import sssd-2.7.3-4.el8_7.3
This commit is contained in:
parent
3b446ac03c
commit
bbe71de11d
141
SOURCES/0012-Analyzer-Optimize-list-verbose-output.patch
Normal file
141
SOURCES/0012-Analyzer-Optimize-list-verbose-output.patch
Normal file
@ -0,0 +1,141 @@
|
||||
From 70e254653edb21923d7565c80704e1ce6865d991 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Wed, 12 Oct 2022 08:48:45 -0400
|
||||
Subject: [PATCH] Analyzer: Optimize list verbose output
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Modify the analyzer to parse the responder log file in one pass. This
|
||||
avoids repeated parsing of a single log file. This operation will now
|
||||
store log lines in a dictionary on a single pass then format and print
|
||||
the output accordingly. Does not affect 'list' or 'show' output.
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
---
|
||||
src/tools/analyzer/modules/request.py | 71 ++++++++++++++++++---------
|
||||
1 file changed, 48 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
|
||||
index b9fe3caf8..15c8e6bfb 100644
|
||||
--- a/src/tools/analyzer/modules/request.py
|
||||
+++ b/src/tools/analyzer/modules/request.py
|
||||
@@ -148,36 +148,57 @@ class RequestAnalyzer:
|
||||
print(line)
|
||||
return found_results
|
||||
|
||||
- def print_formatted_verbose(self, source, patterns):
|
||||
+ def print_formatted_verbose(self, source):
|
||||
"""
|
||||
- Parse line and print formatted verbose list_requests output
|
||||
+ Parse log file and print formatted verbose list_requests output
|
||||
|
||||
Args:
|
||||
source (Reader): source Reader object
|
||||
- patterns (list): List of regex patterns to use for
|
||||
- matching lines
|
||||
"""
|
||||
- # Get CID number, and print the basic line first
|
||||
- for line in self.matched_line(source, patterns):
|
||||
- cid = self.print_formatted(line)
|
||||
-
|
||||
- # Loop through each line with this CID number to extract and
|
||||
- # print the verbose data needed
|
||||
- verbose_patterns = ["(cache_req_send|cache_req_process_input|"
|
||||
- "cache_req_search_send)"]
|
||||
- for cidline in self.matched_line(source, verbose_patterns):
|
||||
+ data = {}
|
||||
+ # collect cid log lines from single run through of parsing the log
|
||||
+ # into dictionary # (cid, ts) -> logline_output
|
||||
+ for line in source:
|
||||
+ if "CID#" not in line:
|
||||
+ continue
|
||||
+
|
||||
+ # parse CID and ts from line, key is a tuple of (cid,ts)
|
||||
+ fields = line.split("[")
|
||||
+ # timestamp to the minute, cut off seconds, ms
|
||||
+ ts = fields[0][:17]
|
||||
+ result = re.search('CID#[0-9]*', fields[3])
|
||||
+ cid = result.group(0)
|
||||
+
|
||||
+ # if mapping exists, append line to output. Otherwise create new mapping
|
||||
+ if (cid, ts) in data.keys():
|
||||
+ data[(cid, ts)] += line
|
||||
+ else:
|
||||
+ data[(cid, ts)] = line
|
||||
+
|
||||
+ # pretty print the data
|
||||
+ for k, v in data.items():
|
||||
+ cr_done = []
|
||||
+ id_done = []
|
||||
+ for cidline in v.splitlines():
|
||||
plugin = ""
|
||||
name = ""
|
||||
id = ""
|
||||
|
||||
- # skip any lines not pertaining to this CID
|
||||
- if f"CID#{cid}]" not in cidline:
|
||||
- continue
|
||||
- if "refreshed" in cidline:
|
||||
- continue
|
||||
+ # CR number
|
||||
+ fields = cidline.split("[")
|
||||
+ cr_field = fields[3][7:]
|
||||
+ cr = cr_field.split(":")[0][4:]
|
||||
+ # Client connected, top-level info line
|
||||
+ if re.search(r'\[cmd', cidline):
|
||||
+ self.print_formatted(cidline)
|
||||
# CR Plugin name
|
||||
if re.search("cache_req_send", cidline):
|
||||
plugin = cidline.split('\'')[1]
|
||||
+ id_done.clear()
|
||||
+ # Extract CR number
|
||||
+ fields = cidline.split("[")
|
||||
+ cr_field = fields[3][7:]
|
||||
+ cr = cr_field.split(":")[0][4:]
|
||||
# CR Input name
|
||||
elif re.search("cache_req_process_input", cidline):
|
||||
name = cidline.rsplit('[')[-1]
|
||||
@@ -188,9 +209,14 @@ class RequestAnalyzer:
|
||||
if plugin:
|
||||
print(" - " + plugin)
|
||||
if name:
|
||||
- print(" - " + name[:-2])
|
||||
+ # Avoid duplicate output with the same CR #
|
||||
+ if cr not in cr_done:
|
||||
+ print(" - " + name[:-1])
|
||||
+ cr_done.append(cr)
|
||||
if (id and ("UID" in cidline or "GID" in cidline)):
|
||||
- print(" - " + id)
|
||||
+ if id not in id_done:
|
||||
+ print(" - " + id)
|
||||
+ id_done.append(id)
|
||||
|
||||
def print_formatted(self, line):
|
||||
"""
|
||||
@@ -237,7 +263,7 @@ class RequestAnalyzer:
|
||||
logger.info(f"******** Listing {resp} client requests ********")
|
||||
source.set_component(component, False)
|
||||
if args.verbose:
|
||||
- self.print_formatted_verbose(source, patterns)
|
||||
+ self.print_formatted_verbose(source)
|
||||
else:
|
||||
for line in self.matched_line(source, patterns):
|
||||
if isinstance(source, Journald):
|
||||
@@ -258,8 +284,7 @@ class RequestAnalyzer:
|
||||
be_results = False
|
||||
component = source.Component.NSS
|
||||
resp = "nss"
|
||||
- pattern = [rf'REQ_TRACE.*\[CID #{cid}\]']
|
||||
- pattern.append(rf"\[CID#{cid}\]")
|
||||
+ pattern = [rf"\[CID#{cid}\]"]
|
||||
|
||||
if args.pam:
|
||||
component = source.Component.PAM
|
||||
--
|
||||
2.37.3
|
||||
|
43
SOURCES/0013-Analyzer-Ensure-parsed-id-contains-digit.patch
Normal file
43
SOURCES/0013-Analyzer-Ensure-parsed-id-contains-digit.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From 89ea4a5feaf30f80a79ca3ba8166f304cc414e07 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Tue, 15 Nov 2022 12:47:51 -0500
|
||||
Subject: [PATCH] Analyzer: Ensure parsed id contains digit
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In analyzer list verbose output, we parse the last field of cache_req_search_send() lines.
|
||||
Certain log messages need to be filtered out by ensuring the parsed field is
|
||||
a digit, such as the last line below.
|
||||
|
||||
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
|
||||
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
|
||||
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@domain-zflo.com
|
||||
[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119@domain-zflo.com] from cache
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit bfa8d50c479cf8ef7b299eb5848309a3a9ea7f12)
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
---
|
||||
src/tools/analyzer/modules/request.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
|
||||
index 15c8e6bfb..bf279ea75 100644
|
||||
--- a/src/tools/analyzer/modules/request.py
|
||||
+++ b/src/tools/analyzer/modules/request.py
|
||||
@@ -214,7 +214,7 @@ class RequestAnalyzer:
|
||||
print(" - " + name[:-1])
|
||||
cr_done.append(cr)
|
||||
if (id and ("UID" in cidline or "GID" in cidline)):
|
||||
- if id not in id_done:
|
||||
+ if id not in id_done and bool(re.search(r'\d', id)):
|
||||
print(" - " + id)
|
||||
id_done.append(id)
|
||||
|
||||
--
|
||||
2.37.3
|
||||
|
94
SOURCES/0014-TOOLS-don-t-export-internal-helpers.patch
Normal file
94
SOURCES/0014-TOOLS-don-t-export-internal-helpers.patch
Normal file
@ -0,0 +1,94 @@
|
||||
From 7e23e6394b518dd013c6b03a1a63715899180935 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Sun, 6 Nov 2022 11:22:22 +0100
|
||||
Subject: [PATCH 14/16] TOOLS: don't export internal helpers
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 6ef3aade0394e32540242f902c9f21bb8d6c41f2)
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/tools/common/sss_tools.c | 16 ++++++++--------
|
||||
src/tools/common/sss_tools.h | 12 ------------
|
||||
2 files changed, 8 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
|
||||
index c066ddc5c..47b85bdd2 100644
|
||||
--- a/src/tools/common/sss_tools.c
|
||||
+++ b/src/tools/common/sss_tools.c
|
||||
@@ -178,9 +178,9 @@ static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
-errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
|
||||
- int *argc, const char **argv,
|
||||
- struct sss_tool_ctx **_tool_ctx)
|
||||
+static errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
|
||||
+ int *argc, const char **argv,
|
||||
+ struct sss_tool_ctx **_tool_ctx)
|
||||
{
|
||||
struct sss_tool_ctx *tool_ctx;
|
||||
|
||||
@@ -235,7 +235,7 @@ static size_t sss_tool_max_length(struct sss_route_cmd *commands)
|
||||
return max;
|
||||
}
|
||||
|
||||
-void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands)
|
||||
+static void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands)
|
||||
{
|
||||
int min_len;
|
||||
int i;
|
||||
@@ -304,10 +304,10 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-errno_t sss_tool_route(int argc, const char **argv,
|
||||
- struct sss_tool_ctx *tool_ctx,
|
||||
- struct sss_route_cmd *commands,
|
||||
- void *pvt)
|
||||
+static errno_t sss_tool_route(int argc, const char **argv,
|
||||
+ struct sss_tool_ctx *tool_ctx,
|
||||
+ struct sss_route_cmd *commands,
|
||||
+ void *pvt)
|
||||
{
|
||||
struct sss_cmdline cmdline;
|
||||
const char *cmd;
|
||||
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
|
||||
index 0e4308ee6..578186633 100644
|
||||
--- a/src/tools/common/sss_tools.h
|
||||
+++ b/src/tools/common/sss_tools.h
|
||||
@@ -35,10 +35,6 @@ struct sss_tool_ctx {
|
||||
struct sss_domain_info *domains;
|
||||
};
|
||||
|
||||
-errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
|
||||
- int *argc, const char **argv,
|
||||
- struct sss_tool_ctx **_tool_ctx);
|
||||
-
|
||||
struct sss_cmdline {
|
||||
const char *exec; /* argv[0] */
|
||||
const char *command; /* command name */
|
||||
@@ -69,14 +65,6 @@ struct sss_route_cmd {
|
||||
int flags;
|
||||
};
|
||||
|
||||
-void sss_tool_usage(const char *tool_name,
|
||||
- struct sss_route_cmd *commands);
|
||||
-
|
||||
-errno_t sss_tool_route(int argc, const char **argv,
|
||||
- struct sss_tool_ctx *tool_ctx,
|
||||
- struct sss_route_cmd *commands,
|
||||
- void *pvt);
|
||||
-
|
||||
typedef errno_t (*sss_popt_fn)(poptContext pc, char option, void *pvt);
|
||||
|
||||
enum sss_tool_opt {
|
||||
--
|
||||
2.37.3
|
||||
|
71
SOURCES/0015-TOOLS-fixed-handling-of-init-error.patch
Normal file
71
SOURCES/0015-TOOLS-fixed-handling-of-init-error.patch
Normal file
@ -0,0 +1,71 @@
|
||||
From bd16242ef6780fd2808bf03f79eda5d940094bc5 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Sun, 6 Nov 2022 12:25:37 +0100
|
||||
Subject: [PATCH 15/16] TOOLS: fixed handling of init error
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Before execution of `tool_cmd_init()` `init_err` wasn't set,
|
||||
so `sss_tools_handles_init_error()` check was a no-op.
|
||||
|
||||
Consequently, a proper check after `tool_cmd_init()` was missing.
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 7af46ba0e925da61b7b4003c3fa6d51c05c1116e)
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/tools/common/sss_tools.c | 17 ++++-------------
|
||||
src/tools/common/sss_tools.h | 1 -
|
||||
2 files changed, 4 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
|
||||
index 47b85bdd2..38ae88306 100644
|
||||
--- a/src/tools/common/sss_tools.c
|
||||
+++ b/src/tools/common/sss_tools.c
|
||||
@@ -336,22 +336,13 @@ static errno_t sss_tool_route(int argc, const char **argv,
|
||||
cmdline.argc = argc - 2;
|
||||
cmdline.argv = argv + 2;
|
||||
|
||||
- if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Command %s does not handle initialization error [%d] %s\n",
|
||||
- cmdline.command, tool_ctx->init_err,
|
||||
- sss_strerror(tool_ctx->init_err));
|
||||
- return tool_ctx->init_err;
|
||||
- }
|
||||
-
|
||||
if (!tool_ctx->print_help) {
|
||||
ret = tool_cmd_init(tool_ctx, &commands[i]);
|
||||
- if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
|
||||
- tool_ctx->init_err = ret;
|
||||
- } else if (ret != EOK) {
|
||||
+
|
||||
+ if (!sss_tools_handles_init_error(&commands[i], ret)) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Command initialization failed [%d] %s\n",
|
||||
- ret, sss_strerror(ret));
|
||||
+ "Command %s does not handle initialization error [%d] %s\n",
|
||||
+ cmdline.command, ret, sss_strerror(ret));
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
|
||||
index 578186633..75dc15391 100644
|
||||
--- a/src/tools/common/sss_tools.h
|
||||
+++ b/src/tools/common/sss_tools.h
|
||||
@@ -30,7 +30,6 @@ struct sss_tool_ctx {
|
||||
struct confdb_ctx *confdb;
|
||||
|
||||
bool print_help;
|
||||
- errno_t init_err;
|
||||
char *default_domain;
|
||||
struct sss_domain_info *domains;
|
||||
};
|
||||
--
|
||||
2.37.3
|
||||
|
89
SOURCES/0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch
Normal file
89
SOURCES/0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch
Normal file
@ -0,0 +1,89 @@
|
||||
From 66c318d212d56e26f303fc52d5fecbde4a6b9589 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Thu, 10 Nov 2022 22:18:06 +0100
|
||||
Subject: [PATCH 16/16] SSSCTL: don't require 'root' for "analyze" cmd
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
:relnote: `sssctl analyze` tool doesn't require anymore to be run under root.
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 99791400bec1054cf0081884e013a3cbed75fe8a)
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/tools/common/sss_tools.c | 16 +++++++++-------
|
||||
src/tools/common/sss_tools.h | 3 ++-
|
||||
src/tools/sssctl/sssctl.c | 2 +-
|
||||
3 files changed, 12 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
|
||||
index 38ae88306..d16de7c4d 100644
|
||||
--- a/src/tools/common/sss_tools.c
|
||||
+++ b/src/tools/common/sss_tools.c
|
||||
@@ -267,6 +267,15 @@ static int tool_cmd_init(struct sss_tool_ctx *tool_ctx,
|
||||
struct sss_route_cmd *command)
|
||||
{
|
||||
int ret;
|
||||
+ uid_t uid;
|
||||
+
|
||||
+ if (!(command->flags & SSS_TOOL_FLAG_SKIP_ROOT_CHECK)) {
|
||||
+ uid = getuid();
|
||||
+ if (uid != 0) {
|
||||
+ ERROR("'%s' must be run as root\n", command->command);
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (command->flags & SSS_TOOL_FLAG_SKIP_CMD_INIT) {
|
||||
return EOK;
|
||||
@@ -515,15 +524,8 @@ int sss_tool_main(int argc, const char **argv,
|
||||
void *pvt)
|
||||
{
|
||||
struct sss_tool_ctx *tool_ctx;
|
||||
- uid_t uid;
|
||||
errno_t ret;
|
||||
|
||||
- uid = getuid();
|
||||
- if (uid != 0) {
|
||||
- ERROR("%1$s must be run as root\n", argv[0]);
|
||||
- return EXIT_FAILURE;
|
||||
- }
|
||||
-
|
||||
ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
|
||||
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
|
||||
index 75dc15391..24dd4b559 100644
|
||||
--- a/src/tools/common/sss_tools.h
|
||||
+++ b/src/tools/common/sss_tools.h
|
||||
@@ -54,7 +54,8 @@ typedef errno_t
|
||||
#define SSS_TOOL_DELIMITER(message) {"", _(message), 0, NULL, 0}
|
||||
#define SSS_TOOL_LAST {NULL, NULL, 0, NULL, 0}
|
||||
|
||||
-#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01
|
||||
+#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01
|
||||
+#define SSS_TOOL_FLAG_SKIP_ROOT_CHECK 0x02
|
||||
|
||||
struct sss_route_cmd {
|
||||
const char *command;
|
||||
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
|
||||
index f18689f9f..b73d19ffe 100644
|
||||
--- a/src/tools/sssctl/sssctl.c
|
||||
+++ b/src/tools/sssctl/sssctl.c
|
||||
@@ -296,7 +296,7 @@ int main(int argc, const char **argv)
|
||||
SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove),
|
||||
SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch),
|
||||
SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level),
|
||||
- SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT),
|
||||
+ SSS_TOOL_COMMAND_FLAGS("analyze", "Analyze logged data", 0, sssctl_analyze, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),
|
||||
#ifdef HAVE_LIBINI_CONFIG_V1_3
|
||||
SSS_TOOL_DELIMITER("Configuration files tools:"),
|
||||
SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),
|
||||
--
|
||||
2.37.3
|
||||
|
49
SOURCES/0017-PAC-allow-to-disable-UPN-check.patch
Normal file
49
SOURCES/0017-PAC-allow-to-disable-UPN-check.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From a86d1740167031bf6444ff821a201164c11ba09c Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 16 Nov 2022 09:28:54 +0100
|
||||
Subject: [PATCH 17/19] PAC: allow to disable UPN check
|
||||
|
||||
Currently it was not possible to skip the UPN check which checks if the
|
||||
UPN in the PAC and the one stored in SSSD's cache are different.
|
||||
Additionally the related debug message will show both principals if they
|
||||
differ.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6451
|
||||
|
||||
(cherry picked from commit 91789449b7a8b20056e1edfedd8f8cf92f7a0a2a)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_pac_common.c | 16 +++++++++++++---
|
||||
1 file changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
|
||||
index 0ed817111..79f79b7a7 100644
|
||||
--- a/src/providers/ad/ad_pac_common.c
|
||||
+++ b/src/providers/ad/ad_pac_common.c
|
||||
@@ -224,9 +224,19 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
|
||||
|
||||
if (user_data != NULL) {
|
||||
if (strcasecmp(user_data, upn_dns_info->upn_name) != 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "UPN of user entry and PAC do not match.\n");
|
||||
- return ERR_CHECK_PAC_FAILED;
|
||||
+ if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "UPN of user entry [%s] and "
|
||||
+ "PAC [%s] do not match.\n",
|
||||
+ user_data,
|
||||
+ upn_dns_info->upn_name);
|
||||
+ return ERR_CHECK_PAC_FAILED;
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO, "UPN of user entry [%s] and "
|
||||
+ "PAC [%s] do not match, "
|
||||
+ "ignored.\n", user_data,
|
||||
+ upn_dns_info->upn_name);
|
||||
+ return EOK;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.37.3
|
||||
|
@ -0,0 +1,90 @@
|
||||
From 29aa434816ce6ae2aaf3b0bcf24b89f05f426d1b Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 22 Nov 2022 13:39:26 +0100
|
||||
Subject: [PATCH 18/19] ipa: do not add guessed principal to the cache
|
||||
|
||||
Currently on IPA clients a calculated principal based on the user name
|
||||
and the Kerberos realm is added to the cached user object. This code is
|
||||
quite old and might have been necessary at times when sub-domain support
|
||||
was added to SSSD. But since quite some time SSSD is capable of
|
||||
generating the principal on the fly during authentication if nothing is
|
||||
stored in the cache.
|
||||
|
||||
Removing the code makes the cache more consistent with other use-cases,
|
||||
e.g. with the IPA server where this attribute is empty, and allows to
|
||||
properly detect a missing UPN, e.g. during the PAC validation.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6451
|
||||
|
||||
(cherry picked from commit b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_s2n_exop.c | 44 --------------------------------
|
||||
1 file changed, 44 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
||||
index c68c1de26..81927a6b8 100644
|
||||
--- a/src/providers/ipa/ipa_s2n_exop.c
|
||||
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
||||
@@ -2467,8 +2467,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||
time_t now;
|
||||
struct sss_nss_homedir_ctx homedir_ctx;
|
||||
char *name = NULL;
|
||||
- char *realm;
|
||||
- char *short_name = NULL;
|
||||
char *upn = NULL;
|
||||
gid_t gid;
|
||||
gid_t orig_gid = 0;
|
||||
@@ -2607,48 +2605,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (upn == NULL) {
|
||||
- /* We also have to store a fake UPN here, because otherwise the
|
||||
- * krb5 child later won't be able to properly construct one as
|
||||
- * the username is fully qualified but the child doesn't have
|
||||
- * access to the regex to deconstruct it */
|
||||
- /* FIXME: The real UPN is available from the PAC, we should get
|
||||
- * it from there. */
|
||||
- realm = get_uppercase_realm(tmp_ctx, dom->name);
|
||||
- if (!realm) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "failed to get realm.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
|
||||
- &short_name, NULL);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Cannot parse internal name %s\n",
|
||||
- attrs->a.user.pw_name);
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
|
||||
- if (!upn) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- /* We might already have the SID or the UPN from other sources
|
||||
- * hence sysdb_attrs_add_string_safe is used to avoid double
|
||||
- * entries. */
|
||||
- ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, SYSDB_UPN,
|
||||
- upn);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "sysdb_attrs_add_string failed.\n");
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
if (req_input->type == REQ_INP_SECID) {
|
||||
ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs,
|
||||
SYSDB_SID_STR,
|
||||
--
|
||||
2.37.3
|
||||
|
164
SOURCES/0019-pac-relax-default-check.patch
Normal file
164
SOURCES/0019-pac-relax-default-check.patch
Normal file
@ -0,0 +1,164 @@
|
||||
From 0e618c36ed74c240f7acd071ccb7bfd405b2d827 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 22 Nov 2022 14:43:21 +0100
|
||||
Subject: [PATCH 19/19] pac: relax default check
|
||||
|
||||
To avoid issues with the UPN check during PAC validation when
|
||||
'ldap_user_principal' is set to a not existing attribute to skip reading
|
||||
user principals a new 'pac_check' option, 'check_upn_allow_missing' is
|
||||
added to the default options. With this option only a log message is
|
||||
shown but the check will not fail.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6451
|
||||
|
||||
(cherry picked from commit 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.h | 2 +-
|
||||
src/man/sssd.conf.5.xml | 30 +++++++++++++++++++++++++++++-
|
||||
src/providers/ad/ad_pac_common.c | 24 ++++++++++++++++++++----
|
||||
src/util/pac_utils.c | 10 ++++++++++
|
||||
src/util/util.h | 2 ++
|
||||
5 files changed, 62 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 83f6be7f9..5fda67585 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -181,7 +181,7 @@
|
||||
#define CONFDB_PAC_LIFETIME "pac_lifetime"
|
||||
#define CONFDB_PAC_CHECK "pac_check"
|
||||
#define CONFDB_PAC_CHECK_DEFAULT "no_check"
|
||||
-#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_dns_info_ex"
|
||||
+#define CONFDB_PAC_CHECK_IPA_AD_DEFAULT "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"
|
||||
|
||||
/* InfoPipe */
|
||||
#define CONFDB_IFP_CONF_ENTRY "config/ifp"
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 7a9920815..d9f4a7481 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -2275,6 +2275,34 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
||||
consistent.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>check_upn_allow_missing</term>
|
||||
+ <listitem>
|
||||
+ <para>This option should be used together
|
||||
+ with 'check_upn' and handles the case where
|
||||
+ a UPN is set on the server-side but is not
|
||||
+ read by SSSD. The typical example is a
|
||||
+ FreeIPA domain where 'ldap_user_principal'
|
||||
+ is set to a not existing attribute name.
|
||||
+ This was typically done to work-around
|
||||
+ issues in the handling of enterprise
|
||||
+ principals. But this is fixed since quite
|
||||
+ some time and FreeIPA can handle enterprise
|
||||
+ principals just fine and there is no need
|
||||
+ anymore to set 'ldap_user_principal'.</para>
|
||||
+ <para>Currently this option is set by
|
||||
+ default to avoid regressions in such
|
||||
+ environments. A log message will be added
|
||||
+ to the system log and SSSD's debug log in
|
||||
+ case a UPN is found in the PAC but not in
|
||||
+ SSSD's cache. To avoid this log message it
|
||||
+ would be best to evaluate if the
|
||||
+ 'ldap_user_principal' option can be removed.
|
||||
+ If this is not possible, removing
|
||||
+ 'check_upn' will skip the test and avoid the
|
||||
+ log message.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
<varlistentry>
|
||||
<term>upn_dns_info_present</term>
|
||||
<listitem>
|
||||
@@ -2305,7 +2333,7 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
||||
</para>
|
||||
<para>
|
||||
Default: no_check (AD and IPA provider
|
||||
- 'check_upn, check_upn_dns_info_ex')
|
||||
+ 'check_upn, check_upn_allow_missing, check_upn_dns_info_ex')
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
|
||||
index 79f79b7a7..fcb54cd2c 100644
|
||||
--- a/src/providers/ad/ad_pac_common.c
|
||||
+++ b/src/providers/ad/ad_pac_common.c
|
||||
@@ -215,10 +215,26 @@ errno_t check_upn_and_sid_from_user_and_pac(struct ldb_message *msg,
|
||||
DEBUG(SSSDBG_MINOR_FAILURE, "User object does not have a UPN but PAC "
|
||||
"says otherwise, maybe ldap_user_principal option is set.\n");
|
||||
if (pac_check_opts & CHECK_PAC_CHECK_UPN) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "UPN is missing but PAC UPN check required, "
|
||||
- "PAC validation failed.\n");
|
||||
- return ERR_CHECK_PAC_FAILED;
|
||||
+ if (pac_check_opts & CHECK_PAC_CHECK_UPN_ALLOW_MISSING) {
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "UPN is missing but PAC UPN check required, "
|
||||
+ "PAC validation failed. However, "
|
||||
+ "'check_upn_allow_missing' is set and the error is "
|
||||
+ "ignored. To make this message go away please check "
|
||||
+ "why the UPN is not read from the server. In FreeIPA "
|
||||
+ "environments 'ldap_user_principal' is most probably "
|
||||
+ "set to a non-existing attribute name to avoid "
|
||||
+ "issues with enterprise principals. This is not "
|
||||
+ "needed anymore with recent versions of FreeIPA.\n");
|
||||
+ sss_log(SSS_LOG_CRIT, "PAC validation issue, please check "
|
||||
+ "sssd_pac.log for details");
|
||||
+ return EOK;
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "UPN is missing but PAC UPN check required, "
|
||||
+ "PAC validation failed.\n");
|
||||
+ return ERR_CHECK_PAC_FAILED;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/src/util/pac_utils.c b/src/util/pac_utils.c
|
||||
index c53b0c082..4499d8dfd 100644
|
||||
--- a/src/util/pac_utils.c
|
||||
+++ b/src/util/pac_utils.c
|
||||
@@ -64,6 +64,8 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
|
||||
flags |= CHECK_PAC_CHECK_UPN_DNS_INFO_EX;
|
||||
flags |= CHECK_PAC_UPN_DNS_INFO_PRESENT;
|
||||
flags |= CHECK_PAC_CHECK_UPN;
|
||||
+ } else if (strcasecmp(list[c], CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR) == 0) {
|
||||
+ flags |= CHECK_PAC_CHECK_UPN_ALLOW_MISSING;
|
||||
} else {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Unknown value [%s] for pac_check.\n",
|
||||
list[c]);
|
||||
@@ -72,6 +74,14 @@ static errno_t check_check_pac_opt(const char *inp, uint32_t *check_pac_flags)
|
||||
}
|
||||
}
|
||||
|
||||
+ if ((flags & CHECK_PAC_CHECK_UPN_ALLOW_MISSING)
|
||||
+ && !(flags & CHECK_PAC_CHECK_UPN)) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "pac_check option '%s' is set but '%s' is not set, this means "
|
||||
+ "the UPN is not checked.\n",
|
||||
+ CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR, CHECK_PAC_CHECK_UPN_STR);
|
||||
+ }
|
||||
+
|
||||
ret = EOK;
|
||||
|
||||
done:
|
||||
diff --git a/src/util/util.h b/src/util/util.h
|
||||
index 6d9111874..4b2651c2c 100644
|
||||
--- a/src/util/util.h
|
||||
+++ b/src/util/util.h
|
||||
@@ -818,6 +818,8 @@ uint64_t get_spend_time_us(uint64_t st);
|
||||
#define CHECK_PAC_CHECK_UPN_DNS_INFO_EX (1 << 3)
|
||||
#define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT_STR "upn_dns_info_ex_present"
|
||||
#define CHECK_PAC_UPN_DNS_INFO_EX_PRESENT (1 << 4)
|
||||
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING_STR "check_upn_allow_missing"
|
||||
+#define CHECK_PAC_CHECK_UPN_ALLOW_MISSING (1 << 5)
|
||||
|
||||
errno_t get_pac_check_config(struct confdb_ctx *cdb, uint32_t *pac_check_opts);
|
||||
#endif /* __SSSD_UTIL_H__ */
|
||||
--
|
||||
2.37.3
|
||||
|
102
SOURCES/0020-oidc_child-escape-scopes.patch
Normal file
102
SOURCES/0020-oidc_child-escape-scopes.patch
Normal file
@ -0,0 +1,102 @@
|
||||
From ace43c8ce02d19cf536ce35749aa2ed734089189 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 18 Aug 2022 13:55:21 +0200
|
||||
Subject: [PATCH 20/23] oidc_child: escape scopes
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Before using the user provided scopes in the HTTP request they should be
|
||||
properly escaped according to RFC-3986.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6146
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 12d5c6344ee304c1f3bc155a76ab37fcd20e78cb)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/oidc_child/oidc_child.c | 4 ++--
|
||||
src/oidc_child/oidc_child_curl.c | 35 ++++++++++++++++++++++++++++++++
|
||||
src/oidc_child/oidc_child_util.h | 2 ++
|
||||
3 files changed, 39 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
|
||||
index e58afccd3..aeeac3595 100644
|
||||
--- a/src/oidc_child/oidc_child.c
|
||||
+++ b/src/oidc_child/oidc_child.c
|
||||
@@ -119,9 +119,9 @@ static errno_t set_endpoints(struct devicecode_ctx *dc_ctx,
|
||||
}
|
||||
|
||||
if (scope != NULL && *scope != '\0') {
|
||||
- dc_ctx->scope = talloc_strdup(dc_ctx, scope);
|
||||
+ dc_ctx->scope = url_encode_string(dc_ctx, scope);
|
||||
if (dc_ctx->scope == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy scopes.\n");
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to encode and copy scopes.\n");
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
}
|
||||
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
|
||||
index 20e17a566..df438e007 100644
|
||||
--- a/src/oidc_child/oidc_child_curl.c
|
||||
+++ b/src/oidc_child/oidc_child_curl.c
|
||||
@@ -26,6 +26,41 @@
|
||||
#include <curl/curl.h>
|
||||
#include "oidc_child/oidc_child_util.h"
|
||||
|
||||
+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp)
|
||||
+{
|
||||
+ CURL *curl_ctx = NULL;
|
||||
+ char *tmp;
|
||||
+ char *out = NULL;
|
||||
+
|
||||
+ if (inp == NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Empty input.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ curl_ctx = curl_easy_init();
|
||||
+ if (curl_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to initialize curl.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ tmp = curl_easy_escape(curl_ctx, inp, 0);
|
||||
+ if (tmp == NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "curl_easy_escape failed for [%s].\n", inp);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ out = talloc_strdup(mem_ctx, tmp);
|
||||
+ curl_free(tmp);
|
||||
+ if (out == NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "talloc_strdup failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ curl_easy_cleanup(curl_ctx);
|
||||
+ return (out);
|
||||
+}
|
||||
+
|
||||
/* The curl write_callback will always append the received data. To start a
|
||||
* new string call clean_http_data() before the curl request.*/
|
||||
void clean_http_data(struct devicecode_ctx *dc_ctx)
|
||||
diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
|
||||
index c781bf1b1..ae5a72bc2 100644
|
||||
--- a/src/oidc_child/oidc_child_util.h
|
||||
+++ b/src/oidc_child/oidc_child_util.h
|
||||
@@ -61,6 +61,8 @@ struct devicecode_ctx {
|
||||
};
|
||||
|
||||
/* oidc_child_curl.c */
|
||||
+char *url_encode_string(TALLOC_CTX *mem_ctx, const char *inp);
|
||||
+
|
||||
errno_t init_curl(void *p);
|
||||
|
||||
void clean_http_data(struct devicecode_ctx *dc_ctx);
|
||||
--
|
||||
2.37.3
|
||||
|
@ -0,0 +1,89 @@
|
||||
From 3e296c70d56e2aa83ce882d2ac1738f85606fd7a Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 18 Aug 2022 14:01:34 +0200
|
||||
Subject: [PATCH 21/23] oidc_child: use client secret if available to get
|
||||
device code
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Some IdP have the concept of confidential client, i.e. clients where the
|
||||
client's secret can be stored safely by the related application. For a
|
||||
confidential client some IdPs expects that the client secret is used in
|
||||
all requests together with the client ID although OAuth2 specs currently
|
||||
only mention this explicitly for the token request. To make sure the
|
||||
device code can be requested in this case the client secret is added to
|
||||
the device code request if the secret is provided.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6146
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit a4d4617efeff871c5d2762e35f9dec57fa24fb1a)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/oidc_child/oidc_child.c | 2 +-
|
||||
src/oidc_child/oidc_child_curl.c | 12 +++++++++++-
|
||||
src/oidc_child/oidc_child_util.h | 2 +-
|
||||
3 files changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
|
||||
index aeeac3595..c8d35d5d8 100644
|
||||
--- a/src/oidc_child/oidc_child.c
|
||||
+++ b/src/oidc_child/oidc_child.c
|
||||
@@ -454,7 +454,7 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
|
||||
if (opts.get_device_code) {
|
||||
- ret = get_devicecode(dc_ctx, opts.client_id);
|
||||
+ ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
|
||||
goto done;
|
||||
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
|
||||
index df438e007..6e80c3abf 100644
|
||||
--- a/src/oidc_child/oidc_child_curl.c
|
||||
+++ b/src/oidc_child/oidc_child_curl.c
|
||||
@@ -428,7 +428,7 @@ done:
|
||||
#define DEFAULT_SCOPE "user"
|
||||
|
||||
errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
|
||||
- const char *client_id)
|
||||
+ const char *client_id, const char *client_secret)
|
||||
{
|
||||
int ret;
|
||||
|
||||
@@ -443,6 +443,16 @@ errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
+ if (client_secret != NULL) {
|
||||
+ post_data = talloc_asprintf_append(post_data, "&client_secret=%s",
|
||||
+ client_secret);
|
||||
+ if (post_data == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to add client secret to POST data.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
clean_http_data(dc_ctx);
|
||||
ret = do_http_request(dc_ctx, dc_ctx->device_authorization_endpoint,
|
||||
post_data, NULL);
|
||||
diff --git a/src/oidc_child/oidc_child_util.h b/src/oidc_child/oidc_child_util.h
|
||||
index ae5a72bc2..8b106ae79 100644
|
||||
--- a/src/oidc_child/oidc_child_util.h
|
||||
+++ b/src/oidc_child/oidc_child_util.h
|
||||
@@ -73,7 +73,7 @@ errno_t get_openid_configuration(struct devicecode_ctx *dc_ctx,
|
||||
errno_t get_jwks(struct devicecode_ctx *dc_ctx);
|
||||
|
||||
errno_t get_devicecode(struct devicecode_ctx *dc_ctx,
|
||||
- const char *client_id);
|
||||
+ const char *client_id, const char *client_secret);
|
||||
|
||||
errno_t get_token(TALLOC_CTX *mem_ctx,
|
||||
struct devicecode_ctx *dc_ctx, const char *client_id,
|
||||
--
|
||||
2.37.3
|
||||
|
@ -0,0 +1,67 @@
|
||||
From 55bfa944ad0197ae294d85ac42abf98297fa3a5d Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 18 Aug 2022 14:19:59 +0200
|
||||
Subject: [PATCH 22/23] oidc_child: increase wait interval by 5s if 'slow_down'
|
||||
is returned
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
While waiting for the user to authenticate with the IdP oidc_child
|
||||
currently only handles the error code 'authorization_pending' and waits
|
||||
for the given interval until a new request is send. But there is also
|
||||
'slow_down' which should not be treated as fatal error but should just
|
||||
increase the waiting time permanently for 5s.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6146
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 5ed7670766483040211713f8182510775c76b962)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/oidc_child/oidc_child_curl.c | 8 +++++++-
|
||||
src/oidc_child/oidc_child_json.c | 6 ++++++
|
||||
2 files changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/oidc_child/oidc_child_curl.c b/src/oidc_child/oidc_child_curl.c
|
||||
index 6e80c3abf..cf0976021 100644
|
||||
--- a/src/oidc_child/oidc_child_curl.c
|
||||
+++ b/src/oidc_child/oidc_child_curl.c
|
||||
@@ -378,8 +378,14 @@ errno_t get_token(TALLOC_CTX *mem_ctx,
|
||||
break;
|
||||
}
|
||||
|
||||
- sleep(dc_ctx->interval);
|
||||
waiting_time += dc_ctx->interval;
|
||||
+ if (waiting_time >= dc_ctx->expires_in) {
|
||||
+ /* Next sleep will end after the request is expired on the
|
||||
+ * server side, so we can just error out now. */
|
||||
+ ret = ETIMEDOUT;
|
||||
+ break;
|
||||
+ }
|
||||
+ sleep(dc_ctx->interval);
|
||||
} while (waiting_time < dc_ctx->expires_in);
|
||||
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/oidc_child/oidc_child_json.c b/src/oidc_child/oidc_child_json.c
|
||||
index efc1997aa..a89794c4c 100644
|
||||
--- a/src/oidc_child/oidc_child_json.c
|
||||
+++ b/src/oidc_child/oidc_child_json.c
|
||||
@@ -413,6 +413,12 @@ errno_t parse_token_result(struct devicecode_ctx *dc_ctx,
|
||||
if (strcmp(json_string_value(tmp), "authorization_pending") == 0) {
|
||||
json_decref(result);
|
||||
return EAGAIN;
|
||||
+ } else if (strcmp(json_string_value(tmp), "slow_down") == 0) {
|
||||
+ /* RFC 8628: "... the interval MUST be increased by 5 seconds for"
|
||||
+ * "this and all subsequent requests." */
|
||||
+ dc_ctx->interval += 5;
|
||||
+ json_decref(result);
|
||||
+ return EAGAIN;
|
||||
} else {
|
||||
*error_description = get_json_string(dc_ctx, result,
|
||||
"error_description");
|
||||
--
|
||||
2.37.3
|
||||
|
194
SOURCES/0023-oidc_child-add-client-secret-stdin-option.patch
Normal file
194
SOURCES/0023-oidc_child-add-client-secret-stdin-option.patch
Normal file
@ -0,0 +1,194 @@
|
||||
From 2f3cd781879e7063fcd996389071458587623e1c Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 22 Aug 2022 11:37:07 +0200
|
||||
Subject: [PATCH 23/23] oidc_child: add --client-secret-stdin option
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Since there is the use-case of confidential client which requires that
|
||||
the client secret must be sent to the IdP we should handle it
|
||||
confidentially by not putting it on the command line but sending it via
|
||||
stdin.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6146
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 1a475e0c537c905c80406ceb88c7b34e6400bc40)
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/oidc_child/oidc_child.c | 89 ++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 82 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/oidc_child/oidc_child.c b/src/oidc_child/oidc_child.c
|
||||
index c8d35d5d8..7758cdc25 100644
|
||||
--- a/src/oidc_child/oidc_child.c
|
||||
+++ b/src/oidc_child/oidc_child.c
|
||||
@@ -34,7 +34,7 @@
|
||||
#include "util/atomic_io.h"
|
||||
|
||||
#define IN_BUF_SIZE 4096
|
||||
-static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
|
||||
+static errno_t read_from_stdin(TALLOC_CTX *mem_ctx, char **out)
|
||||
{
|
||||
uint8_t buf[IN_BUF_SIZE];
|
||||
ssize_t len;
|
||||
@@ -56,7 +56,7 @@ static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
- str = talloc_strndup(dc_ctx, (char *) buf, len);
|
||||
+ str = talloc_strndup(mem_ctx, (char *) buf, len);
|
||||
sss_erase_mem_securely(buf, IN_BUF_SIZE);
|
||||
if (str == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
|
||||
@@ -65,21 +65,72 @@ static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx)
|
||||
talloc_set_destructor((void *) str, sss_erase_talloc_mem_securely);
|
||||
|
||||
if (strlen(str) != len) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Input contains additional data, "
|
||||
- "only JSON encoded device code expected.\n");
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Input contains additional data.\n");
|
||||
talloc_free(str);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
+ *out = str;
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+static errno_t read_device_code_from_stdin(struct devicecode_ctx *dc_ctx,
|
||||
+ const char **out)
|
||||
+{
|
||||
+ char *str;
|
||||
+ errno_t ret;
|
||||
+ char *sep;
|
||||
+
|
||||
+ ret = read_from_stdin(dc_ctx, &str);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ if (out != NULL) {
|
||||
+ /* expect the client secret in the first line */
|
||||
+ sep = strchr(str, '\n');
|
||||
+ if (sep == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Format error, expecting client secret and JSON data.\n");
|
||||
+ talloc_free(str);
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+ *sep = '\0';
|
||||
+ *out = str;
|
||||
+ sep++;
|
||||
+ } else {
|
||||
+ sep = str;
|
||||
+ }
|
||||
+
|
||||
clean_http_data(dc_ctx);
|
||||
- dc_ctx->http_data = str;
|
||||
+ dc_ctx->http_data = talloc_strdup(dc_ctx, sep);
|
||||
|
||||
DEBUG(SSSDBG_TRACE_ALL, "JSON device code: [%s].\n", dc_ctx->http_data);
|
||||
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static errno_t read_client_secret_from_stdin(struct devicecode_ctx *dc_ctx,
|
||||
+ const char **out)
|
||||
+{
|
||||
+ char *str;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ ret = read_from_stdin(dc_ctx, &str);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "read_from_stdin failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ *out = str;
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Client secret: [%s].\n", *out);
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static errno_t set_endpoints(struct devicecode_ctx *dc_ctx,
|
||||
const char *device_auth_endpoint,
|
||||
const char *token_endpoint,
|
||||
@@ -210,6 +261,7 @@ struct cli_opts {
|
||||
const char *jwks_uri;
|
||||
const char *scope;
|
||||
const char *client_secret;
|
||||
+ bool client_secret_stdin;
|
||||
const char *ca_db;
|
||||
const char *user_identifier_attr;
|
||||
bool libcurl_debug;
|
||||
@@ -253,6 +305,8 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
|
||||
{"client-id", 0, POPT_ARG_STRING, &opts->client_id, 0, _("Client ID"), NULL},
|
||||
{"client-secret", 0, POPT_ARG_STRING, &opts->client_secret, 0,
|
||||
_("Client secret (if needed)"), NULL},
|
||||
+ {"client-secret-stdin", 0, POPT_ARG_NONE, NULL, 's',
|
||||
+ _("Read client secret from standard input"), NULL},
|
||||
{"ca-db", 0, POPT_ARG_STRING, &opts->ca_db, 0,
|
||||
_("Path to PEM file with CA certificates"), NULL},
|
||||
{"libcurl-debug", 0, POPT_ARG_NONE, NULL, 'c',
|
||||
@@ -280,6 +334,9 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
|
||||
case 'c':
|
||||
opts->libcurl_debug = true;
|
||||
break;
|
||||
+ case 's':
|
||||
+ opts->client_secret_stdin = true;
|
||||
+ break;
|
||||
default:
|
||||
fprintf(stderr, "\nInvalid option %s: %s\n\n",
|
||||
poptBadOption(pc, 0), poptStrerror(opt));
|
||||
@@ -324,6 +381,12 @@ static int parse_cli(int argc, const char *argv[], struct cli_opts *opts)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (opts->client_secret != NULL && opts->client_secret_stdin) {
|
||||
+ fprintf(stderr, "\n--client-secret and --client-secret-stdin are "
|
||||
+ "mutually exclusive.\n\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
poptFreeContext(pc);
|
||||
print_usage = false;
|
||||
|
||||
@@ -454,6 +517,15 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
|
||||
if (opts.get_device_code) {
|
||||
+ if (opts.client_secret_stdin) {
|
||||
+ ret = read_client_secret_from_stdin(dc_ctx, &opts.client_secret);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to read client secret from stdin.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
ret = get_devicecode(dc_ctx, opts.client_id, opts.client_secret);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Failed to get device code.\n");
|
||||
@@ -463,7 +535,10 @@ int main(int argc, const char *argv[])
|
||||
|
||||
if (opts.get_access_token) {
|
||||
if (dc_ctx->device_code == NULL) {
|
||||
- ret = read_device_code_from_stdin(dc_ctx);
|
||||
+ ret = read_device_code_from_stdin(dc_ctx,
|
||||
+ opts.client_secret_stdin
|
||||
+ ? &opts.client_secret
|
||||
+ : NULL);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Failed to read device code from stdin.\n");
|
||||
--
|
||||
2.37.3
|
||||
|
@ -19,7 +19,7 @@
|
||||
|
||||
Name: sssd
|
||||
Version: 2.7.3
|
||||
Release: 4%{?dist}.1
|
||||
Release: 4%{?dist}.3
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -38,6 +38,18 @@ Patch0008: 0008-RESPONDER-Fix-client-ID-tracking.patch
|
||||
Patch0009: 0009-Analyzer-support-parallel-requests-parsing.patch
|
||||
Patch0010: 0010-CLIENT-fix-client-fd-leak.patch
|
||||
Patch0011: 0011-krb5-respect-krb5_validate-for-PAC-checks.patch
|
||||
Patch0012: 0012-Analyzer-Optimize-list-verbose-output.patch
|
||||
Patch0013: 0013-Analyzer-Ensure-parsed-id-contains-digit.patch
|
||||
Patch0014: 0014-TOOLS-don-t-export-internal-helpers.patch
|
||||
Patch0015: 0015-TOOLS-fixed-handling-of-init-error.patch
|
||||
Patch0016: 0016-SSSCTL-don-t-require-root-for-analyze-cmd.patch
|
||||
Patch0017: 0017-PAC-allow-to-disable-UPN-check.patch
|
||||
Patch0018: 0018-ipa-do-not-add-guessed-principal-to-the-cache.patch
|
||||
Patch0019: 0019-pac-relax-default-check.patch
|
||||
Patch0020: 0020-oidc_child-escape-scopes.patch
|
||||
Patch0021: 0021-oidc_child-use-client-secret-if-available-to-get-dev.patch
|
||||
Patch0022: 0022-oidc_child-increase-wait-interval-by-5s-if-slow_down.patch
|
||||
Patch0023: 0023-oidc_child-add-client-secret-stdin-option.patch
|
||||
|
||||
### Downstream Patches ###
|
||||
|
||||
@ -1188,6 +1200,14 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Thu Dec 15 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.3
|
||||
- Resolves: rhbz#2152883 - authenticating against external IdP services okta (native app) with OAuth client secret failed [rhel-8.7.0.z]
|
||||
|
||||
* Fri Dec 9 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.2
|
||||
- Resolves: rhbz#2139871 - Analyzer: Optimize and remove duplicate messages in verbose list [rhel-8.7.0.z]
|
||||
- Resolves: rhbz#2142961 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged [rhel-8.7.0.z]
|
||||
- Resolves: rhbz#2148989 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around [rhel-8.7.0.z]
|
||||
|
||||
* Thu Oct 13 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.7.3-4.1
|
||||
- Resolves: rhbz#2128544 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict) [rhel-8.7.0.z]
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user