rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream release 1.13 alpha

Browse Source 
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha
This commit is contained in:
Lukas Slebodnik 2015-06-22 13:52:08 +02:00
parent b4d3da407f
commit 3fa3e7c22a
33 changed files with 26 additions and 6299 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -62,3 +62,4 @@ sssd-1.2.91.tar.gz
/sssd-1.12.3.tar.gz /sssd-1.12.3.tar.gz
/sssd-1.12.4.tar.gz /sssd-1.12.4.tar.gz
/sssd-1.12.5.tar.gz /sssd-1.12.5.tar.gz
/sssd-1.13.0alpha.tar.gz

34
0001-BUILD-Remove-unused-libraries-for-pysss.so.patch
View File

@ -1,34 +0,0 @@
From 07a71386a04d4b1860a4250ea57fd5866ea792fe Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 9 Feb 2015 17:40:07 +0100
Subject: [PATCH 01/30] BUILD: Remove unused libraries for pysss.so
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
Makefile.am | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index ac6a358ea14239781c26e6f2ac02bdeb3007659f..bdca46a0548ddb98dde485a7786566eb623b181b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -445,15 +445,9 @@ SSSD_LIBS = \
PYTHON_BINDINGS_LIBS = \
$(TALLOC_LIBS) \
- $(TEVENT_LIBS) \
$(POPT_LIBS) \
$(LDB_LIBS) \
- $(DBUS_LIBS) \
- $(PCRE_LIBS) \
- $(DHASH_LIBS) \
- $(SSS_CRYPT_LIBS) \
- $(OPENLDAP_LIBS) \
- $(TDB_LIBS)
+ $(NULL)
TOOLS_LIBS = \
$(LTLIBINTL) \
--
2.4.3

26
0002-BUILD-Remove-unused-variables.patch
View File

@ -1,26 +0,0 @@
From 8b57611326949037065899fa8f7f53d635700930 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 9 Feb 2015 18:46:16 +0100
Subject: [PATCH 02/30] BUILD: Remove unused variables
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/external/python.m4 | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/external/python.m4 b/src/external/python.m4
index a1bd87a0ee3a56ddd25c4aba7687ffc7540b4ec2..241de9fd0e401c40f8136861e7c7070c8a50cddd 100644
--- a/src/external/python.m4
+++ b/src/external/python.m4
@@ -37,8 +37,6 @@ AC_DEFUN([AM_CHECK_PYTHON_HEADERS],
AC_MSG_CHECKING(for headers required to compile python extensions)
dnl deduce PYTHON_INCLUDES
- py_prefix=`$PYTHON -c "import sys; print(sys.prefix)"`
- py_exec_prefix=`$PYTHON -c "import sys; print(sys.exec_prefix)"`
PYTHON_INCLUDES=-I`$PYTHON -c "from distutils import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"`
AC_SUBST(PYTHON_INCLUDES)
--
2.4.3

57
0003-BUILD-Remove-detection-of-type-Py_ssize_t.patch
View File

@ -1,57 +0,0 @@
From d95bbdfd54b8f752efb1d27a09a277aba46a1271 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 9 Feb 2015 19:16:30 +0100
Subject: [PATCH 03/30] BUILD: Remove detection of type Py_ssize_t
The type Py_ssize_t is defined in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/external/python.m4 | 5 -----
src/util/sss_python.h | 14 --------------
2 files changed, 19 deletions(-)
diff --git a/src/external/python.m4 b/src/external/python.m4
index 241de9fd0e401c40f8136861e7c7070c8a50cddd..858af3c197603fcda100eddcffc396dad674a9e6 100644
--- a/src/external/python.m4
+++ b/src/external/python.m4
@@ -62,11 +62,6 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
LIBS="$LIBS $PYTHON_LIBS"
- AC_CHECK_TYPE(Py_ssize_t,
- [ AC_DEFINE_UNQUOTED(HAVE_PY_SSIZE_T, 1, [Native Py_ssize_t type]) ],
- [],
- [[#include <Python.h>]])
-
AC_CHECK_FUNCS([PySet_New PySet_Add PyErr_NewExceptionWithDoc])
AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
index 828bd22ec44fe9493bfaa246b072777b70c7b585..cf8c848482d82e0060cbfe748c05bd09c7492c4f 100644
--- a/src/util/sss_python.h
+++ b/src/util/sss_python.h
@@ -25,20 +25,6 @@
#define PYNUMBER_ASLONG(what) PyInt_AsLong(what)
#endif
-/* Py_ssize_t compatibility for python < 2.5 as per
- * http://www.python.org/dev/peps/pep-0353/ */
-#ifndef HAVE_PY_SSIZE_T
-typedef int Py_ssize_t;
-#endif
-
-#ifndef PY_SSIZE_T_MAX
-#define PY_SSIZE_T_MAX INT_MAX
-#endif
-
-#ifndef PY_SSIZE_T_MIN
-#define PY_SSIZE_T_MIN INT_MIN
-#endif
-
/* Wrappers providing the subset of C API for python's set objects we use */
PyObject *sss_python_set_new(void);
int sss_python_set_add(PyObject *set, PyObject *key);
--
2.4.3

86
0004-UTIL-Remove-python-wrapper-sss_python_set_new.patch
View File

@ -1,86 +0,0 @@
From ab725a8a098f2784a4f77d0d699ea593fa75f630 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 9 Feb 2015 19:19:55 +0100
Subject: [PATCH 04/30] UTIL: Remove python wrapper sss_python_set_new
The function PySet_New is available in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/external/python.m4 | 2 +-
src/python/pyhbac.c | 4 ++--
src/util/sss_python.c | 10 ----------
src/util/sss_python.h | 1 -
4 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/src/external/python.m4 b/src/external/python.m4
index 858af3c197603fcda100eddcffc396dad674a9e6..440d2f97740e43c31c9a530daecb7c5ded92a0dd 100644
--- a/src/external/python.m4
+++ b/src/external/python.m4
@@ -62,7 +62,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
LIBS="$LIBS $PYTHON_LIBS"
- AC_CHECK_FUNCS([PySet_New PySet_Add PyErr_NewExceptionWithDoc])
+ AC_CHECK_FUNCS([PySet_Add PyErr_NewExceptionWithDoc])
AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
CPPFLAGS="$save_CPPFLAGS"
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
index c46f7c6b300df9eb82fa411673da3d77504080cd..58d906d138464c9f25e6b513ad41b985b510baa2 100644
--- a/src/python/pyhbac.c
+++ b/src/python/pyhbac.c
@@ -303,7 +303,7 @@ HbacRuleElement_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
return NULL;
}
- self->category = sss_python_set_new();
+ self->category = PySet_New(NULL);
self->names = PyList_New(0);
self->groups = PyList_New(0);
if (!self->names || !self->groups || !self->category) {
@@ -945,7 +945,7 @@ py_hbac_rule_validate(HbacRuleObject *self, PyObject *args)
}
py_is_valid = PyBool_FromLong(is_valid);
- py_missing = sss_python_set_new();
+ py_missing = PySet_New(NULL);
if (!py_missing || !py_is_valid) {
PyErr_NoMemory();
goto fail;
diff --git a/src/util/sss_python.c b/src/util/sss_python.c
index 19717a55c986b6831234addfbf91a529d652f592..dad2a46d86f4243fb4a2d1fad94e49f66db23f0c 100644
--- a/src/util/sss_python.c
+++ b/src/util/sss_python.c
@@ -21,16 +21,6 @@
#include "src/util/sss_python.h"
#include "config.h"
-PyObject *
-sss_python_set_new(void)
-{
-#ifdef HAVE_PYSET_NEW
- return PySet_New(NULL);
-#else
- return PyObject_CallObject((PyObject *) &PySet_Type, NULL);
-#endif
-}
-
int
sss_python_set_add(PyObject *set, PyObject *key)
{
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
index cf8c848482d82e0060cbfe748c05bd09c7492c4f..6851a64e816ccf3bb84321bbeb9946ad2fbfbc41 100644
--- a/src/util/sss_python.h
+++ b/src/util/sss_python.h
@@ -26,7 +26,6 @@
#endif
/* Wrappers providing the subset of C API for python's set objects we use */
-PyObject *sss_python_set_new(void);
int sss_python_set_add(PyObject *set, PyObject *key);
bool sss_python_set_check(PyObject *set);
--
2.4.3

93
0005-UTIL-Remove-python-wrapper-sss_python_set_add.patch
View File

@ -1,93 +0,0 @@
From 3ce5c930239870ba6435508dec8a68e3f7802830 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 9 Feb 2015 19:23:44 +0100
Subject: [PATCH 05/30] UTIL: Remove python wrapper sss_python_set_add
The function PySet_Add is available in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/external/python.m4 | 2 +-
src/python/pyhbac.c | 4 ++--
src/util/sss_python.c | 17 -----------------
src/util/sss_python.h | 1 -
4 files changed, 3 insertions(+), 21 deletions(-)
diff --git a/src/external/python.m4 b/src/external/python.m4
index 440d2f97740e43c31c9a530daecb7c5ded92a0dd..e3812a50406e7f6e2b2f143f3022ee07431ac120 100644
--- a/src/external/python.m4
+++ b/src/external/python.m4
@@ -62,7 +62,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
LIBS="$LIBS $PYTHON_LIBS"
- AC_CHECK_FUNCS([PySet_Add PyErr_NewExceptionWithDoc])
+ AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc])
AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
CPPFLAGS="$save_CPPFLAGS"
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
index 58d906d138464c9f25e6b513ad41b985b510baa2..11cd40656bbeaf93c2b1717483e716ba45a78a69 100644
--- a/src/python/pyhbac.c
+++ b/src/python/pyhbac.c
@@ -388,7 +388,7 @@ HbacRuleElement_init(HbacRuleElement *self, PyObject *args, PyObject *kwargs)
return -1;
}
- if (sss_python_set_add(self->category, tmp) != 0) {
+ if (PySet_Add(self->category, tmp) != 0) {
Py_DECREF(tmp);
return -1;
}
@@ -962,7 +962,7 @@ py_hbac_rule_validate(HbacRuleObject *self, PyObject *args)
goto fail;
}
- if (sss_python_set_add(py_missing, py_attr) != 0) {
+ if (PySet_Add(py_missing, py_attr) != 0) {
/* If the set-add succeeded, it would steal the reference */
Py_DECREF(py_attr);
goto fail;
diff --git a/src/util/sss_python.c b/src/util/sss_python.c
index dad2a46d86f4243fb4a2d1fad94e49f66db23f0c..56850782a64314db70286ef67d76ae1227d8625f 100644
--- a/src/util/sss_python.c
+++ b/src/util/sss_python.c
@@ -21,23 +21,6 @@
#include "src/util/sss_python.h"
#include "config.h"
-int
-sss_python_set_add(PyObject *set, PyObject *key)
-{
-#ifdef HAVE_PYSET_ADD
- return PySet_Add(set, key);
-#else
- PyObject *pyret;
- int ret;
-
- pyret = PyObject_CallMethod(set, sss_py_const_p(char, "add"),
- sss_py_const_p(char, "O"), key);
- ret = (pyret == NULL) ? -1 : 0;
- Py_XDECREF(pyret);
- return ret;
-#endif
-}
-
bool
sss_python_set_check(PyObject *set)
{
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
index 6851a64e816ccf3bb84321bbeb9946ad2fbfbc41..1ff13c4ef4380ff791cf3cfbe12845fb26b3b873 100644
--- a/src/util/sss_python.h
+++ b/src/util/sss_python.h
@@ -26,7 +26,6 @@
#endif
/* Wrappers providing the subset of C API for python's set objects we use */
-int sss_python_set_add(PyObject *set, PyObject *key);
bool sss_python_set_check(PyObject *set);
/* Unicode compatibility */
--
2.4.3

79
0006-UTIL-Remove-python-wrapper-sss_python_set_check.patch
View File

@ -1,79 +0,0 @@
From 2505d3dd124f35cb9357a7082a7306925bb3ebbe Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 9 Feb 2015 19:30:39 +0100
Subject: [PATCH 06/30] UTIL: Remove python wrapper sss_python_set_check
The macro PySet_Check is defined in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/external/python.m4 | 2 +-
src/python/pyhbac.c | 2 +-
src/util/sss_python.c | 10 ----------
src/util/sss_python.h | 3 ---
4 files changed, 2 insertions(+), 15 deletions(-)
diff --git a/src/external/python.m4 b/src/external/python.m4
index e3812a50406e7f6e2b2f143f3022ee07431ac120..e93f850092b0f54565e138b3235b9c29f89e5444 100644
--- a/src/external/python.m4
+++ b/src/external/python.m4
@@ -63,7 +63,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
LIBS="$LIBS $PYTHON_LIBS"
AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc])
- AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
+ AC_CHECK_DECLS([PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
CPPFLAGS="$save_CPPFLAGS"
LIBS="$save_LIBS"
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
index 11cd40656bbeaf93c2b1717483e716ba45a78a69..bbdf2b9fb75e2be0d46749faa6aaf0698a5d5ebb 100644
--- a/src/python/pyhbac.c
+++ b/src/python/pyhbac.c
@@ -452,7 +452,7 @@ hbac_rule_element_set_category(HbacRuleElement *self,
CHECK_ATTRIBUTE_DELETE(category, "category");
- if (!sss_python_set_check(category)) {
+ if (!PySet_Check(category)) {
PyErr_Format(PyExc_TypeError, "The category must be a set type\n");
return -1;
}
diff --git a/src/util/sss_python.c b/src/util/sss_python.c
index 56850782a64314db70286ef67d76ae1227d8625f..ba78bf9689c903713229395a49e5f3686e5e6f10 100644
--- a/src/util/sss_python.c
+++ b/src/util/sss_python.c
@@ -21,16 +21,6 @@
#include "src/util/sss_python.h"
#include "config.h"
-bool
-sss_python_set_check(PyObject *set)
-{
-#if HAVE_DECL_PYSET_CHECK
- return PySet_Check(set);
-#else
- return PyObject_TypeCheck(set, &PySet_Type);
-#endif
-}
-
PyObject *
sss_python_unicode_from_string(const char *u)
{
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
index 1ff13c4ef4380ff791cf3cfbe12845fb26b3b873..56c25ebb74bffc061688c3c32515d6e0288ac94d 100644
--- a/src/util/sss_python.h
+++ b/src/util/sss_python.h
@@ -25,9 +25,6 @@
#define PYNUMBER_ASLONG(what) PyInt_AsLong(what)
#endif
-/* Wrappers providing the subset of C API for python's set objects we use */
-bool sss_python_set_check(PyObject *set);
-
/* Unicode compatibility */
PyObject *sss_python_unicode_from_string(const char *u);
--
2.4.3

45
0007-UTIL-Remove-compatibility-macro-PyModule_AddIntMacro.patch
View File

@ -1,45 +0,0 @@
From 61311b000c5d36322a35103cee2eb304875d235f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 9 Feb 2015 19:33:44 +0100
Subject: [PATCH 07/30] UTIL: Remove compatibility macro PyModule_AddIntMacro
The macro PyModule_AddIntMacro is defined in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/external/python.m4 | 2 +-
src/util/sss_python.h | 5 -----
2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/external/python.m4 b/src/external/python.m4
index e93f850092b0f54565e138b3235b9c29f89e5444..ac427268d4ff8828314cefb43ce2af72d34bc295 100644
--- a/src/external/python.m4
+++ b/src/external/python.m4
@@ -63,7 +63,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
LIBS="$LIBS $PYTHON_LIBS"
AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc])
- AC_CHECK_DECLS([PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include <Python.h>]])
+ AC_CHECK_DECLS([PyUnicode_FromString], [], [], [[#include <Python.h>]])
CPPFLAGS="$save_CPPFLAGS"
LIBS="$save_LIBS"
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
index 56c25ebb74bffc061688c3c32515d6e0288ac94d..5521aa5cfd84acffc65edbe76a264b1f2a52e9fd 100644
--- a/src/util/sss_python.h
+++ b/src/util/sss_python.h
@@ -32,11 +32,6 @@ PyObject *sss_python_unicode_from_string(const char *u);
PyObject *
sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict);
-/* PyModule_AddIntMacro() compatibility */
-#if !HAVE_DECL_PYMODULE_ADDINTMACRO
-#define PyModule_AddIntMacro(m, c) PyModule_AddIntConstant(m, sss_py_const_p(char, #c), c)
-#endif
-
/* Convenience macros */
#define TYPE_READY(module, type, name) do { \
if (PyType_Ready(&type) < 0) \
--
2.4.3

160
0008-UTIL-Remove-python-wrapper-sss_python_unicode_from_s.patch
View File

@ -1,160 +0,0 @@
From 099738f89b0887a7aaaf542440383b6808ffd2db Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 9 Feb 2015 19:38:42 +0100
Subject: [PATCH 08/30] UTIL: Remove python wrapper
sss_python_unicode_from_string
The function PyUnicode_FromString is available in python >= 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/external/python.m4 | 3 +--
src/python/pyhbac.c | 18 +++++++++---------
src/util/sss_python.c | 10 ----------
src/util/sss_python.h | 3 ---
4 files changed, 10 insertions(+), 24 deletions(-)
diff --git a/src/external/python.m4 b/src/external/python.m4
index ac427268d4ff8828314cefb43ce2af72d34bc295..d59233aa01ac591cfc86be974d8ae26ebbe4635d 100644
--- a/src/external/python.m4
+++ b/src/external/python.m4
@@ -54,7 +54,7 @@ AC_DEFUN([AM_CHECK_PYTHON_HEADERS],
dnl Checks for a couple of functions we use that may not be defined
-dnl in some older python versions used e.g. on RHEL5
+dnl in some older python (< 2.6) versions used e.g. on RHEL6
AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
[AC_REQUIRE([AM_CHECK_PYTHON_HEADERS])
save_CPPFLAGS="$CPPFLAGS"
@@ -63,7 +63,6 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
LIBS="$LIBS $PYTHON_LIBS"
AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc])
- AC_CHECK_DECLS([PyUnicode_FromString], [], [], [[#include <Python.h>]])
CPPFLAGS="$save_CPPFLAGS"
LIBS="$save_LIBS"
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
index bbdf2b9fb75e2be0d46749faa6aaf0698a5d5ebb..2ccff6856b5bb5fbbb4803633ae549481ebb6035 100644
--- a/src/python/pyhbac.c
+++ b/src/python/pyhbac.c
@@ -493,7 +493,7 @@ HbacRuleElement_repr(HbacRuleElement *self)
uint32_t category;
PyObject *o, *format, *args;
- format = sss_python_unicode_from_string("<category %lu names [%s] groups [%s]>");
+ format = PyUnicode_FromString("<category %lu names [%s] groups [%s]>");
if (format == NULL) {
return NULL;
}
@@ -651,7 +651,7 @@ HbacRule_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
return NULL;
}
- self->name = sss_python_unicode_from_string("");
+ self->name = PyUnicode_FromString("");
if (self->name == NULL) {
Py_DECREF(self);
PyErr_NoMemory();
@@ -869,7 +869,7 @@ HbacRule_repr(HbacRuleObject *self)
PyObject *srchosts_repr;
PyObject *o, *format, *args;
- format = sss_python_unicode_from_string("<name %s enabled %d "
+ format = PyUnicode_FromString("<name %s enabled %d "
"users %s services %s "
"targethosts %s srchosts %s>");
if (format == NULL) {
@@ -1149,7 +1149,7 @@ HbacRequestElement_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
return NULL;
}
- self->name = sss_python_unicode_from_string("");
+ self->name = PyUnicode_FromString("");
if (self->name == NULL) {
PyErr_NoMemory();
Py_DECREF(self);
@@ -1291,7 +1291,7 @@ HbacRequestElement_repr(HbacRequestElement *self)
char *strgroups;
PyObject *o, *format, *args;
- format = sss_python_unicode_from_string("<name %s groups [%s]>");
+ format = PyUnicode_FromString("<name %s groups [%s]>");
if (format == NULL) {
return NULL;
}
@@ -1609,7 +1609,7 @@ py_hbac_evaluate(HbacRequest *self, PyObject *args)
eres = hbac_evaluate(rules, hbac_req, &info);
switch (eres) {
case HBAC_EVAL_ALLOW:
- self->rule_name = sss_python_unicode_from_string(info->rule_name);
+ self->rule_name = PyUnicode_FromString(info->rule_name);
if (!self->rule_name) {
PyErr_NoMemory();
goto fail;
@@ -1662,7 +1662,7 @@ HbacRequest_repr(HbacRequest *self)
PyObject *srchost_repr;
PyObject *o, *format, *args;
- format = sss_python_unicode_from_string("<user %s service %s "
+ format = PyUnicode_FromString("<user %s service %s "
"targethost %s srchost %s>");
if (format == NULL) {
return NULL;
@@ -1853,7 +1853,7 @@ py_hbac_result_string(PyObject *module, PyObject *args)
return Py_None;
}
- return sss_python_unicode_from_string(str);
+ return PyUnicode_FromString(str);
}
PyDoc_STRVAR(py_hbac_error_string__doc__,
@@ -1877,7 +1877,7 @@ py_hbac_error_string(PyObject *module, PyObject *args)
return Py_None;
}
- return sss_python_unicode_from_string(str);
+ return PyUnicode_FromString(str);
}
static PyMethodDef pyhbac_module_methods[] = {
diff --git a/src/util/sss_python.c b/src/util/sss_python.c
index ba78bf9689c903713229395a49e5f3686e5e6f10..560effc26d474bdb367784083cb354bb57ead412 100644
--- a/src/util/sss_python.c
+++ b/src/util/sss_python.c
@@ -22,16 +22,6 @@
#include "config.h"
PyObject *
-sss_python_unicode_from_string(const char *u)
-{
-#ifdef HAVE_PYUNICODE_FROMSTRING
- return PyUnicode_FromString(u);
-#else
- return PyUnicode_DecodeUTF8(u, strlen(u), NULL);
-#endif
-}
-
-PyObject *
sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict)
{
#ifdef HAVE_PYERR_NEWEXCEPTIONWITHDOC
diff --git a/src/util/sss_python.h b/src/util/sss_python.h
index 5521aa5cfd84acffc65edbe76a264b1f2a52e9fd..7e2bac33656dcbac91bb4f4d32ec9fbc44bb4e52 100644
--- a/src/util/sss_python.h
+++ b/src/util/sss_python.h
@@ -25,9 +25,6 @@
#define PYNUMBER_ASLONG(what) PyInt_AsLong(what)
#endif
-/* Unicode compatibility */
-PyObject *sss_python_unicode_from_string(const char *u);
-
/* Exceptions compatibility */
PyObject *
sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict);
--
2.4.3

133
0009-BUILD-Use-python-config-for-detection-FLAGS.patch
View File

@ -1,133 +0,0 @@
From c0f7ae30d0b2b5d394d9cca88e7487ddc6394555 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 10 Feb 2015 16:14:59 +0100
Subject: [PATCH 09/30] BUILD: Use python-config for detection *FLAGS
The script python-config was not available in older versions of python.
This patch simplify detection of python CFLAGS and LDFLAGS and increase
minimal required version of python to 2.6
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
configure.ac | 6 +++--
src/external/python.m4 | 63 +++++++++++++++++++++++++-------------------------
2 files changed, 36 insertions(+), 33 deletions(-)
diff --git a/configure.ac b/configure.ac
index cdbe6f9bff3822bb80d8d43b593e02c39d729f64..f72e448528edcffb855504a38a179c400f98ac42 100644
--- a/configure.ac
+++ b/configure.ac
@@ -248,11 +248,13 @@ AM_CONDITIONAL([HAVE_MANPAGES], [test "x$HAVE_MANPAGES" != "x"])
AM_CONDITIONAL([HAVE_PO4A], [test "x$PO4A" != "xno"])
if test x$HAVE_PYTHON_BINDINGS != x; then
- AM_PATH_PYTHON([2.4])
+ AM_PATH_PYTHON([2.6])
+ AM_PYTHON_CONFIG([python])
AM_CHECK_PYTHON_HEADERS([],
AC_MSG_ERROR([Could not find python headers]))
- AM_PYTHON_CONFIG
AM_CHECK_PYTHON_COMPAT
+ AC_SUBST([PYTHON_CFLAGS])
+ AC_SUBST([PYTHON_LIBS])
fi
if test x$HAVE_SELINUX != x; then
diff --git a/src/external/python.m4 b/src/external/python.m4
index d59233aa01ac591cfc86be974d8ae26ebbe4635d..c91e8df17b0371538f02bfeb9cade1ce639074bd 100644
--- a/src/external/python.m4
+++ b/src/external/python.m4
@@ -1,46 +1,33 @@
dnl Check for python-config and substitute needed CFLAGS and LDFLAGS
dnl Usage:
-dnl AM_PYTHON_CONFIG
+dnl AM_PYTHON_CONFIG(python_with_major_version)
+dnl argument python_with_major_version should be either python2 or python3
+dnl This function sets the PYTHON_CFLAGS, PYTHON_LIBS and PYTHON_INCLUDES
+dnl variables
AC_DEFUN([AM_PYTHON_CONFIG],
-[ AC_SUBST(PYTHON_CFLAGS)
- AC_SUBST(PYTHON_LIBS)
+[
+ AC_PATH_PROG([PYTHON_CONFIG], [python$PYTHON_VERSION-config])
+ AS_IF([test x"$PYTHON_CONFIG" = x],
+ AC_MSG_ERROR([
+The program python$PYTHON_VERSION-config was not found in search path.
+Please ensure that it is installed and its directory is included in the search
+path. If you want to build sssd without $1 bindings then specify
+--without-$1-bindings when running configure.]))
-dnl We need to check for python build flags using distutils.sysconfig
-dnl We cannot use python-config, as it was not available on older
-dnl versions of python
- AC_PATH_PROG(PYTHON, python)
- AC_MSG_CHECKING([for working python])
- if test -x "$PYTHON"; then
- PYTHON_CFLAGS="`$PYTHON -c \"from distutils import sysconfig; \
- print('-I' + sysconfig.get_python_inc() + \
- ' -I' + sysconfig.get_python_inc(plat_specific=True) + ' ' + \
- sysconfig.get_config_var('BASECFLAGS'))\"`"
- PYTHON_LIBS="`$PYTHON -c \"from distutils import sysconfig; \
- print(' '.join(sysconfig.get_config_var('LIBS').split() + \
- sysconfig.get_config_var('SYSLIBS').split()) + \
- ' ' + sysconfig.get_config_var('BLDLIBRARY') + ' ' + \
- ' -L' + sysconfig.get_config_var('LIBDIR'))\"`"
- AC_MSG_RESULT([yes])
- else
- AC_MSG_RESULT([no])
- AC_MSG_ERROR([Please install python devel package])
- fi
+ PYTHON_CFLAGS="` $PYTHON_CONFIG --cflags`"
+ PYTHON_LIBS="` $PYTHON_CONFIG --libs`"
+ PYTHON_INCLUDES="` $PYTHON_CONFIG --includes`"
])
dnl Taken from GNOME sources
dnl a macro to check for ability to create python extensions
dnl AM_CHECK_PYTHON_HEADERS([ACTION-IF-POSSIBLE], [ACTION-IF-NOT-POSSIBLE])
-dnl function also defines PYTHON_INCLUDES
AC_DEFUN([AM_CHECK_PYTHON_HEADERS],
-[AC_REQUIRE([AM_PATH_PYTHON])
+[
+ AC_REQUIRE([AM_PATH_PYTHON])
AC_MSG_CHECKING(for headers required to compile python extensions)
- dnl deduce PYTHON_INCLUDES
- PYTHON_INCLUDES=-I`$PYTHON -c "from distutils import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"`
-
- AC_SUBST(PYTHON_INCLUDES)
-
dnl check if the headers exist:
save_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
@@ -56,7 +43,8 @@ AC_DEFUN([AM_CHECK_PYTHON_HEADERS],
dnl Checks for a couple of functions we use that may not be defined
dnl in some older python (< 2.6) versions used e.g. on RHEL6
AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
-[AC_REQUIRE([AM_CHECK_PYTHON_HEADERS])
+[
+ AC_REQUIRE([AM_CHECK_PYTHON_HEADERS])
save_CPPFLAGS="$CPPFLAGS"
save_LIBS="$LIBS"
CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
@@ -67,3 +55,16 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT],
CPPFLAGS="$save_CPPFLAGS"
LIBS="$save_LIBS"
])
+
+dnl Clean variables after detection of python
+AC_DEFUN([SSS_CLEAN_PYTHON_VARIABLES],
+[
+ unset pyexecdir pkgpyexecdir pythondir pgkpythondir
+ unset PYTHON PYTHON_CFLAGS PYTHON_LIBS PYTHON_INCLUDES
+ unset PYTHON_PREFIX PYTHON_EXEC_PREFIX PYTHON_VERSION PYTHON_CONFIG
+
+ dnl removed cached variables, required for reusing of AM_PATH_PYTHON
+ unset am_cv_pathless_PYTHON ac_cv_path_PYTHON am_cv_python_version
+ unset am_cv_python_platform am_cv_python_pythondir am_cv_python_pyexecdir
+ unset ac_cv_path_PYTHON_CONFIG
+])
--
2.4.3

71
0010-SPEC-Use-new-convention-for-python-packages.patch
View File

@ -1,71 +0,0 @@
From 7a0b12ac7b5aa17794a97adcbde2bf0db19281a4 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 10 Feb 2015 16:33:04 +0100
Subject: [PATCH 10/30] SPEC: Use new convention for python packages
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
contrib/sssd.spec.in | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 2600438f3020abccc2bd376d274a0b251f2bcc80..c9e62b301aa9ac4109041a7a4425e13d4ad236ba 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -339,14 +339,16 @@ Requires: libipa_hbac = %{version}-%{release}
%description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization requests
-%package -n libipa_hbac-python
+%package -n python-libipa_hbac
Summary: Python bindings for the FreeIPA HBAC Evaluator library
Group: Development/Libraries
License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release}
+Provides: libipa_hbac-python = %{version}-%{release}
+Obsoletes: libipa_hbac-python < 1.12.90
-%description -n libipa_hbac-python
-The libipa_hbac-python contains the bindings so that libipa_hbac can be
+%description -n python-libipa_hbac
+The python-libipa_hbac contains the bindings so that libipa_hbac can be
used by Python applications.
%package -n libsss_nss_idmap
@@ -368,14 +370,16 @@ Requires: libsss_nss_idmap = %{version}-%{release}
%description -n libsss_nss_idmap-devel
Utility library for SID based lookups
-%package -n libsss_nss_idmap-python
+%package -n python-libsss_nss_idmap
Summary: Python bindings for libsss_nss_idmap
Group: Development/Libraries
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
+Provides: libsss_nss_idmap-python = %{version}-%{release}
+Obsoletes: libsss_nss_idmap-python < 1.12.90
-%description -n libsss_nss_idmap-python
-The libsss_nss_idmap-python contains the bindings so that libsss_nss_idmap can
+%description -n python-libsss_nss_idmap
+The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
be used by Python applications.
%package dbus
@@ -787,11 +791,11 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/libsss_nss_idmap.so
%{_libdir}/pkgconfig/sss_nss_idmap.pc
-%files -n libsss_nss_idmap-python
+%files -n python-libsss_nss_idmap
%defattr(-,root,root,-)
%{python_sitearch}/pysss_nss_idmap.so
-%files -n libipa_hbac-python
+%files -n python-libipa_hbac
%defattr(-,root,root,-)
%{python_sitearch}/pyhbac.so
--
2.4.3

83
0011-SPEC-Move-python-bindings-to-separate-packages.patch
View File

@ -1,83 +0,0 @@
From 2641bd5495cdebe2652f26bbd3a5a93013446ef2 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 10 Feb 2015 16:50:12 +0100
Subject: [PATCH 11/30] SPEC: Move python bindings to separate packages
Some pyhton bindings pysss and pysss_murmur was in package sssd-common.
Therefore package sssd-common had python as a dependency.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
contrib/sssd.spec.in | 35 +++++++++++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index c9e62b301aa9ac4109041a7a4425e13d4ad236ba..2dbcd9e40c03e46e4e132a4ef4560044e88ea853 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -196,6 +196,9 @@ Summary: Userspace tools for use with the SSSD
Group: Applications/System
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
+# required by sss_obfuscate
+Requires: python-sss = %{version}-%{release}
+Requires: python-sssdconfig = %{version}-%{release}
%description tools
Provides userspace tools for manipulating users, groups, and nested groups in
@@ -215,6 +218,28 @@ BuildArch: noarch
%description -n python-sssdconfig
Provides python files for manipulation SSSD and IPA configuration files.
+%package -n python-sss
+Summary: Python bindings for sssd
+Group: Development/Libraries
+License: LGPLv3+
+Requires: sssd-common = %{version}-%{release}
+
+%description -n python-sss
+Provides python module for manipulating users, groups, and nested groups in
+SSSD when using id_provider = local in /etc/sssd/sssd.conf.
+
+Also provides several other useful python bindings:
+ * function for retrieving list of groups user belongs to.
+ * class for obfuscation of passwords
+
+%package -n python-sss-murmur
+Summary: Python bindings for murmur hash function
+Group: Development/Libraries
+License: LGPLv3+
+
+%description -n python-sss-murmur
+Provides python module for calculating the murmur hash version 3
+
%package ldap
Summary: The LDAP back end of the SSSD
Group: Applications/System
@@ -638,8 +663,6 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sss_cache.8*
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
-%{python_sitearch}/pysss.so
-%{python_sitearch}/pysss_murmur.so
%files ldap -f sssd_ldap.lang
%defattr(-,root,root,-)
@@ -755,6 +778,14 @@ rm -rf $RPM_BUILD_ROOT
%dir %{python_sitelib}/SSSDConfig
%{python_sitelib}/SSSDConfig/*.py*
+%files -n python-sss
+%defattr(-,root,root,-)
+%{python_sitearch}/pysss.so
+
+%files -n python-sss-murmur
+%defattr(-,root,root,-)
+%{python_sitearch}/pysss_murmur.so
+
%files -n libsss_idmap
%defattr(-,root,root,-)
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
--
2.4.3

532
0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch
View File

@ -1,532 +0,0 @@
From e9e0f3a46fabc6ba9503e10dc2b685480b65a8e2 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 10 Feb 2015 17:22:03 +0100
Subject: [PATCH 12/30] BUILD: Add possibility to build python{2,3} bindings
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
Makefile.am | 196 ++++++++++++++++++++++++++++++++---------
configure.ac | 49 +++++++++--
contrib/sssd.spec.in | 4 +
src/conf_macros.m4 | 39 +++++---
src/tests/pyhbac-test.py | 22 ++++-
src/tests/pysss_murmur-test.py | 22 ++++-
6 files changed, 267 insertions(+), 65 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index bdca46a0548ddb98dde485a7786566eb623b181b..0a1511c23ce844ce9963ac33ac3daadd31bdc27e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -301,12 +301,22 @@ noinst_LTLIBRARIES =
pkglib_LTLIBRARIES =
-if BUILD_PYTHON_BINDINGS
-pyexec_LTLIBRARIES = \
- pysss.la \
- pyhbac.la \
- pysss_murmur.la \
- pysss_nss_idmap.la
+if BUILD_PYTHON2_BINDINGS
+py2exec_LTLIBRARIES = \
+ _py2sss.la \
+ _py2hbac.la \
+ _py2sss_murmur.la \
+ _py2sss_nss_idmap.la \
+ $(NULL)
+endif
+
+if BUILD_PYTHON3_BINDINGS
+py3exec_LTLIBRARIES = \
+ _py3sss.la \
+ _py3hbac.la \
+ _py3sss_murmur.la \
+ _py3sss_nss_idmap.la \
+ $(NULL)
endif
dist_noinst_SCRIPTS = \
@@ -2841,58 +2851,109 @@ sssd_pac_plugin_la_LDFLAGS = \
-avoid-version \
-module
-if BUILD_PYTHON_BINDINGS
+# python[23] bindings
pysss_la_SOURCES = \
$(SSSD_TOOLS_OBJ) \
src/python/pysss.c
-pysss_la_CFLAGS = \
- $(AM_CFLAGS) \
- $(PYTHON_CFLAGS)
-pysss_la_LIBADD = \
- $(SSSD_INTERNAL_LTLIBS) \
- $(PYTHON_BINDINGS_LIBS) \
- $(PYTHON_LIBS)
pysss_la_LDFLAGS = \
-avoid-version \
-module
+_py2sss_la_SOURCES = $(pysss_la_SOURCES)
+_py2sss_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON2_CFLAGS)
+_py2sss_la_LIBADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(PYTHON_BINDINGS_LIBS) \
+ $(PYTHON2_LIBS)
+_py2sss_la_LDFLAGS = $(pysss_la_LDFLAGS)
+
+_py3sss_la_SOURCES = $(pysss_la_SOURCES)
+_py3sss_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON3_CFLAGS)
+_py3sss_la_LIBADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(PYTHON_BINDINGS_LIBS) \
+ $(PYTHON3_LIBS)
+_py3sss_la_LDFLAGS = $(pysss_la_LDFLAGS)
+
+
pyhbac_la_SOURCES = \
src/python/pyhbac.c \
src/util/sss_python.c
-pyhbac_la_CFLAGS = \
- $(AM_CFLAGS) \
- $(PYTHON_CFLAGS)
-pyhbac_la_LIBADD = \
- $(PYTHON_LIBS) \
- libipa_hbac.la
pyhbac_la_LDFLAGS = \
-avoid-version \
-module
+_py2hbac_la_SOURCES = $(pyhbac_la_SOURCES)
+_py2hbac_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON2_CFLAGS)
+_py2hbac_la_LIBADD = \
+ $(PYTHON2_LIBS) \
+ libipa_hbac.la
+_py2hbac_la_LDFLAGS = $(pyhbac_la_LDFLAGS)
+
+_py3hbac_la_SOURCES = $(pyhbac_la_SOURCES)
+_py3hbac_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON3_CFLAGS)
+_py3hbac_la_LIBADD = \
+ $(PYTHON3_LIBS) \
+ libipa_hbac.la
+_py3hbac_la_LDFLAGS = $(pyhbac_la_LDFLAGS)
+
+
pysss_murmur_la_SOURCES = \
src/python/pysss_murmur.c \
src/util/murmurhash3.c
-pysss_murmur_la_CFLAGS = \
- $(AM_CFLAGS) \
- $(PYTHON_CFLAGS)
-pysss_murmur_la_LIBADD = \
- $(PYTHON_LIBS)
pysss_murmur_la_LDFLAGS = \
-avoid-version \
-module
+_py2sss_murmur_la_SOURCES = $(pysss_murmur_la_SOURCES)
+_py2sss_murmur_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON2_CFLAGS)
+_py2sss_murmur_la_LIBADD = \
+ $(PYTHON2_LIBS)
+_py2sss_murmur_la_LDFLAGS = $(pysss_murmur_la_LDFLAGS)
+
+_py3sss_murmur_la_SOURCES = $(pysss_murmur_la_SOURCES)
+_py3sss_murmur_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON3_CFLAGS)
+_py3sss_murmur_la_LIBADD = \
+ $(PYTHON3_LIBS)
+_py3sss_murmur_la_LDFLAGS = $(pysss_murmur_la_LDFLAGS)
+
+
pysss_nss_idmap_la_SOURCES = \
src/python/pysss_nss_idmap.c
-pysss_nss_idmap_la_CFLAGS = \
- $(AM_CFLAGS) \
- $(PYTHON_CFLAGS)
-pysss_nss_idmap_la_LIBADD = \
- $(PYTHON_LIBS) \
- libsss_nss_idmap.la
pysss_nss_idmap_la_LDFLAGS = \
-avoid-version \
-module
-endif
+
+_py2sss_nss_idmap_la_SOURCES = $(pysss_nss_idmap_la_SOURCES)
+_py2sss_nss_idmap_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON2_CFLAGS)
+_py2sss_nss_idmap_la_LIBADD = \
+ $(PYTHON2_LIBS) \
+ libsss_nss_idmap.la
+_py2sss_nss_idmap_la_LDFLAGS = $(pysss_nss_idmap_la_LDFLAGS)
+
+_py3sss_nss_idmap_la_SOURCES = $(pysss_nss_idmap_la_SOURCES)
+_py3sss_nss_idmap_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON3_CFLAGS)
+_py3sss_nss_idmap_la_LIBADD = \
+ $(PYTHON3_LIBS) \
+ libsss_nss_idmap.la
+_py3sss_nss_idmap_la_LDFLAGS = $(pysss_nss_idmap_la_LDFLAGS)
+# end of python[23] bindings
if BUILD_CIFS_IDMAP_PLUGIN
cifs_idmap_sss_la_SOURCES = \
@@ -3054,17 +3115,51 @@ SSSSCONFIG_MODULES =
endif
all-local: ldb_mod_test_dir $(SSSDCONFIG_MODULES)
-if BUILD_PYTHON_BINDINGS
- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config
+if BUILD_PYTHON2_BINDINGS
+ cd $(builddir)/src/config; \
+ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config
+endif
+if BUILD_PYTHON3_BINDINGS
+ cd $(builddir)/src/config; \
+ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config
endif
install-exec-hook: installsssddirs
-if BUILD_PYTHON_BINDINGS
+if BUILD_PYTHON2_BINDINGS
if [ "$(DESTDIR)" = "" ]; then \
- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config install $(DISTSETUPOPTS) --prefix=$(PYTHON_PREFIX) --record=$(abs_builddir)/src/config/.files; \
+ cd $(builddir)/src/config; \
+ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config \
+ install $(DISTSETUPOPTS) --prefix=$(PYTHON2_PREFIX) \
+ --record=$(abs_builddir)/src/config/.files2; \
else \
- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config install $(DISTSETUPOPTS) --prefix=$(PYTHON_PREFIX) --root=$(DESTDIR) --record=$(abs_builddir)/src/config/.files; \
+ cd $(builddir)/src/config; \
+ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config \
+ install $(DISTSETUPOPTS) --prefix=$(PYTHON2_PREFIX) \
+ --record=$(abs_builddir)/src/config/.files2 --root=$(DESTDIR); \
fi
+ cd $(DESTDIR)$(py2execdir) && \
+ $(LN_S) _py2sss.so pysss.so ; \
+ $(LN_S) _py2hbac.so pyhbac.so ; \
+ $(LN_S) _py2sss_murmur.so pysss_murmur.so ; \
+ $(LN_S) _py2sss_nss_idmap.so pysss_nss_idmap.so
+endif
+if BUILD_PYTHON3_BINDINGS
+ if [ "$(DESTDIR)" = "" ]; then \
+ cd $(builddir)/src/config; \
+ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config \
+ install $(DISTSETUPOPTS) --prefix=$(PYTHON3_PREFIX) \
+ --record=$(abs_builddir)/src/config/.files3; \
+ else \
+ cd $(builddir)/src/config; \
+ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config \
+ install $(DISTSETUPOPTS) --prefix=$(PYTHON3_PREFIX) \
+ --record=$(abs_builddir)/src/config/.files3 --root=$(DESTDIR); \
+ fi
+ cd $(DESTDIR)$(py3execdir) && \
+ $(LN_S) _py3sss.so pysss.so ; \
+ $(LN_S) _py3hbac.so pyhbac.so ; \
+ $(LN_S) _py3sss_murmur.so pysss_murmur.so ; \
+ $(LN_S) _py3sss_nss_idmap.so pysss_nss_idmap.so
endif
for doc in $(SSSD_DOCS); do \
$(MKDIR_P) $$doc $(DESTDIR)/$(docdir); \
@@ -3100,16 +3195,20 @@ install-data-hook:
fi
uninstall-hook:
- if [ -f $(abs_builddir)/src/config/.files ]; then \
- cat $(abs_builddir)/src/config/.files | xargs -iq rm -f $(DESTDIR)/q; \
- rm $(abs_builddir)/src/config/.files ; \
+ if [ -f $(abs_builddir)/src/config/.files2 ]; then \
+ cat $(abs_builddir)/src/config/.files2 | xargs -iq rm -f $(DESTDIR)/q; \
+ rm $(abs_builddir)/src/config/.files2 ; \
+ fi
+ if [ -f $(abs_builddir)/src/config/.files3 ]; then \
+ cat $(abs_builddir)/src/config/.files3 | xargs -iq rm -f $(DESTDIR)/q; \
+ rm $(abs_builddir)/src/config/.files3 ; \
fi
for doc in $(SSSD_DOCS); do \
rm -Rf $(DESTDIR)/$(docdir)/$$doc; \
done;
clean-local:
-if BUILD_PYTHON_BINDINGS
+if BUILD_PYTHON2_BINDINGS
if [ ! $(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \
rm -f $(builddir)/src/config/SSSDConfig/ipachangeconf.py ; \
fi
@@ -3120,7 +3219,20 @@ if BUILD_PYTHON_BINDINGS
rm -f $(builddir)/src/config/SSSDConfig/*.pyc
- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config clean --all
+ cd $(builddir)/src/config; $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config clean --all
+endif
+if BUILD_PYTHON3_BINDINGS
+ if [ ! $(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \
+ rm -f $(builddir)/src/config/SSSDConfig/ipachangeconf.py ; \
+ fi
+
+ if [ ! $(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \
+ rm -f $(builddir)/src/config/SSSDConfig/sssd_upgrade_config.py ; \
+ fi
+
+ rm -f $(builddir)/src/config/SSSDConfig/__pycache__/*.pyc
+
+ cd $(builddir)/src/config; $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config clean --all
endif
for doc in $(SSSD_DOCS); do \
rm -Rf $$doc; \
diff --git a/configure.ac b/configure.ac
index f72e448528edcffb855504a38a179c400f98ac42..e30405f3a17ffd2c9899b6eb17af85ec9bc15234 100644
--- a/configure.ac
+++ b/configure.ac
@@ -117,7 +117,8 @@ WITH_KRB5_PLUGIN_PATH
WITH_KRB5_RCACHE_DIR
WITH_KRB5AUTHDATA_PLUGIN_PATH
WITH_KRB5_CONF
-WITH_PYTHON_BINDINGS
+WITH_PYTHON2_BINDINGS
+WITH_PYTHON3_BINDINGS
WITH_CIFS_PLUGIN_PATH
WITH_SELINUX
WITH_NSCD
@@ -247,16 +248,52 @@ AM_CONDITIONAL([HAVE_PROFILE_CATALOGS], [test "x$HAVE_PROFILE_CATALOGS" != "x"])
AM_CONDITIONAL([HAVE_MANPAGES], [test "x$HAVE_MANPAGES" != "x"])
AM_CONDITIONAL([HAVE_PO4A], [test "x$PO4A" != "xno"])
-if test x$HAVE_PYTHON_BINDINGS != x; then
+if test x$HAVE_PYTHON2_BINDINGS = x1; then
+ AC_PATH_PROG(PYTHON2, python2)
+ PYTHON=$PYTHON2
AM_PATH_PYTHON([2.6])
- AM_PYTHON_CONFIG([python])
+ AM_PYTHON_CONFIG([python2])
AM_CHECK_PYTHON_HEADERS([],
- AC_MSG_ERROR([Could not find python headers]))
+ AC_MSG_ERROR([Could not find python2 headers]))
AM_CHECK_PYTHON_COMPAT
- AC_SUBST([PYTHON_CFLAGS])
- AC_SUBST([PYTHON_LIBS])
+
+ AC_SUBST([py2execdir], [$pyexecdir])
+ AC_SUBST([python2dir], [$pythondir])
+ AC_SUBST([PYTHON2_CFLAGS], [$PYTHON_CFLAGS])
+ AC_SUBST([PYTHON2_LIBS], [$PYTHON_LIBS])
+ AC_SUBST([PYTHON2_INCLUDES], [$PYTHON_INCLUDES])
+ AC_SUBST([PYTHON2_VERSION], [$PYTHON_VERSION])
+ AC_SUBST([PYTHON2_PREFIX], [$PYTHON_PREFIX])
+ AC_SUBST([PYTHON2_EXEC_PREFIX], [$PYTHON_EXEC_PREFIX])
+
+ SSS_CLEAN_PYTHON_VARIABLES
fi
+if test x$HAVE_PYTHON3_BINDINGS = x1; then
+ AC_PATH_PROG(PYTHON3, python3)
+ PYTHON=$PYTHON3
+ AM_PATH_PYTHON([3.3])
+ AM_PYTHON_CONFIG([python3])
+ AM_CHECK_PYTHON_HEADERS([],
+ AC_MSG_ERROR([Could not find python3 headers]))
+ AM_CHECK_PYTHON_COMPAT
+
+ AC_SUBST([py3execdir], [$pyexecdir])
+ AC_SUBST([python3dir], [$pythondir])
+ AC_SUBST([PYTHON3_CFLAGS], [$PYTHON_CFLAGS])
+ AC_SUBST([PYTHON3_LIBS], [$PYTHON_LIBS])
+ AC_SUBST([PYTHON3_INCLUDES], [$PYTHON_INCLUDES])
+ AC_SUBST([PYTHON3_VERSION], [$PYTHON_VERSION])
+ AC_SUBST([PYTHON3_PREFIX], [$PYTHON_PREFIX])
+ AC_SUBST([PYTHON3_EXEC_PREFIX], [$PYTHON_EXEC_PREFIX])
+
+ SSS_CLEAN_PYTHON_VARIABLES
+fi
+
+AM_CONDITIONAL([BUILD_PYTHON_BINDINGS],
+ [test x"$with_python2_bindings" = xyes \
+ -o x"$with_python3_bindings" = xyes])
+
if test x$HAVE_SELINUX != x; then
AM_CHECK_SELINUX
AM_CHECK_SELINUX_LOGIN_DIR
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 2dbcd9e40c03e46e4e132a4ef4560044e88ea853..c50eebd193de5815eca55824670a319603b54501 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -781,10 +781,12 @@ rm -rf $RPM_BUILD_ROOT
%files -n python-sss
%defattr(-,root,root,-)
%{python_sitearch}/pysss.so
+%{python_sitearch}/_py2sss.so
%files -n python-sss-murmur
%defattr(-,root,root,-)
%{python_sitearch}/pysss_murmur.so
+%{python_sitearch}/_py2sss_murmur.so
%files -n libsss_idmap
%defattr(-,root,root,-)
@@ -825,10 +827,12 @@ rm -rf $RPM_BUILD_ROOT
%files -n python-libsss_nss_idmap
%defattr(-,root,root,-)
%{python_sitearch}/pysss_nss_idmap.so
+%{python_sitearch}/_py2sss_nss_idmap.so
%files -n python-libipa_hbac
%defattr(-,root,root,-)
%{python_sitearch}/pyhbac.so
+%{python_sitearch}/_py2hbac.so
%files libwbclient
%defattr(-,root,root,-)
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 86ecc446b4e27196298456b0dd63ab5516442c3b..48d1e6e7d6d1189c86d626a4509d919143aa6821 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -360,21 +360,38 @@ AC_DEFUN([WITH_KRB5_CONF],
AC_DEFINE_UNQUOTED([KRB5_CONF_PATH], ["$KRB5_CONF_PATH"], [KRB5 configuration file])
])
-AC_DEFUN([WITH_PYTHON_BINDINGS],
- [ AC_ARG_WITH([python-bindings],
- [AC_HELP_STRING([--with-python-bindings],
- [Whether to build python bindings [yes]]
- )
+AC_DEFUN([WITH_PYTHON2_BINDINGS],
+ [ AC_ARG_WITH([python2-bindings],
+ [AC_HELP_STRING([--with-python2-bindings],
+ [Whether to build python2 bindings [yes]])
],
[],
- with_python_bindings=yes
+ [with_python2_bindings=yes]
)
- if test x"$with_python_bindings" = xyes; then
- HAVE_PYTHON_BINDINGS=1
- AC_SUBST(HAVE_PYTHON_BINDINGS)
- AC_DEFINE_UNQUOTED(HAVE_PYTHON_BINDINGS, 1, [Build with python bindings])
+ if test x"$with_python2_bindings" = xyes; then
+ AC_SUBST([HAVE_PYTHON2_BINDINGS], [1])
+ AC_DEFINE_UNQUOTED([HAVE_PYTHON2_BINDINGS], [1],
+ [Build with python2 bindings])
fi
- AM_CONDITIONAL([BUILD_PYTHON_BINDINGS], [test x"$with_python_bindings" = xyes])
+ AM_CONDITIONAL([BUILD_PYTHON2_BINDINGS],
+ [test x"$with_python2_bindings" = xyes])
+ ])
+
+AC_DEFUN([WITH_PYTHON3_BINDINGS],
+ [ AC_ARG_WITH([python3-bindings],
+ [AC_HELP_STRING([--with-python3-bindings],
+ [Whether to build python3 bindings [yes]])
+ ],
+ [],
+ [with_python3_bindings=no]
+ )
+ if test x"$with_python3_bindings" = xyes; then
+ AC_SUBST([HAVE_PYTHON3_BINDINGS], [1])
+ AC_DEFINE_UNQUOTED([HAVE_PYTHON3_BINDINGS], [1],
+ [Build with python3 bindings])
+ fi
+ AM_CONDITIONAL([BUILD_PYTHON3_BINDINGS],
+ [test x"$with_python3_bindings" = xyes])
])
AC_DEFUN([WITH_SELINUX],
diff --git a/src/tests/pyhbac-test.py b/src/tests/pyhbac-test.py
index 0abc5703dedb2466b4d99718b5b524951b8af95c..83958d7bffcccea375c79166ee7dfca6f9956cff 100755
--- a/src/tests/pyhbac-test.py
+++ b/src/tests/pyhbac-test.py
@@ -6,10 +6,9 @@ import sys
import os
import copy
import sys
+import errno
-srcdir = os.getenv('builddir')
-if not srcdir:
- srcdir = "."
+srcdir = os.getenv('builddir') or "."
MODPATH = srcdir + "/.libs" #FIXME - is there a way to get this from libtool?
if sys.version_info[0] > 2:
@@ -41,6 +40,23 @@ class PyHbacImport(unittest.TestCase):
def testImport(self):
" Import the module and assert it comes from tree "
try:
+ cwd_backup = os.getcwd()
+
+ try:
+ os.unlink(MODPATH + "/pyhbac.so")
+ except OSError as e:
+ if e.errno == errno.ENOENT:
+ pass
+ else:
+ raise e
+
+ os.chdir(MODPATH)
+ if sys.version_info[0] > 2:
+ os.symlink("_py3hbac.so", "pyhbac.so")
+ else:
+ os.symlink("_py2hbac.so", "pyhbac.so")
+ os.chdir(cwd_backup)
+
import pyhbac
except ImportError as e:
print("Could not load the pyhbac module. Please check if it is compiled", file=sys.stderr)
diff --git a/src/tests/pysss_murmur-test.py b/src/tests/pysss_murmur-test.py
index 0b28f45e67cb4b033516a585867085dba7b412e6..faa8bb2d33b9d94d380b8f7045ba45aa06ac4793 100755
--- a/src/tests/pysss_murmur-test.py
+++ b/src/tests/pysss_murmur-test.py
@@ -23,10 +23,9 @@ import unittest
import sys
import os
import copy
+import errno
-srcdir = os.getenv('builddir')
-if not srcdir:
- srcdir = "."
+srcdir = os.getenv('builddir') or "."
MODPATH = srcdir + "/.libs" #FIXME - is there a way to get this from libtool?
def compat_assertItemsEqual(this, expected_seq, actual_seq, msg=None):
@@ -57,6 +56,23 @@ class PySssMurmurImport(unittest.TestCase):
def testImport(self):
" Import the module and assert it comes from tree "
try:
+ cwd_backup = os.getcwd()
+
+ try:
+ os.unlink(MODPATH + "/pysss_murmur.so")
+ except OSError as e:
+ if e.errno == errno.ENOENT:
+ pass
+ else:
+ raise e
+
+ os.chdir(MODPATH)
+ if sys.version_info[0] > 2:
+ os.symlink("_py3sss_murmur.so", "pysss_murmur.so")
+ else:
+ os.symlink("_py2sss_murmur.so", "pysss_murmur.so")
+ os.chdir(cwd_backup)
+
import pysss_murmur
except ImportError as e:
print("Could not load the pysss_murmur module. Please check if it is compiled", file=sys.stderr)
--
2.4.3

146
0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch
View File

@ -1,146 +0,0 @@
From 72574d55a5604900cee99a0ea578abde33e9ad6b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 23 Feb 2015 22:56:55 +0100
Subject: [PATCH 13/30] TESTS: Run python tests with all supported python
versions
This patch add simple bash wrappers for python tests.
They are executed either with python2 or python3.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
Makefile.am | 23 ++++++++++++++++++-----
src/config/SSSDConfigTest.py2.sh | 5 +++++
src/config/SSSDConfigTest.py3.sh | 5 +++++
src/tests/pyhbac-test.py2.sh | 5 +++++
src/tests/pyhbac-test.py3.sh | 5 +++++
src/tests/pysss_murmur-test.py2.sh | 5 +++++
src/tests/pysss_murmur-test.py3.sh | 5 +++++
7 files changed, 48 insertions(+), 5 deletions(-)
create mode 100755 src/config/SSSDConfigTest.py2.sh
create mode 100755 src/config/SSSDConfigTest.py3.sh
create mode 100755 src/tests/pyhbac-test.py2.sh
create mode 100755 src/tests/pyhbac-test.py3.sh
create mode 100755 src/tests/pysss_murmur-test.py2.sh
create mode 100755 src/tests/pysss_murmur-test.py3.sh
diff --git a/Makefile.am b/Makefile.am
index 0a1511c23ce844ce9963ac33ac3daadd31bdc27e..7aa44d7dfc3a01334d6d4e68c96095df66dee324 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -250,13 +250,20 @@ endif # HAVE_CMOCKA
PYTHON_TESTS =
-if BUILD_PYTHON_BINDINGS
-PYTHON_TESTS += src/config/SSSDConfigTest.py \
- src/tests/pyhbac-test.py \
- src/tests/pysss_murmur-test.py
+if BUILD_PYTHON2_BINDINGS
+PYTHON_TESTS += src/config/SSSDConfigTest.py2.sh \
+ src/tests/pyhbac-test.py2.sh \
+ src/tests/pysss_murmur-test.py2.sh \
+ $(NULL)
+endif
+if BUILD_PYTHON3_BINDINGS
+PYTHON_TESTS += src/config/SSSDConfigTest.py3.sh \
+ src/tests/pyhbac-test.py3.sh \
+ src/tests/pysss_murmur-test.py3.sh \
+ $(NULL)
endif
-TEST_EXTENSIONS = .py
+TEST_EXTENSIONS = .sh
TESTS = \
$(PYTHON_TESTS) \
$(non_interactive_cmocka_based_tests) \
@@ -325,6 +332,8 @@ dist_noinst_SCRIPTS = \
src/config/SSSDConfig/ipachangeconf.py \
src/config/SSSDConfig/__init__.py \
src/config/SSSDConfigTest.py \
+ src/config/SSSDConfigTest.py2.sh \
+ src/config/SSSDConfigTest.py3.sh \
src/config/SSSDConfig/sssd_upgrade_config.py \
contrib/rhel/update_debug_levels.py \
contrib/fedora/bashrc_sssd \
@@ -335,7 +344,11 @@ dist_noinst_SCRIPTS = \
contrib/ci/run \
contrib/ci/valgrind-condense \
src/tests/pyhbac-test.py \
+ src/tests/pyhbac-test.py2.sh \
+ src/tests/pyhbac-test.py3.sh \
src/tests/pysss_murmur-test.py \
+ src/tests/pysss_murmur-test.py2.sh \
+ src/tests/pysss_murmur-test.py3.sh \
src/tests/python-test.py \
$(NULL)
diff --git a/src/config/SSSDConfigTest.py2.sh b/src/config/SSSDConfigTest.py2.sh
new file mode 100755
index 0000000000000000000000000000000000000000..7bbd82af3997b295d48f8ea6d1d59afd5eaba43f
--- /dev/null
+++ b/src/config/SSSDConfigTest.py2.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+SCRIPT=$(readlink -f "$0")
+SCRIPT_PATH=$(dirname "$SCRIPT")
+exec python2 $SCRIPT_PATH/SSSDConfigTest.py
diff --git a/src/config/SSSDConfigTest.py3.sh b/src/config/SSSDConfigTest.py3.sh
new file mode 100755
index 0000000000000000000000000000000000000000..89b9f0720473904fe093ee4c065ae01579ee94ef
--- /dev/null
+++ b/src/config/SSSDConfigTest.py3.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+SCRIPT=$(readlink -f "$0")
+SCRIPT_PATH=$(dirname "$SCRIPT")
+exec python3 $SCRIPT_PATH/SSSDConfigTest.py
diff --git a/src/tests/pyhbac-test.py2.sh b/src/tests/pyhbac-test.py2.sh
new file mode 100755
index 0000000000000000000000000000000000000000..48cd16908eaf9cf2c61f8e5fda1d954f116c68cc
--- /dev/null
+++ b/src/tests/pyhbac-test.py2.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+SCRIPT=$(readlink -f "$0")
+SCRIPT_PATH=$(dirname "$SCRIPT")
+exec python2 $SCRIPT_PATH/pyhbac-test.py
diff --git a/src/tests/pyhbac-test.py3.sh b/src/tests/pyhbac-test.py3.sh
new file mode 100755
index 0000000000000000000000000000000000000000..862c7b23a87ea9d0b747dca12466175f0fd00b76
--- /dev/null
+++ b/src/tests/pyhbac-test.py3.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+SCRIPT=$(readlink -f "$0")
+SCRIPT_PATH=$(dirname "$SCRIPT")
+exec python3 $SCRIPT_PATH/pyhbac-test.py
diff --git a/src/tests/pysss_murmur-test.py2.sh b/src/tests/pysss_murmur-test.py2.sh
new file mode 100755
index 0000000000000000000000000000000000000000..714459786c19b69f738e91df77d9423eba2b72fd
--- /dev/null
+++ b/src/tests/pysss_murmur-test.py2.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+SCRIPT=$(readlink -f "$0")
+SCRIPT_PATH=$(dirname "$SCRIPT")
+exec python2 $SCRIPT_PATH/pysss_murmur-test.py
diff --git a/src/tests/pysss_murmur-test.py3.sh b/src/tests/pysss_murmur-test.py3.sh
new file mode 100755
index 0000000000000000000000000000000000000000..00b352ad3e15ba7d53885b86129bf76ede7ca4e6
--- /dev/null
+++ b/src/tests/pysss_murmur-test.py3.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+SCRIPT=$(readlink -f "$0")
+SCRIPT_PATH=$(dirname "$SCRIPT")
+exec python3 $SCRIPT_PATH/pysss_murmur-test.py
--
2.4.3

91
0014-SPEC-Replace-python_-macros-with-python2_.patch
View File

@ -1,91 +0,0 @@
From 023ce335f80d03631c98e41cd6802bda09fb555a Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 10 Feb 2015 18:07:05 +0100
Subject: [PATCH 14/30] SPEC: Replace python_ macros with python2_
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
contrib/sssd.spec.in | 34 ++++++++++++++++++++--------------
1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index c50eebd193de5815eca55824670a319603b54501..6235bcf46fed96befbe035c7fe93026955dd0c3e 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1,8 +1,14 @@
%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
+%if 0%{?rhel} && 0%{?rhel} <= 6
+%{!?__python2: %global __python2 /usr/bin/python2}
+%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
+%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
+%endif
+
# Fedora and RHEL 6+
# we don't want to provide private python extension libs
-%define __provides_exclude_from %{python_sitearch}/.*\.so$
+%define __provides_exclude_from %{python2_sitearch}/.*\.so$
%if (0%{?fedora} || 0%{?rhel} >= 7)
%global use_systemd 1
@@ -528,9 +534,9 @@ rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}
# Older versions of rpmbuild can only handle one -f option
# So we need to append to the sssd*.lang file
-for file in `ls $RPM_BUILD_ROOT/%{python_sitelib}/*.egg-info 2> /dev/null`
+for file in `ls $RPM_BUILD_ROOT/%{python2_sitelib}/*.egg-info 2> /dev/null`
do
- echo %{python_sitelib}/`basename $file` >> python_sssdconfig.lang
+ echo %{python2_sitelib}/`basename $file` >> python2_sssdconfig.lang
done
touch sssd.lang
@@ -773,20 +779,20 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sss_debuglevel.8*
%{_mandir}/man8/sss_seed.8*
-%files -n python-sssdconfig -f python_sssdconfig.lang
+%files -n python-sssdconfig -f python2_sssdconfig.lang
%defattr(-,root,root,-)
-%dir %{python_sitelib}/SSSDConfig
-%{python_sitelib}/SSSDConfig/*.py*
+%dir %{python2_sitelib}/SSSDConfig
+%{python2_sitelib}/SSSDConfig/*.py*
%files -n python-sss
%defattr(-,root,root,-)
-%{python_sitearch}/pysss.so
-%{python_sitearch}/_py2sss.so
+%{python2_sitearch}/pysss.so
+%{python2_sitearch}/_py2sss.so
%files -n python-sss-murmur
%defattr(-,root,root,-)
-%{python_sitearch}/pysss_murmur.so
-%{python_sitearch}/_py2sss_murmur.so
+%{python2_sitearch}/pysss_murmur.so
+%{python2_sitearch}/_py2sss_murmur.so
%files -n libsss_idmap
%defattr(-,root,root,-)
@@ -826,13 +832,13 @@ rm -rf $RPM_BUILD_ROOT
%files -n python-libsss_nss_idmap
%defattr(-,root,root,-)
-%{python_sitearch}/pysss_nss_idmap.so
-%{python_sitearch}/_py2sss_nss_idmap.so
+%{python2_sitearch}/pysss_nss_idmap.so
+%{python2_sitearch}/_py2sss_nss_idmap.so
%files -n python-libipa_hbac
%defattr(-,root,root,-)
-%{python_sitearch}/pyhbac.so
-%{python_sitearch}/_py2hbac.so
+%{python2_sitearch}/pyhbac.so
+%{python2_sitearch}/_py2hbac.so
%files libwbclient
%defattr(-,root,root,-)
--
2.4.3

378
0015-SPEC-Build-python3-bindings-on-available-platforms.patch
View File

@ -1,378 +0,0 @@
From 61bf76430dac157452e44da5fa66a4c4f268a806 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 10 Feb 2015 19:39:45 +0100
Subject: [PATCH 15/30] SPEC: Build python3 bindings on available platforms
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
---
contrib/ci/configure.sh | 6 ++
contrib/ci/deps.sh | 1 +
contrib/sssd.spec.in | 144 ++++++++++++++++++++++++++++++++++++++++++++---
src/conf_macros.m4 | 2 +-
src/tests/dlopen-tests.c | 14 +++--
5 files changed, 154 insertions(+), 13 deletions(-)
diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh
index 8af273043a77556a2eee10224ff2a0baaf53d497..d5d4c791a35f3583416efd904ad5804bcbebf4c8 100644
--- a/contrib/ci/configure.sh
+++ b/contrib/ci/configure.sh
@@ -35,9 +35,15 @@ if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-6.*- ]]; then
CONFIGURE_ARG_LIST+=(
"--disable-cifs-idmap-plugin"
"--with-syslog=syslog"
+ "--without-python3-bindings"
)
fi
+if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-7.*- ]]; then
+ CONFIGURE_ARG_LIST+=(
+ "--without-python3-bindings"
+ )
+fi
declare -r -a CONFIGURE_ARG_LIST
fi # _CONFIGURE_SH
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
index 0cdb9962987edddf4dd2fff659e3262bbd50b045..4e0ce1e0328927f42b3849d9c39180b4064a9d4b 100644
--- a/contrib/ci/deps.sh
+++ b/contrib/ci/deps.sh
@@ -92,6 +92,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
libxml2-utils
make
python-dev
+ python3-dev
samba-dev
systemd
xml-core
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 6235bcf46fed96befbe035c7fe93026955dd0c3e..2d9c9b18c38f78956b516cb70cd42b9c62ccff8e 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -9,6 +9,7 @@
# Fedora and RHEL 6+
# we don't want to provide private python extension libs
%define __provides_exclude_from %{python2_sitearch}/.*\.so$
+%define __provides_exclude_from %{python3_sitearch}/.*\.so$
%if (0%{?fedora} || 0%{?rhel} >= 7)
%global use_systemd 1
@@ -44,6 +45,12 @@
%global with_krb5_localauth_plugin 1
%endif
+%if (0%{?fedora})
+ %global with_python3 1
+%else
+ %global with_python3_option --without-python3-bindings
+%endif
+
Name: @PACKAGE_NAME@
Version: @PACKAGE_VERSION@
Release: 0@PRERELEASE_VERSION@%{?dist}
@@ -65,7 +72,11 @@ Requires: sssd-ipa = %{version}-%{release}
Requires: sssd-common-pac = %{version}-%{release}
Requires: sssd-ad = %{version}-%{release}
Requires: sssd-proxy = %{version}-%{release}
+%if (0%{?with_python3} == 1)
+Requires: python3-sssdconfig = %{version}-%{release}
+%else
Requires: python-sssdconfig = %{version}-%{release}
+%endif
%global servicename sssd
%global sssdstatedir %{_localstatedir}/lib/sss
@@ -106,6 +117,9 @@ BuildRequires: krb5-devel
%endif
BuildRequires: c-ares-devel
BuildRequires: python-devel
+%if (0%{?with_python3} == 1)
+BuildRequires: python3-devel
+%endif
BuildRequires: check-devel
BuildRequires: doxygen
BuildRequires: libselinux-devel
@@ -203,8 +217,13 @@ Group: Applications/System
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
# required by sss_obfuscate
+%if (0%{?with_python3} == 1)
+Requires: python3-sss = %{version}-%{release}
+Requires: python3-sssdconfig = %{version}-%{release}
+%else
Requires: python-sss = %{version}-%{release}
Requires: python-sssdconfig = %{version}-%{release}
+%endif
%description tools
Provides userspace tools for manipulating users, groups, and nested groups in
@@ -222,29 +241,66 @@ License: GPLv3+
BuildArch: noarch
%description -n python-sssdconfig
-Provides python files for manipulation SSSD and IPA configuration files.
+Provides python2 files for manipulation SSSD and IPA configuration files.
+
+%if (0%{?with_python3} == 1)
+%package -n python3-sssdconfig
+Summary: SSSD and IPA configuration file manipulation classes and functions
+Group: Applications/System
+License: GPLv3+
+BuildArch: noarch
+
+%description -n python3-sssdconfig
+Provides python3 files for manipulation SSSD and IPA configuration files.
+%endif
%package -n python-sss
-Summary: Python bindings for sssd
+Summary: Python2 bindings for sssd
Group: Development/Libraries
License: LGPLv3+
Requires: sssd-common = %{version}-%{release}
%description -n python-sss
-Provides python module for manipulating users, groups, and nested groups in
+Provides python2 module for manipulating users, groups, and nested groups in
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
-Also provides several other useful python bindings:
+Also provides several other useful python2 bindings:
* function for retrieving list of groups user belongs to.
* class for obfuscation of passwords
+%if (0%{?with_python3} == 1)
+%package -n python3-sss
+Summary: Python3 bindings for sssd
+Group: Development/Libraries
+License: LGPLv3+
+Requires: sssd-common = %{version}-%{release}
+
+%description -n python3-sss
+Provides python3 module for manipulating users, groups, and nested groups in
+SSSD when using id_provider = local in /etc/sssd/sssd.conf.
+
+Also provides several other useful python3 bindings:
+ * function for retrieving list of groups user belongs to.
+ * class for obfuscation of passwords
+%endif
+
%package -n python-sss-murmur
-Summary: Python bindings for murmur hash function
+Summary: Python2 bindings for murmur hash function
Group: Development/Libraries
License: LGPLv3+
%description -n python-sss-murmur
-Provides python module for calculating the murmur hash version 3
+Provides python2 module for calculating the murmur hash version 3
+
+%if (0%{?with_python3} == 1)
+%package -n python3-sss-murmur
+Summary: Python3 bindings for murmur hash function
+Group: Development/Libraries
+License: LGPLv3+
+
+%description -n python3-sss-murmur
+Provides python3 module for calculating the murmur hash version 3
+%endif
%package ldap
Summary: The LDAP back end of the SSSD
@@ -371,7 +427,7 @@ Requires: libipa_hbac = %{version}-%{release}
Utility library to validate FreeIPA HBAC rules for authorization requests
%package -n python-libipa_hbac
-Summary: Python bindings for the FreeIPA HBAC Evaluator library
+Summary: Python2 bindings for the FreeIPA HBAC Evaluator library
Group: Development/Libraries
License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release}
@@ -382,6 +438,18 @@ Obsoletes: libipa_hbac-python < 1.12.90
The python-libipa_hbac contains the bindings so that libipa_hbac can be
used by Python applications.
+%if (0%{?with_python3} == 1)
+%package -n python3-libipa_hbac
+Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libipa_hbac = %{version}-%{release}
+
+%description -n python3-libipa_hbac
+The python3-libipa_hbac contains the bindings so that libipa_hbac can be
+used by Python applications.
+%endif
+
%package -n libsss_nss_idmap
Summary: Library for SID based lookups
Group: Development/Libraries
@@ -402,7 +470,7 @@ Requires: libsss_nss_idmap = %{version}-%{release}
Utility library for SID based lookups
%package -n python-libsss_nss_idmap
-Summary: Python bindings for libsss_nss_idmap
+Summary: Python2 bindings for libsss_nss_idmap
Group: Development/Libraries
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
@@ -413,6 +481,18 @@ Obsoletes: libsss_nss_idmap-python < 1.12.90
The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
be used by Python applications.
+%if (0%{?with_python3} == 1)
+%package -n python3-libsss_nss_idmap
+Summary: Python3 bindings for libsss_nss_idmap
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libsss_nss_idmap = %{version}-%{release}
+
+%description -n python3-libsss_nss_idmap
+The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
+be used by Python applications.
+%endif
+
%package dbus
Summary: The D-Bus responder of the SSSD
Group: Applications/System
@@ -495,6 +575,7 @@ autoreconf -ivf
%{with_initscript} \
%{?with_syslog} \
%{?with_cifs_utils_plugin_option} \
+ %{?with_python3_option} \
%{?experimental}
make %{?_smp_mflags} all
@@ -509,6 +590,10 @@ unset CK_TIMEOUT_MULTIPLIER
%install
rm -rf $RPM_BUILD_ROOT
+%if (0%{?with_python3} == 1)
+sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
+%endif
+
make install DESTDIR=$RPM_BUILD_ROOT
# Prepare language files
@@ -539,6 +624,13 @@ do
echo %{python2_sitelib}/`basename $file` >> python2_sssdconfig.lang
done
+%if (0%{?with_python3} == 1)
+for file in `ls $RPM_BUILD_ROOT/%{python3_sitelib}/*.egg-info 2> /dev/null`
+do
+ echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang
+done
+%endif
+
touch sssd.lang
touch sssd_tools.lang
touch sssd_client.lang
@@ -784,16 +876,38 @@ rm -rf $RPM_BUILD_ROOT
%dir %{python2_sitelib}/SSSDConfig
%{python2_sitelib}/SSSDConfig/*.py*
+%if (0%{?with_python3} == 1)
+%files -n python3-sssdconfig -f python3_sssdconfig.lang
+%defattr(-,root,root,-)
+%dir %{python3_sitelib}/SSSDConfig
+%{python3_sitelib}/SSSDConfig/*.py*
+%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
+%endif
+
%files -n python-sss
%defattr(-,root,root,-)
%{python2_sitearch}/pysss.so
%{python2_sitearch}/_py2sss.so
+%if (0%{?with_python3} == 1)
+%files -n python3-sss
+%defattr(-,root,root,-)
+%{python3_sitearch}/pysss.so
+%{python3_sitearch}/_py3sss.so
+%endif
+
%files -n python-sss-murmur
%defattr(-,root,root,-)
%{python2_sitearch}/pysss_murmur.so
%{python2_sitearch}/_py2sss_murmur.so
+%if (0%{?with_python3} == 1)
+%files -n python3-sss-murmur
+%defattr(-,root,root,-)
+%{python3_sitearch}/pysss_murmur.so
+%{python3_sitearch}/_py3sss_murmur.so
+%endif
+
%files -n libsss_idmap
%defattr(-,root,root,-)
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
@@ -835,11 +949,25 @@ rm -rf $RPM_BUILD_ROOT
%{python2_sitearch}/pysss_nss_idmap.so
%{python2_sitearch}/_py2sss_nss_idmap.so
+%if (0%{?with_python3} == 1)
+%files -n python3-libsss_nss_idmap
+%defattr(-,root,root,-)
+%{python3_sitearch}/pysss_nss_idmap.so
+%{python3_sitearch}/_py3sss_nss_idmap.so
+%endif
+
%files -n python-libipa_hbac
%defattr(-,root,root,-)
%{python2_sitearch}/pyhbac.so
%{python2_sitearch}/_py2hbac.so
+%if (0%{?with_python3} == 1)
+%files -n python3-libipa_hbac
+%defattr(-,root,root,-)
+%{python3_sitearch}/pyhbac.so
+%{python3_sitearch}/_py3hbac.so
+%endif
+
%files libwbclient
%defattr(-,root,root,-)
%{_libdir}/%{name}/modules/libwbclient.so.*
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 48d1e6e7d6d1189c86d626a4509d919143aa6821..86876fab8115c49f38ebef4e3037a8ba36a5b92e 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -383,7 +383,7 @@ AC_DEFUN([WITH_PYTHON3_BINDINGS],
[Whether to build python3 bindings [yes]])
],
[],
- [with_python3_bindings=no]
+ [with_python3_bindings=yes]
)
if test x"$with_python3_bindings" = xyes; then
AC_SUBST([HAVE_PYTHON3_BINDINGS], [1])
diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c
index 5cc6cae693f09adae12df0d2267e0868ae2f74c0..e808f23e7560241e3fc158d71da2dbdbe1543dfc 100644
--- a/src/tests/dlopen-tests.c
+++ b/src/tests/dlopen-tests.c
@@ -96,10 +96,16 @@ struct so {
{ "libdlopen_test_providers.so", { LIBPFX"libdlopen_test_providers.so",
NULL } },
#ifdef HAVE_PYTHON_BINDINGS
- { "pyhbac.so", { LIBPFX"pyhbac.so", NULL } },
- { "pysss.so", { LIBPFX"pysss.so", NULL } },
- { "pysss_murmur.so", { LIBPFX"pysss_murmur.so", NULL } },
- { "pysss_nss_idmap.so", { LIBPFX"pysss_nss_idmap.so", NULL } },
+ { "_py2hbac.so", { LIBPFX"_py2hbac.so", NULL } },
+ { "_py2sss.so", { LIBPFX"_py2sss.so", NULL } },
+ { "_py2sss_murmur.so", { LIBPFX"_py2sss_murmur.so", NULL } },
+ { "_py2sss_nss_idmap.so", { LIBPFX"_py2sss_nss_idmap.so", NULL } },
+#endif
+#ifdef HAVE_PYTHON_BINDINGS
+ { "_py3hbac.so", { LIBPFX"_py3hbac.so", NULL } },
+ { "_py3sss.so", { LIBPFX"_py3sss.so", NULL } },
+ { "_py3sss_murmur.so", { LIBPFX"_py3sss_murmur.so", NULL } },
+ { "_py3sss_nss_idmap.so", { LIBPFX"_py3sss_nss_idmap.so", NULL } },
#endif
#ifdef HAVE_CONFIG_LIB
{ "libsss_config.so", { LIBPFX"libsss_config.so", NULL } },
--
2.4.3

39
0016-ad_opts-Use-different-default-attribute-for-group-na.patch
View File

@ -1,39 +0,0 @@
From be0fb81d4720c590269d0fc747fcb31f53791bef Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 7 Apr 2015 09:47:17 +0200
Subject: [PATCH 16/30] ad_opts: Use different default attribute for group name
The MSFT docs [1,2] for LDAP attributes says:
samAccountName is mandotory for 'user' and 'group' objectclasses
via the 'Security-Principal' aux-class
name is part of the 'top' class and *not* mandatory for 'user' or 'group'.
[1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
[2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx
Resolves:
https://fedorahosted.org/sssd/ticket/2593
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit b83620d6a2aaf988b353969ae12a47a616250f47)
---
src/providers/ad/ad_opts.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 4c287021c2d901999602621a4fe3b7af9c6b8c35..b03c74612d3141170dac84ab805529184fec5a49 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -221,7 +221,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = {
struct sdap_attr_map ad_2008r2_group_map[] = {
{ "ldap_group_object_class", "group", SYSDB_GROUP_CLASS, NULL },
{ "ldap_group_object_class_alt", NULL, SYSDB_GROUP_CLASS, NULL },
- { "ldap_group_name", "name", SYSDB_NAME, NULL },
+ { "ldap_group_name", "sAMAccountName", SYSDB_NAME, NULL },
{ "ldap_group_pwd", NULL, SYSDB_PWD, NULL },
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
{ "ldap_group_member", "member", SYSDB_MEMBER, NULL },
--
2.4.3

207
0017-Add-leak-check-and-command-line-option-to-test_autht.patch
View File

@ -1,207 +0,0 @@
From 0e5aa8439679a86c55694a49a3f123cba9a3c9e4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 12 Feb 2015 21:53:15 +0100
Subject: [PATCH 17/30] Add leak check and command line option to test_authtok
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 80b5dbe123ec94c5a8fcb99f9a4953c1513deb58)
---
Makefile.am | 3 ++
src/tests/cmocka/test_authtok.c | 67 +++++++++++++++++++++++++++++++++++------
2 files changed, 60 insertions(+), 10 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 7aa44d7dfc3a01334d6d4e68c96095df66dee324..46c42171ab89a5c570858b85d9c3e5a7ef2ba0ce 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1864,11 +1864,14 @@ test_authtok_SOURCES = \
test_authtok_CFLAGS = \
$(AM_CFLAGS) \
$(TALLOC_CFLAGS) \
+ $(POPT_CFLAGS) \
$(DHASH_CFLAGS)
test_authtok_LDADD = \
$(TALLOC_LIBS) \
$(CMOCKA_LIBS) \
$(DHASH_LIBS) \
+ $(POPT_LIBS) \
+ libsss_test_common.la \
libsss_debug.la
sss_nss_idmap_tests_SOURCES = \
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
index e37e92f68373d564f53b1267f078ea89c31ae051..0c7b7197fb2c03d69dc4df2310229ea100ad28d4 100644
--- a/src/tests/cmocka/test_authtok.c
+++ b/src/tests/cmocka/test_authtok.c
@@ -22,11 +22,10 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <stdarg.h>
-#include <stddef.h>
-#include <setjmp.h>
-#include <cmocka.h>
#include <string.h>
+#include <popt.h>
+
+#include "tests/cmocka/common_mock.h"
#include "util/authtok.h"
@@ -39,12 +38,15 @@ static int setup(void **state)
{
struct test_state *ts = NULL;
- ts = talloc(NULL, struct test_state);
+ assert_true(leak_check_setup());
+
+ ts = talloc(global_talloc_context, struct test_state);
assert_non_null(ts);
ts->authtoken = sss_authtok_new(ts);
assert_non_null(ts->authtoken);
+ check_leaks_push(ts);
*state = (void *)ts;
return 0;
}
@@ -52,7 +54,12 @@ static int setup(void **state)
static int teardown(void **state)
{
struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
+
+ assert_non_null(ts);
+
+ assert_true(check_leaks_pop(ts) == true);
talloc_free(ts);
+ assert_true(leak_check_teardown());
return 0;
}
@@ -85,7 +92,7 @@ static void test_sss_authtok_password(void **state)
{
size_t len;
errno_t ret;
- const char *data;
+ char *data;
size_t ret_len;
const char *pwd;
struct test_state *ts;
@@ -117,6 +124,9 @@ static void test_sss_authtok_password(void **state)
assert_int_equal(ret, EOK);
assert_string_equal(data, pwd);
assert_int_equal(len - 1, ret_len);
+
+ talloc_free(data);
+ sss_authtok_set_empty(ts->authtoken);
}
/* Test when type has value SSS_AUTHTOK_TYPE_CCFILE */
@@ -124,7 +134,7 @@ static void test_sss_authtok_ccfile(void **state)
{
size_t len;
errno_t ret;
- const char *data;
+ char *data;
size_t ret_len;
const char *pwd;
struct test_state *ts;
@@ -172,6 +182,9 @@ static void test_sss_authtok_ccfile(void **state)
assert_int_equal(ret, EOK);
assert_string_equal(data, pwd);
assert_int_equal(len - 1, ret_len);
+
+ talloc_free(data);
+ sss_authtok_set_empty(ts->authtoken);
}
/* Test when type has value SSS_AUTHTOK_TYPE_EMPTY */
@@ -226,7 +239,7 @@ static void test_sss_authtok_wipe_password(void **state)
{
size_t len;
errno_t ret;
- const char *data;
+ char *data;
size_t ret_len;
const char *pwd;
struct test_state *ts;
@@ -249,13 +262,16 @@ static void test_sss_authtok_wipe_password(void **state)
assert_int_equal(ret, EOK);
assert_string_equal(pwd, "");
assert_int_equal(len - 1, ret_len);
+
+ sss_authtok_set_empty(ts->authtoken);
+ talloc_free(data);
}
static void test_sss_authtok_copy(void **state)
{
size_t len;
errno_t ret;
- const char *data;
+ char *data;
struct test_state *ts;
enum sss_authtok_type type;
struct sss_auth_token *dest_authtoken;
@@ -276,6 +292,7 @@ static void test_sss_authtok_copy(void **state)
assert_int_equal(EOK, sss_authtok_copy(ts->authtoken, dest_authtoken));
assert_int_equal(type, sss_authtok_get_type(dest_authtoken));
+ sss_authtok_set_empty(dest_authtoken);
type = SSS_AUTHTOK_TYPE_PASSWORD;
ret = sss_authtok_set(ts->authtoken, type, (const uint8_t *)data, len);
@@ -287,10 +304,23 @@ static void test_sss_authtok_copy(void **state)
assert_int_equal(type, sss_authtok_get_type(dest_authtoken));
assert_string_equal(data, sss_authtok_get_data(dest_authtoken));
assert_int_equal(len, sss_authtok_get_size(dest_authtoken));
+
+ sss_authtok_set_empty(dest_authtoken);
+ talloc_free(dest_authtoken);
+ sss_authtok_set_empty(ts->authtoken);
+ talloc_free(data);
}
-int main(void)
+int main(int argc, const char *argv[])
{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
const struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(test_sss_authtok_new,
setup, teardown),
@@ -306,5 +336,22 @@ int main(void)
setup, teardown)
};
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
return cmocka_run_group_tests(tests, NULL, NULL);
}
--
2.4.3

765
0018-utils-add-sss_authtok_-gs-et_2fa.patch
View File

@ -1,765 +0,0 @@
From 4b0dc81aacba3317ccf6e79ce69e4331e74c3d1f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 7 Jan 2015 18:11:16 +0100
Subject: [PATCH 18/30] utils: add sss_authtok_[gs]et_2fa
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit bc052ea17d858c19f9cb9c9e2bc602e754f68831)
---
Makefile.am | 5 ++
src/sss_client/pam_sss.c | 1 +
src/sss_client/sss_cli.h | 3 +
src/tests/cmocka/test_authtok.c | 189 +++++++++++++++++++++++++++++++++++++++-
src/util/authtok-utils.c | 74 ++++++++++++++++
src/util/authtok-utils.h | 70 +++++++++++++++
src/util/authtok.c | 181 ++++++++++++++++++++++++++++++++++++++
src/util/authtok.h | 44 ++++++++++
8 files changed, 564 insertions(+), 3 deletions(-)
create mode 100644 src/util/authtok-utils.c
create mode 100644 src/util/authtok-utils.h
diff --git a/Makefile.am b/Makefile.am
index 46c42171ab89a5c570858b85d9c3e5a7ef2ba0ce..d3fea94b206a538b86a0fb119ed186947fa8d8e6 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -519,6 +519,7 @@ dist_noinst_HEADERS = \
src/util/atomic_io.h \
src/util/auth_utils.h \
src/util/authtok.h \
+ src/util/authtok-utils.h \
src/util/util_safealign.h \
src/util/util_sss_idmap.h \
src/monitor/monitor.h \
@@ -752,6 +753,7 @@ libsss_util_la_SOURCES = \
src/util/murmurhash3.c \
src/util/atomic_io.c \
src/util/authtok.c \
+ src/util/authtok-utils.c \
src/util/sss_selinux.c \
src/util/domain_info_utils.c \
src/util/util_lock.c \
@@ -1860,6 +1862,7 @@ test_negcache_LDADD = \
test_authtok_SOURCES = \
src/tests/cmocka/test_authtok.c \
src/util/authtok.c \
+ src/util/authtok-utils.c \
src/util/util.c
test_authtok_CFLAGS = \
$(AM_CFLAGS) \
@@ -2711,6 +2714,7 @@ krb5_child_SOURCES = \
src/util/find_uid.c \
src/util/atomic_io.c \
src/util/authtok.c \
+ src/util/authtok-utils.c \
src/util/util.c \
src/util/signal.c \
src/util/strtonum.c \
@@ -2742,6 +2746,7 @@ ldap_child_SOURCES = \
src/util/sss_krb5.c \
src/util/atomic_io.c \
src/util/authtok.c \
+ src/util/authtok-utils.c \
src/util/util.c \
src/util/signal.c \
src/util/become_user.c \
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 28a36d5af95297b394a74f39d6614f48831bb901..4007d125e34932dfb5ac6bc840f4d25306e3008f 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -41,6 +41,7 @@
#include "sss_cli.h"
#include "util/atomic_io.h"
+#include "util/authtok-utils.h"
#include <libintl.h>
#define _(STRING) dgettext (PACKAGE, STRING)
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index d508a0671cd1b3ee087e0967f7015628ceabe20f..9a19d7d47d0a9d7dabeac36dc2c866c3420ef501 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -301,6 +301,9 @@ enum sss_authtok_type {
* a Kerberos credential cache file,
* it may or may no contain
* a trailing \\0 */
+ SSS_AUTHTOK_TYPE_2FA = 0x0003, /**< Authentication token has two
+ * factors, they may or may no contain
+ * a trailing \\0 */
};
/**
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
index 0c7b7197fb2c03d69dc4df2310229ea100ad28d4..5aa47c7b6b8c955666a9c73d5f9627d6378d13e0 100644
--- a/src/tests/cmocka/test_authtok.c
+++ b/src/tests/cmocka/test_authtok.c
@@ -57,7 +57,7 @@ static int teardown(void **state)
assert_non_null(ts);
- assert_true(check_leaks_pop(ts) == true);
+ assert_true(check_leaks_pop(ts));
talloc_free(ts);
assert_true(leak_check_teardown());
return 0;
@@ -118,8 +118,8 @@ static void test_sss_authtok_password(void **state)
assert_int_equal(len - 1, ret_len);
ret = sss_authtok_set_password(ts->authtoken, data, len);
-
assert_int_equal(ret, EOK);
+
ret = sss_authtok_get_password(ts->authtoken, &pwd, &ret_len);
assert_int_equal(ret, EOK);
assert_string_equal(data, pwd);
@@ -311,6 +311,183 @@ static void test_sss_authtok_copy(void **state)
talloc_free(data);
}
+void test_sss_authtok_2fa(void **state)
+{
+ int ret;
+ const char *fa1;
+ size_t fa1_size;
+ const char *fa2;
+ size_t fa2_size;
+ struct test_state *ts;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_authtok_set_2fa(NULL, "a", 0, "b", 0);
+ assert_int_equal(ret, EINVAL);
+
+ /* Test missing first factor */
+ ret = sss_authtok_set_2fa(ts->authtoken, NULL, 1, "b", 1);
+ assert_int_equal(ret, EINVAL);
+ /* Test missing second factor */
+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, NULL, 1);
+ assert_int_equal(ret, EINVAL);
+ /* Test wrong first factor length */
+ ret = sss_authtok_set_2fa(ts->authtoken, "ab", 1, "b", 1);
+ assert_int_equal(ret, EINVAL);
+ /* Test wrong second factor length */
+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, "bc", 1);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, "bc", 2);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(sss_authtok_get_size(ts->authtoken),
+ 2 * sizeof(uint32_t) + 5);
+ assert_int_equal(sss_authtok_get_type(ts->authtoken), SSS_AUTHTOK_TYPE_2FA);
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken),
+ "\2\0\0\0\3\0\0\0a\0bc\0",
+ 2 * sizeof(uint32_t) + 5);
+#else
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken),
+ "\0\0\0\2\0\0\0\3a\0bc\0",
+ 2 * sizeof(uint32_t) + 5);
+#endif
+
+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(fa1_size, 1);
+ assert_string_equal(fa1, "a");
+ assert_int_equal(fa2_size, 2);
+ assert_string_equal(fa2, "bc");
+
+ sss_authtok_set_empty(ts->authtoken);
+
+ /* check return code of empty token */
+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size);
+ assert_int_equal(ret, ENOENT);
+
+ /* check return code for other token type */
+ ret = sss_authtok_set_password(ts->authtoken, "abc", 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size);
+ assert_int_equal(ret, EACCES);
+
+ sss_authtok_set_empty(ts->authtoken);
+
+ /* check return code for garbage */
+ ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_2FA,
+ (const uint8_t *) "1111222233334444", 16);
+ assert_int_equal(ret, EINVAL);
+
+ sss_authtok_set_empty(ts->authtoken);
+}
+
+void test_sss_authtok_2fa_blobs(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ size_t needed_size;
+ uint8_t *buf;
+ char *fa1;
+ size_t fa1_len;
+ char *fa2;
+ size_t fa2_len;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_auth_pack_2fa_blob(NULL, 0, "defg", 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_auth_pack_2fa_blob("abc", 0, NULL, 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_auth_pack_2fa_blob("", 0, "defg", 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_auth_pack_2fa_blob("abc", 0, "", 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_auth_pack_2fa_blob("abc", 0, "defg", 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EAGAIN);
+
+ buf = talloc_size(ts, needed_size);
+ assert_non_null(buf);
+
+ ret = sss_auth_pack_2fa_blob("abc", 0, "defg", 0, buf, needed_size,
+ &needed_size);
+ assert_int_equal(ret, EOK);
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ assert_memory_equal(buf, "\4\0\0\0\5\0\0\0abc\0defg\0", needed_size);
+#else
+ assert_memory_equal(buf, "\0\0\0\4\0\0\0\5abc\0defg\0", needed_size);
+#endif
+
+ ret = sss_auth_unpack_2fa_blob(ts, buf, needed_size, &fa1, &fa1_len, &fa2,
+ &fa2_len);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(fa1_len, 3);
+ assert_string_equal(fa1, "abc");
+ assert_int_equal(fa2_len, 4);
+ assert_string_equal(fa2, "defg");
+
+ talloc_free(buf);
+ talloc_free(fa1);
+ talloc_free(fa2);
+}
+
+#define MISSING_NULL_CHECK do { \
+ assert_int_equal(ret, EOK); \
+ assert_int_equal(fa1_len, 3); \
+ assert_string_equal(fa1, "abc"); \
+ assert_int_equal(fa2_len, 4); \
+ assert_string_equal(fa2, "defg"); \
+ \
+ talloc_free(fa1); \
+ talloc_free(fa2); \
+} while (0)
+
+void test_sss_authtok_2fa_blobs_missing_null(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ char *fa1;
+ size_t fa1_len;
+ char *fa2;
+ size_t fa2_len;
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ uint8_t b0[] = {0x04, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g', 0x00};
+ uint8_t b1[] = {0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x00};
+ uint8_t b2[] = {0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g'};
+ uint8_t b3[] = {0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g'};
+#else
+ uint8_t b0[] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g', 0x00};
+ uint8_t b1[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x00};
+ uint8_t b2[] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g'};
+ uint8_t b3[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 'd', 'e', 'f', 'g'};
+#endif
+
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_auth_unpack_2fa_blob(ts, b0, sizeof(b0), &fa1, &fa1_len, &fa2,
+ &fa2_len);
+ MISSING_NULL_CHECK;
+
+ ret = sss_auth_unpack_2fa_blob(ts, b1, sizeof(b1), &fa1, &fa1_len, &fa2,
+ &fa2_len);
+ MISSING_NULL_CHECK;
+
+ ret = sss_auth_unpack_2fa_blob(ts, b2, sizeof(b2), &fa1, &fa1_len, &fa2,
+ &fa2_len);
+ MISSING_NULL_CHECK;
+
+ ret = sss_auth_unpack_2fa_blob(ts, b3, sizeof(b3), &fa1, &fa1_len, &fa2,
+ &fa2_len);
+ MISSING_NULL_CHECK;
+}
+
int main(int argc, const char *argv[])
{
poptContext pc;
@@ -333,7 +510,13 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_sss_authtok_wipe_password,
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_authtok_copy,
- setup, teardown)
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs_missing_null,
+ setup, teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c
new file mode 100644
index 0000000000000000000000000000000000000000..65fba9022db11786c0c7e4dcab6fec89c9e0cb19
--- /dev/null
+++ b/src/util/authtok-utils.c
@@ -0,0 +1,74 @@
+/*
+ SSSD - auth utils helpers
+
+ Copyright (C) Sumit Bose <sbose@redhat.com> 2015
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* This file is use by SSSD clients and the main daemons. Please do not add
+ * code which is specific to only one of them. */
+
+#include <errno.h>
+
+#include "sss_client/sss_cli.h"
+
+errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len,
+ const char *fa2, size_t fa2_len,
+ uint8_t *buf, size_t buf_len,
+ size_t *_2fa_blob_len)
+{
+ size_t c;
+ uint32_t tmp_uint32_t;
+
+ if (fa1 == NULL || *fa1 == '\0' || fa1_len > UINT32_MAX
+ || fa2 == NULL || *fa2 == '\0' || fa2_len > UINT32_MAX
+ || (buf == NULL && buf_len != 0)) {
+ return EINVAL;
+ }
+
+ if (fa1_len == 0) {
+ fa1_len = strlen(fa1);
+ } else {
+ if (fa1[fa1_len] != '\0') {
+ return EINVAL;
+ }
+ }
+
+ if (fa2_len == 0) {
+ fa2_len = strlen(fa2);
+ } else {
+ if (fa2[fa2_len] != '\0') {
+ return EINVAL;
+ }
+ }
+
+ *_2fa_blob_len = fa1_len + fa2_len + 2 + 2 * sizeof(uint32_t);
+ if (buf == NULL || buf_len < *_2fa_blob_len) {
+ return EAGAIN;
+ }
+
+ c = 0;
+ tmp_uint32_t = (uint32_t) fa1_len + 1;
+ SAFEALIGN_COPY_UINT32(buf, &tmp_uint32_t, &c);
+ tmp_uint32_t = (uint32_t) fa2_len + 1;
+ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c);
+
+ memcpy(buf + c, fa1, fa1_len + 1);
+ c += fa1_len + 1;
+
+ memcpy(buf + c, fa2, fa2_len + 1);
+
+ return 0;
+}
diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h
new file mode 100644
index 0000000000000000000000000000000000000000..07aef3c18395d6e967289f6e345f27e9ee868da2
--- /dev/null
+++ b/src/util/authtok-utils.h
@@ -0,0 +1,70 @@
+/*
+ SSSD - auth utils helpers
+
+ Copyright (C) Sumit Bose <simo@redhat.com> 2015
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __AUTHTOK_UTILS_H__
+#define __AUTHTOK_UTILS_H__
+
+#include <talloc.h>
+
+#include "sss_client/sss_cli.h"
+
+/**
+ * @brief Fill memory buffer with 2FA blob
+ *
+ * @param[in] fa1 First authentication factor, null terminated
+ * @param[in] fa1_len Length of the first authentication factor, if 0
+ * strlen() will be called internally
+ * @param[in] fa2 Second authentication factor, null terminated
+ * @param[in] fa2_len Length of the second authentication factor, if 0
+ * strlen() will be called internally
+ * @param[in] buf memory buffer of size buf_len
+ * @param[in] buf_len size of memory buffer buf
+ *
+ * @param[out] _2fa_blob_len size of the 2FA blob
+ *
+ * @return EOK on success
+ * EINVAL if input data is not consistent
+ * EAGAIN if provided buffer is too small, _2fa_blob_len
+ * contains the size needed to store the 2FA blob
+ */
+errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len,
+ const char *fa2, size_t fa2_len,
+ uint8_t *buf, size_t buf_len,
+ size_t *_2fa_blob_len);
+
+/**
+ * @brief Extract 2FA data from memory buffer
+ *
+ * @param[in] mem_ctx Talloc memory context to allocate the 2FA data on
+ * @param[in] blob Memory buffer containing the 2FA data
+ * @param[in] blob_len Size of the memory buffer
+ * @param[out] _fa1 First authentication factor, null terminated
+ * @param[out] _fa1_len Length of the first authentication factor
+ * @param[out] _fa2 Second authentication factor, null terminated
+ * @param[out] _fa2_len Length of the second authentication factor
+ *
+ * @return EOK on success
+ * EINVAL if input data is not consistent
+ * EINVAL if no memory can be allocated
+ */
+errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx,
+ const uint8_t *blob, size_t blob_len,
+ char **fa1, size_t *_fa1_len,
+ char **fa2, size_t *_fa2_len);
+#endif /* __AUTHTOK_UTILS_H__ */
diff --git a/src/util/authtok.c b/src/util/authtok.c
index b7bc17ed0cdc5cfee7f455b0d7047803e628274a..45761df80175fded8a6c6e5dac8a90180b11d225 100644
--- a/src/util/authtok.c
+++ b/src/util/authtok.c
@@ -38,6 +38,7 @@ size_t sss_authtok_get_size(struct sss_auth_token *tok)
switch (tok->type) {
case SSS_AUTHTOK_TYPE_PASSWORD:
case SSS_AUTHTOK_TYPE_CCFILE:
+ case SSS_AUTHTOK_TYPE_2FA:
return tok->length;
case SSS_AUTHTOK_TYPE_EMPTY:
return 0;
@@ -70,6 +71,7 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok,
}
return EOK;
case SSS_AUTHTOK_TYPE_CCFILE:
+ case SSS_AUTHTOK_TYPE_2FA:
return EACCES;
}
@@ -92,6 +94,7 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok,
}
return EOK;
case SSS_AUTHTOK_TYPE_PASSWORD:
+ case SSS_AUTHTOK_TYPE_2FA:
return EACCES;
}
@@ -140,6 +143,7 @@ void sss_authtok_set_empty(struct sss_auth_token *tok)
case SSS_AUTHTOK_TYPE_EMPTY:
return;
case SSS_AUTHTOK_TYPE_PASSWORD:
+ case SSS_AUTHTOK_TYPE_2FA:
safezero(tok->data, tok->length);
break;
case SSS_AUTHTOK_TYPE_CCFILE:
@@ -169,6 +173,9 @@ errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok,
"ccfile", ccfile, len);
}
+static errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok,
+ const uint8_t *data, size_t len);
+
errno_t sss_authtok_set(struct sss_auth_token *tok,
enum sss_authtok_type type,
const uint8_t *data, size_t len)
@@ -178,6 +185,8 @@ errno_t sss_authtok_set(struct sss_auth_token *tok,
return sss_authtok_set_password(tok, (const char *)data, len);
case SSS_AUTHTOK_TYPE_CCFILE:
return sss_authtok_set_ccfile(tok, (const char *)data, len);
+ case SSS_AUTHTOK_TYPE_2FA:
+ return sss_authtok_set_2fa_from_blob(tok, data, len);
case SSS_AUTHTOK_TYPE_EMPTY:
sss_authtok_set_empty(tok);
return EOK;
@@ -230,3 +239,175 @@ void sss_authtok_wipe_password(struct sss_auth_token *tok)
safezero(tok->data, tok->length);
}
+errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx,
+ const uint8_t *blob, size_t blob_len,
+ char **fa1, size_t *_fa1_len,
+ char **fa2, size_t *_fa2_len)
+{
+ size_t c;
+ uint32_t fa1_len;
+ uint32_t fa2_len;
+
+ if (blob_len < 2 * sizeof(uint32_t)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n");
+ return EINVAL;
+ }
+
+ c = 0;
+ SAFEALIGN_COPY_UINT32(&fa1_len, blob, &c);
+ SAFEALIGN_COPY_UINT32(&fa2_len, blob + c, &c);
+
+ if (blob_len != 2 * sizeof(uint32_t) + fa1_len + fa2_len) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
+ return EINVAL;
+ }
+
+ if (fa1_len != 0) {
+ *fa1 = talloc_strndup(mem_ctx, (const char *) blob + c, fa1_len);
+ if (*fa1 == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ return ENOMEM;
+ }
+ } else {
+ *fa1 = NULL;
+ }
+
+ if (fa2_len != 0) {
+ *fa2 = talloc_strndup(mem_ctx, (const char *) blob + c + fa1_len,
+ fa2_len);
+ if (*fa2 == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ talloc_free(*fa1);
+ return ENOMEM;
+ }
+ } else {
+ *fa2 = NULL;
+ }
+
+ /* Re-calculate length for the case where \0 was missing in the blob */
+ *_fa1_len = (*fa1 == NULL) ? 0 : strlen(*fa1);
+ *_fa2_len = (*fa2 == NULL) ? 0 : strlen(*fa2);
+
+ return EOK;
+}
+
+static errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok,
+ const uint8_t *data, size_t len)
+{
+ TALLOC_CTX *tmp_ctx;
+ int ret;
+ char *fa1;
+ size_t fa1_len;
+ char *fa2;
+ size_t fa2_len;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_auth_unpack_2fa_blob(tmp_ctx, data, len, &fa1, &fa1_len,
+ &fa2, &fa2_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_2fa_blob failed.\n");
+ goto done;
+ }
+
+ ret = sss_authtok_set_2fa(tok, fa1, fa1_len, fa2, fa2_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_set_2fa failed.\n");
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+
+ if (ret != EOK) {
+ sss_authtok_set_empty(tok);
+ }
+
+ return ret;
+}
+
+errno_t sss_authtok_get_2fa(struct sss_auth_token *tok,
+ const char **fa1, size_t *fa1_len,
+ const char **fa2, size_t *fa2_len)
+{
+ size_t c;
+ uint32_t tmp_uint32_t;
+
+ if (tok->type != SSS_AUTHTOK_TYPE_2FA) {
+ return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? ENOENT : EACCES;
+ }
+
+ if (tok->length < 2 * sizeof(uint32_t)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n");
+ return EINVAL;
+ }
+
+ c = 0;
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data, &c);
+ *fa1_len = tmp_uint32_t - 1;
+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
+ *fa2_len = tmp_uint32_t - 1;
+
+ if (*fa1_len == 0 || *fa2_len == 0
+ || tok->length != 2 * sizeof(uint32_t) + *fa1_len + *fa2_len + 2) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
+ return EINVAL;
+ }
+
+ if (tok->data[c + *fa1_len] != '\0'
+ || tok->data[c + *fa1_len + 1 + *fa2_len] != '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing terminating null character.\n");
+ return EINVAL;
+ }
+
+ *fa1 = (const char *) tok->data + c;
+ *fa2 = (const char *) tok->data + c + *fa1_len + 1;
+
+ return EOK;
+}
+
+errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
+ const char *fa1, size_t fa1_len,
+ const char *fa2, size_t fa2_len)
+{
+ int ret;
+ size_t needed_size;
+
+ if (tok == NULL) {
+ return EINVAL;
+ }
+
+ sss_authtok_set_empty(tok);
+
+ ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, NULL, 0,
+ &needed_size);
+ if (ret != EAGAIN) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_auth_pack_2fa_blob unexpectedly returned [%d].\n", ret);
+ return EINVAL;
+ }
+
+ tok->data = talloc_size(tok, needed_size);
+ if (tok->data == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, tok->data,
+ needed_size, &needed_size);
+ if (ret != EOK) {
+ talloc_free(tok->data);
+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_2fa_blob failed.\n");
+ return ret;
+ }
+ tok->length = needed_size;
+ tok->type = SSS_AUTHTOK_TYPE_2FA;
+
+ return EOK;
+}
diff --git a/src/util/authtok.h b/src/util/authtok.h
index 1f6def4c3b6a1cbf6c4f34bb76c496ddae6f9d5f..cb366270832852281a222018f8e27feb1500ff01 100644
--- a/src/util/authtok.h
+++ b/src/util/authtok.h
@@ -21,6 +21,7 @@
#define __AUTHTOK_H__
#include "util/util.h"
+#include "util/authtok-utils.h"
#include "sss_client/sss_cli.h"
/* Use sss_authtok_* accesor functions instead of struct sss_auth_token
@@ -179,4 +180,47 @@ void sss_authtok_wipe_password(struct sss_auth_token *tok);
*/
struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx);
+/**
+ * @brief Set authtoken with 2FA data
+ *
+ * @param tok A pointer to a sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param[in] fa1 First authentication factor, null terminated
+ * @param[in] fa1_len Length of the first authentication factor, if 0
+ * strlen() will be called internally
+ * @param[in] fa2 Second authentication factor, null terminated
+ * @param[in] fa2_len Length of the second authentication factor, if 0
+ * strlen() will be called internally
+ *
+ * @return EOK on success
+ * ENOMEM if memory allocation failed
+ * EINVAL if input data is not consistent
+ */
+errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
+ const char *fa1, size_t fa1_len,
+ const char *fa2, size_t fa2_len);
+
+/**
+ * @brief Get 2FA factors from authtoken
+ *
+ * @param tok A pointer to a sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param[out] fa1 A pointer to a const char *, that will point to a
+ * null terminated string holding the first
+ * authentication factor, may not be modified or freed
+ * @param[out] fa1_len Length of the first authentication factor
+ * @param[out] fa2 A pointer to a const char *, that will point to a
+ * null terminated string holding the second
+ * authentication factor, may not be modified or freed
+ * @param[out] fa2_len Length of the second authentication factor
+ *
+ * @return EOK on success
+ * ENOMEM if memory allocation failed
+ * EINVAL if input data is not consistent
+ * ENOENT if the token is empty
+ * EACCESS if the token is not a 2FA token
+ */
+errno_t sss_authtok_get_2fa(struct sss_auth_token *tok,
+ const char **fa1, size_t *fa1_len,
+ const char **fa2, size_t *fa2_len);
#endif /* __AUTHTOK_H__ */
--
2.4.3

32
0019-pam-handle-2FA-authentication-token-in-the-responder.patch
View File

@ -1,32 +0,0 @@
From 2860a08f325cd0d190f6ca02423b77ff8a4808f4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 8 Jan 2015 17:10:42 +0100
Subject: [PATCH 19/30] pam: handle 2FA authentication token in the responder
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit ea98a7af0584d7667b6c07c19a4b22942c94ca5d)
---
src/responder/pam/pamsrv_cmd.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 0b54402729e77f22391c6bd17fd8c937ddea3592..2ca5aa789ab98aea9005b891be1a36ea91ab40f4 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -143,6 +143,10 @@ static int extract_authtok_v2(struct sss_auth_token *tok,
auth_token_length);
}
break;
+ case SSS_AUTHTOK_TYPE_2FA:
+ ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA,
+ auth_token_data, auth_token_length);
+ break;
default:
return EINVAL;
}
--
2.4.3

112
0020-Add-pre-auth-request.patch
View File

@ -1,112 +0,0 @@
From 81f4c515c85e6cb389a26a8cb10d8b2b8f6ee470 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Mar 2015 17:24:50 +0100
Subject: [PATCH 20/30] Add pre-auth request
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit fb045f6e5a9a7f8936ad6f89c28862dcd035a4fe)
---
src/providers/data_provider_be.c | 1 +
src/providers/dp_pam_data_util.c | 2 ++
src/providers/ipa/ipa_auth.c | 1 +
src/providers/krb5/krb5_auth.c | 2 ++
src/responder/pam/pamsrv_cmd.c | 7 +++++++
src/sss_client/sss_cli.h | 4 ++++
6 files changed, 17 insertions(+)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 805f3ee81964ee7e7339627bb4d2a47c25218c73..1dbb63f61de07d81426832bb0304e1d5f15a4c98 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -1374,6 +1374,7 @@ static int be_pam_handler(struct sbus_request *dbus_req, void *user_data)
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
+ case SSS_PAM_PREAUTH:
target = BET_AUTH;
break;
case SSS_PAM_ACCT_MGMT:
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
index 313948b369cf605c91eb608b9a394d32a1e128d1..8724bf936f3f46fb8393c8a3da57215a73b4191a 100644
--- a/src/providers/dp_pam_data_util.c
+++ b/src/providers/dp_pam_data_util.c
@@ -43,6 +43,8 @@ static const char *pamcmd2str(int cmd) {
return "PAM_CHAUTHTOK";
case SSS_PAM_CHAUTHTOK_PRELIM:
return "PAM_CHAUTHTOK_PRELIM";
+ case SSS_PAM_PREAUTH:
+ return "SSS_PAM_PREAUTH";
default:
return "UNKNOWN";
}
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index f9a0706be7c7fee2b8431cabad82e3c559795db4..f8badbdd16bfc4761ea177fdf5179ff2d4158080 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -208,6 +208,7 @@ void ipa_auth(struct be_req *be_req)
switch (state->pd->cmd) {
case SSS_PAM_AUTHENTICATE:
+ case SSS_PAM_PREAUTH:
state->ipa_auth_ctx = talloc_get_type(
be_ctx->bet_info[BET_AUTH].pvt_bet_data,
struct ipa_auth_ctx);
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 9f136041e98b9df607676c5d79799193038130ee..c0cfaf7cfae5e4aa897bf4fd915fb294c6c24161 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -497,6 +497,8 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
goto done;
}
break;
+ case SSS_PAM_PREAUTH:
+ break;
default:
DEBUG(SSSDBG_CONF_SETTINGS, "Unexpected pam task %d.\n", pd->cmd);
state->pam_status = PAM_SYSTEM_ERR;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 2ca5aa789ab98aea9005b891be1a36ea91ab40f4..c7eb697f29b6de9f7edaaf7715a58d2b7afdc733 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1454,6 +1454,12 @@ static int pam_cmd_chauthtok_prelim(struct cli_ctx *cctx) {
return pam_forwarder(cctx, SSS_PAM_CHAUTHTOK_PRELIM);
}
+static int pam_cmd_preauth(struct cli_ctx *cctx)
+{
+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_preauth\n");
+ return pam_forwarder(cctx, SSS_PAM_PREAUTH);
+}
+
struct cli_protocol_version *register_cli_protocol_version(void)
{
static struct cli_protocol_version pam_cli_protocol_version[] = {
@@ -1477,6 +1483,7 @@ struct sss_cmd_table *get_pam_cmds(void)
{SSS_PAM_CLOSE_SESSION, pam_cmd_close_session},
{SSS_PAM_CHAUTHTOK, pam_cmd_chauthtok},
{SSS_PAM_CHAUTHTOK_PRELIM, pam_cmd_chauthtok_prelim},
+ {SSS_PAM_PREAUTH, pam_cmd_preauth},
{SSS_CLI_NULL, NULL}
};
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 9a19d7d47d0a9d7dabeac36dc2c866c3420ef501..2895659b9c3ed4ab520ca90846379c22fd9567f7 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -220,6 +220,10 @@ enum sss_cli_command {
SSS_CMD_RENEW = 0x00F8, /**< Renew a credential with a limited
* lifetime, e.g. a Kerberos Ticket
* Granting Ticket (TGT) */
+ SSS_PAM_PREAUTH = 0x00F9, /**< Request which can be run before
+ * an authentication request to find
+ * out which authentication methods
+ * are available for the given user. */
/* PAC responder calls */
SSS_PAC_ADD_PAC_USER = 0x0101,
--
2.4.3

427
0021-krb5-child-add-preauth-and-split-2fa-token-support.patch
View File

@ -1,427 +0,0 @@
From 308a445c9e9c5eacd184fa6958a9753592e5eec4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Mar 2015 17:26:53 +0100
Subject: [PATCH 21/30] krb5-child: add preauth and split 2fa token support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 4b1b2e60d0764fed289eada9a7afbfd1993cadcd)
---
src/providers/krb5/krb5_auth.c | 3 +-
src/providers/krb5/krb5_child.c | 265 +++++++++++++++++++++++++++++---
src/providers/krb5/krb5_child_handler.c | 4 +
src/sss_client/sss_cli.h | 6 +
4 files changed, 257 insertions(+), 21 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index c0cfaf7cfae5e4aa897bf4fd915fb294c6c24161..6b818440717a9cfaa22a8332fc65440d21d79d00 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -450,7 +450,8 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK:
- if (authtok_type != SSS_AUTHTOK_TYPE_PASSWORD) {
+ if (authtok_type != SSS_AUTHTOK_TYPE_PASSWORD
+ && authtok_type != SSS_AUTHTOK_TYPE_2FA) {
/* handle empty password gracefully */
if (authtok_type == SSS_AUTHTOK_TYPE_EMPTY) {
DEBUG(SSSDBG_CRIT_FAILURE,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 0fcec981633989593d7155a57811d02a997db251..4b976ddb86b7a1cf6fdc14f99d0b5f4b321814c0 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -54,6 +54,9 @@ struct krb5_req {
char* name;
krb5_creds *creds;
bool otp;
+ char *otp_vendor;
+ char *otp_token_id;
+ char *otp_challenge;
krb5_get_init_creds_opt *options;
struct pam_data *pd;
@@ -268,7 +271,87 @@ static int token_pin_destructor(char *mem)
return 0;
}
-static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
+static krb5_error_code tokeninfo_matches_2fa(TALLOC_CTX *mem_ctx,
+ const krb5_responder_otp_tokeninfo *ti,
+ const char *fa1, size_t fa1_len,
+ const char *fa2, size_t fa2_len,
+ char **out_token, char **out_pin)
+{
+ char *token = NULL, *pin = NULL;
+ checker check = NULL;
+ int i;
+
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_NEXTOTP) {
+ return ENOTSUP;
+ }
+
+ if (ti->challenge != NULL) {
+ return ENOTSUP;
+ }
+
+ /* This is a non-sensical value. */
+ if (ti->length == 0) {
+ return EPROTO;
+ }
+
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {
+ if (ti->length > 0 && ti->length != fa2_len) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Expected [%d] and given [%zu] token size "
+ "do not match.\n", ti->length, fa2_len);
+ return EMSGSIZE;
+ }
+
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN) {
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN) {
+
+ pin = talloc_strndup(mem_ctx, fa1, fa1_len);
+ if (pin == NULL) {
+ talloc_free(token);
+ return ENOMEM;
+ }
+ talloc_set_destructor(pin, token_pin_destructor);
+
+ token = talloc_strndup(mem_ctx, fa2, fa2_len);
+ if (token == NULL) {
+ return ENOMEM;
+ }
+ talloc_set_destructor(token, token_pin_destructor);
+
+ check = pick_checker(ti->format);
+ }
+ } else {
+ token = talloc_asprintf(mem_ctx, "%s%s", fa1, fa2);
+ if (token == NULL) {
+ return ENOMEM;
+ }
+ talloc_set_destructor(token, token_pin_destructor);
+
+ check = pick_checker(ti->format);
+ }
+ } else {
+ /* Assuming PIN only required */
+ pin = talloc_strndup(mem_ctx, fa1, fa1_len);
+ if (pin == NULL) {
+ return ENOMEM;
+ }
+ talloc_set_destructor(pin, token_pin_destructor);
+ }
+
+ /* If check is set, we need to verify the contents of the token. */
+ for (i = 0; check != NULL && token[i] != '\0'; i++) {
+ if (!check(token[i])) {
+ talloc_free(token);
+ talloc_free(pin);
+ return EBADMSG;
+ }
+ }
+
+ *out_token = token;
+ *out_pin = pin;
+ return 0;
+}
+static krb5_error_code tokeninfo_matches_pwd(TALLOC_CTX *mem_ctx,
const krb5_responder_otp_tokeninfo *ti,
const char *pwd, size_t len,
char **out_token, char **out_pin)
@@ -364,15 +447,52 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
return 0;
}
+static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
+ const krb5_responder_otp_tokeninfo *ti,
+ struct sss_auth_token *auth_tok,
+ char **out_token, char **out_pin)
+{
+ int ret;
+ const char *pwd;
+ size_t len;
+ const char *fa2;
+ size_t fa2_len;
+
+ switch (sss_authtok_get_type(auth_tok)) {
+ case SSS_AUTHTOK_TYPE_PASSWORD:
+ ret = sss_authtok_get_password(auth_tok, &pwd, &len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_password failed.\n");
+ return ret;
+ }
+
+ return tokeninfo_matches_pwd(mem_ctx, ti, pwd, len, out_token, out_pin);
+ break;
+ case SSS_AUTHTOK_TYPE_2FA:
+ ret = sss_authtok_get_2fa(auth_tok, &pwd, &len, &fa2, &fa2_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_2fa failed.\n");
+ return ret;
+ }
+
+ return tokeninfo_matches_2fa(mem_ctx, ti, pwd, len, fa2, fa2_len,
+ out_token, out_pin);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported authtok type.\n");
+ }
+
+ return EINVAL;
+}
+
static krb5_error_code answer_otp(krb5_context ctx,
struct krb5_req *kr,
krb5_responder_context rctx)
{
krb5_responder_otp_challenge *chl;
char *token = NULL, *pin = NULL;
- const char *pwd = NULL;
krb5_error_code ret;
- size_t i, len;
+ size_t i;
ret = krb5_responder_otp_get_challenge(ctx, rctx, &chl);
if (ret != EOK || chl == NULL) {
@@ -388,14 +508,37 @@ static krb5_error_code answer_otp(krb5_context ctx,
kr->otp = true;
- /* Validate our assumptions about the contents of authtok. */
- ret = sss_authtok_get_password(kr->pd->authtok, &pwd, &len);
- if (ret != EOK)
- goto done;
+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
+ for (i = 0; chl->tokeninfo[i] != NULL; i++) {
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Vendor [%s].\n",
+ i, chl->tokeninfo[i]->vendor);
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Token-ID [%s].\n",
+ i, chl->tokeninfo[i]->token_id);
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Challenge [%s].\n",
+ i, chl->tokeninfo[i]->challenge);
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Flags [%d].\n",
+ i, chl->tokeninfo[i]->flags);
+ }
+
+ if (chl->tokeninfo[0]->vendor != NULL) {
+ kr->otp_vendor = talloc_strdup(kr, chl->tokeninfo[0]->vendor);
+ }
+ if (chl->tokeninfo[0]->token_id != NULL) {
+ kr->otp_token_id = talloc_strdup(kr, chl->tokeninfo[0]->token_id);
+ }
+ if (chl->tokeninfo[0]->challenge != NULL) {
+ kr->otp_challenge = talloc_strdup(kr, chl->tokeninfo[0]->challenge);
+ }
+ /* Allocation errors are ignored on purpose */
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Exit answer_otp during pre-auth.\n");
+ return EAGAIN;
+ }
/* Find the first supported tokeninfo which matches our authtoken. */
for (i = 0; chl->tokeninfo[i] != NULL; i++) {
- ret = tokeninfo_matches(kr, chl->tokeninfo[i], pwd, len, &token, &pin);
+ ret = tokeninfo_matches(kr, chl->tokeninfo[i], kr->pd->authtok,
+ &token, &pin);
if (ret == EOK) {
break;
}
@@ -683,6 +826,58 @@ static errno_t pack_response_packet(TALLOC_CTX *mem_ctx, errno_t error,
return EOK;
}
+static errno_t k5c_attach_otp_info_msg(struct krb5_req *kr)
+{
+ uint8_t *msg = NULL;
+ size_t msg_len;
+ int ret;
+ size_t vendor_len = 0;
+ size_t token_id_len = 0;
+ size_t challenge_len = 0;
+ size_t idx = 0;
+
+ msg_len = 3;
+ if (kr->otp_vendor != NULL) {
+ vendor_len = strlen(kr->otp_vendor);
+ msg_len += vendor_len;
+ }
+
+ if (kr->otp_token_id != NULL) {
+ token_id_len = strlen(kr->otp_token_id);
+ msg_len += token_id_len;
+ }
+
+ if (kr->otp_challenge != NULL) {
+ challenge_len = strlen(kr->otp_challenge);
+ msg_len += challenge_len;
+ }
+
+ msg = talloc_zero_size(kr, msg_len);
+ if (msg == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
+ return ENOMEM;
+ }
+
+ if (kr->otp_vendor != NULL) {
+ memcpy(msg, kr->otp_vendor, vendor_len);
+ }
+ idx += vendor_len +1;
+
+ if (kr->otp_token_id != NULL) {
+ memcpy(msg + idx, kr->otp_token_id, token_id_len);
+ }
+ idx += token_id_len +1;
+
+ if (kr->otp_challenge != NULL) {
+ memcpy(msg + idx, kr->otp_challenge, challenge_len);
+ }
+
+ ret = pam_add_response(kr->pd, SSS_PAM_OTP_INFO, msg_len, msg);
+ talloc_zfree(msg);
+
+ return ret;
+}
+
static errno_t k5c_attach_ccname_msg(struct krb5_req *kr)
{
char *msg = NULL;
@@ -996,9 +1191,18 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
discard_const(password),
sss_krb5_prompter, kr, 0,
NULL, kr->options);
- if (kerr != 0) {
- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
- return kerr;
+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
+ /* Any errors are ignored during pre-auth, only data is collected to
+ * be send back to the client.*/
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "krb5_get_init_creds_password returned [%d} during pre-auth.\n",
+ kerr);
+ return 0;
+ } else {
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
}
if (kr->validate) {
@@ -1300,8 +1504,11 @@ static errno_t tgt_req_child(struct krb5_req *kr)
DEBUG(SSSDBG_TRACE_LIBS, "Attempting to get a TGT\n");
- ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
- switch (ret) {
+ /* No password is needed for pre-auth, or if we have 2FA */
+ if (kr->pd->cmd != SSS_PAM_PREAUTH
+ && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
+ ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
+ switch (ret) {
case EOK:
break;
@@ -1314,13 +1521,21 @@ static errno_t tgt_req_child(struct krb5_req *kr)
DEBUG(SSSDBG_OP_FAILURE, "No credentials available\n");
return ERR_NO_CREDS;
break;
+ }
}
kerr = get_and_save_tgt(kr, password);
if (kerr != KRB5KDC_ERR_KEY_EXP) {
- if (kerr == 0) {
- kerr = k5c_attach_ccname_msg(kr);
+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
+ /* add OTP tokeninfo messge if available */
+ if (kr->otp) {
+ kerr = k5c_attach_otp_info_msg(kr);
+ }
+ } else {
+ if (kerr == 0) {
+ kerr = k5c_attach_ccname_msg(kr);
+ }
}
ret = map_krb5_error(kerr);
goto done;
@@ -1523,6 +1738,10 @@ static errno_t unpack_authtok(struct sss_auth_token *tok,
case SSS_AUTHTOK_TYPE_CCFILE:
ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
break;
+ case SSS_AUTHTOK_TYPE_2FA:
+ ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, (buf + *p),
+ auth_token_length);
+ break;
default:
return EINVAL;
}
@@ -2285,11 +2504,13 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
}
/* For ccache types FILE: and DIR: we might need to create some directory
- * components as root */
- ret = k5c_ccache_setup(kr, offline);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "k5c_ccache_setup failed.\n");
- return ret;
+ * components as root. Cache files are not needed during preauth. */
+ if (kr->pd->cmd != SSS_PAM_PREAUTH) {
+ ret = k5c_ccache_setup(kr, offline);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "k5c_ccache_setup failed.\n");
+ return ret;
+ }
}
if (!(offline ||
@@ -2464,6 +2685,10 @@ int main(int argc, const char *argv[])
DEBUG(SSSDBG_TRACE_FUNC, "Will perform ticket renewal\n");
ret = renew_tgt_child(kr);
break;
+ case SSS_PAM_PREAUTH:
+ DEBUG(SSSDBG_TRACE_FUNC, "Will perform pre-auth\n");
+ ret = tgt_req_child(kr);
+ break;
default:
DEBUG(SSSDBG_CRIT_FAILURE,
"PAM command [%d] not supported.\n", kr->pd->cmd);
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 633cd917737d3f39526b049cc3d930b67f8b5c66..1f839ab5ebf93271556371b2f172f6c524da6270 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -77,6 +77,10 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t *rp,
ret = sss_authtok_get_ccfile(tok, &data, &len);
auth_token_length = len + 1;
break;
+ case SSS_AUTHTOK_TYPE_2FA:
+ data = (char *) sss_authtok_get_data(tok);
+ auth_token_length = sss_authtok_get_size(tok);
+ break;
default:
ret = EINVAL;
}
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 2895659b9c3ed4ab520ca90846379c22fd9567f7..1d7e8549cd548b00eeedba95080f346439afc3dd 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -402,6 +402,12 @@ enum response_type {
* the user.This should only be used in the case where
* it is not possile to use SSS_PAM_USER_INFO.
* @param A zero terminated string. */
+ SSS_PAM_OTP_INFO, /**< A message which optionally may contain the name
+ * of the vendor, the ID of an OTP token and a
+ * challenge.
+ * @param Three zero terminated strings, if one of the
+ * strings is missing the message will contain only
+ * an empty string (\0) for that component. */
SSS_OTP, /**< Indicates that the autotok was a OTP, so don't
* cache it. There is no message.
* @param None. */
--
2.4.3

115
0022-IPA-create-preauth-indicator-file-at-startup.patch
View File

@ -1,115 +0,0 @@
From badabcb4536794f376fbbefec21fd821654481c5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Mar 2015 11:19:46 +0100
Subject: [PATCH 22/30] IPA: create preauth indicator file at startup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit deb28a893c76f7c94b6cc8e596742665e23d97d5)
---
src/providers/ipa/ipa_init.c | 66 ++++++++++++++++++++++++++++++++++++++++++++
src/sss_client/sss_cli.h | 2 ++
2 files changed, 68 insertions(+)
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index 4b26e8baad4d0592729aec9a0b188ae89973fa98..15ec2339d95754db2e54f383bf8e423e780e9838 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -371,6 +371,62 @@ done:
return ret;
}
+void cleanup_ipa_preauth_indicator(void)
+{
+ int ret;
+
+ ret = unlink(PAM_PREAUTH_INDICATOR);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to remove preauth indicator file [%s].\n",
+ PAM_PREAUTH_INDICATOR);
+ }
+}
+
+static errno_t create_ipa_preauth_indicator(void)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ int fd;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ fd = open(PAM_PREAUTH_INDICATOR, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW,
+ 0644);
+ if (fd < 0) {
+ if (errno != EEXIST) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to create preauth indicator file [%s].\n",
+ PAM_PREAUTH_INDICATOR);
+ ret = EOK;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Preauth indicator file [%s] already exists. "
+ "Maybe it is left after an unplanned exit. Continuing.\n",
+ PAM_PREAUTH_INDICATOR);
+ } else {
+ close(fd);
+ }
+
+ ret = atexit(cleanup_ipa_preauth_indicator);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "atexit failed. Continuing.\n");
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
int sssm_ipa_auth_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_data)
@@ -469,6 +525,16 @@ int sssm_ipa_auth_init(struct be_ctx *bectx,
goto done;
}
+ ret = create_ipa_preauth_indicator();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to create preauth indicator file, special password "
+ "prompting might not be available.\n");
+ sss_log(SSSDBG_CRIT_FAILURE,
+ "Failed to create preauth indicator file, special password "
+ "prompting might not be available.\n");
+ }
+
*ops = &ipa_auth_ops;
*pvt_data = ipa_auth_ctx;
ret = EOK;
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 1d7e8549cd548b00eeedba95080f346439afc3dd..317700ef8cfcbb1b58e2a7d1ffcc7f00658fe815 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -317,6 +317,8 @@ enum sss_authtok_type {
#define SSS_START_OF_PAM_REQUEST 0x4d415049
#define SSS_END_OF_PAM_REQUEST 0x4950414d
+#define PAM_PREAUTH_INDICATOR PUBCONF_PATH"/pam_preauth_available"
+
enum pam_item_type {
SSS_PAM_ITEM_EMPTY = 0x0000,
SSS_PAM_ITEM_USER,
--
2.4.3

373
0023-pam_sss-add-pre-auth-and-2fa-support.patch
View File

@ -1,373 +0,0 @@
From ced64f67b32fdb513f29931f6dcc5ca482df1447 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 12 Feb 2015 23:08:12 +0100
Subject: [PATCH 23/30] pam_sss: add pre-auth and 2fa support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit e5698314b87e147c0223d0d8bcac206733dfae8c)
---
Makefile.am | 1 +
src/sss_client/pam_sss.c | 235 ++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 234 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index d3fea94b206a538b86a0fb119ed186947fa8d8e6..793a2a67be11232aefa67e57b986f6304b8a68b3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2361,6 +2361,7 @@ pam_sss_la_SOURCES = \
src/sss_client/common.c \
src/sss_client/sss_cli.h \
src/util/atomic_io.c \
+ src/util/authtok-utils.c \
src/sss_client/sss_pam_macros.h \
src/sss_client/sss_pam_compat.h
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 4007d125e34932dfb5ac6bc840f4d25306e3008f..f11871a47d1b29f44c179e57a33d8f41be79078d 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -51,6 +51,7 @@
#define FLAGS_USE_AUTHTOK (1 << 2)
#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
+#define FLAGS_USE_2FA (1 << 5)
#define PWEXP_FLAG "pam_sss:password_expired_flag"
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
@@ -88,6 +89,10 @@ struct pam_items {
char *domain_name;
const char *requested_domains;
size_t requested_domains_size;
+ char *otp_vendor;
+ char *otp_token_id;
+ char *otp_challenge;
+ char *first_factor;
};
#define DEBUG_MGS_LEN 1024
@@ -224,6 +229,12 @@ static void overwrite_and_free_authtoks(struct pam_items *pi)
pi->pam_newauthtok = NULL;
}
+ if (pi->first_factor != NULL) {
+ _pam_overwrite_n((void *)pi->first_factor, strlen(pi->first_factor));
+ free((void *)pi->first_factor);
+ pi->first_factor = NULL;
+ }
+
pi->pamstack_authtok = NULL;
pi->pamstack_oldauthtok = NULL;
}
@@ -234,6 +245,15 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
free(pi->domain_name);
pi->domain_name = NULL;
+
+ free(pi->otp_vendor);
+ pi->otp_vendor = NULL;
+
+ free(pi->otp_token_id);
+ pi->otp_token_id = NULL;
+
+ free(pi->otp_challenge);
+ pi->otp_challenge = NULL;
}
static int pack_message_v3(struct pam_items *pi, size_t *size,
@@ -969,6 +989,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
int32_t type;
int32_t len;
int32_t pam_status;
+ size_t offset;
if (buflen < (2*sizeof(int32_t))) {
D(("response buffer is too small"));
@@ -1075,6 +1096,45 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
pam_strerror(pamh,ret)));
}
break;
+ case SSS_PAM_OTP_INFO:
+ if (buf[p + (len - 1)] != '\0') {
+ D(("system info does not end with \\0."));
+ break;
+ }
+
+ pi->otp_vendor = strdup((char *) &buf[p]);
+ if (pi->otp_vendor == NULL) {
+ D(("strdup failed"));
+ break;
+ }
+
+ offset = strlen(pi->otp_vendor) + 1;
+ if (offset >= len) {
+ D(("OTP message size mismatch"));
+ free(pi->otp_vendor);
+ pi->otp_vendor = NULL;
+ break;
+ }
+ pi->otp_token_id = strdup((char *) &buf[p + offset]);
+ if (pi->otp_token_id == NULL) {
+ D(("strdup failed"));
+ break;
+ }
+
+ offset += strlen(pi->otp_token_id) + 1;
+ if (offset >= len) {
+ D(("OTP message size mismatch"));
+ free(pi->otp_token_id);
+ pi->otp_token_id = NULL;
+ break;
+ }
+ pi->otp_challenge = strdup((char *) &buf[p + offset]);
+ if (pi->otp_challenge == NULL) {
+ D(("strdup failed"));
+ break;
+ }
+
+ break;
default:
D(("Unknown response type [%d]", type));
}
@@ -1096,6 +1156,7 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi)
pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY;
pi->pam_newauthtok = NULL;
pi->pam_newauthtok_size = 0;
+ pi->first_factor = NULL;
ret = pam_get_item(pamh, PAM_SERVICE, (const void **) &(pi->pam_service));
if (ret != PAM_SUCCESS) return ret;
@@ -1150,6 +1211,10 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi)
if (pi->requested_domains == NULL) pi->requested_domains = "";
pi->requested_domains_size = strlen(pi->requested_domains) + 1;
+ pi->otp_vendor = NULL;
+ pi->otp_token_id = NULL;
+ pi->otp_challenge = NULL;
+
return PAM_SUCCESS;
}
@@ -1281,6 +1346,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
case SSS_PAM_OPEN_SESSION:
case SSS_PAM_SETCRED:
case SSS_PAM_CLOSE_SESSION:
+ case SSS_PAM_PREAUTH:
break;
default:
D(("Illegal task [%d]", task));
@@ -1328,6 +1394,133 @@ static int prompt_password(pam_handle_t *pamh, struct pam_items *pi,
return PAM_SUCCESS;
}
+static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
+ const char *prompt_fa1, const char *prompt_fa2)
+{
+ int ret;
+ const struct pam_conv *conv;
+ const struct pam_message *mesg[2] = { NULL, NULL };
+ struct pam_message *m1;
+ struct pam_message *m2;
+ struct pam_response *resp = NULL;
+ size_t needed_size;
+
+ ret = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
+ if (ret != PAM_SUCCESS) {
+ return ret;
+ }
+
+ m1 = malloc(sizeof(struct pam_message));
+ if (m1 == NULL) {
+ D(("Malloc failed."));
+ return PAM_SYSTEM_ERR;
+ }
+
+ m2 = malloc(sizeof(struct pam_message));
+ if (m2 == NULL) {
+ D(("Malloc failed."));
+ free(m1);
+ return PAM_SYSTEM_ERR;
+ }
+ m1->msg_style = PAM_PROMPT_ECHO_OFF;
+ m1->msg = prompt_fa1;
+ m2->msg_style = PAM_PROMPT_ECHO_OFF;
+ m2->msg = prompt_fa2;
+
+ mesg[0] = (const struct pam_message *) m1;
+ mesg[1] = (const struct pam_message *) m2;
+
+ ret = conv->conv(2, mesg, &resp, conv->appdata_ptr);
+ free(m1);
+ free(m2);
+ if (ret != PAM_SUCCESS) {
+ D(("Conversation failure: %s.", pam_strerror(pamh, ret)));
+ return ret;
+ }
+
+ if (resp == NULL) {
+ D(("response expected, but resp==NULL"));
+ return PAM_SYSTEM_ERR;
+ }
+
+ if (resp[0].resp == NULL || *(resp[0].resp) == '\0') {
+ D(("Missing factor."));
+ ret = PAM_CRED_INSUFFICIENT;
+ goto done;
+ }
+
+ if (resp[1].resp == NULL || *(resp[1].resp) == '\0'
+ || (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0
+ && strcmp(resp[0].resp, resp[1].resp) == 0)) {
+ /* Missing second factor, assume first factor contains combined 2FA
+ * credentials.
+ * Special handling for SSH with password authentication. Combined
+ * 2FA credentials are used but SSH puts them in both responses. */
+
+ pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
+ if (pi->pam_authtok == NULL) {
+ D(("strndup failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+ pi->pam_authtok_size = strlen(pi->pam_authtok) + 1;
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ } else {
+
+ ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0, NULL, 0,
+ &needed_size);
+ if (ret != EAGAIN) {
+ D(("sss_auth_pack_2fa_blob failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ pi->pam_authtok = malloc(needed_size);
+ if (pi->pam_authtok == NULL) {
+ D(("malloc failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0,
+ (uint8_t *) pi->pam_authtok, needed_size,
+ &needed_size);
+ if (ret != EOK) {
+ D(("sss_auth_pack_2fa_blob failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ pi->pam_authtok_size = needed_size;
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_2FA;
+ pi->first_factor = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
+ if (pi->first_factor == NULL) {
+ D(("strndup failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+ }
+
+ ret = PAM_SUCCESS;
+
+done:
+ if (resp != NULL) {
+ if (resp[0].resp != NULL) {
+ _pam_overwrite((void *)resp[0].resp);
+ free(resp[0].resp);
+ }
+ if (resp[1].resp != NULL) {
+ _pam_overwrite((void *)resp[1].resp);
+ free(resp[1].resp);
+ }
+
+ free(resp);
+ resp = NULL;
+ }
+
+ return ret;
+}
+
static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi)
{
int ret;
@@ -1411,6 +1604,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
*flags |= FLAGS_IGNORE_UNKNOWN_USER;
} else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
*flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
+ } else if (strcmp(*argv, "use_2fa") == 0) {
+ *flags |= FLAGS_USE_2FA;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -1434,14 +1629,28 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
}
pi->pam_authtok_size = strlen(pi->pam_authtok);
} else {
- ret = prompt_password(pamh, pi, _("Password: "));
+ if (flags & FLAGS_USE_2FA
+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
+ && pi->otp_challenge != NULL)) {
+ ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ _("Second Factor: "));
+ } else {
+ ret = prompt_password(pamh, pi, _("Password: "));
+ }
if (ret != PAM_SUCCESS) {
D(("failed to get password from user"));
return ret;
}
if (flags & FLAGS_FORWARD_PASS) {
- ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
+ if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
+ ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
+ } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
+ && pi->first_factor != NULL) {
+ ret = pam_set_item(pamh, PAM_AUTHTOK, pi->first_factor);
+ } else {
+ ret = EINVAL;
+ }
if (ret != PAM_SUCCESS) {
D(("Failed to set PAM_AUTHTOK [%s], "
"authtok may not be available for other modules",
@@ -1576,6 +1785,27 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
switch(task) {
case SSS_PAM_AUTHENTICATE:
+ /*
+ * Only do preauth if
+ * - FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack
+ * - preauth indicator file exists.
+ */
+ if ( !(flags & FLAGS_USE_FIRST_PASS) && pi.pam_authtok == NULL
+ && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
+ pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
+ quiet_mode);
+ if (pam_status != PAM_SUCCESS) {
+ D(("send_and_receive returned [%d] during pre-auth",
+ pam_status));
+ /*
+ * Since we are only interested in the result message
+ * and will always use password authentication
+ * as a fallback, errors can be ignored here.
+ */
+ }
+ }
+
ret = get_authtok_for_authentication(pamh, &pi, flags);
if (ret != PAM_SUCCESS) {
D(("failed to get authentication token: %s",
@@ -1588,6 +1818,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
if (ret != PAM_SUCCESS) {
D(("failed to get tokens for password change: %s",
pam_strerror(pamh, ret)));
+ overwrite_and_free_pam_items(&pi);
return ret;
}
if (pam_flags & PAM_PRELIM_CHECK) {
--
2.4.3

145
0024-Add-cache_credentials_minimal_first_factor_length-co.patch
View File

@ -1,145 +0,0 @@
From edf37611b0eacb47b4d72bac97b9281231b4476f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Mar 2015 13:00:14 +0100
Subject: [PATCH 24/30] Add cache_credentials_minimal_first_factor_length
config option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 932c3e22e3c59a9c33f30dcc09e6bef257e14320)
---
src/confdb/confdb.c | 11 +++++++++++
src/confdb/confdb.h | 4 ++++
src/config/SSSDConfigTest.py | 2 ++
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 22 ++++++++++++++++++++++
src/util/domain_info_utils.c | 2 ++
6 files changed, 42 insertions(+)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 9ce7b13114e1336a4b8ffb8fdfa13c49d2c0c006..2ebf6c15e060ad5899a60629aa6b28021d0f408d 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -956,6 +956,17 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
+ ret = get_entry_as_uint32(res->msgs[0],
+ &domain->cache_credentials_min_ff_length,
+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH,
+ CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n",
+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH);
+ goto done;
+ }
+
ret = get_entry_as_bool(res->msgs[0], &domain->legacy_passwords,
CONFDB_DOMAIN_LEGACY_PASS, 0);
if(ret != EOK) {
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index e97c46b34e34a02f80903c204e3a1744b0a5977e..93fbce5e5e46e4a7517d971f2ab886ded65a68f3 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -162,6 +162,9 @@
#define CONFDB_DOMAIN_MINID "min_id"
#define CONFDB_DOMAIN_MAXID "max_id"
#define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials"
+#define CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH \
+ "cache_credentials_minimal_first_factor_length"
+#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
#define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
#define CONFDB_DOMAIN_MPG "magic_private_groups"
#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
@@ -222,6 +225,7 @@ struct sss_domain_info {
uint32_t id_max;
bool cache_credentials;
+ uint32_t cache_credentials_min_ff_length;
bool legacy_passwords;
bool case_sensitive;
bool case_preserve;
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index aed76e5a0dd695b1969f3946f245a80062627e24..2a5dc8d561ab88d888a0a33f091bac55be1d701f 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -494,6 +494,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'command',
'enumerate',
'cache_credentials',
+ 'cache_credentials_minimal_first_factor_length',
'store_legacy_passwords',
'use_fully_qualified_names',
'ignore_group_members',
@@ -856,6 +857,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'command',
'enumerate',
'cache_credentials',
+ 'cache_credentials_minimal_first_factor_length',
'store_legacy_passwords',
'use_fully_qualified_names',
'ignore_group_members',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 59d755c2668235d046781227568d7f9e805a45d0..7ad84cd826a648ca61d9d2ede70e7886049d469a 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -110,6 +110,7 @@ subdomain_enumerate = str, None, false
force_timeout = int, None, false
offline_timeout = int, None, false
cache_credentials = bool, None, false
+cache_credentials_minimal_first_factor_length = int, None, false
store_legacy_passwords = bool, None, false
use_fully_qualified_names = bool, None, false
ignore_group_members = bool, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 4961d5b956f6d1736dc1e9967bd0115f4993ec77..fd05e3af20426121e2d6ec5943c9b70786a5db5f 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1420,6 +1420,28 @@ pam_account_expired_message = Account expired, please call help desk.
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>cache_credentials_minimal_first_factor_length (int)</term>
+ <listitem>
+ <para>
+ If 2-Factor-Authentication (2FA) is used and
+ credentials should be saved this value determines
+ the minimal lenght the first authentication factor
+ (long term password) must have to be saved as SHA512
+ hash into the cache.
+ </para>
+ <para>
+ This should avoid that the short PINs of a PIN based
+ 2FA scheme are saved in the cache which would make
+ them easy targets for brute-force attacks.
+ </para>
+ <para>
+ Default: 8
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>account_cache_expiration (integer)</term>
<listitem>
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index e2dec04354e62bc8d135567fdbac88ea5da8cc00..1e2a473a7571a37bff5f10d66f917ed1f176f172 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -297,6 +297,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->id_max = parent->id_max ? parent->id_max : 0xffffffff;
dom->pwd_expiration_warning = parent->pwd_expiration_warning;
dom->cache_credentials = parent->cache_credentials;
+ dom->cache_credentials_min_ff_length =
+ parent->cache_credentials_min_ff_length;
dom->case_sensitive = false;
dom->user_timeout = parent->user_timeout;
dom->group_timeout = parent->group_timeout;
--
2.4.3

174
0025-sysdb-add-sysdb_cache_password_ex.patch
View File

@ -1,174 +0,0 @@
From fd92f2270544489149c4dae2aed513e506813c04 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Mar 2015 15:35:01 +0100
Subject: [PATCH 25/30] sysdb: add sysdb_cache_password_ex()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 55b7fdd837a780ab0f71cbfaa2403f4626993922)
---
src/db/sysdb.h | 9 +++++++++
src/db/sysdb_ops.c | 25 ++++++++++++++++++++---
src/tests/sysdb-tests.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 84 insertions(+), 3 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index a1b6f207399555c85c14c8decf89edc498deb871..63d6d3cdc0baf49dff86a1aa62f61a4eacee7465 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -24,6 +24,7 @@
#include "util/util.h"
#include "confdb/confdb.h"
+#include "sss_client/sss_cli.h"
#include <tevent.h>
#define CACHE_SYSDB_FILE "cache_%s.ldb"
@@ -105,6 +106,8 @@
#define SYSDB_SERVERHOSTNAME "serverHostname"
#define SYSDB_CACHEDPWD "cachedPassword"
+#define SYSDB_CACHEDPWD_TYPE "cachedPasswordType"
+#define SYSDB_CACHEDPWD_FA2_LEN "cachedPasswordSecondFactorLen"
#define SYSDB_UUID "uniqueID"
#define SYSDB_SID "objectSID"
@@ -888,6 +891,12 @@ int sysdb_cache_password(struct sss_domain_info *domain,
const char *username,
const char *password);
+int sysdb_cache_password_ex(struct sss_domain_info *domain,
+ const char *username,
+ const char *password,
+ enum sss_authtok_type authtok_type,
+ size_t second_factor_size);
+
errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
struct ldb_message *ldb_msg,
uint32_t *failed_login_attempts,
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index ea786d59158eb8a82952c7e457ea83286abbf2c4..083d2778c97fe4d6149e4fc030885c482c511105 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2226,9 +2226,11 @@ int sysdb_remove_group_member(struct sss_domain_info *domain,
/* =Password-Caching====================================================== */
-int sysdb_cache_password(struct sss_domain_info *domain,
- const char *username,
- const char *password)
+int sysdb_cache_password_ex(struct sss_domain_info *domain,
+ const char *username,
+ const char *password,
+ enum sss_authtok_type authtok_type,
+ size_t second_factor_len)
{
TALLOC_CTX *tmp_ctx;
struct sysdb_attrs *attrs;
@@ -2261,6 +2263,15 @@ int sysdb_cache_password(struct sss_domain_info *domain,
ret = sysdb_attrs_add_string(attrs, SYSDB_CACHEDPWD, hash);
if (ret) goto fail;
+ ret = sysdb_attrs_add_long(attrs, SYSDB_CACHEDPWD_TYPE, authtok_type);
+ if (ret) goto fail;
+
+ if (authtok_type == SSS_AUTHTOK_TYPE_2FA && second_factor_len > 0) {
+ ret = sysdb_attrs_add_long(attrs, SYSDB_CACHEDPWD_FA2_LEN,
+ second_factor_len);
+ if (ret) goto fail;
+ }
+
/* FIXME: should we use a different attribute for chache passwords ?? */
ret = sysdb_attrs_add_long(attrs, "lastCachedPasswordChange",
(long)time(NULL));
@@ -2285,6 +2296,14 @@ fail:
return ret;
}
+int sysdb_cache_password(struct sss_domain_info *domain,
+ const char *username,
+ const char *password)
+{
+ return sysdb_cache_password_ex(domain, username, password,
+ SSS_AUTHTOK_TYPE_PASSWORD, 0);
+}
+
/* =Custom Search================== */
int sysdb_search_custom(TALLOC_CTX *mem_ctx,
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 450a9d1d693135c296f3433d905d1aba115548b8..3d5e97afbfaa5441281ef193d072122204db0514 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1808,6 +1808,57 @@ START_TEST (test_sysdb_cache_password)
}
END_TEST
+START_TEST (test_sysdb_cache_password_ex)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+ struct ldb_result *res;
+ const char *attrs[] = { SYSDB_CACHEDPWD_TYPE, SYSDB_CACHEDPWD_FA2_LEN,
+ NULL };
+ int val;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_unless(ret == EOK, "Could not set up the test");
+
+ data = talloc_zero(test_ctx, struct test_data);
+ data->ctx = test_ctx;
+ data->ev = test_ctx->ev;
+ data->username = talloc_asprintf(data, "testuser%d", _i);
+
+ ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username,
+ attrs, &res);
+ fail_unless(ret == EOK, "sysdb_get_user_attr request failed [%d].", ret);
+
+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_TYPE, 0);
+ fail_unless(val == SSS_AUTHTOK_TYPE_PASSWORD,
+ "Unexptected authtok type, found [%d], expected [%d].",
+ val, SSS_AUTHTOK_TYPE_PASSWORD);
+
+ ret = sysdb_cache_password_ex(test_ctx->domain, data->username,
+ data->username, SSS_AUTHTOK_TYPE_2FA, 12);
+
+ fail_unless(ret == EOK, "sysdb_cache_password request failed [%d].", ret);
+
+ ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username,
+ attrs, &res);
+ fail_unless(ret == EOK, "sysdb_get_user_attr request failed [%d].", ret);
+
+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_TYPE, 0);
+ fail_unless(val == SSS_AUTHTOK_TYPE_2FA,
+ "Unexptected authtok type, found [%d], expected [%d].",
+ val, SSS_AUTHTOK_TYPE_2FA);
+
+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_FA2_LEN, 0);
+ fail_unless(val == 12,
+ "Unexptected second factor lenght, found [%d], expected [%d].",
+ val, 12);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
static void cached_authentication_without_expiration(const char *username,
const char *password,
int expected_result)
@@ -6256,6 +6307,8 @@ Suite *create_sysdb_suite(void)
27010, 27011);
tcase_add_loop_test(tc_sysdb, test_sysdb_cached_authentication, 27010, 27011);
+ tcase_add_loop_test(tc_sysdb, test_sysdb_cache_password_ex, 27010, 27011);
+
/* ASQ search test */
tcase_add_loop_test(tc_sysdb, test_sysdb_prepare_asq_test_user, 28011, 28020);
tcase_add_test(tc_sysdb, test_sysdb_asq_search);
--
2.4.3

76
0026-krb5-save-hash-of-the-first-authentication-factor-to.patch
View File

@ -1,76 +0,0 @@
From c14a1642229f20fe8a1ff1da1e33b8ad6a46686d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Mar 2015 15:53:17 +0100
Subject: [PATCH 26/30] krb5: save hash of the first authentication factor to
the cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit c5ae04b2da970a3991f21173acae3e892198ce0c)
---
src/providers/krb5/krb5_auth.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 6b818440717a9cfaa22a8332fc65440d21d79d00..5a946de4dba5081ed3b082e54af84e73b567a22f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -321,6 +321,9 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
struct pam_data *pd)
{
const char *password = NULL;
+ const char *fa2;
+ size_t password_len;
+ size_t fa2_len = 0;
int ret = EOK;
switch(pd->cmd) {
@@ -332,7 +335,20 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
break;
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK_PRELIM:
- ret = sss_authtok_get_password(pd->authtok, &password, NULL);
+ if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_2FA) {
+ ret = sss_authtok_get_2fa(pd->authtok, &password, &password_len,
+ &fa2, &fa2_len);
+ if (ret == EOK && password_len <
+ domain->cache_credentials_min_ff_length) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "First factor is too short to be cache, "
+ "minimum length is [%u].\n",
+ domain->cache_credentials_min_ff_length);
+ ret = EINVAL;
+ }
+ } else {
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
+ }
break;
case SSS_PAM_CHAUTHTOK:
ret = sss_authtok_get_password(pd->newauthtok, &password, NULL);
@@ -358,7 +374,8 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
return;
}
- ret = sysdb_cache_password(domain, pd->user, password);
+ ret = sysdb_cache_password_ex(domain, pd->user, password,
+ sss_authtok_get_type(pd->authtok), fa2_len);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Failed to cache password, offline auth may not work."
@@ -1074,7 +1091,10 @@ static void krb5_auth_done(struct tevent_req *subreq)
goto done;
}
- if (state->be_ctx->domain->cache_credentials == TRUE && !res->otp) {
+ if (state->be_ctx->domain->cache_credentials == TRUE
+ && (!res->otp
+ || (res->otp && sss_authtok_get_type(pd->authtok) ==
+ SSS_AUTHTOK_TYPE_2FA))) {
krb5_auth_store_creds(state->domain, pd);
}
--
2.4.3

36
0027-krb5-try-delayed-online-authentication-only-for-sing.patch
View File

@ -1,36 +0,0 @@
From c1fce215b02fca5ed9df19bf66aaff3b52ed777b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 25 Mar 2015 12:04:57 +0100
Subject: [PATCH 27/30] krb5: try delayed online authentication only for single
factor auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 2d0e7658198d1aa6e3926bf967ff683660249114)
---
src/providers/krb5/krb5_auth.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 5a946de4dba5081ed3b082e54af84e73b567a22f..2cfb3a805ea1472cc725aca068edcc69b036daba 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -263,6 +263,13 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
const char *password = NULL;
errno_t ret;
+ if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Delayed authentication is only available for password "
+ "authentication (single factor).\n");
+ return;
+ }
+
ret = sss_authtok_get_password(pd->authtok, &password, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
--
2.4.3

173
0028-2FA-offline-auth.patch
View File

@ -1,173 +0,0 @@
From 33a78367bb6812daf2b00c956d83653362d671e2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 27 Mar 2015 15:20:13 +0100
Subject: [PATCH 28/30] 2FA offline auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 219f5b698fa72c0d5a8da2b0dd99daec3f924c94)
---
src/db/sysdb_ops.c | 77 ++++++++++++++++++++++++++++++++++++++++--
src/responder/pam/pamsrv_cmd.c | 35 +++++++++++++++++--
2 files changed, 107 insertions(+), 5 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 083d2778c97fe4d6149e4fc030885c482c511105..ed936e0fbe4451e9813402466d4850f0f586c1f5 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -3155,6 +3155,76 @@ done:
return ret;
}
+static errno_t check_for_combined_2fa_password(struct sss_domain_info *domain,
+ struct ldb_message *ldb_msg,
+ const char *password,
+ const char *userhash)
+{
+
+ unsigned int cached_authtok_type;
+ unsigned int cached_fa2_len;
+ char *short_pw;
+ char *comphash;
+ size_t pw_len;
+ TALLOC_CTX *tmp_ctx;
+ int ret;
+
+ cached_authtok_type = ldb_msg_find_attr_as_uint(ldb_msg,
+ SYSDB_CACHEDPWD_TYPE,
+ SSS_AUTHTOK_TYPE_EMPTY);
+ if (cached_authtok_type != SSS_AUTHTOK_TYPE_2FA) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Wrong authtok type.\n");
+ return EINVAL;
+ }
+
+ cached_fa2_len = ldb_msg_find_attr_as_uint(ldb_msg, SYSDB_CACHEDPWD_FA2_LEN,
+ 0);
+ if (cached_fa2_len == 0) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Second factor size not available.\n");
+ return EINVAL;
+ }
+
+ pw_len = strlen(password);
+ if (pw_len < cached_fa2_len + domain->cache_credentials_min_ff_length) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Password too short.\n");
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ short_pw = talloc_strndup(tmp_ctx, password, (pw_len - cached_fa2_len));
+ if (short_pw == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = s3crypt_sha512(tmp_ctx, short_pw, userhash, &comphash);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Failed to create password hash.\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ if (strcmp(userhash, comphash) != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Hash of shorten password does not match.\n");
+ ret = ERR_AUTH_FAILED;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
int sysdb_cache_auth(struct sss_domain_info *domain,
const char *name,
const char *password,
@@ -3168,7 +3238,8 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
SYSDB_LAST_LOGIN, SYSDB_LAST_ONLINE_AUTH,
"lastCachedPasswordChange",
"accountExpires", SYSDB_FAILED_LOGIN_ATTEMPTS,
- SYSDB_LAST_FAILED_LOGIN, NULL };
+ SYSDB_LAST_FAILED_LOGIN, SYSDB_CACHEDPWD_TYPE,
+ SYSDB_CACHEDPWD_FA2_LEN, NULL };
struct ldb_message *ldb_msg;
const char *userhash;
char *comphash;
@@ -3279,7 +3350,9 @@ int sysdb_cache_auth(struct sss_domain_info *domain,
goto done;
}
- if (strcmp(userhash, comphash) == 0) {
+ if (strcmp(userhash, comphash) == 0
+ || check_for_combined_2fa_password(domain, ldb_msg,
+ password, userhash) == EOK) {
/* TODO: probable good point for audit logging */
DEBUG(SSSDBG_CONF_SETTINGS, "Hashes do match!\n");
authentication_successful = true;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c7eb697f29b6de9f7edaaf7715a58d2b7afdc733..e8d2b65fe429bcb390f33ef994934f9b82b1a4b7 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -528,6 +528,34 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
pam_reply(preq);
}
+static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
+ const char **password)
+{
+ int ret;
+ size_t pw_len;
+ const char *fa2;
+ size_t fa2_len;
+
+ switch (sss_authtok_get_type(authtok)) {
+ case SSS_AUTHTOK_TYPE_PASSWORD:
+ ret = sss_authtok_get_password(authtok, password, NULL);
+ break;
+ case SSS_AUTHTOK_TYPE_2FA:
+ ret = sss_authtok_get_2fa(authtok, password, &pw_len, &fa2, &fa2_len);
+ break;
+ default:
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unsupported auth token type [%d].\n",
+ sss_authtok_get_type(authtok));
+ ret = EINVAL;
+ }
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get password.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
time_t expire_date, time_t delayed_until);
@@ -586,9 +614,10 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- ret = sss_authtok_get_password(pd->authtok, &password, NULL);
- if (ret) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get password.\n");
+ ret = get_password_for_cache_auth(pd->authtok, &password);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "get_password_and_type_for_cache_auth failed.\n");
goto done;
}
--
2.4.3

502
0029-pam_sss-move-message-encoding-into-separate-file.patch
View File

@ -1,502 +0,0 @@
From 7eb1f0611ad5df755a981dcc86e10b01439e3618 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 Mar 2015 16:02:47 +0100
Subject: [PATCH 29/30] pam_sss: move message encoding into separate file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit bf6c3f07d653d474da9e43b2b7cced57fc4ea069)
---
Makefile.am | 2 +
src/sss_client/pam_message.c | 178 +++++++++++++++++++++++++++++++++++++++++++
src/sss_client/pam_message.h | 61 +++++++++++++++
src/sss_client/pam_sss.c | 177 +-----------------------------------------
4 files changed, 242 insertions(+), 176 deletions(-)
create mode 100644 src/sss_client/pam_message.c
create mode 100644 src/sss_client/pam_message.h
diff --git a/Makefile.am b/Makefile.am
index 793a2a67be11232aefa67e57b986f6304b8a68b3..e8bd8b3237a9b533a3a102059ab9ca083714abe0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -614,6 +614,7 @@ dist_noinst_HEADERS = \
src/tests/cmocka/common_mock_resp.h \
src/tests/cmocka/common_mock_sdap.h \
src/tests/cmocka/common_mock_sysdb_objects.h \
+ src/sss_client/pam_message.h \
src/sss_client/ssh/sss_ssh_client.h \
src/sss_client/sudo/sss_sudo.h \
src/sss_client/libwbclient/libwbclient.h \
@@ -2358,6 +2359,7 @@ endif
pamlib_LTLIBRARIES = pam_sss.la
pam_sss_la_SOURCES = \
src/sss_client/pam_sss.c \
+ src/sss_client/pam_message.c \
src/sss_client/common.c \
src/sss_client/sss_cli.h \
src/util/atomic_io.c \
diff --git a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c
new file mode 100644
index 0000000000000000000000000000000000000000..b8104c680d0e733b713c665e6206dc4b0d379237
--- /dev/null
+++ b/src/sss_client/pam_message.c
@@ -0,0 +1,178 @@
+/*
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ PAM client - create message blob
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdlib.h>
+#include <security/pam_modules.h>
+
+#include "sss_pam_compat.h"
+#include "sss_pam_macros.h"
+
+#include "pam_message.h"
+
+#include "sss_cli.h"
+
+static size_t add_authtok_item(enum pam_item_type type,
+ enum sss_authtok_type authtok_type,
+ const char *tok, const size_t size,
+ uint8_t *buf)
+{
+ size_t rp = 0;
+ uint32_t c;
+
+ if (tok == NULL) return 0;
+
+ c = type;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
+ rp += sizeof(uint32_t);
+
+ c = size + sizeof(uint32_t);
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
+ rp += sizeof(uint32_t);
+
+ c = authtok_type;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
+ rp += sizeof(uint32_t);
+
+ memcpy(&buf[rp], tok, size);
+ rp += size;
+
+ return rp;
+}
+
+static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val,
+ uint8_t *buf)
+{
+ size_t rp = 0;
+ uint32_t c;
+
+ c = type;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
+ rp += sizeof(uint32_t);
+
+ c = sizeof(uint32_t);
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
+ rp += sizeof(uint32_t);
+
+ c = val;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
+ rp += sizeof(uint32_t);
+
+ return rp;
+}
+
+static size_t add_string_item(enum pam_item_type type, const char *str,
+ const size_t size, uint8_t *buf)
+{
+ size_t rp = 0;
+ uint32_t c;
+
+ if (str == NULL || *str == '\0') return 0;
+
+ c = type;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
+ rp += sizeof(uint32_t);
+
+ c = size;
+ memcpy(&buf[rp], &c, sizeof(uint32_t));
+ rp += sizeof(uint32_t);
+
+ memcpy(&buf[rp], str, size);
+ rp += size;
+
+ return rp;
+}
+
+int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
+{
+ int len;
+ uint8_t *buf;
+ size_t rp;
+
+ len = sizeof(uint32_t) +
+ 2*sizeof(uint32_t) + pi->pam_user_size +
+ sizeof(uint32_t);
+ len += *pi->pam_service != '\0' ?
+ 2*sizeof(uint32_t) + pi->pam_service_size : 0;
+ len += *pi->pam_tty != '\0' ?
+ 2*sizeof(uint32_t) + pi->pam_tty_size : 0;
+ len += *pi->pam_ruser != '\0' ?
+ 2*sizeof(uint32_t) + pi->pam_ruser_size : 0;
+ len += *pi->pam_rhost != '\0' ?
+ 2*sizeof(uint32_t) + pi->pam_rhost_size : 0;
+ len += pi->pam_authtok != NULL ?
+ 3*sizeof(uint32_t) + pi->pam_authtok_size : 0;
+ len += pi->pam_newauthtok != NULL ?
+ 3*sizeof(uint32_t) + pi->pam_newauthtok_size : 0;
+ len += 3*sizeof(uint32_t); /* cli_pid */
+ len += *pi->requested_domains != '\0' ?
+ 2*sizeof(uint32_t) + pi->requested_domains_size : 0;
+
+ buf = malloc(len);
+ if (buf == NULL) {
+ D(("malloc failed."));
+ return PAM_BUF_ERR;
+ }
+
+ rp = 0;
+ SAFEALIGN_SETMEM_UINT32(buf, SSS_START_OF_PAM_REQUEST, &rp);
+
+ rp += add_string_item(SSS_PAM_ITEM_USER, pi->pam_user, pi->pam_user_size,
+ &buf[rp]);
+
+ rp += add_string_item(SSS_PAM_ITEM_SERVICE, pi->pam_service,
+ pi->pam_service_size, &buf[rp]);
+
+ rp += add_string_item(SSS_PAM_ITEM_TTY, pi->pam_tty, pi->pam_tty_size,
+ &buf[rp]);
+
+ rp += add_string_item(SSS_PAM_ITEM_RUSER, pi->pam_ruser, pi->pam_ruser_size,
+ &buf[rp]);
+
+ rp += add_string_item(SSS_PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size,
+ &buf[rp]);
+
+ rp += add_string_item(SSS_PAM_ITEM_REQUESTED_DOMAINS, pi->requested_domains, pi->requested_domains_size,
+ &buf[rp]);
+
+ rp += add_uint32_t_item(SSS_PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid,
+ &buf[rp]);
+
+ rp += add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type,
+ pi->pam_authtok, pi->pam_authtok_size, &buf[rp]);
+
+ rp += add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type,
+ pi->pam_newauthtok, pi->pam_newauthtok_size,
+ &buf[rp]);
+
+ SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
+
+ if (rp != len) {
+ D(("error during packet creation."));
+ free(buf);
+ return PAM_BUF_ERR;
+ }
+
+ *size = len;
+ *buffer = buf;
+
+ return 0;
+}
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
new file mode 100644
index 0000000000000000000000000000000000000000..8ade6d871b840d4d0153bbf56e0d458861ab3816
--- /dev/null
+++ b/src/sss_client/pam_message.h
@@ -0,0 +1,61 @@
+/*
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2015 Red Hat
+
+ PAM client - create message blob
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _PAM_MESSAGE_H_
+#define _PAM_MESSAGE_H_
+
+#include <unistd.h>
+#include <stdint.h>
+
+struct pam_items {
+ const char *pam_service;
+ const char *pam_user;
+ const char *pam_tty;
+ const char *pam_ruser;
+ const char *pam_rhost;
+ char *pam_authtok;
+ char *pam_newauthtok;
+ const char *pamstack_authtok;
+ const char *pamstack_oldauthtok;
+ size_t pam_service_size;
+ size_t pam_user_size;
+ size_t pam_tty_size;
+ size_t pam_ruser_size;
+ size_t pam_rhost_size;
+ int pam_authtok_type;
+ size_t pam_authtok_size;
+ int pam_newauthtok_type;
+ size_t pam_newauthtok_size;
+ pid_t cli_pid;
+ const char *login_name;
+ char *domain_name;
+ const char *requested_domains;
+ size_t requested_domains_size;
+ char *otp_vendor;
+ char *otp_token_id;
+ char *otp_challenge;
+ char *first_factor;
+};
+
+int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer);
+
+#endif /* _PAM_MESSAGE_H_ */
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index f11871a47d1b29f44c179e57a33d8f41be79078d..e01c5031650d3837a23f8a7404d334a9d2f55441 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -40,6 +40,7 @@
#include "sss_pam_macros.h"
#include "sss_cli.h"
+#include "pam_message.h"
#include "util/atomic_io.h"
#include "util/authtok-utils.h"
@@ -65,36 +66,6 @@
#define EXP_ACC_MSG _("Permission denied. ")
#define SRV_MSG _("Server message: ")
-struct pam_items {
- const char* pam_service;
- const char* pam_user;
- const char* pam_tty;
- const char* pam_ruser;
- const char* pam_rhost;
- char* pam_authtok;
- char* pam_newauthtok;
- const char* pamstack_authtok;
- const char* pamstack_oldauthtok;
- size_t pam_service_size;
- size_t pam_user_size;
- size_t pam_tty_size;
- size_t pam_ruser_size;
- size_t pam_rhost_size;
- int pam_authtok_type;
- size_t pam_authtok_size;
- int pam_newauthtok_type;
- size_t pam_newauthtok_size;
- pid_t cli_pid;
- const char *login_name;
- char *domain_name;
- const char *requested_domains;
- size_t requested_domains_size;
- char *otp_vendor;
- char *otp_token_id;
- char *otp_challenge;
- char *first_factor;
-};
-
#define DEBUG_MGS_LEN 1024
#define MAX_AUTHTOK_SIZE (1024*1024)
#define CHECK_AND_RETURN_PI_STRING(s) ((s != NULL && *s != '\0')? s : "(not available)")
@@ -146,75 +117,6 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
sss_pam_close_fd();
}
-static size_t add_authtok_item(enum pam_item_type type,
- enum sss_authtok_type authtok_type,
- const char *tok, const size_t size,
- uint8_t *buf) {
- size_t rp=0;
- uint32_t c;
-
- if (tok == NULL) return 0;
-
- c = type;
- memcpy(&buf[rp], &c, sizeof(uint32_t));
- rp += sizeof(uint32_t);
-
- c = size + sizeof(uint32_t);
- memcpy(&buf[rp], &c, sizeof(uint32_t));
- rp += sizeof(uint32_t);
-
- c = authtok_type;
- memcpy(&buf[rp], &c, sizeof(uint32_t));
- rp += sizeof(uint32_t);
-
- memcpy(&buf[rp], tok, size);
- rp += size;
-
- return rp;
-}
-
-
-static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val,
- uint8_t *buf) {
- size_t rp=0;
- uint32_t c;
-
- c = type;
- memcpy(&buf[rp], &c, sizeof(uint32_t));
- rp += sizeof(uint32_t);
-
- c = sizeof(uint32_t);
- memcpy(&buf[rp], &c, sizeof(uint32_t));
- rp += sizeof(uint32_t);
-
- c = val;
- memcpy(&buf[rp], &c, sizeof(uint32_t));
- rp += sizeof(uint32_t);
-
- return rp;
-}
-
-static size_t add_string_item(enum pam_item_type type, const char *str,
- const size_t size, uint8_t *buf) {
- size_t rp=0;
- uint32_t c;
-
- if (str == NULL || *str == '\0') return 0;
-
- c = type;
- memcpy(&buf[rp], &c, sizeof(uint32_t));
- rp += sizeof(uint32_t);
-
- c = size;
- memcpy(&buf[rp], &c, sizeof(uint32_t));
- rp += sizeof(uint32_t);
-
- memcpy(&buf[rp], str, size);
- rp += size;
-
- return rp;
-}
-
static void overwrite_and_free_authtoks(struct pam_items *pi)
{
if (pi->pam_authtok != NULL) {
@@ -256,83 +158,6 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
pi->otp_challenge = NULL;
}
-static int pack_message_v3(struct pam_items *pi, size_t *size,
- uint8_t **buffer) {
- int len;
- uint8_t *buf;
- size_t rp;
-
- len = sizeof(uint32_t) +
- 2*sizeof(uint32_t) + pi->pam_user_size +
- sizeof(uint32_t);
- len += *pi->pam_service != '\0' ?
- 2*sizeof(uint32_t) + pi->pam_service_size : 0;
- len += *pi->pam_tty != '\0' ?
- 2*sizeof(uint32_t) + pi->pam_tty_size : 0;
- len += *pi->pam_ruser != '\0' ?
- 2*sizeof(uint32_t) + pi->pam_ruser_size : 0;
- len += *pi->pam_rhost != '\0' ?
- 2*sizeof(uint32_t) + pi->pam_rhost_size : 0;
- len += pi->pam_authtok != NULL ?
- 3*sizeof(uint32_t) + pi->pam_authtok_size : 0;
- len += pi->pam_newauthtok != NULL ?
- 3*sizeof(uint32_t) + pi->pam_newauthtok_size : 0;
- len += 3*sizeof(uint32_t); /* cli_pid */
- len += *pi->requested_domains != '\0' ?
- 2*sizeof(uint32_t) + pi->requested_domains_size : 0;
-
-
- buf = malloc(len);
- if (buf == NULL) {
- D(("malloc failed."));
- return PAM_BUF_ERR;
- }
-
- rp = 0;
- SAFEALIGN_SETMEM_UINT32(buf, SSS_START_OF_PAM_REQUEST, &rp);
-
- rp += add_string_item(SSS_PAM_ITEM_USER, pi->pam_user, pi->pam_user_size,
- &buf[rp]);
-
- rp += add_string_item(SSS_PAM_ITEM_SERVICE, pi->pam_service,
- pi->pam_service_size, &buf[rp]);
-
- rp += add_string_item(SSS_PAM_ITEM_TTY, pi->pam_tty, pi->pam_tty_size,
- &buf[rp]);
-
- rp += add_string_item(SSS_PAM_ITEM_RUSER, pi->pam_ruser, pi->pam_ruser_size,
- &buf[rp]);
-
- rp += add_string_item(SSS_PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size,
- &buf[rp]);
-
- rp += add_string_item(SSS_PAM_ITEM_REQUESTED_DOMAINS, pi->requested_domains, pi->requested_domains_size,
- &buf[rp]);
-
- rp += add_uint32_t_item(SSS_PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid,
- &buf[rp]);
-
- rp += add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type,
- pi->pam_authtok, pi->pam_authtok_size, &buf[rp]);
-
- rp += add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type,
- pi->pam_newauthtok, pi->pam_newauthtok_size,
- &buf[rp]);
-
- SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
-
- if (rp != len) {
- D(("error during packet creation."));
- free(buf);
- return PAM_BUF_ERR;
- }
-
- *size = len;
- *buffer = buf;
-
- return 0;
-}
-
static int null_strcmp(const char *s1, const char *s2) {
if (s1 == NULL && s2 == NULL) return 0;
if (s1 == NULL && s2 != NULL) return -1;
--
2.4.3

1060
0030-PAM-add-PAM-responder-unit-test.patch
View File

File diff suppressed because it is too large Load Diff

2
sources
View File

@ -1 +1 @@
4439852e76e221c9bcd60a8586c136e2 sssd-1.12.5.tar.gz 0ffa8d3b8d7d22acb9200e11b1f641dd sssd-1.13.0alpha.tar.gz

72
sssd.spec
View File

@ -28,46 +28,16 @@
%endif %endif
Name: sssd Name: sssd
Version: 1.12.5 Version: 1.13.0
Release: 4%{?dist} Release: 1%{?dist}.alpha
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
URL: http://fedorahosted.org/sssd/ URL: http://fedorahosted.org/sssd/
Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}alpha.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ### ### Patches ###
Patch0001: 0001-BUILD-Remove-unused-libraries-for-pysss.so.patch
Patch0002: 0002-BUILD-Remove-unused-variables.patch
Patch0003: 0003-BUILD-Remove-detection-of-type-Py_ssize_t.patch
Patch0004: 0004-UTIL-Remove-python-wrapper-sss_python_set_new.patch
Patch0005: 0005-UTIL-Remove-python-wrapper-sss_python_set_add.patch
Patch0006: 0006-UTIL-Remove-python-wrapper-sss_python_set_check.patch
Patch0007: 0007-UTIL-Remove-compatibility-macro-PyModule_AddIntMacro.patch
Patch0008: 0008-UTIL-Remove-python-wrapper-sss_python_unicode_from_s.patch
Patch0009: 0009-BUILD-Use-python-config-for-detection-FLAGS.patch
Patch0010: 0010-SPEC-Use-new-convention-for-python-packages.patch
Patch0011: 0011-SPEC-Move-python-bindings-to-separate-packages.patch
Patch0012: 0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch
Patch0013: 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch
Patch0014: 0014-SPEC-Replace-python_-macros-with-python2_.patch
Patch0015: 0015-SPEC-Build-python3-bindings-on-available-platforms.patch
Patch0016: 0016-ad_opts-Use-different-default-attribute-for-group-na.patch
Patch0017: 0017-Add-leak-check-and-command-line-option-to-test_autht.patch
Patch0018: 0018-utils-add-sss_authtok_-gs-et_2fa.patch
Patch0019: 0019-pam-handle-2FA-authentication-token-in-the-responder.patch
Patch0020: 0020-Add-pre-auth-request.patch
Patch0021: 0021-krb5-child-add-preauth-and-split-2fa-token-support.patch
Patch0022: 0022-IPA-create-preauth-indicator-file-at-startup.patch
Patch0023: 0023-pam_sss-add-pre-auth-and-2fa-support.patch
Patch0024: 0024-Add-cache_credentials_minimal_first_factor_length-co.patch
Patch0025: 0025-sysdb-add-sysdb_cache_password_ex.patch
Patch0026: 0026-krb5-save-hash-of-the-first-authentication-factor-to.patch
Patch0027: 0027-krb5-try-delayed-online-authentication-only-for-sing.patch
Patch0028: 0028-2FA-offline-auth.patch
Patch0029: 0029-pam_sss-move-message-encoding-into-separate-file.patch
Patch0030: 0030-PAM-add-PAM-responder-unit-test.patch
### Dependencies ### ### Dependencies ###
Requires: sssd-common = %{version}-%{release} Requires: sssd-common = %{version}-%{release}
@ -82,6 +52,7 @@ Requires: python3-sssdconfig = %{version}-%{release}
%global servicename sssd %global servicename sssd
%global sssdstatedir %{_localstatedir}/lib/sss %global sssdstatedir %{_localstatedir}/lib/sss
%global dbpath %{sssdstatedir}/db %global dbpath %{sssdstatedir}/db
%global keytabdir %{sssdstatedir}/keytabs
%global pipepath %{sssdstatedir}/pipes %global pipepath %{sssdstatedir}/pipes
%global mcpath %{sssdstatedir}/mc %global mcpath %{sssdstatedir}/mc
%global pubconfpath %{sssdstatedir}/pubconf %global pubconfpath %{sssdstatedir}/pubconf
@ -107,6 +78,7 @@ BuildRequires: dbus-libs
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: nss-devel BuildRequires: nss-devel
BuildRequires: openssl-devel
BuildRequires: nspr-devel BuildRequires: nspr-devel
BuildRequires: pcre-devel BuildRequires: pcre-devel
BuildRequires: libxslt BuildRequires: libxslt
@ -407,14 +379,16 @@ Requires: libipa_hbac = %{version}-%{release}
%description -n libipa_hbac-devel %description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization requests Utility library to validate FreeIPA HBAC rules for authorization requests
%package -n libipa_hbac-python %package -n python-libipa_hbac
Summary: Python2 bindings for the FreeIPA HBAC Evaluator library Summary: Python2 bindings for the FreeIPA HBAC Evaluator library
Group: Development/Libraries Group: Development/Libraries
License: LGPLv3+ License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release} Requires: libipa_hbac = %{version}-%{release}
Provides: libipa_hbac-python = %{version}-%{release}
Obsoletes: libipa_hbac-python < 1.13.0
%description -n libipa_hbac-python %description -n python-libipa_hbac
The libipa_hbac-python contains the bindings so that libipa_hbac can be The python-libipa_hbac contains the bindings so that libipa_hbac can be
used by Python applications. used by Python applications.
%package -n python3-libipa_hbac %package -n python3-libipa_hbac
@ -446,14 +420,16 @@ Requires: libsss_nss_idmap = %{version}-%{release}
%description -n libsss_nss_idmap-devel %description -n libsss_nss_idmap-devel
Utility library for SID based lookups Utility library for SID based lookups
%package -n libsss_nss_idmap-python %package -n python-libsss_nss_idmap
Summary: Python2 bindings for libsss_nss_idmap Summary: Python2 bindings for libsss_nss_idmap
Group: Development/Libraries Group: Development/Libraries
License: LGPLv3+ License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release} Requires: libsss_nss_idmap = %{version}-%{release}
Provides: libsss_nss_idmap-python = %{version}-%{release}
Obsoletes: libsss_nss_idmap-python < 1.13.0
%description -n libsss_nss_idmap-python %description -n python-libsss_nss_idmap
The libsss_nss_idmap-python contains the bindings so that libsss_nss_idmap can The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
be used by Python applications. be used by Python applications.
%package -n python3-libsss_nss_idmap %package -n python3-libsss_nss_idmap
@ -534,7 +510,7 @@ UpdateTimestamps() {
done done
} }
%setup -q %setup -q -n %{name}-1.12.90
for p in %patches ; do for p in %patches ; do
%__patch -p1 -i $p %__patch -p1 -i $p
@ -566,12 +542,6 @@ autoreconf -ivf
make %{?_smp_mflags} all docs make %{?_smp_mflags} all docs
%check %check
# the utility patch did not apply changes in file permissions
chmod 755 src/config/SSSDConfigTest.py*.sh \
src/tests/pyhbac-test.py*.sh \
src/tests/pysss_murmur-test.py*.sh
export CK_TIMEOUT_MULTIPLIER=10 export CK_TIMEOUT_MULTIPLIER=10
make %{?_smp_mflags} check VERBOSE=yes make %{?_smp_mflags} check VERBOSE=yes
unset CK_TIMEOUT_MULTIPLIER unset CK_TIMEOUT_MULTIPLIER
@ -708,6 +678,7 @@ rm -rf $RPM_BUILD_ROOT
#Internal shared libraries #Internal shared libraries
%{_libdir}/%{name}/libsss_child.so %{_libdir}/%{name}/libsss_child.so
%{_libdir}/%{name}/libsss_crypt.so %{_libdir}/%{name}/libsss_crypt.so
%{_libdir}/%{name}/libsss_cert.so
%{_libdir}/%{name}/libsss_debug.so %{_libdir}/%{name}/libsss_debug.so
%{_libdir}/%{name}/libsss_krb5_common.so %{_libdir}/%{name}/libsss_krb5_common.so
%{_libdir}/%{name}/libsss_ldap_common.so %{_libdir}/%{name}/libsss_ldap_common.so
@ -781,6 +752,7 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc COPYING %doc COPYING
%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d %attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
%attr(700,root,root) %dir %{keytabdir}
%{_libdir}/%{name}/libsss_ipa.so %{_libdir}/%{name}/libsss_ipa.so
%{_libexecdir}/%{servicename}/selinux_child %{_libexecdir}/%{servicename}/selinux_child
%{_mandir}/man5/sssd-ipa.5* %{_mandir}/man5/sssd-ipa.5*
@ -929,7 +901,7 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/libsss_nss_idmap.so %{_libdir}/libsss_nss_idmap.so
%{_libdir}/pkgconfig/sss_nss_idmap.pc %{_libdir}/pkgconfig/sss_nss_idmap.pc
%files -n libsss_nss_idmap-python %files -n python-libsss_nss_idmap
%defattr(-,root,root,-) %defattr(-,root,root,-)
%{python2_sitearch}/pysss_nss_idmap.so %{python2_sitearch}/pysss_nss_idmap.so
%{python2_sitearch}/_py2sss_nss_idmap.so %{python2_sitearch}/_py2sss_nss_idmap.so
@ -939,7 +911,7 @@ rm -rf $RPM_BUILD_ROOT
%{python3_sitearch}/pysss_nss_idmap.so %{python3_sitearch}/pysss_nss_idmap.so
%{python3_sitearch}/_py3sss_nss_idmap.so %{python3_sitearch}/_py3sss_nss_idmap.so
%files -n libipa_hbac-python %files -n python-libipa_hbac
%defattr(-,root,root,-) %defattr(-,root,root,-)
%{python2_sitearch}/pyhbac.so %{python2_sitearch}/pyhbac.so
%{python2_sitearch}/_py2hbac.so %{python2_sitearch}/_py2hbac.so
@ -1038,6 +1010,10 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so %{_libdir}/%{name}/modules/libwbclient.so
%changelog %changelog
* Mon Jun 22 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-1.alpha
- New upstream release 1.13 alpha
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.12.5-4 * Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.12.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild