Backport a bunch of upstream fixes

- Resolves: upstream#3821 - crash related to sbus_router_destructor()
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
                            differs from the default
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
                            might not be available on all distributions
- Resolves: upstream#3820 - sudo: search with lower cased name for case
                            insensitive domains
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
                            an allow-any default to a deny-any default when it
                            can't find any GPOs to apply to a user login.
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
                            startup
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
                            also for local account authentication
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
                            commands in man pages since local provider is
                            deprecated
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
                            started due to a misconfiguration
- Resolves: upstream#3830 - Printing incorrect information about domain with
                            sssctl utility
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
                            changes in nsswitch.conf
- Resovles: upstream#3650 - RFE: Require smartcard authentication
- Resolves: upstream#3334 - sssctl config-check does not check any special
                            characters in domain name of domain section
- Resolves: upstream#3849 - Files: The files provider always enumerates
                            which causes duplicate when running getent passwd
- Related: upstream#3855 - session not recording for local user when groups
                           defined
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
- Related: upstream#3493 - Remove the pysss.local interface
This commit is contained in:
Michal Židek 2018-10-24 10:34:15 +02:00
parent 129efc7839
commit c0971b7e39
68 changed files with 9567 additions and 68 deletions

View File

@ -0,0 +1,48 @@
From 55d5b43543b5ef62322fe635fe8108410cb4ea77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 5 Sep 2018 15:08:52 +0200
Subject: [PATCH 08/83] sbus: register filter on new connection
The filter is not again registered on new connection when the old connection
was lost. This caused a segfault when the router is destroyed during shutdown.
It also would not allow to recieve and process any messages as the filter
function is needed for that. However, this was not very visible with
current sssd architecture.
Steps to reproduce:
1. Run SSSD
2. pkill sssd_be
3. Wait for responders to reconnect to backend
4. Shutdown SSSD
5. It will crash without this patch
Resolves:
https://pagure.io/SSSD/sssd/issue/3821
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/router/sbus_router.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/sbus/router/sbus_router.c b/src/sbus/router/sbus_router.c
index 24c2c76..d31cef1 100644
--- a/src/sbus/router/sbus_router.c
+++ b/src/sbus/router/sbus_router.c
@@ -364,6 +364,13 @@ errno_t
sbus_router_reset(struct sbus_connection *conn)
{
errno_t ret;
+ bool bret;
+
+ bret = sbus_router_filter_add(conn->router);
+ if (!bret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register message filter!\n");
+ return EFAULT;
+ }
ret = sbus_router_reset_listeners(conn);
if (ret != EOK) {
--
2.9.5

26
0006-sbus-fix-typo.patch Normal file
View File

@ -0,0 +1,26 @@
From 8c8f74b0dfa29643279d31b12300ced47d5c2ab5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 16 Aug 2018 11:42:44 +0200
Subject: [PATCH 09/83] sbus: fix typo
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/sbus_message.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
index 99dd930..92d5cea 100644
--- a/src/sbus/sbus_message.h
+++ b/src/sbus/sbus_message.h
@@ -49,7 +49,7 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
*
* DO NOT USE dbus_message_unref() on such message anymore since it would not
* release internal data about the bound. The message will be automatically
- * unreferenced whent the talloc context is freed.
+ * unreferenced when the talloc context is freed.
*
* @param mem_ctx Memory context to bound the message with. It can not be NULL.
* @param msg Message to be bound with memory context.
--
2.9.5

View File

@ -0,0 +1,41 @@
From 30f4adf874aff174734ad77902a79fc5727ab495 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 16 Aug 2018 12:57:47 +0200
Subject: [PATCH 10/83] sbus: check for null message in sbus_message_bound
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/request/sbus_message.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/sbus/request/sbus_message.c b/src/sbus/request/sbus_message.c
index 950be91..7314fd7 100644
--- a/src/sbus/request/sbus_message.c
+++ b/src/sbus/request/sbus_message.c
@@ -83,6 +83,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
return EINVAL;
}
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
+ return EINVAL;
+ }
+
/* Create a talloc context that will unreference this message when
* the parent context is freed. */
talloc_msg = talloc(mem_ctx, struct sbus_talloc_msg);
@@ -122,6 +127,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
errno_t
sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg)
{
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
+ return EINVAL;
+ }
+
dbus_message_ref(msg);
return sbus_message_bound(mem_ctx, msg);
}
--
2.9.5

View File

@ -0,0 +1,336 @@
From ca50c40511f08c0f7c786598e5793a06789c6cce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 16 Aug 2018 13:17:13 +0200
Subject: [PATCH 11/83] sbus: replace sbus_message_bound_ref with
sbus_message_bound_steal
The memory context used to new message reference accidentally overwrote
the one use by the initial sbus_message_bound call. This caused a memory
leak of message as its reference counter got increased but number of
talloc contexts bound this this message decreased at the same time.
Fixing this is non-trival and it would require separate data slot for
each reference. Because we do not have any existing use case for this
and we use it only as an equivalent of talloc_steal it is better to
provide a real equivalent for this talloc function.
Resolves:
https://pagure.io/SSSD/sssd/issue/3810
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c | 4 +-
src/sbus/codegen/templates/client_async.c.tpl | 4 +-
src/sbus/codegen/templates/client_sync.c.tpl | 4 +-
src/sbus/interface_dbus/sbus_dbus_client_async.c | 8 ++--
src/sbus/interface_dbus/sbus_dbus_client_sync.c | 8 ++--
src/sbus/request/sbus_message.c | 51 +++++++++++++++++-----
src/sbus/request/sbus_request.c | 10 ++---
src/sbus/request/sbus_request_call.c | 5 +--
src/sbus/sbus_message.h | 8 +---
src/sbus/sync/sbus_sync_call.c | 5 +--
10 files changed, 65 insertions(+), 42 deletions(-)
diff --git a/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c b/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
index 4859b93..1f0a8e3 100644
--- a/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
+++ b/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
@@ -526,9 +526,9 @@ sbus_method_in_sas_out_raw
goto done;
}
- ret = sbus_message_bound_ref(mem_ctx, reply);
+ ret = sbus_message_bound_steal(mem_ctx, reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
diff --git a/src/sbus/codegen/templates/client_async.c.tpl b/src/sbus/codegen/templates/client_async.c.tpl
index 6ffb4f8..e16ce42 100644
--- a/src/sbus/codegen/templates/client_async.c.tpl
+++ b/src/sbus/codegen/templates/client_async.c.tpl
@@ -193,9 +193,9 @@
return EINVAL;
}
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
diff --git a/src/sbus/codegen/templates/client_sync.c.tpl b/src/sbus/codegen/templates/client_sync.c.tpl
index 30fa009..fe9a3a4 100644
--- a/src/sbus/codegen/templates/client_sync.c.tpl
+++ b/src/sbus/codegen/templates/client_sync.c.tpl
@@ -110,9 +110,9 @@
goto done;
}
- ret = sbus_message_bound_ref(mem_ctx, reply);
+ ret = sbus_message_bound_steal(mem_ctx, reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
diff --git a/src/sbus/interface_dbus/sbus_dbus_client_async.c b/src/sbus/interface_dbus/sbus_dbus_client_async.c
index 9dbd72c..0060e8b 100644
--- a/src/sbus/interface_dbus/sbus_dbus_client_async.c
+++ b/src/sbus/interface_dbus/sbus_dbus_client_async.c
@@ -301,9 +301,9 @@ sbus_method_in_s_out_raw_recv
return EINVAL;
}
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
@@ -513,9 +513,9 @@ sbus_method_in_ss_out_raw_recv
return EINVAL;
}
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
diff --git a/src/sbus/interface_dbus/sbus_dbus_client_sync.c b/src/sbus/interface_dbus/sbus_dbus_client_sync.c
index a0473cd..3ab0aab 100644
--- a/src/sbus/interface_dbus/sbus_dbus_client_sync.c
+++ b/src/sbus/interface_dbus/sbus_dbus_client_sync.c
@@ -101,9 +101,9 @@ sbus_method_in_s_out_raw
goto done;
}
- ret = sbus_message_bound_ref(mem_ctx, reply);
+ ret = sbus_message_bound_steal(mem_ctx, reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
@@ -159,9 +159,9 @@ sbus_method_in_ss_out_raw
goto done;
}
- ret = sbus_message_bound_ref(mem_ctx, reply);
+ ret = sbus_message_bound_steal(mem_ctx, reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
diff --git a/src/sbus/request/sbus_message.c b/src/sbus/request/sbus_message.c
index 7314fd7..90c6df4 100644
--- a/src/sbus/request/sbus_message.c
+++ b/src/sbus/request/sbus_message.c
@@ -29,8 +29,9 @@
#include "sbus/interface/sbus_iterator_writers.h"
/* Data slot that is used for message data. The slot is shared for all
- * messages. */
-dbus_int32_t data_slot = -1;
+ * messages, i.e. when a data slot is allocated all messages have the
+ * slot available. */
+dbus_int32_t global_data_slot = -1;
struct sbus_talloc_msg {
DBusMessage *msg;
@@ -48,7 +49,7 @@ static int sbus_talloc_msg_destructor(struct sbus_talloc_msg *talloc_msg)
/* There may exist more references to this message but this talloc
* context is no longer valid. We remove dbus message data to invoke
* dbus destructor now. */
- dbus_message_set_data(talloc_msg->msg, data_slot, NULL, NULL);
+ dbus_message_set_data(talloc_msg->msg, global_data_slot, NULL, NULL);
dbus_message_unref(talloc_msg->msg);
return 0;
}
@@ -60,7 +61,7 @@ static void sbus_msg_data_destructor(void *ctx)
talloc_msg = talloc_get_type(ctx, struct sbus_talloc_msg);
/* Decrement ref counter on data slot. */
- dbus_message_free_data_slot(&data_slot);
+ dbus_message_free_data_slot(&global_data_slot);
if (!talloc_msg->in_talloc_destructor) {
/* References to this message dropped to zero but through
@@ -100,7 +101,8 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
/* Allocate a dbus message data slot that will contain pointer to the
* talloc context so we can pick up cases when the dbus message is
* freed through dbus api. */
- bret = dbus_message_allocate_data_slot(&data_slot);
+
+ bret = dbus_message_allocate_data_slot(&global_data_slot);
if (!bret) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to allocate data slot!\n");
talloc_free(talloc_msg);
@@ -108,11 +110,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
}
free_fn = sbus_msg_data_destructor;
- bret = dbus_message_set_data(msg, data_slot, talloc_msg, free_fn);
+ bret = dbus_message_set_data(msg, global_data_slot, talloc_msg, free_fn);
if (!bret) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set message data!\n");
talloc_free(talloc_msg);
- dbus_message_free_data_slot(&data_slot);
+ dbus_message_free_data_slot(&global_data_slot);
return ENOMEM;
}
@@ -125,15 +127,44 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
}
errno_t
-sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg)
+sbus_message_bound_steal(TALLOC_CTX *mem_ctx, DBusMessage *msg)
{
+ struct sbus_talloc_msg *talloc_msg;
+ void *data;
+
+ if (mem_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Warning: bounding to NULL context!\n");
+ return EINVAL;
+ }
+
if (msg == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
return EINVAL;
}
- dbus_message_ref(msg);
- return sbus_message_bound(mem_ctx, msg);
+ if (global_data_slot < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
+ "(data slot < 0)\n");
+ return ERR_INTERNAL;
+ }
+
+ data = dbus_message_get_data(msg, global_data_slot);
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
+ "(returned data is NULL)\n");
+ return ERR_INTERNAL;
+ }
+
+ talloc_msg = talloc_get_type(data, struct sbus_talloc_msg);
+ if (talloc_msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
+ "(invalid data)\n");
+ return ERR_INTERNAL;
+ }
+
+ talloc_steal(mem_ctx, talloc_msg);
+
+ return EOK;
}
DBusMessage *
diff --git a/src/sbus/request/sbus_request.c b/src/sbus/request/sbus_request.c
index 3d0e2f9..1ccd01e 100644
--- a/src/sbus/request/sbus_request.c
+++ b/src/sbus/request/sbus_request.c
@@ -564,10 +564,9 @@ sbus_incoming_request_recv(TALLOC_CTX *mem_ctx,
return EOK;
}
- /* Create new reference to the reply and bound it with caller mem_ctx. */
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
@@ -709,10 +708,9 @@ sbus_outgoing_request_recv(TALLOC_CTX *mem_ctx,
TEVENT_REQ_RETURN_ON_ERROR(req);
- /* Create new reference to the reply and bound it with caller mem_ctx. */
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
diff --git a/src/sbus/request/sbus_request_call.c b/src/sbus/request/sbus_request_call.c
index 1cf58bd..cf2a6e5 100644
--- a/src/sbus/request/sbus_request_call.c
+++ b/src/sbus/request/sbus_request_call.c
@@ -126,10 +126,9 @@ sbus_call_method_recv(TALLOC_CTX *mem_ctx,
TEVENT_REQ_RETURN_ON_ERROR(req);
- /* Create new reference to the reply and bound it with caller mem_ctx. */
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
index 92d5cea..e7b8fe5 100644
--- a/src/sbus/sbus_message.h
+++ b/src/sbus/sbus_message.h
@@ -45,11 +45,7 @@ errno_t
sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
/**
- * Reference the message and bound it with talloc context.
- *
- * DO NOT USE dbus_message_unref() on such message anymore since it would not
- * release internal data about the bound. The message will be automatically
- * unreferenced when the talloc context is freed.
+ * Steal previously bound D-Bus message to a new talloc parent.
*
* @param mem_ctx Memory context to bound the message with. It can not be NULL.
* @param msg Message to be bound with memory context.
@@ -57,7 +53,7 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
* @return EOK on success, other errno code on error.
*/
errno_t
-sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg);
+sbus_message_bound_steal(TALLOC_CTX *mem_ctx, DBusMessage *msg);
/**
* Create an empty D-Bus method call.
diff --git a/src/sbus/sync/sbus_sync_call.c b/src/sbus/sync/sbus_sync_call.c
index 8549e58..a4f8a5c 100644
--- a/src/sbus/sync/sbus_sync_call.c
+++ b/src/sbus/sync/sbus_sync_call.c
@@ -63,10 +63,9 @@ sbus_sync_call_method(TALLOC_CTX *mem_ctx,
goto done;
}
- /* Create new reference to the reply and bound it with caller mem_ctx. */
- ret = sbus_message_bound_ref(mem_ctx, reply);
+ ret = sbus_message_bound_steal(mem_ctx, reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
--
2.9.5

View File

@ -0,0 +1,663 @@
From c895fa2449900f4abd1dce6bb62a45c52bbb12cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 16 Aug 2018 13:20:55 +0200
Subject: [PATCH 12/83] sbus: add unit tests for public sbus_message module
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
Makefile.am | 14 +
src/tests/cmocka/sbus/test_sbus_message.c | 610 ++++++++++++++++++++++++++++++
2 files changed, 624 insertions(+)
create mode 100644 src/tests/cmocka/sbus/test_sbus_message.c
diff --git a/Makefile.am b/Makefile.am
index 1b4f044..11d0405 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -270,6 +270,7 @@ if HAVE_CMOCKA
test_copy_keytab \
test_child_common \
responder_cache_req-tests \
+ test_sbus_message \
test_sbus_opath \
test_fo_srv \
pam-srv-tests \
@@ -2594,6 +2595,19 @@ test_ssh_client_LDADD = \
$(SSSD_LIBS) \
$(NULL)
+test_sbus_message_SOURCES = \
+ src/tests/cmocka/sbus/test_sbus_message.c \
+ $(NULL)
+test_sbus_message_CFLAGS = \
+ $(AM_CFLAGS)
+test_sbus_message_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ libsss_debug.la \
+ libsss_test_common.la \
+ libsss_sbus.la \
+ $(NULL)
+
test_sbus_opath_SOURCES = \
src/tests/cmocka/sbus/test_sbus_opath.c \
$(NULL)
diff --git a/src/tests/cmocka/sbus/test_sbus_message.c b/src/tests/cmocka/sbus/test_sbus_message.c
new file mode 100644
index 0000000..c01e168
--- /dev/null
+++ b/src/tests/cmocka/sbus/test_sbus_message.c
@@ -0,0 +1,610 @@
+/*
+ Authors:
+ Jakub Hrozek <jhrozek@redhat.com>
+ Pavel Březina <pbrezina@redhat.com>
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "config.h"
+
+#include <talloc.h>
+#include <errno.h>
+#include <popt.h>
+
+#include "util/util.h"
+#include "sbus/sbus_message.h"
+#include "tests/cmocka/common_mock.h"
+#include "tests/common.h"
+
+#define BASE_PATH "/some/path"
+
+struct test_ctx {
+ bool msg_removed;
+};
+
+static void helper_msg_removed(void *state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(state, struct test_ctx);
+
+ test_ctx->msg_removed = true;
+}
+
+static void helper_msg_watch(struct test_ctx *test_ctx, DBusMessage *msg)
+{
+ DBusFreeFunction free_fn;
+ dbus_int32_t data_slot = -1;
+ dbus_bool_t bret;
+
+ assert_non_null(msg);
+
+ bret = dbus_message_allocate_data_slot(&data_slot);
+ assert_true(bret);
+
+ free_fn = helper_msg_removed;
+ bret = dbus_message_set_data(msg, data_slot, test_ctx, free_fn);
+ assert_true(bret);
+}
+
+static int test_setup(void **state)
+{
+ struct test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_ctx);
+ assert_non_null(test_ctx);
+ *state = test_ctx;
+
+ check_leaks_push(test_ctx);
+
+ return 0;
+}
+
+int test_teardown(void **state)
+{
+ struct test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_zfree(test_ctx);
+ assert_true(leak_check_teardown());
+
+ return 0;
+}
+
+void test_sbus_message_bound__null(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+
+ ret = sbus_message_bound(NULL, msg);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sbus_message_bound(test_ctx, NULL);
+ assert_int_equal(ret, EINVAL);
+
+ dbus_message_unref(msg);
+}
+
+void test_sbus_message_bound__unref(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ ret = sbus_message_bound(test_ctx, msg);
+ assert_int_equal(ret, EOK);
+
+ /* no memory leak should be detected in teardown */
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_message_bound__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ DBusMessage *msg;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ ret = sbus_message_bound(tmp_ctx, msg);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(tmp_ctx);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_message_bound_steal__null(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ ret = sbus_message_bound_steal(NULL, msg);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sbus_message_bound_steal(test_ctx, NULL);
+ assert_int_equal(ret, EINVAL);
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_message_bound_steal__invalid(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ ret = sbus_message_bound_steal(test_ctx, msg);
+ assert_int_equal(ret, ERR_INTERNAL);
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_message_bound_steal__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ TALLOC_CTX *tmp_ctx_steal;
+ DBusMessage *msg;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ tmp_ctx_steal = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx_steal);
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ ret = sbus_message_bound(tmp_ctx, msg);
+ assert_int_equal(ret, EOK);
+
+ /* this will increase ref counter of message and add new talloc bound */
+ ret = sbus_message_bound_steal(tmp_ctx_steal, msg);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(tmp_ctx);
+ assert_false(test_ctx->msg_removed);
+ talloc_free(tmp_ctx_steal);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_method_create_empty__unref(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+
+ msg = sbus_method_create_empty(NULL, "bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_method_create_empty__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ DBusMessage *msg;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ msg = sbus_method_create_empty(tmp_ctx, "bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ talloc_free(tmp_ctx);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_method_create__unref(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ dbus_bool_t dbret;
+ uint32_t in_value = 32;
+ uint32_t out_value;
+
+ msg = sbus_method_create(NULL, "bus.test", "/", "iface.test", "method",
+ DBUS_TYPE_UINT32, &in_value);
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ dbret = dbus_message_get_args(msg, NULL,
+ DBUS_TYPE_UINT32, &out_value,
+ DBUS_TYPE_INVALID);
+ assert_true(dbret);
+ assert_int_equal(out_value, 32);
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_method_create__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ DBusMessage *msg;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ msg = sbus_method_create_empty(tmp_ctx, "bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ talloc_free(tmp_ctx);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_signal_create_empty__unref(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+
+ msg = sbus_signal_create_empty(NULL, "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
+ assert_null(dbus_message_get_destination(msg));
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_signal_create_empty__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ DBusMessage *msg;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ msg = sbus_signal_create_empty(tmp_ctx, "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
+ assert_null(dbus_message_get_destination(msg));
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ talloc_free(tmp_ctx);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_signal_create__unref(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ dbus_bool_t dbret;
+ uint32_t in_value = 32;
+ uint32_t out_value;
+
+ msg = sbus_signal_create(NULL, "/", "iface.test", "method",
+ DBUS_TYPE_UINT32, &in_value);
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
+ assert_null(dbus_message_get_destination(msg));
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ dbret = dbus_message_get_args(msg, NULL,
+ DBUS_TYPE_UINT32, &out_value,
+ DBUS_TYPE_INVALID);
+ assert_true(dbret);
+ assert_int_equal(out_value, 32);
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_signal_create__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ DBusMessage *msg;
+ dbus_bool_t dbret;
+ uint32_t in_value = 32;
+ uint32_t out_value;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ msg = sbus_signal_create(tmp_ctx, "/", "iface.test", "method",
+ DBUS_TYPE_UINT32, &in_value);
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
+ assert_null(dbus_message_get_destination(msg));
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ dbret = dbus_message_get_args(msg, NULL,
+ DBUS_TYPE_UINT32, &out_value,
+ DBUS_TYPE_INVALID);
+ assert_true(dbret);
+ assert_int_equal(out_value, 32);
+
+ talloc_free(tmp_ctx);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_reply_parse__ok(void **state)
+{
+ DBusMessage *msg;
+ DBusMessage *reply;
+ dbus_bool_t dbret;
+ uint32_t in_value1 = 32;
+ uint32_t in_value2 = 64;
+ uint32_t out_value1;
+ uint32_t out_value2;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ reply = dbus_message_new_method_return(msg);
+ assert_non_null(reply);
+
+ dbret = dbus_message_append_args(reply, DBUS_TYPE_UINT32, &in_value1,
+ DBUS_TYPE_UINT32, &in_value2,
+ DBUS_TYPE_INVALID);
+ assert_true(dbret);
+
+ ret = sbus_reply_parse(reply, DBUS_TYPE_UINT32, &out_value1,
+ DBUS_TYPE_UINT32, &out_value2);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(out_value1, in_value1);
+ assert_int_equal(out_value2, in_value2);
+
+ dbus_message_unref(msg);
+ dbus_message_unref(reply);
+}
+
+void test_sbus_reply_parse__error(void **state)
+{
+ DBusMessage *msg;
+ DBusMessage *reply;
+ uint32_t out_value1;
+ uint32_t out_value2;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ reply = dbus_message_new_error(msg, SBUS_ERROR_KILLED, "Test error!");
+ assert_non_null(reply);
+
+ ret = sbus_reply_parse(reply, DBUS_TYPE_UINT32, &out_value1,
+ DBUS_TYPE_UINT32, &out_value2);
+ assert_int_equal(ret, ERR_SBUS_KILL_CONNECTION);
+
+ dbus_message_unref(msg);
+ dbus_message_unref(reply);
+}
+
+void test_sbus_reply_parse__wrong_type(void **state)
+{
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ ret = sbus_reply_parse(msg);
+ assert_int_not_equal(ret, EOK);
+
+ dbus_message_unref(msg);
+}
+
+void test_sbus_reply_check__ok(void **state)
+{
+ DBusMessage *msg;
+ DBusMessage *reply;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ reply = dbus_message_new_method_return(msg);
+ assert_non_null(reply);
+
+ ret = sbus_reply_check(reply);
+ assert_int_equal(ret, EOK);
+
+ dbus_message_unref(msg);
+ dbus_message_unref(reply);
+}
+
+void test_sbus_reply_check__error(void **state)
+{
+ DBusMessage *msg;
+ DBusMessage *reply;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ reply = dbus_message_new_error(msg, SBUS_ERROR_KILLED, "Test error!");
+ assert_non_null(reply);
+
+ ret = sbus_reply_check(reply);
+ assert_int_equal(ret, ERR_SBUS_KILL_CONNECTION);
+
+ dbus_message_unref(msg);
+ dbus_message_unref(reply);
+}
+
+void test_sbus_reply_check__wrong_type(void **state)
+{
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ ret = sbus_reply_check(msg);
+ assert_int_not_equal(ret, EOK);
+
+ dbus_message_unref(msg);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__null,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__unref,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__null,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__invalid,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_method_create_empty__unref,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_method_create_empty__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_method_create__unref,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_method_create__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create_empty__unref,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create_empty__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create__unref,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__ok,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__error,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__wrong_type,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__ok,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__error,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__wrong_type,
+ test_setup, test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
--
2.9.5

View File

@ -0,0 +1,145 @@
From 945865ae16120ffade267227ca48cefd58822fd2 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 23 Aug 2018 13:55:51 +0200
Subject: [PATCH 13/83] SELINUX: Always add SELinux user to the semanage
database if it doesn't exist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously, we tried to optimize too much and only set the SELinux user
to Linux user mapping in case the SELinux user was different from the
system default. But this doesn't work for the case where the Linux user
has a non-standard home directory, because then SELinux would not have
any idea that this user's home directory should be labeled as a home
directory.
This patch relaxes the optimization in the sense that on the first
login, the SELinux context is saved regardless of whether it is the same
as the default or different.
Resolves:
https://pagure.io/SSSD/sssd/issue/3819
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/providers/ipa/selinux_child.c | 10 ++++++++--
src/util/sss_semanage.c | 30 ++++++++++++++++++++++++++++++
src/util/util.h | 1 +
src/util/util_errors.c | 1 +
src/util/util_errors.h | 1 +
5 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index d061417..925591e 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,
ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
DEBUG(SSSDBG_TRACE_INTERNAL,
- "getseuserbyname: ret: %d seuser: %s mls: %s\n",
+ "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
ret, db_seuser ? db_seuser : "unknown",
db_mls_range ? db_mls_range : "unknown");
if (ret == EOK && db_seuser && db_mls_range &&
strcmp(db_seuser, seuser) == 0 &&
strcmp(db_mls_range, mls_range) == 0) {
- needs_update = false;
+ ret = sss_seuser_exists(username);
+ if (ret == EOK) {
+ needs_update = false;
+ }
}
/* OR */
if (ret == ERR_SELINUX_NOT_MANAGED) {
@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,
free(db_seuser);
free(db_mls_range);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "The SELinux user does %sneed an update\n",
+ needs_update ? "" : "not ");
return needs_update;
}
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index bcce57b..aea0385 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -248,6 +248,36 @@ done:
return ret;
}
+int sss_seuser_exists(const char *linuxuser)
+{
+ int ret;
+ int exists;
+ semanage_seuser_key_t *sm_key = NULL;
+ semanage_handle_t *sm_handle = NULL;
+
+ ret = sss_semanage_init(&sm_handle);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);
+ if (ret < 0) {
+ sss_semanage_close(sm_handle);
+ return EIO;
+ }
+
+ ret = semanage_seuser_exists(sm_handle, sm_key, &exists);
+ semanage_seuser_key_free(sm_key);
+ sss_semanage_close(sm_handle);
+ if (ret < 0) {
+ return EIO;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");
+
+ return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;
+}
+
int sss_get_seuser(const char *linuxuser,
char **selinuxuser,
char **level)
diff --git a/src/util/util.h b/src/util/util.h
index 867acf2..59e7a96 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -663,6 +663,7 @@ int sss_del_seuser(const char *login_name);
int sss_get_seuser(const char *linuxuser,
char **selinuxuser,
char **level);
+int sss_seuser_exists(const char *linuxuser);
/* convert time from generalized form to unix time */
errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 920a178..5f8a2a2 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
{ "LDAP search returned a referral" }, /* ERR_REFERRAL */
{ "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
{ "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
+ { "SELinux user does not exist" }, /* ERR_SELINUX_USER_NOT_FOUND */
{ "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
{ "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
{ "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 5a50936..c6731d4 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -97,6 +97,7 @@ enum sssd_errors {
ERR_REFERRAL,
ERR_SELINUX_CONTEXT,
ERR_SELINUX_NOT_MANAGED,
+ ERR_SELINUX_USER_NOT_FOUND,
ERR_REGEX_NOMATCH,
ERR_TIMESPEC_NOT_SUPPORTED,
ERR_INVALID_CONFIG,
--
2.9.5

View File

@ -0,0 +1,44 @@
From 1e2398870e8aa512ead3012d46cbe6252429467a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 10 Sep 2018 15:35:45 +0200
Subject: [PATCH 16/83] intg: flush the SSSD caches to sync with files
To make sure that SSSD has synced with the latest data added to the
passwd file sss_cache is called in two places where the current sync
scheme was not reliable. This was mainly observed when running the
integration tests on Debian.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/test_files_provider.py | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 9f30d2b..ead1cc4 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -644,6 +644,10 @@ def test_enum_users(setup_pw_with_canary, files_domain_only):
user = user_generator(i)
setup_pw_with_canary.useradd(**user)
+ # syncing with the help of the canary is not reliable after adding
+ # multiple users because the canary might still be in some caches so that
+ # the data is not refreshed properly.
+ subprocess.call(["sss_cache", "-E"])
sssd_getpwnam_sync(CANARY["name"])
user_list = call_sssd_enumeration()
# +1 because the canary is added
@@ -1043,6 +1047,10 @@ def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
# Add this user and verify it's been added as a member
pwd_ops.useradd(**USER2)
+ # The negative cache might still have user2 from the previous request,
+ # flushing the caches might help to prevent a failed lookup after adding
+ # the user.
+ subprocess.call(["sss_cache", "-E"])
res, groups = sssd_id_sync('user2')
assert res == sssd_id.NssReturnCode.SUCCESS
assert len(groups) == 2
--
2.9.5

View File

@ -0,0 +1,87 @@
From b03179ead11db7dbfd6a00d3eeef3dac0990f826 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 10 Sep 2018 15:40:14 +0200
Subject: [PATCH 17/83] sbus: dectect python binary for sbus_generate.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We already detect python2 and python3 binaries during configure. With
this patch PYTHON_EXEC is set to the python3 binary if python3 bindings
are generated and to the python2 binary otherwise. With the help of an
environment variable sbus_generate.sh is made aware of it.
Related to https://pagure.io/SSSD/sssd/issue/3807
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 4 ++--
configure.ac | 8 ++++++++
sbus_generate.sh => sbus_generate.sh.in | 2 +-
3 files changed, 11 insertions(+), 3 deletions(-)
rename sbus_generate.sh => sbus_generate.sh.in (93%)
diff --git a/Makefile.am b/Makefile.am
index 11d0405..deb9ce3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1020,14 +1020,14 @@ libsss_cert_la_LDFLAGS = \
$(NULL)
generate-sbus-code:
- $(srcdir)/sbus_generate.sh $(abs_srcdir)
+ $(builddir)/sbus_generate.sh $(abs_srcdir)
.PHONY: generate-sbus-code
BUILT_SOURCES += generate-sbus-code
EXTRA_DIST += \
- sbus_generate.sh \
+ sbus_generate.sh.in \
src/sbus/codegen/dbus.xml \
src/sbus/codegen/sbus_CodeGen.py \
src/sbus/codegen/sbus_DataType.py \
diff --git a/configure.ac b/configure.ac
index 1aac65f..bb18ad4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -373,6 +373,13 @@ them please use argument --without-python3-bindings when running configure.])])
SSS_CLEAN_PYTHON_VARIABLES
fi
+if test x$HAVE_PYTHON3_BINDINGS = x1; then
+ PYTHON_EXEC=$PYTHON3
+else
+ PYTHON_EXEC=$PYTHON2
+fi
+AC_SUBST(PYTHON_EXEC)
+
AM_CONDITIONAL([BUILD_PYTHON_BINDINGS],
[test x"$with_python2_bindings" = xyes \
-o x"$with_python3_bindings" = xyes])
@@ -524,4 +531,5 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
src/config/setup.py
src/systemtap/sssd.stp
src/config/SSSDConfig/__init__.py])
+AC_CONFIG_FILES([sbus_generate.sh], [chmod +x sbus_generate.sh])
AC_OUTPUT
diff --git a/sbus_generate.sh b/sbus_generate.sh.in
similarity index 93%
rename from sbus_generate.sh
rename to sbus_generate.sh.in
index 338fd9d..b2c695e 100755
--- a/sbus_generate.sh
+++ b/sbus_generate.sh.in
@@ -13,7 +13,7 @@ generate() {
echo "Generating sbus code for: $XML"
- python $CODEGEN --sbus sbus --util util \
+ @PYTHON_EXEC@ $CODEGEN --sbus sbus --util util \
--headers "$HEADERS" \
--dest "$SRCDIR/src/$DEST" \
--fileprefix "sbus_${PREFIX}_" \
--
2.9.5

View File

@ -0,0 +1,68 @@
From d7f0b58e2896ed2ef9ed5a390815c1e4df6caaee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 6 Sep 2018 13:38:56 +0200
Subject: [PATCH 18/83] sudo: respect case sensitivity in sudo responder
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the domain is not case sensitive and the case of the original user
or group name differs from the name in the rule we failed to find the
rule.
Now we filter the rule only with lower cased values in such domain.
Steps to reproduce:
1. Add user/group with upper case, e.g. USER-1
2. Add sudo rule with lower cased name, e.g. sudoUser: user-1
3. Login to system with lower case, e.g. user-1
4. Run sudo -l
Without the patch, rule is not found.
Resolves:
https://pagure.io/SSSD/sssd/issue/3820
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/db/sysdb_sudo.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 3ad462d..19ed97b 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -418,7 +418,17 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
ret = EINVAL;
goto done;
}
- DEBUG(SSSDBG_TRACE_FUNC, "original name: %s\n", orig_name);
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Original name: %s\n", orig_name);
+
+ orig_name = sss_get_cased_name(tmp_ctx, orig_name, domain->case_sensitive);
+ if (orig_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Cased name: %s\n", orig_name);
if (_uid != NULL) {
uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
@@ -450,8 +460,9 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
continue;
}
- sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames,
- groupname);
+ sysdb_groupnames[num_groups] = \
+ sss_get_cased_name(sysdb_groupnames, groupname,
+ domain->case_sensitive);
if (sysdb_groupnames[num_groups] == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname);
continue;
--
2.9.5

View File

@ -0,0 +1,130 @@
From 3bd67c772c951f33422261ef658a104ccecc9561 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 3 Jul 2018 20:03:39 +0200
Subject: [PATCH 19/83] GPO: Add gpo_implicit_deny option
This option (when set to True) can be used to deny access to
users even if there is not applicable GPO. Normally users are
allowed access in this situation.
Resolves:
https://pagure.io/SSSD/sssd/issue/3701
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/config/cfg_rules.ini | 1 +
src/man/sssd-ad.5.xml | 21 +++++++++++++++++++++
src/providers/ad/ad_common.h | 1 +
src/providers/ad/ad_gpo.c | 13 ++++++++++++-
src/providers/ad/ad_opts.c | 1 +
5 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 36e83a9..78f215e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -437,6 +437,7 @@ option = ad_enable_dns_sites
option = ad_enabled_domains
option = ad_enable_gc
option = ad_gpo_access_control
+option = ad_gpo_implicit_deny
option = ad_gpo_cache_timeout
option = ad_gpo_default_right
option = ad_gpo_map_batch
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index f43c7fc..0eac382 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -418,6 +418,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
</varlistentry>
<varlistentry>
+ <term>ad_gpo_implicit_deny (boolean)</term>
+ <listitem>
+ <para>
+ Normally when no applicable GPOs are found the
+ users are allowed access. When this option is set
+ to True users will be allowed access only when
+ explicitly allowed by a GPO rule. Otherwise users
+ will be denied access. This can be used to harden
+ security but be careful when using this option
+ because it can deny access even to users in the
+ built-in Administrators group if no GPO rules
+ apply to them.
+ </para>
+ <para>
+ Default: False (seconds)
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
<term>ad_gpo_cache_timeout (integer)</term>
<listitem>
<para>
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index dd440da..2c52c99 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -52,6 +52,7 @@ enum ad_basic_opt {
AD_ACCESS_FILTER,
AD_ENABLE_GC,
AD_GPO_ACCESS_CONTROL,
+ AD_GPO_IMPLICIT_DENY,
AD_GPO_CACHE_TIMEOUT,
AD_GPO_MAP_INTERACTIVE,
AD_GPO_MAP_REMOTE_INTERACTIVE,
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index d568643..f3be723 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1586,6 +1586,7 @@ struct ad_gpo_access_state {
struct ldb_context *ldb_ctx;
struct ad_access_ctx *access_ctx;
enum gpo_access_control_mode gpo_mode;
+ bool gpo_implicit_deny;
enum gpo_map_type gpo_map_type;
struct sdap_id_conn_ctx *conn;
struct sdap_id_op *sdap_op;
@@ -1712,6 +1713,8 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
state->gpo_mode = ctx->gpo_access_control_mode;
state->gpo_timeout_option = ctx->gpo_cache_timeout;
state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
+ state->gpo_implicit_deny = dp_opt_get_bool(ctx->ad_options,
+ AD_GPO_IMPLICIT_DENY);
state->access_ctx = ctx;
state->opts = ctx->sdap_access_ctx->id_ctx->opts;
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
@@ -2171,7 +2174,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
}
}
- ret = EOK;
+ if (state->gpo_implicit_deny == true) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
+ " is set to 'true'. The user will be denied access.\n");
+ ret = ERR_ACCESS_DENIED;
+ } else {
+ ret = EOK;
+ }
+
goto done;
}
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index ac93327..c1d9cd7 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {
{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
+ { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
--
2.9.5

View File

@ -0,0 +1,41 @@
From 10fa27eddb9bbe135277d587c6a2de4b311da6df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 18 Sep 2018 15:23:54 +0200
Subject: [PATCH 20/83] CONFDB: Skip 'local' domain if not supported
When SSSD is built without the support for local
domain, we should gracegully skip local domains
and let other domains start.
Resolves:
https://pagure.io/SSSD/sssd/issue/3828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 22068ca..621647e 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -945,8 +945,14 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
- if (local_provider_is_built()
- && strcasecmp(domain->provider, "local") == 0) {
+ if (strcasecmp(domain->provider, "local") == 0) {
+ if (!local_provider_is_built()) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "ID provider 'local' no longer supported, disabling\n");
+ ret = EINVAL;
+ goto done;
+ }
+
/* If this is the local provider, we need to ensure that
* no other provider was specified for other types, since
* the local provider cannot load them.
--
2.9.5

View File

@ -0,0 +1,259 @@
From 7c619ae08f05a7595d15cf11b64461a7d19cfaa7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Jun 2018 17:49:50 +0200
Subject: [PATCH 21/83] sysdb: extract sysdb_ldb_msg_attr_to_certmap_info()
call
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb.h | 4 ++
src/db/sysdb_certmap.c | 191 ++++++++++++++++++++++++++++---------------------
2 files changed, 112 insertions(+), 83 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index d72af5a..cb04e1b 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -702,6 +702,10 @@ errno_t sysdb_update_certmap(struct sysdb_ctx *sysdb,
struct certmap_info **certmaps,
bool user_name_hint);
+errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg,
+ struct certmap_info **certmap);
+
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
struct certmap_info ***certmaps,
bool *user_name_hint);
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
index 6d83ba0..e61cc05 100644
--- a/src/db/sysdb_certmap.c
+++ b/src/db/sysdb_certmap.c
@@ -262,19 +262,119 @@ done:
return ret;
}
+errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg,
+ struct certmap_info **certmap)
+{
+ int ret;
+ size_t d;
+ size_t num_values;
+ struct certmap_info *map = NULL;
+ const char *tmp_str;
+ uint64_t tmp_uint;
+ struct ldb_message_element *tmp_el;
+
+
+ map = talloc_zero(mem_ctx, struct certmap_info);
+ if (map == NULL) {
+ return ENOMEM;
+ }
+
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (tmp_str == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
+ ldb_dn_get_linearized(msg->dn));
+ ret = EINVAL;
+ goto done;
+ }
+
+ map->name = talloc_strdup(map, tmp_str);
+ if (map->name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MAPPING_RULE,
+ NULL);
+ if (tmp_str != NULL) {
+ map->map_rule = talloc_strdup(map, tmp_str);
+ if (map->map_rule == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MATCHING_RULE,
+ NULL);
+ if (tmp_str != NULL) {
+ map->match_rule = talloc_strdup(map, tmp_str);
+ if (map->match_rule == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp_uint = ldb_msg_find_attr_as_uint64(msg, SYSDB_CERTMAP_PRIORITY,
+ (uint64_t) -1);
+ if (tmp_uint != (uint64_t) -1) {
+ if (tmp_uint > UINT32_MAX) {
+ DEBUG(SSSDBG_OP_FAILURE, "Priority value [%lu] too large.\n",
+ (unsigned long) tmp_uint);
+ ret = EINVAL;
+ goto done;
+ }
+
+ map->priority = (uint32_t) tmp_uint;
+ }
+
+ tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
+ if (tmp_el != NULL) {
+ num_values = tmp_el->num_values;
+ } else {
+ num_values = 0;
+ }
+
+ map->domains = talloc_zero_array(map, const char *, num_values + 1);
+ if (map->domains == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (d = 0; d < num_values; d++) {
+ map->domains[d] = talloc_strndup(map->domains,
+ (char *) tmp_el->values[d].data,
+ tmp_el->values[d].length);
+ if (map->domains[d] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ *certmap = map;
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(map);
+ }
+
+ return ret;
+}
+
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
struct certmap_info ***certmaps, bool *user_name_hint)
{
size_t c;
- size_t d;
struct ldb_dn *container_dn = NULL;
int ret;
struct certmap_info **maps = NULL;
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_result *res;
- const char *tmp_str;
- uint64_t tmp_uint;
- struct ldb_message_element *tmp_el;
const char *attrs[] = {SYSDB_NAME,
SYSDB_CERTMAP_PRIORITY,
SYSDB_CERTMAP_MATCHING_RULE,
@@ -283,7 +383,6 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
NULL};
const char *config_attrs[] = {SYSDB_CERTMAP_USER_NAME_HINT,
NULL};
- size_t num_values;
bool hint = false;
tmp_ctx = talloc_new(NULL);
@@ -332,86 +431,12 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
}
for (c = 0; c < res->count; c++) {
- maps[c] = talloc_zero(maps, struct certmap_info);
- if (maps[c] == NULL) {
- ret = ENOMEM;
- goto done;
- }
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c], SYSDB_NAME, NULL);
- if (tmp_str == NULL) {
- DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
- ldb_dn_get_linearized(res->msgs[c]->dn));
- ret = EINVAL;
- goto done;
- }
-
- maps[c]->name = talloc_strdup(maps, tmp_str);
- if (maps[c]->name == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c],
- SYSDB_CERTMAP_MAPPING_RULE, NULL);
- if (tmp_str != NULL) {
- maps[c]->map_rule = talloc_strdup(maps, tmp_str);
- if (maps[c]->map_rule == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
- goto done;
- }
- }
-
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c],
- SYSDB_CERTMAP_MATCHING_RULE, NULL);
- if (tmp_str != NULL) {
- maps[c]->match_rule = talloc_strdup(maps, tmp_str);
- if (maps[c]->match_rule == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
- goto done;
- }
- }
-
- tmp_uint = ldb_msg_find_attr_as_uint64(res->msgs[c],
- SYSDB_CERTMAP_PRIORITY,
- (uint64_t) -1);
- if (tmp_uint != (uint64_t) -1) {
- if (tmp_uint > UINT32_MAX) {
- DEBUG(SSSDBG_OP_FAILURE, "Priority value [%lu] too large.\n",
- (unsigned long) tmp_uint);
- ret = EINVAL;
- goto done;
- }
-
- maps[c]->priority = (uint32_t) tmp_uint;
- }
-
- tmp_el = ldb_msg_find_element(res->msgs[c], SYSDB_CERTMAP_DOMAINS);
- if (tmp_el != NULL) {
- num_values = tmp_el->num_values;
- } else {
- num_values = 0;
- }
-
- maps[c]->domains = talloc_zero_array(maps[c], const char *,
- num_values + 1);
- if (maps[c]->domains == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
- ret = ENOMEM;
+ ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], &maps[c]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n");
goto done;
}
-
- for (d = 0; d < num_values; d++) {
- maps[c]->domains[d] = talloc_strndup(maps[c]->domains,
- (char *) tmp_el->values[d].data,
- tmp_el->values[d].length);
- if (maps[c]->domains[d] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
- ret = ENOMEM;
- goto done;
- }
- }
}
ret = EOK;
--
2.9.5

View File

@ -0,0 +1,39 @@
From d1dd7f7703b4f40d2fbb830e28969b31b8a1673e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Jul 2018 11:30:07 +0200
Subject: [PATCH 22/83] sysdb_ldb_msg_attr_to_certmap_info: set
SSS_CERTMAP_MIN_PRIO
Make sure that priority is always set.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb_certmap.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
index e61cc05..0bb7ebc 100644
--- a/src/db/sysdb_certmap.c
+++ b/src/db/sysdb_certmap.c
@@ -22,6 +22,7 @@
#include "util/util.h"
#include "db/sysdb_private.h"
+#include "lib/certmap/sss_certmap.h"
static errno_t sysdb_create_certmap_container(struct sysdb_ctx *sysdb,
bool user_name_hint)
@@ -327,6 +328,8 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
}
map->priority = (uint32_t) tmp_uint;
+ } else {
+ map->priority = SSS_CERTMAP_MIN_PRIO;
}
tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
--
2.9.5

View File

@ -0,0 +1,140 @@
From 0bf709ad348ca115443bd21e4e369abd5d7698c4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Jun 2018 18:13:59 +0200
Subject: [PATCH 23/83] sysdb: add attr_map attribute to
sysdb_ldb_msg_attr_to_certmap_info()
Allow more flexible attribute mapping in
sysdb_ldb_msg_attr_to_certmap_info()
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb.h | 1 +
src/db/sysdb_certmap.c | 39 +++++++++++++++++++++++++++++++--------
2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index cb04e1b..2187947 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -704,6 +704,7 @@ errno_t sysdb_update_certmap(struct sysdb_ctx *sysdb,
errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
+ const char **attr_map,
struct certmap_info **certmap);
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
index 0bb7ebc..e37f1ba 100644
--- a/src/db/sysdb_certmap.c
+++ b/src/db/sysdb_certmap.c
@@ -263,8 +263,19 @@ done:
return ret;
}
+enum certmap_info_member {
+ SSS_CMIM_NAME = 0,
+ SSS_CMIM_MAPPING_RULE,
+ SSS_CMIM_MATCHING_RULE,
+ SSS_CMIM_PRIORITY,
+ SSS_CMIM_DOMAINS,
+
+ SSS_CMIM_SENTINEL
+};
+
errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
+ const char **attr_map,
struct certmap_info **certmap)
{
int ret;
@@ -275,13 +286,24 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
uint64_t tmp_uint;
struct ldb_message_element *tmp_el;
+ if (msg == NULL || attr_map == NULL || certmap == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid input.\n");
+ return EINVAL;
+ }
+
+ for (d = 0; d < SSS_CMIM_SENTINEL; d++) {
+ if (attr_map[d] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid attribute map");
+ return EINVAL;
+ }
+ }
map = talloc_zero(mem_ctx, struct certmap_info);
if (map == NULL) {
return ENOMEM;
}
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_NAME], NULL);
if (tmp_str == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
ldb_dn_get_linearized(msg->dn));
@@ -295,7 +317,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
goto done;
}
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MAPPING_RULE,
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_MAPPING_RULE],
NULL);
if (tmp_str != NULL) {
map->map_rule = talloc_strdup(map, tmp_str);
@@ -306,7 +328,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
}
}
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MATCHING_RULE,
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_MATCHING_RULE],
NULL);
if (tmp_str != NULL) {
map->match_rule = talloc_strdup(map, tmp_str);
@@ -317,7 +339,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
}
}
- tmp_uint = ldb_msg_find_attr_as_uint64(msg, SYSDB_CERTMAP_PRIORITY,
+ tmp_uint = ldb_msg_find_attr_as_uint64(msg, attr_map[SSS_CMIM_PRIORITY],
(uint64_t) -1);
if (tmp_uint != (uint64_t) -1) {
if (tmp_uint > UINT32_MAX) {
@@ -332,7 +354,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
map->priority = SSS_CERTMAP_MIN_PRIO;
}
- tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
+ tmp_el = ldb_msg_find_element(msg, attr_map[SSS_CMIM_DOMAINS]);
if (tmp_el != NULL) {
num_values = tmp_el->num_values;
} else {
@@ -379,9 +401,9 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_result *res;
const char *attrs[] = {SYSDB_NAME,
- SYSDB_CERTMAP_PRIORITY,
- SYSDB_CERTMAP_MATCHING_RULE,
SYSDB_CERTMAP_MAPPING_RULE,
+ SYSDB_CERTMAP_MATCHING_RULE,
+ SYSDB_CERTMAP_PRIORITY,
SYSDB_CERTMAP_DOMAINS,
NULL};
const char *config_attrs[] = {SYSDB_CERTMAP_USER_NAME_HINT,
@@ -434,7 +456,8 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
}
for (c = 0; c < res->count; c++) {
- ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], &maps[c]);
+ ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], attrs,
+ &maps[c]);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sysdb_ldb_msg_attr_to_certmap_info failed.\n");
--
2.9.5

View File

@ -0,0 +1,167 @@
From d9cc38008a51a8a5189904f175e4d10cbde4a974 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 2 Jul 2018 10:38:54 +0200
Subject: [PATCH 24/83] confdb: add confdb_certmap_to_sysdb()
Add a function to write certificate mapping and matching rules from the
config database to the cache of a domain.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++
src/confdb/confdb.h | 23 +++++++++++++
2 files changed, 122 insertions(+)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 621647e..26415ca 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -2202,3 +2202,102 @@ done:
talloc_free(tmp_ctx);
return ret;
}
+
+static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *cdb,
+ struct sss_domain_info *dom,
+ struct certmap_info ***_certmap_list)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_dn *dn = NULL;
+ struct ldb_result *res = NULL;
+ /* The attributte order is important, because it is used in
+ * sysdb_ldb_msg_attr_to_certmap_info and must match
+ * enum certmap_info_member. */
+ static const char *attrs[] = { CONFDB_CERTMAP_NAME,
+ CONFDB_CERTMAP_MAPRULE,
+ CONFDB_CERTMAP_MATCHRULE,
+ CONFDB_CERTMAP_PRIORITY,
+ CONFDB_CERTMAP_DOMAINS,
+ NULL};
+ struct certmap_info **certmap_list = NULL;
+ size_t c;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ dn = ldb_dn_new_fmt(tmp_ctx, cdb->ldb, "cn=%s,%s", dom->name,
+ CONFDB_CERTMAP_BASEDN);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
+ attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ certmap_list = talloc_zero_array(tmp_ctx, struct certmap_info *,
+ res->count + 1);
+ if (certmap_list == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (c = 0; c < res->count; c++) {
+ ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
+ attrs, &certmap_list[c]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n");
+ goto done;
+ }
+ }
+
+ *_certmap_list = talloc_steal(mem_ctx, certmap_list);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
+ struct sss_domain_info *dom)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ struct certmap_info **certmap_list;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = confdb_get_all_certmaps(tmp_ctx, cdb, dom, &certmap_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_all_certmaps failed.\n");
+ goto done;
+ }
+
+ ret = sysdb_update_certmap(dom->sysdb, certmap_list, false /* TODO */);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_certmap failed.\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2266501..2aae93a 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -265,6 +265,15 @@
#define CONFDB_KCM_SOCKET "socket_path"
#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */
+/* Certificate mapping rules */
+#define CONFDB_CERTMAP_BASEDN "cn=certmap,cn=config"
+#define CONFDB_CERTMAP_NAME "cn"
+#define CONFDB_CERTMAP_MAPRULE "maprule"
+#define CONFDB_CERTMAP_MATCHRULE "matchrule"
+#define CONFDB_CERTMAP_DOMAINS "domains"
+#define CONFDB_CERTMAP_PRIORITY "priority"
+
+
struct confdb_ctx;
struct config_file_ctx;
@@ -662,6 +671,20 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
const char *section,
char ***sections,
int *num_sections);
+
+/**
+ * @brief Convenience function to write the certificate mapping and matching
+ * rules from the configuration database to the cache of a domain
+ *
+ * @param[in] cdb The connection object to the confdb
+ * @param[in] dom Target domain where to rules should be written to
+ *
+ * @return 0 - Successfully retrieved the entry (or used the default)
+ * @return ENOMEM - There was insufficient memory to complete the operation
+ * @return EINVAL - Typically internal processing error
+ */
+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
+ struct sss_domain_info *dom);
/**
* @}
*/
--
2.9.5

View File

@ -0,0 +1,71 @@
From 15301db1dc1e5e2aafc1805a30e3b28756218c9b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 2 Jul 2018 12:20:53 +0200
Subject: [PATCH 25/83] AD/LDAP: read certificate mapping rules from config
file
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ad/ad_init.c | 16 ++++++++++++++++
src/providers/ldap/ldap_init.c | 16 ++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 637efb7..a908571 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -419,6 +419,22 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx,
return ret;
}
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize certificate mapping rules. "
+ "Authentication with certificates/Smartcards might not work "
+ "as expected.\n");
+ /* not fatal, ignored */
+ }
+
+ ret = sdap_init_certmap(sdap_id_ctx, sdap_id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialized certificate mapping.\n");
+ return ret;
+ }
+
return EOK;
}
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 44b3e9a..95e6561 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -438,6 +438,22 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx,
"[%d]: %s\n", ret, sss_strerror(ret));
}
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize certificate mapping rules. "
+ "Authentication with certificates/Smartcards might not work "
+ "as expected.\n");
+ /* not fatal, ignored */
+ }
+
+ ret = sdap_init_certmap(id_ctx, id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialized certificate mapping.\n");
+ return ret;
+ }
+
return EOK;
}
--
2.9.5

View File

@ -0,0 +1,32 @@
From 06f7005d38d164879b727708feff80004b422f91 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Jul 2018 11:31:12 +0200
Subject: [PATCH 26/83] sysdb: sysdb_certmap_add() handle domains more flexible
sysdb_ldb_msg_attr_to_certmap_info() creates an empty list if there are
no domains defined, sysdb_certmap_add() should be able to handle both a
missing or an empty domains list.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb_certmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
index e37f1ba..0bcc54c 100644
--- a/src/db/sysdb_certmap.c
+++ b/src/db/sysdb_certmap.c
@@ -131,7 +131,7 @@ static errno_t sysdb_certmap_add(struct sysdb_ctx *sysdb,
}
}
- if (certmap->domains != NULL) {
+ if (certmap->domains != NULL && certmap->domains[0] != NULL) {
for (c = 0; certmap->domains[c] != NULL; c++);
el = talloc_zero(tmp_ctx, struct ldb_message_element);
if (el == NULL) {
--
2.9.5

View File

@ -0,0 +1,131 @@
From 9386ef605ffbc03abe2bc273efddbc099441fe3b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Jul 2018 15:17:10 +0200
Subject: [PATCH 27/83] confdb: add special handling for rules for the files
provider
To make the configuration more simple there are some special assumption
for local users, i.e. user managed by the files provider.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.c | 59 ++++++++++++++++++++++++++++++++++++++++
src/confdb/confdb.h | 1 +
src/providers/files/files_init.c | 10 +++++++
3 files changed, 70 insertions(+)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 26415ca..954c3ba 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -2203,6 +2203,56 @@ done:
return ret;
}
+static errno_t certmap_local_check(struct ldb_message *msg)
+{
+ const char *rule_name;
+ const char *tmp_str;
+ int ret;
+
+ rule_name = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_NAME, NULL);
+ if (rule_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certficate mapping rule [%s] has no name.",
+ ldb_dn_get_linearized(msg->dn));
+ return EINVAL;
+ }
+
+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_DOMAINS, NULL);
+ if (tmp_str != NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Option [%s] is ignored for local certmap rules.\n",
+ CONFDB_CERTMAP_DOMAINS);
+ }
+
+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_MAPRULE, NULL);
+ if (tmp_str != NULL) {
+ if (tmp_str[0] != '(' || tmp_str[strlen(tmp_str) - 1] != ')') {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Mapping rule must be in braces (...).\n");
+ return EINVAL;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] mapping rule of [%s].\n",
+ tmp_str, ldb_dn_get_linearized(msg->dn));
+ return EOK;
+ }
+
+ tmp_str = talloc_asprintf(msg, "(%s)", rule_name);
+ if (tmp_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ return ENOMEM;
+ }
+ ret = ldb_msg_add_string(msg, CONFDB_CERTMAP_MAPRULE, tmp_str);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(discard_const(tmp_str));
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n");
+ return EIO;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] as mapping rule for [%s].\n",
+ tmp_str, ldb_dn_get_linearized(msg->dn));
+
+ return EOK;
+}
+
static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
struct sss_domain_info *dom,
@@ -2251,6 +2301,15 @@ static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
}
for (c = 0; c < res->count; c++) {
+ if (is_files_provider(dom)) {
+ ret = certmap_local_check(res->msgs[c]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Invalid certificate mapping [%s] for local user, "
+ "ignored.\n", ldb_dn_get_linearized(res->msgs[c]->dn));
+ continue;
+ }
+ }
ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
attrs, &certmap_list[c]);
if (ret != EOK) {
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2aae93a..625d156 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -685,6 +685,7 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
*/
int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
struct sss_domain_info *dom);
+
/**
* @}
*/
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
index 746c04a..c793bed 100644
--- a/src/providers/files/files_init.c
+++ b/src/providers/files/files_init.c
@@ -189,6 +189,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
goto done;
}
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize certificate mapping rules. "
+ "Authentication with certificates/Smartcards might not work "
+ "as expected.\n");
+ /* not fatal, ignored */
+ }
+
+
*_module_data = ctx;
ret = EOK;
done:
--
2.9.5

View File

@ -0,0 +1,414 @@
From 275eeed24adc31f3df51cf278f509a4be76a3a3c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:37:46 +0200
Subject: [PATCH 28/83] files: add support for Smartcard authentication
To support certificate based authentication the files provider must be
able to map a certificate to a user during a BE_REQ_BY_CERT request.
Additionally the authentication request should be handled by the PAM
responder code which is responsible for the local Smartcard
authentication. To be consistent with the other backend an authentication
handler is added to the files provider which unconditionally returns the
offline error code telling the PAM responder to handle the
authentication if it has access to the needed credentials.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
Makefile.am | 2 +
src/providers/files/files_auth.c | 69 +++++++++++++
src/providers/files/files_certmap.c | 186 ++++++++++++++++++++++++++++++++++++
src/providers/files/files_id.c | 20 ++++
src/providers/files/files_init.c | 21 +++-
src/providers/files/files_private.h | 17 ++++
6 files changed, 314 insertions(+), 1 deletion(-)
create mode 100644 src/providers/files/files_auth.c
create mode 100644 src/providers/files/files_certmap.c
diff --git a/Makefile.am b/Makefile.am
index deb9ce3..3667856 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4285,6 +4285,8 @@ libsss_proxy_la_LDFLAGS = \
libsss_files_la_SOURCES = \
src/providers/files/files_init.c \
src/providers/files/files_id.c \
+ src/providers/files/files_auth.c \
+ src/providers/files/files_certmap.c \
src/providers/files/files_ops.c \
src/util/inotify.c \
$(NULL)
diff --git a/src/providers/files/files_auth.c b/src/providers/files/files_auth.c
new file mode 100644
index 0000000..b71de69
--- /dev/null
+++ b/src/providers/files/files_auth.c
@@ -0,0 +1,69 @@
+/*
+ SSSD
+
+ files_auth.c - PAM operations on the files provider
+
+ Copyright (C) 2018 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <security/pam_modules.h>
+
+#include "providers/data_provider/dp.h"
+#include "providers/data_provider.h"
+#include "providers/files/files_private.h"
+#include "util/cert.h"
+
+struct files_auth_ctx {
+ struct pam_data *pd;
+};
+
+struct tevent_req *
+files_auth_handler_send(TALLOC_CTX *mem_ctx,
+ void *unused,
+ struct pam_data *pd,
+ struct dp_req_params *params)
+{
+ struct files_auth_ctx *state;
+ struct tevent_req *req;
+
+ req = tevent_req_create(mem_ctx, &state, struct files_auth_ctx);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->pd = pd;
+ state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ tevent_req_done(req);
+ tevent_req_post(req, params->ev);
+ return req;
+}
+
+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data)
+{
+ struct files_auth_ctx *state = NULL;
+
+ state = tevent_req_data(req, struct files_auth_ctx);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *_data = talloc_steal(mem_ctx, state->pd);
+
+ return EOK;
+}
diff --git a/src/providers/files/files_certmap.c b/src/providers/files/files_certmap.c
new file mode 100644
index 0000000..7d90a1f
--- /dev/null
+++ b/src/providers/files/files_certmap.c
@@ -0,0 +1,186 @@
+/*
+ SSSD
+
+ files_init.c - Initialization of the files provider
+
+ Copyright (C) 2018 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "providers/files/files_private.h"
+#include "util/util.h"
+#include "util/cert.h"
+#include "lib/certmap/sss_certmap.h"
+
+struct priv_sss_debug {
+ int level;
+};
+
+static void ext_debug(void *private, const char *file, long line,
+ const char *function, const char *format, ...)
+{
+ va_list ap;
+ struct priv_sss_debug *data = private;
+ int level = SSSDBG_OP_FAILURE;
+
+ if (data != NULL) {
+ level = data->level;
+ }
+
+ if (DEBUG_IS_SET(level)) {
+ va_start(ap, format);
+ sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED,
+ format, ap);
+ va_end(ap);
+ }
+}
+
+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx)
+{
+ int ret;
+ bool hint;
+ struct certmap_info **certmap_list = NULL;
+ size_t c;
+
+ ret = sysdb_get_certmap(mem_ctx, id_ctx->be->domain->sysdb,
+ &certmap_list, &hint);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
+ goto done;
+ }
+
+ if (certmap_list == NULL || *certmap_list == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "No certmap data, nothing to do.\n");
+ ret = EOK;
+ goto done;
+ }
+
+ ret = sss_certmap_init(mem_ctx, ext_debug, NULL, &id_ctx->sss_certmap_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n");
+ goto done;
+ }
+
+ for (c = 0; certmap_list[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n",
+ certmap_list[c]->name,
+ certmap_list[c]->priority,
+ certmap_list[c]->match_rule,
+ certmap_list[c]->map_rule);
+
+ ret = sss_certmap_add_rule(id_ctx->sss_certmap_ctx,
+ certmap_list[c]->priority,
+ certmap_list[c]->match_rule,
+ certmap_list[c]->map_rule,
+ certmap_list[c]->domains);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_certmap_add_rule failed for rule [%s] "
+ "with error [%d][%s], skipping. "
+ "Please check for typos and if rule syntax is supported.\n",
+ certmap_list[c]->name, ret, sss_strerror(ret));
+ continue;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(certmap_list);
+
+ return ret;
+}
+
+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx,
+ struct dp_id_data *data)
+{
+ errno_t ret;
+ char *filter;
+ char *user;
+ struct ldb_message *msg = NULL;
+ struct sysdb_attrs *attrs = NULL;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sss_cert_derb64_to_ldap_filter(tmp_ctx, data->filter_value, "",
+ id_ctx->sss_certmap_ctx,
+ id_ctx->domain, &filter);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_cert_derb64_to_ldap_filter failed.\n");
+ goto done;
+ }
+ if (filter == NULL || filter[0] != '('
+ || filter[strlen(filter) - 1] != ')') {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_cert_derb64_to_ldap_filter returned bad filter [%s].\n",
+ filter);
+ ret = EINVAL;
+ goto done;
+ }
+
+ filter[strlen(filter) - 1] = '\0';
+ user = sss_create_internal_fqname(tmp_ctx, &filter[1],
+ id_ctx->domain->name);
+ if (user == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapped to user: [%s].\n", user);
+
+ ret = sysdb_search_user_by_name(tmp_ctx, id_ctx->domain, user, NULL, &msg);
+ if (ret == EOK) {
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_MAPPED_CERT,
+ data->filter_value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
+ goto done;
+ }
+
+ ret = sysdb_set_entry_attr(id_ctx->domain->sysdb, msg->dn, attrs,
+ SYSDB_MOD_ADD);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
+ goto done;
+ }
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_ALL, "Mapped user [%s] not found.\n", user);
+ ret = EOK;
+ goto done;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
diff --git a/src/providers/files/files_id.c b/src/providers/files/files_id.c
index 41314c6..f6f8c73 100644
--- a/src/providers/files/files_id.c
+++ b/src/providers/files/files_id.c
@@ -87,6 +87,26 @@ files_account_info_handler_send(TALLOC_CTX *mem_ctx,
? true \
: false;
break;
+ case BE_REQ_BY_CERT:
+ if (data->filter_type != BE_FILTER_CERT) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected filter type for lookup by cert: %d\n",
+ data->filter_type);
+ ret = EINVAL;
+ goto immediate;
+ }
+ if (id_ctx->sss_certmap_ctx == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapping not configured.\n");
+ ret = EOK;
+ goto immediate;
+ }
+
+ ret = files_map_cert_to_user(id_ctx, data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "files_map_cert_to_user failed");
+ }
+ goto immediate;
+ break;
default:
DEBUG(SSSDBG_CRIT_FAILURE,
"Unexpected entry type: %d\n", data->entry_type & BE_REQ_TYPE_MASK);
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
index c793bed..1ce4bcf 100644
--- a/src/providers/files/files_init.c
+++ b/src/providers/files/files_init.c
@@ -196,9 +196,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
"Authentication with certificates/Smartcards might not work "
"as expected.\n");
/* not fatal, ignored */
+ } else {
+ ret = files_init_certmap(ctx, ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "files_init_certmap failed. "
+ "Authentication with certificates/Smartcards might not work "
+ "as expected.\n");
+ /* not fatal, ignored */
+ }
}
-
*_module_data = ctx;
ret = EOK;
done:
@@ -234,3 +241,15 @@ int sssm_files_id_init(TALLOC_CTX *mem_ctx,
return EOK;
}
+
+int sssm_files_auth_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+ dp_set_method(dp_methods, DPM_AUTH_HANDLER,
+ files_auth_handler_send, files_auth_handler_recv, NULL, void,
+ struct pam_data, struct pam_data *);
+
+ return EOK;
+}
diff --git a/src/providers/files/files_private.h b/src/providers/files/files_private.h
index f44e6d4..fd17819 100644
--- a/src/providers/files/files_private.h
+++ b/src/providers/files/files_private.h
@@ -38,6 +38,7 @@ struct files_id_ctx {
struct be_ctx *be;
struct sss_domain_info *domain;
struct files_ctx *fctx;
+ struct sss_certmap_ctx *sss_certmap_ctx;
const char **passwd_files;
const char **group_files;
@@ -71,4 +72,20 @@ errno_t files_account_info_handler_recv(TALLOC_CTX *mem_ctx,
void files_account_info_finished(struct files_id_ctx *id_ctx,
int req_type,
errno_t ret);
+
+/* files_auth.c */
+struct tevent_req *files_auth_handler_send(TALLOC_CTX *mem_ctx,
+ void *unused,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+/* files_certmap.c */
+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx);
+
+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx,
+ struct dp_id_data *data);
#endif /* __FILES_PRIVATE_H_ */
--
2.9.5

View File

@ -0,0 +1,68 @@
From 9fdc5f1d87a133885e6a22810a7eb980c60dcb55 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:45:21 +0200
Subject: [PATCH 29/83] responder: make sure SSS_DP_CERT is passed to files
provider
Currently the files provider is only contacted once in a while to update
the full cache with fresh data from the passwd file. To allow rule based
certificate mapping the lookup by certificate request must be always
send to the file provider so that it can evaluate the rules and add the
certificate to cached entry of the matching user.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/common/responder_dp.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index 878aa1d..39f0f20 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -34,15 +34,17 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
enum sss_dp_acct_type *_type_out,
const char **_opt_name_out)
{
- if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
+ if (type_in != SSS_DP_CERT) {
+ if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "The entries in the files domain are up-to-date\n");
+ return EOK;
+ }
+
DEBUG(SSSDBG_TRACE_INTERNAL,
- "The entries in the files domain are up-to-date\n");
- return EOK;
+ "Domain files is not consistent, issuing update\n");
}
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Domain files is not consistent, issuing update\n");
-
switch(type_in) {
case SSS_DP_USER:
case SSS_DP_GROUP:
@@ -56,12 +58,16 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
*_type_out = type_in;
*_opt_name_out = DP_REQ_OPT_FILES_INITGR;
return EAGAIN;
+ case SSS_DP_CERT:
+ /* Let the backend handle certificate mapping for local users */
+ *_type_out = type_in;
+ *_opt_name_out = opt_name_in;
+ return EAGAIN;
/* These are not handled by the files provider, just fall back */
case SSS_DP_NETGR:
case SSS_DP_SERVICES:
case SSS_DP_SECID:
case SSS_DP_USER_AND_GROUP:
- case SSS_DP_CERT:
case SSS_DP_WILDCARD_USER:
case SSS_DP_WILDCARD_GROUP:
return EOK;
--
2.9.5

View File

@ -0,0 +1,166 @@
From d42f44d54453d3ddb54875374c1b61dc1e7cd821 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:56:26 +0200
Subject: [PATCH 30/83] PAM: add certificate matching rules from all domains
Currently the PAM responder only reads the certificate mapping and
matching rules from the first domain. To support Smartcard
authentication for local and remote users all configured domains must be
taken into account.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/pam/pamsrv.h | 2 +-
src/responder/pam/pamsrv_cmd.c | 2 +-
src/responder/pam/pamsrv_p11.c | 77 +++++++++++++++++++++++++++---------------
3 files changed, 51 insertions(+), 30 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index d189ccc..5d87756 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -114,7 +114,7 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
- struct certmap_info **certmap_list);
+ struct sss_domain_info *domains);
errno_t
pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a6bb289..ed9ad57 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1737,7 +1737,7 @@ static void pam_forwarder_cb(struct tevent_req *req)
goto done;
}
- ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains->certmaps);
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"p11_refresh_certmap_ctx failed, "
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index bf72207..ffa6787 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -142,11 +142,14 @@ static void ext_debug(void *private, const char *file, long line,
}
errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
- struct certmap_info **certmap_list)
+ struct sss_domain_info *domains)
{
int ret;
struct sss_certmap_ctx *sss_certmap_ctx = NULL;
size_t c;
+ struct sss_domain_info *dom;
+ bool certmap_found = false;
+ struct certmap_info **certmap_list;
ret = sss_certmap_init(pctx, ext_debug, NULL, &sss_certmap_ctx);
if (ret != EOK) {
@@ -154,7 +157,15 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
goto done;
}
- if (certmap_list == NULL || *certmap_list == NULL) {
+ DLIST_FOR_EACH(dom, domains) {
+ certmap_list = dom->certmaps;
+ if (certmap_list != NULL && *certmap_list != NULL) {
+ certmap_found = true;
+ break;
+ }
+ }
+
+ if (!certmap_found) {
/* Try to add default matching rule */
ret = sss_certmap_add_rule(sss_certmap_ctx, SSS_CERTMAP_MIN_PRIO,
CERT_AUTH_DEFAULT_MATCHING_RULE, NULL, NULL);
@@ -166,24 +177,32 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
goto done;
}
- for (c = 0; certmap_list[c] != NULL; c++) {
- DEBUG(SSSDBG_TRACE_ALL,
- "Trying to add rule [%s][%d][%s][%s].\n",
- certmap_list[c]->name, certmap_list[c]->priority,
- certmap_list[c]->match_rule, certmap_list[c]->map_rule);
-
- ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority,
- certmap_list[c]->match_rule,
- certmap_list[c]->map_rule,
- certmap_list[c]->domains);
- if (ret != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sss_certmap_add_rule failed for rule [%s] "
- "with error [%d][%s], skipping. "
- "Please check for typos and if rule syntax is supported.\n",
- certmap_list[c]->name, ret, sss_strerror(ret));
+ DLIST_FOR_EACH(dom, domains) {
+ certmap_list = dom->certmaps;
+ if (certmap_list == NULL || *certmap_list == NULL) {
continue;
}
+
+ for (c = 0; certmap_list[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Trying to add rule [%s][%d][%s][%s].\n",
+ certmap_list[c]->name, certmap_list[c]->priority,
+ certmap_list[c]->match_rule, certmap_list[c]->map_rule);
+
+ ret = sss_certmap_add_rule(sss_certmap_ctx,
+ certmap_list[c]->priority,
+ certmap_list[c]->match_rule,
+ certmap_list[c]->map_rule,
+ certmap_list[c]->domains);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_certmap_add_rule failed for rule [%s] "
+ "with error [%d][%s], skipping. "
+ "Please check for typos and if rule syntax is supported.\n",
+ certmap_list[c]->name, ret, sss_strerror(ret));
+ continue;
+ }
+ }
}
ret = EOK;
@@ -204,19 +223,21 @@ errno_t p11_child_init(struct pam_ctx *pctx)
int ret;
struct certmap_info **certmaps;
bool user_name_hint;
- struct sss_domain_info *dom = pctx->rctx->domains;
+ struct sss_domain_info *dom;
- ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
- return ret;
- }
+ DLIST_FOR_EACH(dom, pctx->rctx->domains) {
+ ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
+ return ret;
+ }
- dom->user_name_hint = user_name_hint;
- talloc_free(dom->certmaps);
- dom->certmaps = certmaps;
+ dom->user_name_hint = user_name_hint;
+ talloc_free(dom->certmaps);
+ dom->certmaps = certmaps;
+ }
- ret = p11_refresh_certmap_ctx(pctx, dom->certmaps);
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
return ret;
--
2.9.5

View File

@ -0,0 +1,182 @@
From 0c739e969a617bdb4c06cdfd63772bf6d283c518 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 3 Sep 2018 18:38:42 +0200
Subject: [PATCH 31/83] doc: add certificate mapping section to man page
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/sssd.conf.5.xml | 149 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 149 insertions(+)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 881ffc6..04143f1 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -3299,6 +3299,135 @@ ldap_user_extra_attrs = phone:telephoneNumber
</para>
</refsect1>
+ <refsect1 id='certmap'>
+ <title>CERTIFICATE MAPPING SECTION</title>
+ <para>
+ To allow authentication with Smartcards and certificates SSSD must
+ be able to map certificates to users. This can be done by adding the
+ full certificate to the LDAP object of the user or to a local
+ override. While using the full certificate is required to use the
+ Smartcard authentication feature of SSH (see
+ <citerefentry>
+ <refentrytitle>sss_ssh_authorizedkeys</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ for details) it might be cumbersome or not even possible to do this
+ for the general case where local services use PAM for
+ authentication.
+ </para>
+ <para>
+ To make the mapping more flexible mapping and matching rules were
+ added to SSSD (see
+ <citerefentry>
+ <refentrytitle>sss-certmap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ for details).
+ </para>
+ <para>
+ A mapping and matching rule can be added to the SSSD configuration
+ in a section on its own with a name like
+ <quote>[certmap/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</replaceable>]</quote>.
+ In this section the following options are allowed:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>matchrule (string)</term>
+ <listitem>
+ <para>
+ Only certificates from the Smartcard which matches this
+ rule will be processed, all others are ignored.
+ </para>
+ <para>
+ Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only
+ certificates which have the Extended Key Usage
+ <quote>clientAuth</quote>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>maprule (string)</term>
+ <listitem>
+ <para>
+ Defines how the user is found for a given certificate.
+ </para>
+ <para>
+ Default:
+ <itemizedlist>
+ <listitem>
+ <para>LDAP:(userCertificate;binary={cert!bin})
+ for LDAP based providers like
+ <quote>ldap</quote>, <quote>AD</quote> or
+ <quote>ipa</quote>.</para>
+ </listitem>
+ <listitem>
+ <para>The RULE_NAME for the <quote>files</quote>
+ provider which tries to find a user with the
+ same name.</para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>domains (string)</term>
+ <listitem>
+ <para>
+ Comma separated list of domain names the rule should be
+ applied. By default a rule is only valid in the domain
+ configured in sssd.conf. If the provider supports
+ subdomains this option can be used to add the rule to
+ subdomains as well.
+ </para>
+ <para>
+ Default: the configured domain in sssd.conf
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>priority (integer)</term>
+ <listitem>
+ <para>
+ Unsigned integer value defining the priority of the
+ rule. The higher the number the lower the priority.
+ <quote>0</quote> stands for the highest priority while
+ <quote>4294967295</quote> is the lowest.
+ </para>
+ <para>
+ Default: the lowest priority
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <para>
+ To make the configuration simple and reduce the amount of
+ configuration options the <quote>files</quote> provider has some
+ special properties:
+ <itemizedlist>
+ <listitem>
+ <para>
+ if maprule is not set the RULE_NAME name is assumed to
+ be the name of the matching user
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ if a maprule is used both a single user name or a
+ template like
+ <quote>{subject_rfc822_name.short_name}</quote> must
+ be in braces like e.g. <quote>(username)</quote> or
+ <quote>({subject_rfc822_name.short_name})</quote>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ the <quote>domains</quote> option is ignored
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </refsect1>
+
<refsect1 id='example'>
<title>EXAMPLES</title>
<para>
@@ -3343,6 +3472,26 @@ enumerate = False
use_fully_qualified_names = false
</programlisting>
</para>
+ <para>
+ 3. The following example shows the configuration for two certificate
+ mapping rules. The first is valid for the configured domain
+ <quote>my.domain</quote> and additionally for the subdomains
+ <quote>your.domain</quote> and uses the full certificate in the
+ search filter. The second example is valid for the domain
+ <quote>files</quote> where it is assumed the files provider is used
+ for this domain and contains a matching rule for the local user
+ <quote>myname</quote>.
+<programlisting>
+[certmap/my.domain/rule_name]
+matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$
+maprule = (userCertificate;binary={cert!bin})
+domains = my.domain, your.domain
+priority = 10
+
+[certmap/files/myname]
+matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;^CN=User.Name,DC=MY,DC=DOMAIN$
+</programlisting>
+ </para>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
--
2.9.5

View File

@ -0,0 +1,30 @@
From 16941c47a6f0fc2f1679725d55cde221f3c3a6ef Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:12:02 +0200
Subject: [PATCH 32/83] intg: user default locale
Some checks depend on english error messages so checks should be always
run with the default locale.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 65da9ca..6f7605b 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -126,6 +126,7 @@ intgcheck-installed: config.py passwd group
PATH="$$(dirname -- $(SLAPD)):$$PATH" \
PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \
PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \
+ LANG=C \
PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \
LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
NON_WRAPPED_UID=$$(id -u) \
--
2.9.5

View File

@ -0,0 +1,34 @@
From 442ae7b1d0704cdd667d4f1ba4c165ce3f3ffed4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:16:50 +0200
Subject: [PATCH 33/83] PAM: use better PAM error code for failed Smartcard
authentication
If the user enters a wrong PIN the PAM responder currently returns
PAM_USER_UNKNOWN better is PAM_AUTH_ERR.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/pam/pamsrv_cmd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index ed9ad57..817f3c5 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1436,7 +1436,9 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
DEBUG(SSSDBG_CRIT_FAILURE,
"No certificate returned, authentication failed.\n");
- ret = ENOENT;
+ preq->pd->pam_status = PAM_AUTH_ERR;
+ pam_reply(preq);
+ return;
} else {
ret = pam_check_user_search(preq);
}
--
2.9.5

View File

@ -0,0 +1,31 @@
From 91aea762d02731193eb66a00b930ff1fe8bc5ab8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 10 Sep 2018 22:03:55 +0200
Subject: [PATCH 34/83] test_ca: test library only for readable
On Debian libraries typically do not have the execute-bit set so it is
better to only check for readability.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/external/test_ca.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
index 2cdb3c7..bb48726 100644
--- a/src/external/test_ca.m4
+++ b/src/external/test_ca.m4
@@ -58,7 +58,7 @@ AC_DEFUN([AM_CHECK_TEST_CA],
AC_MSG_NOTICE([Could not find p11tool])
fi
- AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"])
+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -r "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"])
fi
AM_COND_IF([BUILD_TEST_CA],
--
2.9.5

View File

@ -0,0 +1,57 @@
From a45a410dc7fa7cf84bcac541e693ee8781e25431 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:17:47 +0200
Subject: [PATCH 35/83] test_ca: set a password/PIN to nss databases
To make sure the PIN is properly checked during tests the NSS databases
need a password.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/test_CA/Makefile.am | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
index 0c70993..1bce2c3 100644
--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -33,7 +33,7 @@ endif
ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(extra)
$(pwdfile):
- @echo "12345678" > $@
+ @echo "123456" > $@
SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
$(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
@@ -65,18 +65,18 @@ SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub
# - src/tests/cmocka/test_pam_srv.c
p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile)
mkdir $@
- $(CERTUTIL) -d sql:./$@ -N --empty-password
- $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
- $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile)
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -f $(pwdfile)
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile)
# This nss db is used in
# - src/tests/cmocka/test_pam_srv.c
p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile)
mkdir $@
- $(CERTUTIL) -d sql:./$@ -N --empty-password
- $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
- $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
- $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile)
+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile)
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -f $(pwdfile)
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile)
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile) -k $(pwdfile)
# The softhsm2 PKCS#11 setups are used in
# - src/tests/cmocka/test_pam_srv.c
--
2.9.5

View File

@ -0,0 +1,78 @@
From d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:19:26 +0200
Subject: [PATCH 36/83] getsockopt_wrapper: add support for PAM clients
PAM clients expect that the private socket of the PAM responder is
handled by root. With this patch getsockopt_wrapper can return the
expected UID and GID to PAM clients.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
index 5109123..2f50889 100644
--- a/src/tests/intg/getsockopt_wrapper.c
+++ b/src/tests/intg/getsockopt_wrapper.c
@@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd)
return NULL != strstr(unix_socket->sun_path, "secrets.socket");
}
+static bool peer_is_private_pam(int fd)
+{
+ int ret;
+ struct sockaddr_storage addr = { 0 };
+ socklen_t addrlen = sizeof(addr);
+ struct sockaddr_un *unix_socket;
+
+ ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
+ if (ret != 0) return false;
+
+ if (addr.ss_family != AF_UNIX) return false;
+
+ unix_socket = (struct sockaddr_un *)&addr;
+
+ return NULL != strstr(unix_socket->sun_path, "private/pam");
+}
+
static uid_t fake_secret_peer(uid_t orig_id)
{
char *val;
@@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id)
return atoi(val);
}
+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
+{
+ char *val;
+
+ val = getenv("SSSD_INTG_PEER_UID");
+ if (val != NULL) {
+ *uid = atoi(val);
+ }
+
+ val = getenv("SSSD_INTG_PEER_GID");
+ if (val != NULL) {
+ *gid = atoi(val);
+ }
+}
+
typedef typeof(getsockopt) getsockopt_fn_t;
static getsockopt_fn_t *orig_getsockopt = NULL;
@@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname,
cr->uid = 0;
} else if (is_secrets_socket(sockfd)) {
cr->uid = fake_secret_peer(cr->uid);
+ } else if (peer_is_private_pam(sockfd)) {
+ fake_peer_uid_gid(&cr->uid, &cr->gid);
}
}
--
2.9.5

View File

@ -0,0 +1,330 @@
From 657f3b89bca9adfb13f0867c91f1d76845d2d6dd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:26:21 +0200
Subject: [PATCH 37/83] intg: add Smartcard authentication tests
Two test for Smartcard authentication of a local user, i.e. a user
managed by the files provider, are added. One for a successful
authentication, the other for a failed authentication with a wrong PIN.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
configure.ac | 1 +
contrib/ci/deps.sh | 2 +
contrib/sssd.spec.in | 1 +
src/external/cwrap.m4 | 5 ++
src/external/intgcheck.m4 | 1 +
src/tests/intg/Makefile.am | 24 ++++++-
src/tests/intg/test_pam_responder.py | 131 ++++++++++++++++++++++++++++++++---
7 files changed, 155 insertions(+), 10 deletions(-)
diff --git a/configure.ac b/configure.ac
index bb18ad4..5816b04 100644
--- a/configure.ac
+++ b/configure.ac
@@ -495,6 +495,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])
AM_CHECK_CMOCKA
AM_CHECK_UID_WRAPPER
AM_CHECK_NSS_WRAPPER
+AM_CHECK_PAM_WRAPPER
AM_CHECK_TEST_CA
# Check if the user wants SSSD to be compiled with systemtap probes
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
index 5906e53..c04c7aa 100644
--- a/contrib/ci/deps.sh
+++ b/contrib/ci/deps.sh
@@ -46,6 +46,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
pyldb
rpm-build
uid_wrapper
+ pam_wrapper
python-requests
curl-devel
krb5-server
@@ -117,6 +118,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
fakeroot
libnss-wrapper
libuid-wrapper
+ libpam-wrapper
python-pytest
python-ldap
python-ldb
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5ebd51f..26fae6d 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -237,6 +237,7 @@ BuildRequires: selinux-policy-targeted
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: uid_wrapper
BuildRequires: nss_wrapper
+BuildRequires: pam_wrapper
# Test CA requires openssl independent if SSSD is build with NSS or openssl,
# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
diff --git a/src/external/cwrap.m4 b/src/external/cwrap.m4
index b8489cc..6e3487c 100644
--- a/src/external/cwrap.m4
+++ b/src/external/cwrap.m4
@@ -28,3 +28,8 @@ AC_DEFUN([AM_CHECK_NSS_WRAPPER],
[
AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
])
+
+AC_DEFUN([AM_CHECK_PAM_WRAPPER],
+[
+ AM_CHECK_WRAPPER(pam_wrapper, HAVE_PAM_WRAPPER)
+])
diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4
index 60a7bf3..c14f669 100644
--- a/src/external/intgcheck.m4
+++ b/src/external/intgcheck.m4
@@ -22,6 +22,7 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [
if test x"$enable_intgcheck_reqs" = xyes; then
SSS_INTGCHECK_REQ([HAVE_UID_WRAPPER], [uid_wrapper])
SSS_INTGCHECK_REQ([HAVE_NSS_WRAPPER], [nss_wrapper])
+ SSS_INTGCHECK_REQ([HAVE_PAM_WRAPPER], [pam_wrapper])
SSS_INTGCHECK_REQ([HAVE_SLAPD], [slapd])
SSS_INTGCHECK_REQ([HAVE_LDAPMODIFY], [ldapmodify])
SSS_INTGCHECK_REQ([HAVE_FAKEROOT], [fakeroot])
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 6f7605b..bb3a7f0 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -105,13 +105,29 @@ passwd: root
group:
echo "root:x:0:" > $@
+PAM_SERVICE_DIR=pam_service_dir
+pam_sss_service:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
CLEANFILES=config.py config.pyc passwd group
clean-local:
rm -Rf root
rm -f $(builddir)/cwrap-dbus-system.conf
-intgcheck-installed: config.py passwd group
+if HAVE_NSS
+PAM_CERT_DB_PATH="sql:$(DESTDIR)$(sysconfdir)/pki/nssdb"
+SOFTHSM2_CONF=""
+else
+PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
+SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
+endif
+
+intgcheck-installed: config.py passwd group pam_sss_service
pipepath="$(DESTDIR)$(pipepath)"; \
if test $${#pipepath} -gt 80; then \
echo "error: Pipe directory path too long," \
@@ -131,12 +147,18 @@ intgcheck-installed: config.py passwd group
LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
NON_WRAPPED_UID=$$(id -u) \
LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \
+ LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)" \
NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \
NSS_WRAPPER_GROUP="$(abs_builddir)/group" \
NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \
NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
UID_WRAPPER=1 \
UID_WRAPPER_ROOT=1 \
+ PAM_WRAPPER=0 \
+ PAM_WRAPPER_SERVICE_DIR="$(abs_builddir)/$(PAM_SERVICE_DIR)" \
+ PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper) \
+ PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
+ SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \
DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index cf6fff2..c6d048c 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -27,31 +27,44 @@ import signal
import errno
import subprocess
import time
-import pytest
+import shutil
import config
-from util import unindent
+import pytest
+
+from intg.util import unindent
+from intg.files_ops import passwd_ops_setup
+USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
+ gecos='User for tests',
+ dir='/home/user1',
+ shell='/bin/bash')
-def format_pam_cert_auth_conf():
+
+def format_pam_cert_auth_conf(config):
"""Format a basic SSSD configuration"""
return unindent("""\
[sssd]
+ debug_level = 10
domains = auth_only
- services = pam
+ services = pam, nss
[nss]
+ debug_level = 10
[pam]
pam_cert_auth = True
+ pam_p11_allowed_services = +pam_sss_service
+ pam_cert_db_path = {config.PAM_CERT_DB_PATH}
debug_level = 10
[domain/auth_only]
- id_provider = ldap
- auth_provider = ldap
- chpass_provider = ldap
- access_provider = ldap
+ debug_level = 10
+ id_provider = files
+
+ [certmap/auth_only/user1]
+ matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
""").format(**locals())
@@ -79,6 +92,8 @@ def create_conf_fixture(request, contents):
def create_sssd_process():
"""Start the SSSD process"""
+ os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"]
+ os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"]
if subprocess.call(["sssd", "-D", "-f"]) != 0:
raise Exception("sssd start failed")
@@ -116,12 +131,41 @@ def create_sssd_fixture(request):
request.addfinalizer(cleanup_sssd_process)
+def create_nssdb():
+ os.mkdir(config.SYSCONFDIR + "/pki")
+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb")
+ if subprocess.call(["certutil", "-N", "-d",
+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/",
+ "--empty-password"]) != 0:
+ raise Exception("certutil failed")
+
+ pkcs11_txt = open(config.SYSCONFDIR + "/pki/nssdb/pkcs11.txt", "w")
+ pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
+ "parameters=configdir='sql:" + config.ABS_BUILDDIR +
+ "/../test_CA/p11_nssdb' " +
+ "dbSlotDescription='SSSD Test Slot' " +
+ "dbTokenDescription='SSSD Test Token' " +
+ "secmod='secmod.db' flags=readOnly)\n\n")
+ pkcs11_txt.close()
+
+
+def cleanup_nssdb():
+ shutil.rmtree(config.SYSCONFDIR + "/pki")
+
+
+def create_nssdb_fixture(request):
+ create_nssdb()
+ request.addfinalizer(cleanup_nssdb)
+
+
@pytest.fixture
def simple_pam_cert_auth(request):
"""Setup SSSD with pam_cert_auth=True"""
- conf = format_pam_cert_auth_conf()
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+ conf = format_pam_cert_auth_conf(config)
create_conf_fixture(request, conf)
create_sssd_fixture(request)
+ create_nssdb_fixture(request)
return None
@@ -129,3 +173,72 @@ def test_preauth_indicator(simple_pam_cert_auth):
"""Check if preauth indicator file is created"""
statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available")
assert stat.S_ISREG(statinfo.st_mode)
+
+
+@pytest.fixture
+def pam_wrapper_setup(request):
+ pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
+ if pwrap_runtimedir is None:
+ raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
+
+
+def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
+ passwd_ops_setup):
+
+ passwd_ops_setup.useradd(**USER1)
+ current_env = os.environ.copy()
+ current_env['PAM_WRAPPER'] = "1"
+ current_env['SSSD_INTG_PEER_UID'] = "0"
+ current_env['SSSD_INTG_PEER_GID'] = "0"
+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth", "--service=pam_sss_service"],
+ universal_newlines=True,
+ env=current_env, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="111")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: " +
+ "Authentication failure") != -1
+
+
+def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):
+
+ passwd_ops_setup.useradd(**USER1)
+ current_env = os.environ.copy()
+ current_env['PAM_WRAPPER'] = "1"
+ current_env['SSSD_INTG_PEER_UID'] = "0"
+ current_env['SSSD_INTG_PEER_GID'] = "0"
+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth", "--service=pam_sss_service"],
+ universal_newlines=True,
+ env=current_env, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
--
2.9.5

View File

@ -0,0 +1,49 @@
From 4ffe3ab9023ff858410256bc5c38a03d9cd88cf9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 5 Sep 2018 13:35:54 +0200
Subject: [PATCH 39/83] proxy: access provider directly not through be_ctx
Modules are initialized as part of dp_init_send() but be_ctx->provider is set
only after this request is finished therefore it is not available here.
Resolves:
https://pagure.io/SSSD/sssd/issue/3812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/proxy/proxy_init.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index cf4f82e..98c6dd1 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -192,6 +192,7 @@ static errno_t proxy_auth_conf(TALLOC_CTX *mem_ctx,
static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
+ struct data_provider *provider,
struct proxy_auth_ctx **_auth_ctx)
{
struct proxy_auth_ctx *auth_ctx;
@@ -213,7 +214,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = proxy_client_init(dp_sbus_conn(be_ctx->provider), auth_ctx);
+ ret = proxy_client_init(dp_sbus_conn(provider), auth_ctx);
if (ret != EOK) {
goto done;
}
@@ -273,7 +274,7 @@ errno_t sssm_proxy_init(TALLOC_CTX *mem_ctx,
/* Initialize auth_ctx since one of the access, auth or chpass is set. */
- ret = proxy_init_auth_ctx(mem_ctx, be_ctx, &auth_ctx);
+ ret = proxy_init_auth_ctx(mem_ctx, be_ctx, provider, &auth_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context [%d]: %s\n",
ret, sss_strerror(ret));
--
2.9.5

View File

@ -0,0 +1,144 @@
From 4c5a1afa0df41aac05d34455c6e54a6f52a8dd28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 5 Sep 2018 13:51:55 +0200
Subject: [PATCH 40/83] dp: set be_ctx->provider as part of dp_init request
Backend context is overused inside sssd code even during its initialization.
Some parts of initialization code requires access to be_ctx->provider so we
must make it available as soon as possible.
Better solution would be to always use 'provider' directly in initialization
but this makes it safer for any future changes as one does not have to keep
in mind when it is safe to use be_ctx->provider and when not. Now it is
always safe.
Resolves:
https://pagure.io/SSSD/sssd/issue/3812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/data_provider/dp.c | 21 +++++++++++++--------
src/providers/data_provider/dp.h | 1 -
src/providers/data_provider_be.c | 2 +-
src/providers/proxy/proxy_init.c | 2 +-
4 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
index fd19d28..bd003c8 100644
--- a/src/providers/data_provider/dp.c
+++ b/src/providers/data_provider/dp.c
@@ -120,6 +120,7 @@ static int dp_destructor(struct data_provider *provider)
}
struct dp_init_state {
+ struct be_ctx *be_ctx;
struct data_provider *provider;
char *sbus_name;
};
@@ -158,6 +159,7 @@ dp_init_send(TALLOC_CTX *mem_ctx,
goto done;
}
+ state->be_ctx = be_ctx;
state->provider->ev = ev;
state->provider->uid = uid;
state->provider->gid = gid;
@@ -224,12 +226,14 @@ static void dp_init_done(struct tevent_req *subreq)
sbus_server_set_on_connection(state->provider->sbus_server,
dp_client_init, state->provider);
+ /* be_ctx->provider must be accessible from modules and targets */
+ state->be_ctx->provider = talloc_steal(state->be_ctx, state->provider);
+
ret = dp_init_modules(state->provider, &state->provider->modules);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP modules "
"[%d]: %s\n", ret, sss_strerror(ret));
- tevent_req_error(req, ret);
- return;
+ goto done;
}
ret = dp_init_targets(state->provider, state->provider->be_ctx,
@@ -237,25 +241,27 @@ static void dp_init_done(struct tevent_req *subreq)
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP targets "
"[%d]: %s\n", ret, sss_strerror(ret));
- tevent_req_error(req, ret);
- return;
+ goto done;
}
ret = dp_init_interface(state->provider);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP interface "
"[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ talloc_zfree(state->be_ctx->provider);
tevent_req_error(req, ret);
- return;
}
tevent_req_done(req);
- return;
}
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
- struct data_provider **_provider,
const char **_sbus_name)
{
struct dp_init_state *state;
@@ -263,7 +269,6 @@ errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
TEVENT_REQ_RETURN_ON_ERROR(req);
- *_provider = talloc_steal(mem_ctx, state->provider);
*_sbus_name = talloc_steal(mem_ctx, state->sbus_name);
return EOK;
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
index 33e6e65..0028eb1 100644
--- a/src/providers/data_provider/dp.h
+++ b/src/providers/data_provider/dp.h
@@ -117,7 +117,6 @@ dp_init_send(TALLOC_CTX *mem_ctx,
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
- struct data_provider **_provider,
const char **_sbus_name);
bool _dp_target_enabled(struct data_provider *provider,
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 670ddb4..6d2477e 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -541,7 +541,7 @@ static void dp_initialized(struct tevent_req *req)
be_ctx = tevent_req_callback_data(req, struct be_ctx);
- ret = dp_init_recv(be_ctx, req, &be_ctx->provider, &be_ctx->sbus_name);
+ ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name);
talloc_zfree(req);
if (ret != EOK) {
goto done;
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index 98c6dd1..32343a3 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -214,7 +214,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = proxy_client_init(dp_sbus_conn(provider), auth_ctx);
+ ret = proxy_client_init(dp_sbus_conn(be_ctx->provider), auth_ctx);
if (ret != EOK) {
goto done;
}
--
2.9.5

View File

@ -0,0 +1,42 @@
From 9245bf1afe6767a0412212bc0040e606ee850e7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 12 Sep 2018 13:21:11 +0200
Subject: [PATCH 41/83] sbus: read destination after sender is set
dbus_message_set_sender may reallocate internal fields which will yield pointer
obtained by dbus_message_get_* invalid.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/server/sbus_server_handler.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/sbus/server/sbus_server_handler.c b/src/sbus/server/sbus_server_handler.c
index c300d81..d4e4547 100644
--- a/src/sbus/server/sbus_server_handler.c
+++ b/src/sbus/server/sbus_server_handler.c
@@ -148,9 +148,6 @@ sbus_server_filter(DBusConnection *dbus_conn,
return DBUS_HANDLER_RESULT_HANDLED;
}
- destination = dbus_message_get_destination(message);
- type = dbus_message_get_type(message);
-
conn = dbus_connection_get_data(dbus_conn, server->data_slot);
if (conn == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unknown connection!\n");
@@ -173,6 +170,11 @@ sbus_server_filter(DBusConnection *dbus_conn,
return DBUS_HANDLER_RESULT_HANDLED;
}
+ /* Set sender may reallocate internal fields so this needs to be read
+ * after we call dbus_message_set_sender(). */
+ destination = dbus_message_get_destination(message);
+ type = dbus_message_get_type(message);
+
if (type == DBUS_MESSAGE_TYPE_SIGNAL) {
return sbus_server_route_signal(server, conn, message, destination);
}
--
2.9.5

View File

@ -0,0 +1,34 @@
From b821ee3ca93beb94a7a9b22b6f7a205e4900212e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 12 Sep 2018 13:22:34 +0200
Subject: [PATCH 42/83] sbus: do not try to remove signal listeners when
disconnecting
This may cause some troubles if the dbus connection was dropped
as dbus will try to actually send the messages. Also when the
connectin is being freed, tevent integration is already disabled
so there is no point in doing this.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/router/sbus_router_hash.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/sbus/router/sbus_router_hash.c b/src/sbus/router/sbus_router_hash.c
index 186dc61..2d407b2 100644
--- a/src/sbus/router/sbus_router_hash.c
+++ b/src/sbus/router/sbus_router_hash.c
@@ -384,6 +384,10 @@ sbus_router_listeners_delete_cb(hash_entry_t *item,
return;
}
+ if (conn->disconnecting) {
+ return;
+ }
+
/* If we still have the D-Bus connection available, we try to unregister
* the previously registered listener when its removed from table. */
--
2.9.5

View File

@ -0,0 +1,29 @@
From f1f9af528f71f42ac41bb7a272f4f7d940fd3a0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 12 Sep 2018 13:24:27 +0200
Subject: [PATCH 43/83] sbus: free watch_fd->fdevent explicitly
We never reproduced this with gdb but valgrind shows invalid read in sbus_watch_handler
after the watch_fd was freed. This should not be needed since watch_fd is memory parent
of fdevent but it seems to help.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/connection/sbus_watch.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/sbus/connection/sbus_watch.c b/src/sbus/connection/sbus_watch.c
index 3898311..0e4bd01 100644
--- a/src/sbus/connection/sbus_watch.c
+++ b/src/sbus/connection/sbus_watch.c
@@ -280,6 +280,7 @@ sbus_watch_remove(DBusWatch *dbus_watch, void *data)
if (watch_fd->dbus_watch.read == NULL
&& watch_fd->dbus_watch.write == NULL) {
+ talloc_free(watch_fd->fdevent);
talloc_free(watch_fd);
}
}
--
2.9.5

View File

@ -0,0 +1,139 @@
From de8c9caf61e7b971cda9563cc5851ea222db5830 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Thu, 27 Sep 2018 16:03:40 +0200
Subject: [PATCH 44/83] doc: remove local provider reference from manpages
Introduce new condition for documentation build. Related part of
documentation is excluded, if build is done without local provider.
Resolves https://pagure.io/SSSD/sssd/issue/3826
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/Makefile.am | 6 +++++-
src/man/include/seealso.xml | 44 +++++++++++++++++++++++---------------------
src/man/sssd.conf.5.xml | 15 +++++++++------
3 files changed, 37 insertions(+), 28 deletions(-)
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index b4c20d8..54a30d1 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -51,7 +51,11 @@ CRYPTO_CONDS = ;with_nss
else
CRYPTO_CONDS = ;with_openssl
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS)
+if BUILD_LOCAL_PROVIDER
+LOCAL_PROVIDER_CONDS = ;enable_local_provider
+endif
+
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS)$(LOCAL_PROVIDER_CONDS)
#Special Rules:
diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
index 52798e4..f324b66 100644
--- a/src/man/include/seealso.xml
+++ b/src/man/include/seealso.xml
@@ -44,27 +44,29 @@
<citerefentry>
<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
- <citerefentry>
- <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
+ <phrase condition="enable_local_provider">
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ </phrase>
<citerefentry>
<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 04143f1..c1e3895 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2179,7 +2179,7 @@ pam_p11_allowed_services = +my_pam_service, -login
<para>
<quote>proxy</quote>: Support a legacy NSS provider.
</para>
- <para>
+ <para condition="enable_local_provider">
<quote>local</quote>: SSSD internal provider for
local users (DEPRECATED).
</para>
@@ -2324,7 +2324,7 @@ pam_p11_allowed_services = +my_pam_service, -login
<para>
<quote>proxy</quote> for relaying authentication to some other PAM target.
</para>
- <para>
+ <para condition="enable_local_provider">
<quote>local</quote>: SSSD internal provider for
local users
</para>
@@ -2836,9 +2836,12 @@ pam_p11_allowed_services = +my_pam_service, -login
<term>case_sensitive (string)</term>
<listitem>
<para>
- Treat user and group names as case sensitive. At
- the moment, this option is not supported in
- the local provider. Possible option values are:
+ Treat user and group names as case sensitive.
+ <phrase condition="enable_local_provider">
+ At the moment, this option is not supported in
+ the local provider.
+ </phrase>
+ Possible option values are:
<variablelist>
<varlistentry>
<term>True</term>
@@ -3148,7 +3151,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
</programlisting>
</refsect2>
- <refsect2 id='local_domain'>
+ <refsect2 id='local_domain' condition="enable_local_provider">
<title>The local domain section</title>
<para>
This section contains settings for domain that stores users and
--
2.9.5

View File

@ -0,0 +1,47 @@
From 081b18e75c746f9a2ad1fb412c825293090311f8 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Mon, 1 Oct 2018 15:49:06 +0200
Subject: [PATCH 54/83] confdb: log an error when domain is misconfigured
We need to inform user that there is misconfiguration
and particular domain will not be started.
Resolves:
https://pagure.io/SSSD/sssd/issue/3827
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 954c3ba..2f3d900 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -39,6 +39,9 @@
#define SAME_DOMAINS_ERROR_MSG "Domain '%s' is the same as or differs only "\
"in case from domain '%s'.\n"
+#define RETRIEVE_DOMAIN_ERROR_MSG "Error (%d [%s]) retrieving domain [%s], "\
+ "skipping!\n"
+
static char *prepend_cn(char *str, int *slen, const char *comp, int clen)
{
char *ret;
@@ -1522,8 +1525,12 @@ int confdb_get_domains(struct confdb_ctx *cdb,
ret = confdb_get_domain_internal(cdb, cdb, domlist[i], &domain);
if (ret) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Error (%d [%s]) retrieving domain [%s], skipping!\n",
+ RETRIEVE_DOMAIN_ERROR_MSG,
ret, sss_strerror(ret), domlist[i]);
+ sss_log(SSS_LOG_CRIT,
+ RETRIEVE_DOMAIN_ERROR_MSG,
+ ret, sss_strerror(ret), domlist[i]);
+
continue;
}
--
2.9.5

View File

@ -0,0 +1,57 @@
From dfa7bf1133f002a9fbbd3495a70909913db25b16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 14 Sep 2018 12:30:57 +0200
Subject: [PATCH 55/83] be: use be_is_offline for the main domain when asking
for domain status
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The DOM_ACTIVE/INACTIVE flag is not used with the main domain as it
is used only for subdomains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3830
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/providers/data_provider/dp_iface_backend.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/src/providers/data_provider/dp_iface_backend.c b/src/providers/data_provider/dp_iface_backend.c
index 25a00f3..85159a7 100644
--- a/src/providers/data_provider/dp_iface_backend.c
+++ b/src/providers/data_provider/dp_iface_backend.c
@@ -37,15 +37,23 @@ dp_backend_is_online(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain;
if (SBUS_REQ_STRING_IS_EMPTY(domname)) {
- *_is_online = be_is_offline(be_ctx);
- return EOK;
+ domain = be_ctx->domain;
+ } else {
+ domain = find_domain_by_name(be_ctx->domain, domname, false);
+ if (domain == NULL) {
+ return ERR_DOMAIN_NOT_FOUND;
+ }
}
- domain = find_domain_by_name(be_ctx->domain, domname, false);
- if (domain == NULL) {
- return ERR_DOMAIN_NOT_FOUND;
+ /**
+ * FIXME: https://pagure.io/SSSD/sssd/issue/3831
+ * domain->state is set only for subdomains not for the main domain
+ */
+ if (be_ctx->domain == domain) {
+ *_is_online = be_is_offline(be_ctx) == false;
+ } else {
+ *_is_online = domain->state == DOM_ACTIVE;
}
- *_is_online = domain->state == DOM_ACTIVE;
return EOK;
}
--
2.9.5

View File

@ -0,0 +1,146 @@
From e29b82077a78157a1e4d90e2308c1272d7612f3d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 2 Oct 2018 12:13:29 +0200
Subject: [PATCH 56/83] p11: handle multiple certs during auth with OpenSSL
This patch adds missing code already available in the NSS version to
select a certificate for authentication if multiple certificates are
available on the Smartcard. A unit test to check this feature is added
as well.
Related to https://pagure.io/SSSD/sssd/issue/3489
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/p11_child/p11_child_openssl.c | 46 ++++++++++++++++++++++++++++++++++++++-
src/tests/cmocka/test_pam_srv.c | 36 ++++++++++++++++++++++++++++++
2 files changed, 81 insertions(+), 1 deletion(-)
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index be58726..bf4418f 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -572,8 +572,10 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
char *slot_name = NULL;
char *token_name = NULL;
CK_SESSION_HANDLE session = 0;
+ struct cert_list *all_cert_list = NULL;
struct cert_list *cert_list = NULL;
struct cert_list *item = NULL;
+ struct cert_list *tmp_cert = NULL;
char *multi = NULL;
bool pkcs11_session = false;
bool pkcs11_login = false;
@@ -691,12 +693,54 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
DEBUG(SSSDBG_TRACE_ALL, "Login NOT required.\n");
}
- ret = read_certs(mem_ctx, module, session, p11_ctx, &cert_list);
+ ret = read_certs(mem_ctx, module, session, p11_ctx, &all_cert_list);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "read_certs failed.\n");
goto done;
}
+ DLIST_FOR_EACH(item, all_cert_list) {
+ /* Check if we found the certificates we needed for authentication or
+ * the requested ones for pre-auth. For authentication all attributes
+ * must be given and match, for pre-auth only the given ones must
+ * match. */
+ DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s.\n",
+ module_name_in, module_file_name, token_name_in, token_name,
+ key_id_in, item->id);
+
+ if ((mode == OP_AUTH
+ && module_name_in != NULL
+ && token_name_in != NULL
+ && key_id_in != NULL
+ && item->id != NULL
+ && strcmp(key_id_in, item->id) == 0
+ && strcmp(token_name_in, token_name) == 0
+ && strcmp(module_name_in, module_file_name) == 0)
+ || (mode == OP_PREAUTH
+ && (module_name_in == NULL
+ || (module_name_in != NULL
+ && strcmp(module_name_in, module_file_name) == 0))
+ && (token_name_in == NULL
+ || (token_name_in != NULL
+ && strcmp(token_name_in, token_name) == 0))
+ && (key_id_in == NULL
+ || (key_id_in != NULL && item->id != NULL
+ && strcmp(key_id_in, item->id) == 0)))) {
+
+ tmp_cert = talloc_memdup(mem_ctx, item, sizeof(struct cert_list));
+ if (tmp_cert == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_memdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ tmp_cert->prev = NULL;
+ tmp_cert->next = NULL;
+
+ DLIST_ADD(cert_list, tmp_cert);
+
+ }
+ }
+
/* TODO: check module_name_in, token_name_in, key_id_in */
if (cert_list == NULL) {
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 446985d..2b02ac2 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -2443,6 +2443,40 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state)
assert_int_equal(ret, EOK);
}
+void test_pam_cert_auth_2certs_one_mapping(void **state)
+{
+ int ret;
+
+#ifdef HAVE_NSS
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
+#else
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_two.conf"));
+#endif
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
+ true);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+
void test_filter_response(void **state)
{
int ret;
@@ -2875,6 +2909,8 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_two_mappings,
pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping,
+ pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
--
2.9.5

View File

@ -0,0 +1,74 @@
From 0be037bbedd0aed6a7eccead6aabe0d07258242a Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Mon, 1 Oct 2018 13:45:52 +0200
Subject: [PATCH 57/83] doc: Add nsswitch.conf note to manpage
We want to add note about nsswitch.conf configuration
into sssd-files manpage.
Resolves:
https://pagure.io/SSSD/sssd/issue/3750
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/man/sssd-files.5.xml | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
index 59e1b65..067e219 100644
--- a/src/man/sssd-files.5.xml
+++ b/src/man/sssd-files.5.xml
@@ -51,6 +51,27 @@
<manvolnum>5</manvolnum>
</citerefentry>.
</para>
+ <para>
+ Another reason is to provide efficient caching of local users and groups.
+ </para>
+ <para>
+ Please note that some distributions enable the files domain automatically,
+ prepending the domain before any explicitly configured domains.
+ See enable_files_domain in
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>.
+ </para>
+ <para>
+ SSSD never handles resolution of user/group "root". Also resolution of
+ UID/GID 0 is not handled by SSSD. Such requests are passed to next
+ NSS module (usually files).
+ </para>
+ <para>
+ When SSSD is not running or responding, nss_sss returns the UNAVAIL code
+ which causes the request to be passed to the next module.
+ </para>
</refsect1>
<refsect1 id='configuration-options'>
@@ -112,9 +133,20 @@
id_provider = files
</programlisting>
</para>
+ <para>
+ To leverage caching of local users and groups by SSSD
+ nss_sss module must be listed before nss_files module
+ in /etc/nsswitch.conf.
+ </para>
+ <para>
+<programlisting>
+passwd: sss files
+group: sss files
+</programlisting>
+ </para>
</refsect1>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
</refentry>
</reference>
--
2.9.5

View File

@ -0,0 +1,31 @@
From e5dc30e0092b240a32f2004966eeecdc57d50fb8 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 8 Oct 2018 07:45:45 +0000
Subject: [PATCH 58/83] MAN: Fix typo in ad_gpo_implicit_deny default value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Merges: https://pagure.io/SSSD/sssd/pull-request/3846
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/man/sssd-ad.5.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 0eac382..ea0adf7 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -432,7 +432,7 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
apply to them.
</para>
<para>
- Default: False (seconds)
+ Default: False
</para>
</listitem>
</varlistentry>
--
2.9.5

View File

@ -0,0 +1,470 @@
From 42f69e26e5b858dd03492cc2a148d02c2ccc2161 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 14 Sep 2018 12:47:00 +0200
Subject: [PATCH 59/83] p11_child: add --wait_for_card option
The --wait_for_card option will let the p11_child wait until a
Smartcard/token is available in a slot with the removable flag.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/p11_child/p11_child.h | 5 +-
src/p11_child/p11_child_common.c | 12 +++-
src/p11_child/p11_child_nss.c | 105 ++++++++++++++++++++---------
src/p11_child/p11_child_openssl.c | 136 ++++++++++++++++++++++++++++++--------
4 files changed, 196 insertions(+), 62 deletions(-)
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
index 1e9fc3d..dd8fdea 100644
--- a/src/p11_child/p11_child.h
+++ b/src/p11_child/p11_child.h
@@ -25,6 +25,9 @@
#ifndef __P11_CHILD_H__
#define __P11_CHILD_H__
+/* Time to wait during a C_Finalize C_Initialize cycle to discover
+ * new slots. */
+#define PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME 3
struct p11_ctx;
enum op_mode {
@@ -41,7 +44,7 @@ enum pin_mode {
};
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db,
- struct p11_ctx **p11_ctx);
+ bool wait_for_card, struct p11_ctx **p11_ctx);
errno_t init_verification(struct p11_ctx *p11_ctx,
struct cert_verify_opts *cert_verify_opts);
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
index 125430d..bc5f6b0 100644
--- a/src/p11_child/p11_child_common.c
+++ b/src/p11_child/p11_child_common.c
@@ -57,6 +57,7 @@ static const char *op_mode_str(enum op_mode mode)
static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
struct cert_verify_opts *cert_verify_opts,
+ bool wait_for_card,
const char *cert_b64, const char *pin,
const char *module_name, const char *token_name,
const char *key_id, char **multi)
@@ -64,7 +65,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
int ret;
struct p11_ctx *p11_ctx;
- ret = init_p11_ctx(mem_ctx, ca_db, &p11_ctx);
+ ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, &p11_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "init_p11_ctx failed.\n");
return ret;
@@ -157,6 +158,7 @@ int main(int argc, const char *argv[])
char *token_name = NULL;
char *key_id = NULL;
char *cert_b64 = NULL;
+ bool wait_for_card = false;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -174,6 +176,7 @@ int main(int argc, const char *argv[])
SSSD_LOGGER_OPTS
{"auth", 0, POPT_ARG_NONE, NULL, 'a', _("Run in auth mode"), NULL},
{"pre", 0, POPT_ARG_NONE, NULL, 'p', _("Run in pre-auth mode"), NULL},
+ {"wait_for_card", 0, POPT_ARG_NONE, NULL, 'w', _("Wait until card is available"), NULL},
{"verification", 0, POPT_ARG_NONE, NULL, 'v', _("Run in verification mode"),
NULL},
{"pin", 0, POPT_ARG_NONE, NULL, 'i', _("Expect PIN on stdin"), NULL},
@@ -258,6 +261,9 @@ int main(int argc, const char *argv[])
}
pin_mode = PIN_KEYPAD;
break;
+ case 'w':
+ wait_for_card = true;
+ break;
default:
fprintf(stderr, "\nInvalid option %s: %s\n\n",
poptBadOption(pc, 0), poptStrerror(opt));
@@ -360,8 +366,8 @@ int main(int argc, const char *argv[])
}
}
- ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, cert_b64,
- pin, module_name, token_name, key_id, &multi);
+ ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card,
+ cert_b64, pin, module_name, token_name, key_id, &multi);
if (ret != 0) {
DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
goto fail;
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index d6a0b80..b2777d1 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -51,6 +51,7 @@ struct p11_ctx {
CERTCertDBHandle *handle;
struct cert_verify_opts *cert_verify_opts;
const char *nss_db;
+ bool wait_for_card;
};
#define EXP_USAGES ( certificateUsageSSLClient \
@@ -141,6 +142,19 @@ static int talloc_free_handle(struct p11_ctx *p11_ctx)
return 0;
}
+static NSSInitContext *get_nss_ctx(const char *nss_db)
+{
+ uint32_t flags = NSS_INIT_READONLY
+ | NSS_INIT_FORCEOPEN
+ | NSS_INIT_NOROOTINIT
+ | NSS_INIT_OPTIMIZESPACE
+ | NSS_INIT_PK11RELOAD;
+ NSSInitParameters parameters = { 0 };
+ parameters.length = sizeof (parameters);
+
+ return NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters, flags);
+}
+
errno_t init_verification(struct p11_ctx *p11_ctx,
struct cert_verify_opts *cert_verify_opts)
{
@@ -256,14 +270,15 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
SECItem signed_random_value = {0};
SECKEYPublicKey *pub_key;
CERTCertificate *found_cert = NULL;
- PK11SlotList *list = NULL;
- PK11SlotListElement *le;
const char *label;
char *key_id_str = NULL;
CERTCertList *valid_certs = NULL;
char *cert_b64 = NULL;
char *multi = NULL;
PRCList *node;
+ CK_SLOT_INFO slInfo;
+ PK11TokenStatus token_status;
+ size_t s;
PK11_SetPasswordFunc(password_passthrough);
@@ -297,28 +312,50 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
mod_list_item->module->dllName);
}
- list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE,
- NULL);
- if (list == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "PK11_GetAllTokens failed.\n");
- ret = EIO;
- goto done;
- }
+ for (;;) {
+ mod_list = SECMOD_GetDefaultModuleList();
+ for (mod_list_item = mod_list; mod_list_item != NULL;
+ mod_list_item = mod_list_item->next) {
+ for (s = 0; s < mod_list_item->module->slotCount; s++) {
+ slInfo.flags = 0;
+ rv = PK11_GetSlotInfo(mod_list_item->module->slots[s], &slInfo);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Description [%s] Manufacturer [%s] flags [%lu] "
+ "removable [%s] token present [%s].\n",
+ slInfo.slotDescription, slInfo.manufacturerID,
+ slInfo.flags,
+ (slInfo.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
+ (slInfo.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+
+ if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) {
+ slot = PK11_ReferenceSlot(mod_list_item->module->slots[s]);
+ break;
+ }
+ }
+ }
- for (le = list->head; le; le = le->next) {
- CK_SLOT_INFO slInfo;
+ /* When e.g. using Yubikeys the slot isn't present until the device is
+ * inserted, so we should wait for a slot as well. */
+ if (p11_ctx->wait_for_card && slot == NULL) {
+ rv = NSS_ShutdownContext(p11_ctx->nss_ctx);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
+ }
- slInfo.flags = 0;
- rv = PK11_GetSlotInfo(le->slot, &slInfo);
- DEBUG(SSSDBG_TRACE_ALL,
- "Description [%s] Manufacturer [%s] flags [%lu].\n",
- slInfo.slotDescription, slInfo.manufacturerID, slInfo.flags);
- if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) {
- slot = PK11_ReferenceSlot(le->slot);
+ sleep(PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME);
+
+ p11_ctx->nss_ctx = get_nss_ctx(p11_ctx->nss_db);
+ if (p11_ctx->nss_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
+ return EIO;
+ }
+ } else {
break;
}
}
- PK11_FreeSlotList(list);
+
if (slot == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "No removable slots found.\n");
ret = EIO;
@@ -332,6 +369,22 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
module = PK11_GetModule(slot);
module_name = module->dllName == NULL ? "NSS-Internal" : module->dllName;
+ if (!(slInfo.flags & CKF_TOKEN_PRESENT)) {
+ DEBUG(SSSDBG_TRACE_ALL, "Token not present.\n");
+ if (p11_ctx->wait_for_card) {
+ token_status = PK11_WaitForTokenEvent(slot, PK11TokenPresentEvent,
+ PR_INTERVAL_NO_TIMEOUT, 0, 0);
+ if (token_status != PK11TokenPresent) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_WaitForTokenEvent failed.\n");
+ ret = EIO;
+ goto done;
+ }
+ } else {
+ ret = EIO;
+ goto done;
+ }
+ }
+
DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d][%s].\n",
token_name, slot_name, (int) slot_id, (int) module_id, module_name);
@@ -651,26 +704,18 @@ static int talloc_nss_shutdown(struct p11_ctx *p11_ctx)
}
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db,
- struct p11_ctx **p11_ctx)
+ bool wait_for_card, struct p11_ctx **p11_ctx)
{
struct p11_ctx *ctx;
- uint32_t flags = NSS_INIT_READONLY
- | NSS_INIT_FORCEOPEN
- | NSS_INIT_NOROOTINIT
- | NSS_INIT_OPTIMIZESPACE
- | NSS_INIT_PK11RELOAD;
- NSSInitParameters parameters = { 0 };
- parameters.length = sizeof (parameters);
-
ctx = talloc_zero(mem_ctx, struct p11_ctx);
if (ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
return ENOMEM;
}
ctx->nss_db = nss_db;
+ ctx->wait_for_card = wait_for_card;
- ctx->nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters,
- flags);
+ ctx->nss_ctx = get_nss_ctx(nss_db);
if (ctx->nss_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
PR_GetError(), PORT_ErrorToString(PR_GetError()));
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index bf4418f..d4572d9 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -40,6 +40,7 @@
struct p11_ctx {
X509_STORE *x509_store;
const char *ca_db;
+ bool wait_for_card;
};
static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
@@ -48,8 +49,9 @@ static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
return 0;
}
+
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
- struct p11_ctx **p11_ctx)
+ bool wait_for_card, struct p11_ctx **p11_ctx)
{
int ret;
struct p11_ctx *ctx;
@@ -73,6 +75,7 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
}
ctx->ca_db = ca_db;
+ ctx->wait_for_card = wait_for_card;
talloc_set_destructor(ctx, talloc_cleanup_openssl);
*p11_ctx = ctx;
@@ -547,6 +550,45 @@ done:
return ret;
}
+static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
+{
+ CK_FLAGS wait_flags = 0;
+ CK_RV rv;
+ CK_SLOT_INFO info;
+
+ rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
+ if (rv != CKR_OK) {
+ if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "C_WaitForSlotEvent failed [%lu][%s].\n",
+ rv, p11_kit_strerror(rv));
+ return EIO;
+ }
+
+ /* Poor man's wait */
+ do {
+ sleep(10);
+ rv = module->C_GetSlotInfo(*slot_id, &info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
+ return EIO;
+ }
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Description [%s] Manufacturer [%s] flags [%lu] "
+ "removable [%s] token present [%s].\n",
+ info.slotDescription, info.manufacturerID, info.flags,
+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+ if ((info.flags & CKF_REMOVABLE_DEVICE)
+ && (info.flags & CKF_TOKEN_PRESENT)) {
+ break;
+ }
+ } while (true);
+ }
+
+ return EOK;
+}
+
#define MAX_SLOTS 64
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
@@ -588,39 +630,62 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
return EIO;
}
- DEBUG(SSSDBG_TRACE_ALL, "Module List:\n");
- for (c = 0; modules[c] != NULL; c++) {
- mod_name = p11_kit_module_get_name(modules[c]);
- mod_file_name = p11_kit_module_get_filename(modules[c]);
- DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name);
- DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name);
- free(mod_name);
- free(mod_file_name);
+ for (;;) {
+ DEBUG(SSSDBG_TRACE_ALL, "Module List:\n");
+ for (c = 0; modules[c] != NULL; c++) {
+ mod_name = p11_kit_module_get_name(modules[c]);
+ mod_file_name = p11_kit_module_get_filename(modules[c]);
+ DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name);
+ DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name);
+ free(mod_name);
+ free(mod_file_name);
- num_slots = MAX_SLOTS;
- rv = modules[c]->C_GetSlotList(CK_TRUE, slots, &num_slots);
- if (rv != CKR_OK) {
- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n");
- ret = EIO;
- goto done;
- }
-
- for (s = 0; s < num_slots; s++) {
- rv = modules[c]->C_GetSlotInfo(slots[s], &info);
+ num_slots = MAX_SLOTS;
+ rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots);
if (rv != CKR_OK) {
- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n");
ret = EIO;
goto done;
}
- DEBUG(SSSDBG_TRACE_ALL,
- "Description [%s] Manufacturer [%s] flags [%lu] removable [%s].\n",
- info.slotDescription, info.manufacturerID, info.flags,
- (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false");
- if ((info.flags & CKF_REMOVABLE_DEVICE)) {
+
+ for (s = 0; s < num_slots; s++) {
+ rv = modules[c]->C_GetSlotInfo(slots[s], &info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
+ ret = EIO;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Description [%s] Manufacturer [%s] flags [%lu] "
+ "removable [%s] token present [%s].\n",
+ info.slotDescription, info.manufacturerID, info.flags,
+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+ if ((info.flags & CKF_REMOVABLE_DEVICE)) {
+ break;
+ }
+ }
+ if (s != num_slots) {
break;
}
}
- if (s != num_slots) {
+
+ /* When e.g. using Yubikeys the slot isn't present until the device is
+ * inserted, so we should wait for a slot as well. */
+ if (p11_ctx->wait_for_card && modules[c] == NULL) {
+ p11_kit_modules_finalize_and_release(modules);
+
+ sleep(PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME);
+
+ modules = p11_kit_modules_load_and_initialize(0);
+ if (modules == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "p11_kit_modules_load_and_initialize failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ } else {
break;
}
}
@@ -631,14 +696,29 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
goto done;
}
- rv = modules[c]->C_GetTokenInfo(slots[s], &token_info);
+ slot_id = slots[s];
+
+ if (!(info.flags & CKF_TOKEN_PRESENT)) {
+ DEBUG(SSSDBG_TRACE_ALL, "Token not present.\n");
+ if (p11_ctx->wait_for_card) {
+ ret = wait_for_card(modules[c], &slot_id);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "wait_for_card failed.\n");
+ goto done;
+ }
+ } else {
+ ret = EIO;
+ goto done;
+ }
+ }
+
+ rv = modules[c]->C_GetTokenInfo(slot_id, &token_info);
if (rv != CKR_OK) {
DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n");
ret = EIO;
goto done;
}
- slot_id = slots[s];
module_id = c;
slot_name = p11_kit_space_strdup(info.slotDescription,
sizeof(info.slotDescription));
--
2.9.5

View File

@ -0,0 +1,143 @@
From 2e4ecf5a866b212bef44e262fd90c67a88dc616a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 18:15:02 +0200
Subject: [PATCH 60/83] PAM: add p11_wait_for_card_timeout option
If the --wait_for_card is used to call p11_child the PAM responder
should be prepared to wait longer until p11_child can return
successfully.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 14 ++++++++++++++
src/responder/pam/pamsrv_cmd.c | 15 +++++++++++++++
src/util/util.h | 1 +
7 files changed, 34 insertions(+)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 625d156..87904c2 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -130,6 +130,7 @@
#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
+#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 81a03ad..4d1dba2 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -104,6 +104,7 @@ option_strings = {
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
+ 'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 78f215e..50a8f1d 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -127,6 +127,7 @@ option = pam_cert_db_path
option = p11_child_timeout
option = pam_app_services
option = pam_p11_allowed_services
+option = p11_wait_for_card_timeout
[rule/allowed_sudo_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 52494c0..bb686c3 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -76,6 +76,7 @@ pam_cert_db_path = str, None, false
p11_child_timeout = int, None, false
pam_app_services = str, None, false
pam_p11_allowed_services = str, None, false
+p11_wait_for_card_timeout = int, None, false
[sudo]
# sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index c1e3895..4df0163 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1464,6 +1464,20 @@ pam_p11_allowed_services = +my_pam_service, -login
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>p11_wait_for_card_timeout (integer)</term>
+ <listitem>
+ <para>
+ If Smartcard authentication is required how many
+ extra seconds in addition to p11_child_timeout
+ should the PAM responder wait until a Smartcard is
+ inserted.
+ </para>
+ <para>
+ Default: 60
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 817f3c5..c8df32d 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1297,6 +1297,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
struct pam_data *pd)
{
int p11_child_timeout;
+ int wait_for_card_timeout;
char *cert_verification_opts;
errno_t ret;
struct tevent_req *req;
@@ -1311,6 +1312,20 @@ static errno_t check_cert(TALLOC_CTX *mctx,
ret, sss_strerror(ret));
return ret;
}
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT,
+ P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT,
+ &wait_for_card_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read wait_for_card_timeout from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ p11_child_timeout += wait_for_card_timeout;
+ }
ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY,
CONFDB_MONITOR_CERT_VERIFICATION, NULL,
diff --git a/src/util/util.h b/src/util/util.h
index 59e7a96..e3e9100 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -724,6 +724,7 @@ errno_t create_preauth_indicator(void);
#define P11_CHILD_LOG_FILE "p11_child"
#define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child"
#define P11_CHILD_TIMEOUT_DEFAULT 10
+#define P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT 60
#endif /* SSSD_LIBEXEC_PATH */
#endif /* __SSSD_UTIL_H__ */
--
2.9.5

View File

@ -0,0 +1,244 @@
From d33a8bed5aad9135426c9ebdf101cf600685ab81 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 10:11:02 +0200
Subject: [PATCH 61/83] pam_sss: make flags public
To allow the PAM responder to act on the config flags set for pam_sss
the flags have to be made public first.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sss_client/pam_sss.c | 71 +++++++++++++++++++++---------------------------
src/sss_client/sss_cli.h | 9 ++++++
2 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 59081cc..b336d1f 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -52,15 +52,6 @@
#include <libintl.h>
#define _(STRING) dgettext (PACKAGE, STRING)
-#define FLAGS_USE_FIRST_PASS (1 << 0)
-#define FLAGS_FORWARD_PASS (1 << 1)
-#define FLAGS_USE_AUTHTOK (1 << 2)
-#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
-#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
-#define FLAGS_USE_2FA (1 << 5)
-#define FLAGS_ALLOW_MISSING_NAME (1 << 6)
-#define FLAGS_PROMPT_ALWAYS (1 << 7)
-
#define PWEXP_FLAG "pam_sss:password_expired_flag"
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
#define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type"
@@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
pi->pam_service_size=strlen(pi->pam_service)+1;
ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user));
- if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) {
+ if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) {
pi->pam_user = "";
ret = PAM_SUCCESS;
}
if (ret != PAM_SUCCESS) return ret;
if (pi->pam_user == NULL) {
- if (flags & FLAGS_ALLOW_MISSING_NAME) {
+ if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
pi->pam_user = "";
} else {
D(("No user found, aborting."));
@@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
for (; argc-- > 0; ++argv) {
if (strcmp(*argv, "forward_pass") == 0) {
- *flags |= FLAGS_FORWARD_PASS;
+ *flags |= PAM_CLI_FLAGS_FORWARD_PASS;
} else if (strcmp(*argv, "use_first_pass") == 0) {
- *flags |= FLAGS_USE_FIRST_PASS;
+ *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS;
} else if (strcmp(*argv, "use_authtok") == 0) {
- *flags |= FLAGS_USE_AUTHTOK;
+ *flags |= PAM_CLI_FLAGS_USE_AUTHTOK;
} else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
logger(pamh, LOG_ERR, "Missing argument to option domains.");
@@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
} else if (strcmp(*argv, "quiet") == 0) {
*quiet_mode = true;
} else if (strcmp(*argv, "ignore_unknown_user") == 0) {
- *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+ *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
} else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
- *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
+ *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL;
} else if (strcmp(*argv, "use_2fa") == 0) {
- *flags |= FLAGS_USE_2FA;
+ *flags |= PAM_CLI_FLAGS_USE_2FA;
} else if (strcmp(*argv, "allow_missing_name") == 0) {
- *flags |= FLAGS_ALLOW_MISSING_NAME;
+ *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
} else if (strcmp(*argv, "prompt_always") == 0) {
- *flags |= FLAGS_PROMPT_ALWAYS;
+ *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
{
int ret;
- if ((flags & FLAGS_USE_FIRST_PASS)
+ if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|| ( pi->pamstack_authtok != NULL
&& *(pi->pamstack_authtok) != '\0'
- && !(flags & FLAGS_PROMPT_ALWAYS))) {
+ && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) {
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
pi->pam_authtok = strdup(pi->pamstack_authtok);
if (pi->pam_authtok == NULL) {
@@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
}
pi->pam_authtok_size = strlen(pi->pam_authtok);
} else {
- if (flags & FLAGS_USE_2FA
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
@@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
return ret;
}
- if (flags & FLAGS_FORWARD_PASS) {
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
} else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
@@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
/* we query for the old password during PAM_PRELIM_CHECK to make
* pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
- if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
- if (flags & FLAGS_USE_2FA
+ if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
@@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
}
}
- if (flags & FLAGS_USE_AUTHTOK) {
+ if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) {
pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
pi->pam_newauthtok = strdup(pi->pamstack_authtok);
if (pi->pam_newauthtok == NULL) {
@@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
return ret;
}
- if (flags & FLAGS_FORWARD_PASS) {
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
if (ret != PAM_SUCCESS) {
D(("Failed to set PAM_AUTHTOK [%s], "
@@ -2376,10 +2367,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
ret = get_pam_items(pamh, flags, &pi);
if (ret != PAM_SUCCESS) {
D(("get items returned error: %s", pam_strerror(pamh,ret)));
- if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
ret = PAM_IGNORE;
}
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
&& ret == PAM_AUTHINFO_UNAVAIL) {
ret = PAM_IGNORE;
}
@@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
case SSS_PAM_AUTHENTICATE:
/*
* Only do preauth if
- * - FLAGS_USE_FIRST_PASS is not set
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
* - preauth indicator file exists.
*/
- if ( !(flags & FLAGS_USE_FIRST_PASS)
+ if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
&& (pi.pam_authtok == NULL
- || (flags & FLAGS_PROMPT_ALWAYS))
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
@@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
* The means the preauth step has to be done here as well but
* only if
* - PAM_PRELIM_CHECK is set
- * - FLAGS_USE_FIRST_PASS is not set
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
* - preauth indicator file exists.
*/
if ( (pam_flags & PAM_PRELIM_CHECK)
- && !(flags & FLAGS_USE_FIRST_PASS)
+ && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
&& (pi.pam_authtok == NULL
- || (flags & FLAGS_PROMPT_ALWAYS))
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
@@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
- if (flags & FLAGS_IGNORE_UNKNOWN_USER
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER
&& pam_status == PAM_USER_UNKNOWN) {
pam_status = PAM_IGNORE;
}
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
&& pam_status == PAM_AUTHINFO_UNAVAIL) {
pam_status = PAM_IGNORE;
}
@@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
retry = true;
retries--;
- flags &= ~FLAGS_USE_FIRST_PASS;
+ flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS;
ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
if (ret != PAM_SUCCESS) {
D(("Failed to unset PAM_AUTHTOK [%s]",
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 24d28ed..3404715 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -365,6 +365,15 @@ enum pam_item_type {
SSS_PAM_ITEM_REQUESTED_DOMAINS,
};
+#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
+#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1)
+#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2)
+#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
+#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
+#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
+#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
+
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
struct sss_cli_req_data {
--
2.9.5

View File

@ -0,0 +1,100 @@
From d3a18f06162b9585d2db936472b75fdbff37162d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 17 Sep 2018 17:54:26 +0200
Subject: [PATCH 62/83] pam_sss: add try_cert_auth option
With this new option pam_sss can be configured to only do Smartcard
authentication or return an error if this is not possible.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/pam_sss.8.xml | 23 +++++++++++++++++++++++
src/sss_client/pam_sss.c | 9 +++++++++
src/sss_client/sss_cli.h | 1 +
3 files changed, 33 insertions(+)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index d8e6a20..ca2e8e2 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -50,6 +50,9 @@
<arg choice='opt'>
<replaceable>prompt_always</replaceable>
</arg>
+ <arg choice='opt'>
+ <replaceable>try_cert_auth</replaceable>
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>try_cert_auth</option>
+ </term>
+ <listitem>
+ <para>
+ Try to use certificate based authentication, i.e.
+ authentication with a Smartcard or similar devices. If a
+ Smartcard is available and the service is allowed for
+ Smartcard authentication the use will be prompted for a
+ PIN and the certificate based authentication will
+ continue
+ </para>
+ <para>
+ If no Smartcard is available or certificate based
+ authentication is not allowed for the current service
+ PAM_AUTHINFO_UNAVAIL is returned.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b336d1f..96ff15a 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
*flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
} else if (strcmp(*argv, "prompt_always") == 0) {
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
+ } else if (strcmp(*argv, "try_cert_auth") == 0) {
+ *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
}
}
+ if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH
+ && pi.cert_list == NULL) {
+ D(("No certificates for authentication available."));
+ overwrite_and_free_pam_items(&pi);
+ return PAM_AUTHINFO_UNAVAIL;
+ }
+
if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
ret = check_login_token_name(pamh, &pi, quiet_mode);
if (ret != PAM_SUCCESS) {
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 3404715..38e3f99 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -373,6 +373,7 @@ enum pam_item_type {
#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
+#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
--
2.9.5

View File

@ -0,0 +1,370 @@
From 49be8974b490c368d349752f3196af0c9ed28dd5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 09:53:37 +0200
Subject: [PATCH 63/83] pam_sss: add option require_cert_auth
With this new option pam_sss will wait until a Smartcard is available
and then try to authenticate with the help of the Smartcard.
Related https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/pam_sss.8.xml | 25 ++++++++++++
src/responder/pam/pamsrv_cmd.c | 12 ++++++
src/responder/pam/pamsrv_p11.c | 5 ++-
src/sss_client/pam_message.c | 4 ++
src/sss_client/pam_message.h | 1 +
src/sss_client/pam_sss.c | 90 ++++++++++++++++++++++++++----------------
src/sss_client/sss_cli.h | 2 +
src/util/sss_pam_data.c | 1 +
src/util/sss_pam_data.h | 1 +
9 files changed, 106 insertions(+), 35 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index ca2e8e2..9998519 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -53,6 +53,9 @@
<arg choice='opt'>
<replaceable>try_cert_auth</replaceable>
</arg>
+ <arg choice='opt'>
+ <replaceable>require_cert_auth</replaceable>
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -223,6 +226,28 @@ auth sufficient pam_sss.so allow_missing_name
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>require_cert_auth</option>
+ </term>
+ <listitem>
+ <para>
+ Do certificate based authentication, i.e.
+ authentication with a Smartcard or similar devices. If a
+ Smartcard is not available the user will be prompted to
+ insert one. SSSD will wait for a Smartcard until the
+ timeout defined by p11_wait_for_card_timeout passed,
+ please see
+ <citerefentry><refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> for details.
+ </para>
+ <para>
+ If no Smartcard is available after the timeout or
+ certificate based authentication is not allowed for the
+ current service PAM_AUTHINFO_UNAVAIL is returned.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c8df32d..6e37f83 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -317,6 +317,11 @@ static int pam_parse_in_data_v2(struct pam_data *pd,
size, body, blen, &c);
if (ret != EOK) return ret;
break;
+ case SSS_PAM_ITEM_FLAGS:
+ ret = extract_uint32_t(&pd->cli_flags, size,
+ body, blen, &c);
+ if (ret != EOK) return ret;
+ break;
default:
DEBUG(SSSDBG_CRIT_FAILURE,
"Ignoring unknown data type [%d].\n", type);
@@ -1447,6 +1452,13 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
"No certificate found and no logon name given, " \
"authentication not possible.\n");
ret = ENOENT;
+ } else if (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "try_cert_auth flag set but no certificate available, "
+ "request finished.\n");
+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+ pam_reply(preq);
+ return;
} else {
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
DEBUG(SSSDBG_CRIT_FAILURE,
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index ffa6787..8b8859d 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -721,7 +721,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
struct timeval tv;
int pipefd_to_child[2] = PIPE_INIT;
int pipefd_from_child[2] = PIPE_INIT;
- const char *extra_args[13] = { NULL };
+ const char *extra_args[14] = { NULL };
uint8_t *write_buf = NULL;
size_t write_buf_len = 0;
size_t arg_c;
@@ -748,6 +748,9 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
/* extra_args are added in revers order */
arg_c = 0;
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
+ extra_args[arg_c++] = "--wait_for_card";
+ }
extra_args[arg_c++] = nss_db;
extra_args[arg_c++] = "--nssdb";
if (verify_opts != NULL) {
diff --git a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c
index b239f6f..036ae2a 100644
--- a/src/sss_client/pam_message.c
+++ b/src/sss_client/pam_message.c
@@ -126,6 +126,7 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
len += 3*sizeof(uint32_t); /* cli_pid */
len += *pi->requested_domains != '\0' ?
2*sizeof(uint32_t) + pi->requested_domains_size : 0;
+ len += 3*sizeof(uint32_t); /* flags */
buf = malloc(len);
if (buf == NULL) {
@@ -164,6 +165,9 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
pi->pam_newauthtok, pi->pam_newauthtok_size,
&buf[rp]);
+ rp += add_uint32_t_item(SSS_PAM_ITEM_FLAGS, (uint32_t) pi->flags,
+ &buf[rp]);
+
SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
if (rp != len) {
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
index 11526a8..50fedcd 100644
--- a/src/sss_client/pam_message.h
+++ b/src/sss_client/pam_message.h
@@ -51,6 +51,7 @@ struct pam_items {
enum sss_authtok_type pam_newauthtok_type;
size_t pam_newauthtok_size;
pid_t cli_pid;
+ uint32_t flags;
const char *login_name;
char *domain_name;
const char *requested_domains;
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 96ff15a..b4c1036 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -134,6 +134,7 @@ static void free_cai(struct cert_auth_info *cai)
free(cai->cert_user);
free(cai->cert);
free(cai->token_name);
+ free(cai->module_name);
free(cai->key_id);
free(cai->prompt_str);
free(cai);
@@ -1247,6 +1248,8 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
pi->cert_list = NULL;
pi->selected_cert = NULL;
+ pi->flags = flags;
+
return PAM_SUCCESS;
}
@@ -1267,6 +1270,7 @@ static void print_pam_items(struct pam_items *pi)
D(("Newauthtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_newauthtok)));
D(("Cli_PID: %d", pi->cli_pid));
D(("Requested domains: %s", pi->requested_domains));
+ D(("Flags: %d", pi->flags));
}
static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
@@ -1999,6 +2003,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
} else if (strcmp(*argv, "try_cert_auth") == 0) {
*flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
+ } else if (strcmp(*argv, "require_cert_auth") == 0) {
+ *flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -2274,55 +2280,51 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
return PAM_SUCCESS;
}
-#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter"
+#define SC_ENTER_LABEL_FMT "Please enter smart card labeled\n %s"
+#define SC_ENTER_FMT "Please enter smart card"
static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
- bool quiet_mode)
+ int retries, bool quiet_mode)
{
int ret;
int pam_status;
char *login_token_name;
char *prompt = NULL;
- size_t size;
- char *answer = NULL;
- /* TODO: check multiple cert case */
- struct cert_auth_info *cai = pi->cert_list;
+ uint32_t orig_flags = pi->flags;
- if (cai == NULL) {
- D(("No certificate information available"));
- return EINVAL;
+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
+ if (login_token_name == NULL
+ && !(pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
+ return PAM_SUCCESS;
}
- login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
if (login_token_name == NULL) {
- return PAM_SUCCESS;
+ ret = asprintf(&prompt, SC_ENTER_FMT);
+ } else {
+ ret = asprintf(&prompt, SC_ENTER_LABEL_FMT, login_token_name);
+ }
+ if (ret == -1) {
+ return ENOMEM;
}
- while (cai->token_name == NULL
- || strcmp(login_token_name, cai->token_name) != 0) {
- size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
- prompt = malloc(size);
- if (prompt == NULL) {
- D(("malloc failed."));
- return ENOMEM;
- }
+ pi->flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
- ret = snprintf(prompt, size, SC_ENTER_FMT,
- login_token_name);
- if (ret < 0 || ret >= size) {
- D(("snprintf failed."));
- free(prompt);
- return EFAULT;
+ /* TODO: check multiple cert case */
+ while (pi->cert_list == NULL || pi->cert_list->token_name == NULL
+ || (login_token_name != NULL
+ && strcmp(login_token_name,
+ pi->cert_list->token_name) != 0)) {
+
+ if (retries < 0) {
+ ret = PAM_AUTHINFO_UNAVAIL;
+ goto done;
}
+ retries--;
- ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
- NULL, &answer);
- free(prompt);
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL);
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
- return ret;
- } else {
- free(answer);
+ goto done;
}
pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
@@ -2335,7 +2337,14 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
}
}
- return PAM_SUCCESS;
+ ret = PAM_SUCCESS;
+
+done:
+
+ pi->flags = orig_flags;
+ free(prompt);
+
+ return ret;
}
static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
@@ -2394,8 +2403,19 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
&& (pi.pam_authtok == NULL
|| (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
+
+ if (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) {
+ /* Do not use PAM_CLI_FLAGS_REQUIRE_CERT_AUTH in the first
+ * SSS_PAM_PREAUTH run. In case a card is already inserted
+ * we do not have to prompt to insert a card. */
+ pi.flags &= ~PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
+ pi.flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
+ }
+
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
+
+ pi.flags = flags;
if (pam_status != PAM_SUCCESS) {
D(("send_and_receive returned [%d] during pre-auth",
pam_status));
@@ -2414,8 +2434,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
return PAM_AUTHINFO_UNAVAIL;
}
- if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
- ret = check_login_token_name(pamh, &pi, quiet_mode);
+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0
+ || (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
+ ret = check_login_token_name(pamh, &pi, retries,
+ quiet_mode);
if (ret != PAM_SUCCESS) {
D(("check_login_token_name failed.\n"));
return ret;
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 38e3f99..af8a439 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -363,6 +363,7 @@ enum pam_item_type {
SSS_PAM_ITEM_CLI_LOCALE,
SSS_PAM_ITEM_CLI_PID,
SSS_PAM_ITEM_REQUESTED_DOMAINS,
+ SSS_PAM_ITEM_FLAGS,
};
#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
@@ -374,6 +375,7 @@ enum pam_item_type {
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
+#define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
diff --git a/src/util/sss_pam_data.c b/src/util/sss_pam_data.c
index 5e41349..cb8779c 100644
--- a/src/util/sss_pam_data.c
+++ b/src/util/sss_pam_data.c
@@ -176,6 +176,7 @@ void pam_print_data(int l, struct pam_data *pd)
DEBUG(l, "priv: %d\n", pd->priv);
DEBUG(l, "cli_pid: %d\n", pd->cli_pid);
DEBUG(l, "logon name: %s\n", PAM_SAFE_ITEM(pd->logon_name));
+ DEBUG(l, "flags: %d\n", pd->cli_flags);
}
int pam_add_response(struct pam_data *pd, enum response_type type,
diff --git a/src/util/sss_pam_data.h b/src/util/sss_pam_data.h
index 7d74fa6..c989810 100644
--- a/src/util/sss_pam_data.h
+++ b/src/util/sss_pam_data.h
@@ -58,6 +58,7 @@ struct pam_data {
struct sss_auth_token *newauthtok;
uint32_t cli_pid;
char *logon_name;
+ uint32_t cli_flags;
int pam_status;
int response_delay;
--
2.9.5

View File

@ -0,0 +1,309 @@
From 5cdb6968f407c7bcaba69f4892f51fd6426dddb2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 26 Sep 2018 11:48:37 +0200
Subject: [PATCH 64/83] intg: require SC tests
Integration test for the new try_cert_auth and require_cert_auth option
for pam_sss.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/Makefile.am | 16 ++-
src/tests/intg/test_pam_responder.py | 188 +++++++++++++++++++++++++++++++----
2 files changed, 182 insertions(+), 22 deletions(-)
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index bb3a7f0..44fb635 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -113,6 +113,20 @@ pam_sss_service:
echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+pam_sss_sc_required:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so require_cert_auth retry=1" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
+pam_sss_try_sc:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so try_cert_auth" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
CLEANFILES=config.py config.pyc passwd group
clean-local:
@@ -127,7 +141,7 @@ PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
endif
-intgcheck-installed: config.py passwd group pam_sss_service
+intgcheck-installed: config.py passwd group pam_sss_service pam_sss_sc_required pam_sss_try_sc
pipepath="$(DESTDIR)$(pipepath)"; \
if test $${#pipepath} -gt 80; then \
echo "error: Pipe directory path too long," \
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index c6d048c..06f69a3 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -41,6 +41,11 @@ USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
dir='/home/user1',
shell='/bin/bash')
+USER2 = dict(name='user2', passwd='x', uid=10002, gid=20002,
+ gecos='User with no Smartcard mapping',
+ dir='/home/user2',
+ shell='/bin/bash')
+
def format_pam_cert_auth_conf(config):
"""Format a basic SSSD configuration"""
@@ -55,8 +60,11 @@ def format_pam_cert_auth_conf(config):
[pam]
pam_cert_auth = True
- pam_p11_allowed_services = +pam_sss_service
+ pam_p11_allowed_services = +pam_sss_service, +pam_sss_sc_required, \
+ +pam_sss_try_sc
pam_cert_db_path = {config.PAM_CERT_DB_PATH}
+ p11_child_timeout = 5
+ p11_wait_for_card_timeout = 5
debug_level = 10
[domain/auth_only]
@@ -149,6 +157,15 @@ def create_nssdb():
pkcs11_txt.close()
+def create_nssdb_no_cert():
+ os.mkdir(config.SYSCONFDIR + "/pki")
+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb")
+ if subprocess.call(["certutil", "-N", "-d",
+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/",
+ "--empty-password"]) != 0:
+ raise Exception("certutil failed")
+
+
def cleanup_nssdb():
shutil.rmtree(config.SYSCONFDIR + "/pki")
@@ -158,14 +175,42 @@ def create_nssdb_fixture(request):
request.addfinalizer(cleanup_nssdb)
+def create_nssdb_no_cert_fixture(request):
+ create_nssdb_no_cert()
+ request.addfinalizer(cleanup_nssdb)
+
+
@pytest.fixture
-def simple_pam_cert_auth(request):
+def simple_pam_cert_auth(request, passwd_ops_setup):
"""Setup SSSD with pam_cert_auth=True"""
config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
conf = format_pam_cert_auth_conf(config)
create_conf_fixture(request, conf)
create_sssd_fixture(request)
create_nssdb_fixture(request)
+ passwd_ops_setup.useradd(**USER1)
+ passwd_ops_setup.useradd(**USER2)
+ return None
+
+
+@pytest.fixture
+def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
+ """Setup SSSD with pam_cert_auth=True"""
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
+ del os.environ['SOFTHSM2_CONF']
+
+ conf = format_pam_cert_auth_conf(config)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ create_nssdb_no_cert_fixture(request)
+
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
+
+ passwd_ops_setup.useradd(**USER1)
+ passwd_ops_setup.useradd(**USER2)
+
return None
@@ -176,26 +221,26 @@ def test_preauth_indicator(simple_pam_cert_auth):
@pytest.fixture
-def pam_wrapper_setup(request):
+def env_for_sssctl(request):
pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
if pwrap_runtimedir is None:
raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
+ env_for_sssctl = os.environ.copy()
+ env_for_sssctl['PAM_WRAPPER'] = "1"
+ env_for_sssctl['SSSD_INTG_PEER_UID'] = "0"
+ env_for_sssctl['SSSD_INTG_PEER_GID'] = "0"
+ env_for_sssctl['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
-def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
- passwd_ops_setup):
+ return env_for_sssctl
- passwd_ops_setup.useradd(**USER1)
- current_env = os.environ.copy()
- current_env['PAM_WRAPPER'] = "1"
- current_env['SSSD_INTG_PEER_UID'] = "0"
- current_env['SSSD_INTG_PEER_GID'] = "0"
- current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+def test_sc_auth_wrong_pin(simple_pam_cert_auth, env_for_sssctl):
sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
"--action=auth", "--service=pam_sss_service"],
universal_newlines=True,
- env=current_env, stdin=subprocess.PIPE,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
@@ -214,19 +259,120 @@ def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
"Authentication failure") != -1
-def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):
-
- passwd_ops_setup.useradd(**USER1)
- current_env = os.environ.copy()
- current_env['PAM_WRAPPER'] = "1"
- current_env['SSSD_INTG_PEER_UID'] = "0"
- current_env['SSSD_INTG_PEER_GID'] = "0"
- current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
"--action=auth", "--service=pam_sss_service"],
universal_newlines=True,
- env=current_env, stdin=subprocess.PIPE,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
+def test_require_sc_auth(simple_pam_cert_auth, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_sc_required"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
+def test_require_sc_auth_no_cert(simple_pam_cert_auth_no_cert, env_for_sssctl):
+
+ # We have to wait about 20s before the command returns because there will
+ # be 2 run since retry=1 in the PAM configuration and both
+ # p11_child_timeout and p11_wait_for_card_timeout are 5s in sssd.conf,
+ # so 2*(5+5)=20. */
+ start_time = time.time()
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_sc_required"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ end_time = time.time()
+ assert end_time > start_time and \
+ (end_time - start_time) >= 20 and \
+ (end_time - start_time) < 40
+ assert out.find("Please enter smart card\nPlease enter smart card") != -1
+ assert err.find("pam_authenticate for user [user1]: Authentication " +
+ "service cannot retrieve authentication info") != -1
+
+
+def test_try_sc_auth_no_map(simple_pam_cert_auth, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user2",
+ "--action=auth",
+ "--service=pam_sss_try_sc"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user2]: Authentication " +
+ "service cannot retrieve authentication info") != -1
+
+
+def test_try_sc_auth(simple_pam_cert_auth, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_try_sc"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
--
2.9.5

View File

@ -0,0 +1,407 @@
From 46fd681a73ffef062cd027e7018e1a02d7a0a9df Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 8 Oct 2018 10:45:28 +0200
Subject: [PATCH 65/83] p11_child: show PKCS#11 URI in debug output
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/p11_child/p11_child_nss.c | 240 ++++++++++++++++++++++++++++++++++++++
src/p11_child/p11_child_openssl.c | 80 +++++++++++++
2 files changed, 320 insertions(+)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index b2777d1..fff1f25 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -39,6 +39,7 @@
#include <pk11pub.h>
#include <prerror.h>
#include <ocsp.h>
+#include <pkcs11uri.h>
#include "util/child_common.h"
#include "providers/backend.h"
@@ -63,6 +64,239 @@ struct p11_ctx {
| certificateUsageStatusResponder \
| certificateUsageSSLCA )
+
+static char *get_pkcs11_string(TALLOC_CTX *mem_ctx, const char *in, size_t len)
+{
+ size_t c = len;
+
+ if (in == NULL || len == 0) {
+ return NULL;
+ }
+
+ while(c > 0 && in[c - 1] == ' ') {
+ c--;
+ }
+
+ return talloc_strndup(mem_ctx, in, c);
+}
+
+static char *pct_encode(TALLOC_CTX *mem_ctx, SECItem *data)
+{
+ char *pct;
+ size_t c;
+ int ret;
+
+ pct = talloc_zero_size(mem_ctx, sizeof(char) * (3*data->len + 1));
+ if (pct == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
+ return NULL;
+ }
+
+ for (c = 0; c < data->len; c++) {
+ ret = snprintf(pct + 3*c, 4, "%%%02X", data->data[c]);
+ if (ret != 3) {
+ DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n");
+ talloc_free(pct);
+ return NULL;
+ }
+ }
+
+ return pct;
+}
+
+static char *get_key_id_pct(TALLOC_CTX *mem_ctx, PK11SlotInfo *slot,
+ CERTCertificate *cert)
+{
+ SECItem *key_id = NULL;
+ char *key_id_str = NULL;
+
+ key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL);
+ if (key_id == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
+ return NULL;
+ }
+
+ key_id_str = pct_encode(mem_ctx, key_id);
+ SECITEM_FreeItem(key_id, PR_TRUE);
+ if (key_id_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "pct_encode failed.\n");
+ return NULL;
+ }
+
+ return key_id_str;
+}
+
+static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, SECMODModule *mod,
+ PK11SlotInfo *slot,
+ const char *label, CERTCertificate *cert)
+{
+ CK_INFO module_info;
+ CK_SLOT_INFO slot_info;
+ CK_TOKEN_INFO token_info;
+ char *values[13];
+ PK11URIAttribute attrs[13];
+ size_t nattrs = 0;
+ SECStatus rv;
+ char *tmp_str;
+ char *uri_str;
+ PK11URI *uri;
+ CK_SLOT_ID slot_id;
+ char *id_pct;
+
+ rv = PK11_GetModInfo(mod, &module_info);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetModInfo failed.\n");
+ return NULL;
+ }
+
+ rv = PK11_GetSlotInfo(slot, &slot_info);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetSlotInfo failed.\n");
+ return NULL;
+ }
+
+ rv = PK11_GetTokenInfo(slot, &token_info);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetTokenInfo failed.\n");
+ return NULL;
+ }
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)module_info.libraryDescription,
+ sizeof(module_info.libraryDescription));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_DESCRIPTION;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)module_info.manufacturerID,
+ sizeof(module_info.manufacturerID));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_MANUFACTURER;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = talloc_asprintf(mem_ctx, "%d.%d",
+ module_info.libraryVersion.major,
+ module_info.libraryVersion.minor);
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_VERSION;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)slot_info.slotDescription,
+ sizeof(slot_info.slotDescription));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_DESCRIPTION;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)slot_info.manufacturerID,
+ sizeof(slot_info.manufacturerID));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_MANUFACTURER;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ slot_id = PK11_GetSlotID(slot);
+ values[nattrs] = talloc_asprintf(mem_ctx, "%d", (int) slot_id);
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_ID;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx, (char *)token_info.model,
+ sizeof(token_info.model));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_MODEL;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)token_info.manufacturerID,
+ sizeof(token_info.manufacturerID));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_MANUFACTURER;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)token_info.serialNumber,
+ sizeof(token_info.serialNumber));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SERIAL;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx, (char *)token_info.label,
+ sizeof(token_info.label));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_TOKEN;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ if (label != NULL && *label != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_OBJECT;
+ attrs[nattrs].value = label;
+ nattrs++;
+ }
+
+ attrs[nattrs].name = PK11URI_PATTR_TYPE;
+ attrs[nattrs].value = "cert";
+ nattrs++;
+
+ uri = PK11URI_CreateURI(attrs, nattrs, NULL, 0);
+ if (uri == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11URI_CreateURI failed.\n");
+ return NULL;
+ }
+
+ tmp_str = PK11URI_FormatURI(NULL, uri);
+ PK11URI_DestroyURI(uri);
+ if (tmp_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11URI_FormatURI failed.\n");
+ return NULL;
+ }
+
+ /* Currently I have no idea how to get the ID properly formatted with the
+ * NSS PK11 calls. Since all attribute values are treated as strings zeros
+ * in the IDs cannot be handled. And the IDs cannot be set percent-encoded
+ * since all attribute values will be escaped which means the '%' sign
+ * will be escaped to '%25'. Hence for the time being the ID is added
+ * manually to the end of the URI. */
+ id_pct = get_key_id_pct(mem_ctx, slot, cert);
+ if (id_pct == NULL || *id_pct == '\0') {
+ DEBUG(SSSDBG_OP_FAILURE, "get_key_id_pct failed.\n");
+ PORT_Free(tmp_str);
+ return NULL;
+ }
+
+ uri_str = talloc_asprintf(mem_ctx, "%s;%s=%s", tmp_str,
+ PK11URI_PATTR_ID, id_pct);
+ talloc_free(id_pct);
+ if (uri_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ return NULL;
+ }
+
+ return uri_str;
+
+}
+
static char *password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg)
{
/* give up if 1) no password was supplied, or 2) the password has already
@@ -465,6 +699,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
cert_list_node->cert->nickname,
cert_list_node->cert->subjectName);
+ DEBUG(SSSDBG_TRACE_ALL, "module uri: %s.\n", PK11_GetModuleURI(module));
+ DEBUG(SSSDBG_TRACE_ALL, "token uri: %s.\n", PK11_GetTokenURI(slot));
+
if (p11_ctx->handle != NULL) {
if (!do_verification(p11_ctx, cert_list_node->cert)) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -651,6 +888,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
DEBUG(SSSDBG_TRACE_ALL, "Found certificate has key id [%s].\n",
key_id_str);
+ DEBUG(SSSDBG_TRACE_ALL, "uri: %s.\n", get_pkcs11_uri(mem_ctx, module,
+ slot, label,
+ found_cert));
multi = talloc_asprintf_append(multi, "%s\n%s\n%s\n%s\n%s\n",
token_name, module_name, key_id_str,
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index d4572d9..09edeef 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -29,6 +29,7 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include <p11-kit/p11-kit.h>
+#include <p11-kit/uri.h>
#include <popt.h>
@@ -43,6 +44,72 @@ struct p11_ctx {
bool wait_for_card;
};
+
+static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
+ CK_SLOT_INFO *slot_info, CK_SLOT_ID slot_id,
+ CK_TOKEN_INFO *token_info, CK_ATTRIBUTE *label,
+ CK_ATTRIBUTE *id)
+{
+ P11KitUri *uri;
+ char *uri_str = NULL;
+ char *tmp_str = NULL;
+ int ret;
+ CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
+ CK_ATTRIBUTE class_attr = {CKA_CLASS, &cert_class, sizeof(CK_OBJECT_CLASS)};
+
+ uri = p11_kit_uri_new();
+ if (uri == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_new failed.\n");
+ return NULL;
+ }
+
+ ret = p11_kit_uri_set_attribute(uri, label);
+ if (ret != P11_KIT_URI_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
+ goto done;
+ }
+
+ ret = p11_kit_uri_set_attribute(uri, id);
+ if (ret != P11_KIT_URI_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
+ goto done;
+ }
+
+ ret = p11_kit_uri_set_attribute(uri, &class_attr);
+ if (ret != P11_KIT_URI_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
+ goto done;
+ }
+
+
+ memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO));
+
+ memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
+ ret = p11_kit_uri_set_slot_id(uri, slot_id);
+
+ memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO));
+
+ ret = p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &tmp_str);
+ if (ret != P11_KIT_URI_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_format failed [%s].\n",
+ p11_kit_uri_message(ret));
+ goto done;
+ }
+
+ if (tmp_str != NULL) {
+ uri_str = talloc_strdup(mem_ctx, tmp_str);
+ free(tmp_str);
+ if (uri_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ }
+ }
+
+done:
+ p11_kit_uri_free(uri);
+
+ return uri_str;
+}
+
static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
{
CRYPTO_cleanup_all_ex_data();
@@ -234,6 +301,7 @@ struct cert_list {
X509 *cert;
char *subject_dn;
char *cert_b64;
+ char *uri;
CK_KEY_TYPE key_type;
CK_OBJECT_HANDLE private_key;
};
@@ -608,6 +676,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
CK_SLOT_ID slot_id;
CK_SLOT_INFO info;
CK_TOKEN_INFO token_info;
+ CK_INFO module_info;
CK_RV rv;
size_t module_id;
char *module_file_name = NULL;
@@ -821,6 +890,17 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
}
}
+ memset(&module_info, 0, sizeof(CK_INFO));
+ module->C_GetInfo(&module_info);
+
+ DLIST_FOR_EACH(item, cert_list) {
+ item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id,
+ &token_info,
+ &item->attributes[1] /* label */,
+ &item->attributes[0] /* id */);
+ DEBUG(SSSDBG_TRACE_ALL, "uri: %s.\n", item->uri);
+ }
+
/* TODO: check module_name_in, token_name_in, key_id_in */
if (cert_list == NULL) {
--
2.9.5

View File

@ -0,0 +1,238 @@
From f7b2152a4c3c816a5bc4226a0e01791313accef3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 8 Oct 2018 12:47:25 +0200
Subject: [PATCH 66/83] p11_child: add PKCS#11 uri to restrict selection
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/p11_child/p11_child.h | 2 +-
src/p11_child/p11_child_common.c | 9 +++--
src/p11_child/p11_child_nss.c | 2 +-
src/p11_child/p11_child_openssl.c | 81 +++++++++++++++++++++++++++++++++++++--
4 files changed, 86 insertions(+), 8 deletions(-)
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
index dd8fdea..92ecf74 100644
--- a/src/p11_child/p11_child.h
+++ b/src/p11_child/p11_child.h
@@ -54,5 +54,5 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64);
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
enum op_mode mode, const char *pin,
const char *module_name_in, const char *token_name_in,
- const char *key_id_in, char **_multi);
+ const char *key_id_in, const char *uri, char **_multi);
#endif /* __P11_CHILD_H__ */
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
index bc5f6b0..097e7fa 100644
--- a/src/p11_child/p11_child_common.c
+++ b/src/p11_child/p11_child_common.c
@@ -60,7 +60,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
bool wait_for_card,
const char *cert_b64, const char *pin,
const char *module_name, const char *token_name,
- const char *key_id, char **multi)
+ const char *key_id, const char *uri, char **multi)
{
int ret;
struct p11_ctx *p11_ctx;
@@ -90,7 +90,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
}
} else {
ret = do_card(mem_ctx, p11_ctx, mode, pin,
- module_name, token_name, key_id, multi);
+ module_name, token_name, key_id, uri, multi);
}
done:
@@ -159,6 +159,7 @@ int main(int argc, const char *argv[])
char *key_id = NULL;
char *cert_b64 = NULL;
bool wait_for_card = false;
+ char *uri = NULL;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -194,6 +195,8 @@ int main(int argc, const char *argv[])
_("Key ID for authentication"), NULL},
{"certificate", 0, POPT_ARG_STRING, &cert_b64, 0,
_("certificate to verify, base64 encoded"), NULL},
+ {"uri", 0, POPT_ARG_STRING, &uri, 0,
+ _("PKCS#11 URI to restrict selection"), NULL},
POPT_TABLEEND
};
@@ -367,7 +370,7 @@ int main(int argc, const char *argv[])
}
ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card,
- cert_b64, pin, module_name, token_name, key_id, &multi);
+ cert_b64, pin, module_name, token_name, key_id, uri, &multi);
if (ret != 0) {
DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
goto fail;
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index fff1f25..f9cbf3f 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -480,7 +480,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64)
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
enum op_mode mode, const char *pin,
const char *module_name_in, const char *token_name_in,
- const char *key_id_in, char **_multi)
+ const char *key_id_in, const char *uri, char **_multi)
{
int ret;
SECStatus rv;
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 09edeef..000e1c9 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -85,7 +85,7 @@ static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO));
memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
- ret = p11_kit_uri_set_slot_id(uri, slot_id);
+ p11_kit_uri_set_slot_id(uri, slot_id);
memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO));
@@ -662,7 +662,7 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
enum op_mode mode, const char *pin,
const char *module_name_in, const char *token_name_in,
- const char *key_id_in, char **_multi)
+ const char *key_id_in, const char *uri_str, char **_multi)
{
int ret;
size_t c;
@@ -674,6 +674,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
CK_ULONG num_slots;
CK_SLOT_ID slots[MAX_SLOTS];
CK_SLOT_ID slot_id;
+ CK_SLOT_ID uri_slot_id;
CK_SLOT_INFO info;
CK_TOKEN_INFO token_info;
CK_INFO module_info;
@@ -690,6 +691,19 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
char *multi = NULL;
bool pkcs11_session = false;
bool pkcs11_login = false;
+ P11KitUri *uri = NULL;
+
+ if (uri_str != NULL) {
+ uri = p11_kit_uri_new();
+ ret = p11_kit_uri_parse(uri_str, P11_KIT_URI_FOR_ANY, uri);
+ if (ret != P11_KIT_URI_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_parse failed [%d][%s].\n",
+ ret, p11_kit_uri_message(ret));
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
/* Maybe use P11_KIT_MODULE_TRUSTED ? */
modules = p11_kit_modules_load_and_initialize(0);
@@ -709,6 +723,23 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
free(mod_name);
free(mod_file_name);
+ if (uri != NULL) {
+ memset(&module_info, 0, sizeof(CK_INFO));
+ rv = modules[c]->C_GetInfo(&module_info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ /* Skip modules which do not match the PKCS#11 URI */
+ if (p11_kit_uri_match_module_info(uri, &module_info) != 1) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Not matching URI [%s], skipping.\n", uri_str);
+ continue;
+ }
+ }
+
num_slots = MAX_SLOTS;
rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots);
if (rv != CKR_OK) {
@@ -730,6 +761,37 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
info.slotDescription, info.manufacturerID, info.flags,
(info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
(info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+
+ /* Skip slots which do not match the PKCS#11 URI */
+ if (uri != NULL) {
+ uri_slot_id = p11_kit_uri_get_slot_id(uri);
+ if ((uri_slot_id != (CK_SLOT_ID)-1
+ && uri_slot_id != slots[s])
+ || p11_kit_uri_match_slot_info(uri, &info) != 1) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Not matching URI [%s], skipping.\n", uri_str);
+ continue;
+ }
+ }
+
+ if ((info.flags & CKF_TOKEN_PRESENT) && uri != NULL) {
+ rv = modules[c]->C_GetTokenInfo(slots[s], &token_info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n");
+ ret = EIO;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Token label [%s].\n",
+ token_info.label);
+
+ if (p11_kit_uri_match_token_info(uri, &token_info) != 1) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "No matching uri [%s], skipping.\n", uri_str);
+ continue;
+ }
+
+ }
+
if ((info.flags & CKF_REMOVABLE_DEVICE)) {
break;
}
@@ -788,6 +850,13 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
goto done;
}
+ if (uri != NULL && p11_kit_uri_match_token_info(uri, &token_info) != 1) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "No token matching uri [%s] found.",
+ uri_str);
+ ret = ENOENT;
+ goto done;
+ }
+
module_id = c;
slot_name = p11_kit_space_strdup(info.slotDescription,
sizeof(info.slotDescription));
@@ -891,7 +960,12 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
}
memset(&module_info, 0, sizeof(CK_INFO));
- module->C_GetInfo(&module_info);
+ rv = module->C_GetInfo(&module_info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n");
+ ret = EIO;
+ goto done;
+ }
DLIST_FOR_EACH(item, cert_list) {
item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id,
@@ -970,6 +1044,7 @@ done:
free(token_name);
free(module_file_name);
p11_kit_modules_finalize_and_release(modules);
+ p11_kit_uri_free(uri);
return ret;
}
--
2.9.5

View File

@ -0,0 +1,193 @@
From 725b65081d19da658b16338686c53dcf16d49de0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 10:47:04 +0200
Subject: [PATCH 67/83] PAM: add p11_uri option
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 33 +++++++++++++++++++++++++++++++++
src/responder/pam/pamsrv.h | 1 +
src/responder/pam/pamsrv_cmd.c | 12 +++++++++++-
src/responder/pam/pamsrv_p11.c | 9 ++++++++-
8 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 87904c2..741d4bc 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -133,6 +133,7 @@
#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
+#define CONFDB_PAM_P11_URI "p11_uri"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 4d1dba2..a20157c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -105,6 +105,7 @@ option_strings = {
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
+ 'p11_uri' : _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 50a8f1d..09a52df 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -128,6 +128,7 @@ option = p11_child_timeout
option = pam_app_services
option = pam_p11_allowed_services
option = p11_wait_for_card_timeout
+option = p11_uri
[rule/allowed_sudo_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index bb686c3..c6d6690 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -77,6 +77,7 @@ p11_child_timeout = int, None, false
pam_app_services = str, None, false
pam_p11_allowed_services = str, None, false
p11_wait_for_card_timeout = int, None, false
+p11_uri = str, None, false
[sudo]
# sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 4df0163..c8d53f0 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1478,6 +1478,39 @@ pam_p11_allowed_services = +my_pam_service, -login
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>p11_uri (string)</term>
+ <listitem>
+ <para>
+ PKCS#11 URI (see RFC-7512 for details) which can be
+ used to restrict the selection of devices used for
+ Smartcard authentication. By default SSSD's
+ p11_child will search for a PKCS#11 slot (reader)
+ where the 'removable' flags is set and read the
+ certificates from the inserted token from the first
+ slot found. If multiple readers are connected
+ p11_uri can be use to tell p11_child to use a
+ specific reader.
+ </para>
+ <para>
+ Example:
+ <programlisting>
+p11_uri = slot-description=My%20Smartcar%20Reader
+ </programlisting>
+ or
+ <programlisting>
+p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
+ </programlisting>
+ To find suitable URI please check the debug output
+ of p11_child. As an alternative the GnuTLS utility
+ 'p11tool' with e.g. the '--list-all' will show
+ PKCS#11 URIs as well.
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 5d87756..60aa979 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -103,6 +103,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
time_t timeout,
const char *verify_opts,
struct sss_certmap_ctx *sss_certmap_ctx,
+ const char *uri,
struct pam_data *pd);
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
struct cert_auth_info **cert_list);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 6e37f83..a22afd2 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1306,6 +1306,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
char *cert_verification_opts;
errno_t ret;
struct tevent_req *req;
+ char *uri = NULL;
ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
CONFDB_PAM_P11_CHILD_TIMEOUT,
@@ -1342,10 +1343,19 @@ static errno_t check_cert(TALLOC_CTX *mctx,
return ret;
}
+ ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_P11_URI, NULL, &uri);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read certificate_verification from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
pctx->nss_db, p11_child_timeout,
cert_verification_opts, pctx->sss_certmap_ctx,
- pd);
+ uri, pd);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
return ENOMEM;
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 8b8859d..491bd2b 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -711,6 +711,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
time_t timeout,
const char *verify_opts,
struct sss_certmap_ctx *sss_certmap_ctx,
+ const char *uri,
struct pam_data *pd)
{
errno_t ret;
@@ -721,7 +722,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
struct timeval tv;
int pipefd_to_child[2] = PIPE_INIT;
int pipefd_from_child[2] = PIPE_INIT;
- const char *extra_args[14] = { NULL };
+ const char *extra_args[16] = { NULL };
uint8_t *write_buf = NULL;
size_t write_buf_len = 0;
size_t arg_c;
@@ -748,6 +749,12 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
/* extra_args are added in revers order */
arg_c = 0;
+ if (uri != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Adding PKCS#11 URI [%s].\n", uri);
+ extra_args[arg_c++] = uri;
+ extra_args[arg_c++] = "--uri";
+ }
+
if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
extra_args[arg_c++] = "--wait_for_card";
}
--
2.9.5

View File

@ -0,0 +1,209 @@
From 4a22fb6bba6662ad628f6e17203e8ccf20eb9666 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 10:46:43 +0200
Subject: [PATCH 68/83] tests: add PKCS#11 URI tests
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/cmocka/test_pam_srv.c | 120 ++++++++++++++++++++++++++++++++++++++++
src/tests/test_CA/Makefile.am | 16 +++++-
2 files changed, 135 insertions(+), 1 deletion(-)
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 2b02ac2..7fc9224 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -65,6 +65,7 @@
#endif
#define TEST_TOKEN_NAME "SSSD Test Token"
+#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
#ifdef HAVE_NSS
#define TEST_MODULE_NAME "NSS-Internal"
@@ -961,6 +962,54 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
return EOK;
}
+static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
+ size_t blen, enum response_type type,
+ const char *name)
+{
+ size_t rp = 0;
+ uint32_t val;
+ size_t check2_len = 0;
+ char const *check2_strings[] = { NULL,
+ TEST_TOKEN2_NAME,
+ TEST_MODULE_NAME,
+ TEST2_KEY_ID,
+ TEST2_PROMPT,
+ NULL };
+
+ assert_int_equal(status, 0);
+
+ check2_strings[0] = name;
+ check2_len = check_string_array_len(check2_strings);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 2);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 9);
+
+ assert_int_equal(*(body + rp + val - 1), 0);
+ assert_string_equal(body + rp, TEST_DOM_NAME);
+ rp += val;
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, type);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, check2_len);
+
+ check_string_array(check2_strings, body, &rp);
+
+ assert_int_equal(rp, blen);
+
+ return EOK;
+}
+
static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
{
return test_pam_cert_check_ex(status, body, blen,
@@ -968,6 +1017,12 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
NULL);
}
+static int test_pam_cert2_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ return test_pam_cert2_token2_check_ex(status, body, blen, SSS_PAM_CERT_INFO,
+ "pamuser@"TEST_DOM_NAME);
+}
+
static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body,
size_t blen)
{
@@ -2476,6 +2531,65 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
assert_int_equal(ret, EOK);
}
+void test_pam_cert_preauth_uri_token1(void **state)
+{
+ int ret;
+
+ struct sss_test_conf_param pam_params[] = {
+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_preauth_uri_token2(void **state)
+{
+ int ret;
+
+ struct sss_test_conf_param pam_params[] = {
+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token%20Number%202" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0002, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert2_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
void test_filter_response(void **state)
{
@@ -2915,6 +3029,12 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
pam_test_setup, pam_test_teardown),
+#ifndef HAVE_NSS
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token1,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token2,
+ pam_test_setup, pam_test_teardown),
+#endif /* ! HAVE_NSS */
#endif /* HAVE_TEST_CA */
cmocka_unit_test_setup_teardown(test_filter_response,
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
index 1bce2c3..b574c76 100644
--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -24,7 +24,7 @@ pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
if HAVE_NSS
extra = p11_nssdb p11_nssdb_2certs
else
-extra = softhsm2_none softhsm2_one softhsm2_two
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens
endif
# If openssl is run in parallel there might be conflicts with the serial
@@ -114,6 +114,20 @@ softhsm2_two.conf:
@echo "objectstore.backend = file" >> $@
@echo "slots.removable = true" >> $@
+softhsm2_2tokens: softhsm2_2tokens.conf
+ mkdir $@
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token Number 2" --pin 654321 --so-pin 654321 --free
+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
+
+softhsm2_2tokens.conf:
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2tokens" > $@
+ @echo "objectstore.backend = file" >> $@
+ @echo "slots.removable = true" >> $@
+
CLEANFILES = \
index.txt index.txt.attr \
index.txt.attr.old index.txt.old \
--
2.9.5

View File

@ -0,0 +1,53 @@
From 7a2e56d061085c155a51253bd612255a4d24cb57 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Mon, 8 Oct 2018 12:47:40 +0200
Subject: [PATCH 69/83] test_config: Test for invalid characker in domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There was bug allowing forbidden characters in config file section name.
Bug has been fixed meantime but we decided to write the test to avoid
regeression.
Resolves:
https://pagure.io/SSSD/sssd/issue/3334
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/tests/cmocka/test_config_check.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/tests/cmocka/test_config_check.c b/src/tests/cmocka/test_config_check.c
index a2958de..61c7886 100644
--- a/src/tests/cmocka/test_config_check.c
+++ b/src/tests/cmocka/test_config_check.c
@@ -106,6 +106,17 @@ void config_check_test_bad_section_name(void **state)
config_check_test_common(cfg_str, 1, expected_errors);
}
+void config_check_test_bad_chars_in_section_name(void **state)
+{
+ char cfg_str[] = "[domain/LD@P]";
+ const char *expected_errors[] = {
+ "[rule/allowed_sections]: Section [domain/LD@P] is not allowed. "
+ "Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
void config_check_test_too_many_subdomains(void **state)
{
char cfg_str[] = "[domain/ad.test/b.test/c.test]";
@@ -264,6 +275,7 @@ int main(int argc, const char *argv[])
const struct CMUnitTest tests[] = {
cmocka_unit_test(config_check_test_bad_section_name),
+ cmocka_unit_test(config_check_test_bad_chars_in_section_name),
cmocka_unit_test(config_check_test_too_many_subdomains),
cmocka_unit_test(config_check_test_bad_sssd_option_name),
cmocka_unit_test(config_check_test_bad_pam_option_name),
--
2.9.5

View File

@ -0,0 +1,147 @@
From dbd717fe5b7d8dd640b6ade435b49edb3db5280a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 13:25:35 +0200
Subject: [PATCH 70/83] PAM: return short name for files provider users
If the 'allow_missing_name' option is used with pam_sss and the user
name will be determined based on the certificate content and the mapping
rules the PAM responder will by default return the fully-qualified name
of the user which is then later used by other PAM modules as well.
For local users which are configured to use SSSD for Smartcard
authentication this might cause issues in other PAM modules because they
are not aware of the fully-qualified name and will treat the user as
unknown.
With this patch the PAM responder will return the short name for all
users handled by the files provider.
Related to https://pagure.io/SSSD/sssd/issue/3848
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/pam/pamsrv.h | 3 ++-
src/responder/pam/pamsrv_cmd.c | 13 +++++++++----
src/responder/pam/pamsrv_p11.c | 32 +++++++++++++++++++++++++++++---
3 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 60aa979..3a927bb 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -108,7 +108,8 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
struct cert_auth_info **cert_list);
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
+ const char *sysdb_username,
struct cert_auth_info *cert_info,
enum response_type type);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a22afd2..553bf8f 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1645,7 +1645,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
preq->current_cert != NULL;
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
- ret = add_pam_cert_response(preq->pd, "",
+ ret = add_pam_cert_response(preq->pd,
+ preq->cctx->rctx->domains, "",
preq->current_cert,
preq->cctx->rctx->domains->user_name_hint
? SSS_PAM_CERT_INFO_WITH_HINT
@@ -1699,7 +1700,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
if (preq->cctx->rctx->domains->user_name_hint
&& preq->pd->cmd == SSS_PAM_PREAUTH) {
- ret = add_pam_cert_response(preq->pd, cert_user,
+ ret = add_pam_cert_response(preq->pd,
+ preq->cctx->rctx->domains, cert_user,
preq->cert_list,
SSS_PAM_CERT_INFO_WITH_HINT);
preq->pd->pam_status = PAM_SUCCESS;
@@ -1725,7 +1727,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
* SSS_PAM_CERT_INFO message to send the name to the caller. */
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
&& preq->pd->logon_name == NULL) {
- ret = add_pam_cert_response(preq->pd, cert_user,
+ ret = add_pam_cert_response(preq->pd,
+ preq->cctx->rctx->domains, cert_user,
preq->cert_list,
SSS_PAM_CERT_INFO);
if (ret != EOK) {
@@ -2117,7 +2120,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
"the backend.\n");
}
- ret = add_pam_cert_response(preq->pd, cert_user,
+ ret = add_pam_cert_response(preq->pd,
+ preq->cctx->rctx->domains,
+ cert_user,
preq->current_cert,
SSS_PAM_CERT_INFO);
if (ret != EOK) {
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 491bd2b..785b29c 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -1145,7 +1145,8 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
* used when running gdm-password. */
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
+ const char *sysdb_username,
struct cert_auth_info *cert_info,
enum response_type type)
{
@@ -1153,6 +1154,10 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
char *env = NULL;
size_t msg_len;
int ret;
+ char *short_name = NULL;
+ char *domain_name = NULL;
+ const char *cert_info_name = sysdb_username;
+
if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type);
@@ -1174,9 +1179,30 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
* Smartcard. If this type of name is irritating at the PIN prompt or the
* re_expression config option was set in a way that user@domain cannot be
* handled anymore some more logic has to be added here. But for the time
- * being I think using sysdb_username is fine. */
+ * being I think using sysdb_username is fine.
+ * As special case is the files provider which handles local users which
+ * by definition only have a short name. To avoid confusion by other
+ * modules on the PAM stack the short name is returned in this case. */
+
+ if (sysdb_username != NULL) {
+ ret = sss_parse_internal_fqname(pd, sysdb_username,
+ &short_name, &domain_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s, "
+ "using full name.\n",
+ sysdb_username, ret, sss_strerror(ret));
+ } else {
+ if (domain_name != NULL
+ && is_files_provider(find_domain_by_name(dom, domain_name,
+ false))) {
+ cert_info_name = short_name;
+ }
+ }
+ }
- ret = pack_cert_data(pd, sysdb_username, cert_info, &msg, &msg_len);
+ ret = pack_cert_data(pd, cert_info_name, cert_info, &msg, &msg_len);
+ talloc_free(short_name);
+ talloc_free(domain_name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "pack_cert_data failed.\n");
return ret;
--
2.9.5

View File

@ -0,0 +1,181 @@
From 941e67b0bbb780aadb6461b60b4e3554dfb893db Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 16 May 2018 10:23:49 +0200
Subject: [PATCH 71/83] TESTS: Add a test for whitespace trimming in netgroup
entries
This is a unit test for commit dbb1abae6eaa9df24f61e3a9f855e2461a66a197
Reviewed-by: Tomas Halman <thalman@redhat.com>
---
src/tests/sysdb-tests.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 130 insertions(+), 2 deletions(-)
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 933a07e..d3117cd 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -4388,6 +4388,125 @@ START_TEST (test_netgroup_base_dn)
}
END_TEST
+static errno_t netgr_triple_to_attrs(struct sysdb_attrs *attrs,
+ struct sysdb_netgroup_ctx *netgrent)
+{
+ int ret;
+ char *dummy;
+
+ dummy = talloc_asprintf(attrs, "(%s,%s,%s)",
+ netgrent->value.triple.hostname,
+ netgrent->value.triple.username,
+ netgrent->value.triple.domainname);
+ if (dummy == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_NETGROUP_TRIPLE, dummy);
+ talloc_zfree(dummy);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_add_string failed.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t store_netgr(struct sysdb_test_ctx *test_ctx,
+ const char *name,
+ struct sysdb_netgroup_ctx *netgrent)
+{
+ struct sysdb_attrs *attrs;
+ errno_t ret;
+
+ attrs = sysdb_new_attrs(test_ctx);
+ if (attrs == NULL) {
+ return ENOMEM;
+ }
+
+ ret = netgr_triple_to_attrs(attrs, netgrent);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n");
+ return ret;
+ }
+
+ ret = sysdb_add_netgroup(test_ctx->domain, name, NULL, attrs, NULL,
+ 0, 0);
+ talloc_zfree(attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static bool sysdb_netgr_ctx_cmp(struct sysdb_netgroup_ctx *a,
+ struct sysdb_netgroup_ctx *b)
+{
+ return a->type == b->type &&
+ strcmp(a->value.triple.username, b->value.triple.username) == 0 &&
+ strcmp(a->value.triple.hostname, b->value.triple.hostname) == 0 &&
+ strcmp(a->value.triple.domainname, b->value.triple.domainname) == 0;
+}
+
+START_TEST (test_sysdb_netgr_to_entries)
+{
+ errno_t ret;
+ bool bret;
+ struct sysdb_test_ctx *test_ctx;
+ struct sysdb_netgroup_ctx simple_netgroup = {
+ .type = SYSDB_NETGROUP_TRIPLE_VAL,
+ .value.triple.hostname = discard_const("host"),
+ .value.triple.username = discard_const("user"),
+ .value.triple.domainname = discard_const("domain"),
+ };
+ struct sysdb_netgroup_ctx ws_netgroup = {
+ .type = SYSDB_NETGROUP_TRIPLE_VAL,
+ .value.triple.hostname = discard_const(" host "),
+ .value.triple.username = discard_const(" user "),
+ .value.triple.domainname = discard_const(" domain "),
+ };
+ struct ldb_result *res;
+ struct sysdb_netgroup_ctx **entries;
+ size_t netgroup_count;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ ret = store_netgr(test_ctx, "simple_netgroup", &simple_netgroup);
+ fail_if(ret != EOK, "Could not store the netgr");
+
+ ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "simple_netgroup", &res);
+ fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]",
+ ret, strerror(ret));
+ fail_unless(res->count == 1, "Received [%d] responses",
+ res->count);
+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
+ ret, strerror(ret));
+ fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count);
+ bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup);
+ fail_unless(bret == true, "Netgroup triples do not match");
+
+ ret = store_netgr(test_ctx, "ws_netgroup", &ws_netgroup);
+ fail_if(ret != EOK, "Could not store the netgr");
+
+ ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "ws_netgroup", &res);
+ fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]",
+ ret, strerror(ret));
+ fail_unless(res->count == 1, "Received [%d] responses",
+ res->count);
+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
+ ret, strerror(ret));
+ fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count);
+ bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup);
+ fail_unless(bret == true, "Netgroup triples do not match");
+}
+END_TEST
+
START_TEST(test_odd_characters)
{
errno_t ret;
@@ -4404,6 +4523,8 @@ START_TEST(test_odd_characters)
const char *received_group;
static const char *user_attrs[] = SYSDB_PW_ATTRS;
static const char *netgr_attrs[] = SYSDB_NETGR_ATTRS;
+ struct sysdb_netgroup_ctx **entries;
+ size_t netgroup_count;
/* Setup */
ret = setup_sysdb_tests(&test_ctx);
@@ -4546,9 +4667,13 @@ START_TEST(test_odd_characters)
ret, strerror(ret));
fail_unless(res->count == 1, "Received [%d] responses",
res->count);
- talloc_zfree(res);
- /* ===== Arbitrary Entries ===== */
+ /* Parse */
+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
+ ret, strerror(ret));
+
+ talloc_zfree(res);
talloc_free(test_ctx);
}
@@ -7418,6 +7543,9 @@ Suite *create_sysdb_suite(void)
tcase_add_test(tc_sysdb, test_netgroup_base_dn);
+ /* Test splitting the netgroup triple */
+ tcase_add_test(tc_sysdb, test_sysdb_netgr_to_entries);
+
/* ===== SERVICE TESTS ===== */
/* Create a new service */
--
2.9.5

View File

@ -0,0 +1,57 @@
From 7b3794fbe5e4f0888d4faeba12e6c5268f8cca42 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 9 Oct 2018 12:12:44 +0200
Subject: [PATCH 73/83] FILES: The files provider should not enumerate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3849
For reason I cannot explain now, the files provider always enumerates.
There is commit a60e6ec which implements this, but it's clearly wrong,
because then the plain getent passwd output contains duplicates from
nss_files and nss_sss:
$ getent passwd | sort
adm:x:3:4:adm:/var/adm:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
certuser:x:10329:10330::/home/certuser:/bin/bash
certuser:x:10329:10330::/home/certuser:/bin/bash
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/confdb/confdb.c | 5 +----
1 files changed, 1 insertions(+), 4 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 2f3d900..fdc6122 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -875,7 +875,6 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
char *default_domain;
bool fqnames_default = false;
int memcache_timeout;
- bool enum_default;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) return ENOMEM;
@@ -1009,10 +1008,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
"Interpreting as true\n", domain->name);
domain->enumerate = true;
} else { /* assume the new format */
- enum_default = is_files_provider(domain);
-
ret = get_entry_as_bool(res->msgs[0], &domain->enumerate,
- CONFDB_DOMAIN_ENUMERATE, enum_default);
+ CONFDB_DOMAIN_ENUMERATE, 0);
if(ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Invalid value for %s\n", CONFDB_DOMAIN_ENUMERATE);

View File

@ -0,0 +1,489 @@
From 91c608d0eb48435b5b5d2f3631a4bb2a40b8d519 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 10 Oct 2018 15:37:16 +0200
Subject: [PATCH 74/83] p11_child: add OCSP check ot the OpenSSL version
Related to https://pagure.io/SSSD/sssd/issue/3489
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/sssd.conf.5.xml | 26 ++-
src/p11_child/p11_child_openssl.c | 346 ++++++++++++++++++++++++++++++++++++++
src/tests/cmocka/test_utils.c | 3 +
src/util/util.c | 2 +
4 files changed, 370 insertions(+), 7 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index c8d53f0..5e3ae48 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -479,8 +479,8 @@
be replaced with the URL of the OCSP
default responder e.g.
http://example.com:80/ocsp.</para>
- <para>This option must be used together
- with
+ <para>(NSS Version) This option must be
+ used together with
ocsp_default_responder_signing_cert.
</para>
</listitem>
@@ -489,17 +489,29 @@
<term>
ocsp_default_responder_signing_cert=NAME</term>
<listitem>
- <para>The nickname of the cert to trust
- (expected) to sign the OCSP responses.
- The certificate with the given nickname
- must be available in the systems NSS
- database.</para>
+ <para>(NSS Version) The nickname of the
+ cert to trust (expected) to sign the
+ OCSP responses. The certificate with
+ the given nickname must be available in
+ the systems NSS database.</para>
<para>This option must be used together
with ocsp_default_responder.</para>
+ <para>(OpenSSL version) This option is
+ currently ignored. All needed
+ certificates must be available in the
+ PEM file given by
+ pam_cert_db_path.</para>
</listitem>
</varlistentry>
</variablelist>
</para>
+ <para condition="with_nss">
+ This man page was generated for the NSS version.
+ </para>
+ <para condition="with_openssl">
+ This man page was generated for the OpenSSL
+ version.
+ </para>
<para>
Unknown options are reported but ignored.
</para>
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 000e1c9..d66a2f8 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -28,6 +28,7 @@
#include <openssl/x509.h>
#include <openssl/err.h>
#include <openssl/rand.h>
+#include <openssl/ocsp.h>
#include <p11-kit/p11-kit.h>
#include <p11-kit/uri.h>
@@ -42,8 +43,344 @@ struct p11_ctx {
X509_STORE *x509_store;
const char *ca_db;
bool wait_for_card;
+ struct cert_verify_opts *cert_verify_opts;
};
+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
+ const char *path,
+ OCSP_REQUEST *req, int req_timeout)
+{
+ int fd;
+ int rv;
+ OCSP_REQ_CTX *ctx = NULL;
+ OCSP_RESPONSE *rsp = NULL;
+ fd_set confds;
+ struct timeval tv;
+
+ if (req_timeout != -1) {
+ BIO_set_nbio(cbio, 1);
+ }
+
+ rv = BIO_do_connect(cbio);
+
+ if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error connecting BIO\n");
+ return NULL;
+ }
+
+ if (BIO_get_fd(cbio, &fd) < 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "Can't get connection fd\n");
+ goto err;
+ }
+
+ if (req_timeout != -1 && rv <= 0) {
+ FD_ZERO(&confds);
+ FD_SET(fd, &confds);
+ tv.tv_usec = 0;
+ tv.tv_sec = req_timeout;
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
+ if (rv == 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on connect\n");
+ return NULL;
+ }
+ }
+
+ ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ if (OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0) {
+ goto err;
+ }
+
+ if (!OCSP_REQ_CTX_set1_req(ctx, req)) {
+ goto err;
+ }
+
+ for (;;) {
+ rv = OCSP_sendreq_nbio(&rsp, ctx);
+ if (rv != -1)
+ break;
+ if (req_timeout == -1)
+ continue;
+ FD_ZERO(&confds);
+ FD_SET(fd, &confds);
+ tv.tv_usec = 0;
+ tv.tv_sec = req_timeout;
+ if (BIO_should_read(cbio)) {
+ rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
+ } else if (BIO_should_write(cbio)) {
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected retry condition\n");
+ goto err;
+ }
+ if (rv == 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on request\n");
+ break;
+ }
+ if (rv == -1) {
+ DEBUG(SSSDBG_OP_FAILURE, "Select error\n");
+ break;
+ }
+
+ }
+ err:
+ OCSP_REQ_CTX_free(ctx);
+
+ return rsp;
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define TLS_client_method SSLv23_client_method
+#define X509_STORE_get0_objects(store) (store->objs)
+#define X509_OBJECT_get_type(object) (object->type)
+#define X509_OBJECT_get0_X509(object) (object->data.x509)
+#endif
+
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
+ const char *host, const char *path,
+ const char *port, int use_ssl,
+ int req_timeout)
+{
+ BIO *cbio = NULL;
+ SSL_CTX *ctx = NULL;
+ OCSP_RESPONSE *resp = NULL;
+
+ cbio = BIO_new_connect(host);
+ if (cbio == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error creating connect BIO\n");
+ goto end;
+ }
+ if (port != NULL)
+ BIO_set_conn_port(cbio, port);
+ if (use_ssl == 1) {
+ BIO *sbio;
+ ctx = SSL_CTX_new(TLS_client_method());
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error creating SSL context.\n");
+ goto end;
+ }
+ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+ sbio = BIO_new_ssl(ctx, 1);
+ cbio = BIO_push(sbio, cbio);
+ }
+
+ resp = query_responder(cbio, host, path, req, req_timeout);
+ if (resp == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error querying OCSP responder\n");
+ }
+
+ end:
+ BIO_free_all(cbio);
+ SSL_CTX_free(ctx);
+ return resp;
+}
+
+static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
+{
+ OCSP_REQUEST *ocsp_req = NULL;
+ OCSP_RESPONSE *ocsp_resp = NULL;
+ OCSP_BASICRESP *ocsp_basic = NULL;
+ OCSP_CERTID *cid = NULL;
+ STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
+ char *url_str;
+ X509 *issuer = NULL;
+ int req_timeout = -1;
+ int status;
+ int ret = EIO;
+ int reason;
+ ASN1_GENERALIZEDTIME *revtime;
+ ASN1_GENERALIZEDTIME *thisupd;
+ ASN1_GENERALIZEDTIME *nextupd;
+ long grace_time = (5 * 60); /* Allow 5 minutes time difference when
+ * checking the validity of the OCSP response */
+ char *host = NULL;
+ char *path = NULL;
+ char *port = NULL;
+ int use_ssl;
+ X509_NAME *issuer_name = NULL;
+ X509_OBJECT *x509_obj;
+ STACK_OF(X509_OBJECT) *store_objects;
+
+ ocsp_urls = X509_get1_ocsp(cert);
+ if (ocsp_urls == NULL
+ && p11_ctx->cert_verify_opts->ocsp_default_responder == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No OCSP URL in certificate and no default responder defined, "
+ "skipping OCSP check.\n");
+ return EOK;
+ }
+
+ if (p11_ctx->cert_verify_opts->ocsp_default_responder != NULL) {
+ url_str = p11_ctx->cert_verify_opts->ocsp_default_responder;
+ } else {
+ if (sk_OPENSSL_STRING_num(ocsp_urls) > 1) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Found more than 1 OCSP URLs, just using the first.\n");
+ }
+
+ url_str = sk_OPENSSL_STRING_value(ocsp_urls, 0);
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Using OCSP URL [%s].\n", url_str);
+
+ ret = OCSP_parse_url(url_str, &host, &port, &path, &use_ssl);
+ if (ret != 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_parse_url failed to parse [%s].\n",
+ url_str);
+ ret = EIO;
+ goto done;
+ }
+
+ issuer_name = X509_get_issuer_name(cert);
+ if (issuer_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate has no issuer, "
+ "cannot run OCSP check.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ store_objects = X509_STORE_get0_objects(p11_ctx->x509_store);
+ if (store_objects == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No objects found in certificate store, OCSP failed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ x509_obj = X509_OBJECT_retrieve_by_subject(store_objects, X509_LU_X509,
+ issuer_name);
+ if (x509_obj == NULL || X509_OBJECT_get_type(x509_obj) != X509_LU_X509) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Issuer not found.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ issuer = X509_OBJECT_get0_X509(x509_obj);
+
+ ocsp_req = OCSP_REQUEST_new();
+ if (ocsp_req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_REQUEST_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
+ if (cid == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_cert_to_id failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ if (OCSP_request_add0_id(ocsp_req, cid) == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_request_add0_id failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ OCSP_request_add1_nonce(ocsp_req, NULL, -1);
+
+ ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl,
+ req_timeout);
+ if (ocsp_resp == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "process_responder failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ status = OCSP_response_status(ocsp_resp);
+ if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response error: [%d][%s].\n",
+ status, OCSP_response_status_str(status));
+ ret = EIO;
+ goto done;
+ }
+
+ ocsp_basic = OCSP_response_get1_basic(ocsp_resp);
+ if (ocsp_resp == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_response_get1_basic failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ switch (OCSP_check_nonce(ocsp_req, ocsp_basic)) {
+ case -1:
+ DEBUG(SSSDBG_CRIT_FAILURE, "No nonce in OCSP response. This might "
+ "indicate a replay attack or an OCSP responder which does not "
+ "support nonces. Accepting response.\n");
+ break;
+ case 0:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Nonce in OCSP response does not match the "
+ "one used in the request.\n");
+ ret = EIO;
+ goto done;
+ break;
+ case 1:
+ DEBUG(SSSDBG_TRACE_ALL, "Nonce in OCSP response is the same as the one "
+ "used in the request.\n");
+ break;
+ case 2:
+ case 3:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing nonce in OCSP request, this should"
+ "never happen.\n");
+ ret = EIO;
+ goto done;
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected result of OCSP_check_nonce.\n");
+ }
+
+ status = OCSP_basic_verify(ocsp_basic, NULL, p11_ctx->x509_store, 0);
+ if (status != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP_base_verify failed to verify OCSP "
+ "response.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = OCSP_resp_find_status(ocsp_basic, cid, &status, &reason,
+ &revtime, &thisupd, &nextupd);
+ if (ret != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response does not contain status of "
+ "our certificate.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ if (status != V_OCSP_CERTSTATUS_GOOD) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP check failed with [%d][%s].\n",
+ status, OCSP_cert_status_str(status));
+ if (status == V_OCSP_CERTSTATUS_REVOKED) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate is revoked [%d][%s].\n",
+ reason, OCSP_crl_reason_str(reason));
+ }
+ ret = EIO;
+ goto done;
+ }
+
+ if (OCSP_check_validity(thisupd, nextupd, grace_time, -1) != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response is not valid anymore.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "OCSP check was successful.\n");
+ ret = EOK;
+
+done:
+ OCSP_BASICRESP_free(ocsp_basic);
+ OCSP_RESPONSE_free(ocsp_resp);
+ OCSP_REQUEST_free(ocsp_req);
+
+ OPENSSL_free(host);
+ OPENSSL_free(port);
+ OPENSSL_free(path);
+ X509_email_free(ocsp_urls);
+
+ return ret;
+}
static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
CK_SLOT_INFO *slot_info, CK_SLOT_ID slot_id,
@@ -191,6 +528,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
}
p11_ctx->x509_store = store;
+ p11_ctx->cert_verify_opts = cert_verify_opts;
talloc_set_destructor(p11_ctx, talloc_free_x509_store);
ret = EOK;
@@ -262,6 +600,14 @@ bool do_verification(struct p11_ctx *p11_ctx, X509 *cert)
goto done;
}
+ if (p11_ctx->cert_verify_opts->do_ocsp) {
+ ret = do_ocsp(p11_ctx, cert);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "do_ocsp failed.\n");
+ goto done;
+ }
+ }
+
res = true;
done:
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index 1a8699a..c86e526 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1612,6 +1612,8 @@ static void test_parse_cert_verify_opts(void **state)
&cv_opts);
assert_int_equal(ret, EINVAL);
+/* Only NSS requires that both are set */
+#ifdef HAVE_NSS
ret = parse_cert_verify_opts(global_talloc_context,
"ocsp_default_responder=abc", &cv_opts);
assert_int_equal(ret, EINVAL);
@@ -1620,6 +1622,7 @@ static void test_parse_cert_verify_opts(void **state)
"ocsp_default_responder_signing_cert=def",
&cv_opts);
assert_int_equal(ret, EINVAL);
+#endif
ret = parse_cert_verify_opts(global_talloc_context,
"ocsp_default_responder=abc,"
diff --git a/src/util/util.c b/src/util/util.c
index 53dd9a1..7f475fa 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -1123,6 +1123,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
}
}
+#ifdef HAVE_NSS
if ((cert_verify_opts->ocsp_default_responder == NULL
&& cert_verify_opts->ocsp_default_responder_signing_cert != NULL)
|| (cert_verify_opts->ocsp_default_responder != NULL
@@ -1135,6 +1136,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
ret = EINVAL;
goto done;
}
+#endif
ret = EOK;
--
2.9.5

View File

@ -0,0 +1,279 @@
From 3c096c9ad6dad911d035cfdd802b5dda4710fc68 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 11 Oct 2018 17:35:24 +0200
Subject: [PATCH 75/83] p11_child: add crl_file option for the OpenSSL build
In the NSS build a Certificate Revocation List (CRL) can just be added
to the NSS database. For OpenSSL a separate file is needed.
Related to https://pagure.io/SSSD/sssd/issue/3489
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/sssd.conf.5.xml | 24 ++++++++++++++++++++++++
src/p11_child/p11_child_common.c | 12 ++++++------
src/p11_child/p11_child_openssl.c | 26 +++++++++++++++++++++++++-
src/tests/cmocka/test_utils.c | 16 ++++++++++++++++
src/util/util.c | 13 +++++++++++++
src/util/util.h | 1 +
6 files changed, 85 insertions(+), 7 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 5e3ae48..bea25c6 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -503,6 +503,30 @@
pam_cert_db_path.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>crl_file=/PATH/TO/CRL/FILE</term>
+ <listitem>
+ <para>(NSS Version) This option is
+ ignored, please see
+ <citerefentry>
+ <refentrytitle>crlutil</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </citerefentry>
+ how to import a Certificate Revocation
+ List (CRL) into a NSS database.</para>
+
+ <para>(OpenSSL Version) Use the
+ Certificate Revocation List (CRL) from
+ the given file during the verification
+ of the certificate. The CRL must be
+ given in PEM format, see
+ <citerefentry>
+ <refentrytitle>crl</refentrytitle>
+ <manvolnum>1ssl</manvolnum>
+ </citerefentry>
+ for details.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
<para condition="with_nss">
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
index 097e7fa..b992aeb 100644
--- a/src/p11_child/p11_child_common.c
+++ b/src/p11_child/p11_child_common.c
@@ -48,7 +48,7 @@ static const char *op_mode_str(enum op_mode mode)
return "pre-auth";
break;
case OP_VERIFIY:
- return "verifiy";
+ return "verify";
break;
default:
return "unknown";
@@ -219,7 +219,7 @@ int main(int argc, const char *argv[])
case 'a':
if (mode != OP_NONE) {
fprintf(stderr,
- "\n--verifiy, --auth and --pre are mutually " \
+ "\n--verify, --auth and --pre are mutually " \
"exclusive and should be only used once.\n\n");
poptPrintUsage(pc, stderr, 0);
_exit(-1);
@@ -229,7 +229,7 @@ int main(int argc, const char *argv[])
case 'p':
if (mode != OP_NONE) {
fprintf(stderr,
- "\n--verifiy, --auth and --pre are mutually " \
+ "\n--verify, --auth and --pre are mutually " \
"exclusive and should be only used once.\n\n");
poptPrintUsage(pc, stderr, 0);
_exit(-1);
@@ -239,7 +239,7 @@ int main(int argc, const char *argv[])
case 'v':
if (mode != OP_NONE) {
fprintf(stderr,
- "\n--verifiy, --auth and --pre are mutually " \
+ "\n--verify, --auth and --pre are mutually " \
"exclusive and should be only used once.\n\n");
poptPrintUsage(pc, stderr, 0);
_exit(-1);
@@ -283,7 +283,7 @@ int main(int argc, const char *argv[])
if (mode == OP_NONE) {
fprintf(stderr, "\nMissing operation mode, either " \
- "--verifiy, --auth or --pre must be specified.\n\n");
+ "--verify, --auth or --pre must be specified.\n\n");
poptPrintUsage(pc, stderr, 0);
_exit(-1);
} else if (mode == OP_AUTH && pin_mode == PIN_NONE) {
@@ -350,7 +350,7 @@ int main(int argc, const char *argv[])
ret = parse_cert_verify_opts(main_ctx, verify_opts, &cert_verify_opts);
if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verifiy option.\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verify option.\n");
goto fail;
}
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index d66a2f8..9defdfc 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -501,6 +501,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
X509_STORE *store = NULL;
unsigned long err;
X509_LOOKUP *lookup = NULL;
+ X509_VERIFY_PARAM *verify_param = NULL;
store = X509_STORE_new();
if (store == NULL) {
@@ -527,6 +528,30 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
goto done;
}
+ if (cert_verify_opts->crl_file != NULL) {
+ verify_param = X509_VERIFY_PARAM_new();
+ if (verify_param == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "X509_VERIFY_PARAM_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ X509_VERIFY_PARAM_set_flags(verify_param, (X509_V_FLAG_CRL_CHECK
+ | X509_V_FLAG_CRL_CHECK_ALL));
+
+ X509_STORE_set1_param(store, verify_param);
+
+ ret = X509_load_crl_file(lookup, cert_verify_opts->crl_file,
+ X509_FILETYPE_PEM);
+ if (ret == 0) {
+ err = ERR_get_error();
+ DEBUG(SSSDBG_OP_FAILURE, "X509_load_crl_file failed [%lu][%s].\n",
+ err, ERR_error_string(err, NULL));
+ ret = EIO;
+ goto done;
+ }
+ }
+
p11_ctx->x509_store = store;
p11_ctx->cert_verify_opts = cert_verify_opts;
talloc_set_destructor(p11_ctx, talloc_free_x509_store);
@@ -536,7 +561,6 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
done:
if (ret != EOK) {
X509_STORE_free(store);
- X509_LOOKUP_free(lookup);
}
return ret;
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index c86e526..cf1c2ae 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1567,6 +1567,7 @@ static void test_parse_cert_verify_opts(void **state)
assert_true(cv_opts->do_ocsp);
assert_null(cv_opts->ocsp_default_responder);
assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_null(cv_opts->crl_file);
talloc_free(cv_opts);
ret = parse_cert_verify_opts(global_talloc_context, "wedfkwefjk", &cv_opts);
@@ -1575,6 +1576,7 @@ static void test_parse_cert_verify_opts(void **state)
assert_true(cv_opts->do_ocsp);
assert_null(cv_opts->ocsp_default_responder);
assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_null(cv_opts->crl_file);
talloc_free(cv_opts);
ret = parse_cert_verify_opts(global_talloc_context, "no_ocsp", &cv_opts);
@@ -1583,6 +1585,7 @@ static void test_parse_cert_verify_opts(void **state)
assert_false(cv_opts->do_ocsp);
assert_null(cv_opts->ocsp_default_responder);
assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_null(cv_opts->crl_file);
talloc_free(cv_opts);
ret = parse_cert_verify_opts(global_talloc_context, "no_verification",
@@ -1592,6 +1595,7 @@ static void test_parse_cert_verify_opts(void **state)
assert_true(cv_opts->do_ocsp);
assert_null(cv_opts->ocsp_default_responder);
assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_null(cv_opts->crl_file);
talloc_free(cv_opts);
ret = parse_cert_verify_opts(global_talloc_context,
@@ -1601,6 +1605,7 @@ static void test_parse_cert_verify_opts(void **state)
assert_false(cv_opts->do_ocsp);
assert_null(cv_opts->ocsp_default_responder);
assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_null(cv_opts->crl_file);
talloc_free(cv_opts);
ret = parse_cert_verify_opts(global_talloc_context,
@@ -1633,6 +1638,17 @@ static void test_parse_cert_verify_opts(void **state)
assert_true(cv_opts->do_ocsp);
assert_string_equal(cv_opts->ocsp_default_responder, "abc");
assert_string_equal(cv_opts->ocsp_default_responder_signing_cert, "def");
+ assert_null(cv_opts->crl_file);
+ talloc_free(cv_opts);
+
+ ret = parse_cert_verify_opts(global_talloc_context, "crl_file=hij",
+ &cv_opts);
+ assert_int_equal(ret, EOK);
+ assert_true(cv_opts->do_verification);
+ assert_true(cv_opts->do_ocsp);
+ assert_null(cv_opts->ocsp_default_responder);
+ assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_string_equal(cv_opts->crl_file, "hij");
talloc_free(cv_opts);
}
diff --git a/src/util/util.c b/src/util/util.c
index 7f475fa..cbe6a28 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -1024,6 +1024,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
cert_verify_opts->do_verification = true;
cert_verify_opts->ocsp_default_responder = NULL;
cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
+ cert_verify_opts->crl_file = NULL;
return cert_verify_opts;
}
@@ -1035,6 +1036,8 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
"ocsp_default_responder_signing_cert="
#define OCSP_DEFAUL_RESPONDER_SIGNING_CERT_LEN \
(sizeof(OCSP_DEFAUL_RESPONDER_SIGNING_CERT) - 1)
+#define CRL_FILE "crl_file="
+#define CRL_FILE_LEN (sizeof(CRL_FILE) -1)
errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
struct cert_verify_opts **_cert_verify_opts)
@@ -1116,6 +1119,16 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
DEBUG(SSSDBG_TRACE_ALL,
"Using OCSP default responder signing cert nickname [%s]\n",
cert_verify_opts->ocsp_default_responder_signing_cert);
+ } else if (strncasecmp(opts[c], CRL_FILE, CRL_FILE_LEN) == 0) {
+ cert_verify_opts->crl_file = talloc_strdup(cert_verify_opts,
+ &opts[c][CRL_FILE_LEN]);
+ if (cert_verify_opts->crl_file == NULL
+ || *cert_verify_opts->crl_file == '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse crl_file option [%s].\n", opts[c]);
+ ret = EINVAL;
+ goto done;
+ }
} else {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unsupported certificate verification option [%s], " \
diff --git a/src/util/util.h b/src/util/util.h
index e3e9100..7e9b3d6 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -371,6 +371,7 @@ struct cert_verify_opts {
bool do_verification;
char *ocsp_default_responder;
char *ocsp_default_responder_signing_cert;
+ char *crl_file;
};
errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
--
2.9.5

View File

@ -0,0 +1,37 @@
From 7794caec36e7142423491d90aaade7e49b9df1c1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 12 Oct 2018 09:32:11 +0200
Subject: [PATCH 76/83] p11: Fix two instances of -Wmaybe-uninitialized in
p11_child_openssl.c
If uri_str was passed to the p11_child and parsing the URI failed, then
modules would be uninitialized, but freed in the done handler with
p11_kit_modules_finalize_and_release()
Also, another warning is suppressed by setting the 's' variable to zero.
While it cannot happen that the variable will be uninitialized, we
should help the compiler by setting a value explicitly.
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/p11_child/p11_child_openssl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 9defdfc..adfe272 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -1036,8 +1036,8 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
{
int ret;
size_t c;
- size_t s;
- CK_FUNCTION_LIST **modules;
+ size_t s = 0;
+ CK_FUNCTION_LIST **modules = NULL;
CK_FUNCTION_LIST *module = NULL;
char *mod_name;
char *mod_file_name;
--
2.9.5

View File

@ -0,0 +1,31 @@
From 250e82252b53991e2902b292cfa6029ab28a10fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 15 Oct 2018 12:46:35 +0200
Subject: [PATCH 77/83] sudo: use correct sbus interface
Internal dbus interfaces were renamed to shorter names in sbus2.
Resolves:
https://pagure.io/SSSD/sssd/issue/3854
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/sudo/sudosrv_dp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/sudo/sudosrv_dp.c b/src/responder/sudo/sudosrv_dp.c
index 2c6b26e..78dd296 100644
--- a/src/responder/sudo/sudosrv_dp.c
+++ b/src/responder/sudo/sudosrv_dp.c
@@ -66,7 +66,7 @@ sss_dp_get_sudoers_msg(TALLOC_CTX *mem_ctx,
msg = dbus_message_new_method_call(bus_name,
SSS_BUS_PATH,
- "org.freedesktop.sssd.dataprovider",
+ "sssd.dataprovider",
"sudoHandler");
if (msg == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
--
2.9.5

View File

@ -0,0 +1,40 @@
From 8fbaf224193b9ca8b82a290bd52265c2f9b40315 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 15 Oct 2018 13:01:34 +0200
Subject: [PATCH 78/83] sudo: fix error handling in sudosrv_refresh_rules_done
If sbus returns non-zero code then the output variables are not set and
therefore we access uninitialized memory.
Resolves:
https://pagure.io/SSSD/sssd/issue/3854
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/sudo/sudosrv_get_sudorules.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index 14bd824..76faef0 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -576,10 +576,15 @@ static void sudosrv_refresh_rules_done(struct tevent_req *subreq)
ret = sss_dp_get_sudoers_recv(state, subreq, &err_maj, &err_min, &err_msg);
talloc_zfree(subreq);
if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to refresh rules [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ } else if (err_maj != 0 || err_min != 0) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unable to get information from Data Provider, "
"Error: %u, %u, %s\n",
- (unsigned int)err_maj, (unsigned int)err_min, err_msg);
+ (unsigned int)err_maj, (unsigned int)err_min,
+ (err_msg == NULL ? "(null)" : err_msg));
goto done;
}
--
2.9.5

View File

@ -0,0 +1,64 @@
From c74b430ba95d99b245b6347328024e4b4815b35e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 15 Oct 2018 12:48:41 +0200
Subject: [PATCH 79/83] sbus: remove leftovers from previous implementation
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/data_provider/dp_iface.h | 8 +--
src/providers/data_provider_be.c | 2 +-
5 files changed, 5 insertions(+), 26 deletions(-)
diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
index 0b0855d..d1382cd 100644
--- a/src/providers/data_provider/dp_iface.h
+++ b/src/providers/data_provider/dp_iface.h
@@ -141,21 +141,21 @@ dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
uint32_t *_error,
const char **_err_msg);
-/* org.freedesktop.sssd.DataProvider.Client */
+/* sssd.DataProvider.Client */
errno_t
dp_client_register(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct data_provider *provider,
const char *name);
-/* org.freedesktop.sssd.DataProvider.Backend */
+/* sssd.DataProvider.Backend */
errno_t dp_backend_is_online(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct be_ctx *be_ctx,
const char *domname,
bool *_is_online);
-/* org.freedesktop.sssd.DataProvider.Failover */
+/* sssd.DataProvider.Failover */
errno_t
dp_failover_list_services(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
@@ -177,7 +177,7 @@ dp_failover_list_servers(TALLOC_CTX *mem_ctx,
const char *service_name,
const char ***_servers);
-/* org.freedesktop.sssd.DataProvider.AccessControl */
+/* sssd.DataProvider.AccessControl */
struct tevent_req *
dp_access_control_refresh_rules_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 6d2477e..7043e7a 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -48,7 +48,7 @@
#include "resolv/async_resolv.h"
#include "sss_iface/sss_iface_async.h"
-/* org.freedesktop.sssd.service */
+/* sssd.service */
static errno_t
data_provider_res_init(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
2.9.5

View File

@ -0,0 +1,44 @@
From 05ba237af582c1ca3780e5fe06ab3320494efe52 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat, 13 Oct 2018 16:22:13 +0000
Subject: [PATCH 80/83] CONFIGURE: Add minimal required version for p11-kit
There are few functions which were added in upstream p11-kit 0.23.3.
And there are compilation failures with older versions.
src/p11_child/p11_child_openssl.c: In function 'get_pkcs11_uri':
src/p11_child/p11_child_openssl.c:87:12: error: implicit declaration of function 'p11_kit_uri_get_slot_info' [-Werror=implicit-function-declaration]
memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
^
src/p11_child/p11_child_openssl.c:88:5: error: implicit declaration of function 'p11_kit_uri_set_slot_id' [-Werror=implicit-function-declaration]
p11_kit_uri_set_slot_id(uri, slot_id);
^
src/p11_child/p11_child_openssl.c: In function 'do_card':
src/p11_child/p11_child_openssl.c:767:35: error: implicit declaration of function 'p11_kit_uri_get_slot_id' [-Werror=implicit-function-declaration]
uri_slot_id = p11_kit_uri_get_slot_id(uri);
^
src/p11_child/p11_child_openssl.c:770:32: error: implicit declaration of function 'p11_kit_uri_match_slot_info' [-Werror=implicit-function-declaration]
|| p11_kit_uri_match_slot_info(uri, &info) != 1) {
^
Merges: https://pagure.io/SSSD/sssd/pull-request/3852
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/external/p11-kit.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/external/p11-kit.m4 b/src/external/p11-kit.m4
index a959f43..eb0474f 100644
--- a/src/external/p11-kit.m4
+++ b/src/external/p11-kit.m4
@@ -1,4 +1,4 @@
AC_SUBST(P11_KIT_CFLAGS)
AC_SUBST(P11_KIT_LIBS)
-PKG_CHECK_MODULES([P11_KIT], [p11-kit-1])
+PKG_CHECK_MODULES([P11_KIT], [p11-kit-1 >= 0.23.3])
--
2.9.5

View File

@ -0,0 +1,46 @@
From d143319bce8fc778df93fe7cd7ef4d03b7a3fc92 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat, 13 Oct 2018 16:24:56 +0000
Subject: [PATCH 81/83] SBUS: Silence warning maybe-uninitialized
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It should not happen because function sbus_interface_find_property
should return NULL for access different than SBUS_PROPERTY_READABLE
or SBUS_PROPERTY_WRITABLE. And thus we would return ERR_SBUS_UNKNOWN_PROPERTY
from the function sbus_request_property.
src/sbus/interface/sbus_properties.c: In function 'sbus_request_property.isra.0':
src/sbus/interface/sbus_properties.c:360:14:
error: 'type' may be used uninitialized in this function
[-Werror=maybe-uninitialized]
sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface_name, property_name, path);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Merges: https://pagure.io/SSSD/sssd/pull-request/3851
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sbus/interface/sbus_properties.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/sbus/interface/sbus_properties.c b/src/sbus/interface/sbus_properties.c
index bd15807..906e6db 100644
--- a/src/sbus/interface/sbus_properties.c
+++ b/src/sbus/interface/sbus_properties.c
@@ -355,6 +355,8 @@ sbus_request_property(TALLOC_CTX *mem_ctx,
case SBUS_PROPERTY_WRITABLE:
type = SBUS_REQUEST_PROPERTY_SET;
break;
+ default:
+ return EINVAL;
}
sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
--
2.9.5

View File

@ -0,0 +1,136 @@
From 46c483c09b85cecf8d1cc72618da993d8948c894 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 15 Oct 2018 20:05:09 +0200
Subject: [PATCH 82/83] files: add session recording flag
If session recording is configured for a group the NSS ans PAM
responder rely on a attribute in the cache set by the backend to
determine is session recording is configured for the user or not. This
flag is typically set during the initgroups request.
Since the files provider does not have a dedicated initgroups request
the attribute must be set otherwise. This patch sets is for all users
after the files are reloaded.
Related to https://pagure.io/SSSD/sssd/issue/3855
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/data_provider/dp_iface.h | 3 ++
src/providers/data_provider/dp_target_id.c | 62 ++++++++++++++++++++++++++++++
src/providers/files/files_ops.c | 7 ++++
3 files changed, 72 insertions(+)
diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
index d1382cd..8635ae0 100644
--- a/src/providers/data_provider/dp_iface.h
+++ b/src/providers/data_provider/dp_iface.h
@@ -188,4 +188,7 @@ errno_t
dp_access_control_refresh_rules_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req);
+
+errno_t
+dp_add_sr_attribute(struct be_ctx *be_ctx);
#endif /* DP_IFACE_H_ */
diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
index 265788b..748d886 100644
--- a/src/providers/data_provider/dp_target_id.c
+++ b/src/providers/data_provider/dp_target_id.c
@@ -328,6 +328,68 @@ done:
talloc_free(tmp_ctx);
}
+errno_t dp_add_sr_attribute(struct be_ctx *be_ctx)
+{
+ int ret;
+ struct dp_initgr_ctx *dp_initgr_ctx = NULL;
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct dp_id_data *data;
+ size_t msgs_count;
+ struct ldb_message **msgs = NULL;
+ const char *attrs[] = {SYSDB_NAME, NULL};
+ size_t c;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_users(tmp_ctx, be_ctx->domain, "("SYSDB_NAME "=*)", attrs,
+ &msgs_count, &msgs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_users failed.\n");
+ goto done;
+ }
+
+ data = talloc_zero(tmp_ctx, struct dp_id_data);
+ if (data == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ data->entry_type = BE_REQ_INITGROUPS;
+ data->filter_type = BE_FILTER_NAME;
+ data->filter_value = NULL;
+ data->extra_value = NULL;
+ data->domain = be_ctx->domain->name;
+
+ for (c = 0; c < msgs_count; c++) {
+ data->filter_value = ldb_msg_find_attr_as_string(msgs[c], SYSDB_NAME,
+ NULL);
+ if (data->filter_value == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cache object [%s] does not have a name, skipping.\n",
+ ldb_dn_get_linearized(msgs[c]->dn));
+ continue;
+ }
+
+ talloc_free(dp_initgr_ctx);
+ ret = dp_create_initgroups_ctx(tmp_ctx, be_ctx, data, &dp_initgr_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "dp_create_initgroups_ctx failed.\n");
+ goto done;
+ }
+
+ dp_req_initgr_pp_sr_overlay(be_ctx->provider, dp_initgr_ctx);
+ }
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain,
const char *name)
{
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
index f5a4029..74f77b5 100644
--- a/src/providers/files/files_ops.c
+++ b/src/providers/files/files_ops.c
@@ -26,6 +26,7 @@
#include "db/sysdb.h"
#include "util/inotify.h"
#include "util/util.h"
+#include "providers/data_provider/dp_iface.h"
/* When changing this constant, make sure to also adjust the files integration
* test for reallocation branch
@@ -771,6 +772,12 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
}
}
+ ret = dp_add_sr_attribute(id_ctx->be);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to add session recording attribute, ignored.\n");
+ }
+
ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
if (ret != EOK) {
goto done;
--
2.9.5

View File

@ -0,0 +1,43 @@
From fc29c3eb9750c5e7def4e1ab6eb18f4f5024f567 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 16 Oct 2018 10:42:43 +0200
Subject: [PATCH 83/83] UTIL: Suppress Coverity warning
We recently added this code:
if (domain_name != NULL
&& is_files_provider(find_domain_by_name(dom,
domain_name,
false)))
find_domain_by_name returns NULL if the domain_name can't be found. This
of course makes mostly sense for trusted domains that can appear and
disappear. And is_files_provider() didn't handle the situation where the
domain pointer was NULL and would directly dereference it.
This commit just adds a NULL check for the domain pointer so that
is_files_provider() returns 'false' if the domain pointer was NULL.
Another alternative might be to check the return value of
find_domain_by_name(), but I don't think it's worth the trouble.
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/util/domain_info_utils.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 8bef6c9..ffb8cdf 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -931,6 +931,7 @@ bool sss_domain_info_get_output_fqnames(struct sss_domain_info *domain)
bool is_files_provider(struct sss_domain_info *domain)
{
- return domain->provider != NULL &&
+ return domain != NULL &&
+ domain->provider != NULL &&
strcasecmp(domain->provider, "files") == 0;
}
--
2.9.5

View File

@ -0,0 +1,360 @@
From f62f3b290cb5393bf9c4a9c2c424fd5c5185fe44 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Wed, 3 Oct 2018 11:44:13 +0200
Subject: [PATCH 1/5] UTIL: move and rename sysdb_error_to_errno to utils
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The function sysdb_error_to_errno() is used by multiple component,
so we want to move it to shared place. Function is renamed to
sss_ldb_error_to_errno() and moved to util/util_errors.c.
Old name is still #defined in sysdb.h and points to new
name.
Also few places where ldb error code was handled manually
has been updated to use sss_ldb_error_to_errno.
Resolves:
https://pagure.io/SSSD/sssd/issue/3802
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/confdb/confdb.c | 6 ++---
src/confdb/confdb_setup.c | 6 ++---
src/db/sysdb.c | 25 ---------------------
src/db/sysdb.h | 6 ++---
.../common/cache_req/cache_req_sr_overlay.c | 4 ++--
src/responder/ifp/ifp_cache.c | 2 +-
src/tools/sss_override.c | 6 ++---
src/util/secrets/secrets.c | 26 +++++++---------------
src/util/util_errors.c | 25 +++++++++++++++++++++
src/util/util_errors.h | 3 +++
10 files changed, 51 insertions(+), 58 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index fdc6122..b0d886c 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -842,7 +842,7 @@ static int confdb_get_domain_section(TALLOC_CTX *mem_ctx,
ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn,
LDB_SCOPE_BASE, NULL, NULL);
if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
+ ret = sss_ldb_error_to_errno(ret);
goto done;
}
@@ -2076,7 +2076,7 @@ static int confdb_merge_parent_domain(const char *name,
ret = ldb_modify(cdb->ldb, replace_msg);
if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
+ ret = sss_ldb_error_to_errno(ret);
DEBUG(SSSDBG_OP_FAILURE,
"Inheriting options from parent domain failed [%d]: %s\n",
ret, sss_strerror(ret));
@@ -2131,7 +2131,7 @@ static int confdb_merge_parent_domain(const char *name,
*/
ret = sss_ldb_modify_permissive(cdb->ldb, app_msg);
if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
+ ret = sss_ldb_error_to_errno(ret);
DEBUG(SSSDBG_OP_FAILURE,
"Adding app-specific options failed [%d]: %s\n",
ret, sss_strerror(ret));
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
index 5e35589..c2b7f9f 100644
--- a/src/confdb/confdb_setup.c
+++ b/src/confdb/confdb_setup.c
@@ -96,7 +96,7 @@ static int confdb_purge(struct confdb_ctx *cdb)
ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn,
LDB_SCOPE_SUBTREE, attrs, NULL);
if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
+ ret = sss_ldb_error_to_errno(ret);
goto done;
}
@@ -104,7 +104,7 @@ static int confdb_purge(struct confdb_ctx *cdb)
/* Delete this DN */
ret = ldb_delete(cdb->ldb, res->msgs[i]->dn);
if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
+ ret = sss_ldb_error_to_errno(ret);
goto done;
}
}
@@ -313,7 +313,7 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
DEBUG(SSSDBG_FATAL_FAILURE,
"Failed to start a transaction for "
"updating the configuration\n");
- ret = sysdb_error_to_errno(ret);
+ ret = sss_ldb_error_to_errno(ret);
goto done;
}
in_transaction = true;
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 06d7f27..51acb86 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -871,31 +871,6 @@ char *sysdb_group_strdn(TALLOC_CTX *mem_ctx,
return build_dom_dn_str_escape(mem_ctx, SYSDB_TMPL_GROUP, domain, name);
}
-/* TODO: make a more complete and precise mapping */
-int sysdb_error_to_errno(int ldberr)
-{
- switch (ldberr) {
- case LDB_SUCCESS:
- return EOK;
- case LDB_ERR_OPERATIONS_ERROR:
- return EIO;
- case LDB_ERR_NO_SUCH_OBJECT:
- return ENOENT;
- case LDB_ERR_BUSY:
- return EBUSY;
- case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
- case LDB_ERR_ENTRY_ALREADY_EXISTS:
- return EEXIST;
- case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
- return EINVAL;
- default:
- DEBUG(SSSDBG_CRIT_FAILURE,
- "LDB returned unexpected error: [%s]\n",
- ldb_strerror(ldberr));
- return EFAULT;
- }
-}
-
/* =Transactions========================================================== */
int sysdb_transaction_start(struct sysdb_ctx *sysdb)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 2187947..f6e3160 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -454,9 +454,6 @@ errno_t sysdb_get_highest_usn(TALLOC_CTX *mem_ctx,
size_t num_attrs,
char **_usn);
-/* convert an ldb error into an errno error */
-int sysdb_error_to_errno(int ldberr);
-
/* DNs related helper functions */
errno_t sysdb_get_rdn(struct sysdb_ctx *sysdb, TALLOC_CTX *mem_ctx,
const char *dn, char **_name, char **_val);
@@ -1434,4 +1431,7 @@ errno_t sysdb_handle_original_uuid(const char *orig_name,
struct sysdb_attrs *dest_attrs,
const char *dest_name);
+/* define old name for backward compatibility */
+#define sysdb_error_to_errno(ldberr) sss_ldb_error_to_errno(ldberr)
+
#endif /* __SYS_DB_H__ */
diff --git a/src/responder/common/cache_req/cache_req_sr_overlay.c b/src/responder/common/cache_req/cache_req_sr_overlay.c
index 60da26f..b06a80a 100644
--- a/src/responder/common/cache_req/cache_req_sr_overlay.c
+++ b/src/responder/common/cache_req/cache_req_sr_overlay.c
@@ -192,7 +192,7 @@ static errno_t cache_req_sr_overlay_match_users(
}
lret = ldb_msg_add_string(msg, SYSDB_SESSION_RECORDING, enabled_str);
if (lret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(lret);
+ ret = sss_ldb_error_to_errno(lret);
CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
"Failed adding %s attribute: %s\n",
SYSDB_SESSION_RECORDING, sss_strerror(ret));
@@ -279,7 +279,7 @@ static void cache_req_sr_overlay_match_all_step_done(
}
lret = ldb_msg_add_string(msg, SYSDB_SESSION_RECORDING, enabled_copy);
if (lret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(lret);
+ ret = sss_ldb_error_to_errno(lret);
CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr,
"Failed adding %s attribute: %s\n",
SYSDB_SESSION_RECORDING, sss_strerror(ret));
diff --git a/src/responder/ifp/ifp_cache.c b/src/responder/ifp/ifp_cache.c
index 083f274..27681d0 100644
--- a/src/responder/ifp/ifp_cache.c
+++ b/src/responder/ifp/ifp_cache.c
@@ -119,7 +119,7 @@ ifp_cache_get_cached_objects(TALLOC_CTX *mem_ctx,
SYSDB_IFP_CACHED);
if (ldb_ret != LDB_SUCCESS) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to search the cache\n");
- ret = sysdb_error_to_errno(ldb_ret);
+ ret = sss_ldb_error_to_errno(ldb_ret);
goto done;
}
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index 21fe62d..a12aa27 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -936,7 +936,7 @@ static errno_t override_object_del(struct sss_domain_info *domain,
ret = ldb_msg_add_empty(msg, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE, NULL);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty() failed\n");
- ret = sysdb_error_to_errno(ret);
+ ret = sss_ldb_error_to_errno(ret);
goto done;
}
@@ -945,7 +945,7 @@ static errno_t override_object_del(struct sss_domain_info *domain,
DEBUG(SSSDBG_OP_FAILURE,
"ldb_modify() failed: [%s](%d)[%s]\n",
ldb_strerror(ret), ret, ldb_errstring(ldb));
- ret = sysdb_error_to_errno(ret);
+ ret = sss_ldb_error_to_errno(ret);
goto done;
}
@@ -1025,7 +1025,7 @@ static errno_t append_name(struct sss_domain_info *domain,
ret = ldb_msg_add_string(override, ORIGNAME, fqname);
if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
+ ret = sss_ldb_error_to_errno(ret);
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add attribute to msg\n");
goto done;
}
diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
index ca3e657..6a317a0 100644
--- a/src/util/secrets/secrets.c
+++ b/src/util/secrets/secrets.c
@@ -417,17 +417,16 @@ static int local_db_create(struct sss_sec_req *req)
}
ret = ldb_add(req->sctx->ldb, msg);
- if (ret != EOK) {
+ if (ret != LDB_SUCCESS) {
if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
DEBUG(SSSDBG_OP_FAILURE,
"Secret %s already exists\n", ldb_dn_get_linearized(msg->dn));
- ret = EEXIST;
} else {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to add secret [%s]: [%d]: %s\n",
ldb_dn_get_linearized(msg->dn), ret, ldb_strerror(ret));
- ret = EIO;
}
+ ret = sss_ldb_error_to_errno (ret);
goto done;
}
@@ -1109,17 +1108,16 @@ errno_t sss_sec_put(struct sss_sec_req *req,
}
ret = ldb_add(req->sctx->ldb, msg);
- if (ret != EOK) {
+ if (ret != LDB_SUCCESS) {
if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
DEBUG(SSSDBG_OP_FAILURE,
"Secret %s already exists\n", ldb_dn_get_linearized(msg->dn));
- ret = EEXIST;
} else {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to add secret [%s]: [%d]: %s\n",
ldb_dn_get_linearized(msg->dn), ret, ldb_strerror(ret));
- ret = EIO;
}
+ ret = sss_ldb_error_to_errno (ret);
goto done;
}
@@ -1210,13 +1208,13 @@ errno_t sss_sec_update(struct sss_sec_req *req,
ret = ldb_modify(req->sctx->ldb, msg);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(SSSDBG_MINOR_FAILURE, "No such object to modify\n");
- ret = ENOENT;
+ ret = sss_ldb_error_to_errno (ret);
goto done;
} else if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_MINOR_FAILURE,
"ldb_modify failed: [%s](%d)[%s]\n",
ldb_strerror(ret), ret, ldb_errstring(req->sctx->ldb));
- ret = EIO;
+ ret = sss_ldb_error_to_errno (ret);
goto done;
}
@@ -1282,20 +1280,12 @@ errno_t sss_sec_delete(struct sss_sec_req *req)
/* fall through */
}
- switch (ret) {
- case LDB_SUCCESS:
- ret = EOK;
- break;
- case LDB_ERR_NO_SUCH_OBJECT:
- ret = ENOENT;
- break;
- default:
+ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(SSSDBG_CRIT_FAILURE,
"LDB returned unexpected error: [%s]\n",
ldb_strerror(ret));
- ret = EFAULT;
- break;
}
+ ret = sss_ldb_error_to_errno (ret);
done:
talloc_free(tmp_ctx);
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 5f8a2a2..d3f5e89 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -19,6 +19,7 @@
*/
#include "util/util.h"
+#include <ldb.h>
struct err_string {
const char *msg;
@@ -146,3 +147,27 @@ const char *sss_strerror(errno_t error)
return strerror(error);
}
+/* TODO: make a more complete and precise mapping */
+errno_t sss_ldb_error_to_errno(int ldberr)
+{
+ switch (ldberr) {
+ case LDB_SUCCESS:
+ return EOK;
+ case LDB_ERR_OPERATIONS_ERROR:
+ return EIO;
+ case LDB_ERR_NO_SUCH_OBJECT:
+ return ENOENT;
+ case LDB_ERR_BUSY:
+ return EBUSY;
+ case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
+ case LDB_ERR_ENTRY_ALREADY_EXISTS:
+ return EEXIST;
+ case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
+ return EINVAL;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "LDB returned unexpected error: [%i]\n",
+ ldberr);
+ return EFAULT;
+ }
+}
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index c6731d4..a799bba 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -178,4 +178,7 @@ enum sssd_errors {
*/
const char *sss_strerror(errno_t error);
+/* return ldb error converted to an errno */
+errno_t sss_ldb_error_to_errno(int ldberr);
+
#endif /* __SSSD_UTIL_ERRORS_H__ */
--
2.9.5

View File

@ -0,0 +1,121 @@
From f0603645f5ea5f707875807b4f815400f4b79e41 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 24 Oct 2018 09:41:44 +0200
Subject: [PATCH 5/5] PYSSS: Re-add the pysss.getgrouplist() interface
Related:
https://pagure.io/SSSD/sssd/issue/3493
Commit 0e211b8ba30c3adcdeef21ca1339b194cbfffb04 was supposed to remove
only the parts of the pysss API that relate to the local domain. But it
removed also the getgrouplist() method by accident. This method is very
important to IPA, so we need to add it back.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/python/pysss.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 83 insertions(+)
diff --git a/src/python/pysss.c b/src/python/pysss.c
index e92653a..78b8de0 100644
--- a/src/python/pysss.c
+++ b/src/python/pysss.c
@@ -215,12 +215,95 @@ static PyTypeObject pysss_password_type = {
.tp_doc = sss_py_const_p(char, "SSS password obfuscation"),
};
+/*
+ * Get list of groups user belongs to
+ */
+PyDoc_STRVAR(py_sss_getgrouplist__doc__,
+ "Get list of groups user belongs to.\n\n"
+ "NOTE: The interface uses the system NSS calls and is not limited to "
+ "users served by the SSSD!\n"
+ ":param username: name of user to get list for\n");
+
+static PyObject *py_sss_getgrouplist(PyObject *self, PyObject *args)
+{
+ char *username = NULL;
+ gid_t *groups = NULL;
+ struct passwd *pw;
+ struct group *gr;
+ int ngroups;
+ int ret;
+ Py_ssize_t i, idx;
+ PyObject *groups_tuple;
+
+ if(!PyArg_ParseTuple(args, discard_const_p(char, "s"), &username)) {
+ goto fail;
+ }
+
+ pw = getpwnam(username);
+ if (pw == NULL) {
+ goto fail;
+ }
+
+ ngroups = 32;
+ groups = malloc(sizeof(gid_t) * ngroups);
+ if (groups == NULL) {
+ goto fail;
+ }
+
+ do {
+ ret = getgrouplist(username, pw->pw_gid, groups, &ngroups);
+ if (ret < ngroups) {
+ gid_t *tmp_groups = realloc(groups, ngroups * sizeof(gid_t));
+ if (tmp_groups == NULL) {
+ goto fail;
+ }
+ groups = tmp_groups;
+ }
+ } while (ret != ngroups);
+
+ groups_tuple = PyTuple_New((Py_ssize_t) ngroups);
+ if (groups_tuple == NULL) {
+ goto fail;
+ }
+
+ /* Populate a tuple with names of groups
+ * In unlikely case of group not being able to resolve, skip it
+ * We also need to resize resulting tuple to avoid empty elements there */
+ idx = 0;
+ for (i = 0; i < ngroups; i++) {
+ gr = getgrgid(groups[i]);
+ if (gr) {
+ PyTuple_SetItem(groups_tuple, idx,
+#ifdef IS_PY3K
+ PyUnicode_FromString(gr->gr_name)
+#else
+ PyString_FromString(gr->gr_name)
+#endif
+ );
+ idx++;
+ }
+ }
+ free(groups);
+ groups = NULL;
+
+ if (i != idx) {
+ _PyTuple_Resize(&groups_tuple, idx);
+ }
+
+ return groups_tuple;
+
+fail:
+ free(groups);
+ return NULL;
+}
+
/* ==================== the sss module initialization =======================*/
/*
* Module methods
*/
static PyMethodDef module_methods[] = {
+ {"getgrouplist", py_sss_getgrouplist, METH_VARARGS, py_sss_getgrouplist__doc__},
{NULL, NULL, 0, NULL} /* Sentinel */
};
--
2.9.5

View File

@ -1,39 +0,0 @@
From 232305dd10b81955a3ee9dfc6d56c2d76ad5706f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@fedoraproject.org>
Date: Fri, 3 Nov 2017 16:18:14 +0100
Subject: [PATCH] Disable stopping idle socket activated responders
---
src/confdb/confdb.h | 2 +-
src/man/sssd.conf.5.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 1471949623e9dd7a8536e3ac3048a10227a5d857..e30e77bf50b7312b3f660241c92a1b3c03e88259 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -85,7 +85,7 @@
/* Responders */
#define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
#define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
-#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
+#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 0
#define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
#define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
#define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 6be3cd47463ec054276a0b6b2be7ec03eef1f0be..d362ba71cfbeb6271fc87abd9743ca7a77f9f3ec 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -706,7 +706,7 @@
or dbus activated.
</para>
<para>
- Default: 300
+ Default: 0
</para>
</listitem>
</varlistentry>
--
2.14.3

View File

@ -1,25 +0,0 @@
From 7459b3326e99e5d2e6ea924100705ef56525cb96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 13 Aug 2018 19:34:47 +0200
Subject: [PATCH] sbus_generate: python -> platform-python
---
sbus_generate.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sbus_generate.sh b/sbus_generate.sh
index 338fd9d33..1eefa4cb5 100755
--- a/sbus_generate.sh
+++ b/sbus_generate.sh
@@ -13,7 +13,7 @@ generate() {
echo "Generating sbus code for: $XML"
- python $CODEGEN --sbus sbus --util util \
+ python3 $CODEGEN --sbus sbus --util util \
--headers "$HEADERS" \
--dest "$SRCDIR/src/$DEST" \
--fileprefix "sbus_${PREFIX}_" \
--
2.17.1

110
sssd.spec
View File

@ -36,7 +36,7 @@
Name: sssd
Version: 2.0.0
Release: 3%{?dist}
Release: 4%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -48,11 +48,74 @@ Patch0001: 0001-BUILD-Fix-issue-with-installation-of-libsss_secrets.patch
Patch0002: 0002-BUILD-Add-missing-deps-to-libsss_sbus-.so.patch
Patch0003: 0003-BUILD-Reduce-compilation-of-unnecessary-files.patch
Patch0004: 0004-KCM-Don-t-error-out-if-creating-a-new-ID-as-the-firs.patch
Patch0005: 0005-sbus-register-filter-on-new-connection.patch
Patch0006: 0006-sbus-fix-typo.patch
Patch0007: 0007-sbus-check-for-null-message-in-sbus_message_bound.patch
Patch0008: 0008-sbus-replace-sbus_message_bound_ref-with-sbus_messag.patch
Patch0009: 0009-sbus-add-unit-tests-for-public-sbus_message-module.patch
Patch0010: 0010-SELINUX-Always-add-SELinux-user-to-the-semanage-data.patch
Patch0011: 0011-intg-flush-the-SSSD-caches-to-sync-with-files.patch
Patch0012: 0012-sbus-dectect-python-binary-for-sbus_generate.sh.patch
Patch0013: 0013-sudo-respect-case-sensitivity-in-sudo-responder.patch
Patch0014: 0014-GPO-Add-gpo_implicit_deny-option.patch
Patch0015: 0015-Skip-local-domain-if-not-supported.patch
Patch0016: 0016-sysdb-extract-sysdb_ldb_msg_attr_to_certmap_info-cal.patch
Patch0017: 0017-sysdb_ldb_msg_attr_to_certmap_info-set-SSS_CERTMAP_M.patch
Patch0018: 0018-sysdb-add-attr_map-attribute-to-sysdb_ldb_msg_attr_t.patch
Patch0019: 0019-confdb-add-confdb_certmap_to_sysdb.patch
Patch0020: 0020-AD-LDAP-read-certificate-mapping-rules-from-config-f.patch
Patch0021: 0021-sysdb-sysdb_certmap_add-handle-domains-more-flexible.patch
Patch0022: 0022-confdb-add-special-handling-for-rules-for-the-files-.patch
Patch0023: 0023-files-add-support-for-Smartcard-authentication.patch
Patch0024: 0024-responder-make-sure-SSS_DP_CERT-is-passed-to-files-p.patch
Patch0025: 0025-PAM-add-certificate-matching-rules-from-all-domains.patch
Patch0026: 0026-doc-add-certificate-mapping-section-to-man-page.patch
Patch0027: 0027-intg-user-default-locale.patch
Patch0028: 0028-PAM-use-better-PAM-error-code-for-failed-Smartcard-a.patch
Patch0029: 0029-test_ca-test-library-only-for-readable.patch
Patch0030: 0030-test_ca-set-a-password-PIN-to-nss-databases.patch
Patch0031: 0031-getsockopt_wrapper-add-support-for-PAM-clients.patch
Patch0032: 0032-intg-add-Smartcard-authentication-tests.patch
Patch0033: 0033-proxy-access-provider-directly-not-through-be_ctx.patch
Patch0034: 0034-dp-set-be_ctx-provider-as-part-of-dp_init-request.patch
Patch0035: 0035-sbus-read-destination-after-sender-is-set.patch
Patch0036: 0036-sbus-do-not-try-to-remove-signal-listeners-when-disc.patch
Patch0037: 0037-sbus-free-watch_fd-fdevent-explicitly.patch
Patch0038: 0038-doc-remove-local-provider-reference-from-manpages.patch
Patch0039: 0039-confdb-log-an-error-when-domain-is-misconfigured.patch
Patch0040: 0040-be-use-be_is_offline-for-the-main-domain-when-asking.patch
Patch0041: 0041-p11-handle-multiple-certs-during-auth-with-OpenSSL.patch
Patch0042: 0042-doc-Add-nsswitch.conf-note-to-manpage.patch
Patch0043: 0043-MAN-Fix-typo-in-ad_gpo_implicit_deny-default-value.patch
Patch0044: 0044-p11_child-add-wait_for_card-option.patch
Patch0045: 0045-PAM-add-p11_wait_for_card_timeout-option.patch
Patch0046: 0046-pam_sss-make-flags-public.patch
Patch0047: 0047-pam_sss-add-try_cert_auth-option.patch
Patch0048: 0048-pam_sss-add-option-require_cert_auth.patch
Patch0049: 0049-intg-require-SC-tests.patch
Patch0050: 0050-p11_child-show-PKCS-11-URI-in-debug-output.patch
Patch0051: 0051-p11_child-add-PKCS-11-uri-to-restrict-selection.patch
Patch0052: 0052-PAM-add-p11_uri-option.patch
Patch0053: 0053-tests-add-PKCS-11-URI-tests.patch
Patch0054: 0054-test_config-Test-for-invalid-characker-in-domain.patch
Patch0055: 0055-PAM-return-short-name-for-files-provider-users.patch
Patch0056: 0056-TESTS-Add-a-test-for-whitespace-trimming-in-netgroup.patch
Patch0057: 0057-FILES-The-files-provider-should-not-enumerate.patch
Patch0058: 0058-p11_child-add-OCSP-check-ot-the-OpenSSL-version.patch
Patch0059: 0059-p11_child-add-crl_file-option-for-the-OpenSSL-build.patch
Patch0060: 0060-p11-Fix-two-instances-of-Wmaybe-uninitialized-in-p11.patch
Patch0061: 0061-sudo-use-correct-sbus-interface.patch
Patch0062: 0062-sudo-fix-error-handling-in-sudosrv_refresh_rules_don.patch
Patch0063: 0063-sbus-remove-leftovers-from-previous-implementation.patch
Patch0064: 0064-CONFIGURE-Add-minimal-required-version-for-p11-kit.patch
Patch0065: 0065-SBUS-Silence-warning-maybe-uninitialized.patch
Patch0066: 0066-files-add-session-recording-flag.patch
Patch0067: 0067-UTIL-Suppress-Coverity-warning.patch
Patch0068: 0068-UTIL-move-and-rename-sysdb_error_to_errno-to-utils.patch
Patch0069: 0069-PYSSS-Re-add-the-pysss.getgrouplist-interface.patch
### Downstream only patches ###
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
Patch0504: 0504-sbus_generate-python-platform-python.patch
### Dependencies ###
@ -1215,8 +1278,47 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-4
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
differs from the default
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
might not be available on all distributions
- Resolves: upstream#3820 - sudo: search with lower cased name for case
insensitive domains
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
an allow-any default to a deny-any default when it
can't find any GPOs to apply to a user login.
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
startup
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
also for local account authentication
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
commands in man pages since local provider is
deprecated
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
started due to a misconfiguration
- Resolves: upstream#3830 - Printing incorrect information about domain with
sssctl utility
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
changes in nsswitch.conf
- Resovles: upstream#3650 - RFE: Require smartcard authentication
- Resolves: upstream#3334 - sssctl config-check does not check any special
characters in domain name of domain section
- Resolves: upstream#3849 - Files: The files provider always enumerates
which causes duplicate when running getent passwd
- Related: upstream#3855 - session not recording for local user when groups
defined
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
- Related: upstream#3493 - Remove the pysss.local interface
* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-3
- Resolves: rhbz#1622760 - Console login as FreeIPA domain user fails in current Fedora Rawhide / 29
- Resolves: rhbz#1622760 - Console login as FreeIPA domain user fails in
current Fedora Rawhide / 29
* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-2
- Fix linking issues