject_TypeCheck(set, &PySet_Type);
|
||||
-#endif
|
||||
-}
|
||||
-
|
||||
PyObject *
|
||||
sss_python_unicode_from_string(const char *u)
|
||||
{
|
||||
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
|
||||
index 1ff13c4ef4380ff791cf3cfbe12845fb26b3b873..56c25ebb74bffc061688c3c32515d6e0288ac94d 100644
|
||||
--- a/src/util/sss_python.h
|
||||
+++ b/src/util/sss_python.h
|
||||
@@ -25,9 +25,6 @@
|
||||
#define PYNUMBER_ASLONG(what) PyInt_AsLong(what)
|
||||
#endif
|
||||
|
||||
-/* Wrappers providing the subset of C API for python's set objects we use */
|
||||
-bool sss_python_set_check(PyObject *set);
|
||||
-
|
||||
/* Unicode compatibility */
|
||||
PyObject *sss_python_unicode_from_string(const char *u);
|
||||
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,45 +0,0 @@
|
||||
From 61311b000c5d36322a35103cee2eb304875d235f Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 9 Feb 2015 19:33:44 +0100
|
||||
Subject: [PATCH 07/30] UTIL: Remove compatibility macro PyModule_AddIntMacro
|
||||
|
||||
The macro PyModule_AddIntMacro is defined in python >= 2.6
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/external/python.m4 | 2 +-
|
||||
src/util/sss_python.h | 5 -----
|
||||
2 files changed, 1 insertion(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/external/python.m4 b/src/external/python.m4
|
||||
index e93f850092b0f54565e138b3235b9c29f89e5444..ac427268d4ff8828314cefb43ce2af72d34bc295 100644
|
||||
--- a/src/external/python.m4
|
||||
+++ b/src/external/python.m4
|
||||
@@ -63,7 +63,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
|
||||
LIBS="$LIBS $PYTHON_LIBS"
|
||||
|
||||
AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc])
|
||||
- AC_CHECK_DECLS([PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
|
||||
+ AC_CHECK_DECLS([PyUnicode_FromString], [], [], [[#include <Python.h>]])
|
||||
|
||||
CPPFLAGS="$save_CPPFLAGS"
|
||||
LIBS="$save_LIBS"
|
||||
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
|
||||
index 56c25ebb74bffc061688c3c32515d6e0288ac94d..5521aa5cfd84acffc65edbe76a264b1f2a52e9fd 100644
|
||||
--- a/src/util/sss_python.h
|
||||
+++ b/src/util/sss_python.h
|
||||
@@ -32,11 +32,6 @@ PyObject *sss_python_unicode_from_string(const char *u);
|
||||
PyObject *
|
||||
sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict);
|
||||
|
||||
-/* PyModule_AddIntMacro() compatibility */
|
||||
-#if !HAVE_DECL_PYMODULE_ADDINTMACRO
|
||||
-#define PyModule_AddIntMacro(m, c) PyModule_AddIntConstant(m, sss_py_const_p(char, #c), c)
|
||||
-#endif
|
||||
-
|
||||
/* Convenience macros */
|
||||
#define TYPE_READY(module, type, name) do { \
|
||||
if (PyType_Ready(&type) < 0) \
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,160 +0,0 @@
|
||||
From 099738f89b0887a7aaaf542440383b6808ffd2db Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 9 Feb 2015 19:38:42 +0100
|
||||
Subject: [PATCH 08/30] UTIL: Remove python wrapper
|
||||
sss_python_unicode_from_string
|
||||
|
||||
The function PyUnicode_FromString is available in python >= 2.6
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
src/external/python.m4 | 3 +--
|
||||
src/python/pyhbac.c | 18 +++++++++---------
|
||||
src/util/sss_python.c | 10 ----------
|
||||
src/util/sss_python.h | 3 ---
|
||||
4 files changed, 10 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/src/external/python.m4 b/src/external/python.m4
|
||||
index ac427268d4ff8828314cefb43ce2af72d34bc295..d59233aa01ac591cfc86be974d8ae26ebbe4635d 100644
|
||||
--- a/src/external/python.m4
|
||||
+++ b/src/external/python.m4
|
||||
@@ -54,7 +54,7 @@ AC_DEFUN([AM_CHECK_PYTHON_HEADERS],
|
||||
|
||||
|
||||
dnl Checks for a couple of functions we use that may not be defined
|
||||
-dnl in some older python versions used e.g. on RHEL5
|
||||
+dnl in some older python (< 2.6) versions used e.g. on RHEL6
|
||||
AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
|
||||
[AC_REQUIRE([AM_CHECK_PYTHON_HEADERS])
|
||||
save_CPPFLAGS="$CPPFLAGS"
|
||||
@@ -63,7 +63,6 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
|
||||
LIBS="$LIBS $PYTHON_LIBS"
|
||||
|
||||
AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc])
|
||||
- AC_CHECK_DECLS([PyUnicode_FromString], [], [], [[#include <Python.h>]])
|
||||
|
||||
CPPFLAGS="$save_CPPFLAGS"
|
||||
LIBS="$save_LIBS"
|
||||
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
|
||||
index bbdf2b9fb75e2be0d46749faa6aaf0698a5d5ebb..2ccff6856b5bb5fbbb4803633ae549481ebb6035 100644
|
||||
--- a/src/python/pyhbac.c
|
||||
+++ b/src/python/pyhbac.c
|
||||
@@ -493,7 +493,7 @@ HbacRuleElement_repr(HbacRuleElement *self)
|
||||
uint32_t category;
|
||||
PyObject *o, *format, *args;
|
||||
|
||||
- format = sss_python_unicode_from_string("<category %lu names [%s] groups [%s]>");
|
||||
+ format = PyUnicode_FromString("<category %lu names [%s] groups [%s]>");
|
||||
if (format == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
@@ -651,7 +651,7 @@ HbacRule_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- self->name = sss_python_unicode_from_string("");
|
||||
+ self->name = PyUnicode_FromString("");
|
||||
if (self->name == NULL) {
|
||||
Py_DECREF(self);
|
||||
PyErr_NoMemory();
|
||||
@@ -869,7 +869,7 @@ HbacRule_repr(HbacRuleObject *self)
|
||||
PyObject *srchosts_repr;
|
||||
PyObject *o, *format, *args;
|
||||
|
||||
- format = sss_python_unicode_from_string("<name %s enabled %d "
|
||||
+ format = PyUnicode_FromString("<name %s enabled %d "
|
||||
"users %s services %s "
|
||||
"targethosts %s srchosts %s>");
|
||||
if (format == NULL) {
|
||||
@@ -1149,7 +1149,7 @@ HbacRequestElement_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- self->name = sss_python_unicode_from_string("");
|
||||
+ self->name = PyUnicode_FromString("");
|
||||
if (self->name == NULL) {
|
||||
PyErr_NoMemory();
|
||||
Py_DECREF(self);
|
||||
@@ -1291,7 +1291,7 @@ HbacRequestElement_repr(HbacRequestElement *self)
|
||||
char *strgroups;
|
||||
PyObject *o, *format, *args;
|
||||
|
||||
- format = sss_python_unicode_from_string("<name %s groups [%s]>");
|
||||
+ format = PyUnicode_FromString("<name %s groups [%s]>");
|
||||
if (format == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
@@ -1609,7 +1609,7 @@ py_hbac_evaluate(HbacRequest *self, PyObject *args)
|
||||
eres = hbac_evaluate(rules, hbac_req, &info);
|
||||
switch (eres) {
|
||||
case HBAC_EVAL_ALLOW:
|
||||
- self->rule_name = sss_python_unicode_from_string(info->rule_name);
|
||||
+ self->rule_name = PyUnicode_FromString(info->rule_name);
|
||||
if (!self->rule_name) {
|
||||
PyErr_NoMemory();
|
||||
goto fail;
|
||||
@@ -1662,7 +1662,7 @@ HbacRequest_repr(HbacRequest *self)
|
||||
PyObject *srchost_repr;
|
||||
PyObject *o, *format, *args;
|
||||
|
||||
- format = sss_python_unicode_from_string("<user %s service %s "
|
||||
+ format = PyUnicode_FromString("<user %s service %s "
|
||||
"targethost %s srchost %s>");
|
||||
if (format == NULL) {
|
||||
return NULL;
|
||||
@@ -1853,7 +1853,7 @@ py_hbac_result_string(PyObject *module, PyObject *args)
|
||||
return Py_None;
|
||||
}
|
||||
|
||||
- return sss_python_unicode_from_string(str);
|
||||
+ return PyUnicode_FromString(str);
|
||||
}
|
||||
|
||||
PyDoc_STRVAR(py_hbac_error_string__doc__,
|
||||
@@ -1877,7 +1877,7 @@ py_hbac_error_string(PyObject *module, PyObject *args)
|
||||
return Py_None;
|
||||
}
|
||||
|
||||
- return sss_python_unicode_from_string(str);
|
||||
+ return PyUnicode_FromString(str);
|
||||
}
|
||||
|
||||
static PyMethodDef pyhbac_module_methods[] = {
|
||||
diff --git a/src/util/sss_python.c b/src/util/sss_python.c
|
||||
index ba78bf9689c903713229395a49e5f3686e5e6f10..560effc26d474bdb367784083cb354bb57ead412 100644
|
||||
--- a/src/util/sss_python.c
|
||||
+++ b/src/util/sss_python.c
|
||||
@@ -22,16 +22,6 @@
|
||||
#include "config.h"
|
||||
|
||||
PyObject *
|
||||
-sss_python_unicode_from_string(const char *u)
|
||||
-{
|
||||
-#ifdef HAVE_PYUNICODE_FROMSTRING
|
||||
- return PyUnicode_FromString(u);
|
||||
-#else
|
||||
- return PyUnicode_DecodeUTF8(u, strlen(u), NULL);
|
||||
-#endif
|
||||
-}
|
||||
-
|
||||
-PyObject *
|
||||
sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict)
|
||||
{
|
||||
#ifdef HAVE_PYERR_NEWEXCEPTIONWITHDOC
|
||||
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
|
||||
index 5521aa5cfd84acffc65edbe76a264b1f2a52e9fd..7e2bac33656dcbac91bb4f4d32ec9fbc44bb4e52 100644
|
||||
--- a/src/util/sss_python.h
|
||||
+++ b/src/util/sss_python.h
|
||||
@@ -25,9 +25,6 @@
|
||||
#define PYNUMBER_ASLONG(what) PyInt_AsLong(what)
|
||||
#endif
|
||||
|
||||
-/* Unicode compatibility */
|
||||
-PyObject *sss_python_unicode_from_string(const char *u);
|
||||
-
|
||||
/* Exceptions compatibility */
|
||||
PyObject *
|
||||
sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict);
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,133 +0,0 @@
|
||||
From c0f7ae30d0b2b5d394d9cca88e7487ddc6394555 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 10 Feb 2015 16:14:59 +0100
|
||||
Subject: [PATCH 09/30] BUILD: Use python-config for detection *FLAGS
|
||||
|
||||
The script python-config was not available in older versions of python.
|
||||
This patch simplify detection of python CFLAGS and LDFLAGS and increase
|
||||
minimal required version of python to 2.6
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
configure.ac | 6 +++--
|
||||
src/external/python.m4 | 63 +++++++++++++++++++++++++-------------------------
|
||||
2 files changed, 36 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index cdbe6f9bff3822bb80d8d43b593e02c39d729f64..f72e448528edcffb855504a38a179c400f98ac42 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -248,11 +248,13 @@ AM_CONDITIONAL([HAVE_MANPAGES], [test "x$HAVE_MANPAGES" != "x"])
|
||||
AM_CONDITIONAL([HAVE_PO4A], [test "x$PO4A" != "xno"])
|
||||
|
||||
if test x$HAVE_PYTHON_BINDINGS != x; then
|
||||
- AM_PATH_PYTHON([2.4])
|
||||
+ AM_PATH_PYTHON([2.6])
|
||||
+ AM_PYTHON_CONFIG([python])
|
||||
AM_CHECK_PYTHON_HEADERS([],
|
||||
AC_MSG_ERROR([Could not find python headers]))
|
||||
- AM_PYTHON_CONFIG
|
||||
AM_CHECK_PYTHON_COMPAT
|
||||
+ AC_SUBST([PYTHON_CFLAGS])
|
||||
+ AC_SUBST([PYTHON_LIBS])
|
||||
fi
|
||||
|
||||
if test x$HAVE_SELINUX != x; then
|
||||
diff --git a/src/external/python.m4 b/src/external/python.m4
|
||||
index d59233aa01ac591cfc86be974d8ae26ebbe4635d..c91e8df17b0371538f02bfeb9cade1ce639074bd 100644
|
||||
--- a/src/external/python.m4
|
||||
+++ b/src/external/python.m4
|
||||
@@ -1,46 +1,33 @@
|
||||
dnl Check for python-config and substitute needed CFLAGS and LDFLAGS
|
||||
dnl Usage:
|
||||
-dnl AM_PYTHON_CONFIG
|
||||
+dnl AM_PYTHON_CONFIG(python_with_major_version)
|
||||
+dnl argument python_with_major_version should be either python2 or python3
|
||||
+dnl This function sets the PYTHON_CFLAGS, PYTHON_LIBS and PYTHON_INCLUDES
|
||||
+dnl variables
|
||||
|
||||
AC_DEFUN([AM_PYTHON_CONFIG],
|
||||
-[ AC_SUBST(PYTHON_CFLAGS)
|
||||
- AC_SUBST(PYTHON_LIBS)
|
||||
+[
|
||||
+ AC_PATH_PROG([PYTHON_CONFIG], [python$PYTHON_VERSION-config])
|
||||
+ AS_IF([test x"$PYTHON_CONFIG" = x],
|
||||
+ AC_MSG_ERROR([
|
||||
+The program python$PYTHON_VERSION-config was not found in search path.
|
||||
+Please ensure that it is installed and its directory is included in the search
|
||||
+path. If you want to build sssd without $1 bindings then specify
|
||||
+--without-$1-bindings when running configure.]))
|
||||
|
||||
-dnl We need to check for python build flags using distutils.sysconfig
|
||||
-dnl We cannot use python-config, as it was not available on older
|
||||
-dnl versions of python
|
||||
- AC_PATH_PROG(PYTHON, python)
|
||||
- AC_MSG_CHECKING([for working python])
|
||||
- if test -x "$PYTHON"; then
|
||||
- PYTHON_CFLAGS="`$PYTHON -c \"from distutils import sysconfig; \
|
||||
- print('-I' + sysconfig.get_python_inc() + \
|
||||
- ' -I' + sysconfig.get_python_inc(plat_specific=True) + ' ' + \
|
||||
- sysconfig.get_config_var('BASECFLAGS'))\"`"
|
||||
- PYTHON_LIBS="`$PYTHON -c \"from distutils import sysconfig; \
|
||||
- print(' '.join(sysconfig.get_config_var('LIBS').split() + \
|
||||
- sysconfig.get_config_var('SYSLIBS').split()) + \
|
||||
- ' ' + sysconfig.get_config_var('BLDLIBRARY') + ' ' + \
|
||||
- ' -L' + sysconfig.get_config_var('LIBDIR'))\"`"
|
||||
- AC_MSG_RESULT([yes])
|
||||
- else
|
||||
- AC_MSG_RESULT([no])
|
||||
- AC_MSG_ERROR([Please install python devel package])
|
||||
- fi
|
||||
+ PYTHON_CFLAGS="` $PYTHON_CONFIG --cflags`"
|
||||
+ PYTHON_LIBS="` $PYTHON_CONFIG --libs`"
|
||||
+ PYTHON_INCLUDES="` $PYTHON_CONFIG --includes`"
|
||||
])
|
||||
|
||||
dnl Taken from GNOME sources
|
||||
dnl a macro to check for ability to create python extensions
|
||||
dnl AM_CHECK_PYTHON_HEADERS([ACTION-IF-POSSIBLE], [ACTION-IF-NOT-POSSIBLE])
|
||||
-dnl function also defines PYTHON_INCLUDES
|
||||
AC_DEFUN([AM_CHECK_PYTHON_HEADERS],
|
||||
-[AC_REQUIRE([AM_PATH_PYTHON])
|
||||
+[
|
||||
+ AC_REQUIRE([AM_PATH_PYTHON])
|
||||
AC_MSG_CHECKING(for headers required to compile python extensions)
|
||||
|
||||
- dnl deduce PYTHON_INCLUDES
|
||||
- PYTHON_INCLUDES=-I`$PYTHON -c "from distutils import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"`
|
||||
-
|
||||
- AC_SUBST(PYTHON_INCLUDES)
|
||||
-
|
||||
dnl check if the headers exist:
|
||||
save_CPPFLAGS="$CPPFLAGS"
|
||||
CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
|
||||
@@ -56,7 +43,8 @@ AC_DEFUN([AM_CHECK_PYTHON_HEADERS],
|
||||
dnl Checks for a couple of functions we use that may not be defined
|
||||
dnl in some older python (< 2.6) versions used e.g. on RHEL6
|
||||
AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
|
||||
-[AC_REQUIRE([AM_CHECK_PYTHON_HEADERS])
|
||||
+[
|
||||
+ AC_REQUIRE([AM_CHECK_PYTHON_HEADERS])
|
||||
save_CPPFLAGS="$CPPFLAGS"
|
||||
save_LIBS="$LIBS"
|
||||
CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
|
||||
@@ -67,3 +55,16 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
|
||||
CPPFLAGS="$save_CPPFLAGS"
|
||||
LIBS="$save_LIBS"
|
||||
])
|
||||
+
|
||||
+dnl Clean variables after detection of python
|
||||
+AC_DEFUN([SSS_CLEAN_PYTHON_VARIABLES],
|
||||
+[
|
||||
+ unset pyexecdir pkgpyexecdir pythondir pgkpythondir
|
||||
+ unset PYTHON PYTHON_CFLAGS PYTHON_LIBS PYTHON_INCLUDES
|
||||
+ unset PYTHON_PREFIX PYTHON_EXEC_PREFIX PYTHON_VERSION PYTHON_CONFIG
|
||||
+
|
||||
+ dnl removed cached variables, required for reusing of AM_PATH_PYTHON
|
||||
+ unset am_cv_pathless_PYTHON ac_cv_path_PYTHON am_cv_python_version
|
||||
+ unset am_cv_python_platform am_cv_python_pythondir am_cv_python_pyexecdir
|
||||
+ unset ac_cv_path_PYTHON_CONFIG
|
||||
+])
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,71 +0,0 @@
|
||||
From 7a0b12ac7b5aa17794a97adcbde2bf0db19281a4 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 10 Feb 2015 16:33:04 +0100
|
||||
Subject: [PATCH 10/30] SPEC: Use new convention for python packages
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
contrib/sssd.spec.in | 20 ++++++++++++--------
|
||||
1 file changed, 12 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||||
index 2600438f3020abccc2bd376d274a0b251f2bcc80..c9e62b301aa9ac4109041a7a4425e13d4ad236ba 100644
|
||||
--- a/contrib/sssd.spec.in
|
||||
+++ b/contrib/sssd.spec.in
|
||||
@@ -339,14 +339,16 @@ Requires: libipa_hbac = %{version}-%{release}
|
||||
%description -n libipa_hbac-devel
|
||||
Utility library to validate FreeIPA HBAC rules for authorization requests
|
||||
|
||||
-%package -n libipa_hbac-python
|
||||
+%package -n python-libipa_hbac
|
||||
Summary: Python bindings for the FreeIPA HBAC Evaluator library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: libipa_hbac = %{version}-%{release}
|
||||
+Provides: libipa_hbac-python = %{version}-%{release}
|
||||
+Obsoletes: libipa_hbac-python < 1.12.90
|
||||
|
||||
-%description -n libipa_hbac-python
|
||||
-The libipa_hbac-python contains the bindings so that libipa_hbac can be
|
||||
+%description -n python-libipa_hbac
|
||||
+The python-libipa_hbac contains the bindings so that libipa_hbac can be
|
||||
used by Python applications.
|
||||
|
||||
%package -n libsss_nss_idmap
|
||||
@@ -368,14 +370,16 @@ Requires: libsss_nss_idmap = %{version}-%{release}
|
||||
%description -n libsss_nss_idmap-devel
|
||||
Utility library for SID based lookups
|
||||
|
||||
-%package -n libsss_nss_idmap-python
|
||||
+%package -n python-libsss_nss_idmap
|
||||
Summary: Python bindings for libsss_nss_idmap
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: libsss_nss_idmap = %{version}-%{release}
|
||||
+Provides: libsss_nss_idmap-python = %{version}-%{release}
|
||||
+Obsoletes: libsss_nss_idmap-python < 1.12.90
|
||||
|
||||
-%description -n libsss_nss_idmap-python
|
||||
-The libsss_nss_idmap-python contains the bindings so that libsss_nss_idmap can
|
||||
+%description -n python-libsss_nss_idmap
|
||||
+The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
|
||||
be used by Python applications.
|
||||
|
||||
%package dbus
|
||||
@@ -787,11 +791,11 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_libdir}/libsss_nss_idmap.so
|
||||
%{_libdir}/pkgconfig/sss_nss_idmap.pc
|
||||
|
||||
-%files -n libsss_nss_idmap-python
|
||||
+%files -n python-libsss_nss_idmap
|
||||
%defattr(-,root,root,-)
|
||||
%{python_sitearch}/pysss_nss_idmap.so
|
||||
|
||||
-%files -n libipa_hbac-python
|
||||
+%files -n python-libipa_hbac
|
||||
%defattr(-,root,root,-)
|
||||
%{python_sitearch}/pyhbac.so
|
||||
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,83 +0,0 @@
|
||||
From 2641bd5495cdebe2652f26bbd3a5a93013446ef2 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 10 Feb 2015 16:50:12 +0100
|
||||
Subject: [PATCH 11/30] SPEC: Move python bindings to separate packages
|
||||
|
||||
Some pyhton bindings pysss and pysss_murmur was in package sssd-common.
|
||||
Therefore package sssd-common had python as a dependency.
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
contrib/sssd.spec.in | 35 +++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 33 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||||
index c9e62b301aa9ac4109041a7a4425e13d4ad236ba..2dbcd9e40c03e46e4e132a4ef4560044e88ea853 100644
|
||||
--- a/contrib/sssd.spec.in
|
||||
+++ b/contrib/sssd.spec.in
|
||||
@@ -196,6 +196,9 @@ Summary: Userspace tools for use with the SSSD
|
||||
Group: Applications/System
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
+# required by sss_obfuscate
|
||||
+Requires: python-sss = %{version}-%{release}
|
||||
+Requires: python-sssdconfig = %{version}-%{release}
|
||||
|
||||
%description tools
|
||||
Provides userspace tools for manipulating users, groups, and nested groups in
|
||||
@@ -215,6 +218,28 @@ BuildArch: noarch
|
||||
%description -n python-sssdconfig
|
||||
Provides python files for manipulation SSSD and IPA configuration files.
|
||||
|
||||
+%package -n python-sss
|
||||
+Summary: Python bindings for sssd
|
||||
+Group: Development/Libraries
|
||||
+License: LGPLv3+
|
||||
+Requires: sssd-common = %{version}-%{release}
|
||||
+
|
||||
+%description -n python-sss
|
||||
+Provides python module for manipulating users, groups, and nested groups in
|
||||
+SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
+
|
||||
+Also provides several other useful python bindings:
|
||||
+ * function for retrieving list of groups user belongs to.
|
||||
+ * class for obfuscation of passwords
|
||||
+
|
||||
+%package -n python-sss-murmur
|
||||
+Summary: Python bindings for murmur hash function
|
||||
+Group: Development/Libraries
|
||||
+License: LGPLv3+
|
||||
+
|
||||
+%description -n python-sss-murmur
|
||||
+Provides python module for calculating the murmur hash version 3
|
||||
+
|
||||
%package ldap
|
||||
Summary: The LDAP back end of the SSSD
|
||||
Group: Applications/System
|
||||
@@ -638,8 +663,6 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man8/sss_cache.8*
|
||||
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
|
||||
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
|
||||
-%{python_sitearch}/pysss.so
|
||||
-%{python_sitearch}/pysss_murmur.so
|
||||
|
||||
%files ldap -f sssd_ldap.lang
|
||||
%defattr(-,root,root,-)
|
||||
@@ -755,6 +778,14 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%dir %{python_sitelib}/SSSDConfig
|
||||
%{python_sitelib}/SSSDConfig/*.py*
|
||||
|
||||
+%files -n python-sss
|
||||
+%defattr(-,root,root,-)
|
||||
+%{python_sitearch}/pysss.so
|
||||
+
|
||||
+%files -n python-sss-murmur
|
||||
+%defattr(-,root,root,-)
|
||||
+%{python_sitearch}/pysss_murmur.so
|
||||
+
|
||||
%files -n libsss_idmap
|
||||
%defattr(-,root,root,-)
|
||||
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,532 +0,0 @@
|
||||
From e9e0f3a46fabc6ba9503e10dc2b685480b65a8e2 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 10 Feb 2015 17:22:03 +0100
|
||||
Subject: [PATCH 12/30] BUILD: Add possibility to build python{2,3} bindings
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/2574
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
Makefile.am | 196 ++++++++++++++++++++++++++++++++---------
|
||||
configure.ac | 49 +++++++++--
|
||||
contrib/sssd.spec.in | 4 +
|
||||
src/conf_macros.m4 | 39 +++++---
|
||||
src/tests/pyhbac-test.py | 22 ++++-
|
||||
src/tests/pysss_murmur-test.py | 22 ++++-
|
||||
6 files changed, 267 insertions(+), 65 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index bdca46a0548ddb98dde485a7786566eb623b181b..0a1511c23ce844ce9963ac33ac3daadd31bdc27e 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -301,12 +301,22 @@ noinst_LTLIBRARIES =
|
||||
|
||||
pkglib_LTLIBRARIES =
|
||||
|
||||
-if BUILD_PYTHON_BINDINGS
|
||||
-pyexec_LTLIBRARIES = \
|
||||
- pysss.la \
|
||||
- pyhbac.la \
|
||||
- pysss_murmur.la \
|
||||
- pysss_nss_idmap.la
|
||||
+if BUILD_PYTHON2_BINDINGS
|
||||
+py2exec_LTLIBRARIES = \
|
||||
+ _py2sss.la \
|
||||
+ _py2hbac.la \
|
||||
+ _py2sss_murmur.la \
|
||||
+ _py2sss_nss_idmap.la \
|
||||
+ $(NULL)
|
||||
+endif
|
||||
+
|
||||
+if BUILD_PYTHON3_BINDINGS
|
||||
+py3exec_LTLIBRARIES = \
|
||||
+ _py3sss.la \
|
||||
+ _py3hbac.la \
|
||||
+ _py3sss_murmur.la \
|
||||
+ _py3sss_nss_idmap.la \
|
||||
+ $(NULL)
|
||||
endif
|
||||
|
||||
dist_noinst_SCRIPTS = \
|
||||
@@ -2841,58 +2851,109 @@ sssd_pac_plugin_la_LDFLAGS = \
|
||||
-avoid-version \
|
||||
-module
|
||||
|
||||
-if BUILD_PYTHON_BINDINGS
|
||||
+# python[23] bindings
|
||||
pysss_la_SOURCES = \
|
||||
$(SSSD_TOOLS_OBJ) \
|
||||
src/python/pysss.c
|
||||
-pysss_la_CFLAGS = \
|
||||
- $(AM_CFLAGS) \
|
||||
- $(PYTHON_CFLAGS)
|
||||
-pysss_la_LIBADD = \
|
||||
- $(SSSD_INTERNAL_LTLIBS) \
|
||||
- $(PYTHON_BINDINGS_LIBS) \
|
||||
- $(PYTHON_LIBS)
|
||||
pysss_la_LDFLAGS = \
|
||||
-avoid-version \
|
||||
-module
|
||||
|
||||
+_py2sss_la_SOURCES = $(pysss_la_SOURCES)
|
||||
+_py2sss_la_CFLAGS = \
|
||||
+ $(AM_CFLAGS) \
|
||||
+ $(PYTHON2_CFLAGS)
|
||||
+_py2sss_la_LIBADD = \
|
||||
+ $(SSSD_INTERNAL_LTLIBS) \
|
||||
+ $(PYTHON_BINDINGS_LIBS) \
|
||||
+ $(PYTHON2_LIBS)
|
||||
+_py2sss_la_LDFLAGS = $(pysss_la_LDFLAGS)
|
||||
+
|
||||
+_py3sss_la_SOURCES = $(pysss_la_SOURCES)
|
||||
+_py3sss_la_CFLAGS = \
|
||||
+ $(AM_CFLAGS) \
|
||||
+ $(PYTHON3_CFLAGS)
|
||||
+_py3sss_la_LIBADD = \
|
||||
+ $(SSSD_INTERNAL_LTLIBS) \
|
||||
+ $(PYTHON_BINDINGS_LIBS) \
|
||||
+ $(PYTHON3_LIBS)
|
||||
+_py3sss_la_LDFLAGS = $(pysss_la_LDFLAGS)
|
||||
+
|
||||
+
|
||||
pyhbac_la_SOURCES = \
|
||||
src/python/pyhbac.c \
|
||||
src/util/sss_python.c
|
||||
-pyhbac_la_CFLAGS = \
|
||||
- $(AM_CFLAGS) \
|
||||
- $(PYTHON_CFLAGS)
|
||||
-pyhbac_la_LIBADD = \
|
||||
- $(PYTHON_LIBS) \
|
||||
- libipa_hbac.la
|
||||
pyhbac_la_LDFLAGS = \
|
||||
-avoid-version \
|
||||
-module
|
||||
|
||||
+_py2hbac_la_SOURCES = $(pyhbac_la_SOURCES)
|
||||
+_py2hbac_la_CFLAGS = \
|
||||
+ $(AM_CFLAGS) \
|
||||
+ $(PYTHON2_CFLAGS)
|
||||
+_py2hbac_la_LIBADD = \
|
||||
+ $(PYTHON2_LIBS) \
|
||||
+ libipa_hbac.la
|
||||
+_py2hbac_la_LDFLAGS = $(pyhbac_la_LDFLAGS)
|
||||
+
|
||||
+_py3hbac_la_SOURCES = $(pyhbac_la_SOURCES)
|
||||
+_py3hbac_la_CFLAGS = \
|
||||
+ $(AM_CFLAGS) \
|
||||
+ $(PYTHON3_CFLAGS)
|
||||
+_py3hbac_la_LIBADD = \
|
||||
+ $(PYTHON3_LIBS) \
|
||||
+ libipa_hbac.la
|
||||
+_py3hbac_la_LDFLAGS = $(pyhbac_la_LDFLAGS)
|
||||
+
|
||||
+
|
||||
pysss_murmur_la_SOURCES = \
|
||||
src/python/pysss_murmur.c \
|
||||
src/util/murmurhash3.c
|
||||
-pysss_murmur_la_CFLAGS = \
|
||||
- $(AM_CFLAGS) \
|
||||
- $(PYTHON_CFLAGS)
|
||||
-pysss_murmur_la_LIBADD = \
|
||||
- $(PYTHON_LIBS)
|
||||
pysss_murmur_la_LDFLAGS = \
|
||||
-avoid-version \
|
||||
-module
|
||||
|
||||
+_py2sss_murmur_la_SOURCES = $(pysss_murmur_la_SOURCES)
|
||||
+_py2sss_murmur_la_CFLAGS = \
|
||||
+ $(AM_CFLAGS) \
|
||||
+ $(PYTHON2_CFLAGS)
|
||||
+_py2sss_murmur_la_LIBADD = \
|
||||
+ $(PYTHON2_LIBS)
|
||||
+_py2sss_murmur_la_LDFLAGS = $(pysss_murmur_la_LDFLAGS)
|
||||
+
|
||||
+_py3sss_murmur_la_SOURCES = $(pysss_murmur_la_SOURCES)
|
||||
+_py3sss_murmur_la_CFLAGS = \
|
||||
+ $(AM_CFLAGS) \
|
||||
+ $(PYTHON3_CFLAGS)
|
||||
+_py3sss_murmur_la_LIBADD = \
|
||||
+ $(PYTHON3_LIBS)
|
||||
+_py3sss_murmur_la_LDFLAGS = $(pysss_murmur_la_LDFLAGS)
|
||||
+
|
||||
+
|
||||
pysss_nss_idmap_la_SOURCES = \
|
||||
src/python/pysss_nss_idmap.c
|
||||
-pysss_nss_idmap_la_CFLAGS = \
|
||||
- $(AM_CFLAGS) \
|
||||
- $(PYTHON_CFLAGS)
|
||||
-pysss_nss_idmap_la_LIBADD = \
|
||||
- $(PYTHON_LIBS) \
|
||||
- libsss_nss_idmap.la
|
||||
pysss_nss_idmap_la_LDFLAGS = \
|
||||
-avoid-version \
|
||||
-module
|
||||
-endif
|
||||
+
|
||||
+_py2sss_nss_idmap_la_SOURCES = $(pysss_nss_idmap_la_SOURCES)
|
||||
+_py2sss_nss_idmap_la_CFLAGS = \
|
||||
+ $(AM_CFLAGS) \
|
||||
+ $(PYTHON2_CFLAGS)
|
||||
+_py2sss_nss_idmap_la_LIBADD = \
|
||||
+ $(PYTHON2_LIBS) \
|
||||
+ libsss_nss_idmap.la
|
||||
+_py2sss_nss_idmap_la_LDFLAGS = $(pysss_nss_idmap_la_LDFLAGS)
|
||||
+
|
||||
+_py3sss_nss_idmap_la_SOURCES = $(pysss_nss_idmap_la_SOURCES)
|
||||
+_py3sss_nss_idmap_la_CFLAGS = \
|
||||
+ $(AM_CFLAGS) \
|
||||
+ $(PYTHON3_CFLAGS)
|
||||
+_py3sss_nss_idmap_la_LIBADD = \
|
||||
+ $(PYTHON3_LIBS) \
|
||||
+ libsss_nss_idmap.la
|
||||
+_py3sss_nss_idmap_la_LDFLAGS = $(pysss_nss_idmap_la_LDFLAGS)
|
||||
+# end of python[23] bindings
|
||||
|
||||
if BUILD_CIFS_IDMAP_PLUGIN
|
||||
cifs_idmap_sss_la_SOURCES = \
|
||||
@@ -3054,17 +3115,51 @@ SSSSCONFIG_MODULES =
|
||||
endif
|
||||
|
||||
all-local: ldb_mod_test_dir $(SSSDCONFIG_MODULES)
|
||||
-if BUILD_PYTHON_BINDINGS
|
||||
- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config
|
||||
+if BUILD_PYTHON2_BINDINGS
|
||||
+ cd $(builddir)/src/config; \
|
||||
+ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config
|
||||
+endif
|
||||
+if BUILD_PYTHON3_BINDINGS
|
||||
+ cd $(builddir)/src/config; \
|
||||
+ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config
|
||||
endif
|
||||
|
||||
install-exec-hook: installsssddirs
|
||||
-if BUILD_PYTHON_BINDINGS
|
||||
+if BUILD_PYTHON2_BINDINGS
|
||||
if [ "$(DESTDIR)" = "" ]; then \
|
||||
- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config install $(DISTSETUPOPTS) --prefix=$(PYTHON_PREFIX) --record=$(abs_builddir)/src/config/.files; \
|
||||
+ cd $(builddir)/src/config; \
|
||||
+ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config \
|
||||
+ install $(DISTSETUPOPTS) --prefix=$(PYTHON2_PREFIX) \
|
||||
+ --record=$(abs_builddir)/src/config/.files2; \
|
||||
else \
|
||||
- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config install $(DISTSETUPOPTS) --prefix=$(PYTHON_PREFIX) --root=$(DESTDIR) --record=$(abs_builddir)/src/config/.files; \
|
||||
+ cd $(builddir)/src/config; \
|
||||
+ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config \
|
||||
+ install $(DISTSETUPOPTS) --prefix=$(PYTHON2_PREFIX) \
|
||||
+ --record=$(abs_builddir)/src/config/.files2 --root=$(DESTDIR); \
|
||||
fi
|
||||
+ cd $(DESTDIR)$(py2execdir) && \
|
||||
+ $(LN_S) _py2sss.so pysss.so ; \
|
||||
+ $(LN_S) _py2hbac.so pyhbac.so ; \
|
||||
+ $(LN_S) _py2sss_murmur.so pysss_murmur.so ; \
|
||||
+ $(LN_S) _py2sss_nss_idmap.so pysss_nss_idmap.so
|
||||
+endif
|
||||
+if BUILD_PYTHON3_BINDINGS
|
||||
+ if [ "$(DESTDIR)" = "" ]; then \
|
||||
+ cd $(builddir)/src/config; \
|
||||
+ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config \
|
||||
+ install $(DISTSETUPOPTS) --prefix=$(PYTHON3_PREFIX) \
|
||||
+ --record=$(abs_builddir)/src/config/.files3; \
|
||||
+ else \
|
||||
+ cd $(builddir)/src/config; \
|
||||
+ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config \
|
||||
+ install $(DISTSETUPOPTS) --prefix=$(PYTHON3_PREFIX) \
|
||||
+ --record=$(abs_builddir)/src/config/.files3 --root=$(DESTDIR); \
|
||||
+ fi
|
||||
+ cd $(DESTDIR)$(py3execdir) && \
|
||||
+ $(LN_S) _py3sss.so pysss.so ; \
|
||||
+ $(LN_S) _py3hbac.so pyhbac.so ; \
|
||||
+ $(LN_S) _py3sss_murmur.so pysss_murmur.so ; \
|
||||
+ $(LN_S) _py3sss_nss_idmap.so pysss_nss_idmap.so
|
||||
endif
|
||||
for doc in $(SSSD_DOCS); do \
|
||||
$(MKDIR_P) $$doc $(DESTDIR)/$(docdir); \
|
||||
@@ -3100,16 +3195,20 @@ install-data-hook:
|
||||
fi
|
||||
|
||||
uninstall-hook:
|
||||
- if [ -f $(abs_builddir)/src/config/.files ]; then \
|
||||
- cat $(abs_builddir)/src/config/.files | xargs -iq rm -f $(DESTDIR)/q; \
|
||||
- rm $(abs_builddir)/src/config/.files ; \
|
||||
+ if [ -f $(abs_builddir)/src/config/.files2 ]; then \
|
||||
+ cat $(abs_builddir)/src/config/.files2 | xargs -iq rm -f $(DESTDIR)/q; \
|
||||
+ rm $(abs_builddir)/src/config/.files2 ; \
|
||||
+ fi
|
||||
+ if [ -f $(abs_builddir)/src/config/.files3 ]; then \
|
||||
+ cat $(abs_builddir)/src/config/.files3 | xargs -iq rm -f $(DESTDIR)/q; \
|
||||
+ rm $(abs_builddir)/src/config/.files3 ; \
|
||||
fi
|
||||
for doc in $(SSSD_DOCS); do \
|
||||
rm -Rf $(DESTDIR)/$(docdir)/$$doc; \
|
||||
done;
|
||||
|
||||
clean-local:
|
||||
-if BUILD_PYTHON_BINDINGS
|
||||
+if BUILD_PYTHON2_BINDINGS
|
||||
if [ ! $(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \
|
||||
rm -f $(builddir)/src/config/SSSDConfig/ipachangeconf.py ; \
|
||||
fi
|
||||
@@ -3120,7 +3219,20 @@ if BUILD_PYTHON_BINDINGS
|
||||
|
||||
rm -f $(builddir)/src/config/SSSDConfig/*.pyc
|
||||
|
||||
- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config clean --all
|
||||
+ cd $(builddir)/src/config; $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config clean --all
|
||||
+endif
|
||||
+if BUILD_PYTHON3_BINDINGS
|
||||
+ if [ ! $(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \
|
||||
+ rm -f $(builddir)/src/config/SSSDConfig/ipachangeconf.py ; \
|
||||
+ fi
|
||||
+
|
||||
+ if [ ! $(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \
|
||||
+ rm -f $(builddir)/src/config/SSSDConfig/sssd_upgrade_config.py ; \
|
||||
+ fi
|
||||
+
|
||||
+ rm -f $(builddir)/src/config/SSSDConfig/__pycache__/*.pyc
|
||||
+
|
||||
+ cd $(builddir)/src/config; $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config clean --all
|
||||
endif
|
||||
for doc in $(SSSD_DOCS); do \
|
||||
rm -Rf $$doc; \
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index f72e448528edcffb855504a38a179c400f98ac42..e30405f3a17ffd2c9899b6eb17af85ec9bc15234 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -117,7 +117,8 @@ WITH_KRB5_PLUGIN_PATH
|
||||
WITH_KRB5_RCACHE_DIR
|
||||
WITH_KRB5AUTHDATA_PLUGIN_PATH
|
||||
WITH_KRB5_CONF
|
||||
-WITH_PYTHON_BINDINGS
|
||||
+WITH_PYTHON2_BINDINGS
|
||||
+WITH_PYTHON3_BINDINGS
|
||||
WITH_CIFS_PLUGIN_PATH
|
||||
WITH_SELINUX
|
||||
WITH_NSCD
|
||||
@@ -247,16 +248,52 @@ AM_CONDITIONAL([HAVE_PROFILE_CATALOGS], [test "x$HAVE_PROFILE_CATALOGS" != "x"])
|
||||
AM_CONDITIONAL([HAVE_MANPAGES], [test "x$HAVE_MANPAGES" != "x"])
|
||||
AM_CONDITIONAL([HAVE_PO4A], [test "x$PO4A" != "xno"])
|
||||
|
||||
-if test x$HAVE_PYTHON_BINDINGS != x; then
|
||||
+if test x$HAVE_PYTHON2_BINDINGS = x1; then
|
||||
+ AC_PATH_PROG(PYTHON2, python2)
|
||||
+ PYTHON=$PYTHON2
|
||||
AM_PATH_PYTHON([2.6])
|
||||
- AM_PYTHON_CONFIG([python])
|
||||
+ AM_PYTHON_CONFIG([python2])
|
||||
AM_CHECK_PYTHON_HEADERS([],
|
||||
- AC_MSG_ERROR([Could not find python headers]))
|
||||
+ AC_MSG_ERROR([Could not find python2 headers]))
|
||||
AM_CHECK_PYTHON_COMPAT
|
||||
- AC_SUBST([PYTHON_CFLAGS])
|
||||
- AC_SUBST([PYTHON_LIBS])
|
||||
+
|
||||
+ AC_SUBST([py2execdir], [$pyexecdir])
|
||||
+ AC_SUBST([python2dir], [$pythondir])
|
||||
+ AC_SUBST([PYTHON2_CFLAGS], [$PYTHON_CFLAGS])
|
||||
+ AC_SUBST([PYTHON2_LIBS], [$PYTHON_LIBS])
|
||||
+ AC_SUBST([PYTHON2_INCLUDES], [$PYTHON_INCLUDES])
|
||||
+ AC_SUBST([PYTHON2_VERSION], [$PYTHON_VERSION])
|
||||
+ AC_SUBST([PYTHON2_PREFIX], [$PYTHON_PREFIX])
|
||||
+ AC_SUBST([PYTHON2_EXEC_PREFIX], [$PYTHON_EXEC_PREFIX])
|
||||
+
|
||||
+ SSS_CLEAN_PYTHON_VARIABLES
|
||||
fi
|
||||
|
||||
+if test x$HAVE_PYTHON3_BINDINGS = x1; then
|
||||
+ AC_PATH_PROG(PYTHON3, python3)
|
||||
+ PYTHON=$PYTHON3
|
||||
+ AM_PATH_PYTHON([3.3])
|
||||
+ AM_PYTHON_CONFIG([python3])
|
||||
+ AM_CHECK_PYTHON_HEADERS([],
|
||||
+ AC_MSG_ERROR([Could not find python3 headers]))
|
||||
+ AM_CHECK_PYTHON_COMPAT
|
||||
+
|
||||
+ AC_SUBST([py3execdir], [$pyexecdir])
|
||||
+ AC_SUBST([python3dir], [$pythondir])
|
||||
+ AC_SUBST([PYTHON3_CFLAGS], [$PYTHON_CFLAGS])
|
||||
+ AC_SUBST([PYTHON3_LIBS], [$PYTHON_LIBS])
|
||||
+ AC_SUBST([PYTHON3_INCLUDES], [$PYTHON_INCLUDES])
|
||||
+ AC_SUBST([PYTHON3_VERSION], [$PYTHON_VERSION])
|
||||
+ AC_SUBST([PYTHON3_PREFIX], [$PYTHON_PREFIX])
|
||||
+ AC_SUBST([PYTHON3_EXEC_PREFIX], [$PYTHON_EXEC_PREFIX])
|
||||
+
|
||||
+ SSS_CLEAN_PYTHON_VARIABLES
|
||||
+fi
|
||||
+
|
||||
+AM_CONDITIONAL([BUILD_PYTHON_BINDINGS],
|
||||
+ [test x"$with_python2_bindings" = xyes \
|
||||
+ -o x"$with_python3_bindings" = xyes])
|
||||
+
|
||||
if test x$HAVE_SELINUX != x; then
|
||||
AM_CHECK_SELINUX
|
||||
AM_CHECK_SELINUX_LOGIN_DIR
|
||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||||
index 2dbcd9e40c03e46e4e132a4ef4560044e88ea853..c50eebd193de5815eca55824670a319603b54501 100644
|
||||
--- a/contrib/sssd.spec.in
|
||||
+++ b/contrib/sssd.spec.in
|
||||
@@ -781,10 +781,12 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%files -n python-sss
|
||||
%defattr(-,root,root,-)
|
||||
%{python_sitearch}/pysss.so
|
||||
+%{python_sitearch}/_py2sss.so
|
||||
|
||||
%files -n python-sss-murmur
|
||||
%defattr(-,root,root,-)
|
||||
%{python_sitearch}/pysss_murmur.so
|
||||
+%{python_sitearch}/_py2sss_murmur.so
|
||||
|
||||
%files -n libsss_idmap
|
||||
%defattr(-,root,root,-)
|
||||
@@ -825,10 +827,12 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%files -n python-libsss_nss_idmap
|
||||
%defattr(-,root,root,-)
|
||||
%{python_sitearch}/pysss_nss_idmap.so
|
||||
+%{python_sitearch}/_py2sss_nss_idmap.so
|
||||
|
||||
%files -n python-libipa_hbac
|
||||
%defattr(-,root,root,-)
|
||||
%{python_sitearch}/pyhbac.so
|
||||
+%{python_sitearch}/_py2hbac.so
|
||||
|
||||
%files libwbclient
|
||||
%defattr(-,root,root,-)
|
||||
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
|
||||
index 86ecc446b4e27196298456b0dd63ab5516442c3b..48d1e6e7d6d1189c86d626a4509d919143aa6821 100644
|
||||
--- a/src/conf_macros.m4
|
||||
+++ b/src/conf_macros.m4
|
||||
@@ -360,21 +360,38 @@ AC_DEFUN([WITH_KRB5_CONF],
|
||||
AC_DEFINE_UNQUOTED([KRB5_CONF_PATH], ["$KRB5_CONF_PATH"], [KRB5 configuration file])
|
||||
])
|
||||
|
||||
-AC_DEFUN([WITH_PYTHON_BINDINGS],
|
||||
- [ AC_ARG_WITH([python-bindings],
|
||||
- [AC_HELP_STRING([--with-python-bindings],
|
||||
- [Whether to build python bindings [yes]]
|
||||
- )
|
||||
+AC_DEFUN([WITH_PYTHON2_BINDINGS],
|
||||
+ [ AC_ARG_WITH([python2-bindings],
|
||||
+ [AC_HELP_STRING([--with-python2-bindings],
|
||||
+ [Whether to build python2 bindings [yes]])
|
||||
],
|
||||
[],
|
||||
- with_python_bindings=yes
|
||||
+ [with_python2_bindings=yes]
|
||||
)
|
||||
- if test x"$with_python_bindings" = xyes; then
|
||||
- HAVE_PYTHON_BINDINGS=1
|
||||
- AC_SUBST(HAVE_PYTHON_BINDINGS)
|
||||
- AC_DEFINE_UNQUOTED(HAVE_PYTHON_BINDINGS, 1, [Build with python bindings])
|
||||
+ if test x"$with_python2_bindings" = xyes; then
|
||||
+ AC_SUBST([HAVE_PYTHON2_BINDINGS], [1])
|
||||
+ AC_DEFINE_UNQUOTED([HAVE_PYTHON2_BINDINGS], [1],
|
||||
+ [Build with python2 bindings])
|
||||
fi
|
||||
- AM_CONDITIONAL([BUILD_PYTHON_BINDINGS], [test x"$with_python_bindings" = xyes])
|
||||
+ AM_CONDITIONAL([BUILD_PYTHON2_BINDINGS],
|
||||
+ [test x"$with_python2_bindings" = xyes])
|
||||
+ ])
|
||||
+
|
||||
+AC_DEFUN([WITH_PYTHON3_BINDINGS],
|
||||
+ [ AC_ARG_WITH([python3-bindings],
|
||||
+ [AC_HELP_STRING([--with-python3-bindings],
|
||||
+ [Whether to build python3 bindings [yes]])
|
||||
+ ],
|
||||
+ [],
|
||||
+ [with_python3_bindings=no]
|
||||
+ )
|
||||
+ if test x"$with_python3_bindings" = xyes; then
|
||||
+ AC_SUBST([HAVE_PYTHON3_BINDINGS], [1])
|
||||
+ AC_DEFINE_UNQUOTED([HAVE_PYTHON3_BINDINGS], [1],
|
||||
+ [Build with python3 bindings])
|
||||
+ fi
|
||||
+ AM_CONDITIONAL([BUILD_PYTHON3_BINDINGS],
|
||||
+ [test x"$with_python3_bindings" = xyes])
|
||||
])
|
||||
|
||||
AC_DEFUN([WITH_SELINUX],
|
||||
diff --git a/src/tests/pyhbac-test.py b/src/tests/pyhbac-test.py
|
||||
index 0abc5703dedb2466b4d99718b5b524951b8af95c..83958d7bffcccea375c79166ee7dfca6f9956cff 100755
|
||||
--- a/src/tests/pyhbac-test.py
|
||||
+++ b/src/tests/pyhbac-test.py
|
||||
@@ -6,10 +6,9 @@ import sys
|
||||
import os
|
||||
import copy
|
||||
import sys
|
||||
+import errno
|
||||
|
||||
-srcdir = os.getenv('builddir')
|
||||
-if not srcdir:
|
||||
- srcdir = "."
|
||||
+srcdir = os.getenv('builddir') or "."
|
||||
MODPATH = srcdir + "/.libs" #FIXME - is there a way to get this from libtool?
|
||||
|
||||
if sys.version_info[0] > 2:
|
||||
@@ -41,6 +40,23 @@ class PyHbacImport(unittest.TestCase):
|
||||
def testImport(self):
|
||||
" Import the module and assert it comes from tree "
|
||||
try:
|
||||
+ cwd_backup = os.getcwd()
|
||||
+
|
||||
+ try:
|
||||
+ os.unlink(MODPATH + "/pyhbac.so")
|
||||
+ except OSError as e:
|
||||
+ if e.errno == errno.ENOENT:
|
||||
+ pass
|
||||
+ else:
|
||||
+ raise e
|
||||
+
|
||||
+ os.chdir(MODPATH)
|
||||
+ if sys.version_info[0] > 2:
|
||||
+ os.symlink("_py3hbac.so", "pyhbac.so")
|
||||
+ else:
|
||||
+ os.symlink("_py2hbac.so", "pyhbac.so")
|
||||
+ os.chdir(cwd_backup)
|
||||
+
|
||||
import pyhbac
|
||||
except ImportError as e:
|
||||
print("Could not load the pyhbac module. Please check if it is compiled", file=sys.stderr)
|
||||
diff --git a/src/tests/pysss_murmur-test.py b/src/tests/pysss_murmur-test.py
|
||||
index 0b28f45e67cb4b033516a585867085dba7b412e6..faa8bb2d33b9d94d380b8f7045ba45aa06ac4793 100755
|
||||
--- a/src/tests/pysss_murmur-test.py
|
||||
+++ b/src/tests/pysss_murmur-test.py
|
||||
@@ -23,10 +23,9 @@ import unittest
|
||||
import sys
|
||||
import os
|
||||
import copy
|
||||
+import errno
|
||||
|
||||
-srcdir = os.getenv('builddir')
|
||||
-if not srcdir:
|
||||
- srcdir = "."
|
||||
+srcdir = os.getenv('builddir') or "."
|
||||
MODPATH = srcdir + "/.libs" #FIXME - is there a way to get this from libtool?
|
||||
|
||||
def compat_assertItemsEqual(this, expected_seq, actual_seq, msg=None):
|
||||
@@ -57,6 +56,23 @@ class PySssMurmurImport(unittest.TestCase):
|
||||
def testImport(self):
|
||||
" Import the module and assert it comes from tree "
|
||||
try:
|
||||
+ cwd_backup = os.getcwd()
|
||||
+
|
||||
+ try:
|
||||
+ os.unlink(MODPATH + "/pysss_murmur.so")
|
||||
+ except OSError as e:
|
||||
+ if e.errno == errno.ENOENT:
|
||||
+ pass
|
||||
+ else:
|
||||
+ raise e
|
||||
+
|
||||
+ os.chdir(MODPATH)
|
||||
+ if sys.version_info[0] > 2:
|
||||
+ os.symlink("_py3sss_murmur.so", "pysss_murmur.so")
|
||||
+ else:
|
||||
+ os.symlink("_py2sss_murmur.so", "pysss_murmur.so")
|
||||
+ os.chdir(cwd_backup)
|
||||
+
|
||||
import pysss_murmur
|
||||
except ImportError as e:
|
||||
print("Could not load the pysss_murmur module. Please check if it is compiled", file=sys.stderr)
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,146 +0,0 @@
|
||||
From 72574d55a5604900cee99a0ea578abde33e9ad6b Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 23 Feb 2015 22:56:55 +0100
|
||||
Subject: [PATCH 13/30] TESTS: Run python tests with all supported python
|
||||
versions
|
||||
|
||||
This patch add simple bash wrappers for python tests.
|
||||
They are executed either with python2 or python3.
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
Makefile.am | 23 ++++++++++++++++++-----
|
||||
src/config/SSSDConfigTest.py2.sh | 5 +++++
|
||||
src/config/SSSDConfigTest.py3.sh | 5 +++++
|
||||
src/tests/pyhbac-test.py2.sh | 5 +++++
|
||||
src/tests/pyhbac-test.py3.sh | 5 +++++
|
||||
src/tests/pysss_murmur-test.py2.sh | 5 +++++
|
||||
src/tests/pysss_murmur-test.py3.sh | 5 +++++
|
||||
7 files changed, 48 insertions(+), 5 deletions(-)
|
||||
create mode 100755 src/config/SSSDConfigTest.py2.sh
|
||||
create mode 100755 src/config/SSSDConfigTest.py3.sh
|
||||
create mode 100755 src/tests/pyhbac-test.py2.sh
|
||||
create mode 100755 src/tests/pyhbac-test.py3.sh
|
||||
create mode 100755 src/tests/pysss_murmur-test.py2.sh
|
||||
create mode 100755 src/tests/pysss_murmur-test.py3.sh
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 0a1511c23ce844ce9963ac33ac3daadd31bdc27e..7aa44d7dfc3a01334d6d4e68c96095df66dee324 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -250,13 +250,20 @@ endif # HAVE_CMOCKA
|
||||
|
||||
PYTHON_TESTS =
|
||||
|
||||
-if BUILD_PYTHON_BINDINGS
|
||||
-PYTHON_TESTS += src/config/SSSDConfigTest.py \
|
||||
- src/tests/pyhbac-test.py \
|
||||
- src/tests/pysss_murmur-test.py
|
||||
+if BUILD_PYTHON2_BINDINGS
|
||||
+PYTHON_TESTS += src/config/SSSDConfigTest.py2.sh \
|
||||
+ src/tests/pyhbac-test.py2.sh \
|
||||
+ src/tests/pysss_murmur-test.py2.sh \
|
||||
+ $(NULL)
|
||||
+endif
|
||||
+if BUILD_PYTHON3_BINDINGS
|
||||
+PYTHON_TESTS += src/config/SSSDConfigTest.py3.sh \
|
||||
+ src/tests/pyhbac-test.py3.sh \
|
||||
+ src/tests/pysss_murmur-test.py3.sh \
|
||||
+ $(NULL)
|
||||
endif
|
||||
|
||||
-TEST_EXTENSIONS = .py
|
||||
+TEST_EXTENSIONS = .sh
|
||||
TESTS = \
|
||||
$(PYTHON_TESTS) \
|
||||
$(non_interactive_cmocka_based_tests) \
|
||||
@@ -325,6 +332,8 @@ dist_noinst_SCRIPTS = \
|
||||
src/config/SSSDConfig/ipachangeconf.py \
|
||||
src/config/SSSDConfig/__init__.py \
|
||||
src/config/SSSDConfigTest.py \
|
||||
+ src/config/SSSDConfigTest.py2.sh \
|
||||
+ src/config/SSSDConfigTest.py3.sh \
|
||||
src/config/SSSDConfig/sssd_upgrade_config.py \
|
||||
contrib/rhel/update_debug_levels.py \
|
||||
contrib/fedora/bashrc_sssd \
|
||||
@@ -335,7 +344,11 @@ dist_noinst_SCRIPTS = \
|
||||
contrib/ci/run \
|
||||
contrib/ci/valgrind-condense \
|
||||
src/tests/pyhbac-test.py \
|
||||
+ src/tests/pyhbac-test.py2.sh \
|
||||
+ src/tests/pyhbac-test.py3.sh \
|
||||
src/tests/pysss_murmur-test.py \
|
||||
+ src/tests/pysss_murmur-test.py2.sh \
|
||||
+ src/tests/pysss_murmur-test.py3.sh \
|
||||
src/tests/python-test.py \
|
||||
$(NULL)
|
||||
|
||||
diff --git a/src/config/SSSDConfigTest.py2.sh b/src/config/SSSDConfigTest.py2.sh
|
||||
new file mode 100755
|
||||
index 0000000000000000000000000000000000000000..7bbd82af3997b295d48f8ea6d1d59afd5eaba43f
|
||||
--- /dev/null
|
||||
+++ b/src/config/SSSDConfigTest.py2.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+SCRIPT=$(readlink -f "$0")
|
||||
+SCRIPT_PATH=$(dirname "$SCRIPT")
|
||||
+exec python2 $SCRIPT_PATH/SSSDConfigTest.py
|
||||
diff --git a/src/config/SSSDConfigTest.py3.sh b/src/config/SSSDConfigTest.py3.sh
|
||||
new file mode 100755
|
||||
index 0000000000000000000000000000000000000000..89b9f0720473904fe093ee4c065ae01579ee94ef
|
||||
--- /dev/null
|
||||
+++ b/src/config/SSSDConfigTest.py3.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+SCRIPT=$(readlink -f "$0")
|
||||
+SCRIPT_PATH=$(dirname "$SCRIPT")
|
||||
+exec python3 $SCRIPT_PATH/SSSDConfigTest.py
|
||||
diff --git a/src/tests/pyhbac-test.py2.sh b/src/tests/pyhbac-test.py2.sh
|
||||
new file mode 100755
|
||||
index 0000000000000000000000000000000000000000..48cd16908eaf9cf2c61f8e5fda1d954f116c68cc
|
||||
--- /dev/null
|
||||
+++ b/src/tests/pyhbac-test.py2.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+SCRIPT=$(readlink -f "$0")
|
||||
+SCRIPT_PATH=$(dirname "$SCRIPT")
|
||||
+exec python2 $SCRIPT_PATH/pyhbac-test.py
|
||||
diff --git a/src/tests/pyhbac-test.py3.sh b/src/tests/pyhbac-test.py3.sh
|
||||
new file mode 100755
|
||||
index 0000000000000000000000000000000000000000..862c7b23a87ea9d0b747dca12466175f0fd00b76
|
||||
--- /dev/null
|
||||
+++ b/src/tests/pyhbac-test.py3.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+SCRIPT=$(readlink -f "$0")
|
||||
+SCRIPT_PATH=$(dirname "$SCRIPT")
|
||||
+exec python3 $SCRIPT_PATH/pyhbac-test.py
|
||||
diff --git a/src/tests/pysss_murmur-test.py2.sh b/src/tests/pysss_murmur-test.py2.sh
|
||||
new file mode 100755
|
||||
index 0000000000000000000000000000000000000000..714459786c19b69f738e91df77d9423eba2b72fd
|
||||
--- /dev/null
|
||||
+++ b/src/tests/pysss_murmur-test.py2.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+SCRIPT=$(readlink -f "$0")
|
||||
+SCRIPT_PATH=$(dirname "$SCRIPT")
|
||||
+exec python2 $SCRIPT_PATH/pysss_murmur-test.py
|
||||
diff --git a/src/tests/pysss_murmur-test.py3.sh b/src/tests/pysss_murmur-test.py3.sh
|
||||
new file mode 100755
|
||||
index 0000000000000000000000000000000000000000..00b352ad3e15ba7d53885b86129bf76ede7ca4e6
|
||||
--- /dev/null
|
||||
+++ b/src/tests/pysss_murmur-test.py3.sh
|
||||
@@ -0,0 +1,5 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+SCRIPT=$(readlink -f "$0")
|
||||
+SCRIPT_PATH=$(dirname "$SCRIPT")
|
||||
+exec python3 $SCRIPT_PATH/pysss_murmur-test.py
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,91 +0,0 @@
|
||||
From 023ce335f80d03631c98e41cd6802bda09fb555a Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 10 Feb 2015 18:07:05 +0100
|
||||
Subject: [PATCH 14/30] SPEC: Replace python_ macros with python2_
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
contrib/sssd.spec.in | 34 ++++++++++++++++++++--------------
|
||||
1 file changed, 20 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||||
index c50eebd193de5815eca55824670a319603b54501..6235bcf46fed96befbe035c7fe93026955dd0c3e 100644
|
||||
--- a/contrib/sssd.spec.in
|
||||
+++ b/contrib/sssd.spec.in
|
||||
@@ -1,8 +1,14 @@
|
||||
%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
|
||||
|
||||
+%if 0%{?rhel} && 0%{?rhel} <= 6
|
||||
+%{!?__python2: %global __python2 /usr/bin/python2}
|
||||
+%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
|
||||
+%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
|
||||
+%endif
|
||||
+
|
||||
# Fedora and RHEL 6+
|
||||
# we don't want to provide private python extension libs
|
||||
-%define __provides_exclude_from %{python_sitearch}/.*\.so$
|
||||
+%define __provides_exclude_from %{python2_sitearch}/.*\.so$
|
||||
|
||||
%if (0%{?fedora} || 0%{?rhel} >= 7)
|
||||
%global use_systemd 1
|
||||
@@ -528,9 +534,9 @@ rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}
|
||||
|
||||
# Older versions of rpmbuild can only handle one -f option
|
||||
# So we need to append to the sssd*.lang file
|
||||
-for file in `ls $RPM_BUILD_ROOT/%{python_sitelib}/*.egg-info 2> /dev/null`
|
||||
+for file in `ls $RPM_BUILD_ROOT/%{python2_sitelib}/*.egg-info 2> /dev/null`
|
||||
do
|
||||
- echo %{python_sitelib}/`basename $file` >> python_sssdconfig.lang
|
||||
+ echo %{python2_sitelib}/`basename $file` >> python2_sssdconfig.lang
|
||||
done
|
||||
|
||||
touch sssd.lang
|
||||
@@ -773,20 +779,20 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man8/sss_debuglevel.8*
|
||||
%{_mandir}/man8/sss_seed.8*
|
||||
|
||||
-%files -n python-sssdconfig -f python_sssdconfig.lang
|
||||
+%files -n python-sssdconfig -f python2_sssdconfig.lang
|
||||
%defattr(-,root,root,-)
|
||||
-%dir %{python_sitelib}/SSSDConfig
|
||||
-%{python_sitelib}/SSSDConfig/*.py*
|
||||
+%dir %{python2_sitelib}/SSSDConfig
|
||||
+%{python2_sitelib}/SSSDConfig/*.py*
|
||||
|
||||
%files -n python-sss
|
||||
%defattr(-,root,root,-)
|
||||
-%{python_sitearch}/pysss.so
|
||||
-%{python_sitearch}/_py2sss.so
|
||||
+%{python2_sitearch}/pysss.so
|
||||
+%{python2_sitearch}/_py2sss.so
|
||||
|
||||
%files -n python-sss-murmur
|
||||
%defattr(-,root,root,-)
|
||||
-%{python_sitearch}/pysss_murmur.so
|
||||
-%{python_sitearch}/_py2sss_murmur.so
|
||||
+%{python2_sitearch}/pysss_murmur.so
|
||||
+%{python2_sitearch}/_py2sss_murmur.so
|
||||
|
||||
%files -n libsss_idmap
|
||||
%defattr(-,root,root,-)
|
||||
@@ -826,13 +832,13 @@ rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%files -n python-libsss_nss_idmap
|
||||
%defattr(-,root,root,-)
|
||||
-%{python_sitearch}/pysss_nss_idmap.so
|
||||
-%{python_sitearch}/_py2sss_nss_idmap.so
|
||||
+%{python2_sitearch}/pysss_nss_idmap.so
|
||||
+%{python2_sitearch}/_py2sss_nss_idmap.so
|
||||
|
||||
%files -n python-libipa_hbac
|
||||
%defattr(-,root,root,-)
|
||||
-%{python_sitearch}/pyhbac.so
|
||||
-%{python_sitearch}/_py2hbac.so
|
||||
+%{python2_sitearch}/pyhbac.so
|
||||
+%{python2_sitearch}/_py2hbac.so
|
||||
|
||||
%files libwbclient
|
||||
%defattr(-,root,root,-)
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,378 +0,0 @@
|
||||
From 61bf76430dac157452e44da5fa66a4c4f268a806 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 10 Feb 2015 19:39:45 +0100
|
||||
Subject: [PATCH 15/30] SPEC: Build python3 bindings on available platforms
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/2574
|
||||
|
||||
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||
---
|
||||
contrib/ci/configure.sh | 6 ++
|
||||
contrib/ci/deps.sh | 1 +
|
||||
contrib/sssd.spec.in | 144 ++++++++++++++++++++++++++++++++++++++++++++---
|
||||
src/conf_macros.m4 | 2 +-
|
||||
src/tests/dlopen-tests.c | 14 +++--
|
||||
5 files changed, 154 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh
|
||||
index 8af273043a77556a2eee10224ff2a0baaf53d497..d5d4c791a35f3583416efd904ad5804bcbebf4c8 100644
|
||||
--- a/contrib/ci/configure.sh
|
||||
+++ b/contrib/ci/configure.sh
|
||||
@@ -35,9 +35,15 @@ if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-6.*- ]]; then
|
||||
CONFIGURE_ARG_LIST+=(
|
||||
"--disable-cifs-idmap-plugin"
|
||||
"--with-syslog=syslog"
|
||||
+ "--without-python3-bindings"
|
||||
)
|
||||
fi
|
||||
|
||||
+if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-7.*- ]]; then
|
||||
+ CONFIGURE_ARG_LIST+=(
|
||||
+ "--without-python3-bindings"
|
||||
+ )
|
||||
+fi
|
||||
declare -r -a CONFIGURE_ARG_LIST
|
||||
|
||||
fi # _CONFIGURE_SH
|
||||
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
|
||||
index 0cdb9962987edddf4dd2fff659e3262bbd50b045..4e0ce1e0328927f42b3849d9c39180b4064a9d4b 100644
|
||||
--- a/contrib/ci/deps.sh
|
||||
+++ b/contrib/ci/deps.sh
|
||||
@@ -92,6 +92,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
|
||||
libxml2-utils
|
||||
make
|
||||
python-dev
|
||||
+ python3-dev
|
||||
samba-dev
|
||||
systemd
|
||||
xml-core
|
||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||||
index 6235bcf46fed96befbe035c7fe93026955dd0c3e..2d9c9b18c38f78956b516cb70cd42b9c62ccff8e 100644
|
||||
--- a/contrib/sssd.spec.in
|
||||
+++ b/contrib/sssd.spec.in
|
||||
@@ -9,6 +9,7 @@
|
||||
# Fedora and RHEL 6+
|
||||
# we don't want to provide private python extension libs
|
||||
%define __provides_exclude_from %{python2_sitearch}/.*\.so$
|
||||
+%define __provides_exclude_from %{python3_sitearch}/.*\.so$
|
||||
|
||||
%if (0%{?fedora} || 0%{?rhel} >= 7)
|
||||
%global use_systemd 1
|
||||
@@ -44,6 +45,12 @@
|
||||
%global with_krb5_localauth_plugin 1
|
||||
%endif
|
||||
|
||||
+%if (0%{?fedora})
|
||||
+ %global with_python3 1
|
||||
+%else
|
||||
+ %global with_python3_option --without-python3-bindings
|
||||
+%endif
|
||||
+
|
||||
Name: @PACKAGE_NAME@
|
||||
Version: @PACKAGE_VERSION@
|
||||
Release: 0@PRERELEASE_VERSION@%{?dist}
|
||||
@@ -65,7 +72,11 @@ Requires: sssd-ipa = %{version}-%{release}
|
||||
Requires: sssd-common-pac = %{version}-%{release}
|
||||
Requires: sssd-ad = %{version}-%{release}
|
||||
Requires: sssd-proxy = %{version}-%{release}
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+Requires: python3-sssdconfig = %{version}-%{release}
|
||||
+%else
|
||||
Requires: python-sssdconfig = %{version}-%{release}
|
||||
+%endif
|
||||
|
||||
%global servicename sssd
|
||||
%global sssdstatedir %{_localstatedir}/lib/sss
|
||||
@@ -106,6 +117,9 @@ BuildRequires: krb5-devel
|
||||
%endif
|
||||
BuildRequires: c-ares-devel
|
||||
BuildRequires: python-devel
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+BuildRequires: python3-devel
|
||||
+%endif
|
||||
BuildRequires: check-devel
|
||||
BuildRequires: doxygen
|
||||
BuildRequires: libselinux-devel
|
||||
@@ -203,8 +217,13 @@ Group: Applications/System
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
# required by sss_obfuscate
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+Requires: python3-sss = %{version}-%{release}
|
||||
+Requires: python3-sssdconfig = %{version}-%{release}
|
||||
+%else
|
||||
Requires: python-sss = %{version}-%{release}
|
||||
Requires: python-sssdconfig = %{version}-%{release}
|
||||
+%endif
|
||||
|
||||
%description tools
|
||||
Provides userspace tools for manipulating users, groups, and nested groups in
|
||||
@@ -222,29 +241,66 @@ License: GPLv3+
|
||||
BuildArch: noarch
|
||||
|
||||
%description -n python-sssdconfig
|
||||
-Provides python files for manipulation SSSD and IPA configuration files.
|
||||
+Provides python2 files for manipulation SSSD and IPA configuration files.
|
||||
+
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+%package -n python3-sssdconfig
|
||||
+Summary: SSSD and IPA configuration file manipulation classes and functions
|
||||
+Group: Applications/System
|
||||
+License: GPLv3+
|
||||
+BuildArch: noarch
|
||||
+
|
||||
+%description -n python3-sssdconfig
|
||||
+Provides python3 files for manipulation SSSD and IPA configuration files.
|
||||
+%endif
|
||||
|
||||
%package -n python-sss
|
||||
-Summary: Python bindings for sssd
|
||||
+Summary: Python2 bindings for sssd
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
|
||||
%description -n python-sss
|
||||
-Provides python module for manipulating users, groups, and nested groups in
|
||||
+Provides python2 module for manipulating users, groups, and nested groups in
|
||||
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
|
||||
-Also provides several other useful python bindings:
|
||||
+Also provides several other useful python2 bindings:
|
||||
* function for retrieving list of groups user belongs to.
|
||||
* class for obfuscation of passwords
|
||||
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+%package -n python3-sss
|
||||
+Summary: Python3 bindings for sssd
|
||||
+Group: Development/Libraries
|
||||
+License: LGPLv3+
|
||||
+Requires: sssd-common = %{version}-%{release}
|
||||
+
|
||||
+%description -n python3-sss
|
||||
+Provides python3 module for manipulating users, groups, and nested groups in
|
||||
+SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
||||
+
|
||||
+Also provides several other useful python3 bindings:
|
||||
+ * function for retrieving list of groups user belongs to.
|
||||
+ * class for obfuscation of passwords
|
||||
+%endif
|
||||
+
|
||||
%package -n python-sss-murmur
|
||||
-Summary: Python bindings for murmur hash function
|
||||
+Summary: Python2 bindings for murmur hash function
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
|
||||
%description -n python-sss-murmur
|
||||
-Provides python module for calculating the murmur hash version 3
|
||||
+Provides python2 module for calculating the murmur hash version 3
|
||||
+
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+%package -n python3-sss-murmur
|
||||
+Summary: Python3 bindings for murmur hash function
|
||||
+Group: Development/Libraries
|
||||
+License: LGPLv3+
|
||||
+
|
||||
+%description -n python3-sss-murmur
|
||||
+Provides python3 module for calculating the murmur hash version 3
|
||||
+%endif
|
||||
|
||||
%package ldap
|
||||
Summary: The LDAP back end of the SSSD
|
||||
@@ -371,7 +427,7 @@ Requires: libipa_hbac = %{version}-%{release}
|
||||
Utility library to validate FreeIPA HBAC rules for authorization requests
|
||||
|
||||
%package -n python-libipa_hbac
|
||||
-Summary: Python bindings for the FreeIPA HBAC Evaluator library
|
||||
+Summary: Python2 bindings for the FreeIPA HBAC Evaluator library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: libipa_hbac = %{version}-%{release}
|
||||
@@ -382,6 +438,18 @@ Obsoletes: libipa_hbac-python < 1.12.90
|
||||
The python-libipa_hbac contains the bindings so that libipa_hbac can be
|
||||
used by Python applications.
|
||||
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+%package -n python3-libipa_hbac
|
||||
+Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
|
||||
+Group: Development/Libraries
|
||||
+License: LGPLv3+
|
||||
+Requires: libipa_hbac = %{version}-%{release}
|
||||
+
|
||||
+%description -n python3-libipa_hbac
|
||||
+The python3-libipa_hbac contains the bindings so that libipa_hbac can be
|
||||
+used by Python applications.
|
||||
+%endif
|
||||
+
|
||||
%package -n libsss_nss_idmap
|
||||
Summary: Library for SID based lookups
|
||||
Group: Development/Libraries
|
||||
@@ -402,7 +470,7 @@ Requires: libsss_nss_idmap = %{version}-%{release}
|
||||
Utility library for SID based lookups
|
||||
|
||||
%package -n python-libsss_nss_idmap
|
||||
-Summary: Python bindings for libsss_nss_idmap
|
||||
+Summary: Python2 bindings for libsss_nss_idmap
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: libsss_nss_idmap = %{version}-%{release}
|
||||
@@ -413,6 +481,18 @@ Obsoletes: libsss_nss_idmap-python < 1.12.90
|
||||
The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
|
||||
be used by Python applications.
|
||||
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+%package -n python3-libsss_nss_idmap
|
||||
+Summary: Python3 bindings for libsss_nss_idmap
|
||||
+Group: Development/Libraries
|
||||
+License: LGPLv3+
|
||||
+Requires: libsss_nss_idmap = %{version}-%{release}
|
||||
+
|
||||
+%description -n python3-libsss_nss_idmap
|
||||
+The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
|
||||
+be used by Python applications.
|
||||
+%endif
|
||||
+
|
||||
%package dbus
|
||||
Summary: The D-Bus responder of the SSSD
|
||||
Group: Applications/System
|
||||
@@ -495,6 +575,7 @@ autoreconf -ivf
|
||||
%{with_initscript} \
|
||||
%{?with_syslog} \
|
||||
%{?with_cifs_utils_plugin_option} \
|
||||
+ %{?with_python3_option} \
|
||||
%{?experimental}
|
||||
|
||||
make %{?_smp_mflags} all
|
||||
@@ -509,6 +590,10 @@ unset CK_TIMEOUT_MULTIPLIER
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
|
||||
+%endif
|
||||
+
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
|
||||
# Prepare language files
|
||||
@@ -539,6 +624,13 @@ do
|
||||
echo %{python2_sitelib}/`basename $file` >> python2_sssdconfig.lang
|
||||
done
|
||||
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+for file in `ls $RPM_BUILD_ROOT/%{python3_sitelib}/*.egg-info 2> /dev/null`
|
||||
+do
|
||||
+ echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang
|
||||
+done
|
||||
+%endif
|
||||
+
|
||||
touch sssd.lang
|
||||
touch sssd_tools.lang
|
||||
touch sssd_client.lang
|
||||
@@ -784,16 +876,38 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%dir %{python2_sitelib}/SSSDConfig
|
||||
%{python2_sitelib}/SSSDConfig/*.py*
|
||||
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+%files -n python3-sssdconfig -f python3_sssdconfig.lang
|
||||
+%defattr(-,root,root,-)
|
||||
+%dir %{python3_sitelib}/SSSDConfig
|
||||
+%{python3_sitelib}/SSSDConfig/*.py*
|
||||
+%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
|
||||
+%endif
|
||||
+
|
||||
%files -n python-sss
|
||||
%defattr(-,root,root,-)
|
||||
%{python2_sitearch}/pysss.so
|
||||
%{python2_sitearch}/_py2sss.so
|
||||
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+%files -n python3-sss
|
||||
+%defattr(-,root,root,-)
|
||||
+%{python3_sitearch}/pysss.so
|
||||
+%{python3_sitearch}/_py3sss.so
|
||||
+%endif
|
||||
+
|
||||
%files -n python-sss-murmur
|
||||
%defattr(-,root,root,-)
|
||||
%{python2_sitearch}/pysss_murmur.so
|
||||
%{python2_sitearch}/_py2sss_murmur.so
|
||||
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+%files -n python3-sss-murmur
|
||||
+%defattr(-,root,root,-)
|
||||
+%{python3_sitearch}/pysss_murmur.so
|
||||
+%{python3_sitearch}/_py3sss_murmur.so
|
||||
+%endif
|
||||
+
|
||||
%files -n libsss_idmap
|
||||
%defattr(-,root,root,-)
|
||||
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||
@@ -835,11 +949,25 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{python2_sitearch}/pysss_nss_idmap.so
|
||||
%{python2_sitearch}/_py2sss_nss_idmap.so
|
||||
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+%files -n python3-libsss_nss_idmap
|
||||
+%defattr(-,root,root,-)
|
||||
+%{python3_sitearch}/pysss_nss_idmap.so
|
||||
+%{python3_sitearch}/_py3sss_nss_idmap.so
|
||||
+%endif
|
||||
+
|
||||
%files -n python-libipa_hbac
|
||||
%defattr(-,root,root,-)
|
||||
%{python2_sitearch}/pyhbac.so
|
||||
%{python2_sitearch}/_py2hbac.so
|
||||
|
||||
+%if (0%{?with_python3} == 1)
|
||||
+%files -n python3-libipa_hbac
|
||||
+%defattr(-,root,root,-)
|
||||
+%{python3_sitearch}/pyhbac.so
|
||||
+%{python3_sitearch}/_py3hbac.so
|
||||
+%endif
|
||||
+
|
||||
%files libwbclient
|
||||
%defattr(-,root,root,-)
|
||||
%{_libdir}/%{name}/modules/libwbclient.so.*
|
||||
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
|
||||
index 48d1e6e7d6d1189c86d626a4509d919143aa6821..86876fab8115c49f38ebef4e3037a8ba36a5b92e 100644
|
||||
--- a/src/conf_macros.m4
|
||||
+++ b/src/conf_macros.m4
|
||||
@@ -383,7 +383,7 @@ AC_DEFUN([WITH_PYTHON3_BINDINGS],
|
||||
[Whether to build python3 bindings [yes]])
|
||||
],
|
||||
[],
|
||||
- [with_python3_bindings=no]
|
||||
+ [with_python3_bindings=yes]
|
||||
)
|
||||
if test x"$with_python3_bindings" = xyes; then
|
||||
AC_SUBST([HAVE_PYTHON3_BINDINGS], [1])
|
||||
diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c
|
||||
index 5cc6cae693f09adae12df0d2267e0868ae2f74c0..e808f23e7560241e3fc158d71da2dbdbe1543dfc 100644
|
||||
--- a/src/tests/dlopen-tests.c
|
||||
+++ b/src/tests/dlopen-tests.c
|
||||
@@ -96,10 +96,16 @@ struct so {
|
||||
{ "libdlopen_test_providers.so", { LIBPFX"libdlopen_test_providers.so",
|
||||
NULL } },
|
||||
#ifdef HAVE_PYTHON_BINDINGS
|
||||
- { "pyhbac.so", { LIBPFX"pyhbac.so", NULL } },
|
||||
- { "pysss.so", { LIBPFX"pysss.so", NULL } },
|
||||
- { "pysss_murmur.so", { LIBPFX"pysss_murmur.so", NULL } },
|
||||
- { "pysss_nss_idmap.so", { LIBPFX"pysss_nss_idmap.so", NULL } },
|
||||
+ { "_py2hbac.so", { LIBPFX"_py2hbac.so", NULL } },
|
||||
+ { "_py2sss.so", { LIBPFX"_py2sss.so", NULL } },
|
||||
+ { "_py2sss_murmur.so", { LIBPFX"_py2sss_murmur.so", NULL } },
|
||||
+ { "_py2sss_nss_idmap.so", { LIBPFX"_py2sss_nss_idmap.so", NULL } },
|
||||
+#endif
|
||||
+#ifdef HAVE_PYTHON_BINDINGS
|
||||
+ { "_py3hbac.so", { LIBPFX"_py3hbac.so", NULL } },
|
||||
+ { "_py3sss.so", { LIBPFX"_py3sss.so", NULL } },
|
||||
+ { "_py3sss_murmur.so", { LIBPFX"_py3sss_murmur.so", NULL } },
|
||||
+ { "_py3sss_nss_idmap.so", { LIBPFX"_py3sss_nss_idmap.so", NULL } },
|
||||
#endif
|
||||
#ifdef HAVE_CONFIG_LIB
|
||||
{ "libsss_config.so", { LIBPFX"libsss_config.so", NULL } },
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,39 +0,0 @@
|
||||
From be0fb81d4720c590269d0fc747fcb31f53791bef Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 7 Apr 2015 09:47:17 +0200
|
||||
Subject: [PATCH 16/30] ad_opts: Use different default attribute for group name
|
||||
|
||||
The MSFT docs [1,2] for LDAP attributes says:
|
||||
samAccountName is mandotory for 'user' and 'group' objectclasses
|
||||
via the 'Security-Principal' aux-class
|
||||
|
||||
name is part of the 'top' class and *not* mandatory for 'user' or 'group'.
|
||||
|
||||
[1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
|
||||
[2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/2593
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit b83620d6a2aaf988b353969ae12a47a616250f47)
|
||||
---
|
||||
src/providers/ad/ad_opts.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
|
||||
index 4c287021c2d901999602621a4fe3b7af9c6b8c35..b03c74612d3141170dac84ab805529184fec5a49 100644
|
||||
--- a/src/providers/ad/ad_opts.h
|
||||
+++ b/src/providers/ad/ad_opts.h
|
||||
@@ -221,7 +221,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = {
|
||||
struct sdap_attr_map ad_2008r2_group_map[] = {
|
||||
{ "ldap_group_object_class", "group", SYSDB_GROUP_CLASS, NULL },
|
||||
{ "ldap_group_object_class_alt", NULL, SYSDB_GROUP_CLASS, NULL },
|
||||
- { "ldap_group_name", "name", SYSDB_NAME, NULL },
|
||||
+ { "ldap_group_name", "sAMAccountName", SYSDB_NAME, NULL },
|
||||
{ "ldap_group_pwd", NULL, SYSDB_PWD, NULL },
|
||||
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
|
||||
{ "ldap_group_member", "member", SYSDB_MEMBER, NULL },
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,207 +0,0 @@
|
||||
From 0e5aa8439679a86c55694a49a3f123cba9a3c9e4 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 12 Feb 2015 21:53:15 +0100
|
||||
Subject: [PATCH 17/30] Add leak check and command line option to test_authtok
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit 80b5dbe123ec94c5a8fcb99f9a4953c1513deb58)
|
||||
---
|
||||
Makefile.am | 3 ++
|
||||
src/tests/cmocka/test_authtok.c | 67 +++++++++++++++++++++++++++++++++++------
|
||||
2 files changed, 60 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 7aa44d7dfc3a01334d6d4e68c96095df66dee324..46c42171ab89a5c570858b85d9c3e5a7ef2ba0ce 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1864,11 +1864,14 @@ test_authtok_SOURCES = \
|
||||
test_authtok_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
$(TALLOC_CFLAGS) \
|
||||
+ $(POPT_CFLAGS) \
|
||||
$(DHASH_CFLAGS)
|
||||
test_authtok_LDADD = \
|
||||
$(TALLOC_LIBS) \
|
||||
$(CMOCKA_LIBS) \
|
||||
$(DHASH_LIBS) \
|
||||
+ $(POPT_LIBS) \
|
||||
+ libsss_test_common.la \
|
||||
libsss_debug.la
|
||||
|
||||
sss_nss_idmap_tests_SOURCES = \
|
||||
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
|
||||
index e37e92f68373d564f53b1267f078ea89c31ae051..0c7b7197fb2c03d69dc4df2310229ea100ad28d4 100644
|
||||
--- a/src/tests/cmocka/test_authtok.c
|
||||
+++ b/src/tests/cmocka/test_authtok.c
|
||||
@@ -22,11 +22,10 @@
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
-#include <stdarg.h>
|
||||
-#include <stddef.h>
|
||||
-#include <setjmp.h>
|
||||
-#include <cmocka.h>
|
||||
#include <string.h>
|
||||
+#include <popt.h>
|
||||
+
|
||||
+#include "tests/cmocka/common_mock.h"
|
||||
|
||||
#include "util/authtok.h"
|
||||
|
||||
@@ -39,12 +38,15 @@ static int setup(void **state)
|
||||
{
|
||||
struct test_state *ts = NULL;
|
||||
|
||||
- ts = talloc(NULL, struct test_state);
|
||||
+ assert_true(leak_check_setup());
|
||||
+
|
||||
+ ts = talloc(global_talloc_context, struct test_state);
|
||||
assert_non_null(ts);
|
||||
|
||||
ts->authtoken = sss_authtok_new(ts);
|
||||
assert_non_null(ts->authtoken);
|
||||
|
||||
+ check_leaks_push(ts);
|
||||
*state = (void *)ts;
|
||||
return 0;
|
||||
}
|
||||
@@ -52,7 +54,12 @@ static int setup(void **state)
|
||||
static int teardown(void **state)
|
||||
{
|
||||
struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
|
||||
+
|
||||
+ assert_non_null(ts);
|
||||
+
|
||||
+ assert_true(check_leaks_pop(ts) == true);
|
||||
talloc_free(ts);
|
||||
+ assert_true(leak_check_teardown());
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -85,7 +92,7 @@ static void test_sss_authtok_password(void **state)
|
||||
{
|
||||
size_t len;
|
||||
errno_t ret;
|
||||
- const char *data;
|
||||
+ char *data;
|
||||
size_t ret_len;
|
||||
const char *pwd;
|
||||
struct test_state *ts;
|
||||
@@ -117,6 +124,9 @@ static void test_sss_authtok_password(void **state)
|
||||
assert_int_equal(ret, EOK);
|
||||
assert_string_equal(data, pwd);
|
||||
assert_int_equal(len - 1, ret_len);
|
||||
+
|
||||
+ talloc_free(data);
|
||||
+ sss_authtok_set_empty(ts->authtoken);
|
||||
}
|
||||
|
||||
/* Test when type has value SSS_AUTHTOK_TYPE_CCFILE */
|
||||
@@ -124,7 +134,7 @@ static void test_sss_authtok_ccfile(void **state)
|
||||
{
|
||||
size_t len;
|
||||
errno_t ret;
|
||||
- const char *data;
|
||||
+ char *data;
|
||||
size_t ret_len;
|
||||
const char *pwd;
|
||||
struct test_state *ts;
|
||||
@@ -172,6 +182,9 @@ static void test_sss_authtok_ccfile(void **state)
|
||||
assert_int_equal(ret, EOK);
|
||||
assert_string_equal(data, pwd);
|
||||
assert_int_equal(len - 1, ret_len);
|
||||
+
|
||||
+ talloc_free(data);
|
||||
+ sss_authtok_set_empty(ts->authtoken);
|
||||
}
|
||||
|
||||
/* Test when type has value SSS_AUTHTOK_TYPE_EMPTY */
|
||||
@@ -226,7 +239,7 @@ static void test_sss_authtok_wipe_password(void **state)
|
||||
{
|
||||
size_t len;
|
||||
errno_t ret;
|
||||
- const char *data;
|
||||
+ char *data;
|
||||
size_t ret_len;
|
||||
const char *pwd;
|
||||
struct test_state *ts;
|
||||
@@ -249,13 +262,16 @@ static void test_sss_authtok_wipe_password(void **state)
|
||||
assert_int_equal(ret, EOK);
|
||||
assert_string_equal(pwd, "");
|
||||
assert_int_equal(len - 1, ret_len);
|
||||
+
|
||||
+ sss_authtok_set_empty(ts->authtoken);
|
||||
+ talloc_free(data);
|
||||
}
|
||||
|
||||
static void test_sss_authtok_copy(void **state)
|
||||
{
|
||||
size_t len;
|
||||
errno_t ret;
|
||||
- const char *data;
|
||||
+ char *data;
|
||||
struct test_state *ts;
|
||||
enum sss_authtok_type type;
|
||||
struct sss_auth_token *dest_authtoken;
|
||||
@@ -276,6 +292,7 @@ static void test_sss_authtok_copy(void **state)
|
||||
assert_int_equal(EOK, sss_authtok_copy(ts->authtoken, dest_authtoken));
|
||||
assert_int_equal(type, sss_authtok_get_type(dest_authtoken));
|
||||
|
||||
+ sss_authtok_set_empty(dest_authtoken);
|
||||
type = SSS_AUTHTOK_TYPE_PASSWORD;
|
||||
ret = sss_authtok_set(ts->authtoken, type, (const uint8_t *)data, len);
|
||||
|
||||
@@ -287,10 +304,23 @@ static void test_sss_authtok_copy(void **state)
|
||||
assert_int_equal(type, sss_authtok_get_type(dest_authtoken));
|
||||
assert_string_equal(data, sss_authtok_get_data(dest_authtoken));
|
||||
assert_int_equal(len, sss_authtok_get_size(dest_authtoken));
|
||||
+
|
||||
+ sss_authtok_set_empty(dest_authtoken);
|
||||
+ talloc_free(dest_authtoken);
|
||||
+ sss_authtok_set_empty(ts->authtoken);
|
||||
+ talloc_free(data);
|
||||
}
|
||||
|
||||
-int main(void)
|
||||
+int main(int argc, const char *argv[])
|
||||
{
|
||||
+ poptContext pc;
|
||||
+ int opt;
|
||||
+ struct poptOption long_options[] = {
|
||||
+ POPT_AUTOHELP
|
||||
+ SSSD_DEBUG_OPTS
|
||||
+ POPT_TABLEEND
|
||||
+ };
|
||||
+
|
||||
const struct CMUnitTest tests[] = {
|
||||
cmocka_unit_test_setup_teardown(test_sss_authtok_new,
|
||||
setup, teardown),
|
||||
@@ -306,5 +336,22 @@ int main(void)
|
||||
setup, teardown)
|
||||
};
|
||||
|
||||
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
+ debug_level = SSSDBG_INVALID;
|
||||
+
|
||||
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
|
||||
+ while((opt = poptGetNextOpt(pc)) != -1) {
|
||||
+ switch(opt) {
|
||||
+ default:
|
||||
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
|
||||
+ poptBadOption(pc, 0), poptStrerror(opt));
|
||||
+ poptPrintUsage(pc, stderr, 0);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ }
|
||||
+ poptFreeContext(pc);
|
||||
+
|
||||
+ DEBUG_CLI_INIT(debug_level);
|
||||
+
|
||||
return cmocka_run_group_tests(tests, NULL, NULL);
|
||||
}
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,765 +0,0 @@
|
||||
From 4b0dc81aacba3317ccf6e79ce69e4331e74c3d1f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 7 Jan 2015 18:11:16 +0100
|
||||
Subject: [PATCH 18/30] utils: add sss_authtok_[gs]et_2fa
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit bc052ea17d858c19f9cb9c9e2bc602e754f68831)
|
||||
---
|
||||
Makefile.am | 5 ++
|
||||
src/sss_client/pam_sss.c | 1 +
|
||||
src/sss_client/sss_cli.h | 3 +
|
||||
src/tests/cmocka/test_authtok.c | 189 +++++++++++++++++++++++++++++++++++++++-
|
||||
src/util/authtok-utils.c | 74 ++++++++++++++++
|
||||
src/util/authtok-utils.h | 70 +++++++++++++++
|
||||
src/util/authtok.c | 181 ++++++++++++++++++++++++++++++++++++++
|
||||
src/util/authtok.h | 44 ++++++++++
|
||||
8 files changed, 564 insertions(+), 3 deletions(-)
|
||||
create mode 100644 src/util/authtok-utils.c
|
||||
create mode 100644 src/util/authtok-utils.h
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 46c42171ab89a5c570858b85d9c3e5a7ef2ba0ce..d3fea94b206a538b86a0fb119ed186947fa8d8e6 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -519,6 +519,7 @@ dist_noinst_HEADERS = \
|
||||
src/util/atomic_io.h \
|
||||
src/util/auth_utils.h \
|
||||
src/util/authtok.h \
|
||||
+ src/util/authtok-utils.h \
|
||||
src/util/util_safealign.h \
|
||||
src/util/util_sss_idmap.h \
|
||||
src/monitor/monitor.h \
|
||||
@@ -752,6 +753,7 @@ libsss_util_la_SOURCES = \
|
||||
src/util/murmurhash3.c \
|
||||
src/util/atomic_io.c \
|
||||
src/util/authtok.c \
|
||||
+ src/util/authtok-utils.c \
|
||||
src/util/sss_selinux.c \
|
||||
src/util/domain_info_utils.c \
|
||||
src/util/util_lock.c \
|
||||
@@ -1860,6 +1862,7 @@ test_negcache_LDADD = \
|
||||
test_authtok_SOURCES = \
|
||||
src/tests/cmocka/test_authtok.c \
|
||||
src/util/authtok.c \
|
||||
+ src/util/authtok-utils.c \
|
||||
src/util/util.c
|
||||
test_authtok_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
@@ -2711,6 +2714,7 @@ krb5_child_SOURCES = \
|
||||
src/util/find_uid.c \
|
||||
src/util/atomic_io.c \
|
||||
src/util/authtok.c \
|
||||
+ src/util/authtok-utils.c \
|
||||
src/util/util.c \
|
||||
src/util/signal.c \
|
||||
src/util/strtonum.c \
|
||||
@@ -2742,6 +2746,7 @@ ldap_child_SOURCES = \
|
||||
src/util/sss_krb5.c \
|
||||
src/util/atomic_io.c \
|
||||
src/util/authtok.c \
|
||||
+ src/util/authtok-utils.c \
|
||||
src/util/util.c \
|
||||
src/util/signal.c \
|
||||
src/util/become_user.c \
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index 28a36d5af95297b394a74f39d6614f48831bb901..4007d125e34932dfb5ac6bc840f4d25306e3008f 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -41,6 +41,7 @@
|
||||
|
||||
#include "sss_cli.h"
|
||||
#include "util/atomic_io.h"
|
||||
+#include "util/authtok-utils.h"
|
||||
|
||||
#include <libintl.h>
|
||||
#define _(STRING) dgettext (PACKAGE, STRING)
|
||||
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
||||
index d508a0671cd1b3ee087e0967f7015628ceabe20f..9a19d7d47d0a9d7dabeac36dc2c866c3420ef501 100644
|
||||
--- a/src/sss_client/sss_cli.h
|
||||
+++ b/src/sss_client/sss_cli.h
|
||||
@@ -301,6 +301,9 @@ enum sss_authtok_type {
|
||||
* a Kerberos credential cache file,
|
||||
* it may or may no contain
|
||||
* a trailing \\0 */
|
||||
+ SSS_AUTHTOK_TYPE_2FA = 0x0003, /**< Authentication token has two
|
||||
+ * factors, they may or may no contain
|
||||
+ * a trailing \\0 */
|
||||
};
|
||||
|
||||
/**
|
||||
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
|
||||
index 0c7b7197fb2c03d69dc4df2310229ea100ad28d4..5aa47c7b6b8c955666a9c73d5f9627d6378d13e0 100644
|
||||
--- a/src/tests/cmocka/test_authtok.c
|
||||
+++ b/src/tests/cmocka/test_authtok.c
|
||||
@@ -57,7 +57,7 @@ static int teardown(void **state)
|
||||
|
||||
assert_non_null(ts);
|
||||
|
||||
- assert_true(check_leaks_pop(ts) == true);
|
||||
+ assert_true(check_leaks_pop(ts));
|
||||
talloc_free(ts);
|
||||
assert_true(leak_check_teardown());
|
||||
return 0;
|
||||
@@ -118,8 +118,8 @@ static void test_sss_authtok_password(void **state)
|
||||
assert_int_equal(len - 1, ret_len);
|
||||
|
||||
ret = sss_authtok_set_password(ts->authtoken, data, len);
|
||||
-
|
||||
assert_int_equal(ret, EOK);
|
||||
+
|
||||
ret = sss_authtok_get_password(ts->authtoken, &pwd, &ret_len);
|
||||
assert_int_equal(ret, EOK);
|
||||
assert_string_equal(data, pwd);
|
||||
@@ -311,6 +311,183 @@ static void test_sss_authtok_copy(void **state)
|
||||
talloc_free(data);
|
||||
}
|
||||
|
||||
+void test_sss_authtok_2fa(void **state)
|
||||
+{
|
||||
+ int ret;
|
||||
+ const char *fa1;
|
||||
+ size_t fa1_size;
|
||||
+ const char *fa2;
|
||||
+ size_t fa2_size;
|
||||
+ struct test_state *ts;
|
||||
+
|
||||
+ ts = talloc_get_type_abort(*state, struct test_state);
|
||||
+
|
||||
+ ret = sss_authtok_set_2fa(NULL, "a", 0, "b", 0);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ /* Test missing first factor */
|
||||
+ ret = sss_authtok_set_2fa(ts->authtoken, NULL, 1, "b", 1);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+ /* Test missing second factor */
|
||||
+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, NULL, 1);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+ /* Test wrong first factor length */
|
||||
+ ret = sss_authtok_set_2fa(ts->authtoken, "ab", 1, "b", 1);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+ /* Test wrong second factor length */
|
||||
+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, "bc", 1);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, "bc", 2);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_int_equal(sss_authtok_get_size(ts->authtoken),
|
||||
+ 2 * sizeof(uint32_t) + 5);
|
||||
+ assert_int_equal(sss_authtok_get_type(ts->authtoken), SSS_AUTHTOK_TYPE_2FA);
|
||||
+#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken),
|
||||
+ "\2\0\0\0\3\0\0\0a\0bc\0",
|
||||
+ 2 * sizeof(uint32_t) + 5);
|
||||
+#else
|
||||
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken),
|
||||
+ "\0\0\0\2\0\0\0\3a\0bc\0",
|
||||
+ 2 * sizeof(uint32_t) + 5);
|
||||
+#endif
|
||||
+
|
||||
+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_int_equal(fa1_size, 1);
|
||||
+ assert_string_equal(fa1, "a");
|
||||
+ assert_int_equal(fa2_size, 2);
|
||||
+ assert_string_equal(fa2, "bc");
|
||||
+
|
||||
+ sss_authtok_set_empty(ts->authtoken);
|
||||
+
|
||||
+ /* check return code of empty token */
|
||||
+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size);
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+
|
||||
+ /* check return code for other token type */
|
||||
+ ret = sss_authtok_set_password(ts->authtoken, "abc", 0);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size);
|
||||
+ assert_int_equal(ret, EACCES);
|
||||
+
|
||||
+ sss_authtok_set_empty(ts->authtoken);
|
||||
+
|
||||
+ /* check return code for garbage */
|
||||
+ ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_2FA,
|
||||
+ (const uint8_t *) "1111222233334444", 16);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ sss_authtok_set_empty(ts->authtoken);
|
||||
+}
|
||||
+
|
||||
+void test_sss_authtok_2fa_blobs(void **state)
|
||||
+{
|
||||
+ int ret;
|
||||
+ struct test_state *ts;
|
||||
+ size_t needed_size;
|
||||
+ uint8_t *buf;
|
||||
+ char *fa1;
|
||||
+ size_t fa1_len;
|
||||
+ char *fa2;
|
||||
+ size_t fa2_len;
|
||||
+
|
||||
+ ts = talloc_get_type_abort(*state, struct test_state);
|
||||
+
|
||||
+ ret = sss_auth_pack_2fa_blob(NULL, 0, "defg", 0, NULL, 0, &needed_size);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ ret = sss_auth_pack_2fa_blob("abc", 0, NULL, 0, NULL, 0, &needed_size);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ ret = sss_auth_pack_2fa_blob("", 0, "defg", 0, NULL, 0, &needed_size);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ ret = sss_auth_pack_2fa_blob("abc", 0, "", 0, NULL, 0, &needed_size);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ ret = sss_auth_pack_2fa_blob("abc", 0, "defg", 0, NULL, 0, &needed_size);
|
||||
+ assert_int_equal(ret, EAGAIN);
|
||||
+
|
||||
+ buf = talloc_size(ts, needed_size);
|
||||
+ assert_non_null(buf);
|
||||
+
|
||||
+ ret = sss_auth_pack_2fa_blob("abc", 0, "defg", 0, buf, needed_size,
|
||||
+ &needed_size);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
+ assert_memory_equal(buf, "\4\0\0\0\5\0\0\0abc\0defg\0", needed_size);
|
||||
+#else
|
||||
+ assert_memory_equal(buf, "\0\0\0\4\0\0\0\5abc\0defg\0", needed_size);
|
||||
+#endif
|
||||
+
|
||||
+ ret = sss_auth_unpack_2fa_blob(ts, buf, needed_size, &fa1, &fa1_len, &fa2,
|
||||
+ &fa2_len);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_int_equal(fa1_len, 3);
|
||||
+ assert_string_equal(fa1, "abc");
|
||||
+ assert_int_equal(fa2_len, 4);
|
||||
+ assert_string_equal(fa2, "defg");
|
||||
+
|
||||
+ talloc_free(buf);
|
||||
+ talloc_free(fa1);
|
||||
+ talloc_free(fa2);
|
||||
+}
|
||||
+
|
||||
+#define MISSING_NULL_CHECK do { \
|
||||
+ assert_int_equal(ret, EOK); \
|
||||
+ assert_int_equal(fa1_len, 3); \
|
||||
+ assert_string_equal(fa1, "abc"); \
|
||||
+ assert_int_equal(fa2_len, 4); \
|
||||
+ assert_string_equal(fa2, "defg"); \
|
||||
+ \
|
||||
+ talloc_free(fa1); \
|
||||
+ talloc_free(fa2); \
|
||||
+} while (0)
|
||||
+
|
||||
+void test_sss_authtok_2fa_blobs_missing_null(void **state)
|
||||
+{
|
||||
+ int ret;
|
||||
+ struct test_state *ts;
|
||||
+ char *fa1;
|
||||
+ size_t fa1_len;
|
||||
+ char *fa2;
|
||||
+ size_t fa2_len;
|
||||
+#if __BYTE_ORDER == __LITTLE_ENDIAN
|
||||
+ uint8_t b0[] = {0x04, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g', 0x00};
|
||||
+ uint8_t b1[] = {0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x00};
|
||||
+ uint8_t b2[] = {0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g'};
|
||||
+ uint8_t b3[] = {0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g'};
|
||||
+#else
|
||||
+ uint8_t b0[] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g', 0x00};
|
||||
+ uint8_t b1[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x00};
|
||||
+ uint8_t b2[] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g'};
|
||||
+ uint8_t b3[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 'd', 'e', 'f', 'g'};
|
||||
+#endif
|
||||
+
|
||||
+
|
||||
+ ts = talloc_get_type_abort(*state, struct test_state);
|
||||
+
|
||||
+ ret = sss_auth_unpack_2fa_blob(ts, b0, sizeof(b0), &fa1, &fa1_len, &fa2,
|
||||
+ &fa2_len);
|
||||
+ MISSING_NULL_CHECK;
|
||||
+
|
||||
+ ret = sss_auth_unpack_2fa_blob(ts, b1, sizeof(b1), &fa1, &fa1_len, &fa2,
|
||||
+ &fa2_len);
|
||||
+ MISSING_NULL_CHECK;
|
||||
+
|
||||
+ ret = sss_auth_unpack_2fa_blob(ts, b2, sizeof(b2), &fa1, &fa1_len, &fa2,
|
||||
+ &fa2_len);
|
||||
+ MISSING_NULL_CHECK;
|
||||
+
|
||||
+ ret = sss_auth_unpack_2fa_blob(ts, b3, sizeof(b3), &fa1, &fa1_len, &fa2,
|
||||
+ &fa2_len);
|
||||
+ MISSING_NULL_CHECK;
|
||||
+}
|
||||
+
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
poptContext pc;
|
||||
@@ -333,7 +510,13 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_sss_authtok_wipe_password,
|
||||
setup, teardown),
|
||||
cmocka_unit_test_setup_teardown(test_sss_authtok_copy,
|
||||
- setup, teardown)
|
||||
+ setup, teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa,
|
||||
+ setup, teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs,
|
||||
+ setup, teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs_missing_null,
|
||||
+ setup, teardown),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..65fba9022db11786c0c7e4dcab6fec89c9e0cb19
|
||||
--- /dev/null
|
||||
+++ b/src/util/authtok-utils.c
|
||||
@@ -0,0 +1,74 @@
|
||||
+/*
|
||||
+ SSSD - auth utils helpers
|
||||
+
|
||||
+ Copyright (C) Sumit Bose <sbose@redhat.com> 2015
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+/* This file is use by SSSD clients and the main daemons. Please do not add
|
||||
+ * code which is specific to only one of them. */
|
||||
+
|
||||
+#include <errno.h>
|
||||
+
|
||||
+#include "sss_client/sss_cli.h"
|
||||
+
|
||||
+errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len,
|
||||
+ const char *fa2, size_t fa2_len,
|
||||
+ uint8_t *buf, size_t buf_len,
|
||||
+ size_t *_2fa_blob_len)
|
||||
+{
|
||||
+ size_t c;
|
||||
+ uint32_t tmp_uint32_t;
|
||||
+
|
||||
+ if (fa1 == NULL || *fa1 == '\0' || fa1_len > UINT32_MAX
|
||||
+ || fa2 == NULL || *fa2 == '\0' || fa2_len > UINT32_MAX
|
||||
+ || (buf == NULL && buf_len != 0)) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ if (fa1_len == 0) {
|
||||
+ fa1_len = strlen(fa1);
|
||||
+ } else {
|
||||
+ if (fa1[fa1_len] != '\0') {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (fa2_len == 0) {
|
||||
+ fa2_len = strlen(fa2);
|
||||
+ } else {
|
||||
+ if (fa2[fa2_len] != '\0') {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *_2fa_blob_len = fa1_len + fa2_len + 2 + 2 * sizeof(uint32_t);
|
||||
+ if (buf == NULL || buf_len < *_2fa_blob_len) {
|
||||
+ return EAGAIN;
|
||||
+ }
|
||||
+
|
||||
+ c = 0;
|
||||
+ tmp_uint32_t = (uint32_t) fa1_len + 1;
|
||||
+ SAFEALIGN_COPY_UINT32(buf, &tmp_uint32_t, &c);
|
||||
+ tmp_uint32_t = (uint32_t) fa2_len + 1;
|
||||
+ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c);
|
||||
+
|
||||
+ memcpy(buf + c, fa1, fa1_len + 1);
|
||||
+ c += fa1_len + 1;
|
||||
+
|
||||
+ memcpy(buf + c, fa2, fa2_len + 1);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..07aef3c18395d6e967289f6e345f27e9ee868da2
|
||||
--- /dev/null
|
||||
+++ b/src/util/authtok-utils.h
|
||||
@@ -0,0 +1,70 @@
|
||||
+/*
|
||||
+ SSSD - auth utils helpers
|
||||
+
|
||||
+ Copyright (C) Sumit Bose <simo@redhat.com> 2015
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#ifndef __AUTHTOK_UTILS_H__
|
||||
+#define __AUTHTOK_UTILS_H__
|
||||
+
|
||||
+#include <talloc.h>
|
||||
+
|
||||
+#include "sss_client/sss_cli.h"
|
||||
+
|
||||
+/**
|
||||
+ * @brief Fill memory buffer with 2FA blob
|
||||
+ *
|
||||
+ * @param[in] fa1 First authentication factor, null terminated
|
||||
+ * @param[in] fa1_len Length of the first authentication factor, if 0
|
||||
+ * strlen() will be called internally
|
||||
+ * @param[in] fa2 Second authentication factor, null terminated
|
||||
+ * @param[in] fa2_len Length of the second authentication factor, if 0
|
||||
+ * strlen() will be called internally
|
||||
+ * @param[in] buf memory buffer of size buf_len
|
||||
+ * @param[in] buf_len size of memory buffer buf
|
||||
+ *
|
||||
+ * @param[out] _2fa_blob_len size of the 2FA blob
|
||||
+ *
|
||||
+ * @return EOK on success
|
||||
+ * EINVAL if input data is not consistent
|
||||
+ * EAGAIN if provided buffer is too small, _2fa_blob_len
|
||||
+ * contains the size needed to store the 2FA blob
|
||||
+ */
|
||||
+errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len,
|
||||
+ const char *fa2, size_t fa2_len,
|
||||
+ uint8_t *buf, size_t buf_len,
|
||||
+ size_t *_2fa_blob_len);
|
||||
+
|
||||
+/**
|
||||
+ * @brief Extract 2FA data from memory buffer
|
||||
+ *
|
||||
+ * @param[in] mem_ctx Talloc memory context to allocate the 2FA data on
|
||||
+ * @param[in] blob Memory buffer containing the 2FA data
|
||||
+ * @param[in] blob_len Size of the memory buffer
|
||||
+ * @param[out] _fa1 First authentication factor, null terminated
|
||||
+ * @param[out] _fa1_len Length of the first authentication factor
|
||||
+ * @param[out] _fa2 Second authentication factor, null terminated
|
||||
+ * @param[out] _fa2_len Length of the second authentication factor
|
||||
+ *
|
||||
+ * @return EOK on success
|
||||
+ * EINVAL if input data is not consistent
|
||||
+ * EINVAL if no memory can be allocated
|
||||
+ */
|
||||
+errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx,
|
||||
+ const uint8_t *blob, size_t blob_len,
|
||||
+ char **fa1, size_t *_fa1_len,
|
||||
+ char **fa2, size_t *_fa2_len);
|
||||
+#endif /* __AUTHTOK_UTILS_H__ */
|
||||
diff --git a/src/util/authtok.c b/src/util/authtok.c
|
||||
index b7bc17ed0cdc5cfee7f455b0d7047803e628274a..45761df80175fded8a6c6e5dac8a90180b11d225 100644
|
||||
--- a/src/util/authtok.c
|
||||
+++ b/src/util/authtok.c
|
||||
@@ -38,6 +38,7 @@ size_t sss_authtok_get_size(struct sss_auth_token *tok)
|
||||
switch (tok->type) {
|
||||
case SSS_AUTHTOK_TYPE_PASSWORD:
|
||||
case SSS_AUTHTOK_TYPE_CCFILE:
|
||||
+ case SSS_AUTHTOK_TYPE_2FA:
|
||||
return tok->length;
|
||||
case SSS_AUTHTOK_TYPE_EMPTY:
|
||||
return 0;
|
||||
@@ -70,6 +71,7 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok,
|
||||
}
|
||||
return EOK;
|
||||
case SSS_AUTHTOK_TYPE_CCFILE:
|
||||
+ case SSS_AUTHTOK_TYPE_2FA:
|
||||
return EACCES;
|
||||
}
|
||||
|
||||
@@ -92,6 +94,7 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok,
|
||||
}
|
||||
return EOK;
|
||||
case SSS_AUTHTOK_TYPE_PASSWORD:
|
||||
+ case SSS_AUTHTOK_TYPE_2FA:
|
||||
return EACCES;
|
||||
}
|
||||
|
||||
@@ -140,6 +143,7 @@ void sss_authtok_set_empty(struct sss_auth_token *tok)
|
||||
case SSS_AUTHTOK_TYPE_EMPTY:
|
||||
return;
|
||||
case SSS_AUTHTOK_TYPE_PASSWORD:
|
||||
+ case SSS_AUTHTOK_TYPE_2FA:
|
||||
safezero(tok->data, tok->length);
|
||||
break;
|
||||
case SSS_AUTHTOK_TYPE_CCFILE:
|
||||
@@ -169,6 +173,9 @@ errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok,
|
||||
"ccfile", ccfile, len);
|
||||
}
|
||||
|
||||
+static errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok,
|
||||
+ const uint8_t *data, size_t len);
|
||||
+
|
||||
errno_t sss_authtok_set(struct sss_auth_token *tok,
|
||||
enum sss_authtok_type type,
|
||||
const uint8_t *data, size_t len)
|
||||
@@ -178,6 +185,8 @@ errno_t sss_authtok_set(struct sss_auth_token *tok,
|
||||
return sss_authtok_set_password(tok, (const char *)data, len);
|
||||
case SSS_AUTHTOK_TYPE_CCFILE:
|
||||
return sss_authtok_set_ccfile(tok, (const char *)data, len);
|
||||
+ case SSS_AUTHTOK_TYPE_2FA:
|
||||
+ return sss_authtok_set_2fa_from_blob(tok, data, len);
|
||||
case SSS_AUTHTOK_TYPE_EMPTY:
|
||||
sss_authtok_set_empty(tok);
|
||||
return EOK;
|
||||
@@ -230,3 +239,175 @@ void sss_authtok_wipe_password(struct sss_auth_token *tok)
|
||||
safezero(tok->data, tok->length);
|
||||
}
|
||||
|
||||
+errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx,
|
||||
+ const uint8_t *blob, size_t blob_len,
|
||||
+ char **fa1, size_t *_fa1_len,
|
||||
+ char **fa2, size_t *_fa2_len)
|
||||
+{
|
||||
+ size_t c;
|
||||
+ uint32_t fa1_len;
|
||||
+ uint32_t fa2_len;
|
||||
+
|
||||
+ if (blob_len < 2 * sizeof(uint32_t)) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ c = 0;
|
||||
+ SAFEALIGN_COPY_UINT32(&fa1_len, blob, &c);
|
||||
+ SAFEALIGN_COPY_UINT32(&fa2_len, blob + c, &c);
|
||||
+
|
||||
+ if (blob_len != 2 * sizeof(uint32_t) + fa1_len + fa2_len) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ if (fa1_len != 0) {
|
||||
+ *fa1 = talloc_strndup(mem_ctx, (const char *) blob + c, fa1_len);
|
||||
+ if (*fa1 == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ } else {
|
||||
+ *fa1 = NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (fa2_len != 0) {
|
||||
+ *fa2 = talloc_strndup(mem_ctx, (const char *) blob + c + fa1_len,
|
||||
+ fa2_len);
|
||||
+ if (*fa2 == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
+ talloc_free(*fa1);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ } else {
|
||||
+ *fa2 = NULL;
|
||||
+ }
|
||||
+
|
||||
+ /* Re-calculate length for the case where \0 was missing in the blob */
|
||||
+ *_fa1_len = (*fa1 == NULL) ? 0 : strlen(*fa1);
|
||||
+ *_fa2_len = (*fa2 == NULL) ? 0 : strlen(*fa2);
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+static errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok,
|
||||
+ const uint8_t *data, size_t len)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ int ret;
|
||||
+ char *fa1;
|
||||
+ size_t fa1_len;
|
||||
+ char *fa2;
|
||||
+ size_t fa2_len;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_auth_unpack_2fa_blob(tmp_ctx, data, len, &fa1, &fa1_len,
|
||||
+ &fa2, &fa2_len);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_2fa_blob failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_authtok_set_2fa(tok, fa1, fa1_len, fa2, fa2_len);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_set_2fa failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+
|
||||
+ if (ret != EOK) {
|
||||
+ sss_authtok_set_empty(tok);
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+errno_t sss_authtok_get_2fa(struct sss_auth_token *tok,
|
||||
+ const char **fa1, size_t *fa1_len,
|
||||
+ const char **fa2, size_t *fa2_len)
|
||||
+{
|
||||
+ size_t c;
|
||||
+ uint32_t tmp_uint32_t;
|
||||
+
|
||||
+ if (tok->type != SSS_AUTHTOK_TYPE_2FA) {
|
||||
+ return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? ENOENT : EACCES;
|
||||
+ }
|
||||
+
|
||||
+ if (tok->length < 2 * sizeof(uint32_t)) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ c = 0;
|
||||
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data, &c);
|
||||
+ *fa1_len = tmp_uint32_t - 1;
|
||||
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
|
||||
+ *fa2_len = tmp_uint32_t - 1;
|
||||
+
|
||||
+ if (*fa1_len == 0 || *fa2_len == 0
|
||||
+ || tok->length != 2 * sizeof(uint32_t) + *fa1_len + *fa2_len + 2) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ if (tok->data[c + *fa1_len] != '\0'
|
||||
+ || tok->data[c + *fa1_len + 1 + *fa2_len] != '\0') {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing terminating null character.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ *fa1 = (const char *) tok->data + c;
|
||||
+ *fa2 = (const char *) tok->data + c + *fa1_len + 1;
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
|
||||
+ const char *fa1, size_t fa1_len,
|
||||
+ const char *fa2, size_t fa2_len)
|
||||
+{
|
||||
+ int ret;
|
||||
+ size_t needed_size;
|
||||
+
|
||||
+ if (tok == NULL) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ sss_authtok_set_empty(tok);
|
||||
+
|
||||
+ ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, NULL, 0,
|
||||
+ &needed_size);
|
||||
+ if (ret != EAGAIN) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "sss_auth_pack_2fa_blob unexpectedly returned [%d].\n", ret);
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ tok->data = talloc_size(tok, needed_size);
|
||||
+ if (tok->data == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, tok->data,
|
||||
+ needed_size, &needed_size);
|
||||
+ if (ret != EOK) {
|
||||
+ talloc_free(tok->data);
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_2fa_blob failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+ tok->length = needed_size;
|
||||
+ tok->type = SSS_AUTHTOK_TYPE_2FA;
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
diff --git a/src/util/authtok.h b/src/util/authtok.h
|
||||
index 1f6def4c3b6a1cbf6c4f34bb76c496ddae6f9d5f..cb366270832852281a222018f8e27feb1500ff01 100644
|
||||
--- a/src/util/authtok.h
|
||||
+++ b/src/util/authtok.h
|
||||
@@ -21,6 +21,7 @@
|
||||
#define __AUTHTOK_H__
|
||||
|
||||
#include "util/util.h"
|
||||
+#include "util/authtok-utils.h"
|
||||
#include "sss_client/sss_cli.h"
|
||||
|
||||
/* Use sss_authtok_* accesor functions instead of struct sss_auth_token
|
||||
@@ -179,4 +180,47 @@ void sss_authtok_wipe_password(struct sss_auth_token *tok);
|
||||
*/
|
||||
struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx);
|
||||
|
||||
+/**
|
||||
+ * @brief Set authtoken with 2FA data
|
||||
+ *
|
||||
+ * @param tok A pointer to a sss_auth_token structure to change, also
|
||||
+ * used as a memory context to allocate the internal data.
|
||||
+ * @param[in] fa1 First authentication factor, null terminated
|
||||
+ * @param[in] fa1_len Length of the first authentication factor, if 0
|
||||
+ * strlen() will be called internally
|
||||
+ * @param[in] fa2 Second authentication factor, null terminated
|
||||
+ * @param[in] fa2_len Length of the second authentication factor, if 0
|
||||
+ * strlen() will be called internally
|
||||
+ *
|
||||
+ * @return EOK on success
|
||||
+ * ENOMEM if memory allocation failed
|
||||
+ * EINVAL if input data is not consistent
|
||||
+ */
|
||||
+errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
|
||||
+ const char *fa1, size_t fa1_len,
|
||||
+ const char *fa2, size_t fa2_len);
|
||||
+
|
||||
+/**
|
||||
+ * @brief Get 2FA factors from authtoken
|
||||
+ *
|
||||
+ * @param tok A pointer to a sss_auth_token structure to change, also
|
||||
+ * used as a memory context to allocate the internal data.
|
||||
+ * @param[out] fa1 A pointer to a const char *, that will point to a
|
||||
+ * null terminated string holding the first
|
||||
+ * authentication factor, may not be modified or freed
|
||||
+ * @param[out] fa1_len Length of the first authentication factor
|
||||
+ * @param[out] fa2 A pointer to a const char *, that will point to a
|
||||
+ * null terminated string holding the second
|
||||
+ * authentication factor, may not be modified or freed
|
||||
+ * @param[out] fa2_len Length of the second authentication factor
|
||||
+ *
|
||||
+ * @return EOK on success
|
||||
+ * ENOMEM if memory allocation failed
|
||||
+ * EINVAL if input data is not consistent
|
||||
+ * ENOENT if the token is empty
|
||||
+ * EACCESS if the token is not a 2FA token
|
||||
+ */
|
||||
+errno_t sss_authtok_get_2fa(struct sss_auth_token *tok,
|
||||
+ const char **fa1, size_t *fa1_len,
|
||||
+ const char **fa2, size_t *fa2_len);
|
||||
#endif /* __AUTHTOK_H__ */
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 2860a08f325cd0d190f6ca02423b77ff8a4808f4 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 8 Jan 2015 17:10:42 +0100
|
||||
Subject: [PATCH 19/30] pam: handle 2FA authentication token in the responder
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit ea98a7af0584d7667b6c07c19a4b22942c94ca5d)
|
||||
---
|
||||
src/responder/pam/pamsrv_cmd.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index 0b54402729e77f22391c6bd17fd8c937ddea3592..2ca5aa789ab98aea9005b891be1a36ea91ab40f4 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -143,6 +143,10 @@ static int extract_authtok_v2(struct sss_auth_token *tok,
|
||||
auth_token_length);
|
||||
}
|
||||
break;
|
||||
+ case SSS_AUTHTOK_TYPE_2FA:
|
||||
+ ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA,
|
||||
+ auth_token_data, auth_token_length);
|
||||
+ break;
|
||||
default:
|
||||
return EINVAL;
|
||||
}
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,112 +0,0 @@
|
||||
From 81f4c515c85e6cb389a26a8cb10d8b2b8f6ee470 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 24 Mar 2015 17:24:50 +0100
|
||||
Subject: [PATCH 20/30] Add pre-auth request
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit fb045f6e5a9a7f8936ad6f89c28862dcd035a4fe)
|
||||
---
|
||||
src/providers/data_provider_be.c | 1 +
|
||||
src/providers/dp_pam_data_util.c | 2 ++
|
||||
src/providers/ipa/ipa_auth.c | 1 +
|
||||
src/providers/krb5/krb5_auth.c | 2 ++
|
||||
src/responder/pam/pamsrv_cmd.c | 7 +++++++
|
||||
src/sss_client/sss_cli.h | 4 ++++
|
||||
6 files changed, 17 insertions(+)
|
||||
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index 805f3ee81964ee7e7339627bb4d2a47c25218c73..1dbb63f61de07d81426832bb0304e1d5f15a4c98 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -1374,6 +1374,7 @@ static int be_pam_handler(struct sbus_request *dbus_req, void *user_data)
|
||||
|
||||
switch (pd->cmd) {
|
||||
case SSS_PAM_AUTHENTICATE:
|
||||
+ case SSS_PAM_PREAUTH:
|
||||
target = BET_AUTH;
|
||||
break;
|
||||
case SSS_PAM_ACCT_MGMT:
|
||||
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
|
||||
index 313948b369cf605c91eb608b9a394d32a1e128d1..8724bf936f3f46fb8393c8a3da57215a73b4191a 100644
|
||||
--- a/src/providers/dp_pam_data_util.c
|
||||
+++ b/src/providers/dp_pam_data_util.c
|
||||
@@ -43,6 +43,8 @@ static const char *pamcmd2str(int cmd) {
|
||||
return "PAM_CHAUTHTOK";
|
||||
case SSS_PAM_CHAUTHTOK_PRELIM:
|
||||
return "PAM_CHAUTHTOK_PRELIM";
|
||||
+ case SSS_PAM_PREAUTH:
|
||||
+ return "SSS_PAM_PREAUTH";
|
||||
default:
|
||||
return "UNKNOWN";
|
||||
}
|
||||
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
|
||||
index f9a0706be7c7fee2b8431cabad82e3c559795db4..f8badbdd16bfc4761ea177fdf5179ff2d4158080 100644
|
||||
--- a/src/providers/ipa/ipa_auth.c
|
||||
+++ b/src/providers/ipa/ipa_auth.c
|
||||
@@ -208,6 +208,7 @@ void ipa_auth(struct be_req *be_req)
|
||||
|
||||
switch (state->pd->cmd) {
|
||||
case SSS_PAM_AUTHENTICATE:
|
||||
+ case SSS_PAM_PREAUTH:
|
||||
state->ipa_auth_ctx = talloc_get_type(
|
||||
be_ctx->bet_info[BET_AUTH].pvt_bet_data,
|
||||
struct ipa_auth_ctx);
|
||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||
index 9f136041e98b9df607676c5d79799193038130ee..c0cfaf7cfae5e4aa897bf4fd915fb294c6c24161 100644
|
||||
--- a/src/providers/krb5/krb5_auth.c
|
||||
+++ b/src/providers/krb5/krb5_auth.c
|
||||
@@ -497,6 +497,8 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
break;
|
||||
+ case SSS_PAM_PREAUTH:
|
||||
+ break;
|
||||
default:
|
||||
DEBUG(SSSDBG_CONF_SETTINGS, "Unexpected pam task %d.\n", pd->cmd);
|
||||
state->pam_status = PAM_SYSTEM_ERR;
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index 2ca5aa789ab98aea9005b891be1a36ea91ab40f4..c7eb697f29b6de9f7edaaf7715a58d2b7afdc733 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1454,6 +1454,12 @@ static int pam_cmd_chauthtok_prelim(struct cli_ctx *cctx) {
|
||||
return pam_forwarder(cctx, SSS_PAM_CHAUTHTOK_PRELIM);
|
||||
}
|
||||
|
||||
+static int pam_cmd_preauth(struct cli_ctx *cctx)
|
||||
+{
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_preauth\n");
|
||||
+ return pam_forwarder(cctx, SSS_PAM_PREAUTH);
|
||||
+}
|
||||
+
|
||||
struct cli_protocol_version *register_cli_protocol_version(void)
|
||||
{
|
||||
static struct cli_protocol_version pam_cli_protocol_version[] = {
|
||||
@@ -1477,6 +1483,7 @@ struct sss_cmd_table *get_pam_cmds(void)
|
||||
{SSS_PAM_CLOSE_SESSION, pam_cmd_close_session},
|
||||
{SSS_PAM_CHAUTHTOK, pam_cmd_chauthtok},
|
||||
{SSS_PAM_CHAUTHTOK_PRELIM, pam_cmd_chauthtok_prelim},
|
||||
+ {SSS_PAM_PREAUTH, pam_cmd_preauth},
|
||||
{SSS_CLI_NULL, NULL}
|
||||
};
|
||||
|
||||
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
||||
index 9a19d7d47d0a9d7dabeac36dc2c866c3420ef501..2895659b9c3ed4ab520ca90846379c22fd9567f7 100644
|
||||
--- a/src/sss_client/sss_cli.h
|
||||
+++ b/src/sss_client/sss_cli.h
|
||||
@@ -220,6 +220,10 @@ enum sss_cli_command {
|
||||
SSS_CMD_RENEW = 0x00F8, /**< Renew a credential with a limited
|
||||
* lifetime, e.g. a Kerberos Ticket
|
||||
* Granting Ticket (TGT) */
|
||||
+ SSS_PAM_PREAUTH = 0x00F9, /**< Request which can be run before
|
||||
+ * an authentication request to find
|
||||
+ * out which authentication methods
|
||||
+ * are available for the given user. */
|
||||
|
||||
/* PAC responder calls */
|
||||
SSS_PAC_ADD_PAC_USER = 0x0101,
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,427 +0,0 @@
|
||||
From 308a445c9e9c5eacd184fa6958a9753592e5eec4 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 24 Mar 2015 17:26:53 +0100
|
||||
Subject: [PATCH 21/30] krb5-child: add preauth and split 2fa token support
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit 4b1b2e60d0764fed289eada9a7afbfd1993cadcd)
|
||||
---
|
||||
src/providers/krb5/krb5_auth.c | 3 +-
|
||||
src/providers/krb5/krb5_child.c | 265 +++++++++++++++++++++++++++++---
|
||||
src/providers/krb5/krb5_child_handler.c | 4 +
|
||||
src/sss_client/sss_cli.h | 6 +
|
||||
4 files changed, 257 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||
index c0cfaf7cfae5e4aa897bf4fd915fb294c6c24161..6b818440717a9cfaa22a8332fc65440d21d79d00 100644
|
||||
--- a/src/providers/krb5/krb5_auth.c
|
||||
+++ b/src/providers/krb5/krb5_auth.c
|
||||
@@ -450,7 +450,8 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
|
||||
switch (pd->cmd) {
|
||||
case SSS_PAM_AUTHENTICATE:
|
||||
case SSS_PAM_CHAUTHTOK:
|
||||
- if (authtok_type != SSS_AUTHTOK_TYPE_PASSWORD) {
|
||||
+ if (authtok_type != SSS_AUTHTOK_TYPE_PASSWORD
|
||||
+ && authtok_type != SSS_AUTHTOK_TYPE_2FA) {
|
||||
/* handle empty password gracefully */
|
||||
if (authtok_type == SSS_AUTHTOK_TYPE_EMPTY) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
||||
index 0fcec981633989593d7155a57811d02a997db251..4b976ddb86b7a1cf6fdc14f99d0b5f4b321814c0 100644
|
||||
--- a/src/providers/krb5/krb5_child.c
|
||||
+++ b/src/providers/krb5/krb5_child.c
|
||||
@@ -54,6 +54,9 @@ struct krb5_req {
|
||||
char* name;
|
||||
krb5_creds *creds;
|
||||
bool otp;
|
||||
+ char *otp_vendor;
|
||||
+ char *otp_token_id;
|
||||
+ char *otp_challenge;
|
||||
krb5_get_init_creds_opt *options;
|
||||
|
||||
struct pam_data *pd;
|
||||
@@ -268,7 +271,87 @@ static int token_pin_destructor(char *mem)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
|
||||
+static krb5_error_code tokeninfo_matches_2fa(TALLOC_CTX *mem_ctx,
|
||||
+ const krb5_responder_otp_tokeninfo *ti,
|
||||
+ const char *fa1, size_t fa1_len,
|
||||
+ const char *fa2, size_t fa2_len,
|
||||
+ char **out_token, char **out_pin)
|
||||
+{
|
||||
+ char *token = NULL, *pin = NULL;
|
||||
+ checker check = NULL;
|
||||
+ int i;
|
||||
+
|
||||
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_NEXTOTP) {
|
||||
+ return ENOTSUP;
|
||||
+ }
|
||||
+
|
||||
+ if (ti->challenge != NULL) {
|
||||
+ return ENOTSUP;
|
||||
+ }
|
||||
+
|
||||
+ /* This is a non-sensical value. */
|
||||
+ if (ti->length == 0) {
|
||||
+ return EPROTO;
|
||||
+ }
|
||||
+
|
||||
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {
|
||||
+ if (ti->length > 0 && ti->length != fa2_len) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Expected [%d] and given [%zu] token size "
|
||||
+ "do not match.\n", ti->length, fa2_len);
|
||||
+ return EMSGSIZE;
|
||||
+ }
|
||||
+
|
||||
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN) {
|
||||
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN) {
|
||||
+
|
||||
+ pin = talloc_strndup(mem_ctx, fa1, fa1_len);
|
||||
+ if (pin == NULL) {
|
||||
+ talloc_free(token);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ talloc_set_destructor(pin, token_pin_destructor);
|
||||
+
|
||||
+ token = talloc_strndup(mem_ctx, fa2, fa2_len);
|
||||
+ if (token == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ talloc_set_destructor(token, token_pin_destructor);
|
||||
+
|
||||
+ check = pick_checker(ti->format);
|
||||
+ }
|
||||
+ } else {
|
||||
+ token = talloc_asprintf(mem_ctx, "%s%s", fa1, fa2);
|
||||
+ if (token == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ talloc_set_destructor(token, token_pin_destructor);
|
||||
+
|
||||
+ check = pick_checker(ti->format);
|
||||
+ }
|
||||
+ } else {
|
||||
+ /* Assuming PIN only required */
|
||||
+ pin = talloc_strndup(mem_ctx, fa1, fa1_len);
|
||||
+ if (pin == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ talloc_set_destructor(pin, token_pin_destructor);
|
||||
+ }
|
||||
+
|
||||
+ /* If check is set, we need to verify the contents of the token. */
|
||||
+ for (i = 0; check != NULL && token[i] != '\0'; i++) {
|
||||
+ if (!check(token[i])) {
|
||||
+ talloc_free(token);
|
||||
+ talloc_free(pin);
|
||||
+ return EBADMSG;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *out_token = token;
|
||||
+ *out_pin = pin;
|
||||
+ return 0;
|
||||
+}
|
||||
+static krb5_error_code tokeninfo_matches_pwd(TALLOC_CTX *mem_ctx,
|
||||
const krb5_responder_otp_tokeninfo *ti,
|
||||
const char *pwd, size_t len,
|
||||
char **out_token, char **out_pin)
|
||||
@@ -364,15 +447,52 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
|
||||
+ const krb5_responder_otp_tokeninfo *ti,
|
||||
+ struct sss_auth_token *auth_tok,
|
||||
+ char **out_token, char **out_pin)
|
||||
+{
|
||||
+ int ret;
|
||||
+ const char *pwd;
|
||||
+ size_t len;
|
||||
+ const char *fa2;
|
||||
+ size_t fa2_len;
|
||||
+
|
||||
+ switch (sss_authtok_get_type(auth_tok)) {
|
||||
+ case SSS_AUTHTOK_TYPE_PASSWORD:
|
||||
+ ret = sss_authtok_get_password(auth_tok, &pwd, &len);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_password failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ return tokeninfo_matches_pwd(mem_ctx, ti, pwd, len, out_token, out_pin);
|
||||
+ break;
|
||||
+ case SSS_AUTHTOK_TYPE_2FA:
|
||||
+ ret = sss_authtok_get_2fa(auth_tok, &pwd, &len, &fa2, &fa2_len);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_2fa failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ return tokeninfo_matches_2fa(mem_ctx, ti, pwd, len, fa2, fa2_len,
|
||||
+ out_token, out_pin);
|
||||
+ break;
|
||||
+ default:
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported authtok type.\n");
|
||||
+ }
|
||||
+
|
||||
+ return EINVAL;
|
||||
+}
|
||||
+
|
||||
static krb5_error_code answer_otp(krb5_context ctx,
|
||||
struct krb5_req *kr,
|
||||
krb5_responder_context rctx)
|
||||
{
|
||||
krb5_responder_otp_challenge *chl;
|
||||
char *token = NULL, *pin = NULL;
|
||||
- const char *pwd = NULL;
|
||||
krb5_error_code ret;
|
||||
- size_t i, len;
|
||||
+ size_t i;
|
||||
|
||||
ret = krb5_responder_otp_get_challenge(ctx, rctx, &chl);
|
||||
if (ret != EOK || chl == NULL) {
|
||||
@@ -388,14 +508,37 @@ static krb5_error_code answer_otp(krb5_context ctx,
|
||||
|
||||
kr->otp = true;
|
||||
|
||||
- /* Validate our assumptions about the contents of authtok. */
|
||||
- ret = sss_authtok_get_password(kr->pd->authtok, &pwd, &len);
|
||||
- if (ret != EOK)
|
||||
- goto done;
|
||||
+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
+ for (i = 0; chl->tokeninfo[i] != NULL; i++) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Vendor [%s].\n",
|
||||
+ i, chl->tokeninfo[i]->vendor);
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Token-ID [%s].\n",
|
||||
+ i, chl->tokeninfo[i]->token_id);
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Challenge [%s].\n",
|
||||
+ i, chl->tokeninfo[i]->challenge);
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Flags [%d].\n",
|
||||
+ i, chl->tokeninfo[i]->flags);
|
||||
+ }
|
||||
+
|
||||
+ if (chl->tokeninfo[0]->vendor != NULL) {
|
||||
+ kr->otp_vendor = talloc_strdup(kr, chl->tokeninfo[0]->vendor);
|
||||
+ }
|
||||
+ if (chl->tokeninfo[0]->token_id != NULL) {
|
||||
+ kr->otp_token_id = talloc_strdup(kr, chl->tokeninfo[0]->token_id);
|
||||
+ }
|
||||
+ if (chl->tokeninfo[0]->challenge != NULL) {
|
||||
+ kr->otp_challenge = talloc_strdup(kr, chl->tokeninfo[0]->challenge);
|
||||
+ }
|
||||
+ /* Allocation errors are ignored on purpose */
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Exit answer_otp during pre-auth.\n");
|
||||
+ return EAGAIN;
|
||||
+ }
|
||||
|
||||
/* Find the first supported tokeninfo which matches our authtoken. */
|
||||
for (i = 0; chl->tokeninfo[i] != NULL; i++) {
|
||||
- ret = tokeninfo_matches(kr, chl->tokeninfo[i], pwd, len, &token, &pin);
|
||||
+ ret = tokeninfo_matches(kr, chl->tokeninfo[i], kr->pd->authtok,
|
||||
+ &token, &pin);
|
||||
if (ret == EOK) {
|
||||
break;
|
||||
}
|
||||
@@ -683,6 +826,58 @@ static errno_t pack_response_packet(TALLOC_CTX *mem_ctx, errno_t error,
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static errno_t k5c_attach_otp_info_msg(struct krb5_req *kr)
|
||||
+{
|
||||
+ uint8_t *msg = NULL;
|
||||
+ size_t msg_len;
|
||||
+ int ret;
|
||||
+ size_t vendor_len = 0;
|
||||
+ size_t token_id_len = 0;
|
||||
+ size_t challenge_len = 0;
|
||||
+ size_t idx = 0;
|
||||
+
|
||||
+ msg_len = 3;
|
||||
+ if (kr->otp_vendor != NULL) {
|
||||
+ vendor_len = strlen(kr->otp_vendor);
|
||||
+ msg_len += vendor_len;
|
||||
+ }
|
||||
+
|
||||
+ if (kr->otp_token_id != NULL) {
|
||||
+ token_id_len = strlen(kr->otp_token_id);
|
||||
+ msg_len += token_id_len;
|
||||
+ }
|
||||
+
|
||||
+ if (kr->otp_challenge != NULL) {
|
||||
+ challenge_len = strlen(kr->otp_challenge);
|
||||
+ msg_len += challenge_len;
|
||||
+ }
|
||||
+
|
||||
+ msg = talloc_zero_size(kr, msg_len);
|
||||
+ if (msg == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ if (kr->otp_vendor != NULL) {
|
||||
+ memcpy(msg, kr->otp_vendor, vendor_len);
|
||||
+ }
|
||||
+ idx += vendor_len +1;
|
||||
+
|
||||
+ if (kr->otp_token_id != NULL) {
|
||||
+ memcpy(msg + idx, kr->otp_token_id, token_id_len);
|
||||
+ }
|
||||
+ idx += token_id_len +1;
|
||||
+
|
||||
+ if (kr->otp_challenge != NULL) {
|
||||
+ memcpy(msg + idx, kr->otp_challenge, challenge_len);
|
||||
+ }
|
||||
+
|
||||
+ ret = pam_add_response(kr->pd, SSS_PAM_OTP_INFO, msg_len, msg);
|
||||
+ talloc_zfree(msg);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static errno_t k5c_attach_ccname_msg(struct krb5_req *kr)
|
||||
{
|
||||
char *msg = NULL;
|
||||
@@ -996,9 +1191,18 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
|
||||
discard_const(password),
|
||||
sss_krb5_prompter, kr, 0,
|
||||
NULL, kr->options);
|
||||
- if (kerr != 0) {
|
||||
- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
|
||||
- return kerr;
|
||||
+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
+ /* Any errors are ignored during pre-auth, only data is collected to
|
||||
+ * be send back to the client.*/
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "krb5_get_init_creds_password returned [%d} during pre-auth.\n",
|
||||
+ kerr);
|
||||
+ return 0;
|
||||
+ } else {
|
||||
+ if (kerr != 0) {
|
||||
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
|
||||
+ return kerr;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (kr->validate) {
|
||||
@@ -1300,8 +1504,11 @@ static errno_t tgt_req_child(struct krb5_req *kr)
|
||||
|
||||
DEBUG(SSSDBG_TRACE_LIBS, "Attempting to get a TGT\n");
|
||||
|
||||
- ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
|
||||
- switch (ret) {
|
||||
+ /* No password is needed for pre-auth, or if we have 2FA */
|
||||
+ if (kr->pd->cmd != SSS_PAM_PREAUTH
|
||||
+ && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
|
||||
+ ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
|
||||
+ switch (ret) {
|
||||
case EOK:
|
||||
break;
|
||||
|
||||
@@ -1314,13 +1521,21 @@ static errno_t tgt_req_child(struct krb5_req *kr)
|
||||
DEBUG(SSSDBG_OP_FAILURE, "No credentials available\n");
|
||||
return ERR_NO_CREDS;
|
||||
break;
|
||||
+ }
|
||||
}
|
||||
|
||||
kerr = get_and_save_tgt(kr, password);
|
||||
|
||||
if (kerr != KRB5KDC_ERR_KEY_EXP) {
|
||||
- if (kerr == 0) {
|
||||
- kerr = k5c_attach_ccname_msg(kr);
|
||||
+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
+ /* add OTP tokeninfo messge if available */
|
||||
+ if (kr->otp) {
|
||||
+ kerr = k5c_attach_otp_info_msg(kr);
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (kerr == 0) {
|
||||
+ kerr = k5c_attach_ccname_msg(kr);
|
||||
+ }
|
||||
}
|
||||
ret = map_krb5_error(kerr);
|
||||
goto done;
|
||||
@@ -1523,6 +1738,10 @@ static errno_t unpack_authtok(struct sss_auth_token *tok,
|
||||
case SSS_AUTHTOK_TYPE_CCFILE:
|
||||
ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
|
||||
break;
|
||||
+ case SSS_AUTHTOK_TYPE_2FA:
|
||||
+ ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, (buf + *p),
|
||||
+ auth_token_length);
|
||||
+ break;
|
||||
default:
|
||||
return EINVAL;
|
||||
}
|
||||
@@ -2285,11 +2504,13 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
|
||||
}
|
||||
|
||||
/* For ccache types FILE: and DIR: we might need to create some directory
|
||||
- * components as root */
|
||||
- ret = k5c_ccache_setup(kr, offline);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "k5c_ccache_setup failed.\n");
|
||||
- return ret;
|
||||
+ * components as root. Cache files are not needed during preauth. */
|
||||
+ if (kr->pd->cmd != SSS_PAM_PREAUTH) {
|
||||
+ ret = k5c_ccache_setup(kr, offline);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "k5c_ccache_setup failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (!(offline ||
|
||||
@@ -2464,6 +2685,10 @@ int main(int argc, const char *argv[])
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "Will perform ticket renewal\n");
|
||||
ret = renew_tgt_child(kr);
|
||||
break;
|
||||
+ case SSS_PAM_PREAUTH:
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Will perform pre-auth\n");
|
||||
+ ret = tgt_req_child(kr);
|
||||
+ break;
|
||||
default:
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"PAM command [%d] not supported.\n", kr->pd->cmd);
|
||||
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
|
||||
index 633cd917737d3f39526b049cc3d930b67f8b5c66..1f839ab5ebf93271556371b2f172f6c524da6270 100644
|
||||
--- a/src/providers/krb5/krb5_child_handler.c
|
||||
+++ b/src/providers/krb5/krb5_child_handler.c
|
||||
@@ -77,6 +77,10 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t *rp,
|
||||
ret = sss_authtok_get_ccfile(tok, &data, &len);
|
||||
auth_token_length = len + 1;
|
||||
break;
|
||||
+ case SSS_AUTHTOK_TYPE_2FA:
|
||||
+ data = (char *) sss_authtok_get_data(tok);
|
||||
+ auth_token_length = sss_authtok_get_size(tok);
|
||||
+ break;
|
||||
default:
|
||||
ret = EINVAL;
|
||||
}
|
||||
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
||||
index 2895659b9c3ed4ab520ca90846379c22fd9567f7..1d7e8549cd548b00eeedba95080f346439afc3dd 100644
|
||||
--- a/src/sss_client/sss_cli.h
|
||||
+++ b/src/sss_client/sss_cli.h
|
||||
@@ -402,6 +402,12 @@ enum response_type {
|
||||
* the user.This should only be used in the case where
|
||||
* it is not possile to use SSS_PAM_USER_INFO.
|
||||
* @param A zero terminated string. */
|
||||
+ SSS_PAM_OTP_INFO, /**< A message which optionally may contain the name
|
||||
+ * of the vendor, the ID of an OTP token and a
|
||||
+ * challenge.
|
||||
+ * @param Three zero terminated strings, if one of the
|
||||
+ * strings is missing the message will contain only
|
||||
+ * an empty string (\0) for that component. */
|
||||
SSS_OTP, /**< Indicates that the autotok was a OTP, so don't
|
||||
* cache it. There is no message.
|
||||
* @param None. */
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,115 +0,0 @@
|
||||
From badabcb4536794f376fbbefec21fd821654481c5 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 24 Mar 2015 11:19:46 +0100
|
||||
Subject: [PATCH 22/30] IPA: create preauth indicator file at startup
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit deb28a893c76f7c94b6cc8e596742665e23d97d5)
|
||||
---
|
||||
src/providers/ipa/ipa_init.c | 66 ++++++++++++++++++++++++++++++++++++++++++++
|
||||
src/sss_client/sss_cli.h | 2 ++
|
||||
2 files changed, 68 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
|
||||
index 4b26e8baad4d0592729aec9a0b188ae89973fa98..15ec2339d95754db2e54f383bf8e423e780e9838 100644
|
||||
--- a/src/providers/ipa/ipa_init.c
|
||||
+++ b/src/providers/ipa/ipa_init.c
|
||||
@@ -371,6 +371,62 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+void cleanup_ipa_preauth_indicator(void)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ ret = unlink(PAM_PREAUTH_INDICATOR);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to remove preauth indicator file [%s].\n",
|
||||
+ PAM_PREAUTH_INDICATOR);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static errno_t create_ipa_preauth_indicator(void)
|
||||
+{
|
||||
+ int ret;
|
||||
+ TALLOC_CTX *tmp_ctx = NULL;
|
||||
+ int fd;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ fd = open(PAM_PREAUTH_INDICATOR, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW,
|
||||
+ 0644);
|
||||
+ if (fd < 0) {
|
||||
+ if (errno != EEXIST) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to create preauth indicator file [%s].\n",
|
||||
+ PAM_PREAUTH_INDICATOR);
|
||||
+ ret = EOK;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Preauth indicator file [%s] already exists. "
|
||||
+ "Maybe it is left after an unplanned exit. Continuing.\n",
|
||||
+ PAM_PREAUTH_INDICATOR);
|
||||
+ } else {
|
||||
+ close(fd);
|
||||
+ }
|
||||
+
|
||||
+ ret = atexit(cleanup_ipa_preauth_indicator);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "atexit failed. Continuing.\n");
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int sssm_ipa_auth_init(struct be_ctx *bectx,
|
||||
struct bet_ops **ops,
|
||||
void **pvt_data)
|
||||
@@ -469,6 +525,16 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = create_ipa_preauth_indicator();
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to create preauth indicator file, special password "
|
||||
+ "prompting might not be available.\n");
|
||||
+ sss_log(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to create preauth indicator file, special password "
|
||||
+ "prompting might not be available.\n");
|
||||
+ }
|
||||
+
|
||||
*ops = &ipa_auth_ops;
|
||||
*pvt_data = ipa_auth_ctx;
|
||||
ret = EOK;
|
||||
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
||||
index 1d7e8549cd548b00eeedba95080f346439afc3dd..317700ef8cfcbb1b58e2a7d1ffcc7f00658fe815 100644
|
||||
--- a/src/sss_client/sss_cli.h
|
||||
+++ b/src/sss_client/sss_cli.h
|
||||
@@ -317,6 +317,8 @@ enum sss_authtok_type {
|
||||
#define SSS_START_OF_PAM_REQUEST 0x4d415049
|
||||
#define SSS_END_OF_PAM_REQUEST 0x4950414d
|
||||
|
||||
+#define PAM_PREAUTH_INDICATOR PUBCONF_PATH"/pam_preauth_available"
|
||||
+
|
||||
enum pam_item_type {
|
||||
SSS_PAM_ITEM_EMPTY = 0x0000,
|
||||
SSS_PAM_ITEM_USER,
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,373 +0,0 @@
|
||||
From ced64f67b32fdb513f29931f6dcc5ca482df1447 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 12 Feb 2015 23:08:12 +0100
|
||||
Subject: [PATCH 23/30] pam_sss: add pre-auth and 2fa support
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit e5698314b87e147c0223d0d8bcac206733dfae8c)
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
src/sss_client/pam_sss.c | 235 ++++++++++++++++++++++++++++++++++++++++++++++-
|
||||
2 files changed, 234 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index d3fea94b206a538b86a0fb119ed186947fa8d8e6..793a2a67be11232aefa67e57b986f6304b8a68b3 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -2361,6 +2361,7 @@ pam_sss_la_SOURCES = \
|
||||
src/sss_client/common.c \
|
||||
src/sss_client/sss_cli.h \
|
||||
src/util/atomic_io.c \
|
||||
+ src/util/authtok-utils.c \
|
||||
src/sss_client/sss_pam_macros.h \
|
||||
src/sss_client/sss_pam_compat.h
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index 4007d125e34932dfb5ac6bc840f4d25306e3008f..f11871a47d1b29f44c179e57a33d8f41be79078d 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -51,6 +51,7 @@
|
||||
#define FLAGS_USE_AUTHTOK (1 << 2)
|
||||
#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
|
||||
#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
|
||||
+#define FLAGS_USE_2FA (1 << 5)
|
||||
|
||||
#define PWEXP_FLAG "pam_sss:password_expired_flag"
|
||||
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
|
||||
@@ -88,6 +89,10 @@ struct pam_items {
|
||||
char *domain_name;
|
||||
const char *requested_domains;
|
||||
size_t requested_domains_size;
|
||||
+ char *otp_vendor;
|
||||
+ char *otp_token_id;
|
||||
+ char *otp_challenge;
|
||||
+ char *first_factor;
|
||||
};
|
||||
|
||||
#define DEBUG_MGS_LEN 1024
|
||||
@@ -224,6 +229,12 @@ static void overwrite_and_free_authtoks(struct pam_items *pi)
|
||||
pi->pam_newauthtok = NULL;
|
||||
}
|
||||
|
||||
+ if (pi->first_factor != NULL) {
|
||||
+ _pam_overwrite_n((void *)pi->first_factor, strlen(pi->first_factor));
|
||||
+ free((void *)pi->first_factor);
|
||||
+ pi->first_factor = NULL;
|
||||
+ }
|
||||
+
|
||||
pi->pamstack_authtok = NULL;
|
||||
pi->pamstack_oldauthtok = NULL;
|
||||
}
|
||||
@@ -234,6 +245,15 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
|
||||
|
||||
free(pi->domain_name);
|
||||
pi->domain_name = NULL;
|
||||
+
|
||||
+ free(pi->otp_vendor);
|
||||
+ pi->otp_vendor = NULL;
|
||||
+
|
||||
+ free(pi->otp_token_id);
|
||||
+ pi->otp_token_id = NULL;
|
||||
+
|
||||
+ free(pi->otp_challenge);
|
||||
+ pi->otp_challenge = NULL;
|
||||
}
|
||||
|
||||
static int pack_message_v3(struct pam_items *pi, size_t *size,
|
||||
@@ -969,6 +989,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
|
||||
int32_t type;
|
||||
int32_t len;
|
||||
int32_t pam_status;
|
||||
+ size_t offset;
|
||||
|
||||
if (buflen < (2*sizeof(int32_t))) {
|
||||
D(("response buffer is too small"));
|
||||
@@ -1075,6 +1096,45 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
|
||||
pam_strerror(pamh,ret)));
|
||||
}
|
||||
break;
|
||||
+ case SSS_PAM_OTP_INFO:
|
||||
+ if (buf[p + (len - 1)] != '\0') {
|
||||
+ D(("system info does not end with \\0."));
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ pi->otp_vendor = strdup((char *) &buf[p]);
|
||||
+ if (pi->otp_vendor == NULL) {
|
||||
+ D(("strdup failed"));
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ offset = strlen(pi->otp_vendor) + 1;
|
||||
+ if (offset >= len) {
|
||||
+ D(("OTP message size mismatch"));
|
||||
+ free(pi->otp_vendor);
|
||||
+ pi->otp_vendor = NULL;
|
||||
+ break;
|
||||
+ }
|
||||
+ pi->otp_token_id = strdup((char *) &buf[p + offset]);
|
||||
+ if (pi->otp_token_id == NULL) {
|
||||
+ D(("strdup failed"));
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ offset += strlen(pi->otp_token_id) + 1;
|
||||
+ if (offset >= len) {
|
||||
+ D(("OTP message size mismatch"));
|
||||
+ free(pi->otp_token_id);
|
||||
+ pi->otp_token_id = NULL;
|
||||
+ break;
|
||||
+ }
|
||||
+ pi->otp_challenge = strdup((char *) &buf[p + offset]);
|
||||
+ if (pi->otp_challenge == NULL) {
|
||||
+ D(("strdup failed"));
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ break;
|
||||
default:
|
||||
D(("Unknown response type [%d]", type));
|
||||
}
|
||||
@@ -1096,6 +1156,7 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi)
|
||||
pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY;
|
||||
pi->pam_newauthtok = NULL;
|
||||
pi->pam_newauthtok_size = 0;
|
||||
+ pi->first_factor = NULL;
|
||||
|
||||
ret = pam_get_item(pamh, PAM_SERVICE, (const void **) &(pi->pam_service));
|
||||
if (ret != PAM_SUCCESS) return ret;
|
||||
@@ -1150,6 +1211,10 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi)
|
||||
if (pi->requested_domains == NULL) pi->requested_domains = "";
|
||||
pi->requested_domains_size = strlen(pi->requested_domains) + 1;
|
||||
|
||||
+ pi->otp_vendor = NULL;
|
||||
+ pi->otp_token_id = NULL;
|
||||
+ pi->otp_challenge = NULL;
|
||||
+
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -1281,6 +1346,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
|
||||
case SSS_PAM_OPEN_SESSION:
|
||||
case SSS_PAM_SETCRED:
|
||||
case SSS_PAM_CLOSE_SESSION:
|
||||
+ case SSS_PAM_PREAUTH:
|
||||
break;
|
||||
default:
|
||||
D(("Illegal task [%d]", task));
|
||||
@@ -1328,6 +1394,133 @@ static int prompt_password(pam_handle_t *pamh, struct pam_items *pi,
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
+static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
|
||||
+ const char *prompt_fa1, const char *prompt_fa2)
|
||||
+{
|
||||
+ int ret;
|
||||
+ const struct pam_conv *conv;
|
||||
+ const struct pam_message *mesg[2] = { NULL, NULL };
|
||||
+ struct pam_message *m1;
|
||||
+ struct pam_message *m2;
|
||||
+ struct pam_response *resp = NULL;
|
||||
+ size_t needed_size;
|
||||
+
|
||||
+ ret = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
|
||||
+ if (ret != PAM_SUCCESS) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ m1 = malloc(sizeof(struct pam_message));
|
||||
+ if (m1 == NULL) {
|
||||
+ D(("Malloc failed."));
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ m2 = malloc(sizeof(struct pam_message));
|
||||
+ if (m2 == NULL) {
|
||||
+ D(("Malloc failed."));
|
||||
+ free(m1);
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ m1->msg_style = PAM_PROMPT_ECHO_OFF;
|
||||
+ m1->msg = prompt_fa1;
|
||||
+ m2->msg_style = PAM_PROMPT_ECHO_OFF;
|
||||
+ m2->msg = prompt_fa2;
|
||||
+
|
||||
+ mesg[0] = (const struct pam_message *) m1;
|
||||
+ mesg[1] = (const struct pam_message *) m2;
|
||||
+
|
||||
+ ret = conv->conv(2, mesg, &resp, conv->appdata_ptr);
|
||||
+ free(m1);
|
||||
+ free(m2);
|
||||
+ if (ret != PAM_SUCCESS) {
|
||||
+ D(("Conversation failure: %s.", pam_strerror(pamh, ret)));
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ if (resp == NULL) {
|
||||
+ D(("response expected, but resp==NULL"));
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (resp[0].resp == NULL || *(resp[0].resp) == '\0') {
|
||||
+ D(("Missing factor."));
|
||||
+ ret = PAM_CRED_INSUFFICIENT;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (resp[1].resp == NULL || *(resp[1].resp) == '\0'
|
||||
+ || (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0
|
||||
+ && strcmp(resp[0].resp, resp[1].resp) == 0)) {
|
||||
+ /* Missing second factor, assume first factor contains combined 2FA
|
||||
+ * credentials.
|
||||
+ * Special handling for SSH with password authentication. Combined
|
||||
+ * 2FA credentials are used but SSH puts them in both responses. */
|
||||
+
|
||||
+ pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
|
||||
+ if (pi->pam_authtok == NULL) {
|
||||
+ D(("strndup failed."));
|
||||
+ ret = PAM_BUF_ERR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ pi->pam_authtok_size = strlen(pi->pam_authtok) + 1;
|
||||
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
|
||||
+ } else {
|
||||
+
|
||||
+ ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0, NULL, 0,
|
||||
+ &needed_size);
|
||||
+ if (ret != EAGAIN) {
|
||||
+ D(("sss_auth_pack_2fa_blob failed."));
|
||||
+ ret = PAM_BUF_ERR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ pi->pam_authtok = malloc(needed_size);
|
||||
+ if (pi->pam_authtok == NULL) {
|
||||
+ D(("malloc failed."));
|
||||
+ ret = PAM_BUF_ERR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0,
|
||||
+ (uint8_t *) pi->pam_authtok, needed_size,
|
||||
+ &needed_size);
|
||||
+ if (ret != EOK) {
|
||||
+ D(("sss_auth_pack_2fa_blob failed."));
|
||||
+ ret = PAM_BUF_ERR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ pi->pam_authtok_size = needed_size;
|
||||
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_2FA;
|
||||
+ pi->first_factor = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
|
||||
+ if (pi->first_factor == NULL) {
|
||||
+ D(("strndup failed."));
|
||||
+ ret = PAM_BUF_ERR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = PAM_SUCCESS;
|
||||
+
|
||||
+done:
|
||||
+ if (resp != NULL) {
|
||||
+ if (resp[0].resp != NULL) {
|
||||
+ _pam_overwrite((void *)resp[0].resp);
|
||||
+ free(resp[0].resp);
|
||||
+ }
|
||||
+ if (resp[1].resp != NULL) {
|
||||
+ _pam_overwrite((void *)resp[1].resp);
|
||||
+ free(resp[1].resp);
|
||||
+ }
|
||||
+
|
||||
+ free(resp);
|
||||
+ resp = NULL;
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi)
|
||||
{
|
||||
int ret;
|
||||
@@ -1411,6 +1604,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
||||
*flags |= FLAGS_IGNORE_UNKNOWN_USER;
|
||||
} else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
|
||||
*flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
|
||||
+ } else if (strcmp(*argv, "use_2fa") == 0) {
|
||||
+ *flags |= FLAGS_USE_2FA;
|
||||
} else {
|
||||
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
|
||||
}
|
||||
@@ -1434,14 +1629,28 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
||||
}
|
||||
pi->pam_authtok_size = strlen(pi->pam_authtok);
|
||||
} else {
|
||||
- ret = prompt_password(pamh, pi, _("Password: "));
|
||||
+ if (flags & FLAGS_USE_2FA
|
||||
+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
|
||||
+ && pi->otp_challenge != NULL)) {
|
||||
+ ret = prompt_2fa(pamh, pi, _("First Factor: "),
|
||||
+ _("Second Factor: "));
|
||||
+ } else {
|
||||
+ ret = prompt_password(pamh, pi, _("Password: "));
|
||||
+ }
|
||||
if (ret != PAM_SUCCESS) {
|
||||
D(("failed to get password from user"));
|
||||
return ret;
|
||||
}
|
||||
|
||||
if (flags & FLAGS_FORWARD_PASS) {
|
||||
- ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
|
||||
+ if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
|
||||
+ ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
|
||||
+ } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
|
||||
+ && pi->first_factor != NULL) {
|
||||
+ ret = pam_set_item(pamh, PAM_AUTHTOK, pi->first_factor);
|
||||
+ } else {
|
||||
+ ret = EINVAL;
|
||||
+ }
|
||||
if (ret != PAM_SUCCESS) {
|
||||
D(("Failed to set PAM_AUTHTOK [%s], "
|
||||
"authtok may not be available for other modules",
|
||||
@@ -1576,6 +1785,27 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
|
||||
switch(task) {
|
||||
case SSS_PAM_AUTHENTICATE:
|
||||
+ /*
|
||||
+ * Only do preauth if
|
||||
+ * - FLAGS_USE_FIRST_PASS is not set
|
||||
+ * - no password is on the stack
|
||||
+ * - preauth indicator file exists.
|
||||
+ */
|
||||
+ if ( !(flags & FLAGS_USE_FIRST_PASS) && pi.pam_authtok == NULL
|
||||
+ && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
|
||||
+ pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
|
||||
+ quiet_mode);
|
||||
+ if (pam_status != PAM_SUCCESS) {
|
||||
+ D(("send_and_receive returned [%d] during pre-auth",
|
||||
+ pam_status));
|
||||
+ /*
|
||||
+ * Since we are only interested in the result message
|
||||
+ * and will always use password authentication
|
||||
+ * as a fallback, errors can be ignored here.
|
||||
+ */
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
ret = get_authtok_for_authentication(pamh, &pi, flags);
|
||||
if (ret != PAM_SUCCESS) {
|
||||
D(("failed to get authentication token: %s",
|
||||
@@ -1588,6 +1818,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
if (ret != PAM_SUCCESS) {
|
||||
D(("failed to get tokens for password change: %s",
|
||||
pam_strerror(pamh, ret)));
|
||||
+ overwrite_and_free_pam_items(&pi);
|
||||
return ret;
|
||||
}
|
||||
if (pam_flags & PAM_PRELIM_CHECK) {
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,145 +0,0 @@
|
||||
From edf37611b0eacb47b4d72bac97b9281231b4476f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 24 Mar 2015 13:00:14 +0100
|
||||
Subject: [PATCH 24/30] Add cache_credentials_minimal_first_factor_length
|
||||
config option
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit 932c3e22e3c59a9c33f30dcc09e6bef257e14320)
|
||||
---
|
||||
src/confdb/confdb.c | 11 +++++++++++
|
||||
src/confdb/confdb.h | 4 ++++
|
||||
src/config/SSSDConfigTest.py | 2 ++
|
||||
src/config/etc/sssd.api.conf | 1 +
|
||||
src/man/sssd.conf.5.xml | 22 ++++++++++++++++++++++
|
||||
src/util/domain_info_utils.c | 2 ++
|
||||
6 files changed, 42 insertions(+)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index 9ce7b13114e1336a4b8ffb8fdfa13c49d2c0c006..2ebf6c15e060ad5899a60629aa6b28021d0f408d 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -956,6 +956,17 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = get_entry_as_uint32(res->msgs[0],
|
||||
+ &domain->cache_credentials_min_ff_length,
|
||||
+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH,
|
||||
+ CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Invalid value for %s\n",
|
||||
+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
ret = get_entry_as_bool(res->msgs[0], &domain->legacy_passwords,
|
||||
CONFDB_DOMAIN_LEGACY_PASS, 0);
|
||||
if(ret != EOK) {
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index e97c46b34e34a02f80903c204e3a1744b0a5977e..93fbce5e5e46e4a7517d971f2ab886ded65a68f3 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -162,6 +162,9 @@
|
||||
#define CONFDB_DOMAIN_MINID "min_id"
|
||||
#define CONFDB_DOMAIN_MAXID "max_id"
|
||||
#define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials"
|
||||
+#define CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH \
|
||||
+ "cache_credentials_minimal_first_factor_length"
|
||||
+#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
|
||||
#define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
|
||||
#define CONFDB_DOMAIN_MPG "magic_private_groups"
|
||||
#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
|
||||
@@ -222,6 +225,7 @@ struct sss_domain_info {
|
||||
uint32_t id_max;
|
||||
|
||||
bool cache_credentials;
|
||||
+ uint32_t cache_credentials_min_ff_length;
|
||||
bool legacy_passwords;
|
||||
bool case_sensitive;
|
||||
bool case_preserve;
|
||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
||||
index aed76e5a0dd695b1969f3946f245a80062627e24..2a5dc8d561ab88d888a0a33f091bac55be1d701f 100755
|
||||
--- a/src/config/SSSDConfigTest.py
|
||||
+++ b/src/config/SSSDConfigTest.py
|
||||
@@ -494,6 +494,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
||||
'command',
|
||||
'enumerate',
|
||||
'cache_credentials',
|
||||
+ 'cache_credentials_minimal_first_factor_length',
|
||||
'store_legacy_passwords',
|
||||
'use_fully_qualified_names',
|
||||
'ignore_group_members',
|
||||
@@ -856,6 +857,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
||||
'command',
|
||||
'enumerate',
|
||||
'cache_credentials',
|
||||
+ 'cache_credentials_minimal_first_factor_length',
|
||||
'store_legacy_passwords',
|
||||
'use_fully_qualified_names',
|
||||
'ignore_group_members',
|
||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
||||
index 59d755c2668235d046781227568d7f9e805a45d0..7ad84cd826a648ca61d9d2ede70e7886049d469a 100644
|
||||
--- a/src/config/etc/sssd.api.conf
|
||||
+++ b/src/config/etc/sssd.api.conf
|
||||
@@ -110,6 +110,7 @@ subdomain_enumerate = str, None, false
|
||||
force_timeout = int, None, false
|
||||
offline_timeout = int, None, false
|
||||
cache_credentials = bool, None, false
|
||||
+cache_credentials_minimal_first_factor_length = int, None, false
|
||||
store_legacy_passwords = bool, None, false
|
||||
use_fully_qualified_names = bool, None, false
|
||||
ignore_group_members = bool, None, false
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 4961d5b956f6d1736dc1e9967bd0115f4993ec77..fd05e3af20426121e2d6ec5943c9b70786a5db5f 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -1420,6 +1420,28 @@ pam_account_expired_message = Account expired, please call help desk.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
+ <term>cache_credentials_minimal_first_factor_length (int)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ If 2-Factor-Authentication (2FA) is used and
|
||||
+ credentials should be saved this value determines
|
||||
+ the minimal lenght the first authentication factor
|
||||
+ (long term password) must have to be saved as SHA512
|
||||
+ hash into the cache.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ This should avoid that the short PINs of a PIN based
|
||||
+ 2FA scheme are saved in the cache which would make
|
||||
+ them easy targets for brute-force attacks.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: 8
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term>account_cache_expiration (integer)</term>
|
||||
<listitem>
|
||||
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
|
||||
index e2dec04354e62bc8d135567fdbac88ea5da8cc00..1e2a473a7571a37bff5f10d66f917ed1f176f172 100644
|
||||
--- a/src/util/domain_info_utils.c
|
||||
+++ b/src/util/domain_info_utils.c
|
||||
@@ -297,6 +297,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
|
||||
dom->id_max = parent->id_max ? parent->id_max : 0xffffffff;
|
||||
dom->pwd_expiration_warning = parent->pwd_expiration_warning;
|
||||
dom->cache_credentials = parent->cache_credentials;
|
||||
+ dom->cache_credentials_min_ff_length =
|
||||
+ parent->cache_credentials_min_ff_length;
|
||||
dom->case_sensitive = false;
|
||||
dom->user_timeout = parent->user_timeout;
|
||||
dom->group_timeout = parent->group_timeout;
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,174 +0,0 @@
|
||||
From fd92f2270544489149c4dae2aed513e506813c04 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 24 Mar 2015 15:35:01 +0100
|
||||
Subject: [PATCH 25/30] sysdb: add sysdb_cache_password_ex()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit 55b7fdd837a780ab0f71cbfaa2403f4626993922)
|
||||
---
|
||||
src/db/sysdb.h | 9 +++++++++
|
||||
src/db/sysdb_ops.c | 25 ++++++++++++++++++++---
|
||||
src/tests/sysdb-tests.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 84 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index a1b6f207399555c85c14c8decf89edc498deb871..63d6d3cdc0baf49dff86a1aa62f61a4eacee7465 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -24,6 +24,7 @@
|
||||
|
||||
#include "util/util.h"
|
||||
#include "confdb/confdb.h"
|
||||
+#include "sss_client/sss_cli.h"
|
||||
#include <tevent.h>
|
||||
|
||||
#define CACHE_SYSDB_FILE "cache_%s.ldb"
|
||||
@@ -105,6 +106,8 @@
|
||||
#define SYSDB_SERVERHOSTNAME "serverHostname"
|
||||
|
||||
#define SYSDB_CACHEDPWD "cachedPassword"
|
||||
+#define SYSDB_CACHEDPWD_TYPE "cachedPasswordType"
|
||||
+#define SYSDB_CACHEDPWD_FA2_LEN "cachedPasswordSecondFactorLen"
|
||||
|
||||
#define SYSDB_UUID "uniqueID"
|
||||
#define SYSDB_SID "objectSID"
|
||||
@@ -888,6 +891,12 @@ int sysdb_cache_password(struct sss_domain_info *domain,
|
||||
const char *username,
|
||||
const char *password);
|
||||
|
||||
+int sysdb_cache_password_ex(struct sss_domain_info *domain,
|
||||
+ const char *username,
|
||||
+ const char *password,
|
||||
+ enum sss_authtok_type authtok_type,
|
||||
+ size_t second_factor_size);
|
||||
+
|
||||
errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
|
||||
struct ldb_message *ldb_msg,
|
||||
uint32_t *failed_login_attempts,
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index ea786d59158eb8a82952c7e457ea83286abbf2c4..083d2778c97fe4d6149e4fc030885c482c511105 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -2226,9 +2226,11 @@ int sysdb_remove_group_member(struct sss_domain_info *domain,
|
||||
|
||||
/* =Password-Caching====================================================== */
|
||||
|
||||
-int sysdb_cache_password(struct sss_domain_info *domain,
|
||||
- const char *username,
|
||||
- const char *password)
|
||||
+int sysdb_cache_password_ex(struct sss_domain_info *domain,
|
||||
+ const char *username,
|
||||
+ const char *password,
|
||||
+ enum sss_authtok_type authtok_type,
|
||||
+ size_t second_factor_len)
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
struct sysdb_attrs *attrs;
|
||||
@@ -2261,6 +2263,15 @@ int sysdb_cache_password(struct sss_domain_info *domain,
|
||||
ret = sysdb_attrs_add_string(attrs, SYSDB_CACHEDPWD, hash);
|
||||
if (ret) goto fail;
|
||||
|
||||
+ ret = sysdb_attrs_add_long(attrs, SYSDB_CACHEDPWD_TYPE, authtok_type);
|
||||
+ if (ret) goto fail;
|
||||
+
|
||||
+ if (authtok_type == SSS_AUTHTOK_TYPE_2FA && second_factor_len > 0) {
|
||||
+ ret = sysdb_attrs_add_long(attrs, SYSDB_CACHEDPWD_FA2_LEN,
|
||||
+ second_factor_len);
|
||||
+ if (ret) goto fail;
|
||||
+ }
|
||||
+
|
||||
/* FIXME: should we use a different attribute for chache passwords ?? */
|
||||
ret = sysdb_attrs_add_long(attrs, "lastCachedPasswordChange",
|
||||
(long)time(NULL));
|
||||
@@ -2285,6 +2296,14 @@ fail:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+int sysdb_cache_password(struct sss_domain_info *domain,
|
||||
+ const char *username,
|
||||
+ const char *password)
|
||||
+{
|
||||
+ return sysdb_cache_password_ex(domain, username, password,
|
||||
+ SSS_AUTHTOK_TYPE_PASSWORD, 0);
|
||||
+}
|
||||
+
|
||||
/* =Custom Search================== */
|
||||
|
||||
int sysdb_search_custom(TALLOC_CTX *mem_ctx,
|
||||
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
|
||||
index 450a9d1d693135c296f3433d905d1aba115548b8..3d5e97afbfaa5441281ef193d072122204db0514 100644
|
||||
--- a/src/tests/sysdb-tests.c
|
||||
+++ b/src/tests/sysdb-tests.c
|
||||
@@ -1808,6 +1808,57 @@ START_TEST (test_sysdb_cache_password)
|
||||
}
|
||||
END_TEST
|
||||
|
||||
+START_TEST (test_sysdb_cache_password_ex)
|
||||
+{
|
||||
+ struct sysdb_test_ctx *test_ctx;
|
||||
+ struct test_data *data;
|
||||
+ int ret;
|
||||
+ struct ldb_result *res;
|
||||
+ const char *attrs[] = { SYSDB_CACHEDPWD_TYPE, SYSDB_CACHEDPWD_FA2_LEN,
|
||||
+ NULL };
|
||||
+ int val;
|
||||
+
|
||||
+ /* Setup */
|
||||
+ ret = setup_sysdb_tests(&test_ctx);
|
||||
+ fail_unless(ret == EOK, "Could not set up the test");
|
||||
+
|
||||
+ data = talloc_zero(test_ctx, struct test_data);
|
||||
+ data->ctx = test_ctx;
|
||||
+ data->ev = test_ctx->ev;
|
||||
+ data->username = talloc_asprintf(data, "testuser%d", _i);
|
||||
+
|
||||
+ ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username,
|
||||
+ attrs, &res);
|
||||
+ fail_unless(ret == EOK, "sysdb_get_user_attr request failed [%d].", ret);
|
||||
+
|
||||
+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_TYPE, 0);
|
||||
+ fail_unless(val == SSS_AUTHTOK_TYPE_PASSWORD,
|
||||
+ "Unexptected authtok type, found [%d], expected [%d].",
|
||||
+ val, SSS_AUTHTOK_TYPE_PASSWORD);
|
||||
+
|
||||
+ ret = sysdb_cache_password_ex(test_ctx->domain, data->username,
|
||||
+ data->username, SSS_AUTHTOK_TYPE_2FA, 12);
|
||||
+
|
||||
+ fail_unless(ret == EOK, "sysdb_cache_password request failed [%d].", ret);
|
||||
+
|
||||
+ ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username,
|
||||
+ attrs, &res);
|
||||
+ fail_unless(ret == EOK, "sysdb_get_user_attr request failed [%d].", ret);
|
||||
+
|
||||
+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_TYPE, 0);
|
||||
+ fail_unless(val == SSS_AUTHTOK_TYPE_2FA,
|
||||
+ "Unexptected authtok type, found [%d], expected [%d].",
|
||||
+ val, SSS_AUTHTOK_TYPE_2FA);
|
||||
+
|
||||
+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_FA2_LEN, 0);
|
||||
+ fail_unless(val == 12,
|
||||
+ "Unexptected second factor lenght, found [%d], expected [%d].",
|
||||
+ val, 12);
|
||||
+
|
||||
+ talloc_free(test_ctx);
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
static void cached_authentication_without_expiration(const char *username,
|
||||
const char *password,
|
||||
int expected_result)
|
||||
@@ -6256,6 +6307,8 @@ Suite *create_sysdb_suite(void)
|
||||
27010, 27011);
|
||||
tcase_add_loop_test(tc_sysdb, test_sysdb_cached_authentication, 27010, 27011);
|
||||
|
||||
+ tcase_add_loop_test(tc_sysdb, test_sysdb_cache_password_ex, 27010, 27011);
|
||||
+
|
||||
/* ASQ search test */
|
||||
tcase_add_loop_test(tc_sysdb, test_sysdb_prepare_asq_test_user, 28011, 28020);
|
||||
tcase_add_test(tc_sysdb, test_sysdb_asq_search);
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,76 +0,0 @@
|
||||
From c14a1642229f20fe8a1ff1da1e33b8ad6a46686d Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 24 Mar 2015 15:53:17 +0100
|
||||
Subject: [PATCH 26/30] krb5: save hash of the first authentication factor to
|
||||
the cache
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit c5ae04b2da970a3991f21173acae3e892198ce0c)
|
||||
---
|
||||
src/providers/krb5/krb5_auth.c | 26 +++++++++++++++++++++++---
|
||||
1 file changed, 23 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||
index 6b818440717a9cfaa22a8332fc65440d21d79d00..5a946de4dba5081ed3b082e54af84e73b567a22f 100644
|
||||
--- a/src/providers/krb5/krb5_auth.c
|
||||
+++ b/src/providers/krb5/krb5_auth.c
|
||||
@@ -321,6 +321,9 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
|
||||
struct pam_data *pd)
|
||||
{
|
||||
const char *password = NULL;
|
||||
+ const char *fa2;
|
||||
+ size_t password_len;
|
||||
+ size_t fa2_len = 0;
|
||||
int ret = EOK;
|
||||
|
||||
switch(pd->cmd) {
|
||||
@@ -332,7 +335,20 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
|
||||
break;
|
||||
case SSS_PAM_AUTHENTICATE:
|
||||
case SSS_PAM_CHAUTHTOK_PRELIM:
|
||||
- ret = sss_authtok_get_password(pd->authtok, &password, NULL);
|
||||
+ if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_2FA) {
|
||||
+ ret = sss_authtok_get_2fa(pd->authtok, &password, &password_len,
|
||||
+ &fa2, &fa2_len);
|
||||
+ if (ret == EOK && password_len <
|
||||
+ domain->cache_credentials_min_ff_length) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "First factor is too short to be cache, "
|
||||
+ "minimum length is [%u].\n",
|
||||
+ domain->cache_credentials_min_ff_length);
|
||||
+ ret = EINVAL;
|
||||
+ }
|
||||
+ } else {
|
||||
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
|
||||
+ }
|
||||
break;
|
||||
case SSS_PAM_CHAUTHTOK:
|
||||
ret = sss_authtok_get_password(pd->newauthtok, &password, NULL);
|
||||
@@ -358,7 +374,8 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
|
||||
return;
|
||||
}
|
||||
|
||||
- ret = sysdb_cache_password(domain, pd->user, password);
|
||||
+ ret = sysdb_cache_password_ex(domain, pd->user, password,
|
||||
+ sss_authtok_get_type(pd->authtok), fa2_len);
|
||||
if (ret) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Failed to cache password, offline auth may not work."
|
||||
@@ -1074,7 +1091,10 @@ static void krb5_auth_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (state->be_ctx->domain->cache_credentials == TRUE && !res->otp) {
|
||||
+ if (state->be_ctx->domain->cache_credentials == TRUE
|
||||
+ && (!res->otp
|
||||
+ || (res->otp && sss_authtok_get_type(pd->authtok) ==
|
||||
+ SSS_AUTHTOK_TYPE_2FA))) {
|
||||
krb5_auth_store_creds(state->domain, pd);
|
||||
}
|
||||
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,36 +0,0 @@
|
||||
From c1fce215b02fca5ed9df19bf66aaff3b52ed777b Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 25 Mar 2015 12:04:57 +0100
|
||||
Subject: [PATCH 27/30] krb5: try delayed online authentication only for single
|
||||
factor auth
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit 2d0e7658198d1aa6e3926bf967ff683660249114)
|
||||
---
|
||||
src/providers/krb5/krb5_auth.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||
index 5a946de4dba5081ed3b082e54af84e73b567a22f..2cfb3a805ea1472cc725aca068edcc69b036daba 100644
|
||||
--- a/src/providers/krb5/krb5_auth.c
|
||||
+++ b/src/providers/krb5/krb5_auth.c
|
||||
@@ -263,6 +263,13 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
|
||||
const char *password = NULL;
|
||||
errno_t ret;
|
||||
|
||||
+ if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Delayed authentication is only available for password "
|
||||
+ "authentication (single factor).\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
ret = sss_authtok_get_password(pd->authtok, &password, NULL);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,173 +0,0 @@
|
||||
From 33a78367bb6812daf2b00c956d83653362d671e2 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 27 Mar 2015 15:20:13 +0100
|
||||
Subject: [PATCH 28/30] 2FA offline auth
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit 219f5b698fa72c0d5a8da2b0dd99daec3f924c94)
|
||||
---
|
||||
src/db/sysdb_ops.c | 77 ++++++++++++++++++++++++++++++++++++++++--
|
||||
src/responder/pam/pamsrv_cmd.c | 35 +++++++++++++++++--
|
||||
2 files changed, 107 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 083d2778c97fe4d6149e4fc030885c482c511105..ed936e0fbe4451e9813402466d4850f0f586c1f5 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -3155,6 +3155,76 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static errno_t check_for_combined_2fa_password(struct sss_domain_info *domain,
|
||||
+ struct ldb_message *ldb_msg,
|
||||
+ const char *password,
|
||||
+ const char *userhash)
|
||||
+{
|
||||
+
|
||||
+ unsigned int cached_authtok_type;
|
||||
+ unsigned int cached_fa2_len;
|
||||
+ char *short_pw;
|
||||
+ char *comphash;
|
||||
+ size_t pw_len;
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ int ret;
|
||||
+
|
||||
+ cached_authtok_type = ldb_msg_find_attr_as_uint(ldb_msg,
|
||||
+ SYSDB_CACHEDPWD_TYPE,
|
||||
+ SSS_AUTHTOK_TYPE_EMPTY);
|
||||
+ if (cached_authtok_type != SSS_AUTHTOK_TYPE_2FA) {
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Wrong authtok type.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ cached_fa2_len = ldb_msg_find_attr_as_uint(ldb_msg, SYSDB_CACHEDPWD_FA2_LEN,
|
||||
+ 0);
|
||||
+ if (cached_fa2_len == 0) {
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Second factor size not available.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ pw_len = strlen(password);
|
||||
+ if (pw_len < cached_fa2_len + domain->cache_credentials_min_ff_length) {
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Password too short.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ short_pw = talloc_strndup(tmp_ctx, password, (pw_len - cached_fa2_len));
|
||||
+ if (short_pw == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = s3crypt_sha512(tmp_ctx, short_pw, userhash, &comphash);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "Failed to create password hash.\n");
|
||||
+ ret = ERR_INTERNAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (strcmp(userhash, comphash) != 0) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Hash of shorten password does not match.\n");
|
||||
+ ret = ERR_AUTH_FAILED;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int sysdb_cache_auth(struct sss_domain_info *domain,
|
||||
const char *name,
|
||||
const char *password,
|
||||
@@ -3168,7 +3238,8 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
|
||||
SYSDB_LAST_LOGIN, SYSDB_LAST_ONLINE_AUTH,
|
||||
"lastCachedPasswordChange",
|
||||
"accountExpires", SYSDB_FAILED_LOGIN_ATTEMPTS,
|
||||
- SYSDB_LAST_FAILED_LOGIN, NULL };
|
||||
+ SYSDB_LAST_FAILED_LOGIN, SYSDB_CACHEDPWD_TYPE,
|
||||
+ SYSDB_CACHEDPWD_FA2_LEN, NULL };
|
||||
struct ldb_message *ldb_msg;
|
||||
const char *userhash;
|
||||
char *comphash;
|
||||
@@ -3279,7 +3350,9 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (strcmp(userhash, comphash) == 0) {
|
||||
+ if (strcmp(userhash, comphash) == 0
|
||||
+ || check_for_combined_2fa_password(domain, ldb_msg,
|
||||
+ password, userhash) == EOK) {
|
||||
/* TODO: probable good point for audit logging */
|
||||
DEBUG(SSSDBG_CONF_SETTINGS, "Hashes do match!\n");
|
||||
authentication_successful = true;
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index c7eb697f29b6de9f7edaaf7715a58d2b7afdc733..e8d2b65fe429bcb390f33ef994934f9b82b1a4b7 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -528,6 +528,34 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
|
||||
pam_reply(preq);
|
||||
}
|
||||
|
||||
+static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
|
||||
+ const char **password)
|
||||
+{
|
||||
+ int ret;
|
||||
+ size_t pw_len;
|
||||
+ const char *fa2;
|
||||
+ size_t fa2_len;
|
||||
+
|
||||
+ switch (sss_authtok_get_type(authtok)) {
|
||||
+ case SSS_AUTHTOK_TYPE_PASSWORD:
|
||||
+ ret = sss_authtok_get_password(authtok, password, NULL);
|
||||
+ break;
|
||||
+ case SSS_AUTHTOK_TYPE_2FA:
|
||||
+ ret = sss_authtok_get_2fa(authtok, password, &pw_len, &fa2, &fa2_len);
|
||||
+ break;
|
||||
+ default:
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unsupported auth token type [%d].\n",
|
||||
+ sss_authtok_get_type(authtok));
|
||||
+ ret = EINVAL;
|
||||
+ }
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get password.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
|
||||
static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
|
||||
time_t expire_date, time_t delayed_until);
|
||||
@@ -586,9 +614,10 @@ static void pam_reply(struct pam_auth_req *preq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sss_authtok_get_password(pd->authtok, &password, NULL);
|
||||
- if (ret) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get password.\n");
|
||||
+ ret = get_password_for_cache_auth(pd->authtok, &password);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "get_password_and_type_for_cache_auth failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,502 +0,0 @@
|
||||
From 7eb1f0611ad5df755a981dcc86e10b01439e3618 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 18 Mar 2015 16:02:47 +0100
|
||||
Subject: [PATCH 29/30] pam_sss: move message encoding into separate file
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit bf6c3f07d653d474da9e43b2b7cced57fc4ea069)
|
||||
---
|
||||
Makefile.am | 2 +
|
||||
src/sss_client/pam_message.c | 178 +++++++++++++++++++++++++++++++++++++++++++
|
||||
src/sss_client/pam_message.h | 61 +++++++++++++++
|
||||
src/sss_client/pam_sss.c | 177 +-----------------------------------------
|
||||
4 files changed, 242 insertions(+), 176 deletions(-)
|
||||
create mode 100644 src/sss_client/pam_message.c
|
||||
create mode 100644 src/sss_client/pam_message.h
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 793a2a67be11232aefa67e57b986f6304b8a68b3..e8bd8b3237a9b533a3a102059ab9ca083714abe0 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -614,6 +614,7 @@ dist_noinst_HEADERS = \
|
||||
src/tests/cmocka/common_mock_resp.h \
|
||||
src/tests/cmocka/common_mock_sdap.h \
|
||||
src/tests/cmocka/common_mock_sysdb_objects.h \
|
||||
+ src/sss_client/pam_message.h \
|
||||
src/sss_client/ssh/sss_ssh_client.h \
|
||||
src/sss_client/sudo/sss_sudo.h \
|
||||
src/sss_client/libwbclient/libwbclient.h \
|
||||
@@ -2358,6 +2359,7 @@ endif
|
||||
pamlib_LTLIBRARIES = pam_sss.la
|
||||
pam_sss_la_SOURCES = \
|
||||
src/sss_client/pam_sss.c \
|
||||
+ src/sss_client/pam_message.c \
|
||||
src/sss_client/common.c \
|
||||
src/sss_client/sss_cli.h \
|
||||
src/util/atomic_io.c \
|
||||
diff --git a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..b8104c680d0e733b713c665e6206dc4b0d379237
|
||||
--- /dev/null
|
||||
+++ b/src/sss_client/pam_message.c
|
||||
@@ -0,0 +1,178 @@
|
||||
+/*
|
||||
+ Authors:
|
||||
+ Sumit Bose <sbose@redhat.com>
|
||||
+
|
||||
+ PAM client - create message blob
|
||||
+
|
||||
+ Copyright (C) 2015 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU Lesser General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include <stdlib.h>
|
||||
+#include <security/pam_modules.h>
|
||||
+
|
||||
+#include "sss_pam_compat.h"
|
||||
+#include "sss_pam_macros.h"
|
||||
+
|
||||
+#include "pam_message.h"
|
||||
+
|
||||
+#include "sss_cli.h"
|
||||
+
|
||||
+static size_t add_authtok_item(enum pam_item_type type,
|
||||
+ enum sss_authtok_type authtok_type,
|
||||
+ const char *tok, const size_t size,
|
||||
+ uint8_t *buf)
|
||||
+{
|
||||
+ size_t rp = 0;
|
||||
+ uint32_t c;
|
||||
+
|
||||
+ if (tok == NULL) return 0;
|
||||
+
|
||||
+ c = type;
|
||||
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
+ rp += sizeof(uint32_t);
|
||||
+
|
||||
+ c = size + sizeof(uint32_t);
|
||||
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
+ rp += sizeof(uint32_t);
|
||||
+
|
||||
+ c = authtok_type;
|
||||
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
+ rp += sizeof(uint32_t);
|
||||
+
|
||||
+ memcpy(&buf[rp], tok, size);
|
||||
+ rp += size;
|
||||
+
|
||||
+ return rp;
|
||||
+}
|
||||
+
|
||||
+static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val,
|
||||
+ uint8_t *buf)
|
||||
+{
|
||||
+ size_t rp = 0;
|
||||
+ uint32_t c;
|
||||
+
|
||||
+ c = type;
|
||||
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
+ rp += sizeof(uint32_t);
|
||||
+
|
||||
+ c = sizeof(uint32_t);
|
||||
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
+ rp += sizeof(uint32_t);
|
||||
+
|
||||
+ c = val;
|
||||
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
+ rp += sizeof(uint32_t);
|
||||
+
|
||||
+ return rp;
|
||||
+}
|
||||
+
|
||||
+static size_t add_string_item(enum pam_item_type type, const char *str,
|
||||
+ const size_t size, uint8_t *buf)
|
||||
+{
|
||||
+ size_t rp = 0;
|
||||
+ uint32_t c;
|
||||
+
|
||||
+ if (str == NULL || *str == '\0') return 0;
|
||||
+
|
||||
+ c = type;
|
||||
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
+ rp += sizeof(uint32_t);
|
||||
+
|
||||
+ c = size;
|
||||
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
+ rp += sizeof(uint32_t);
|
||||
+
|
||||
+ memcpy(&buf[rp], str, size);
|
||||
+ rp += size;
|
||||
+
|
||||
+ return rp;
|
||||
+}
|
||||
+
|
||||
+int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
|
||||
+{
|
||||
+ int len;
|
||||
+ uint8_t *buf;
|
||||
+ size_t rp;
|
||||
+
|
||||
+ len = sizeof(uint32_t) +
|
||||
+ 2*sizeof(uint32_t) + pi->pam_user_size +
|
||||
+ sizeof(uint32_t);
|
||||
+ len += *pi->pam_service != '\0' ?
|
||||
+ 2*sizeof(uint32_t) + pi->pam_service_size : 0;
|
||||
+ len += *pi->pam_tty != '\0' ?
|
||||
+ 2*sizeof(uint32_t) + pi->pam_tty_size : 0;
|
||||
+ len += *pi->pam_ruser != '\0' ?
|
||||
+ 2*sizeof(uint32_t) + pi->pam_ruser_size : 0;
|
||||
+ len += *pi->pam_rhost != '\0' ?
|
||||
+ 2*sizeof(uint32_t) + pi->pam_rhost_size : 0;
|
||||
+ len += pi->pam_authtok != NULL ?
|
||||
+ 3*sizeof(uint32_t) + pi->pam_authtok_size : 0;
|
||||
+ len += pi->pam_newauthtok != NULL ?
|
||||
+ 3*sizeof(uint32_t) + pi->pam_newauthtok_size : 0;
|
||||
+ len += 3*sizeof(uint32_t); /* cli_pid */
|
||||
+ len += *pi->requested_domains != '\0' ?
|
||||
+ 2*sizeof(uint32_t) + pi->requested_domains_size : 0;
|
||||
+
|
||||
+ buf = malloc(len);
|
||||
+ if (buf == NULL) {
|
||||
+ D(("malloc failed."));
|
||||
+ return PAM_BUF_ERR;
|
||||
+ }
|
||||
+
|
||||
+ rp = 0;
|
||||
+ SAFEALIGN_SETMEM_UINT32(buf, SSS_START_OF_PAM_REQUEST, &rp);
|
||||
+
|
||||
+ rp += add_string_item(SSS_PAM_ITEM_USER, pi->pam_user, pi->pam_user_size,
|
||||
+ &buf[rp]);
|
||||
+
|
||||
+ rp += add_string_item(SSS_PAM_ITEM_SERVICE, pi->pam_service,
|
||||
+ pi->pam_service_size, &buf[rp]);
|
||||
+
|
||||
+ rp += add_string_item(SSS_PAM_ITEM_TTY, pi->pam_tty, pi->pam_tty_size,
|
||||
+ &buf[rp]);
|
||||
+
|
||||
+ rp += add_string_item(SSS_PAM_ITEM_RUSER, pi->pam_ruser, pi->pam_ruser_size,
|
||||
+ &buf[rp]);
|
||||
+
|
||||
+ rp += add_string_item(SSS_PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size,
|
||||
+ &buf[rp]);
|
||||
+
|
||||
+ rp += add_string_item(SSS_PAM_ITEM_REQUESTED_DOMAINS, pi->requested_domains, pi->requested_domains_size,
|
||||
+ &buf[rp]);
|
||||
+
|
||||
+ rp += add_uint32_t_item(SSS_PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid,
|
||||
+ &buf[rp]);
|
||||
+
|
||||
+ rp += add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type,
|
||||
+ pi->pam_authtok, pi->pam_authtok_size, &buf[rp]);
|
||||
+
|
||||
+ rp += add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type,
|
||||
+ pi->pam_newauthtok, pi->pam_newauthtok_size,
|
||||
+ &buf[rp]);
|
||||
+
|
||||
+ SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
|
||||
+
|
||||
+ if (rp != len) {
|
||||
+ D(("error during packet creation."));
|
||||
+ free(buf);
|
||||
+ return PAM_BUF_ERR;
|
||||
+ }
|
||||
+
|
||||
+ *size = len;
|
||||
+ *buffer = buf;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..8ade6d871b840d4d0153bbf56e0d458861ab3816
|
||||
--- /dev/null
|
||||
+++ b/src/sss_client/pam_message.h
|
||||
@@ -0,0 +1,61 @@
|
||||
+/*
|
||||
+ Authors:
|
||||
+ Sumit Bose <sbose@redhat.com>
|
||||
+
|
||||
+ Copyright (C) 2015 Red Hat
|
||||
+
|
||||
+ PAM client - create message blob
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU Lesser General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#ifndef _PAM_MESSAGE_H_
|
||||
+#define _PAM_MESSAGE_H_
|
||||
+
|
||||
+#include <unistd.h>
|
||||
+#include <stdint.h>
|
||||
+
|
||||
+struct pam_items {
|
||||
+ const char *pam_service;
|
||||
+ const char *pam_user;
|
||||
+ const char *pam_tty;
|
||||
+ const char *pam_ruser;
|
||||
+ const char *pam_rhost;
|
||||
+ char *pam_authtok;
|
||||
+ char *pam_newauthtok;
|
||||
+ const char *pamstack_authtok;
|
||||
+ const char *pamstack_oldauthtok;
|
||||
+ size_t pam_service_size;
|
||||
+ size_t pam_user_size;
|
||||
+ size_t pam_tty_size;
|
||||
+ size_t pam_ruser_size;
|
||||
+ size_t pam_rhost_size;
|
||||
+ int pam_authtok_type;
|
||||
+ size_t pam_authtok_size;
|
||||
+ int pam_newauthtok_type;
|
||||
+ size_t pam_newauthtok_size;
|
||||
+ pid_t cli_pid;
|
||||
+ const char *login_name;
|
||||
+ char *domain_name;
|
||||
+ const char *requested_domains;
|
||||
+ size_t requested_domains_size;
|
||||
+ char *otp_vendor;
|
||||
+ char *otp_token_id;
|
||||
+ char *otp_challenge;
|
||||
+ char *first_factor;
|
||||
+};
|
||||
+
|
||||
+int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer);
|
||||
+
|
||||
+#endif /* _PAM_MESSAGE_H_ */
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index f11871a47d1b29f44c179e57a33d8f41be79078d..e01c5031650d3837a23f8a7404d334a9d2f55441 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -40,6 +40,7 @@
|
||||
#include "sss_pam_macros.h"
|
||||
|
||||
#include "sss_cli.h"
|
||||
+#include "pam_message.h"
|
||||
#include "util/atomic_io.h"
|
||||
#include "util/authtok-utils.h"
|
||||
|
||||
@@ -65,36 +66,6 @@
|
||||
#define EXP_ACC_MSG _("Permission denied. ")
|
||||
#define SRV_MSG _("Server message: ")
|
||||
|
||||
-struct pam_items {
|
||||
- const char* pam_service;
|
||||
- const char* pam_user;
|
||||
- const char* pam_tty;
|
||||
- const char* pam_ruser;
|
||||
- const char* pam_rhost;
|
||||
- char* pam_authtok;
|
||||
- char* pam_newauthtok;
|
||||
- const char* pamstack_authtok;
|
||||
- const char* pamstack_oldauthtok;
|
||||
- size_t pam_service_size;
|
||||
- size_t pam_user_size;
|
||||
- size_t pam_tty_size;
|
||||
- size_t pam_ruser_size;
|
||||
- size_t pam_rhost_size;
|
||||
- int pam_authtok_type;
|
||||
- size_t pam_authtok_size;
|
||||
- int pam_newauthtok_type;
|
||||
- size_t pam_newauthtok_size;
|
||||
- pid_t cli_pid;
|
||||
- const char *login_name;
|
||||
- char *domain_name;
|
||||
- const char *requested_domains;
|
||||
- size_t requested_domains_size;
|
||||
- char *otp_vendor;
|
||||
- char *otp_token_id;
|
||||
- char *otp_challenge;
|
||||
- char *first_factor;
|
||||
-};
|
||||
-
|
||||
#define DEBUG_MGS_LEN 1024
|
||||
#define MAX_AUTHTOK_SIZE (1024*1024)
|
||||
#define CHECK_AND_RETURN_PI_STRING(s) ((s != NULL && *s != '\0')? s : "(not available)")
|
||||
@@ -146,75 +117,6 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
|
||||
sss_pam_close_fd();
|
||||
}
|
||||
|
||||
-static size_t add_authtok_item(enum pam_item_type type,
|
||||
- enum sss_authtok_type authtok_type,
|
||||
- const char *tok, const size_t size,
|
||||
- uint8_t *buf) {
|
||||
- size_t rp=0;
|
||||
- uint32_t c;
|
||||
-
|
||||
- if (tok == NULL) return 0;
|
||||
-
|
||||
- c = type;
|
||||
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
- rp += sizeof(uint32_t);
|
||||
-
|
||||
- c = size + sizeof(uint32_t);
|
||||
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
- rp += sizeof(uint32_t);
|
||||
-
|
||||
- c = authtok_type;
|
||||
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
- rp += sizeof(uint32_t);
|
||||
-
|
||||
- memcpy(&buf[rp], tok, size);
|
||||
- rp += size;
|
||||
-
|
||||
- return rp;
|
||||
-}
|
||||
-
|
||||
-
|
||||
-static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val,
|
||||
- uint8_t *buf) {
|
||||
- size_t rp=0;
|
||||
- uint32_t c;
|
||||
-
|
||||
- c = type;
|
||||
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
- rp += sizeof(uint32_t);
|
||||
-
|
||||
- c = sizeof(uint32_t);
|
||||
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
- rp += sizeof(uint32_t);
|
||||
-
|
||||
- c = val;
|
||||
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
- rp += sizeof(uint32_t);
|
||||
-
|
||||
- return rp;
|
||||
-}
|
||||
-
|
||||
-static size_t add_string_item(enum pam_item_type type, const char *str,
|
||||
- const size_t size, uint8_t *buf) {
|
||||
- size_t rp=0;
|
||||
- uint32_t c;
|
||||
-
|
||||
- if (str == NULL || *str == '\0') return 0;
|
||||
-
|
||||
- c = type;
|
||||
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
- rp += sizeof(uint32_t);
|
||||
-
|
||||
- c = size;
|
||||
- memcpy(&buf[rp], &c, sizeof(uint32_t));
|
||||
- rp += sizeof(uint32_t);
|
||||
-
|
||||
- memcpy(&buf[rp], str, size);
|
||||
- rp += size;
|
||||
-
|
||||
- return rp;
|
||||
-}
|
||||
-
|
||||
static void overwrite_and_free_authtoks(struct pam_items *pi)
|
||||
{
|
||||
if (pi->pam_authtok != NULL) {
|
||||
@@ -256,83 +158,6 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
|
||||
pi->otp_challenge = NULL;
|
||||
}
|
||||
|
||||
-static int pack_message_v3(struct pam_items *pi, size_t *size,
|
||||
- uint8_t **buffer) {
|
||||
- int len;
|
||||
- uint8_t *buf;
|
||||
- size_t rp;
|
||||
-
|
||||
- len = sizeof(uint32_t) +
|
||||
- 2*sizeof(uint32_t) + pi->pam_user_size +
|
||||
- sizeof(uint32_t);
|
||||
- len += *pi->pam_service != '\0' ?
|
||||
- 2*sizeof(uint32_t) + pi->pam_service_size : 0;
|
||||
- len += *pi->pam_tty != '\0' ?
|
||||
- 2*sizeof(uint32_t) + pi->pam_tty_size : 0;
|
||||
- len += *pi->pam_ruser != '\0' ?
|
||||
- 2*sizeof(uint32_t) + pi->pam_ruser_size : 0;
|
||||
- len += *pi->pam_rhost != '\0' ?
|
||||
- 2*sizeof(uint32_t) + pi->pam_rhost_size : 0;
|
||||
- len += pi->pam_authtok != NULL ?
|
||||
- 3*sizeof(uint32_t) + pi->pam_authtok_size : 0;
|
||||
- len += pi->pam_newauthtok != NULL ?
|
||||
- 3*sizeof(uint32_t) + pi->pam_newauthtok_size : 0;
|
||||
- len += 3*sizeof(uint32_t); /* cli_pid */
|
||||
- len += *pi->requested_domains != '\0' ?
|
||||
- 2*sizeof(uint32_t) + pi->requested_domains_size : 0;
|
||||
-
|
||||
-
|
||||
- buf = malloc(len);
|
||||
- if (buf == NULL) {
|
||||
- D(("malloc failed."));
|
||||
- return PAM_BUF_ERR;
|
||||
- }
|
||||
-
|
||||
- rp = 0;
|
||||
- SAFEALIGN_SETMEM_UINT32(buf, SSS_START_OF_PAM_REQUEST, &rp);
|
||||
-
|
||||
- rp += add_string_item(SSS_PAM_ITEM_USER, pi->pam_user, pi->pam_user_size,
|
||||
- &buf[rp]);
|
||||
-
|
||||
- rp += add_string_item(SSS_PAM_ITEM_SERVICE, pi->pam_service,
|
||||
- pi->pam_service_size, &buf[rp]);
|
||||
-
|
||||
- rp += add_string_item(SSS_PAM_ITEM_TTY, pi->pam_tty, pi->pam_tty_size,
|
||||
- &buf[rp]);
|
||||
-
|
||||
- rp += add_string_item(SSS_PAM_ITEM_RUSER, pi->pam_ruser, pi->pam_ruser_size,
|
||||
- &buf[rp]);
|
||||
-
|
||||
- rp += add_string_item(SSS_PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size,
|
||||
- &buf[rp]);
|
||||
-
|
||||
- rp += add_string_item(SSS_PAM_ITEM_REQUESTED_DOMAINS, pi->requested_domains, pi->requested_domains_size,
|
||||
- &buf[rp]);
|
||||
-
|
||||
- rp += add_uint32_t_item(SSS_PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid,
|
||||
- &buf[rp]);
|
||||
-
|
||||
- rp += add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type,
|
||||
- pi->pam_authtok, pi->pam_authtok_size, &buf[rp]);
|
||||
-
|
||||
- rp += add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type,
|
||||
- pi->pam_newauthtok, pi->pam_newauthtok_size,
|
||||
- &buf[rp]);
|
||||
-
|
||||
- SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
|
||||
-
|
||||
- if (rp != len) {
|
||||
- D(("error during packet creation."));
|
||||
- free(buf);
|
||||
- return PAM_BUF_ERR;
|
||||
- }
|
||||
-
|
||||
- *size = len;
|
||||
- *buffer = buf;
|
||||
-
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
static int null_strcmp(const char *s1, const char *s2) {
|
||||
if (s1 == NULL && s2 == NULL) return 0;
|
||||
if (s1 == NULL && s2 != NULL) return -1;
|
||||
--
|
||||
2.4.3
|
||||
|
File diff suppressed because it is too large
Load Diff
2
sources
2
sources
@ -1 +1 @@
|
||||
4439852e76e221c9bcd60a8586c136e2 sssd-1.12.5.tar.gz
|
||||
0ffa8d3b8d7d22acb9200e11b1f641dd sssd-1.13.0alpha.tar.gz
|
||||
|
72
sssd.spec
72
sssd.spec
@ -28,46 +28,16 @@
|
||||
%endif
|
||||
|
||||
Name: sssd
|
||||
Version: 1.12.5
|
||||
Release: 4%{?dist}
|
||||
Version: 1.13.0
|
||||
Release: 1%{?dist}.alpha
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: http://fedorahosted.org/sssd/
|
||||
Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
|
||||
Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}alpha.tar.gz
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-BUILD-Remove-unused-libraries-for-pysss.so.patch
|
||||
Patch0002: 0002-BUILD-Remove-unused-variables.patch
|
||||
Patch0003: 0003-BUILD-Remove-detection-of-type-Py_ssize_t.patch
|
||||
Patch0004: 0004-UTIL-Remove-python-wrapper-sss_python_set_new.patch
|
||||
Patch0005: 0005-UTIL-Remove-python-wrapper-sss_python_set_add.patch
|
||||
Patch0006: 0006-UTIL-Remove-python-wrapper-sss_python_set_check.patch
|
||||
Patch0007: 0007-UTIL-Remove-compatibility-macro-PyModule_AddIntMacro.patch
|
||||
Patch0008: 0008-UTIL-Remove-python-wrapper-sss_python_unicode_from_s.patch
|
||||
Patch0009: 0009-BUILD-Use-python-config-for-detection-FLAGS.patch
|
||||
Patch0010: 0010-SPEC-Use-new-convention-for-python-packages.patch
|
||||
Patch0011: 0011-SPEC-Move-python-bindings-to-separate-packages.patch
|
||||
Patch0012: 0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch
|
||||
Patch0013: 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch
|
||||
Patch0014: 0014-SPEC-Replace-python_-macros-with-python2_.patch
|
||||
Patch0015: 0015-SPEC-Build-python3-bindings-on-available-platforms.patch
|
||||
Patch0016: 0016-ad_opts-Use-different-default-attribute-for-group-na.patch
|
||||
Patch0017: 0017-Add-leak-check-and-command-line-option-to-test_autht.patch
|
||||
Patch0018: 0018-utils-add-sss_authtok_-gs-et_2fa.patch
|
||||
Patch0019: 0019-pam-handle-2FA-authentication-token-in-the-responder.patch
|
||||
Patch0020: 0020-Add-pre-auth-request.patch
|
||||
Patch0021: 0021-krb5-child-add-preauth-and-split-2fa-token-support.patch
|
||||
Patch0022: 0022-IPA-create-preauth-indicator-file-at-startup.patch
|
||||
Patch0023: 0023-pam_sss-add-pre-auth-and-2fa-support.patch
|
||||
Patch0024: 0024-Add-cache_credentials_minimal_first_factor_length-co.patch
|
||||
Patch0025: 0025-sysdb-add-sysdb_cache_password_ex.patch
|
||||
Patch0026: 0026-krb5-save-hash-of-the-first-authentication-factor-to.patch
|
||||
Patch0027: 0027-krb5-try-delayed-online-authentication-only-for-sing.patch
|
||||
Patch0028: 0028-2FA-offline-auth.patch
|
||||
Patch0029: 0029-pam_sss-move-message-encoding-into-separate-file.patch
|
||||
Patch0030: 0030-PAM-add-PAM-responder-unit-test.patch
|
||||
|
||||
### Dependencies ###
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
@ -82,6 +52,7 @@ Requires: python3-sssdconfig = %{version}-%{release}
|
||||
%global servicename sssd
|
||||
%global sssdstatedir %{_localstatedir}/lib/sss
|
||||
%global dbpath %{sssdstatedir}/db
|
||||
%global keytabdir %{sssdstatedir}/keytabs
|
||||
%global pipepath %{sssdstatedir}/pipes
|
||||
%global mcpath %{sssdstatedir}/mc
|
||||
%global pubconfpath %{sssdstatedir}/pubconf
|
||||
@ -107,6 +78,7 @@ BuildRequires: dbus-libs
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: nss-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: nspr-devel
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: libxslt
|
||||
@ -407,14 +379,16 @@ Requires: libipa_hbac = %{version}-%{release}
|
||||
%description -n libipa_hbac-devel
|
||||
Utility library to validate FreeIPA HBAC rules for authorization requests
|
||||
|
||||
%package -n libipa_hbac-python
|
||||
%package -n python-libipa_hbac
|
||||
Summary: Python2 bindings for the FreeIPA HBAC Evaluator library
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: libipa_hbac = %{version}-%{release}
|
||||
Provides: libipa_hbac-python = %{version}-%{release}
|
||||
Obsoletes: libipa_hbac-python < 1.13.0
|
||||
|
||||
%description -n libipa_hbac-python
|
||||
The libipa_hbac-python contains the bindings so that libipa_hbac can be
|
||||
%description -n python-libipa_hbac
|
||||
The python-libipa_hbac contains the bindings so that libipa_hbac can be
|
||||
used by Python applications.
|
||||
|
||||
%package -n python3-libipa_hbac
|
||||
@ -446,14 +420,16 @@ Requires: libsss_nss_idmap = %{version}-%{release}
|
||||
%description -n libsss_nss_idmap-devel
|
||||
Utility library for SID based lookups
|
||||
|
||||
%package -n libsss_nss_idmap-python
|
||||
%package -n python-libsss_nss_idmap
|
||||
Summary: Python2 bindings for libsss_nss_idmap
|
||||
Group: Development/Libraries
|
||||
License: LGPLv3+
|
||||
Requires: libsss_nss_idmap = %{version}-%{release}
|
||||
Provides: libsss_nss_idmap-python = %{version}-%{release}
|
||||
Obsoletes: libsss_nss_idmap-python < 1.13.0
|
||||
|
||||
%description -n libsss_nss_idmap-python
|
||||
The libsss_nss_idmap-python contains the bindings so that libsss_nss_idmap can
|
||||
%description -n python-libsss_nss_idmap
|
||||
The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
|
||||
be used by Python applications.
|
||||
|
||||
%package -n python3-libsss_nss_idmap
|
||||
@ -534,7 +510,7 @@ UpdateTimestamps() {
|
||||
done
|
||||
}
|
||||
|
||||
%setup -q
|
||||
%setup -q -n %{name}-1.12.90
|
||||
|
||||
for p in %patches ; do
|
||||
%__patch -p1 -i $p
|
||||
@ -566,12 +542,6 @@ autoreconf -ivf
|
||||
make %{?_smp_mflags} all docs
|
||||
|
||||
%check
|
||||
|
||||
# the utility patch did not apply changes in file permissions
|
||||
chmod 755 src/config/SSSDConfigTest.py*.sh \
|
||||
src/tests/pyhbac-test.py*.sh \
|
||||
src/tests/pysss_murmur-test.py*.sh
|
||||
|
||||
export CK_TIMEOUT_MULTIPLIER=10
|
||||
make %{?_smp_mflags} check VERBOSE=yes
|
||||
unset CK_TIMEOUT_MULTIPLIER
|
||||
@ -708,6 +678,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
#Internal shared libraries
|
||||
%{_libdir}/%{name}/libsss_child.so
|
||||
%{_libdir}/%{name}/libsss_crypt.so
|
||||
%{_libdir}/%{name}/libsss_cert.so
|
||||
%{_libdir}/%{name}/libsss_debug.so
|
||||
%{_libdir}/%{name}/libsss_krb5_common.so
|
||||
%{_libdir}/%{name}/libsss_ldap_common.so
|
||||
@ -781,6 +752,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%defattr(-,root,root,-)
|
||||
%doc COPYING
|
||||
%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
|
||||
%attr(700,root,root) %dir %{keytabdir}
|
||||
%{_libdir}/%{name}/libsss_ipa.so
|
||||
%{_libexecdir}/%{servicename}/selinux_child
|
||||
%{_mandir}/man5/sssd-ipa.5*
|
||||
@ -929,7 +901,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_libdir}/libsss_nss_idmap.so
|
||||
%{_libdir}/pkgconfig/sss_nss_idmap.pc
|
||||
|
||||
%files -n libsss_nss_idmap-python
|
||||
%files -n python-libsss_nss_idmap
|
||||
%defattr(-,root,root,-)
|
||||
%{python2_sitearch}/pysss_nss_idmap.so
|
||||
%{python2_sitearch}/_py2sss_nss_idmap.so
|
||||
@ -939,7 +911,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{python3_sitearch}/pysss_nss_idmap.so
|
||||
%{python3_sitearch}/_py3sss_nss_idmap.so
|
||||
|
||||
%files -n libipa_hbac-python
|
||||
%files -n python-libipa_hbac
|
||||
%defattr(-,root,root,-)
|
||||
%{python2_sitearch}/pyhbac.so
|
||||
%{python2_sitearch}/_py2hbac.so
|
||||
@ -1038,6 +1010,10 @@ fi
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Mon Jun 22 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-1.alpha
|
||||
- New upstream release 1.13 alpha
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha
|
||||
|
||||
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.12.5-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user