Backport a bunch of upstream fixes
- Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface
This commit is contained in:
parent
129efc7839
commit
c0971b7e39
48
0005-sbus-register-filter-on-new-connection.patch
Normal file
48
0005-sbus-register-filter-on-new-connection.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From 55d5b43543b5ef62322fe635fe8108410cb4ea77 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 5 Sep 2018 15:08:52 +0200
|
||||
Subject: [PATCH 08/83] sbus: register filter on new connection
|
||||
|
||||
The filter is not again registered on new connection when the old connection
|
||||
was lost. This caused a segfault when the router is destroyed during shutdown.
|
||||
|
||||
It also would not allow to recieve and process any messages as the filter
|
||||
function is needed for that. However, this was not very visible with
|
||||
current sssd architecture.
|
||||
|
||||
Steps to reproduce:
|
||||
1. Run SSSD
|
||||
2. pkill sssd_be
|
||||
3. Wait for responders to reconnect to backend
|
||||
4. Shutdown SSSD
|
||||
5. It will crash without this patch
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3821
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/sbus/router/sbus_router.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/sbus/router/sbus_router.c b/src/sbus/router/sbus_router.c
|
||||
index 24c2c76..d31cef1 100644
|
||||
--- a/src/sbus/router/sbus_router.c
|
||||
+++ b/src/sbus/router/sbus_router.c
|
||||
@@ -364,6 +364,13 @@ errno_t
|
||||
sbus_router_reset(struct sbus_connection *conn)
|
||||
{
|
||||
errno_t ret;
|
||||
+ bool bret;
|
||||
+
|
||||
+ bret = sbus_router_filter_add(conn->router);
|
||||
+ if (!bret) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register message filter!\n");
|
||||
+ return EFAULT;
|
||||
+ }
|
||||
|
||||
ret = sbus_router_reset_listeners(conn);
|
||||
if (ret != EOK) {
|
||||
--
|
||||
2.9.5
|
||||
|
26
0006-sbus-fix-typo.patch
Normal file
26
0006-sbus-fix-typo.patch
Normal file
@ -0,0 +1,26 @@
|
||||
From 8c8f74b0dfa29643279d31b12300ced47d5c2ab5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 16 Aug 2018 11:42:44 +0200
|
||||
Subject: [PATCH 09/83] sbus: fix typo
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/sbus/sbus_message.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
|
||||
index 99dd930..92d5cea 100644
|
||||
--- a/src/sbus/sbus_message.h
|
||||
+++ b/src/sbus/sbus_message.h
|
||||
@@ -49,7 +49,7 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
||||
*
|
||||
* DO NOT USE dbus_message_unref() on such message anymore since it would not
|
||||
* release internal data about the bound. The message will be automatically
|
||||
- * unreferenced whent the talloc context is freed.
|
||||
+ * unreferenced when the talloc context is freed.
|
||||
*
|
||||
* @param mem_ctx Memory context to bound the message with. It can not be NULL.
|
||||
* @param msg Message to be bound with memory context.
|
||||
--
|
||||
2.9.5
|
||||
|
41
0007-sbus-check-for-null-message-in-sbus_message_bound.patch
Normal file
41
0007-sbus-check-for-null-message-in-sbus_message_bound.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From 30f4adf874aff174734ad77902a79fc5727ab495 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 16 Aug 2018 12:57:47 +0200
|
||||
Subject: [PATCH 10/83] sbus: check for null message in sbus_message_bound
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/sbus/request/sbus_message.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/src/sbus/request/sbus_message.c b/src/sbus/request/sbus_message.c
|
||||
index 950be91..7314fd7 100644
|
||||
--- a/src/sbus/request/sbus_message.c
|
||||
+++ b/src/sbus/request/sbus_message.c
|
||||
@@ -83,6 +83,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
+ if (msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
/* Create a talloc context that will unreference this message when
|
||||
* the parent context is freed. */
|
||||
talloc_msg = talloc(mem_ctx, struct sbus_talloc_msg);
|
||||
@@ -122,6 +127,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
||||
errno_t
|
||||
sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
||||
{
|
||||
+ if (msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
dbus_message_ref(msg);
|
||||
return sbus_message_bound(mem_ctx, msg);
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
336
0008-sbus-replace-sbus_message_bound_ref-with-sbus_messag.patch
Normal file
336
0008-sbus-replace-sbus_message_bound_ref-with-sbus_messag.patch
Normal file
@ -0,0 +1,336 @@
|
||||
From ca50c40511f08c0f7c786598e5793a06789c6cce Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 16 Aug 2018 13:17:13 +0200
|
||||
Subject: [PATCH 11/83] sbus: replace sbus_message_bound_ref with
|
||||
sbus_message_bound_steal
|
||||
|
||||
The memory context used to new message reference accidentally overwrote
|
||||
the one use by the initial sbus_message_bound call. This caused a memory
|
||||
leak of message as its reference counter got increased but number of
|
||||
talloc contexts bound this this message decreased at the same time.
|
||||
|
||||
Fixing this is non-trival and it would require separate data slot for
|
||||
each reference. Because we do not have any existing use case for this
|
||||
and we use it only as an equivalent of talloc_steal it is better to
|
||||
provide a real equivalent for this talloc function.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3810
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c | 4 +-
|
||||
src/sbus/codegen/templates/client_async.c.tpl | 4 +-
|
||||
src/sbus/codegen/templates/client_sync.c.tpl | 4 +-
|
||||
src/sbus/interface_dbus/sbus_dbus_client_async.c | 8 ++--
|
||||
src/sbus/interface_dbus/sbus_dbus_client_sync.c | 8 ++--
|
||||
src/sbus/request/sbus_message.c | 51 +++++++++++++++++-----
|
||||
src/sbus/request/sbus_request.c | 10 ++---
|
||||
src/sbus/request/sbus_request_call.c | 5 +--
|
||||
src/sbus/sbus_message.h | 8 +---
|
||||
src/sbus/sync/sbus_sync_call.c | 5 +--
|
||||
10 files changed, 65 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c b/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
|
||||
index 4859b93..1f0a8e3 100644
|
||||
--- a/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
|
||||
+++ b/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
|
||||
@@ -526,9 +526,9 @@ sbus_method_in_sas_out_raw
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sbus_message_bound_ref(mem_ctx, reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
diff --git a/src/sbus/codegen/templates/client_async.c.tpl b/src/sbus/codegen/templates/client_async.c.tpl
|
||||
index 6ffb4f8..e16ce42 100644
|
||||
--- a/src/sbus/codegen/templates/client_async.c.tpl
|
||||
+++ b/src/sbus/codegen/templates/client_async.c.tpl
|
||||
@@ -193,9 +193,9 @@
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
}
|
||||
diff --git a/src/sbus/codegen/templates/client_sync.c.tpl b/src/sbus/codegen/templates/client_sync.c.tpl
|
||||
index 30fa009..fe9a3a4 100644
|
||||
--- a/src/sbus/codegen/templates/client_sync.c.tpl
|
||||
+++ b/src/sbus/codegen/templates/client_sync.c.tpl
|
||||
@@ -110,9 +110,9 @@
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sbus_message_bound_ref(mem_ctx, reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
diff --git a/src/sbus/interface_dbus/sbus_dbus_client_async.c b/src/sbus/interface_dbus/sbus_dbus_client_async.c
|
||||
index 9dbd72c..0060e8b 100644
|
||||
--- a/src/sbus/interface_dbus/sbus_dbus_client_async.c
|
||||
+++ b/src/sbus/interface_dbus/sbus_dbus_client_async.c
|
||||
@@ -301,9 +301,9 @@ sbus_method_in_s_out_raw_recv
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
}
|
||||
@@ -513,9 +513,9 @@ sbus_method_in_ss_out_raw_recv
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
}
|
||||
diff --git a/src/sbus/interface_dbus/sbus_dbus_client_sync.c b/src/sbus/interface_dbus/sbus_dbus_client_sync.c
|
||||
index a0473cd..3ab0aab 100644
|
||||
--- a/src/sbus/interface_dbus/sbus_dbus_client_sync.c
|
||||
+++ b/src/sbus/interface_dbus/sbus_dbus_client_sync.c
|
||||
@@ -101,9 +101,9 @@ sbus_method_in_s_out_raw
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sbus_message_bound_ref(mem_ctx, reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
@@ -159,9 +159,9 @@ sbus_method_in_ss_out_raw
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sbus_message_bound_ref(mem_ctx, reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
diff --git a/src/sbus/request/sbus_message.c b/src/sbus/request/sbus_message.c
|
||||
index 7314fd7..90c6df4 100644
|
||||
--- a/src/sbus/request/sbus_message.c
|
||||
+++ b/src/sbus/request/sbus_message.c
|
||||
@@ -29,8 +29,9 @@
|
||||
#include "sbus/interface/sbus_iterator_writers.h"
|
||||
|
||||
/* Data slot that is used for message data. The slot is shared for all
|
||||
- * messages. */
|
||||
-dbus_int32_t data_slot = -1;
|
||||
+ * messages, i.e. when a data slot is allocated all messages have the
|
||||
+ * slot available. */
|
||||
+dbus_int32_t global_data_slot = -1;
|
||||
|
||||
struct sbus_talloc_msg {
|
||||
DBusMessage *msg;
|
||||
@@ -48,7 +49,7 @@ static int sbus_talloc_msg_destructor(struct sbus_talloc_msg *talloc_msg)
|
||||
/* There may exist more references to this message but this talloc
|
||||
* context is no longer valid. We remove dbus message data to invoke
|
||||
* dbus destructor now. */
|
||||
- dbus_message_set_data(talloc_msg->msg, data_slot, NULL, NULL);
|
||||
+ dbus_message_set_data(talloc_msg->msg, global_data_slot, NULL, NULL);
|
||||
dbus_message_unref(talloc_msg->msg);
|
||||
return 0;
|
||||
}
|
||||
@@ -60,7 +61,7 @@ static void sbus_msg_data_destructor(void *ctx)
|
||||
talloc_msg = talloc_get_type(ctx, struct sbus_talloc_msg);
|
||||
|
||||
/* Decrement ref counter on data slot. */
|
||||
- dbus_message_free_data_slot(&data_slot);
|
||||
+ dbus_message_free_data_slot(&global_data_slot);
|
||||
|
||||
if (!talloc_msg->in_talloc_destructor) {
|
||||
/* References to this message dropped to zero but through
|
||||
@@ -100,7 +101,8 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
||||
/* Allocate a dbus message data slot that will contain pointer to the
|
||||
* talloc context so we can pick up cases when the dbus message is
|
||||
* freed through dbus api. */
|
||||
- bret = dbus_message_allocate_data_slot(&data_slot);
|
||||
+
|
||||
+ bret = dbus_message_allocate_data_slot(&global_data_slot);
|
||||
if (!bret) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to allocate data slot!\n");
|
||||
talloc_free(talloc_msg);
|
||||
@@ -108,11 +110,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
||||
}
|
||||
|
||||
free_fn = sbus_msg_data_destructor;
|
||||
- bret = dbus_message_set_data(msg, data_slot, talloc_msg, free_fn);
|
||||
+ bret = dbus_message_set_data(msg, global_data_slot, talloc_msg, free_fn);
|
||||
if (!bret) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set message data!\n");
|
||||
talloc_free(talloc_msg);
|
||||
- dbus_message_free_data_slot(&data_slot);
|
||||
+ dbus_message_free_data_slot(&global_data_slot);
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
@@ -125,15 +127,44 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
||||
}
|
||||
|
||||
errno_t
|
||||
-sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
||||
+sbus_message_bound_steal(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
||||
{
|
||||
+ struct sbus_talloc_msg *talloc_msg;
|
||||
+ void *data;
|
||||
+
|
||||
+ if (mem_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Warning: bounding to NULL context!\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
if (msg == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
- dbus_message_ref(msg);
|
||||
- return sbus_message_bound(mem_ctx, msg);
|
||||
+ if (global_data_slot < 0) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
|
||||
+ "(data slot < 0)\n");
|
||||
+ return ERR_INTERNAL;
|
||||
+ }
|
||||
+
|
||||
+ data = dbus_message_get_data(msg, global_data_slot);
|
||||
+ if (data == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
|
||||
+ "(returned data is NULL)\n");
|
||||
+ return ERR_INTERNAL;
|
||||
+ }
|
||||
+
|
||||
+ talloc_msg = talloc_get_type(data, struct sbus_talloc_msg);
|
||||
+ if (talloc_msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
|
||||
+ "(invalid data)\n");
|
||||
+ return ERR_INTERNAL;
|
||||
+ }
|
||||
+
|
||||
+ talloc_steal(mem_ctx, talloc_msg);
|
||||
+
|
||||
+ return EOK;
|
||||
}
|
||||
|
||||
DBusMessage *
|
||||
diff --git a/src/sbus/request/sbus_request.c b/src/sbus/request/sbus_request.c
|
||||
index 3d0e2f9..1ccd01e 100644
|
||||
--- a/src/sbus/request/sbus_request.c
|
||||
+++ b/src/sbus/request/sbus_request.c
|
||||
@@ -564,10 +564,9 @@ sbus_incoming_request_recv(TALLOC_CTX *mem_ctx,
|
||||
return EOK;
|
||||
}
|
||||
|
||||
- /* Create new reference to the reply and bound it with caller mem_ctx. */
|
||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
}
|
||||
@@ -709,10 +708,9 @@ sbus_outgoing_request_recv(TALLOC_CTX *mem_ctx,
|
||||
|
||||
TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||
|
||||
- /* Create new reference to the reply and bound it with caller mem_ctx. */
|
||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
}
|
||||
diff --git a/src/sbus/request/sbus_request_call.c b/src/sbus/request/sbus_request_call.c
|
||||
index 1cf58bd..cf2a6e5 100644
|
||||
--- a/src/sbus/request/sbus_request_call.c
|
||||
+++ b/src/sbus/request/sbus_request_call.c
|
||||
@@ -126,10 +126,9 @@ sbus_call_method_recv(TALLOC_CTX *mem_ctx,
|
||||
|
||||
TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||
|
||||
- /* Create new reference to the reply and bound it with caller mem_ctx. */
|
||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
}
|
||||
diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
|
||||
index 92d5cea..e7b8fe5 100644
|
||||
--- a/src/sbus/sbus_message.h
|
||||
+++ b/src/sbus/sbus_message.h
|
||||
@@ -45,11 +45,7 @@ errno_t
|
||||
sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
||||
|
||||
/**
|
||||
- * Reference the message and bound it with talloc context.
|
||||
- *
|
||||
- * DO NOT USE dbus_message_unref() on such message anymore since it would not
|
||||
- * release internal data about the bound. The message will be automatically
|
||||
- * unreferenced when the talloc context is freed.
|
||||
+ * Steal previously bound D-Bus message to a new talloc parent.
|
||||
*
|
||||
* @param mem_ctx Memory context to bound the message with. It can not be NULL.
|
||||
* @param msg Message to be bound with memory context.
|
||||
@@ -57,7 +53,7 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
||||
* @return EOK on success, other errno code on error.
|
||||
*/
|
||||
errno_t
|
||||
-sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
||||
+sbus_message_bound_steal(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
||||
|
||||
/**
|
||||
* Create an empty D-Bus method call.
|
||||
diff --git a/src/sbus/sync/sbus_sync_call.c b/src/sbus/sync/sbus_sync_call.c
|
||||
index 8549e58..a4f8a5c 100644
|
||||
--- a/src/sbus/sync/sbus_sync_call.c
|
||||
+++ b/src/sbus/sync/sbus_sync_call.c
|
||||
@@ -63,10 +63,9 @@ sbus_sync_call_method(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* Create new reference to the reply and bound it with caller mem_ctx. */
|
||||
- ret = sbus_message_bound_ref(mem_ctx, reply);
|
||||
+ ret = sbus_message_bound_steal(mem_ctx, reply);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
663
0009-sbus-add-unit-tests-for-public-sbus_message-module.patch
Normal file
663
0009-sbus-add-unit-tests-for-public-sbus_message-module.patch
Normal file
@ -0,0 +1,663 @@
|
||||
From c895fa2449900f4abd1dce6bb62a45c52bbb12cf Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 16 Aug 2018 13:20:55 +0200
|
||||
Subject: [PATCH 12/83] sbus: add unit tests for public sbus_message module
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
Makefile.am | 14 +
|
||||
src/tests/cmocka/sbus/test_sbus_message.c | 610 ++++++++++++++++++++++++++++++
|
||||
2 files changed, 624 insertions(+)
|
||||
create mode 100644 src/tests/cmocka/sbus/test_sbus_message.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 1b4f044..11d0405 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -270,6 +270,7 @@ if HAVE_CMOCKA
|
||||
test_copy_keytab \
|
||||
test_child_common \
|
||||
responder_cache_req-tests \
|
||||
+ test_sbus_message \
|
||||
test_sbus_opath \
|
||||
test_fo_srv \
|
||||
pam-srv-tests \
|
||||
@@ -2594,6 +2595,19 @@ test_ssh_client_LDADD = \
|
||||
$(SSSD_LIBS) \
|
||||
$(NULL)
|
||||
|
||||
+test_sbus_message_SOURCES = \
|
||||
+ src/tests/cmocka/sbus/test_sbus_message.c \
|
||||
+ $(NULL)
|
||||
+test_sbus_message_CFLAGS = \
|
||||
+ $(AM_CFLAGS)
|
||||
+test_sbus_message_LDADD = \
|
||||
+ $(CMOCKA_LIBS) \
|
||||
+ $(POPT_LIBS) \
|
||||
+ libsss_debug.la \
|
||||
+ libsss_test_common.la \
|
||||
+ libsss_sbus.la \
|
||||
+ $(NULL)
|
||||
+
|
||||
test_sbus_opath_SOURCES = \
|
||||
src/tests/cmocka/sbus/test_sbus_opath.c \
|
||||
$(NULL)
|
||||
diff --git a/src/tests/cmocka/sbus/test_sbus_message.c b/src/tests/cmocka/sbus/test_sbus_message.c
|
||||
new file mode 100644
|
||||
index 0000000..c01e168
|
||||
--- /dev/null
|
||||
+++ b/src/tests/cmocka/sbus/test_sbus_message.c
|
||||
@@ -0,0 +1,610 @@
|
||||
+/*
|
||||
+ Authors:
|
||||
+ Jakub Hrozek <jhrozek@redhat.com>
|
||||
+ Pavel Březina <pbrezina@redhat.com>
|
||||
+
|
||||
+ Copyright (C) 2014 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#include <talloc.h>
|
||||
+#include <errno.h>
|
||||
+#include <popt.h>
|
||||
+
|
||||
+#include "util/util.h"
|
||||
+#include "sbus/sbus_message.h"
|
||||
+#include "tests/cmocka/common_mock.h"
|
||||
+#include "tests/common.h"
|
||||
+
|
||||
+#define BASE_PATH "/some/path"
|
||||
+
|
||||
+struct test_ctx {
|
||||
+ bool msg_removed;
|
||||
+};
|
||||
+
|
||||
+static void helper_msg_removed(void *state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(state, struct test_ctx);
|
||||
+
|
||||
+ test_ctx->msg_removed = true;
|
||||
+}
|
||||
+
|
||||
+static void helper_msg_watch(struct test_ctx *test_ctx, DBusMessage *msg)
|
||||
+{
|
||||
+ DBusFreeFunction free_fn;
|
||||
+ dbus_int32_t data_slot = -1;
|
||||
+ dbus_bool_t bret;
|
||||
+
|
||||
+ assert_non_null(msg);
|
||||
+
|
||||
+ bret = dbus_message_allocate_data_slot(&data_slot);
|
||||
+ assert_true(bret);
|
||||
+
|
||||
+ free_fn = helper_msg_removed;
|
||||
+ bret = dbus_message_set_data(msg, data_slot, test_ctx, free_fn);
|
||||
+ assert_true(bret);
|
||||
+}
|
||||
+
|
||||
+static int test_setup(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx;
|
||||
+
|
||||
+ assert_true(leak_check_setup());
|
||||
+
|
||||
+ test_ctx = talloc_zero(global_talloc_context, struct test_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+ *state = test_ctx;
|
||||
+
|
||||
+ check_leaks_push(test_ctx);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int test_teardown(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx;
|
||||
+
|
||||
+ test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+
|
||||
+ assert_true(check_leaks_pop(test_ctx));
|
||||
+ talloc_zfree(test_ctx);
|
||||
+ assert_true(leak_check_teardown());
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+void test_sbus_message_bound__null(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ DBusMessage *msg;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+
|
||||
+ ret = sbus_message_bound(NULL, msg);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ ret = sbus_message_bound(test_ctx, NULL);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_message_bound__unref(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ DBusMessage *msg;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ ret = sbus_message_bound(test_ctx, msg);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ /* no memory leak should be detected in teardown */
|
||||
+ dbus_message_unref(msg);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_message_bound__free(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ DBusMessage *msg;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(test_ctx);
|
||||
+ assert_non_null(tmp_ctx);
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ ret = sbus_message_bound(tmp_ctx, msg);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_message_bound_steal__null(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ DBusMessage *msg;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ ret = sbus_message_bound_steal(NULL, msg);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ ret = sbus_message_bound_steal(test_ctx, NULL);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_message_bound_steal__invalid(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ DBusMessage *msg;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ ret = sbus_message_bound_steal(test_ctx, msg);
|
||||
+ assert_int_equal(ret, ERR_INTERNAL);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_message_bound_steal__free(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ TALLOC_CTX *tmp_ctx_steal;
|
||||
+ DBusMessage *msg;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(test_ctx);
|
||||
+ assert_non_null(tmp_ctx);
|
||||
+
|
||||
+ tmp_ctx_steal = talloc_new(test_ctx);
|
||||
+ assert_non_null(tmp_ctx_steal);
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ ret = sbus_message_bound(tmp_ctx, msg);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ /* this will increase ref counter of message and add new talloc bound */
|
||||
+ ret = sbus_message_bound_steal(tmp_ctx_steal, msg);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ assert_false(test_ctx->msg_removed);
|
||||
+ talloc_free(tmp_ctx_steal);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_method_create_empty__unref(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ DBusMessage *msg;
|
||||
+
|
||||
+ msg = sbus_method_create_empty(NULL, "bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
|
||||
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
|
||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_method_create_empty__free(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ DBusMessage *msg;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(test_ctx);
|
||||
+ assert_non_null(tmp_ctx);
|
||||
+
|
||||
+ msg = sbus_method_create_empty(tmp_ctx, "bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
|
||||
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
|
||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
||||
+
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_method_create__unref(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ DBusMessage *msg;
|
||||
+ dbus_bool_t dbret;
|
||||
+ uint32_t in_value = 32;
|
||||
+ uint32_t out_value;
|
||||
+
|
||||
+ msg = sbus_method_create(NULL, "bus.test", "/", "iface.test", "method",
|
||||
+ DBUS_TYPE_UINT32, &in_value);
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
|
||||
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
|
||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
||||
+
|
||||
+ dbret = dbus_message_get_args(msg, NULL,
|
||||
+ DBUS_TYPE_UINT32, &out_value,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+ assert_true(dbret);
|
||||
+ assert_int_equal(out_value, 32);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_method_create__free(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ DBusMessage *msg;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(test_ctx);
|
||||
+ assert_non_null(tmp_ctx);
|
||||
+
|
||||
+ msg = sbus_method_create_empty(tmp_ctx, "bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
|
||||
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
|
||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
||||
+
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_signal_create_empty__unref(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ DBusMessage *msg;
|
||||
+
|
||||
+ msg = sbus_signal_create_empty(NULL, "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
|
||||
+ assert_null(dbus_message_get_destination(msg));
|
||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_signal_create_empty__free(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ DBusMessage *msg;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(test_ctx);
|
||||
+ assert_non_null(tmp_ctx);
|
||||
+
|
||||
+ msg = sbus_signal_create_empty(tmp_ctx, "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
|
||||
+ assert_null(dbus_message_get_destination(msg));
|
||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
||||
+
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_signal_create__unref(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ DBusMessage *msg;
|
||||
+ dbus_bool_t dbret;
|
||||
+ uint32_t in_value = 32;
|
||||
+ uint32_t out_value;
|
||||
+
|
||||
+ msg = sbus_signal_create(NULL, "/", "iface.test", "method",
|
||||
+ DBUS_TYPE_UINT32, &in_value);
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
|
||||
+ assert_null(dbus_message_get_destination(msg));
|
||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
||||
+
|
||||
+ dbret = dbus_message_get_args(msg, NULL,
|
||||
+ DBUS_TYPE_UINT32, &out_value,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+ assert_true(dbret);
|
||||
+ assert_int_equal(out_value, 32);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_signal_create__free(void **state)
|
||||
+{
|
||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ DBusMessage *msg;
|
||||
+ dbus_bool_t dbret;
|
||||
+ uint32_t in_value = 32;
|
||||
+ uint32_t out_value;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(test_ctx);
|
||||
+ assert_non_null(tmp_ctx);
|
||||
+
|
||||
+ msg = sbus_signal_create(tmp_ctx, "/", "iface.test", "method",
|
||||
+ DBUS_TYPE_UINT32, &in_value);
|
||||
+ assert_non_null(msg);
|
||||
+ helper_msg_watch(test_ctx, msg);
|
||||
+
|
||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
|
||||
+ assert_null(dbus_message_get_destination(msg));
|
||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
||||
+
|
||||
+ dbret = dbus_message_get_args(msg, NULL,
|
||||
+ DBUS_TYPE_UINT32, &out_value,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+ assert_true(dbret);
|
||||
+ assert_int_equal(out_value, 32);
|
||||
+
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ assert_true(test_ctx->msg_removed);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_reply_parse__ok(void **state)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+ DBusMessage *reply;
|
||||
+ dbus_bool_t dbret;
|
||||
+ uint32_t in_value1 = 32;
|
||||
+ uint32_t in_value2 = 64;
|
||||
+ uint32_t out_value1;
|
||||
+ uint32_t out_value2;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ dbus_message_set_serial(msg, 1);
|
||||
+
|
||||
+ reply = dbus_message_new_method_return(msg);
|
||||
+ assert_non_null(reply);
|
||||
+
|
||||
+ dbret = dbus_message_append_args(reply, DBUS_TYPE_UINT32, &in_value1,
|
||||
+ DBUS_TYPE_UINT32, &in_value2,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+ assert_true(dbret);
|
||||
+
|
||||
+ ret = sbus_reply_parse(reply, DBUS_TYPE_UINT32, &out_value1,
|
||||
+ DBUS_TYPE_UINT32, &out_value2);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_int_equal(out_value1, in_value1);
|
||||
+ assert_int_equal(out_value2, in_value2);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+ dbus_message_unref(reply);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_reply_parse__error(void **state)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+ DBusMessage *reply;
|
||||
+ uint32_t out_value1;
|
||||
+ uint32_t out_value2;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ dbus_message_set_serial(msg, 1);
|
||||
+
|
||||
+ reply = dbus_message_new_error(msg, SBUS_ERROR_KILLED, "Test error!");
|
||||
+ assert_non_null(reply);
|
||||
+
|
||||
+ ret = sbus_reply_parse(reply, DBUS_TYPE_UINT32, &out_value1,
|
||||
+ DBUS_TYPE_UINT32, &out_value2);
|
||||
+ assert_int_equal(ret, ERR_SBUS_KILL_CONNECTION);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+ dbus_message_unref(reply);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_reply_parse__wrong_type(void **state)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ dbus_message_set_serial(msg, 1);
|
||||
+
|
||||
+ ret = sbus_reply_parse(msg);
|
||||
+ assert_int_not_equal(ret, EOK);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_reply_check__ok(void **state)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+ DBusMessage *reply;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ dbus_message_set_serial(msg, 1);
|
||||
+
|
||||
+ reply = dbus_message_new_method_return(msg);
|
||||
+ assert_non_null(reply);
|
||||
+
|
||||
+ ret = sbus_reply_check(reply);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+ dbus_message_unref(reply);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_reply_check__error(void **state)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+ DBusMessage *reply;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ dbus_message_set_serial(msg, 1);
|
||||
+
|
||||
+ reply = dbus_message_new_error(msg, SBUS_ERROR_KILLED, "Test error!");
|
||||
+ assert_non_null(reply);
|
||||
+
|
||||
+ ret = sbus_reply_check(reply);
|
||||
+ assert_int_equal(ret, ERR_SBUS_KILL_CONNECTION);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+ dbus_message_unref(reply);
|
||||
+}
|
||||
+
|
||||
+void test_sbus_reply_check__wrong_type(void **state)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
||||
+ assert_non_null(msg);
|
||||
+ dbus_message_set_serial(msg, 1);
|
||||
+
|
||||
+ ret = sbus_reply_check(msg);
|
||||
+ assert_int_not_equal(ret, EOK);
|
||||
+
|
||||
+ dbus_message_unref(msg);
|
||||
+}
|
||||
+
|
||||
+int main(int argc, const char *argv[])
|
||||
+{
|
||||
+ poptContext pc;
|
||||
+ int opt;
|
||||
+ struct poptOption long_options[] = {
|
||||
+ POPT_AUTOHELP
|
||||
+ SSSD_DEBUG_OPTS
|
||||
+ POPT_TABLEEND
|
||||
+ };
|
||||
+
|
||||
+ const struct CMUnitTest tests[] = {
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__null,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__unref,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__free,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__null,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__invalid,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__free,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_method_create_empty__unref,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_method_create_empty__free,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_method_create__unref,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_method_create__free,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create_empty__unref,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create_empty__free,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create__unref,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create__free,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__ok,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__error,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__wrong_type,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__ok,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__error,
|
||||
+ test_setup, test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__wrong_type,
|
||||
+ test_setup, test_teardown),
|
||||
+ };
|
||||
+
|
||||
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
|
||||
+ debug_level = SSSDBG_INVALID;
|
||||
+
|
||||
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
|
||||
+ while((opt = poptGetNextOpt(pc)) != -1) {
|
||||
+ switch(opt) {
|
||||
+ default:
|
||||
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
|
||||
+ poptBadOption(pc, 0), poptStrerror(opt));
|
||||
+ poptPrintUsage(pc, stderr, 0);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ }
|
||||
+ poptFreeContext(pc);
|
||||
+
|
||||
+ DEBUG_CLI_INIT(debug_level);
|
||||
+
|
||||
+ return cmocka_run_group_tests(tests, NULL, NULL);
|
||||
+}
|
||||
--
|
||||
2.9.5
|
||||
|
145
0010-SELINUX-Always-add-SELinux-user-to-the-semanage-data.patch
Normal file
145
0010-SELINUX-Always-add-SELinux-user-to-the-semanage-data.patch
Normal file
@ -0,0 +1,145 @@
|
||||
From 945865ae16120ffade267227ca48cefd58822fd2 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 23 Aug 2018 13:55:51 +0200
|
||||
Subject: [PATCH 13/83] SELINUX: Always add SELinux user to the semanage
|
||||
database if it doesn't exist
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Previously, we tried to optimize too much and only set the SELinux user
|
||||
to Linux user mapping in case the SELinux user was different from the
|
||||
system default. But this doesn't work for the case where the Linux user
|
||||
has a non-standard home directory, because then SELinux would not have
|
||||
any idea that this user's home directory should be labeled as a home
|
||||
directory.
|
||||
|
||||
This patch relaxes the optimization in the sense that on the first
|
||||
login, the SELinux context is saved regardless of whether it is the same
|
||||
as the default or different.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3819
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/providers/ipa/selinux_child.c | 10 ++++++++--
|
||||
src/util/sss_semanage.c | 30 ++++++++++++++++++++++++++++++
|
||||
src/util/util.h | 1 +
|
||||
src/util/util_errors.c | 1 +
|
||||
src/util/util_errors.h | 1 +
|
||||
5 files changed, 41 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
|
||||
index d061417..925591e 100644
|
||||
--- a/src/providers/ipa/selinux_child.c
|
||||
+++ b/src/providers/ipa/selinux_child.c
|
||||
@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,
|
||||
|
||||
ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
- "getseuserbyname: ret: %d seuser: %s mls: %s\n",
|
||||
+ "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
|
||||
ret, db_seuser ? db_seuser : "unknown",
|
||||
db_mls_range ? db_mls_range : "unknown");
|
||||
if (ret == EOK && db_seuser && db_mls_range &&
|
||||
strcmp(db_seuser, seuser) == 0 &&
|
||||
strcmp(db_mls_range, mls_range) == 0) {
|
||||
- needs_update = false;
|
||||
+ ret = sss_seuser_exists(username);
|
||||
+ if (ret == EOK) {
|
||||
+ needs_update = false;
|
||||
+ }
|
||||
}
|
||||
/* OR */
|
||||
if (ret == ERR_SELINUX_NOT_MANAGED) {
|
||||
@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,
|
||||
|
||||
free(db_seuser);
|
||||
free(db_mls_range);
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "The SELinux user does %sneed an update\n",
|
||||
+ needs_update ? "" : "not ");
|
||||
return needs_update;
|
||||
}
|
||||
|
||||
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
|
||||
index bcce57b..aea0385 100644
|
||||
--- a/src/util/sss_semanage.c
|
||||
+++ b/src/util/sss_semanage.c
|
||||
@@ -248,6 +248,36 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+int sss_seuser_exists(const char *linuxuser)
|
||||
+{
|
||||
+ int ret;
|
||||
+ int exists;
|
||||
+ semanage_seuser_key_t *sm_key = NULL;
|
||||
+ semanage_handle_t *sm_handle = NULL;
|
||||
+
|
||||
+ ret = sss_semanage_init(&sm_handle);
|
||||
+ if (ret != EOK) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);
|
||||
+ if (ret < 0) {
|
||||
+ sss_semanage_close(sm_handle);
|
||||
+ return EIO;
|
||||
+ }
|
||||
+
|
||||
+ ret = semanage_seuser_exists(sm_handle, sm_key, &exists);
|
||||
+ semanage_seuser_key_free(sm_key);
|
||||
+ sss_semanage_close(sm_handle);
|
||||
+ if (ret < 0) {
|
||||
+ return EIO;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");
|
||||
+
|
||||
+ return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;
|
||||
+}
|
||||
+
|
||||
int sss_get_seuser(const char *linuxuser,
|
||||
char **selinuxuser,
|
||||
char **level)
|
||||
diff --git a/src/util/util.h b/src/util/util.h
|
||||
index 867acf2..59e7a96 100644
|
||||
--- a/src/util/util.h
|
||||
+++ b/src/util/util.h
|
||||
@@ -663,6 +663,7 @@ int sss_del_seuser(const char *login_name);
|
||||
int sss_get_seuser(const char *linuxuser,
|
||||
char **selinuxuser,
|
||||
char **level);
|
||||
+int sss_seuser_exists(const char *linuxuser);
|
||||
|
||||
/* convert time from generalized form to unix time */
|
||||
errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
|
||||
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
|
||||
index 920a178..5f8a2a2 100644
|
||||
--- a/src/util/util_errors.c
|
||||
+++ b/src/util/util_errors.c
|
||||
@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
|
||||
{ "LDAP search returned a referral" }, /* ERR_REFERRAL */
|
||||
{ "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
|
||||
{ "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
|
||||
+ { "SELinux user does not exist" }, /* ERR_SELINUX_USER_NOT_FOUND */
|
||||
{ "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
|
||||
{ "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
|
||||
{ "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
|
||||
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
|
||||
index 5a50936..c6731d4 100644
|
||||
--- a/src/util/util_errors.h
|
||||
+++ b/src/util/util_errors.h
|
||||
@@ -97,6 +97,7 @@ enum sssd_errors {
|
||||
ERR_REFERRAL,
|
||||
ERR_SELINUX_CONTEXT,
|
||||
ERR_SELINUX_NOT_MANAGED,
|
||||
+ ERR_SELINUX_USER_NOT_FOUND,
|
||||
ERR_REGEX_NOMATCH,
|
||||
ERR_TIMESPEC_NOT_SUPPORTED,
|
||||
ERR_INVALID_CONFIG,
|
||||
--
|
||||
2.9.5
|
||||
|
44
0011-intg-flush-the-SSSD-caches-to-sync-with-files.patch
Normal file
44
0011-intg-flush-the-SSSD-caches-to-sync-with-files.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 1e2398870e8aa512ead3012d46cbe6252429467a Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 10 Sep 2018 15:35:45 +0200
|
||||
Subject: [PATCH 16/83] intg: flush the SSSD caches to sync with files
|
||||
|
||||
To make sure that SSSD has synced with the latest data added to the
|
||||
passwd file sss_cache is called in two places where the current sync
|
||||
scheme was not reliable. This was mainly observed when running the
|
||||
integration tests on Debian.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/intg/test_files_provider.py | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
|
||||
index 9f30d2b..ead1cc4 100644
|
||||
--- a/src/tests/intg/test_files_provider.py
|
||||
+++ b/src/tests/intg/test_files_provider.py
|
||||
@@ -644,6 +644,10 @@ def test_enum_users(setup_pw_with_canary, files_domain_only):
|
||||
user = user_generator(i)
|
||||
setup_pw_with_canary.useradd(**user)
|
||||
|
||||
+ # syncing with the help of the canary is not reliable after adding
|
||||
+ # multiple users because the canary might still be in some caches so that
|
||||
+ # the data is not refreshed properly.
|
||||
+ subprocess.call(["sss_cache", "-E"])
|
||||
sssd_getpwnam_sync(CANARY["name"])
|
||||
user_list = call_sssd_enumeration()
|
||||
# +1 because the canary is added
|
||||
@@ -1043,6 +1047,10 @@ def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
|
||||
|
||||
# Add this user and verify it's been added as a member
|
||||
pwd_ops.useradd(**USER2)
|
||||
+ # The negative cache might still have user2 from the previous request,
|
||||
+ # flushing the caches might help to prevent a failed lookup after adding
|
||||
+ # the user.
|
||||
+ subprocess.call(["sss_cache", "-E"])
|
||||
res, groups = sssd_id_sync('user2')
|
||||
assert res == sssd_id.NssReturnCode.SUCCESS
|
||||
assert len(groups) == 2
|
||||
--
|
||||
2.9.5
|
||||
|
87
0012-sbus-dectect-python-binary-for-sbus_generate.sh.patch
Normal file
87
0012-sbus-dectect-python-binary-for-sbus_generate.sh.patch
Normal file
@ -0,0 +1,87 @@
|
||||
From b03179ead11db7dbfd6a00d3eeef3dac0990f826 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 10 Sep 2018 15:40:14 +0200
|
||||
Subject: [PATCH 17/83] sbus: dectect python binary for sbus_generate.sh
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
We already detect python2 and python3 binaries during configure. With
|
||||
this patch PYTHON_EXEC is set to the python3 binary if python3 bindings
|
||||
are generated and to the python2 binary otherwise. With the help of an
|
||||
environment variable sbus_generate.sh is made aware of it.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3807
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 4 ++--
|
||||
configure.ac | 8 ++++++++
|
||||
sbus_generate.sh => sbus_generate.sh.in | 2 +-
|
||||
3 files changed, 11 insertions(+), 3 deletions(-)
|
||||
rename sbus_generate.sh => sbus_generate.sh.in (93%)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 11d0405..deb9ce3 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1020,14 +1020,14 @@ libsss_cert_la_LDFLAGS = \
|
||||
$(NULL)
|
||||
|
||||
generate-sbus-code:
|
||||
- $(srcdir)/sbus_generate.sh $(abs_srcdir)
|
||||
+ $(builddir)/sbus_generate.sh $(abs_srcdir)
|
||||
|
||||
.PHONY: generate-sbus-code
|
||||
|
||||
BUILT_SOURCES += generate-sbus-code
|
||||
|
||||
EXTRA_DIST += \
|
||||
- sbus_generate.sh \
|
||||
+ sbus_generate.sh.in \
|
||||
src/sbus/codegen/dbus.xml \
|
||||
src/sbus/codegen/sbus_CodeGen.py \
|
||||
src/sbus/codegen/sbus_DataType.py \
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 1aac65f..bb18ad4 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -373,6 +373,13 @@ them please use argument --without-python3-bindings when running configure.])])
|
||||
SSS_CLEAN_PYTHON_VARIABLES
|
||||
fi
|
||||
|
||||
+if test x$HAVE_PYTHON3_BINDINGS = x1; then
|
||||
+ PYTHON_EXEC=$PYTHON3
|
||||
+else
|
||||
+ PYTHON_EXEC=$PYTHON2
|
||||
+fi
|
||||
+AC_SUBST(PYTHON_EXEC)
|
||||
+
|
||||
AM_CONDITIONAL([BUILD_PYTHON_BINDINGS],
|
||||
[test x"$with_python2_bindings" = xyes \
|
||||
-o x"$with_python3_bindings" = xyes])
|
||||
@@ -524,4 +531,5 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
|
||||
src/config/setup.py
|
||||
src/systemtap/sssd.stp
|
||||
src/config/SSSDConfig/__init__.py])
|
||||
+AC_CONFIG_FILES([sbus_generate.sh], [chmod +x sbus_generate.sh])
|
||||
AC_OUTPUT
|
||||
diff --git a/sbus_generate.sh b/sbus_generate.sh.in
|
||||
similarity index 93%
|
||||
rename from sbus_generate.sh
|
||||
rename to sbus_generate.sh.in
|
||||
index 338fd9d..b2c695e 100755
|
||||
--- a/sbus_generate.sh
|
||||
+++ b/sbus_generate.sh.in
|
||||
@@ -13,7 +13,7 @@ generate() {
|
||||
|
||||
echo "Generating sbus code for: $XML"
|
||||
|
||||
- python $CODEGEN --sbus sbus --util util \
|
||||
+ @PYTHON_EXEC@ $CODEGEN --sbus sbus --util util \
|
||||
--headers "$HEADERS" \
|
||||
--dest "$SRCDIR/src/$DEST" \
|
||||
--fileprefix "sbus_${PREFIX}_" \
|
||||
--
|
||||
2.9.5
|
||||
|
68
0013-sudo-respect-case-sensitivity-in-sudo-responder.patch
Normal file
68
0013-sudo-respect-case-sensitivity-in-sudo-responder.patch
Normal file
@ -0,0 +1,68 @@
|
||||
From d7f0b58e2896ed2ef9ed5a390815c1e4df6caaee Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 6 Sep 2018 13:38:56 +0200
|
||||
Subject: [PATCH 18/83] sudo: respect case sensitivity in sudo responder
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the domain is not case sensitive and the case of the original user
|
||||
or group name differs from the name in the rule we failed to find the
|
||||
rule.
|
||||
|
||||
Now we filter the rule only with lower cased values in such domain.
|
||||
|
||||
Steps to reproduce:
|
||||
1. Add user/group with upper case, e.g. USER-1
|
||||
2. Add sudo rule with lower cased name, e.g. sudoUser: user-1
|
||||
3. Login to system with lower case, e.g. user-1
|
||||
4. Run sudo -l
|
||||
|
||||
Without the patch, rule is not found.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3820
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/db/sysdb_sudo.c | 17 ++++++++++++++---
|
||||
1 file changed, 14 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
|
||||
index 3ad462d..19ed97b 100644
|
||||
--- a/src/db/sysdb_sudo.c
|
||||
+++ b/src/db/sysdb_sudo.c
|
||||
@@ -418,7 +418,17 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
|
||||
ret = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
- DEBUG(SSSDBG_TRACE_FUNC, "original name: %s\n", orig_name);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Original name: %s\n", orig_name);
|
||||
+
|
||||
+ orig_name = sss_get_cased_name(tmp_ctx, orig_name, domain->case_sensitive);
|
||||
+ if (orig_name == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Cased name: %s\n", orig_name);
|
||||
|
||||
if (_uid != NULL) {
|
||||
uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
|
||||
@@ -450,8 +460,9 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
|
||||
continue;
|
||||
}
|
||||
|
||||
- sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames,
|
||||
- groupname);
|
||||
+ sysdb_groupnames[num_groups] = \
|
||||
+ sss_get_cased_name(sysdb_groupnames, groupname,
|
||||
+ domain->case_sensitive);
|
||||
if (sysdb_groupnames[num_groups] == NULL) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname);
|
||||
continue;
|
||||
--
|
||||
2.9.5
|
||||
|
130
0014-GPO-Add-gpo_implicit_deny-option.patch
Normal file
130
0014-GPO-Add-gpo_implicit_deny-option.patch
Normal file
@ -0,0 +1,130 @@
|
||||
From 3bd67c772c951f33422261ef658a104ccecc9561 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
||||
Date: Tue, 3 Jul 2018 20:03:39 +0200
|
||||
Subject: [PATCH 19/83] GPO: Add gpo_implicit_deny option
|
||||
|
||||
This option (when set to True) can be used to deny access to
|
||||
users even if there is not applicable GPO. Normally users are
|
||||
allowed access in this situation.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3701
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/config/cfg_rules.ini | 1 +
|
||||
src/man/sssd-ad.5.xml | 21 +++++++++++++++++++++
|
||||
src/providers/ad/ad_common.h | 1 +
|
||||
src/providers/ad/ad_gpo.c | 13 ++++++++++++-
|
||||
src/providers/ad/ad_opts.c | 1 +
|
||||
5 files changed, 36 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index 36e83a9..78f215e 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -437,6 +437,7 @@ option = ad_enable_dns_sites
|
||||
option = ad_enabled_domains
|
||||
option = ad_enable_gc
|
||||
option = ad_gpo_access_control
|
||||
+option = ad_gpo_implicit_deny
|
||||
option = ad_gpo_cache_timeout
|
||||
option = ad_gpo_default_right
|
||||
option = ad_gpo_map_batch
|
||||
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
||||
index f43c7fc..0eac382 100644
|
||||
--- a/src/man/sssd-ad.5.xml
|
||||
+++ b/src/man/sssd-ad.5.xml
|
||||
@@ -418,6 +418,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
+ <term>ad_gpo_implicit_deny (boolean)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Normally when no applicable GPOs are found the
|
||||
+ users are allowed access. When this option is set
|
||||
+ to True users will be allowed access only when
|
||||
+ explicitly allowed by a GPO rule. Otherwise users
|
||||
+ will be denied access. This can be used to harden
|
||||
+ security but be careful when using this option
|
||||
+ because it can deny access even to users in the
|
||||
+ built-in Administrators group if no GPO rules
|
||||
+ apply to them.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: False (seconds)
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+
|
||||
+ <varlistentry>
|
||||
<term>ad_gpo_cache_timeout (integer)</term>
|
||||
<listitem>
|
||||
<para>
|
||||
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
||||
index dd440da..2c52c99 100644
|
||||
--- a/src/providers/ad/ad_common.h
|
||||
+++ b/src/providers/ad/ad_common.h
|
||||
@@ -52,6 +52,7 @@ enum ad_basic_opt {
|
||||
AD_ACCESS_FILTER,
|
||||
AD_ENABLE_GC,
|
||||
AD_GPO_ACCESS_CONTROL,
|
||||
+ AD_GPO_IMPLICIT_DENY,
|
||||
AD_GPO_CACHE_TIMEOUT,
|
||||
AD_GPO_MAP_INTERACTIVE,
|
||||
AD_GPO_MAP_REMOTE_INTERACTIVE,
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index d568643..f3be723 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -1586,6 +1586,7 @@ struct ad_gpo_access_state {
|
||||
struct ldb_context *ldb_ctx;
|
||||
struct ad_access_ctx *access_ctx;
|
||||
enum gpo_access_control_mode gpo_mode;
|
||||
+ bool gpo_implicit_deny;
|
||||
enum gpo_map_type gpo_map_type;
|
||||
struct sdap_id_conn_ctx *conn;
|
||||
struct sdap_id_op *sdap_op;
|
||||
@@ -1712,6 +1713,8 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
|
||||
state->gpo_mode = ctx->gpo_access_control_mode;
|
||||
state->gpo_timeout_option = ctx->gpo_cache_timeout;
|
||||
state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
|
||||
+ state->gpo_implicit_deny = dp_opt_get_bool(ctx->ad_options,
|
||||
+ AD_GPO_IMPLICIT_DENY);
|
||||
state->access_ctx = ctx;
|
||||
state->opts = ctx->sdap_access_ctx->id_ctx->opts;
|
||||
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
|
||||
@@ -2171,7 +2174,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
|
||||
}
|
||||
}
|
||||
|
||||
- ret = EOK;
|
||||
+ if (state->gpo_implicit_deny == true) {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
|
||||
+ " is set to 'true'. The user will be denied access.\n");
|
||||
+ ret = ERR_ACCESS_DENIED;
|
||||
+ } else {
|
||||
+ ret = EOK;
|
||||
+ }
|
||||
+
|
||||
goto done;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
|
||||
index ac93327..c1d9cd7 100644
|
||||
--- a/src/providers/ad/ad_opts.c
|
||||
+++ b/src/providers/ad/ad_opts.c
|
||||
@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {
|
||||
{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
|
||||
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
||||
{ "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
|
||||
+ { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
|
||||
{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
--
|
||||
2.9.5
|
||||
|
41
0015-Skip-local-domain-if-not-supported.patch
Normal file
41
0015-Skip-local-domain-if-not-supported.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From 10fa27eddb9bbe135277d587c6a2de4b311da6df Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
||||
Date: Tue, 18 Sep 2018 15:23:54 +0200
|
||||
Subject: [PATCH 20/83] CONFDB: Skip 'local' domain if not supported
|
||||
|
||||
When SSSD is built without the support for local
|
||||
domain, we should gracegully skip local domains
|
||||
and let other domains start.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3828
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index 22068ca..621647e 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -945,8 +945,14 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (local_provider_is_built()
|
||||
- && strcasecmp(domain->provider, "local") == 0) {
|
||||
+ if (strcasecmp(domain->provider, "local") == 0) {
|
||||
+ if (!local_provider_is_built()) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "ID provider 'local' no longer supported, disabling\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
/* If this is the local provider, we need to ensure that
|
||||
* no other provider was specified for other types, since
|
||||
* the local provider cannot load them.
|
||||
--
|
||||
2.9.5
|
||||
|
259
0016-sysdb-extract-sysdb_ldb_msg_attr_to_certmap_info-cal.patch
Normal file
259
0016-sysdb-extract-sysdb_ldb_msg_attr_to_certmap_info-cal.patch
Normal file
@ -0,0 +1,259 @@
|
||||
From 7c619ae08f05a7595d15cf11b64461a7d19cfaa7 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 29 Jun 2018 17:49:50 +0200
|
||||
Subject: [PATCH 21/83] sysdb: extract sysdb_ldb_msg_attr_to_certmap_info()
|
||||
call
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/db/sysdb.h | 4 ++
|
||||
src/db/sysdb_certmap.c | 191 ++++++++++++++++++++++++++++---------------------
|
||||
2 files changed, 112 insertions(+), 83 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index d72af5a..cb04e1b 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -702,6 +702,10 @@ errno_t sysdb_update_certmap(struct sysdb_ctx *sysdb,
|
||||
struct certmap_info **certmaps,
|
||||
bool user_name_hint);
|
||||
|
||||
+errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
||||
+ struct ldb_message *msg,
|
||||
+ struct certmap_info **certmap);
|
||||
+
|
||||
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
||||
struct certmap_info ***certmaps,
|
||||
bool *user_name_hint);
|
||||
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
|
||||
index 6d83ba0..e61cc05 100644
|
||||
--- a/src/db/sysdb_certmap.c
|
||||
+++ b/src/db/sysdb_certmap.c
|
||||
@@ -262,19 +262,119 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
||||
+ struct ldb_message *msg,
|
||||
+ struct certmap_info **certmap)
|
||||
+{
|
||||
+ int ret;
|
||||
+ size_t d;
|
||||
+ size_t num_values;
|
||||
+ struct certmap_info *map = NULL;
|
||||
+ const char *tmp_str;
|
||||
+ uint64_t tmp_uint;
|
||||
+ struct ldb_message_element *tmp_el;
|
||||
+
|
||||
+
|
||||
+ map = talloc_zero(mem_ctx, struct certmap_info);
|
||||
+ if (map == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
|
||||
+ if (tmp_str == NULL) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
|
||||
+ ldb_dn_get_linearized(msg->dn));
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ map->name = talloc_strdup(map, tmp_str);
|
||||
+ if (map->name == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MAPPING_RULE,
|
||||
+ NULL);
|
||||
+ if (tmp_str != NULL) {
|
||||
+ map->map_rule = talloc_strdup(map, tmp_str);
|
||||
+ if (map->map_rule == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MATCHING_RULE,
|
||||
+ NULL);
|
||||
+ if (tmp_str != NULL) {
|
||||
+ map->match_rule = talloc_strdup(map, tmp_str);
|
||||
+ if (map->match_rule == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ tmp_uint = ldb_msg_find_attr_as_uint64(msg, SYSDB_CERTMAP_PRIORITY,
|
||||
+ (uint64_t) -1);
|
||||
+ if (tmp_uint != (uint64_t) -1) {
|
||||
+ if (tmp_uint > UINT32_MAX) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Priority value [%lu] too large.\n",
|
||||
+ (unsigned long) tmp_uint);
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ map->priority = (uint32_t) tmp_uint;
|
||||
+ }
|
||||
+
|
||||
+ tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
|
||||
+ if (tmp_el != NULL) {
|
||||
+ num_values = tmp_el->num_values;
|
||||
+ } else {
|
||||
+ num_values = 0;
|
||||
+ }
|
||||
+
|
||||
+ map->domains = talloc_zero_array(map, const char *, num_values + 1);
|
||||
+ if (map->domains == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (d = 0; d < num_values; d++) {
|
||||
+ map->domains[d] = talloc_strndup(map->domains,
|
||||
+ (char *) tmp_el->values[d].data,
|
||||
+ tmp_el->values[d].length);
|
||||
+ if (map->domains[d] == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *certmap = map;
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ if (ret != EOK) {
|
||||
+ talloc_free(map);
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
||||
struct certmap_info ***certmaps, bool *user_name_hint)
|
||||
{
|
||||
size_t c;
|
||||
- size_t d;
|
||||
struct ldb_dn *container_dn = NULL;
|
||||
int ret;
|
||||
struct certmap_info **maps = NULL;
|
||||
TALLOC_CTX *tmp_ctx = NULL;
|
||||
struct ldb_result *res;
|
||||
- const char *tmp_str;
|
||||
- uint64_t tmp_uint;
|
||||
- struct ldb_message_element *tmp_el;
|
||||
const char *attrs[] = {SYSDB_NAME,
|
||||
SYSDB_CERTMAP_PRIORITY,
|
||||
SYSDB_CERTMAP_MATCHING_RULE,
|
||||
@@ -283,7 +383,6 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
||||
NULL};
|
||||
const char *config_attrs[] = {SYSDB_CERTMAP_USER_NAME_HINT,
|
||||
NULL};
|
||||
- size_t num_values;
|
||||
bool hint = false;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
@@ -332,86 +431,12 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
||||
}
|
||||
|
||||
for (c = 0; c < res->count; c++) {
|
||||
- maps[c] = talloc_zero(maps, struct certmap_info);
|
||||
- if (maps[c] == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c], SYSDB_NAME, NULL);
|
||||
- if (tmp_str == NULL) {
|
||||
- DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
|
||||
- ldb_dn_get_linearized(res->msgs[c]->dn));
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- maps[c]->name = talloc_strdup(maps, tmp_str);
|
||||
- if (maps[c]->name == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c],
|
||||
- SYSDB_CERTMAP_MAPPING_RULE, NULL);
|
||||
- if (tmp_str != NULL) {
|
||||
- maps[c]->map_rule = talloc_strdup(maps, tmp_str);
|
||||
- if (maps[c]->map_rule == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c],
|
||||
- SYSDB_CERTMAP_MATCHING_RULE, NULL);
|
||||
- if (tmp_str != NULL) {
|
||||
- maps[c]->match_rule = talloc_strdup(maps, tmp_str);
|
||||
- if (maps[c]->match_rule == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- tmp_uint = ldb_msg_find_attr_as_uint64(res->msgs[c],
|
||||
- SYSDB_CERTMAP_PRIORITY,
|
||||
- (uint64_t) -1);
|
||||
- if (tmp_uint != (uint64_t) -1) {
|
||||
- if (tmp_uint > UINT32_MAX) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Priority value [%lu] too large.\n",
|
||||
- (unsigned long) tmp_uint);
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- maps[c]->priority = (uint32_t) tmp_uint;
|
||||
- }
|
||||
-
|
||||
- tmp_el = ldb_msg_find_element(res->msgs[c], SYSDB_CERTMAP_DOMAINS);
|
||||
- if (tmp_el != NULL) {
|
||||
- num_values = tmp_el->num_values;
|
||||
- } else {
|
||||
- num_values = 0;
|
||||
- }
|
||||
-
|
||||
- maps[c]->domains = talloc_zero_array(maps[c], const char *,
|
||||
- num_values + 1);
|
||||
- if (maps[c]->domains == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
|
||||
- ret = ENOMEM;
|
||||
+ ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], &maps[c]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n");
|
||||
goto done;
|
||||
}
|
||||
-
|
||||
- for (d = 0; d < num_values; d++) {
|
||||
- maps[c]->domains[d] = talloc_strndup(maps[c]->domains,
|
||||
- (char *) tmp_el->values[d].data,
|
||||
- tmp_el->values[d].length);
|
||||
- if (maps[c]->domains[d] == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
}
|
||||
|
||||
ret = EOK;
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,39 @@
|
||||
From d1dd7f7703b4f40d2fbb830e28969b31b8a1673e Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 3 Jul 2018 11:30:07 +0200
|
||||
Subject: [PATCH 22/83] sysdb_ldb_msg_attr_to_certmap_info: set
|
||||
SSS_CERTMAP_MIN_PRIO
|
||||
|
||||
Make sure that priority is always set.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/db/sysdb_certmap.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
|
||||
index e61cc05..0bb7ebc 100644
|
||||
--- a/src/db/sysdb_certmap.c
|
||||
+++ b/src/db/sysdb_certmap.c
|
||||
@@ -22,6 +22,7 @@
|
||||
|
||||
#include "util/util.h"
|
||||
#include "db/sysdb_private.h"
|
||||
+#include "lib/certmap/sss_certmap.h"
|
||||
|
||||
static errno_t sysdb_create_certmap_container(struct sysdb_ctx *sysdb,
|
||||
bool user_name_hint)
|
||||
@@ -327,6 +328,8 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
map->priority = (uint32_t) tmp_uint;
|
||||
+ } else {
|
||||
+ map->priority = SSS_CERTMAP_MIN_PRIO;
|
||||
}
|
||||
|
||||
tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
|
||||
--
|
||||
2.9.5
|
||||
|
140
0018-sysdb-add-attr_map-attribute-to-sysdb_ldb_msg_attr_t.patch
Normal file
140
0018-sysdb-add-attr_map-attribute-to-sysdb_ldb_msg_attr_t.patch
Normal file
@ -0,0 +1,140 @@
|
||||
From 0bf709ad348ca115443bd21e4e369abd5d7698c4 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 29 Jun 2018 18:13:59 +0200
|
||||
Subject: [PATCH 23/83] sysdb: add attr_map attribute to
|
||||
sysdb_ldb_msg_attr_to_certmap_info()
|
||||
|
||||
Allow more flexible attribute mapping in
|
||||
sysdb_ldb_msg_attr_to_certmap_info()
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/db/sysdb.h | 1 +
|
||||
src/db/sysdb_certmap.c | 39 +++++++++++++++++++++++++++++++--------
|
||||
2 files changed, 32 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index cb04e1b..2187947 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -704,6 +704,7 @@ errno_t sysdb_update_certmap(struct sysdb_ctx *sysdb,
|
||||
|
||||
errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
||||
struct ldb_message *msg,
|
||||
+ const char **attr_map,
|
||||
struct certmap_info **certmap);
|
||||
|
||||
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
||||
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
|
||||
index 0bb7ebc..e37f1ba 100644
|
||||
--- a/src/db/sysdb_certmap.c
|
||||
+++ b/src/db/sysdb_certmap.c
|
||||
@@ -263,8 +263,19 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+enum certmap_info_member {
|
||||
+ SSS_CMIM_NAME = 0,
|
||||
+ SSS_CMIM_MAPPING_RULE,
|
||||
+ SSS_CMIM_MATCHING_RULE,
|
||||
+ SSS_CMIM_PRIORITY,
|
||||
+ SSS_CMIM_DOMAINS,
|
||||
+
|
||||
+ SSS_CMIM_SENTINEL
|
||||
+};
|
||||
+
|
||||
errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
||||
struct ldb_message *msg,
|
||||
+ const char **attr_map,
|
||||
struct certmap_info **certmap)
|
||||
{
|
||||
int ret;
|
||||
@@ -275,13 +286,24 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
||||
uint64_t tmp_uint;
|
||||
struct ldb_message_element *tmp_el;
|
||||
|
||||
+ if (msg == NULL || attr_map == NULL || certmap == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid input.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ for (d = 0; d < SSS_CMIM_SENTINEL; d++) {
|
||||
+ if (attr_map[d] == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid attribute map");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
map = talloc_zero(mem_ctx, struct certmap_info);
|
||||
if (map == NULL) {
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
|
||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_NAME], NULL);
|
||||
if (tmp_str == NULL) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
|
||||
ldb_dn_get_linearized(msg->dn));
|
||||
@@ -295,7 +317,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MAPPING_RULE,
|
||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_MAPPING_RULE],
|
||||
NULL);
|
||||
if (tmp_str != NULL) {
|
||||
map->map_rule = talloc_strdup(map, tmp_str);
|
||||
@@ -306,7 +328,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
}
|
||||
|
||||
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MATCHING_RULE,
|
||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_MATCHING_RULE],
|
||||
NULL);
|
||||
if (tmp_str != NULL) {
|
||||
map->match_rule = talloc_strdup(map, tmp_str);
|
||||
@@ -317,7 +339,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
}
|
||||
|
||||
- tmp_uint = ldb_msg_find_attr_as_uint64(msg, SYSDB_CERTMAP_PRIORITY,
|
||||
+ tmp_uint = ldb_msg_find_attr_as_uint64(msg, attr_map[SSS_CMIM_PRIORITY],
|
||||
(uint64_t) -1);
|
||||
if (tmp_uint != (uint64_t) -1) {
|
||||
if (tmp_uint > UINT32_MAX) {
|
||||
@@ -332,7 +354,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
||||
map->priority = SSS_CERTMAP_MIN_PRIO;
|
||||
}
|
||||
|
||||
- tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
|
||||
+ tmp_el = ldb_msg_find_element(msg, attr_map[SSS_CMIM_DOMAINS]);
|
||||
if (tmp_el != NULL) {
|
||||
num_values = tmp_el->num_values;
|
||||
} else {
|
||||
@@ -379,9 +401,9 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
||||
TALLOC_CTX *tmp_ctx = NULL;
|
||||
struct ldb_result *res;
|
||||
const char *attrs[] = {SYSDB_NAME,
|
||||
- SYSDB_CERTMAP_PRIORITY,
|
||||
- SYSDB_CERTMAP_MATCHING_RULE,
|
||||
SYSDB_CERTMAP_MAPPING_RULE,
|
||||
+ SYSDB_CERTMAP_MATCHING_RULE,
|
||||
+ SYSDB_CERTMAP_PRIORITY,
|
||||
SYSDB_CERTMAP_DOMAINS,
|
||||
NULL};
|
||||
const char *config_attrs[] = {SYSDB_CERTMAP_USER_NAME_HINT,
|
||||
@@ -434,7 +456,8 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
||||
}
|
||||
|
||||
for (c = 0; c < res->count; c++) {
|
||||
- ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], &maps[c]);
|
||||
+ ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], attrs,
|
||||
+ &maps[c]);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"sysdb_ldb_msg_attr_to_certmap_info failed.\n");
|
||||
--
|
||||
2.9.5
|
||||
|
167
0019-confdb-add-confdb_certmap_to_sysdb.patch
Normal file
167
0019-confdb-add-confdb_certmap_to_sysdb.patch
Normal file
@ -0,0 +1,167 @@
|
||||
From d9cc38008a51a8a5189904f175e4d10cbde4a974 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 2 Jul 2018 10:38:54 +0200
|
||||
Subject: [PATCH 24/83] confdb: add confdb_certmap_to_sysdb()
|
||||
|
||||
Add a function to write certificate mapping and matching rules from the
|
||||
config database to the cache of a domain.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
src/confdb/confdb.h | 23 +++++++++++++
|
||||
2 files changed, 122 insertions(+)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index 621647e..26415ca 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -2202,3 +2202,102 @@ done:
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
|
||||
+ struct confdb_ctx *cdb,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ struct certmap_info ***_certmap_list)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx = NULL;
|
||||
+ struct ldb_dn *dn = NULL;
|
||||
+ struct ldb_result *res = NULL;
|
||||
+ /* The attributte order is important, because it is used in
|
||||
+ * sysdb_ldb_msg_attr_to_certmap_info and must match
|
||||
+ * enum certmap_info_member. */
|
||||
+ static const char *attrs[] = { CONFDB_CERTMAP_NAME,
|
||||
+ CONFDB_CERTMAP_MAPRULE,
|
||||
+ CONFDB_CERTMAP_MATCHRULE,
|
||||
+ CONFDB_CERTMAP_PRIORITY,
|
||||
+ CONFDB_CERTMAP_DOMAINS,
|
||||
+ NULL};
|
||||
+ struct certmap_info **certmap_list = NULL;
|
||||
+ size_t c;
|
||||
+ int ret;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ dn = ldb_dn_new_fmt(tmp_ctx, cdb->ldb, "cn=%s,%s", dom->name,
|
||||
+ CONFDB_CERTMAP_BASEDN);
|
||||
+ if (dn == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
|
||||
+ attrs, NULL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ certmap_list = talloc_zero_array(tmp_ctx, struct certmap_info *,
|
||||
+ res->count + 1);
|
||||
+ if (certmap_list == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (c = 0; c < res->count; c++) {
|
||||
+ ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
|
||||
+ attrs, &certmap_list[c]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *_certmap_list = talloc_steal(mem_ctx, certmap_list);
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ int ret;
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ struct certmap_info **certmap_list;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = confdb_get_all_certmaps(tmp_ctx, cdb, dom, &certmap_list);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_all_certmaps failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_update_certmap(dom->sysdb, certmap_list, false /* TODO */);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_certmap failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 2266501..2aae93a 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -265,6 +265,15 @@
|
||||
#define CONFDB_KCM_SOCKET "socket_path"
|
||||
#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */
|
||||
|
||||
+/* Certificate mapping rules */
|
||||
+#define CONFDB_CERTMAP_BASEDN "cn=certmap,cn=config"
|
||||
+#define CONFDB_CERTMAP_NAME "cn"
|
||||
+#define CONFDB_CERTMAP_MAPRULE "maprule"
|
||||
+#define CONFDB_CERTMAP_MATCHRULE "matchrule"
|
||||
+#define CONFDB_CERTMAP_DOMAINS "domains"
|
||||
+#define CONFDB_CERTMAP_PRIORITY "priority"
|
||||
+
|
||||
+
|
||||
struct confdb_ctx;
|
||||
struct config_file_ctx;
|
||||
|
||||
@@ -662,6 +671,20 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
|
||||
const char *section,
|
||||
char ***sections,
|
||||
int *num_sections);
|
||||
+
|
||||
+/**
|
||||
+ * @brief Convenience function to write the certificate mapping and matching
|
||||
+ * rules from the configuration database to the cache of a domain
|
||||
+ *
|
||||
+ * @param[in] cdb The connection object to the confdb
|
||||
+ * @param[in] dom Target domain where to rules should be written to
|
||||
+ *
|
||||
+ * @return 0 - Successfully retrieved the entry (or used the default)
|
||||
+ * @return ENOMEM - There was insufficient memory to complete the operation
|
||||
+ * @return EINVAL - Typically internal processing error
|
||||
+ */
|
||||
+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
|
||||
+ struct sss_domain_info *dom);
|
||||
/**
|
||||
* @}
|
||||
*/
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,71 @@
|
||||
From 15301db1dc1e5e2aafc1805a30e3b28756218c9b Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 2 Jul 2018 12:20:53 +0200
|
||||
Subject: [PATCH 25/83] AD/LDAP: read certificate mapping rules from config
|
||||
file
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_init.c | 16 ++++++++++++++++
|
||||
src/providers/ldap/ldap_init.c | 16 ++++++++++++++++
|
||||
2 files changed, 32 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
|
||||
index 637efb7..a908571 100644
|
||||
--- a/src/providers/ad/ad_init.c
|
||||
+++ b/src/providers/ad/ad_init.c
|
||||
@@ -419,6 +419,22 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialize certificate mapping rules. "
|
||||
+ "Authentication with certificates/Smartcards might not work "
|
||||
+ "as expected.\n");
|
||||
+ /* not fatal, ignored */
|
||||
+ }
|
||||
+
|
||||
+ ret = sdap_init_certmap(sdap_id_ctx, sdap_id_ctx);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialized certificate mapping.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
return EOK;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
|
||||
index 44b3e9a..95e6561 100644
|
||||
--- a/src/providers/ldap/ldap_init.c
|
||||
+++ b/src/providers/ldap/ldap_init.c
|
||||
@@ -438,6 +438,22 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx,
|
||||
"[%d]: %s\n", ret, sss_strerror(ret));
|
||||
}
|
||||
|
||||
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialize certificate mapping rules. "
|
||||
+ "Authentication with certificates/Smartcards might not work "
|
||||
+ "as expected.\n");
|
||||
+ /* not fatal, ignored */
|
||||
+ }
|
||||
+
|
||||
+ ret = sdap_init_certmap(id_ctx, id_ctx);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialized certificate mapping.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
return EOK;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,32 @@
|
||||
From 06f7005d38d164879b727708feff80004b422f91 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 3 Jul 2018 11:31:12 +0200
|
||||
Subject: [PATCH 26/83] sysdb: sysdb_certmap_add() handle domains more flexible
|
||||
|
||||
sysdb_ldb_msg_attr_to_certmap_info() creates an empty list if there are
|
||||
no domains defined, sysdb_certmap_add() should be able to handle both a
|
||||
missing or an empty domains list.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/db/sysdb_certmap.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
|
||||
index e37f1ba..0bcc54c 100644
|
||||
--- a/src/db/sysdb_certmap.c
|
||||
+++ b/src/db/sysdb_certmap.c
|
||||
@@ -131,7 +131,7 @@ static errno_t sysdb_certmap_add(struct sysdb_ctx *sysdb,
|
||||
}
|
||||
}
|
||||
|
||||
- if (certmap->domains != NULL) {
|
||||
+ if (certmap->domains != NULL && certmap->domains[0] != NULL) {
|
||||
for (c = 0; certmap->domains[c] != NULL; c++);
|
||||
el = talloc_zero(tmp_ctx, struct ldb_message_element);
|
||||
if (el == NULL) {
|
||||
--
|
||||
2.9.5
|
||||
|
131
0022-confdb-add-special-handling-for-rules-for-the-files-.patch
Normal file
131
0022-confdb-add-special-handling-for-rules-for-the-files-.patch
Normal file
@ -0,0 +1,131 @@
|
||||
From 9386ef605ffbc03abe2bc273efddbc099441fe3b Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 6 Jul 2018 15:17:10 +0200
|
||||
Subject: [PATCH 27/83] confdb: add special handling for rules for the files
|
||||
provider
|
||||
|
||||
To make the configuration more simple there are some special assumption
|
||||
for local users, i.e. user managed by the files provider.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 59 ++++++++++++++++++++++++++++++++++++++++
|
||||
src/confdb/confdb.h | 1 +
|
||||
src/providers/files/files_init.c | 10 +++++++
|
||||
3 files changed, 70 insertions(+)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index 26415ca..954c3ba 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -2203,6 +2203,56 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static errno_t certmap_local_check(struct ldb_message *msg)
|
||||
+{
|
||||
+ const char *rule_name;
|
||||
+ const char *tmp_str;
|
||||
+ int ret;
|
||||
+
|
||||
+ rule_name = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_NAME, NULL);
|
||||
+ if (rule_name == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certficate mapping rule [%s] has no name.",
|
||||
+ ldb_dn_get_linearized(msg->dn));
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_DOMAINS, NULL);
|
||||
+ if (tmp_str != NULL) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "Option [%s] is ignored for local certmap rules.\n",
|
||||
+ CONFDB_CERTMAP_DOMAINS);
|
||||
+ }
|
||||
+
|
||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_MAPRULE, NULL);
|
||||
+ if (tmp_str != NULL) {
|
||||
+ if (tmp_str[0] != '(' || tmp_str[strlen(tmp_str) - 1] != ')') {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "Mapping rule must be in braces (...).\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] mapping rule of [%s].\n",
|
||||
+ tmp_str, ldb_dn_get_linearized(msg->dn));
|
||||
+ return EOK;
|
||||
+ }
|
||||
+
|
||||
+ tmp_str = talloc_asprintf(msg, "(%s)", rule_name);
|
||||
+ if (tmp_str == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ ret = ldb_msg_add_string(msg, CONFDB_CERTMAP_MAPRULE, tmp_str);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ talloc_free(discard_const(tmp_str));
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n");
|
||||
+ return EIO;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] as mapping rule for [%s].\n",
|
||||
+ tmp_str, ldb_dn_get_linearized(msg->dn));
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
|
||||
struct confdb_ctx *cdb,
|
||||
struct sss_domain_info *dom,
|
||||
@@ -2251,6 +2301,15 @@ static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
for (c = 0; c < res->count; c++) {
|
||||
+ if (is_files_provider(dom)) {
|
||||
+ ret = certmap_local_check(res->msgs[c]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "Invalid certificate mapping [%s] for local user, "
|
||||
+ "ignored.\n", ldb_dn_get_linearized(res->msgs[c]->dn));
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
|
||||
attrs, &certmap_list[c]);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 2aae93a..625d156 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -685,6 +685,7 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
|
||||
*/
|
||||
int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
|
||||
struct sss_domain_info *dom);
|
||||
+
|
||||
/**
|
||||
* @}
|
||||
*/
|
||||
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
|
||||
index 746c04a..c793bed 100644
|
||||
--- a/src/providers/files/files_init.c
|
||||
+++ b/src/providers/files/files_init.c
|
||||
@@ -189,6 +189,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to initialize certificate mapping rules. "
|
||||
+ "Authentication with certificates/Smartcards might not work "
|
||||
+ "as expected.\n");
|
||||
+ /* not fatal, ignored */
|
||||
+ }
|
||||
+
|
||||
+
|
||||
*_module_data = ctx;
|
||||
ret = EOK;
|
||||
done:
|
||||
--
|
||||
2.9.5
|
||||
|
414
0023-files-add-support-for-Smartcard-authentication.patch
Normal file
414
0023-files-add-support-for-Smartcard-authentication.patch
Normal file
@ -0,0 +1,414 @@
|
||||
From 275eeed24adc31f3df51cf278f509a4be76a3a3c Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 9 Jul 2018 18:37:46 +0200
|
||||
Subject: [PATCH 28/83] files: add support for Smartcard authentication
|
||||
|
||||
To support certificate based authentication the files provider must be
|
||||
able to map a certificate to a user during a BE_REQ_BY_CERT request.
|
||||
|
||||
Additionally the authentication request should be handled by the PAM
|
||||
responder code which is responsible for the local Smartcard
|
||||
authentication. To be consistent with the other backend an authentication
|
||||
handler is added to the files provider which unconditionally returns the
|
||||
offline error code telling the PAM responder to handle the
|
||||
authentication if it has access to the needed credentials.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
Makefile.am | 2 +
|
||||
src/providers/files/files_auth.c | 69 +++++++++++++
|
||||
src/providers/files/files_certmap.c | 186 ++++++++++++++++++++++++++++++++++++
|
||||
src/providers/files/files_id.c | 20 ++++
|
||||
src/providers/files/files_init.c | 21 +++-
|
||||
src/providers/files/files_private.h | 17 ++++
|
||||
6 files changed, 314 insertions(+), 1 deletion(-)
|
||||
create mode 100644 src/providers/files/files_auth.c
|
||||
create mode 100644 src/providers/files/files_certmap.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index deb9ce3..3667856 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -4285,6 +4285,8 @@ libsss_proxy_la_LDFLAGS = \
|
||||
libsss_files_la_SOURCES = \
|
||||
src/providers/files/files_init.c \
|
||||
src/providers/files/files_id.c \
|
||||
+ src/providers/files/files_auth.c \
|
||||
+ src/providers/files/files_certmap.c \
|
||||
src/providers/files/files_ops.c \
|
||||
src/util/inotify.c \
|
||||
$(NULL)
|
||||
diff --git a/src/providers/files/files_auth.c b/src/providers/files/files_auth.c
|
||||
new file mode 100644
|
||||
index 0000000..b71de69
|
||||
--- /dev/null
|
||||
+++ b/src/providers/files/files_auth.c
|
||||
@@ -0,0 +1,69 @@
|
||||
+/*
|
||||
+ SSSD
|
||||
+
|
||||
+ files_auth.c - PAM operations on the files provider
|
||||
+
|
||||
+ Copyright (C) 2018 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include <security/pam_modules.h>
|
||||
+
|
||||
+#include "providers/data_provider/dp.h"
|
||||
+#include "providers/data_provider.h"
|
||||
+#include "providers/files/files_private.h"
|
||||
+#include "util/cert.h"
|
||||
+
|
||||
+struct files_auth_ctx {
|
||||
+ struct pam_data *pd;
|
||||
+};
|
||||
+
|
||||
+struct tevent_req *
|
||||
+files_auth_handler_send(TALLOC_CTX *mem_ctx,
|
||||
+ void *unused,
|
||||
+ struct pam_data *pd,
|
||||
+ struct dp_req_params *params)
|
||||
+{
|
||||
+ struct files_auth_ctx *state;
|
||||
+ struct tevent_req *req;
|
||||
+
|
||||
+ req = tevent_req_create(mem_ctx, &state, struct files_auth_ctx);
|
||||
+ if (req == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ state->pd = pd;
|
||||
+ state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
||||
+
|
||||
+ tevent_req_done(req);
|
||||
+ tevent_req_post(req, params->ev);
|
||||
+ return req;
|
||||
+}
|
||||
+
|
||||
+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_req *req,
|
||||
+ struct pam_data **_data)
|
||||
+{
|
||||
+ struct files_auth_ctx *state = NULL;
|
||||
+
|
||||
+ state = tevent_req_data(req, struct files_auth_ctx);
|
||||
+
|
||||
+ TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||
+
|
||||
+ *_data = talloc_steal(mem_ctx, state->pd);
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
diff --git a/src/providers/files/files_certmap.c b/src/providers/files/files_certmap.c
|
||||
new file mode 100644
|
||||
index 0000000..7d90a1f
|
||||
--- /dev/null
|
||||
+++ b/src/providers/files/files_certmap.c
|
||||
@@ -0,0 +1,186 @@
|
||||
+/*
|
||||
+ SSSD
|
||||
+
|
||||
+ files_init.c - Initialization of the files provider
|
||||
+
|
||||
+ Copyright (C) 2018 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include "providers/files/files_private.h"
|
||||
+#include "util/util.h"
|
||||
+#include "util/cert.h"
|
||||
+#include "lib/certmap/sss_certmap.h"
|
||||
+
|
||||
+struct priv_sss_debug {
|
||||
+ int level;
|
||||
+};
|
||||
+
|
||||
+static void ext_debug(void *private, const char *file, long line,
|
||||
+ const char *function, const char *format, ...)
|
||||
+{
|
||||
+ va_list ap;
|
||||
+ struct priv_sss_debug *data = private;
|
||||
+ int level = SSSDBG_OP_FAILURE;
|
||||
+
|
||||
+ if (data != NULL) {
|
||||
+ level = data->level;
|
||||
+ }
|
||||
+
|
||||
+ if (DEBUG_IS_SET(level)) {
|
||||
+ va_start(ap, format);
|
||||
+ sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED,
|
||||
+ format, ap);
|
||||
+ va_end(ap);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx)
|
||||
+{
|
||||
+ int ret;
|
||||
+ bool hint;
|
||||
+ struct certmap_info **certmap_list = NULL;
|
||||
+ size_t c;
|
||||
+
|
||||
+ ret = sysdb_get_certmap(mem_ctx, id_ctx->be->domain->sysdb,
|
||||
+ &certmap_list, &hint);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (certmap_list == NULL || *certmap_list == NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "No certmap data, nothing to do.\n");
|
||||
+ ret = EOK;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_certmap_init(mem_ctx, ext_debug, NULL, &id_ctx->sss_certmap_ctx);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (c = 0; certmap_list[c] != NULL; c++) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n",
|
||||
+ certmap_list[c]->name,
|
||||
+ certmap_list[c]->priority,
|
||||
+ certmap_list[c]->match_rule,
|
||||
+ certmap_list[c]->map_rule);
|
||||
+
|
||||
+ ret = sss_certmap_add_rule(id_ctx->sss_certmap_ctx,
|
||||
+ certmap_list[c]->priority,
|
||||
+ certmap_list[c]->match_rule,
|
||||
+ certmap_list[c]->map_rule,
|
||||
+ certmap_list[c]->domains);
|
||||
+ if (ret != 0) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "sss_certmap_add_rule failed for rule [%s] "
|
||||
+ "with error [%d][%s], skipping. "
|
||||
+ "Please check for typos and if rule syntax is supported.\n",
|
||||
+ certmap_list[c]->name, ret, sss_strerror(ret));
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(certmap_list);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx,
|
||||
+ struct dp_id_data *data)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ char *filter;
|
||||
+ char *user;
|
||||
+ struct ldb_message *msg = NULL;
|
||||
+ struct sysdb_attrs *attrs = NULL;
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_cert_derb64_to_ldap_filter(tmp_ctx, data->filter_value, "",
|
||||
+ id_ctx->sss_certmap_ctx,
|
||||
+ id_ctx->domain, &filter);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sss_cert_derb64_to_ldap_filter failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ if (filter == NULL || filter[0] != '('
|
||||
+ || filter[strlen(filter) - 1] != ')') {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sss_cert_derb64_to_ldap_filter returned bad filter [%s].\n",
|
||||
+ filter);
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ filter[strlen(filter) - 1] = '\0';
|
||||
+ user = sss_create_internal_fqname(tmp_ctx, &filter[1],
|
||||
+ id_ctx->domain->name);
|
||||
+ if (user == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapped to user: [%s].\n", user);
|
||||
+
|
||||
+ ret = sysdb_search_user_by_name(tmp_ctx, id_ctx->domain, user, NULL, &msg);
|
||||
+ if (ret == EOK) {
|
||||
+ attrs = sysdb_new_attrs(tmp_ctx);
|
||||
+ if (attrs == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_MAPPED_CERT,
|
||||
+ data->filter_value);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_set_entry_attr(id_ctx->domain->sysdb, msg->dn, attrs,
|
||||
+ SYSDB_MOD_ADD);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ } else if (ret == ENOENT) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Mapped user [%s] not found.\n", user);
|
||||
+ ret = EOK;
|
||||
+ goto done;
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/src/providers/files/files_id.c b/src/providers/files/files_id.c
|
||||
index 41314c6..f6f8c73 100644
|
||||
--- a/src/providers/files/files_id.c
|
||||
+++ b/src/providers/files/files_id.c
|
||||
@@ -87,6 +87,26 @@ files_account_info_handler_send(TALLOC_CTX *mem_ctx,
|
||||
? true \
|
||||
: false;
|
||||
break;
|
||||
+ case BE_REQ_BY_CERT:
|
||||
+ if (data->filter_type != BE_FILTER_CERT) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Unexpected filter type for lookup by cert: %d\n",
|
||||
+ data->filter_type);
|
||||
+ ret = EINVAL;
|
||||
+ goto immediate;
|
||||
+ }
|
||||
+ if (id_ctx->sss_certmap_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapping not configured.\n");
|
||||
+ ret = EOK;
|
||||
+ goto immediate;
|
||||
+ }
|
||||
+
|
||||
+ ret = files_map_cert_to_user(id_ctx, data);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "files_map_cert_to_user failed");
|
||||
+ }
|
||||
+ goto immediate;
|
||||
+ break;
|
||||
default:
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Unexpected entry type: %d\n", data->entry_type & BE_REQ_TYPE_MASK);
|
||||
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
|
||||
index c793bed..1ce4bcf 100644
|
||||
--- a/src/providers/files/files_init.c
|
||||
+++ b/src/providers/files/files_init.c
|
||||
@@ -196,9 +196,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
|
||||
"Authentication with certificates/Smartcards might not work "
|
||||
"as expected.\n");
|
||||
/* not fatal, ignored */
|
||||
+ } else {
|
||||
+ ret = files_init_certmap(ctx, ctx);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "files_init_certmap failed. "
|
||||
+ "Authentication with certificates/Smartcards might not work "
|
||||
+ "as expected.\n");
|
||||
+ /* not fatal, ignored */
|
||||
+ }
|
||||
}
|
||||
|
||||
-
|
||||
*_module_data = ctx;
|
||||
ret = EOK;
|
||||
done:
|
||||
@@ -234,3 +241,15 @@ int sssm_files_id_init(TALLOC_CTX *mem_ctx,
|
||||
|
||||
return EOK;
|
||||
}
|
||||
+
|
||||
+int sssm_files_auth_init(TALLOC_CTX *mem_ctx,
|
||||
+ struct be_ctx *be_ctx,
|
||||
+ void *module_data,
|
||||
+ struct dp_method *dp_methods)
|
||||
+{
|
||||
+ dp_set_method(dp_methods, DPM_AUTH_HANDLER,
|
||||
+ files_auth_handler_send, files_auth_handler_recv, NULL, void,
|
||||
+ struct pam_data, struct pam_data *);
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
diff --git a/src/providers/files/files_private.h b/src/providers/files/files_private.h
|
||||
index f44e6d4..fd17819 100644
|
||||
--- a/src/providers/files/files_private.h
|
||||
+++ b/src/providers/files/files_private.h
|
||||
@@ -38,6 +38,7 @@ struct files_id_ctx {
|
||||
struct be_ctx *be;
|
||||
struct sss_domain_info *domain;
|
||||
struct files_ctx *fctx;
|
||||
+ struct sss_certmap_ctx *sss_certmap_ctx;
|
||||
|
||||
const char **passwd_files;
|
||||
const char **group_files;
|
||||
@@ -71,4 +72,20 @@ errno_t files_account_info_handler_recv(TALLOC_CTX *mem_ctx,
|
||||
void files_account_info_finished(struct files_id_ctx *id_ctx,
|
||||
int req_type,
|
||||
errno_t ret);
|
||||
+
|
||||
+/* files_auth.c */
|
||||
+struct tevent_req *files_auth_handler_send(TALLOC_CTX *mem_ctx,
|
||||
+ void *unused,
|
||||
+ struct pam_data *pd,
|
||||
+ struct dp_req_params *params);
|
||||
+
|
||||
+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_req *req,
|
||||
+ struct pam_data **_data);
|
||||
+
|
||||
+/* files_certmap.c */
|
||||
+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx);
|
||||
+
|
||||
+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx,
|
||||
+ struct dp_id_data *data);
|
||||
#endif /* __FILES_PRIVATE_H_ */
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,68 @@
|
||||
From 9fdc5f1d87a133885e6a22810a7eb980c60dcb55 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 9 Jul 2018 18:45:21 +0200
|
||||
Subject: [PATCH 29/83] responder: make sure SSS_DP_CERT is passed to files
|
||||
provider
|
||||
|
||||
Currently the files provider is only contacted once in a while to update
|
||||
the full cache with fresh data from the passwd file. To allow rule based
|
||||
certificate mapping the lookup by certificate request must be always
|
||||
send to the file provider so that it can evaluate the rules and add the
|
||||
certificate to cached entry of the matching user.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/common/responder_dp.c | 20 +++++++++++++-------
|
||||
1 file changed, 13 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
||||
index 878aa1d..39f0f20 100644
|
||||
--- a/src/responder/common/responder_dp.c
|
||||
+++ b/src/responder/common/responder_dp.c
|
||||
@@ -34,15 +34,17 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
|
||||
enum sss_dp_acct_type *_type_out,
|
||||
const char **_opt_name_out)
|
||||
{
|
||||
- if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
|
||||
+ if (type_in != SSS_DP_CERT) {
|
||||
+ if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
+ "The entries in the files domain are up-to-date\n");
|
||||
+ return EOK;
|
||||
+ }
|
||||
+
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
- "The entries in the files domain are up-to-date\n");
|
||||
- return EOK;
|
||||
+ "Domain files is not consistent, issuing update\n");
|
||||
}
|
||||
|
||||
- DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
- "Domain files is not consistent, issuing update\n");
|
||||
-
|
||||
switch(type_in) {
|
||||
case SSS_DP_USER:
|
||||
case SSS_DP_GROUP:
|
||||
@@ -56,12 +58,16 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
|
||||
*_type_out = type_in;
|
||||
*_opt_name_out = DP_REQ_OPT_FILES_INITGR;
|
||||
return EAGAIN;
|
||||
+ case SSS_DP_CERT:
|
||||
+ /* Let the backend handle certificate mapping for local users */
|
||||
+ *_type_out = type_in;
|
||||
+ *_opt_name_out = opt_name_in;
|
||||
+ return EAGAIN;
|
||||
/* These are not handled by the files provider, just fall back */
|
||||
case SSS_DP_NETGR:
|
||||
case SSS_DP_SERVICES:
|
||||
case SSS_DP_SECID:
|
||||
case SSS_DP_USER_AND_GROUP:
|
||||
- case SSS_DP_CERT:
|
||||
case SSS_DP_WILDCARD_USER:
|
||||
case SSS_DP_WILDCARD_GROUP:
|
||||
return EOK;
|
||||
--
|
||||
2.9.5
|
||||
|
166
0025-PAM-add-certificate-matching-rules-from-all-domains.patch
Normal file
166
0025-PAM-add-certificate-matching-rules-from-all-domains.patch
Normal file
@ -0,0 +1,166 @@
|
||||
From d42f44d54453d3ddb54875374c1b61dc1e7cd821 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 9 Jul 2018 18:56:26 +0200
|
||||
Subject: [PATCH 30/83] PAM: add certificate matching rules from all domains
|
||||
|
||||
Currently the PAM responder only reads the certificate mapping and
|
||||
matching rules from the first domain. To support Smartcard
|
||||
authentication for local and remote users all configured domains must be
|
||||
taken into account.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/pam/pamsrv.h | 2 +-
|
||||
src/responder/pam/pamsrv_cmd.c | 2 +-
|
||||
src/responder/pam/pamsrv_p11.c | 77 +++++++++++++++++++++++++++---------------
|
||||
3 files changed, 51 insertions(+), 30 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index d189ccc..5d87756 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -114,7 +114,7 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
||||
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
|
||||
|
||||
errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
|
||||
- struct certmap_info **certmap_list);
|
||||
+ struct sss_domain_info *domains);
|
||||
|
||||
errno_t
|
||||
pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index a6bb289..ed9ad57 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1737,7 +1737,7 @@ static void pam_forwarder_cb(struct tevent_req *req)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains->certmaps);
|
||||
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"p11_refresh_certmap_ctx failed, "
|
||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
||||
index bf72207..ffa6787 100644
|
||||
--- a/src/responder/pam/pamsrv_p11.c
|
||||
+++ b/src/responder/pam/pamsrv_p11.c
|
||||
@@ -142,11 +142,14 @@ static void ext_debug(void *private, const char *file, long line,
|
||||
}
|
||||
|
||||
errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
|
||||
- struct certmap_info **certmap_list)
|
||||
+ struct sss_domain_info *domains)
|
||||
{
|
||||
int ret;
|
||||
struct sss_certmap_ctx *sss_certmap_ctx = NULL;
|
||||
size_t c;
|
||||
+ struct sss_domain_info *dom;
|
||||
+ bool certmap_found = false;
|
||||
+ struct certmap_info **certmap_list;
|
||||
|
||||
ret = sss_certmap_init(pctx, ext_debug, NULL, &sss_certmap_ctx);
|
||||
if (ret != EOK) {
|
||||
@@ -154,7 +157,15 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- if (certmap_list == NULL || *certmap_list == NULL) {
|
||||
+ DLIST_FOR_EACH(dom, domains) {
|
||||
+ certmap_list = dom->certmaps;
|
||||
+ if (certmap_list != NULL && *certmap_list != NULL) {
|
||||
+ certmap_found = true;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!certmap_found) {
|
||||
/* Try to add default matching rule */
|
||||
ret = sss_certmap_add_rule(sss_certmap_ctx, SSS_CERTMAP_MIN_PRIO,
|
||||
CERT_AUTH_DEFAULT_MATCHING_RULE, NULL, NULL);
|
||||
@@ -166,24 +177,32 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- for (c = 0; certmap_list[c] != NULL; c++) {
|
||||
- DEBUG(SSSDBG_TRACE_ALL,
|
||||
- "Trying to add rule [%s][%d][%s][%s].\n",
|
||||
- certmap_list[c]->name, certmap_list[c]->priority,
|
||||
- certmap_list[c]->match_rule, certmap_list[c]->map_rule);
|
||||
-
|
||||
- ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority,
|
||||
- certmap_list[c]->match_rule,
|
||||
- certmap_list[c]->map_rule,
|
||||
- certmap_list[c]->domains);
|
||||
- if (ret != 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "sss_certmap_add_rule failed for rule [%s] "
|
||||
- "with error [%d][%s], skipping. "
|
||||
- "Please check for typos and if rule syntax is supported.\n",
|
||||
- certmap_list[c]->name, ret, sss_strerror(ret));
|
||||
+ DLIST_FOR_EACH(dom, domains) {
|
||||
+ certmap_list = dom->certmaps;
|
||||
+ if (certmap_list == NULL || *certmap_list == NULL) {
|
||||
continue;
|
||||
}
|
||||
+
|
||||
+ for (c = 0; certmap_list[c] != NULL; c++) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
||||
+ "Trying to add rule [%s][%d][%s][%s].\n",
|
||||
+ certmap_list[c]->name, certmap_list[c]->priority,
|
||||
+ certmap_list[c]->match_rule, certmap_list[c]->map_rule);
|
||||
+
|
||||
+ ret = sss_certmap_add_rule(sss_certmap_ctx,
|
||||
+ certmap_list[c]->priority,
|
||||
+ certmap_list[c]->match_rule,
|
||||
+ certmap_list[c]->map_rule,
|
||||
+ certmap_list[c]->domains);
|
||||
+ if (ret != 0) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "sss_certmap_add_rule failed for rule [%s] "
|
||||
+ "with error [%d][%s], skipping. "
|
||||
+ "Please check for typos and if rule syntax is supported.\n",
|
||||
+ certmap_list[c]->name, ret, sss_strerror(ret));
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
ret = EOK;
|
||||
@@ -204,19 +223,21 @@ errno_t p11_child_init(struct pam_ctx *pctx)
|
||||
int ret;
|
||||
struct certmap_info **certmaps;
|
||||
bool user_name_hint;
|
||||
- struct sss_domain_info *dom = pctx->rctx->domains;
|
||||
+ struct sss_domain_info *dom;
|
||||
|
||||
- ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
|
||||
- return ret;
|
||||
- }
|
||||
+ DLIST_FOR_EACH(dom, pctx->rctx->domains) {
|
||||
+ ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
|
||||
- dom->user_name_hint = user_name_hint;
|
||||
- talloc_free(dom->certmaps);
|
||||
- dom->certmaps = certmaps;
|
||||
+ dom->user_name_hint = user_name_hint;
|
||||
+ talloc_free(dom->certmaps);
|
||||
+ dom->certmaps = certmaps;
|
||||
+ }
|
||||
|
||||
- ret = p11_refresh_certmap_ctx(pctx, dom->certmaps);
|
||||
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
|
||||
return ret;
|
||||
--
|
||||
2.9.5
|
||||
|
182
0026-doc-add-certificate-mapping-section-to-man-page.patch
Normal file
182
0026-doc-add-certificate-mapping-section-to-man-page.patch
Normal file
@ -0,0 +1,182 @@
|
||||
From 0c739e969a617bdb4c06cdfd63772bf6d283c518 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 3 Sep 2018 18:38:42 +0200
|
||||
Subject: [PATCH 31/83] doc: add certificate mapping section to man page
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/man/sssd.conf.5.xml | 149 ++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 149 insertions(+)
|
||||
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 881ffc6..04143f1 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -3299,6 +3299,135 @@ ldap_user_extra_attrs = phone:telephoneNumber
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
+ <refsect1 id='certmap'>
|
||||
+ <title>CERTIFICATE MAPPING SECTION</title>
|
||||
+ <para>
|
||||
+ To allow authentication with Smartcards and certificates SSSD must
|
||||
+ be able to map certificates to users. This can be done by adding the
|
||||
+ full certificate to the LDAP object of the user or to a local
|
||||
+ override. While using the full certificate is required to use the
|
||||
+ Smartcard authentication feature of SSH (see
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sss_ssh_authorizedkeys</refentrytitle>
|
||||
+ <manvolnum>8</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ for details) it might be cumbersome or not even possible to do this
|
||||
+ for the general case where local services use PAM for
|
||||
+ authentication.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ To make the mapping more flexible mapping and matching rules were
|
||||
+ added to SSSD (see
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sss-certmap</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ for details).
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ A mapping and matching rule can be added to the SSSD configuration
|
||||
+ in a section on its own with a name like
|
||||
+ <quote>[certmap/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</replaceable>]</quote>.
|
||||
+ In this section the following options are allowed:
|
||||
+ </para>
|
||||
+ <variablelist>
|
||||
+ <varlistentry>
|
||||
+ <term>matchrule (string)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Only certificates from the Smartcard which matches this
|
||||
+ rule will be processed, all others are ignored.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: KRB5:<EKU>clientAuth, i.e. only
|
||||
+ certificates which have the Extended Key Usage
|
||||
+ <quote>clientAuth</quote>
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>maprule (string)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Defines how the user is found for a given certificate.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default:
|
||||
+ <itemizedlist>
|
||||
+ <listitem>
|
||||
+ <para>LDAP:(userCertificate;binary={cert!bin})
|
||||
+ for LDAP based providers like
|
||||
+ <quote>ldap</quote>, <quote>AD</quote> or
|
||||
+ <quote>ipa</quote>.</para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>The RULE_NAME for the <quote>files</quote>
|
||||
+ provider which tries to find a user with the
|
||||
+ same name.</para>
|
||||
+ </listitem>
|
||||
+ </itemizedlist>
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>domains (string)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Comma separated list of domain names the rule should be
|
||||
+ applied. By default a rule is only valid in the domain
|
||||
+ configured in sssd.conf. If the provider supports
|
||||
+ subdomains this option can be used to add the rule to
|
||||
+ subdomains as well.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: the configured domain in sssd.conf
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>priority (integer)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Unsigned integer value defining the priority of the
|
||||
+ rule. The higher the number the lower the priority.
|
||||
+ <quote>0</quote> stands for the highest priority while
|
||||
+ <quote>4294967295</quote> is the lowest.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: the lowest priority
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+ <para>
|
||||
+ To make the configuration simple and reduce the amount of
|
||||
+ configuration options the <quote>files</quote> provider has some
|
||||
+ special properties:
|
||||
+ <itemizedlist>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ if maprule is not set the RULE_NAME name is assumed to
|
||||
+ be the name of the matching user
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ if a maprule is used both a single user name or a
|
||||
+ template like
|
||||
+ <quote>{subject_rfc822_name.short_name}</quote> must
|
||||
+ be in braces like e.g. <quote>(username)</quote> or
|
||||
+ <quote>({subject_rfc822_name.short_name})</quote>
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ the <quote>domains</quote> option is ignored
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </itemizedlist>
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
<refsect1 id='example'>
|
||||
<title>EXAMPLES</title>
|
||||
<para>
|
||||
@@ -3343,6 +3472,26 @@ enumerate = False
|
||||
use_fully_qualified_names = false
|
||||
</programlisting>
|
||||
</para>
|
||||
+ <para>
|
||||
+ 3. The following example shows the configuration for two certificate
|
||||
+ mapping rules. The first is valid for the configured domain
|
||||
+ <quote>my.domain</quote> and additionally for the subdomains
|
||||
+ <quote>your.domain</quote> and uses the full certificate in the
|
||||
+ search filter. The second example is valid for the domain
|
||||
+ <quote>files</quote> where it is assumed the files provider is used
|
||||
+ for this domain and contains a matching rule for the local user
|
||||
+ <quote>myname</quote>.
|
||||
+<programlisting>
|
||||
+[certmap/my.domain/rule_name]
|
||||
+matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
|
||||
+maprule = (userCertificate;binary={cert!bin})
|
||||
+domains = my.domain, your.domain
|
||||
+priority = 10
|
||||
+
|
||||
+[certmap/files/myname]
|
||||
+matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
|
||||
+</programlisting>
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
|
||||
--
|
||||
2.9.5
|
||||
|
30
0027-intg-user-default-locale.patch
Normal file
30
0027-intg-user-default-locale.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From 16941c47a6f0fc2f1679725d55cde221f3c3a6ef Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 7 Sep 2018 22:12:02 +0200
|
||||
Subject: [PATCH 32/83] intg: user default locale
|
||||
|
||||
Some checks depend on english error messages so checks should be always
|
||||
run with the default locale.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/intg/Makefile.am | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index 65da9ca..6f7605b 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -126,6 +126,7 @@ intgcheck-installed: config.py passwd group
|
||||
PATH="$$(dirname -- $(SLAPD)):$$PATH" \
|
||||
PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \
|
||||
PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \
|
||||
+ LANG=C \
|
||||
PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \
|
||||
LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
|
||||
NON_WRAPPED_UID=$$(id -u) \
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,34 @@
|
||||
From 442ae7b1d0704cdd667d4f1ba4c165ce3f3ffed4 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 7 Sep 2018 22:16:50 +0200
|
||||
Subject: [PATCH 33/83] PAM: use better PAM error code for failed Smartcard
|
||||
authentication
|
||||
|
||||
If the user enters a wrong PIN the PAM responder currently returns
|
||||
PAM_USER_UNKNOWN better is PAM_AUTH_ERR.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/pam/pamsrv_cmd.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index ed9ad57..817f3c5 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1436,7 +1436,9 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
|
||||
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"No certificate returned, authentication failed.\n");
|
||||
- ret = ENOENT;
|
||||
+ preq->pd->pam_status = PAM_AUTH_ERR;
|
||||
+ pam_reply(preq);
|
||||
+ return;
|
||||
} else {
|
||||
ret = pam_check_user_search(preq);
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
31
0029-test_ca-test-library-only-for-readable.patch
Normal file
31
0029-test_ca-test-library-only-for-readable.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 91aea762d02731193eb66a00b930ff1fe8bc5ab8 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 10 Sep 2018 22:03:55 +0200
|
||||
Subject: [PATCH 34/83] test_ca: test library only for readable
|
||||
|
||||
On Debian libraries typically do not have the execute-bit set so it is
|
||||
better to only check for readability.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/external/test_ca.m4 | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
|
||||
index 2cdb3c7..bb48726 100644
|
||||
--- a/src/external/test_ca.m4
|
||||
+++ b/src/external/test_ca.m4
|
||||
@@ -58,7 +58,7 @@ AC_DEFUN([AM_CHECK_TEST_CA],
|
||||
AC_MSG_NOTICE([Could not find p11tool])
|
||||
fi
|
||||
|
||||
- AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"])
|
||||
+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -r "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"])
|
||||
fi
|
||||
|
||||
AM_COND_IF([BUILD_TEST_CA],
|
||||
--
|
||||
2.9.5
|
||||
|
57
0030-test_ca-set-a-password-PIN-to-nss-databases.patch
Normal file
57
0030-test_ca-set-a-password-PIN-to-nss-databases.patch
Normal file
@ -0,0 +1,57 @@
|
||||
From a45a410dc7fa7cf84bcac541e693ee8781e25431 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 7 Sep 2018 22:17:47 +0200
|
||||
Subject: [PATCH 35/83] test_ca: set a password/PIN to nss databases
|
||||
|
||||
To make sure the PIN is properly checked during tests the NSS databases
|
||||
need a password.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/test_CA/Makefile.am | 16 ++++++++--------
|
||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
|
||||
index 0c70993..1bce2c3 100644
|
||||
--- a/src/tests/test_CA/Makefile.am
|
||||
+++ b/src/tests/test_CA/Makefile.am
|
||||
@@ -33,7 +33,7 @@ endif
|
||||
ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(extra)
|
||||
|
||||
$(pwdfile):
|
||||
- @echo "12345678" > $@
|
||||
+ @echo "123456" > $@
|
||||
|
||||
SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
|
||||
$(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
|
||||
@@ -65,18 +65,18 @@ SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub
|
||||
# - src/tests/cmocka/test_pam_srv.c
|
||||
p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile)
|
||||
mkdir $@
|
||||
- $(CERTUTIL) -d sql:./$@ -N --empty-password
|
||||
- $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
|
||||
- $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
|
||||
+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile)
|
||||
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -f $(pwdfile)
|
||||
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile)
|
||||
|
||||
# This nss db is used in
|
||||
# - src/tests/cmocka/test_pam_srv.c
|
||||
p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile)
|
||||
mkdir $@
|
||||
- $(CERTUTIL) -d sql:./$@ -N --empty-password
|
||||
- $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
|
||||
- $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
|
||||
- $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile)
|
||||
+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile)
|
||||
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -f $(pwdfile)
|
||||
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile)
|
||||
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile) -k $(pwdfile)
|
||||
|
||||
# The softhsm2 PKCS#11 setups are used in
|
||||
# - src/tests/cmocka/test_pam_srv.c
|
||||
--
|
||||
2.9.5
|
||||
|
78
0031-getsockopt_wrapper-add-support-for-PAM-clients.patch
Normal file
78
0031-getsockopt_wrapper-add-support-for-PAM-clients.patch
Normal file
@ -0,0 +1,78 @@
|
||||
From d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 7 Sep 2018 22:19:26 +0200
|
||||
Subject: [PATCH 36/83] getsockopt_wrapper: add support for PAM clients
|
||||
|
||||
PAM clients expect that the private socket of the PAM responder is
|
||||
handled by root. With this patch getsockopt_wrapper can return the
|
||||
expected UID and GID to PAM clients.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 34 insertions(+)
|
||||
|
||||
diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
|
||||
index 5109123..2f50889 100644
|
||||
--- a/src/tests/intg/getsockopt_wrapper.c
|
||||
+++ b/src/tests/intg/getsockopt_wrapper.c
|
||||
@@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd)
|
||||
return NULL != strstr(unix_socket->sun_path, "secrets.socket");
|
||||
}
|
||||
|
||||
+static bool peer_is_private_pam(int fd)
|
||||
+{
|
||||
+ int ret;
|
||||
+ struct sockaddr_storage addr = { 0 };
|
||||
+ socklen_t addrlen = sizeof(addr);
|
||||
+ struct sockaddr_un *unix_socket;
|
||||
+
|
||||
+ ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
|
||||
+ if (ret != 0) return false;
|
||||
+
|
||||
+ if (addr.ss_family != AF_UNIX) return false;
|
||||
+
|
||||
+ unix_socket = (struct sockaddr_un *)&addr;
|
||||
+
|
||||
+ return NULL != strstr(unix_socket->sun_path, "private/pam");
|
||||
+}
|
||||
+
|
||||
static uid_t fake_secret_peer(uid_t orig_id)
|
||||
{
|
||||
char *val;
|
||||
@@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id)
|
||||
return atoi(val);
|
||||
}
|
||||
|
||||
+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
|
||||
+{
|
||||
+ char *val;
|
||||
+
|
||||
+ val = getenv("SSSD_INTG_PEER_UID");
|
||||
+ if (val != NULL) {
|
||||
+ *uid = atoi(val);
|
||||
+ }
|
||||
+
|
||||
+ val = getenv("SSSD_INTG_PEER_GID");
|
||||
+ if (val != NULL) {
|
||||
+ *gid = atoi(val);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
typedef typeof(getsockopt) getsockopt_fn_t;
|
||||
|
||||
static getsockopt_fn_t *orig_getsockopt = NULL;
|
||||
@@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname,
|
||||
cr->uid = 0;
|
||||
} else if (is_secrets_socket(sockfd)) {
|
||||
cr->uid = fake_secret_peer(cr->uid);
|
||||
+ } else if (peer_is_private_pam(sockfd)) {
|
||||
+ fake_peer_uid_gid(&cr->uid, &cr->gid);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.9.5
|
||||
|
330
0032-intg-add-Smartcard-authentication-tests.patch
Normal file
330
0032-intg-add-Smartcard-authentication-tests.patch
Normal file
@ -0,0 +1,330 @@
|
||||
From 657f3b89bca9adfb13f0867c91f1d76845d2d6dd Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 7 Sep 2018 22:26:21 +0200
|
||||
Subject: [PATCH 37/83] intg: add Smartcard authentication tests
|
||||
|
||||
Two test for Smartcard authentication of a local user, i.e. a user
|
||||
managed by the files provider, are added. One for a successful
|
||||
authentication, the other for a failed authentication with a wrong PIN.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
configure.ac | 1 +
|
||||
contrib/ci/deps.sh | 2 +
|
||||
contrib/sssd.spec.in | 1 +
|
||||
src/external/cwrap.m4 | 5 ++
|
||||
src/external/intgcheck.m4 | 1 +
|
||||
src/tests/intg/Makefile.am | 24 ++++++-
|
||||
src/tests/intg/test_pam_responder.py | 131 ++++++++++++++++++++++++++++++++---
|
||||
7 files changed, 155 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index bb18ad4..5816b04 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -495,6 +495,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])
|
||||
AM_CHECK_CMOCKA
|
||||
AM_CHECK_UID_WRAPPER
|
||||
AM_CHECK_NSS_WRAPPER
|
||||
+AM_CHECK_PAM_WRAPPER
|
||||
AM_CHECK_TEST_CA
|
||||
|
||||
# Check if the user wants SSSD to be compiled with systemtap probes
|
||||
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
|
||||
index 5906e53..c04c7aa 100644
|
||||
--- a/contrib/ci/deps.sh
|
||||
+++ b/contrib/ci/deps.sh
|
||||
@@ -46,6 +46,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
|
||||
pyldb
|
||||
rpm-build
|
||||
uid_wrapper
|
||||
+ pam_wrapper
|
||||
python-requests
|
||||
curl-devel
|
||||
krb5-server
|
||||
@@ -117,6 +118,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
|
||||
fakeroot
|
||||
libnss-wrapper
|
||||
libuid-wrapper
|
||||
+ libpam-wrapper
|
||||
python-pytest
|
||||
python-ldap
|
||||
python-ldb
|
||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||||
index 5ebd51f..26fae6d 100644
|
||||
--- a/contrib/sssd.spec.in
|
||||
+++ b/contrib/sssd.spec.in
|
||||
@@ -237,6 +237,7 @@ BuildRequires: selinux-policy-targeted
|
||||
BuildRequires: libcmocka-devel >= 1.0.0
|
||||
BuildRequires: uid_wrapper
|
||||
BuildRequires: nss_wrapper
|
||||
+BuildRequires: pam_wrapper
|
||||
|
||||
# Test CA requires openssl independent if SSSD is build with NSS or openssl,
|
||||
# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
|
||||
diff --git a/src/external/cwrap.m4 b/src/external/cwrap.m4
|
||||
index b8489cc..6e3487c 100644
|
||||
--- a/src/external/cwrap.m4
|
||||
+++ b/src/external/cwrap.m4
|
||||
@@ -28,3 +28,8 @@ AC_DEFUN([AM_CHECK_NSS_WRAPPER],
|
||||
[
|
||||
AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
|
||||
])
|
||||
+
|
||||
+AC_DEFUN([AM_CHECK_PAM_WRAPPER],
|
||||
+[
|
||||
+ AM_CHECK_WRAPPER(pam_wrapper, HAVE_PAM_WRAPPER)
|
||||
+])
|
||||
diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4
|
||||
index 60a7bf3..c14f669 100644
|
||||
--- a/src/external/intgcheck.m4
|
||||
+++ b/src/external/intgcheck.m4
|
||||
@@ -22,6 +22,7 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [
|
||||
if test x"$enable_intgcheck_reqs" = xyes; then
|
||||
SSS_INTGCHECK_REQ([HAVE_UID_WRAPPER], [uid_wrapper])
|
||||
SSS_INTGCHECK_REQ([HAVE_NSS_WRAPPER], [nss_wrapper])
|
||||
+ SSS_INTGCHECK_REQ([HAVE_PAM_WRAPPER], [pam_wrapper])
|
||||
SSS_INTGCHECK_REQ([HAVE_SLAPD], [slapd])
|
||||
SSS_INTGCHECK_REQ([HAVE_LDAPMODIFY], [ldapmodify])
|
||||
SSS_INTGCHECK_REQ([HAVE_FAKEROOT], [fakeroot])
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index 6f7605b..bb3a7f0 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -105,13 +105,29 @@ passwd: root
|
||||
group:
|
||||
echo "root:x:0:" > $@
|
||||
|
||||
+PAM_SERVICE_DIR=pam_service_dir
|
||||
+pam_sss_service:
|
||||
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
|
||||
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so" > $(PAM_SERVICE_DIR)/$@
|
||||
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
+
|
||||
CLEANFILES=config.py config.pyc passwd group
|
||||
|
||||
clean-local:
|
||||
rm -Rf root
|
||||
rm -f $(builddir)/cwrap-dbus-system.conf
|
||||
|
||||
-intgcheck-installed: config.py passwd group
|
||||
+if HAVE_NSS
|
||||
+PAM_CERT_DB_PATH="sql:$(DESTDIR)$(sysconfdir)/pki/nssdb"
|
||||
+SOFTHSM2_CONF=""
|
||||
+else
|
||||
+PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
|
||||
+SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
|
||||
+endif
|
||||
+
|
||||
+intgcheck-installed: config.py passwd group pam_sss_service
|
||||
pipepath="$(DESTDIR)$(pipepath)"; \
|
||||
if test $${#pipepath} -gt 80; then \
|
||||
echo "error: Pipe directory path too long," \
|
||||
@@ -131,12 +147,18 @@ intgcheck-installed: config.py passwd group
|
||||
LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
|
||||
NON_WRAPPED_UID=$$(id -u) \
|
||||
LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \
|
||||
+ LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)" \
|
||||
NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \
|
||||
NSS_WRAPPER_GROUP="$(abs_builddir)/group" \
|
||||
NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \
|
||||
NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
|
||||
UID_WRAPPER=1 \
|
||||
UID_WRAPPER_ROOT=1 \
|
||||
+ PAM_WRAPPER=0 \
|
||||
+ PAM_WRAPPER_SERVICE_DIR="$(abs_builddir)/$(PAM_SERVICE_DIR)" \
|
||||
+ PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper) \
|
||||
+ PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
|
||||
+ SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
|
||||
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
|
||||
DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \
|
||||
DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \
|
||||
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
|
||||
index cf6fff2..c6d048c 100644
|
||||
--- a/src/tests/intg/test_pam_responder.py
|
||||
+++ b/src/tests/intg/test_pam_responder.py
|
||||
@@ -27,31 +27,44 @@ import signal
|
||||
import errno
|
||||
import subprocess
|
||||
import time
|
||||
-import pytest
|
||||
+import shutil
|
||||
|
||||
import config
|
||||
|
||||
-from util import unindent
|
||||
+import pytest
|
||||
+
|
||||
+from intg.util import unindent
|
||||
+from intg.files_ops import passwd_ops_setup
|
||||
|
||||
+USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
|
||||
+ gecos='User for tests',
|
||||
+ dir='/home/user1',
|
||||
+ shell='/bin/bash')
|
||||
|
||||
-def format_pam_cert_auth_conf():
|
||||
+
|
||||
+def format_pam_cert_auth_conf(config):
|
||||
"""Format a basic SSSD configuration"""
|
||||
return unindent("""\
|
||||
[sssd]
|
||||
+ debug_level = 10
|
||||
domains = auth_only
|
||||
- services = pam
|
||||
+ services = pam, nss
|
||||
|
||||
[nss]
|
||||
+ debug_level = 10
|
||||
|
||||
[pam]
|
||||
pam_cert_auth = True
|
||||
+ pam_p11_allowed_services = +pam_sss_service
|
||||
+ pam_cert_db_path = {config.PAM_CERT_DB_PATH}
|
||||
debug_level = 10
|
||||
|
||||
[domain/auth_only]
|
||||
- id_provider = ldap
|
||||
- auth_provider = ldap
|
||||
- chpass_provider = ldap
|
||||
- access_provider = ldap
|
||||
+ debug_level = 10
|
||||
+ id_provider = files
|
||||
+
|
||||
+ [certmap/auth_only/user1]
|
||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
||||
""").format(**locals())
|
||||
|
||||
|
||||
@@ -79,6 +92,8 @@ def create_conf_fixture(request, contents):
|
||||
|
||||
def create_sssd_process():
|
||||
"""Start the SSSD process"""
|
||||
+ os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"]
|
||||
+ os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"]
|
||||
if subprocess.call(["sssd", "-D", "-f"]) != 0:
|
||||
raise Exception("sssd start failed")
|
||||
|
||||
@@ -116,12 +131,41 @@ def create_sssd_fixture(request):
|
||||
request.addfinalizer(cleanup_sssd_process)
|
||||
|
||||
|
||||
+def create_nssdb():
|
||||
+ os.mkdir(config.SYSCONFDIR + "/pki")
|
||||
+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb")
|
||||
+ if subprocess.call(["certutil", "-N", "-d",
|
||||
+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/",
|
||||
+ "--empty-password"]) != 0:
|
||||
+ raise Exception("certutil failed")
|
||||
+
|
||||
+ pkcs11_txt = open(config.SYSCONFDIR + "/pki/nssdb/pkcs11.txt", "w")
|
||||
+ pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
|
||||
+ "parameters=configdir='sql:" + config.ABS_BUILDDIR +
|
||||
+ "/../test_CA/p11_nssdb' " +
|
||||
+ "dbSlotDescription='SSSD Test Slot' " +
|
||||
+ "dbTokenDescription='SSSD Test Token' " +
|
||||
+ "secmod='secmod.db' flags=readOnly)\n\n")
|
||||
+ pkcs11_txt.close()
|
||||
+
|
||||
+
|
||||
+def cleanup_nssdb():
|
||||
+ shutil.rmtree(config.SYSCONFDIR + "/pki")
|
||||
+
|
||||
+
|
||||
+def create_nssdb_fixture(request):
|
||||
+ create_nssdb()
|
||||
+ request.addfinalizer(cleanup_nssdb)
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def simple_pam_cert_auth(request):
|
||||
"""Setup SSSD with pam_cert_auth=True"""
|
||||
- conf = format_pam_cert_auth_conf()
|
||||
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
|
||||
+ conf = format_pam_cert_auth_conf(config)
|
||||
create_conf_fixture(request, conf)
|
||||
create_sssd_fixture(request)
|
||||
+ create_nssdb_fixture(request)
|
||||
return None
|
||||
|
||||
|
||||
@@ -129,3 +173,72 @@ def test_preauth_indicator(simple_pam_cert_auth):
|
||||
"""Check if preauth indicator file is created"""
|
||||
statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available")
|
||||
assert stat.S_ISREG(statinfo.st_mode)
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def pam_wrapper_setup(request):
|
||||
+ pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
|
||||
+ if pwrap_runtimedir is None:
|
||||
+ raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
|
||||
+
|
||||
+
|
||||
+def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
|
||||
+ passwd_ops_setup):
|
||||
+
|
||||
+ passwd_ops_setup.useradd(**USER1)
|
||||
+ current_env = os.environ.copy()
|
||||
+ current_env['PAM_WRAPPER'] = "1"
|
||||
+ current_env['SSSD_INTG_PEER_UID'] = "0"
|
||||
+ current_env['SSSD_INTG_PEER_GID'] = "0"
|
||||
+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
+ "--action=auth", "--service=pam_sss_service"],
|
||||
+ universal_newlines=True,
|
||||
+ env=current_env, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="111")
|
||||
+ except:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: " +
|
||||
+ "Authentication failure") != -1
|
||||
+
|
||||
+
|
||||
+def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):
|
||||
+
|
||||
+ passwd_ops_setup.useradd(**USER1)
|
||||
+ current_env = os.environ.copy()
|
||||
+ current_env['PAM_WRAPPER'] = "1"
|
||||
+ current_env['SSSD_INTG_PEER_UID'] = "0"
|
||||
+ current_env['SSSD_INTG_PEER_GID'] = "0"
|
||||
+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
+ "--action=auth", "--service=pam_sss_service"],
|
||||
+ universal_newlines=True,
|
||||
+ env=current_env, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="123456")
|
||||
+ except:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
--
|
||||
2.9.5
|
||||
|
49
0033-proxy-access-provider-directly-not-through-be_ctx.patch
Normal file
49
0033-proxy-access-provider-directly-not-through-be_ctx.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From 4ffe3ab9023ff858410256bc5c38a03d9cd88cf9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 5 Sep 2018 13:35:54 +0200
|
||||
Subject: [PATCH 39/83] proxy: access provider directly not through be_ctx
|
||||
|
||||
Modules are initialized as part of dp_init_send() but be_ctx->provider is set
|
||||
only after this request is finished therefore it is not available here.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3812
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/proxy/proxy_init.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
|
||||
index cf4f82e..98c6dd1 100644
|
||||
--- a/src/providers/proxy/proxy_init.c
|
||||
+++ b/src/providers/proxy/proxy_init.c
|
||||
@@ -192,6 +192,7 @@ static errno_t proxy_auth_conf(TALLOC_CTX *mem_ctx,
|
||||
|
||||
static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
|
||||
struct be_ctx *be_ctx,
|
||||
+ struct data_provider *provider,
|
||||
struct proxy_auth_ctx **_auth_ctx)
|
||||
{
|
||||
struct proxy_auth_ctx *auth_ctx;
|
||||
@@ -213,7 +214,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = proxy_client_init(dp_sbus_conn(be_ctx->provider), auth_ctx);
|
||||
+ ret = proxy_client_init(dp_sbus_conn(provider), auth_ctx);
|
||||
if (ret != EOK) {
|
||||
goto done;
|
||||
}
|
||||
@@ -273,7 +274,7 @@ errno_t sssm_proxy_init(TALLOC_CTX *mem_ctx,
|
||||
|
||||
/* Initialize auth_ctx since one of the access, auth or chpass is set. */
|
||||
|
||||
- ret = proxy_init_auth_ctx(mem_ctx, be_ctx, &auth_ctx);
|
||||
+ ret = proxy_init_auth_ctx(mem_ctx, be_ctx, provider, &auth_ctx);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
--
|
||||
2.9.5
|
||||
|
144
0034-dp-set-be_ctx-provider-as-part-of-dp_init-request.patch
Normal file
144
0034-dp-set-be_ctx-provider-as-part-of-dp_init-request.patch
Normal file
@ -0,0 +1,144 @@
|
||||
From 4c5a1afa0df41aac05d34455c6e54a6f52a8dd28 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 5 Sep 2018 13:51:55 +0200
|
||||
Subject: [PATCH 40/83] dp: set be_ctx->provider as part of dp_init request
|
||||
|
||||
Backend context is overused inside sssd code even during its initialization.
|
||||
Some parts of initialization code requires access to be_ctx->provider so we
|
||||
must make it available as soon as possible.
|
||||
|
||||
Better solution would be to always use 'provider' directly in initialization
|
||||
but this makes it safer for any future changes as one does not have to keep
|
||||
in mind when it is safe to use be_ctx->provider and when not. Now it is
|
||||
always safe.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3812
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/data_provider/dp.c | 21 +++++++++++++--------
|
||||
src/providers/data_provider/dp.h | 1 -
|
||||
src/providers/data_provider_be.c | 2 +-
|
||||
src/providers/proxy/proxy_init.c | 2 +-
|
||||
4 files changed, 15 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
|
||||
index fd19d28..bd003c8 100644
|
||||
--- a/src/providers/data_provider/dp.c
|
||||
+++ b/src/providers/data_provider/dp.c
|
||||
@@ -120,6 +120,7 @@ static int dp_destructor(struct data_provider *provider)
|
||||
}
|
||||
|
||||
struct dp_init_state {
|
||||
+ struct be_ctx *be_ctx;
|
||||
struct data_provider *provider;
|
||||
char *sbus_name;
|
||||
};
|
||||
@@ -158,6 +159,7 @@ dp_init_send(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ state->be_ctx = be_ctx;
|
||||
state->provider->ev = ev;
|
||||
state->provider->uid = uid;
|
||||
state->provider->gid = gid;
|
||||
@@ -224,12 +226,14 @@ static void dp_init_done(struct tevent_req *subreq)
|
||||
sbus_server_set_on_connection(state->provider->sbus_server,
|
||||
dp_client_init, state->provider);
|
||||
|
||||
+ /* be_ctx->provider must be accessible from modules and targets */
|
||||
+ state->be_ctx->provider = talloc_steal(state->be_ctx, state->provider);
|
||||
+
|
||||
ret = dp_init_modules(state->provider, &state->provider->modules);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP modules "
|
||||
"[%d]: %s\n", ret, sss_strerror(ret));
|
||||
- tevent_req_error(req, ret);
|
||||
- return;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
ret = dp_init_targets(state->provider, state->provider->be_ctx,
|
||||
@@ -237,25 +241,27 @@ static void dp_init_done(struct tevent_req *subreq)
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP targets "
|
||||
"[%d]: %s\n", ret, sss_strerror(ret));
|
||||
- tevent_req_error(req, ret);
|
||||
- return;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
ret = dp_init_interface(state->provider);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP interface "
|
||||
"[%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ if (ret != EOK) {
|
||||
+ talloc_zfree(state->be_ctx->provider);
|
||||
tevent_req_error(req, ret);
|
||||
- return;
|
||||
}
|
||||
|
||||
tevent_req_done(req);
|
||||
- return;
|
||||
}
|
||||
|
||||
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_req *req,
|
||||
- struct data_provider **_provider,
|
||||
const char **_sbus_name)
|
||||
{
|
||||
struct dp_init_state *state;
|
||||
@@ -263,7 +269,6 @@ errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
|
||||
|
||||
TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||
|
||||
- *_provider = talloc_steal(mem_ctx, state->provider);
|
||||
*_sbus_name = talloc_steal(mem_ctx, state->sbus_name);
|
||||
|
||||
return EOK;
|
||||
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
|
||||
index 33e6e65..0028eb1 100644
|
||||
--- a/src/providers/data_provider/dp.h
|
||||
+++ b/src/providers/data_provider/dp.h
|
||||
@@ -117,7 +117,6 @@ dp_init_send(TALLOC_CTX *mem_ctx,
|
||||
|
||||
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_req *req,
|
||||
- struct data_provider **_provider,
|
||||
const char **_sbus_name);
|
||||
|
||||
bool _dp_target_enabled(struct data_provider *provider,
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index 670ddb4..6d2477e 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -541,7 +541,7 @@ static void dp_initialized(struct tevent_req *req)
|
||||
|
||||
be_ctx = tevent_req_callback_data(req, struct be_ctx);
|
||||
|
||||
- ret = dp_init_recv(be_ctx, req, &be_ctx->provider, &be_ctx->sbus_name);
|
||||
+ ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name);
|
||||
talloc_zfree(req);
|
||||
if (ret != EOK) {
|
||||
goto done;
|
||||
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
|
||||
index 98c6dd1..32343a3 100644
|
||||
--- a/src/providers/proxy/proxy_init.c
|
||||
+++ b/src/providers/proxy/proxy_init.c
|
||||
@@ -214,7 +214,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = proxy_client_init(dp_sbus_conn(provider), auth_ctx);
|
||||
+ ret = proxy_client_init(dp_sbus_conn(be_ctx->provider), auth_ctx);
|
||||
if (ret != EOK) {
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
42
0035-sbus-read-destination-after-sender-is-set.patch
Normal file
42
0035-sbus-read-destination-after-sender-is-set.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From 9245bf1afe6767a0412212bc0040e606ee850e7d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 12 Sep 2018 13:21:11 +0200
|
||||
Subject: [PATCH 41/83] sbus: read destination after sender is set
|
||||
|
||||
dbus_message_set_sender may reallocate internal fields which will yield pointer
|
||||
obtained by dbus_message_get_* invalid.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/sbus/server/sbus_server_handler.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/sbus/server/sbus_server_handler.c b/src/sbus/server/sbus_server_handler.c
|
||||
index c300d81..d4e4547 100644
|
||||
--- a/src/sbus/server/sbus_server_handler.c
|
||||
+++ b/src/sbus/server/sbus_server_handler.c
|
||||
@@ -148,9 +148,6 @@ sbus_server_filter(DBusConnection *dbus_conn,
|
||||
return DBUS_HANDLER_RESULT_HANDLED;
|
||||
}
|
||||
|
||||
- destination = dbus_message_get_destination(message);
|
||||
- type = dbus_message_get_type(message);
|
||||
-
|
||||
conn = dbus_connection_get_data(dbus_conn, server->data_slot);
|
||||
if (conn == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unknown connection!\n");
|
||||
@@ -173,6 +170,11 @@ sbus_server_filter(DBusConnection *dbus_conn,
|
||||
return DBUS_HANDLER_RESULT_HANDLED;
|
||||
}
|
||||
|
||||
+ /* Set sender may reallocate internal fields so this needs to be read
|
||||
+ * after we call dbus_message_set_sender(). */
|
||||
+ destination = dbus_message_get_destination(message);
|
||||
+ type = dbus_message_get_type(message);
|
||||
+
|
||||
if (type == DBUS_MESSAGE_TYPE_SIGNAL) {
|
||||
return sbus_server_route_signal(server, conn, message, destination);
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,34 @@
|
||||
From b821ee3ca93beb94a7a9b22b6f7a205e4900212e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 12 Sep 2018 13:22:34 +0200
|
||||
Subject: [PATCH 42/83] sbus: do not try to remove signal listeners when
|
||||
disconnecting
|
||||
|
||||
This may cause some troubles if the dbus connection was dropped
|
||||
as dbus will try to actually send the messages. Also when the
|
||||
connectin is being freed, tevent integration is already disabled
|
||||
so there is no point in doing this.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/sbus/router/sbus_router_hash.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/sbus/router/sbus_router_hash.c b/src/sbus/router/sbus_router_hash.c
|
||||
index 186dc61..2d407b2 100644
|
||||
--- a/src/sbus/router/sbus_router_hash.c
|
||||
+++ b/src/sbus/router/sbus_router_hash.c
|
||||
@@ -384,6 +384,10 @@ sbus_router_listeners_delete_cb(hash_entry_t *item,
|
||||
return;
|
||||
}
|
||||
|
||||
+ if (conn->disconnecting) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
/* If we still have the D-Bus connection available, we try to unregister
|
||||
* the previously registered listener when its removed from table. */
|
||||
|
||||
--
|
||||
2.9.5
|
||||
|
29
0037-sbus-free-watch_fd-fdevent-explicitly.patch
Normal file
29
0037-sbus-free-watch_fd-fdevent-explicitly.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From f1f9af528f71f42ac41bb7a272f4f7d940fd3a0f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 12 Sep 2018 13:24:27 +0200
|
||||
Subject: [PATCH 43/83] sbus: free watch_fd->fdevent explicitly
|
||||
|
||||
We never reproduced this with gdb but valgrind shows invalid read in sbus_watch_handler
|
||||
after the watch_fd was freed. This should not be needed since watch_fd is memory parent
|
||||
of fdevent but it seems to help.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/sbus/connection/sbus_watch.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/sbus/connection/sbus_watch.c b/src/sbus/connection/sbus_watch.c
|
||||
index 3898311..0e4bd01 100644
|
||||
--- a/src/sbus/connection/sbus_watch.c
|
||||
+++ b/src/sbus/connection/sbus_watch.c
|
||||
@@ -280,6 +280,7 @@ sbus_watch_remove(DBusWatch *dbus_watch, void *data)
|
||||
|
||||
if (watch_fd->dbus_watch.read == NULL
|
||||
&& watch_fd->dbus_watch.write == NULL) {
|
||||
+ talloc_free(watch_fd->fdevent);
|
||||
talloc_free(watch_fd);
|
||||
}
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
139
0038-doc-remove-local-provider-reference-from-manpages.patch
Normal file
139
0038-doc-remove-local-provider-reference-from-manpages.patch
Normal file
@ -0,0 +1,139 @@
|
||||
From de8c9caf61e7b971cda9563cc5851ea222db5830 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Halman <thalman@redhat.com>
|
||||
Date: Thu, 27 Sep 2018 16:03:40 +0200
|
||||
Subject: [PATCH 44/83] doc: remove local provider reference from manpages
|
||||
|
||||
Introduce new condition for documentation build. Related part of
|
||||
documentation is excluded, if build is done without local provider.
|
||||
|
||||
Resolves https://pagure.io/SSSD/sssd/issue/3826
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/man/Makefile.am | 6 +++++-
|
||||
src/man/include/seealso.xml | 44 +++++++++++++++++++++++---------------------
|
||||
src/man/sssd.conf.5.xml | 15 +++++++++------
|
||||
3 files changed, 37 insertions(+), 28 deletions(-)
|
||||
|
||||
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
|
||||
index b4c20d8..54a30d1 100644
|
||||
--- a/src/man/Makefile.am
|
||||
+++ b/src/man/Makefile.am
|
||||
@@ -51,7 +51,11 @@ CRYPTO_CONDS = ;with_nss
|
||||
else
|
||||
CRYPTO_CONDS = ;with_openssl
|
||||
endif
|
||||
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS)
|
||||
+if BUILD_LOCAL_PROVIDER
|
||||
+LOCAL_PROVIDER_CONDS = ;enable_local_provider
|
||||
+endif
|
||||
+
|
||||
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS)$(LOCAL_PROVIDER_CONDS)
|
||||
|
||||
|
||||
#Special Rules:
|
||||
diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
|
||||
index 52798e4..f324b66 100644
|
||||
--- a/src/man/include/seealso.xml
|
||||
+++ b/src/man/include/seealso.xml
|
||||
@@ -44,27 +44,29 @@
|
||||
<citerefentry>
|
||||
<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
- <citerefentry>
|
||||
- <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
|
||||
- </citerefentry>,
|
||||
- <citerefentry>
|
||||
- <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
|
||||
- </citerefentry>,
|
||||
- <citerefentry>
|
||||
- <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
|
||||
- </citerefentry>,
|
||||
- <citerefentry>
|
||||
- <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
|
||||
- </citerefentry>,
|
||||
- <citerefentry>
|
||||
- <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
|
||||
- </citerefentry>,
|
||||
- <citerefentry>
|
||||
- <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
|
||||
- </citerefentry>,
|
||||
- <citerefentry>
|
||||
- <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
|
||||
- </citerefentry>,
|
||||
+ <phrase condition="enable_local_provider">
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>,
|
||||
+ </phrase>
|
||||
<citerefentry>
|
||||
<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum>
|
||||
</citerefentry>,
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 04143f1..c1e3895 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -2179,7 +2179,7 @@ pam_p11_allowed_services = +my_pam_service, -login
|
||||
<para>
|
||||
<quote>proxy</quote>: Support a legacy NSS provider.
|
||||
</para>
|
||||
- <para>
|
||||
+ <para condition="enable_local_provider">
|
||||
<quote>local</quote>: SSSD internal provider for
|
||||
local users (DEPRECATED).
|
||||
</para>
|
||||
@@ -2324,7 +2324,7 @@ pam_p11_allowed_services = +my_pam_service, -login
|
||||
<para>
|
||||
<quote>proxy</quote> for relaying authentication to some other PAM target.
|
||||
</para>
|
||||
- <para>
|
||||
+ <para condition="enable_local_provider">
|
||||
<quote>local</quote>: SSSD internal provider for
|
||||
local users
|
||||
</para>
|
||||
@@ -2836,9 +2836,12 @@ pam_p11_allowed_services = +my_pam_service, -login
|
||||
<term>case_sensitive (string)</term>
|
||||
<listitem>
|
||||
<para>
|
||||
- Treat user and group names as case sensitive. At
|
||||
- the moment, this option is not supported in
|
||||
- the local provider. Possible option values are:
|
||||
+ Treat user and group names as case sensitive.
|
||||
+ <phrase condition="enable_local_provider">
|
||||
+ At the moment, this option is not supported in
|
||||
+ the local provider.
|
||||
+ </phrase>
|
||||
+ Possible option values are:
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>True</term>
|
||||
@@ -3148,7 +3151,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
|
||||
</programlisting>
|
||||
</refsect2>
|
||||
|
||||
- <refsect2 id='local_domain'>
|
||||
+ <refsect2 id='local_domain' condition="enable_local_provider">
|
||||
<title>The local domain section</title>
|
||||
<para>
|
||||
This section contains settings for domain that stores users and
|
||||
--
|
||||
2.9.5
|
||||
|
47
0039-confdb-log-an-error-when-domain-is-misconfigured.patch
Normal file
47
0039-confdb-log-an-error-when-domain-is-misconfigured.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 081b18e75c746f9a2ad1fb412c825293090311f8 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Halman <thalman@redhat.com>
|
||||
Date: Mon, 1 Oct 2018 15:49:06 +0200
|
||||
Subject: [PATCH 54/83] confdb: log an error when domain is misconfigured
|
||||
|
||||
We need to inform user that there is misconfiguration
|
||||
and particular domain will not be started.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3827
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index 954c3ba..2f3d900 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -39,6 +39,9 @@
|
||||
#define SAME_DOMAINS_ERROR_MSG "Domain '%s' is the same as or differs only "\
|
||||
"in case from domain '%s'.\n"
|
||||
|
||||
+#define RETRIEVE_DOMAIN_ERROR_MSG "Error (%d [%s]) retrieving domain [%s], "\
|
||||
+ "skipping!\n"
|
||||
+
|
||||
static char *prepend_cn(char *str, int *slen, const char *comp, int clen)
|
||||
{
|
||||
char *ret;
|
||||
@@ -1522,8 +1525,12 @@ int confdb_get_domains(struct confdb_ctx *cdb,
|
||||
ret = confdb_get_domain_internal(cdb, cdb, domlist[i], &domain);
|
||||
if (ret) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Error (%d [%s]) retrieving domain [%s], skipping!\n",
|
||||
+ RETRIEVE_DOMAIN_ERROR_MSG,
|
||||
ret, sss_strerror(ret), domlist[i]);
|
||||
+ sss_log(SSS_LOG_CRIT,
|
||||
+ RETRIEVE_DOMAIN_ERROR_MSG,
|
||||
+ ret, sss_strerror(ret), domlist[i]);
|
||||
+
|
||||
continue;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,57 @@
|
||||
From dfa7bf1133f002a9fbbd3495a70909913db25b16 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 14 Sep 2018 12:30:57 +0200
|
||||
Subject: [PATCH 55/83] be: use be_is_offline for the main domain when asking
|
||||
for domain status
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The DOM_ACTIVE/INACTIVE flag is not used with the main domain as it
|
||||
is used only for subdomains.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3830
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/providers/data_provider/dp_iface_backend.c | 20 ++++++++++++++------
|
||||
1 file changed, 14 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/providers/data_provider/dp_iface_backend.c b/src/providers/data_provider/dp_iface_backend.c
|
||||
index 25a00f3..85159a7 100644
|
||||
--- a/src/providers/data_provider/dp_iface_backend.c
|
||||
+++ b/src/providers/data_provider/dp_iface_backend.c
|
||||
@@ -37,15 +37,23 @@ dp_backend_is_online(TALLOC_CTX *mem_ctx,
|
||||
struct sss_domain_info *domain;
|
||||
|
||||
if (SBUS_REQ_STRING_IS_EMPTY(domname)) {
|
||||
- *_is_online = be_is_offline(be_ctx);
|
||||
- return EOK;
|
||||
+ domain = be_ctx->domain;
|
||||
+ } else {
|
||||
+ domain = find_domain_by_name(be_ctx->domain, domname, false);
|
||||
+ if (domain == NULL) {
|
||||
+ return ERR_DOMAIN_NOT_FOUND;
|
||||
+ }
|
||||
}
|
||||
|
||||
- domain = find_domain_by_name(be_ctx->domain, domname, false);
|
||||
- if (domain == NULL) {
|
||||
- return ERR_DOMAIN_NOT_FOUND;
|
||||
+ /**
|
||||
+ * FIXME: https://pagure.io/SSSD/sssd/issue/3831
|
||||
+ * domain->state is set only for subdomains not for the main domain
|
||||
+ */
|
||||
+ if (be_ctx->domain == domain) {
|
||||
+ *_is_online = be_is_offline(be_ctx) == false;
|
||||
+ } else {
|
||||
+ *_is_online = domain->state == DOM_ACTIVE;
|
||||
}
|
||||
|
||||
- *_is_online = domain->state == DOM_ACTIVE;
|
||||
return EOK;
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
146
0041-p11-handle-multiple-certs-during-auth-with-OpenSSL.patch
Normal file
146
0041-p11-handle-multiple-certs-during-auth-with-OpenSSL.patch
Normal file
@ -0,0 +1,146 @@
|
||||
From e29b82077a78157a1e4d90e2308c1272d7612f3d Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 2 Oct 2018 12:13:29 +0200
|
||||
Subject: [PATCH 56/83] p11: handle multiple certs during auth with OpenSSL
|
||||
|
||||
This patch adds missing code already available in the NSS version to
|
||||
select a certificate for authentication if multiple certificates are
|
||||
available on the Smartcard. A unit test to check this feature is added
|
||||
as well.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3489
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/p11_child/p11_child_openssl.c | 46 ++++++++++++++++++++++++++++++++++++++-
|
||||
src/tests/cmocka/test_pam_srv.c | 36 ++++++++++++++++++++++++++++++
|
||||
2 files changed, 81 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
||||
index be58726..bf4418f 100644
|
||||
--- a/src/p11_child/p11_child_openssl.c
|
||||
+++ b/src/p11_child/p11_child_openssl.c
|
||||
@@ -572,8 +572,10 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
char *slot_name = NULL;
|
||||
char *token_name = NULL;
|
||||
CK_SESSION_HANDLE session = 0;
|
||||
+ struct cert_list *all_cert_list = NULL;
|
||||
struct cert_list *cert_list = NULL;
|
||||
struct cert_list *item = NULL;
|
||||
+ struct cert_list *tmp_cert = NULL;
|
||||
char *multi = NULL;
|
||||
bool pkcs11_session = false;
|
||||
bool pkcs11_login = false;
|
||||
@@ -691,12 +693,54 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
DEBUG(SSSDBG_TRACE_ALL, "Login NOT required.\n");
|
||||
}
|
||||
|
||||
- ret = read_certs(mem_ctx, module, session, p11_ctx, &cert_list);
|
||||
+ ret = read_certs(mem_ctx, module, session, p11_ctx, &all_cert_list);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "read_certs failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ DLIST_FOR_EACH(item, all_cert_list) {
|
||||
+ /* Check if we found the certificates we needed for authentication or
|
||||
+ * the requested ones for pre-auth. For authentication all attributes
|
||||
+ * must be given and match, for pre-auth only the given ones must
|
||||
+ * match. */
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s.\n",
|
||||
+ module_name_in, module_file_name, token_name_in, token_name,
|
||||
+ key_id_in, item->id);
|
||||
+
|
||||
+ if ((mode == OP_AUTH
|
||||
+ && module_name_in != NULL
|
||||
+ && token_name_in != NULL
|
||||
+ && key_id_in != NULL
|
||||
+ && item->id != NULL
|
||||
+ && strcmp(key_id_in, item->id) == 0
|
||||
+ && strcmp(token_name_in, token_name) == 0
|
||||
+ && strcmp(module_name_in, module_file_name) == 0)
|
||||
+ || (mode == OP_PREAUTH
|
||||
+ && (module_name_in == NULL
|
||||
+ || (module_name_in != NULL
|
||||
+ && strcmp(module_name_in, module_file_name) == 0))
|
||||
+ && (token_name_in == NULL
|
||||
+ || (token_name_in != NULL
|
||||
+ && strcmp(token_name_in, token_name) == 0))
|
||||
+ && (key_id_in == NULL
|
||||
+ || (key_id_in != NULL && item->id != NULL
|
||||
+ && strcmp(key_id_in, item->id) == 0)))) {
|
||||
+
|
||||
+ tmp_cert = talloc_memdup(mem_ctx, item, sizeof(struct cert_list));
|
||||
+ if (tmp_cert == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_memdup failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ tmp_cert->prev = NULL;
|
||||
+ tmp_cert->next = NULL;
|
||||
+
|
||||
+ DLIST_ADD(cert_list, tmp_cert);
|
||||
+
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/* TODO: check module_name_in, token_name_in, key_id_in */
|
||||
|
||||
if (cert_list == NULL) {
|
||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
||||
index 446985d..2b02ac2 100644
|
||||
--- a/src/tests/cmocka/test_pam_srv.c
|
||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
||||
@@ -2443,6 +2443,40 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state)
|
||||
assert_int_equal(ret, EOK);
|
||||
}
|
||||
|
||||
+void test_pam_cert_auth_2certs_one_mapping(void **state)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+#ifdef HAVE_NSS
|
||||
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
|
||||
+#else
|
||||
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
|
||||
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_two.conf"));
|
||||
+#endif
|
||||
+
|
||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
|
||||
+ TEST_MODULE_NAME,
|
||||
+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
|
||||
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
|
||||
+ true);
|
||||
+
|
||||
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
|
||||
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
||||
+
|
||||
+ /* Assume backend cannot handle Smartcard credentials */
|
||||
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
|
||||
+
|
||||
+ set_cmd_cb(test_pam_simple_check_success);
|
||||
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
|
||||
+ pam_test_ctx->pam_cmds);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ /* Wait until the test finishes with EOK */
|
||||
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+}
|
||||
+
|
||||
+
|
||||
void test_filter_response(void **state)
|
||||
{
|
||||
int ret;
|
||||
@@ -2875,6 +2909,8 @@ int main(int argc, const char *argv[])
|
||||
pam_test_setup, pam_test_teardown),
|
||||
cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_two_mappings,
|
||||
pam_test_setup, pam_test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping,
|
||||
+ pam_test_setup, pam_test_teardown),
|
||||
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
|
||||
pam_test_setup, pam_test_teardown),
|
||||
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
|
||||
--
|
||||
2.9.5
|
||||
|
74
0042-doc-Add-nsswitch.conf-note-to-manpage.patch
Normal file
74
0042-doc-Add-nsswitch.conf-note-to-manpage.patch
Normal file
@ -0,0 +1,74 @@
|
||||
From 0be037bbedd0aed6a7eccead6aabe0d07258242a Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Halman <thalman@redhat.com>
|
||||
Date: Mon, 1 Oct 2018 13:45:52 +0200
|
||||
Subject: [PATCH 57/83] doc: Add nsswitch.conf note to manpage
|
||||
|
||||
We want to add note about nsswitch.conf configuration
|
||||
into sssd-files manpage.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3750
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/man/sssd-files.5.xml | 34 +++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 33 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
|
||||
index 59e1b65..067e219 100644
|
||||
--- a/src/man/sssd-files.5.xml
|
||||
+++ b/src/man/sssd-files.5.xml
|
||||
@@ -51,6 +51,27 @@
|
||||
<manvolnum>5</manvolnum>
|
||||
</citerefentry>.
|
||||
</para>
|
||||
+ <para>
|
||||
+ Another reason is to provide efficient caching of local users and groups.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Please note that some distributions enable the files domain automatically,
|
||||
+ prepending the domain before any explicitly configured domains.
|
||||
+ See enable_files_domain in
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>sssd.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ </citerefentry>.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ SSSD never handles resolution of user/group "root". Also resolution of
|
||||
+ UID/GID 0 is not handled by SSSD. Such requests are passed to next
|
||||
+ NSS module (usually files).
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ When SSSD is not running or responding, nss_sss returns the UNAVAIL code
|
||||
+ which causes the request to be passed to the next module.
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id='configuration-options'>
|
||||
@@ -112,9 +133,20 @@
|
||||
id_provider = files
|
||||
</programlisting>
|
||||
</para>
|
||||
+ <para>
|
||||
+ To leverage caching of local users and groups by SSSD
|
||||
+ nss_sss module must be listed before nss_files module
|
||||
+ in /etc/nsswitch.conf.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+<programlisting>
|
||||
+passwd: sss files
|
||||
+group: sss files
|
||||
+</programlisting>
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
|
||||
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
|
||||
|
||||
</refentry>
|
||||
</reference>
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,31 @@
|
||||
From e5dc30e0092b240a32f2004966eeecdc57d50fb8 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 8 Oct 2018 07:45:45 +0000
|
||||
Subject: [PATCH 58/83] MAN: Fix typo in ad_gpo_implicit_deny default value
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3846
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/man/sssd-ad.5.xml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
||||
index 0eac382..ea0adf7 100644
|
||||
--- a/src/man/sssd-ad.5.xml
|
||||
+++ b/src/man/sssd-ad.5.xml
|
||||
@@ -432,7 +432,7 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
|
||||
apply to them.
|
||||
</para>
|
||||
<para>
|
||||
- Default: False (seconds)
|
||||
+ Default: False
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
--
|
||||
2.9.5
|
||||
|
470
0044-p11_child-add-wait_for_card-option.patch
Normal file
470
0044-p11_child-add-wait_for_card-option.patch
Normal file
@ -0,0 +1,470 @@
|
||||
From 42f69e26e5b858dd03492cc2a148d02c2ccc2161 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Fri, 14 Sep 2018 12:47:00 +0200
|
||||
Subject: [PATCH 59/83] p11_child: add --wait_for_card option
|
||||
|
||||
The --wait_for_card option will let the p11_child wait until a
|
||||
Smartcard/token is available in a slot with the removable flag.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3650
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/p11_child/p11_child.h | 5 +-
|
||||
src/p11_child/p11_child_common.c | 12 +++-
|
||||
src/p11_child/p11_child_nss.c | 105 ++++++++++++++++++++---------
|
||||
src/p11_child/p11_child_openssl.c | 136 ++++++++++++++++++++++++++++++--------
|
||||
4 files changed, 196 insertions(+), 62 deletions(-)
|
||||
|
||||
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
|
||||
index 1e9fc3d..dd8fdea 100644
|
||||
--- a/src/p11_child/p11_child.h
|
||||
+++ b/src/p11_child/p11_child.h
|
||||
@@ -25,6 +25,9 @@
|
||||
#ifndef __P11_CHILD_H__
|
||||
#define __P11_CHILD_H__
|
||||
|
||||
+/* Time to wait during a C_Finalize C_Initialize cycle to discover
|
||||
+ * new slots. */
|
||||
+#define PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME 3
|
||||
struct p11_ctx;
|
||||
|
||||
enum op_mode {
|
||||
@@ -41,7 +44,7 @@ enum pin_mode {
|
||||
};
|
||||
|
||||
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db,
|
||||
- struct p11_ctx **p11_ctx);
|
||||
+ bool wait_for_card, struct p11_ctx **p11_ctx);
|
||||
|
||||
errno_t init_verification(struct p11_ctx *p11_ctx,
|
||||
struct cert_verify_opts *cert_verify_opts);
|
||||
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
|
||||
index 125430d..bc5f6b0 100644
|
||||
--- a/src/p11_child/p11_child_common.c
|
||||
+++ b/src/p11_child/p11_child_common.c
|
||||
@@ -57,6 +57,7 @@ static const char *op_mode_str(enum op_mode mode)
|
||||
|
||||
static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
|
||||
struct cert_verify_opts *cert_verify_opts,
|
||||
+ bool wait_for_card,
|
||||
const char *cert_b64, const char *pin,
|
||||
const char *module_name, const char *token_name,
|
||||
const char *key_id, char **multi)
|
||||
@@ -64,7 +65,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
|
||||
int ret;
|
||||
struct p11_ctx *p11_ctx;
|
||||
|
||||
- ret = init_p11_ctx(mem_ctx, ca_db, &p11_ctx);
|
||||
+ ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, &p11_ctx);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "init_p11_ctx failed.\n");
|
||||
return ret;
|
||||
@@ -157,6 +158,7 @@ int main(int argc, const char *argv[])
|
||||
char *token_name = NULL;
|
||||
char *key_id = NULL;
|
||||
char *cert_b64 = NULL;
|
||||
+ bool wait_for_card = false;
|
||||
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
@@ -174,6 +176,7 @@ int main(int argc, const char *argv[])
|
||||
SSSD_LOGGER_OPTS
|
||||
{"auth", 0, POPT_ARG_NONE, NULL, 'a', _("Run in auth mode"), NULL},
|
||||
{"pre", 0, POPT_ARG_NONE, NULL, 'p', _("Run in pre-auth mode"), NULL},
|
||||
+ {"wait_for_card", 0, POPT_ARG_NONE, NULL, 'w', _("Wait until card is available"), NULL},
|
||||
{"verification", 0, POPT_ARG_NONE, NULL, 'v', _("Run in verification mode"),
|
||||
NULL},
|
||||
{"pin", 0, POPT_ARG_NONE, NULL, 'i', _("Expect PIN on stdin"), NULL},
|
||||
@@ -258,6 +261,9 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
pin_mode = PIN_KEYPAD;
|
||||
break;
|
||||
+ case 'w':
|
||||
+ wait_for_card = true;
|
||||
+ break;
|
||||
default:
|
||||
fprintf(stderr, "\nInvalid option %s: %s\n\n",
|
||||
poptBadOption(pc, 0), poptStrerror(opt));
|
||||
@@ -360,8 +366,8 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
- ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, cert_b64,
|
||||
- pin, module_name, token_name, key_id, &multi);
|
||||
+ ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card,
|
||||
+ cert_b64, pin, module_name, token_name, key_id, &multi);
|
||||
if (ret != 0) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
|
||||
goto fail;
|
||||
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
|
||||
index d6a0b80..b2777d1 100644
|
||||
--- a/src/p11_child/p11_child_nss.c
|
||||
+++ b/src/p11_child/p11_child_nss.c
|
||||
@@ -51,6 +51,7 @@ struct p11_ctx {
|
||||
CERTCertDBHandle *handle;
|
||||
struct cert_verify_opts *cert_verify_opts;
|
||||
const char *nss_db;
|
||||
+ bool wait_for_card;
|
||||
};
|
||||
|
||||
#define EXP_USAGES ( certificateUsageSSLClient \
|
||||
@@ -141,6 +142,19 @@ static int talloc_free_handle(struct p11_ctx *p11_ctx)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static NSSInitContext *get_nss_ctx(const char *nss_db)
|
||||
+{
|
||||
+ uint32_t flags = NSS_INIT_READONLY
|
||||
+ | NSS_INIT_FORCEOPEN
|
||||
+ | NSS_INIT_NOROOTINIT
|
||||
+ | NSS_INIT_OPTIMIZESPACE
|
||||
+ | NSS_INIT_PK11RELOAD;
|
||||
+ NSSInitParameters parameters = { 0 };
|
||||
+ parameters.length = sizeof (parameters);
|
||||
+
|
||||
+ return NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, flags);
|
||||
+}
|
||||
+
|
||||
errno_t init_verification(struct p11_ctx *p11_ctx,
|
||||
struct cert_verify_opts *cert_verify_opts)
|
||||
{
|
||||
@@ -256,14 +270,15 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
SECItem signed_random_value = {0};
|
||||
SECKEYPublicKey *pub_key;
|
||||
CERTCertificate *found_cert = NULL;
|
||||
- PK11SlotList *list = NULL;
|
||||
- PK11SlotListElement *le;
|
||||
const char *label;
|
||||
char *key_id_str = NULL;
|
||||
CERTCertList *valid_certs = NULL;
|
||||
char *cert_b64 = NULL;
|
||||
char *multi = NULL;
|
||||
PRCList *node;
|
||||
+ CK_SLOT_INFO slInfo;
|
||||
+ PK11TokenStatus token_status;
|
||||
+ size_t s;
|
||||
|
||||
PK11_SetPasswordFunc(password_passthrough);
|
||||
|
||||
@@ -297,28 +312,50 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
mod_list_item->module->dllName);
|
||||
}
|
||||
|
||||
- list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE,
|
||||
- NULL);
|
||||
- if (list == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "PK11_GetAllTokens failed.\n");
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
- }
|
||||
+ for (;;) {
|
||||
+ mod_list = SECMOD_GetDefaultModuleList();
|
||||
+ for (mod_list_item = mod_list; mod_list_item != NULL;
|
||||
+ mod_list_item = mod_list_item->next) {
|
||||
+ for (s = 0; s < mod_list_item->module->slotCount; s++) {
|
||||
+ slInfo.flags = 0;
|
||||
+ rv = PK11_GetSlotInfo(mod_list_item->module->slots[s], &slInfo);
|
||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
||||
+ "Description [%s] Manufacturer [%s] flags [%lu] "
|
||||
+ "removable [%s] token present [%s].\n",
|
||||
+ slInfo.slotDescription, slInfo.manufacturerID,
|
||||
+ slInfo.flags,
|
||||
+ (slInfo.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
|
||||
+ (slInfo.flags & CKF_TOKEN_PRESENT) ? "true": "false");
|
||||
+
|
||||
+ if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) {
|
||||
+ slot = PK11_ReferenceSlot(mod_list_item->module->slots[s]);
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- for (le = list->head; le; le = le->next) {
|
||||
- CK_SLOT_INFO slInfo;
|
||||
+ /* When e.g. using Yubikeys the slot isn't present until the device is
|
||||
+ * inserted, so we should wait for a slot as well. */
|
||||
+ if (p11_ctx->wait_for_card && slot == NULL) {
|
||||
+ rv = NSS_ShutdownContext(p11_ctx->nss_ctx);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n",
|
||||
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
|
||||
+ }
|
||||
|
||||
- slInfo.flags = 0;
|
||||
- rv = PK11_GetSlotInfo(le->slot, &slInfo);
|
||||
- DEBUG(SSSDBG_TRACE_ALL,
|
||||
- "Description [%s] Manufacturer [%s] flags [%lu].\n",
|
||||
- slInfo.slotDescription, slInfo.manufacturerID, slInfo.flags);
|
||||
- if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) {
|
||||
- slot = PK11_ReferenceSlot(le->slot);
|
||||
+ sleep(PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME);
|
||||
+
|
||||
+ p11_ctx->nss_ctx = get_nss_ctx(p11_ctx->nss_db);
|
||||
+ if (p11_ctx->nss_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
|
||||
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
|
||||
+ return EIO;
|
||||
+ }
|
||||
+ } else {
|
||||
break;
|
||||
}
|
||||
}
|
||||
- PK11_FreeSlotList(list);
|
||||
+
|
||||
if (slot == NULL) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "No removable slots found.\n");
|
||||
ret = EIO;
|
||||
@@ -332,6 +369,22 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
module = PK11_GetModule(slot);
|
||||
module_name = module->dllName == NULL ? "NSS-Internal" : module->dllName;
|
||||
|
||||
+ if (!(slInfo.flags & CKF_TOKEN_PRESENT)) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Token not present.\n");
|
||||
+ if (p11_ctx->wait_for_card) {
|
||||
+ token_status = PK11_WaitForTokenEvent(slot, PK11TokenPresentEvent,
|
||||
+ PR_INTERVAL_NO_TIMEOUT, 0, 0);
|
||||
+ if (token_status != PK11TokenPresent) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_WaitForTokenEvent failed.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ } else {
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d][%s].\n",
|
||||
token_name, slot_name, (int) slot_id, (int) module_id, module_name);
|
||||
|
||||
@@ -651,26 +704,18 @@ static int talloc_nss_shutdown(struct p11_ctx *p11_ctx)
|
||||
}
|
||||
|
||||
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db,
|
||||
- struct p11_ctx **p11_ctx)
|
||||
+ bool wait_for_card, struct p11_ctx **p11_ctx)
|
||||
{
|
||||
struct p11_ctx *ctx;
|
||||
- uint32_t flags = NSS_INIT_READONLY
|
||||
- | NSS_INIT_FORCEOPEN
|
||||
- | NSS_INIT_NOROOTINIT
|
||||
- | NSS_INIT_OPTIMIZESPACE
|
||||
- | NSS_INIT_PK11RELOAD;
|
||||
- NSSInitParameters parameters = { 0 };
|
||||
- parameters.length = sizeof (parameters);
|
||||
-
|
||||
ctx = talloc_zero(mem_ctx, struct p11_ctx);
|
||||
if (ctx == NULL) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
|
||||
return ENOMEM;
|
||||
}
|
||||
ctx->nss_db = nss_db;
|
||||
+ ctx->wait_for_card = wait_for_card;
|
||||
|
||||
- ctx->nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters,
|
||||
- flags);
|
||||
+ ctx->nss_ctx = get_nss_ctx(nss_db);
|
||||
if (ctx->nss_ctx == NULL) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
|
||||
PR_GetError(), PORT_ErrorToString(PR_GetError()));
|
||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
||||
index bf4418f..d4572d9 100644
|
||||
--- a/src/p11_child/p11_child_openssl.c
|
||||
+++ b/src/p11_child/p11_child_openssl.c
|
||||
@@ -40,6 +40,7 @@
|
||||
struct p11_ctx {
|
||||
X509_STORE *x509_store;
|
||||
const char *ca_db;
|
||||
+ bool wait_for_card;
|
||||
};
|
||||
|
||||
static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
|
||||
@@ -48,8 +49,9 @@ static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
|
||||
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
|
||||
- struct p11_ctx **p11_ctx)
|
||||
+ bool wait_for_card, struct p11_ctx **p11_ctx)
|
||||
{
|
||||
int ret;
|
||||
struct p11_ctx *ctx;
|
||||
@@ -73,6 +75,7 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
|
||||
}
|
||||
|
||||
ctx->ca_db = ca_db;
|
||||
+ ctx->wait_for_card = wait_for_card;
|
||||
talloc_set_destructor(ctx, talloc_cleanup_openssl);
|
||||
|
||||
*p11_ctx = ctx;
|
||||
@@ -547,6 +550,45 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
|
||||
+{
|
||||
+ CK_FLAGS wait_flags = 0;
|
||||
+ CK_RV rv;
|
||||
+ CK_SLOT_INFO info;
|
||||
+
|
||||
+ rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
|
||||
+ if (rv != CKR_OK) {
|
||||
+ if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "C_WaitForSlotEvent failed [%lu][%s].\n",
|
||||
+ rv, p11_kit_strerror(rv));
|
||||
+ return EIO;
|
||||
+ }
|
||||
+
|
||||
+ /* Poor man's wait */
|
||||
+ do {
|
||||
+ sleep(10);
|
||||
+ rv = module->C_GetSlotInfo(*slot_id, &info);
|
||||
+ if (rv != CKR_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
|
||||
+ return EIO;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
||||
+ "Description [%s] Manufacturer [%s] flags [%lu] "
|
||||
+ "removable [%s] token present [%s].\n",
|
||||
+ info.slotDescription, info.manufacturerID, info.flags,
|
||||
+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
|
||||
+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
|
||||
+ if ((info.flags & CKF_REMOVABLE_DEVICE)
|
||||
+ && (info.flags & CKF_TOKEN_PRESENT)) {
|
||||
+ break;
|
||||
+ }
|
||||
+ } while (true);
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
#define MAX_SLOTS 64
|
||||
|
||||
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
@@ -588,39 +630,62 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
return EIO;
|
||||
}
|
||||
|
||||
- DEBUG(SSSDBG_TRACE_ALL, "Module List:\n");
|
||||
- for (c = 0; modules[c] != NULL; c++) {
|
||||
- mod_name = p11_kit_module_get_name(modules[c]);
|
||||
- mod_file_name = p11_kit_module_get_filename(modules[c]);
|
||||
- DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name);
|
||||
- DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name);
|
||||
- free(mod_name);
|
||||
- free(mod_file_name);
|
||||
+ for (;;) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Module List:\n");
|
||||
+ for (c = 0; modules[c] != NULL; c++) {
|
||||
+ mod_name = p11_kit_module_get_name(modules[c]);
|
||||
+ mod_file_name = p11_kit_module_get_filename(modules[c]);
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name);
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name);
|
||||
+ free(mod_name);
|
||||
+ free(mod_file_name);
|
||||
|
||||
- num_slots = MAX_SLOTS;
|
||||
- rv = modules[c]->C_GetSlotList(CK_TRUE, slots, &num_slots);
|
||||
- if (rv != CKR_OK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n");
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- for (s = 0; s < num_slots; s++) {
|
||||
- rv = modules[c]->C_GetSlotInfo(slots[s], &info);
|
||||
+ num_slots = MAX_SLOTS;
|
||||
+ rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots);
|
||||
if (rv != CKR_OK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n");
|
||||
ret = EIO;
|
||||
goto done;
|
||||
}
|
||||
- DEBUG(SSSDBG_TRACE_ALL,
|
||||
- "Description [%s] Manufacturer [%s] flags [%lu] removable [%s].\n",
|
||||
- info.slotDescription, info.manufacturerID, info.flags,
|
||||
- (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false");
|
||||
- if ((info.flags & CKF_REMOVABLE_DEVICE)) {
|
||||
+
|
||||
+ for (s = 0; s < num_slots; s++) {
|
||||
+ rv = modules[c]->C_GetSlotInfo(slots[s], &info);
|
||||
+ if (rv != CKR_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
||||
+ "Description [%s] Manufacturer [%s] flags [%lu] "
|
||||
+ "removable [%s] token present [%s].\n",
|
||||
+ info.slotDescription, info.manufacturerID, info.flags,
|
||||
+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
|
||||
+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
|
||||
+ if ((info.flags & CKF_REMOVABLE_DEVICE)) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ if (s != num_slots) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
- if (s != num_slots) {
|
||||
+
|
||||
+ /* When e.g. using Yubikeys the slot isn't present until the device is
|
||||
+ * inserted, so we should wait for a slot as well. */
|
||||
+ if (p11_ctx->wait_for_card && modules[c] == NULL) {
|
||||
+ p11_kit_modules_finalize_and_release(modules);
|
||||
+
|
||||
+ sleep(PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME);
|
||||
+
|
||||
+ modules = p11_kit_modules_load_and_initialize(0);
|
||||
+ if (modules == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "p11_kit_modules_load_and_initialize failed.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ } else {
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -631,14 +696,29 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- rv = modules[c]->C_GetTokenInfo(slots[s], &token_info);
|
||||
+ slot_id = slots[s];
|
||||
+
|
||||
+ if (!(info.flags & CKF_TOKEN_PRESENT)) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Token not present.\n");
|
||||
+ if (p11_ctx->wait_for_card) {
|
||||
+ ret = wait_for_card(modules[c], &slot_id);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "wait_for_card failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ } else {
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ rv = modules[c]->C_GetTokenInfo(slot_id, &token_info);
|
||||
if (rv != CKR_OK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n");
|
||||
ret = EIO;
|
||||
goto done;
|
||||
}
|
||||
|
||||
- slot_id = slots[s];
|
||||
module_id = c;
|
||||
slot_name = p11_kit_space_strdup(info.slotDescription,
|
||||
sizeof(info.slotDescription));
|
||||
--
|
||||
2.9.5
|
||||
|
143
0045-PAM-add-p11_wait_for_card_timeout-option.patch
Normal file
143
0045-PAM-add-p11_wait_for_card_timeout-option.patch
Normal file
@ -0,0 +1,143 @@
|
||||
From 2e4ecf5a866b212bef44e262fd90c67a88dc616a Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 18 Sep 2018 18:15:02 +0200
|
||||
Subject: [PATCH 60/83] PAM: add p11_wait_for_card_timeout option
|
||||
|
||||
If the --wait_for_card is used to call p11_child the PAM responder
|
||||
should be prepared to wait longer until p11_child can return
|
||||
successfully.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3650
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.h | 1 +
|
||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
||||
src/config/cfg_rules.ini | 1 +
|
||||
src/config/etc/sssd.api.conf | 1 +
|
||||
src/man/sssd.conf.5.xml | 14 ++++++++++++++
|
||||
src/responder/pam/pamsrv_cmd.c | 15 +++++++++++++++
|
||||
src/util/util.h | 1 +
|
||||
7 files changed, 34 insertions(+)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 625d156..87904c2 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -130,6 +130,7 @@
|
||||
#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
|
||||
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
|
||||
#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
|
||||
+#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
|
||||
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
|
||||
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
|
||||
|
||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||
index 81a03ad..4d1dba2 100644
|
||||
--- a/src/config/SSSDConfig/__init__.py.in
|
||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||
@@ -104,6 +104,7 @@ option_strings = {
|
||||
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
|
||||
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
|
||||
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
|
||||
+ 'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
|
||||
|
||||
# [sudo]
|
||||
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index 78f215e..50a8f1d 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -127,6 +127,7 @@ option = pam_cert_db_path
|
||||
option = p11_child_timeout
|
||||
option = pam_app_services
|
||||
option = pam_p11_allowed_services
|
||||
+option = p11_wait_for_card_timeout
|
||||
|
||||
[rule/allowed_sudo_options]
|
||||
validator = ini_allowed_options
|
||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
||||
index 52494c0..bb686c3 100644
|
||||
--- a/src/config/etc/sssd.api.conf
|
||||
+++ b/src/config/etc/sssd.api.conf
|
||||
@@ -76,6 +76,7 @@ pam_cert_db_path = str, None, false
|
||||
p11_child_timeout = int, None, false
|
||||
pam_app_services = str, None, false
|
||||
pam_p11_allowed_services = str, None, false
|
||||
+p11_wait_for_card_timeout = int, None, false
|
||||
|
||||
[sudo]
|
||||
# sudo service
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index c1e3895..4df0163 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -1464,6 +1464,20 @@ pam_p11_allowed_services = +my_pam_service, -login
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>p11_wait_for_card_timeout (integer)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ If Smartcard authentication is required how many
|
||||
+ extra seconds in addition to p11_child_timeout
|
||||
+ should the PAM responder wait until a Smartcard is
|
||||
+ inserted.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: 60
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</refsect2>
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index 817f3c5..c8df32d 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1297,6 +1297,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
||||
struct pam_data *pd)
|
||||
{
|
||||
int p11_child_timeout;
|
||||
+ int wait_for_card_timeout;
|
||||
char *cert_verification_opts;
|
||||
errno_t ret;
|
||||
struct tevent_req *req;
|
||||
@@ -1311,6 +1312,20 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
}
|
||||
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
|
||||
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
|
||||
+ CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT,
|
||||
+ P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT,
|
||||
+ &wait_for_card_timeout);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to read wait_for_card_timeout from confdb: [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ p11_child_timeout += wait_for_card_timeout;
|
||||
+ }
|
||||
|
||||
ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY,
|
||||
CONFDB_MONITOR_CERT_VERIFICATION, NULL,
|
||||
diff --git a/src/util/util.h b/src/util/util.h
|
||||
index 59e7a96..e3e9100 100644
|
||||
--- a/src/util/util.h
|
||||
+++ b/src/util/util.h
|
||||
@@ -724,6 +724,7 @@ errno_t create_preauth_indicator(void);
|
||||
#define P11_CHILD_LOG_FILE "p11_child"
|
||||
#define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child"
|
||||
#define P11_CHILD_TIMEOUT_DEFAULT 10
|
||||
+#define P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT 60
|
||||
#endif /* SSSD_LIBEXEC_PATH */
|
||||
|
||||
#endif /* __SSSD_UTIL_H__ */
|
||||
--
|
||||
2.9.5
|
||||
|
244
0046-pam_sss-make-flags-public.patch
Normal file
244
0046-pam_sss-make-flags-public.patch
Normal file
@ -0,0 +1,244 @@
|
||||
From d33a8bed5aad9135426c9ebdf101cf600685ab81 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 18 Sep 2018 10:11:02 +0200
|
||||
Subject: [PATCH 61/83] pam_sss: make flags public
|
||||
|
||||
To allow the PAM responder to act on the config flags set for pam_sss
|
||||
the flags have to be made public first.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3650
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/sss_client/pam_sss.c | 71 +++++++++++++++++++++---------------------------
|
||||
src/sss_client/sss_cli.h | 9 ++++++
|
||||
2 files changed, 40 insertions(+), 40 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index 59081cc..b336d1f 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -52,15 +52,6 @@
|
||||
#include <libintl.h>
|
||||
#define _(STRING) dgettext (PACKAGE, STRING)
|
||||
|
||||
-#define FLAGS_USE_FIRST_PASS (1 << 0)
|
||||
-#define FLAGS_FORWARD_PASS (1 << 1)
|
||||
-#define FLAGS_USE_AUTHTOK (1 << 2)
|
||||
-#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
|
||||
-#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
|
||||
-#define FLAGS_USE_2FA (1 << 5)
|
||||
-#define FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
||||
-#define FLAGS_PROMPT_ALWAYS (1 << 7)
|
||||
-
|
||||
#define PWEXP_FLAG "pam_sss:password_expired_flag"
|
||||
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
|
||||
#define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type"
|
||||
@@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
|
||||
pi->pam_service_size=strlen(pi->pam_service)+1;
|
||||
|
||||
ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user));
|
||||
- if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) {
|
||||
+ if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) {
|
||||
pi->pam_user = "";
|
||||
ret = PAM_SUCCESS;
|
||||
}
|
||||
if (ret != PAM_SUCCESS) return ret;
|
||||
if (pi->pam_user == NULL) {
|
||||
- if (flags & FLAGS_ALLOW_MISSING_NAME) {
|
||||
+ if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
|
||||
pi->pam_user = "";
|
||||
} else {
|
||||
D(("No user found, aborting."));
|
||||
@@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
||||
|
||||
for (; argc-- > 0; ++argv) {
|
||||
if (strcmp(*argv, "forward_pass") == 0) {
|
||||
- *flags |= FLAGS_FORWARD_PASS;
|
||||
+ *flags |= PAM_CLI_FLAGS_FORWARD_PASS;
|
||||
} else if (strcmp(*argv, "use_first_pass") == 0) {
|
||||
- *flags |= FLAGS_USE_FIRST_PASS;
|
||||
+ *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS;
|
||||
} else if (strcmp(*argv, "use_authtok") == 0) {
|
||||
- *flags |= FLAGS_USE_AUTHTOK;
|
||||
+ *flags |= PAM_CLI_FLAGS_USE_AUTHTOK;
|
||||
} else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
|
||||
if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
|
||||
logger(pamh, LOG_ERR, "Missing argument to option domains.");
|
||||
@@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
||||
} else if (strcmp(*argv, "quiet") == 0) {
|
||||
*quiet_mode = true;
|
||||
} else if (strcmp(*argv, "ignore_unknown_user") == 0) {
|
||||
- *flags |= FLAGS_IGNORE_UNKNOWN_USER;
|
||||
+ *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
|
||||
} else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
|
||||
- *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
|
||||
+ *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL;
|
||||
} else if (strcmp(*argv, "use_2fa") == 0) {
|
||||
- *flags |= FLAGS_USE_2FA;
|
||||
+ *flags |= PAM_CLI_FLAGS_USE_2FA;
|
||||
} else if (strcmp(*argv, "allow_missing_name") == 0) {
|
||||
- *flags |= FLAGS_ALLOW_MISSING_NAME;
|
||||
+ *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
|
||||
} else if (strcmp(*argv, "prompt_always") == 0) {
|
||||
- *flags |= FLAGS_PROMPT_ALWAYS;
|
||||
+ *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
|
||||
} else {
|
||||
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
|
||||
}
|
||||
@@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
||||
{
|
||||
int ret;
|
||||
|
||||
- if ((flags & FLAGS_USE_FIRST_PASS)
|
||||
+ if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|
||||
|| ( pi->pamstack_authtok != NULL
|
||||
&& *(pi->pamstack_authtok) != '\0'
|
||||
- && !(flags & FLAGS_PROMPT_ALWAYS))) {
|
||||
+ && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) {
|
||||
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
|
||||
pi->pam_authtok = strdup(pi->pamstack_authtok);
|
||||
if (pi->pam_authtok == NULL) {
|
||||
@@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
||||
}
|
||||
pi->pam_authtok_size = strlen(pi->pam_authtok);
|
||||
} else {
|
||||
- if (flags & FLAGS_USE_2FA
|
||||
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|
||||
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
|
||||
&& pi->otp_challenge != NULL)) {
|
||||
if (pi->password_prompting) {
|
||||
@@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- if (flags & FLAGS_FORWARD_PASS) {
|
||||
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
|
||||
if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
|
||||
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
|
||||
} else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
|
||||
@@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
||||
/* we query for the old password during PAM_PRELIM_CHECK to make
|
||||
* pam_sss work e.g. with pam_cracklib */
|
||||
if (pam_flags & PAM_PRELIM_CHECK) {
|
||||
- if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
|
||||
- if (flags & FLAGS_USE_2FA
|
||||
+ if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
|
||||
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|
||||
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
|
||||
&& pi->otp_challenge != NULL)) {
|
||||
if (pi->password_prompting) {
|
||||
@@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
||||
}
|
||||
}
|
||||
|
||||
- if (flags & FLAGS_USE_AUTHTOK) {
|
||||
+ if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) {
|
||||
pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
|
||||
pi->pam_newauthtok = strdup(pi->pamstack_authtok);
|
||||
if (pi->pam_newauthtok == NULL) {
|
||||
@@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- if (flags & FLAGS_FORWARD_PASS) {
|
||||
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
|
||||
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
|
||||
if (ret != PAM_SUCCESS) {
|
||||
D(("Failed to set PAM_AUTHTOK [%s], "
|
||||
@@ -2376,10 +2367,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
ret = get_pam_items(pamh, flags, &pi);
|
||||
if (ret != PAM_SUCCESS) {
|
||||
D(("get items returned error: %s", pam_strerror(pamh,ret)));
|
||||
- if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
|
||||
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
|
||||
ret = PAM_IGNORE;
|
||||
}
|
||||
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
||||
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
||||
&& ret == PAM_AUTHINFO_UNAVAIL) {
|
||||
ret = PAM_IGNORE;
|
||||
}
|
||||
@@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
case SSS_PAM_AUTHENTICATE:
|
||||
/*
|
||||
* Only do preauth if
|
||||
- * - FLAGS_USE_FIRST_PASS is not set
|
||||
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
|
||||
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
|
||||
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
|
||||
* - preauth indicator file exists.
|
||||
*/
|
||||
- if ( !(flags & FLAGS_USE_FIRST_PASS)
|
||||
+ if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|
||||
&& (pi.pam_authtok == NULL
|
||||
- || (flags & FLAGS_PROMPT_ALWAYS))
|
||||
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
|
||||
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
|
||||
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
|
||||
quiet_mode);
|
||||
@@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
* The means the preauth step has to be done here as well but
|
||||
* only if
|
||||
* - PAM_PRELIM_CHECK is set
|
||||
- * - FLAGS_USE_FIRST_PASS is not set
|
||||
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
|
||||
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
|
||||
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
|
||||
* - preauth indicator file exists.
|
||||
*/
|
||||
if ( (pam_flags & PAM_PRELIM_CHECK)
|
||||
- && !(flags & FLAGS_USE_FIRST_PASS)
|
||||
+ && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|
||||
&& (pi.pam_authtok == NULL
|
||||
- || (flags & FLAGS_PROMPT_ALWAYS))
|
||||
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
|
||||
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
|
||||
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
|
||||
quiet_mode);
|
||||
@@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
|
||||
pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
|
||||
|
||||
- if (flags & FLAGS_IGNORE_UNKNOWN_USER
|
||||
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER
|
||||
&& pam_status == PAM_USER_UNKNOWN) {
|
||||
pam_status = PAM_IGNORE;
|
||||
}
|
||||
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
||||
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
||||
&& pam_status == PAM_AUTHINFO_UNAVAIL) {
|
||||
pam_status = PAM_IGNORE;
|
||||
}
|
||||
@@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
retry = true;
|
||||
retries--;
|
||||
|
||||
- flags &= ~FLAGS_USE_FIRST_PASS;
|
||||
+ flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS;
|
||||
ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
|
||||
if (ret != PAM_SUCCESS) {
|
||||
D(("Failed to unset PAM_AUTHTOK [%s]",
|
||||
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
||||
index 24d28ed..3404715 100644
|
||||
--- a/src/sss_client/sss_cli.h
|
||||
+++ b/src/sss_client/sss_cli.h
|
||||
@@ -365,6 +365,15 @@ enum pam_item_type {
|
||||
SSS_PAM_ITEM_REQUESTED_DOMAINS,
|
||||
};
|
||||
|
||||
+#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
|
||||
+#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1)
|
||||
+#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2)
|
||||
+#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
|
||||
+#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
|
||||
+#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
|
||||
+#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
||||
+#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
|
||||
+
|
||||
#define SSS_NSS_MAX_ENTRIES 256
|
||||
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
|
||||
struct sss_cli_req_data {
|
||||
--
|
||||
2.9.5
|
||||
|
100
0047-pam_sss-add-try_cert_auth-option.patch
Normal file
100
0047-pam_sss-add-try_cert_auth-option.patch
Normal file
@ -0,0 +1,100 @@
|
||||
From d3a18f06162b9585d2db936472b75fdbff37162d Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 17 Sep 2018 17:54:26 +0200
|
||||
Subject: [PATCH 62/83] pam_sss: add try_cert_auth option
|
||||
|
||||
With this new option pam_sss can be configured to only do Smartcard
|
||||
authentication or return an error if this is not possible.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3650
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/man/pam_sss.8.xml | 23 +++++++++++++++++++++++
|
||||
src/sss_client/pam_sss.c | 9 +++++++++
|
||||
src/sss_client/sss_cli.h | 1 +
|
||||
3 files changed, 33 insertions(+)
|
||||
|
||||
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
|
||||
index d8e6a20..ca2e8e2 100644
|
||||
--- a/src/man/pam_sss.8.xml
|
||||
+++ b/src/man/pam_sss.8.xml
|
||||
@@ -50,6 +50,9 @@
|
||||
<arg choice='opt'>
|
||||
<replaceable>prompt_always</replaceable>
|
||||
</arg>
|
||||
+ <arg choice='opt'>
|
||||
+ <replaceable>try_cert_auth</replaceable>
|
||||
+ </arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
@@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>try_cert_auth</option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Try to use certificate based authentication, i.e.
|
||||
+ authentication with a Smartcard or similar devices. If a
|
||||
+ Smartcard is available and the service is allowed for
|
||||
+ Smartcard authentication the use will be prompted for a
|
||||
+ PIN and the certificate based authentication will
|
||||
+ continue
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ If no Smartcard is available or certificate based
|
||||
+ authentication is not allowed for the current service
|
||||
+ PAM_AUTHINFO_UNAVAIL is returned.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index b336d1f..96ff15a 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
||||
*flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
|
||||
} else if (strcmp(*argv, "prompt_always") == 0) {
|
||||
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
|
||||
+ } else if (strcmp(*argv, "try_cert_auth") == 0) {
|
||||
+ *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
|
||||
} else {
|
||||
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
|
||||
}
|
||||
@@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH
|
||||
+ && pi.cert_list == NULL) {
|
||||
+ D(("No certificates for authentication available."));
|
||||
+ overwrite_and_free_pam_items(&pi);
|
||||
+ return PAM_AUTHINFO_UNAVAIL;
|
||||
+ }
|
||||
+
|
||||
if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
|
||||
ret = check_login_token_name(pamh, &pi, quiet_mode);
|
||||
if (ret != PAM_SUCCESS) {
|
||||
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
||||
index 3404715..38e3f99 100644
|
||||
--- a/src/sss_client/sss_cli.h
|
||||
+++ b/src/sss_client/sss_cli.h
|
||||
@@ -373,6 +373,7 @@ enum pam_item_type {
|
||||
#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
|
||||
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
||||
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
|
||||
+#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
|
||||
|
||||
#define SSS_NSS_MAX_ENTRIES 256
|
||||
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
|
||||
--
|
||||
2.9.5
|
||||
|
370
0048-pam_sss-add-option-require_cert_auth.patch
Normal file
370
0048-pam_sss-add-option-require_cert_auth.patch
Normal file
@ -0,0 +1,370 @@
|
||||
From 49be8974b490c368d349752f3196af0c9ed28dd5 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 18 Sep 2018 09:53:37 +0200
|
||||
Subject: [PATCH 63/83] pam_sss: add option require_cert_auth
|
||||
|
||||
With this new option pam_sss will wait until a Smartcard is available
|
||||
and then try to authenticate with the help of the Smartcard.
|
||||
|
||||
Related https://pagure.io/SSSD/sssd/issue/3650
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/man/pam_sss.8.xml | 25 ++++++++++++
|
||||
src/responder/pam/pamsrv_cmd.c | 12 ++++++
|
||||
src/responder/pam/pamsrv_p11.c | 5 ++-
|
||||
src/sss_client/pam_message.c | 4 ++
|
||||
src/sss_client/pam_message.h | 1 +
|
||||
src/sss_client/pam_sss.c | 90 ++++++++++++++++++++++++++----------------
|
||||
src/sss_client/sss_cli.h | 2 +
|
||||
src/util/sss_pam_data.c | 1 +
|
||||
src/util/sss_pam_data.h | 1 +
|
||||
9 files changed, 106 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
|
||||
index ca2e8e2..9998519 100644
|
||||
--- a/src/man/pam_sss.8.xml
|
||||
+++ b/src/man/pam_sss.8.xml
|
||||
@@ -53,6 +53,9 @@
|
||||
<arg choice='opt'>
|
||||
<replaceable>try_cert_auth</replaceable>
|
||||
</arg>
|
||||
+ <arg choice='opt'>
|
||||
+ <replaceable>require_cert_auth</replaceable>
|
||||
+ </arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
@@ -223,6 +226,28 @@ auth sufficient pam_sss.so allow_missing_name
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>require_cert_auth</option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ Do certificate based authentication, i.e.
|
||||
+ authentication with a Smartcard or similar devices. If a
|
||||
+ Smartcard is not available the user will be prompted to
|
||||
+ insert one. SSSD will wait for a Smartcard until the
|
||||
+ timeout defined by p11_wait_for_card_timeout passed,
|
||||
+ please see
|
||||
+ <citerefentry><refentrytitle>sssd.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum></citerefentry> for details.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ If no Smartcard is available after the timeout or
|
||||
+ certificate based authentication is not allowed for the
|
||||
+ current service PAM_AUTHINFO_UNAVAIL is returned.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index c8df32d..6e37f83 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -317,6 +317,11 @@ static int pam_parse_in_data_v2(struct pam_data *pd,
|
||||
size, body, blen, &c);
|
||||
if (ret != EOK) return ret;
|
||||
break;
|
||||
+ case SSS_PAM_ITEM_FLAGS:
|
||||
+ ret = extract_uint32_t(&pd->cli_flags, size,
|
||||
+ body, blen, &c);
|
||||
+ if (ret != EOK) return ret;
|
||||
+ break;
|
||||
default:
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Ignoring unknown data type [%d].\n", type);
|
||||
@@ -1447,6 +1452,13 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
|
||||
"No certificate found and no logon name given, " \
|
||||
"authentication not possible.\n");
|
||||
ret = ENOENT;
|
||||
+ } else if (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
||||
+ "try_cert_auth flag set but no certificate available, "
|
||||
+ "request finished.\n");
|
||||
+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
||||
+ pam_reply(preq);
|
||||
+ return;
|
||||
} else {
|
||||
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
||||
index ffa6787..8b8859d 100644
|
||||
--- a/src/responder/pam/pamsrv_p11.c
|
||||
+++ b/src/responder/pam/pamsrv_p11.c
|
||||
@@ -721,7 +721,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
struct timeval tv;
|
||||
int pipefd_to_child[2] = PIPE_INIT;
|
||||
int pipefd_from_child[2] = PIPE_INIT;
|
||||
- const char *extra_args[13] = { NULL };
|
||||
+ const char *extra_args[14] = { NULL };
|
||||
uint8_t *write_buf = NULL;
|
||||
size_t write_buf_len = 0;
|
||||
size_t arg_c;
|
||||
@@ -748,6 +748,9 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
|
||||
/* extra_args are added in revers order */
|
||||
arg_c = 0;
|
||||
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
|
||||
+ extra_args[arg_c++] = "--wait_for_card";
|
||||
+ }
|
||||
extra_args[arg_c++] = nss_db;
|
||||
extra_args[arg_c++] = "--nssdb";
|
||||
if (verify_opts != NULL) {
|
||||
diff --git a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c
|
||||
index b239f6f..036ae2a 100644
|
||||
--- a/src/sss_client/pam_message.c
|
||||
+++ b/src/sss_client/pam_message.c
|
||||
@@ -126,6 +126,7 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
|
||||
len += 3*sizeof(uint32_t); /* cli_pid */
|
||||
len += *pi->requested_domains != '\0' ?
|
||||
2*sizeof(uint32_t) + pi->requested_domains_size : 0;
|
||||
+ len += 3*sizeof(uint32_t); /* flags */
|
||||
|
||||
buf = malloc(len);
|
||||
if (buf == NULL) {
|
||||
@@ -164,6 +165,9 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
|
||||
pi->pam_newauthtok, pi->pam_newauthtok_size,
|
||||
&buf[rp]);
|
||||
|
||||
+ rp += add_uint32_t_item(SSS_PAM_ITEM_FLAGS, (uint32_t) pi->flags,
|
||||
+ &buf[rp]);
|
||||
+
|
||||
SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
|
||||
|
||||
if (rp != len) {
|
||||
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
|
||||
index 11526a8..50fedcd 100644
|
||||
--- a/src/sss_client/pam_message.h
|
||||
+++ b/src/sss_client/pam_message.h
|
||||
@@ -51,6 +51,7 @@ struct pam_items {
|
||||
enum sss_authtok_type pam_newauthtok_type;
|
||||
size_t pam_newauthtok_size;
|
||||
pid_t cli_pid;
|
||||
+ uint32_t flags;
|
||||
const char *login_name;
|
||||
char *domain_name;
|
||||
const char *requested_domains;
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index 96ff15a..b4c1036 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -134,6 +134,7 @@ static void free_cai(struct cert_auth_info *cai)
|
||||
free(cai->cert_user);
|
||||
free(cai->cert);
|
||||
free(cai->token_name);
|
||||
+ free(cai->module_name);
|
||||
free(cai->key_id);
|
||||
free(cai->prompt_str);
|
||||
free(cai);
|
||||
@@ -1247,6 +1248,8 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
|
||||
pi->cert_list = NULL;
|
||||
pi->selected_cert = NULL;
|
||||
|
||||
+ pi->flags = flags;
|
||||
+
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -1267,6 +1270,7 @@ static void print_pam_items(struct pam_items *pi)
|
||||
D(("Newauthtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_newauthtok)));
|
||||
D(("Cli_PID: %d", pi->cli_pid));
|
||||
D(("Requested domains: %s", pi->requested_domains));
|
||||
+ D(("Flags: %d", pi->flags));
|
||||
}
|
||||
|
||||
static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
|
||||
@@ -1999,6 +2003,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
||||
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
|
||||
} else if (strcmp(*argv, "try_cert_auth") == 0) {
|
||||
*flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
|
||||
+ } else if (strcmp(*argv, "require_cert_auth") == 0) {
|
||||
+ *flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
|
||||
} else {
|
||||
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
|
||||
}
|
||||
@@ -2274,55 +2280,51 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
-#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter"
|
||||
+#define SC_ENTER_LABEL_FMT "Please enter smart card labeled\n %s"
|
||||
+#define SC_ENTER_FMT "Please enter smart card"
|
||||
|
||||
static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
|
||||
- bool quiet_mode)
|
||||
+ int retries, bool quiet_mode)
|
||||
{
|
||||
int ret;
|
||||
int pam_status;
|
||||
char *login_token_name;
|
||||
char *prompt = NULL;
|
||||
- size_t size;
|
||||
- char *answer = NULL;
|
||||
- /* TODO: check multiple cert case */
|
||||
- struct cert_auth_info *cai = pi->cert_list;
|
||||
+ uint32_t orig_flags = pi->flags;
|
||||
|
||||
- if (cai == NULL) {
|
||||
- D(("No certificate information available"));
|
||||
- return EINVAL;
|
||||
+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
|
||||
+ if (login_token_name == NULL
|
||||
+ && !(pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
|
||||
+ return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
- login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
|
||||
if (login_token_name == NULL) {
|
||||
- return PAM_SUCCESS;
|
||||
+ ret = asprintf(&prompt, SC_ENTER_FMT);
|
||||
+ } else {
|
||||
+ ret = asprintf(&prompt, SC_ENTER_LABEL_FMT, login_token_name);
|
||||
+ }
|
||||
+ if (ret == -1) {
|
||||
+ return ENOMEM;
|
||||
}
|
||||
|
||||
- while (cai->token_name == NULL
|
||||
- || strcmp(login_token_name, cai->token_name) != 0) {
|
||||
- size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
|
||||
- prompt = malloc(size);
|
||||
- if (prompt == NULL) {
|
||||
- D(("malloc failed."));
|
||||
- return ENOMEM;
|
||||
- }
|
||||
+ pi->flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
|
||||
|
||||
- ret = snprintf(prompt, size, SC_ENTER_FMT,
|
||||
- login_token_name);
|
||||
- if (ret < 0 || ret >= size) {
|
||||
- D(("snprintf failed."));
|
||||
- free(prompt);
|
||||
- return EFAULT;
|
||||
+ /* TODO: check multiple cert case */
|
||||
+ while (pi->cert_list == NULL || pi->cert_list->token_name == NULL
|
||||
+ || (login_token_name != NULL
|
||||
+ && strcmp(login_token_name,
|
||||
+ pi->cert_list->token_name) != 0)) {
|
||||
+
|
||||
+ if (retries < 0) {
|
||||
+ ret = PAM_AUTHINFO_UNAVAIL;
|
||||
+ goto done;
|
||||
}
|
||||
+ retries--;
|
||||
|
||||
- ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
|
||||
- NULL, &answer);
|
||||
- free(prompt);
|
||||
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL);
|
||||
if (ret != PAM_SUCCESS) {
|
||||
D(("do_pam_conversation failed."));
|
||||
- return ret;
|
||||
- } else {
|
||||
- free(answer);
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
|
||||
@@ -2335,7 +2337,14 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
|
||||
}
|
||||
}
|
||||
|
||||
- return PAM_SUCCESS;
|
||||
+ ret = PAM_SUCCESS;
|
||||
+
|
||||
+done:
|
||||
+
|
||||
+ pi->flags = orig_flags;
|
||||
+ free(prompt);
|
||||
+
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
@@ -2394,8 +2403,19 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
&& (pi.pam_authtok == NULL
|
||||
|| (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
|
||||
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
|
||||
+
|
||||
+ if (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) {
|
||||
+ /* Do not use PAM_CLI_FLAGS_REQUIRE_CERT_AUTH in the first
|
||||
+ * SSS_PAM_PREAUTH run. In case a card is already inserted
|
||||
+ * we do not have to prompt to insert a card. */
|
||||
+ pi.flags &= ~PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
|
||||
+ pi.flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
|
||||
+ }
|
||||
+
|
||||
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
|
||||
quiet_mode);
|
||||
+
|
||||
+ pi.flags = flags;
|
||||
if (pam_status != PAM_SUCCESS) {
|
||||
D(("send_and_receive returned [%d] during pre-auth",
|
||||
pam_status));
|
||||
@@ -2414,8 +2434,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
||||
return PAM_AUTHINFO_UNAVAIL;
|
||||
}
|
||||
|
||||
- if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
|
||||
- ret = check_login_token_name(pamh, &pi, quiet_mode);
|
||||
+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0
|
||||
+ || (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
|
||||
+ ret = check_login_token_name(pamh, &pi, retries,
|
||||
+ quiet_mode);
|
||||
if (ret != PAM_SUCCESS) {
|
||||
D(("check_login_token_name failed.\n"));
|
||||
return ret;
|
||||
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
||||
index 38e3f99..af8a439 100644
|
||||
--- a/src/sss_client/sss_cli.h
|
||||
+++ b/src/sss_client/sss_cli.h
|
||||
@@ -363,6 +363,7 @@ enum pam_item_type {
|
||||
SSS_PAM_ITEM_CLI_LOCALE,
|
||||
SSS_PAM_ITEM_CLI_PID,
|
||||
SSS_PAM_ITEM_REQUESTED_DOMAINS,
|
||||
+ SSS_PAM_ITEM_FLAGS,
|
||||
};
|
||||
|
||||
#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
|
||||
@@ -374,6 +375,7 @@ enum pam_item_type {
|
||||
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
||||
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
|
||||
#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
|
||||
+#define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
|
||||
|
||||
#define SSS_NSS_MAX_ENTRIES 256
|
||||
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
|
||||
diff --git a/src/util/sss_pam_data.c b/src/util/sss_pam_data.c
|
||||
index 5e41349..cb8779c 100644
|
||||
--- a/src/util/sss_pam_data.c
|
||||
+++ b/src/util/sss_pam_data.c
|
||||
@@ -176,6 +176,7 @@ void pam_print_data(int l, struct pam_data *pd)
|
||||
DEBUG(l, "priv: %d\n", pd->priv);
|
||||
DEBUG(l, "cli_pid: %d\n", pd->cli_pid);
|
||||
DEBUG(l, "logon name: %s\n", PAM_SAFE_ITEM(pd->logon_name));
|
||||
+ DEBUG(l, "flags: %d\n", pd->cli_flags);
|
||||
}
|
||||
|
||||
int pam_add_response(struct pam_data *pd, enum response_type type,
|
||||
diff --git a/src/util/sss_pam_data.h b/src/util/sss_pam_data.h
|
||||
index 7d74fa6..c989810 100644
|
||||
--- a/src/util/sss_pam_data.h
|
||||
+++ b/src/util/sss_pam_data.h
|
||||
@@ -58,6 +58,7 @@ struct pam_data {
|
||||
struct sss_auth_token *newauthtok;
|
||||
uint32_t cli_pid;
|
||||
char *logon_name;
|
||||
+ uint32_t cli_flags;
|
||||
|
||||
int pam_status;
|
||||
int response_delay;
|
||||
--
|
||||
2.9.5
|
||||
|
309
0049-intg-require-SC-tests.patch
Normal file
309
0049-intg-require-SC-tests.patch
Normal file
@ -0,0 +1,309 @@
|
||||
From 5cdb6968f407c7bcaba69f4892f51fd6426dddb2 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 26 Sep 2018 11:48:37 +0200
|
||||
Subject: [PATCH 64/83] intg: require SC tests
|
||||
|
||||
Integration test for the new try_cert_auth and require_cert_auth option
|
||||
for pam_sss.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3650
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/intg/Makefile.am | 16 ++-
|
||||
src/tests/intg/test_pam_responder.py | 188 +++++++++++++++++++++++++++++++----
|
||||
2 files changed, 182 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index bb3a7f0..44fb635 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -113,6 +113,20 @@ pam_sss_service:
|
||||
echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
|
||||
+pam_sss_sc_required:
|
||||
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
|
||||
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so require_cert_auth retry=1" > $(PAM_SERVICE_DIR)/$@
|
||||
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
+
|
||||
+pam_sss_try_sc:
|
||||
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
|
||||
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so try_cert_auth" > $(PAM_SERVICE_DIR)/$@
|
||||
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
||||
+
|
||||
CLEANFILES=config.py config.pyc passwd group
|
||||
|
||||
clean-local:
|
||||
@@ -127,7 +141,7 @@ PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
|
||||
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
|
||||
endif
|
||||
|
||||
-intgcheck-installed: config.py passwd group pam_sss_service
|
||||
+intgcheck-installed: config.py passwd group pam_sss_service pam_sss_sc_required pam_sss_try_sc
|
||||
pipepath="$(DESTDIR)$(pipepath)"; \
|
||||
if test $${#pipepath} -gt 80; then \
|
||||
echo "error: Pipe directory path too long," \
|
||||
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
|
||||
index c6d048c..06f69a3 100644
|
||||
--- a/src/tests/intg/test_pam_responder.py
|
||||
+++ b/src/tests/intg/test_pam_responder.py
|
||||
@@ -41,6 +41,11 @@ USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
|
||||
dir='/home/user1',
|
||||
shell='/bin/bash')
|
||||
|
||||
+USER2 = dict(name='user2', passwd='x', uid=10002, gid=20002,
|
||||
+ gecos='User with no Smartcard mapping',
|
||||
+ dir='/home/user2',
|
||||
+ shell='/bin/bash')
|
||||
+
|
||||
|
||||
def format_pam_cert_auth_conf(config):
|
||||
"""Format a basic SSSD configuration"""
|
||||
@@ -55,8 +60,11 @@ def format_pam_cert_auth_conf(config):
|
||||
|
||||
[pam]
|
||||
pam_cert_auth = True
|
||||
- pam_p11_allowed_services = +pam_sss_service
|
||||
+ pam_p11_allowed_services = +pam_sss_service, +pam_sss_sc_required, \
|
||||
+ +pam_sss_try_sc
|
||||
pam_cert_db_path = {config.PAM_CERT_DB_PATH}
|
||||
+ p11_child_timeout = 5
|
||||
+ p11_wait_for_card_timeout = 5
|
||||
debug_level = 10
|
||||
|
||||
[domain/auth_only]
|
||||
@@ -149,6 +157,15 @@ def create_nssdb():
|
||||
pkcs11_txt.close()
|
||||
|
||||
|
||||
+def create_nssdb_no_cert():
|
||||
+ os.mkdir(config.SYSCONFDIR + "/pki")
|
||||
+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb")
|
||||
+ if subprocess.call(["certutil", "-N", "-d",
|
||||
+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/",
|
||||
+ "--empty-password"]) != 0:
|
||||
+ raise Exception("certutil failed")
|
||||
+
|
||||
+
|
||||
def cleanup_nssdb():
|
||||
shutil.rmtree(config.SYSCONFDIR + "/pki")
|
||||
|
||||
@@ -158,14 +175,42 @@ def create_nssdb_fixture(request):
|
||||
request.addfinalizer(cleanup_nssdb)
|
||||
|
||||
|
||||
+def create_nssdb_no_cert_fixture(request):
|
||||
+ create_nssdb_no_cert()
|
||||
+ request.addfinalizer(cleanup_nssdb)
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
-def simple_pam_cert_auth(request):
|
||||
+def simple_pam_cert_auth(request, passwd_ops_setup):
|
||||
"""Setup SSSD with pam_cert_auth=True"""
|
||||
config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
|
||||
conf = format_pam_cert_auth_conf(config)
|
||||
create_conf_fixture(request, conf)
|
||||
create_sssd_fixture(request)
|
||||
create_nssdb_fixture(request)
|
||||
+ passwd_ops_setup.useradd(**USER1)
|
||||
+ passwd_ops_setup.useradd(**USER2)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
|
||||
+ """Setup SSSD with pam_cert_auth=True"""
|
||||
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
|
||||
+
|
||||
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
|
||||
+ del os.environ['SOFTHSM2_CONF']
|
||||
+
|
||||
+ conf = format_pam_cert_auth_conf(config)
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ create_nssdb_no_cert_fixture(request)
|
||||
+
|
||||
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
|
||||
+
|
||||
+ passwd_ops_setup.useradd(**USER1)
|
||||
+ passwd_ops_setup.useradd(**USER2)
|
||||
+
|
||||
return None
|
||||
|
||||
|
||||
@@ -176,26 +221,26 @@ def test_preauth_indicator(simple_pam_cert_auth):
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
-def pam_wrapper_setup(request):
|
||||
+def env_for_sssctl(request):
|
||||
pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
|
||||
if pwrap_runtimedir is None:
|
||||
raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
|
||||
|
||||
+ env_for_sssctl = os.environ.copy()
|
||||
+ env_for_sssctl['PAM_WRAPPER'] = "1"
|
||||
+ env_for_sssctl['SSSD_INTG_PEER_UID'] = "0"
|
||||
+ env_for_sssctl['SSSD_INTG_PEER_GID'] = "0"
|
||||
+ env_for_sssctl['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
|
||||
|
||||
-def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
|
||||
- passwd_ops_setup):
|
||||
+ return env_for_sssctl
|
||||
|
||||
- passwd_ops_setup.useradd(**USER1)
|
||||
- current_env = os.environ.copy()
|
||||
- current_env['PAM_WRAPPER'] = "1"
|
||||
- current_env['SSSD_INTG_PEER_UID'] = "0"
|
||||
- current_env['SSSD_INTG_PEER_GID'] = "0"
|
||||
- current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
|
||||
+
|
||||
+def test_sc_auth_wrong_pin(simple_pam_cert_auth, env_for_sssctl):
|
||||
|
||||
sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
"--action=auth", "--service=pam_sss_service"],
|
||||
universal_newlines=True,
|
||||
- env=current_env, stdin=subprocess.PIPE,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
|
||||
try:
|
||||
@@ -214,19 +259,120 @@ def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
|
||||
"Authentication failure") != -1
|
||||
|
||||
|
||||
-def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):
|
||||
-
|
||||
- passwd_ops_setup.useradd(**USER1)
|
||||
- current_env = os.environ.copy()
|
||||
- current_env['PAM_WRAPPER'] = "1"
|
||||
- current_env['SSSD_INTG_PEER_UID'] = "0"
|
||||
- current_env['SSSD_INTG_PEER_GID'] = "0"
|
||||
- current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
|
||||
+def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
|
||||
|
||||
sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
"--action=auth", "--service=pam_sss_service"],
|
||||
universal_newlines=True,
|
||||
- env=current_env, stdin=subprocess.PIPE,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="123456")
|
||||
+ except:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
+
|
||||
+
|
||||
+def test_require_sc_auth(simple_pam_cert_auth, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
+ "--action=auth",
|
||||
+ "--service=pam_sss_sc_required"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="123456")
|
||||
+ except:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
+
|
||||
+
|
||||
+def test_require_sc_auth_no_cert(simple_pam_cert_auth_no_cert, env_for_sssctl):
|
||||
+
|
||||
+ # We have to wait about 20s before the command returns because there will
|
||||
+ # be 2 run since retry=1 in the PAM configuration and both
|
||||
+ # p11_child_timeout and p11_wait_for_card_timeout are 5s in sssd.conf,
|
||||
+ # so 2*(5+5)=20. */
|
||||
+ start_time = time.time()
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
+ "--action=auth",
|
||||
+ "--service=pam_sss_sc_required"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="123456")
|
||||
+ except:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ end_time = time.time()
|
||||
+ assert end_time > start_time and \
|
||||
+ (end_time - start_time) >= 20 and \
|
||||
+ (end_time - start_time) < 40
|
||||
+ assert out.find("Please enter smart card\nPlease enter smart card") != -1
|
||||
+ assert err.find("pam_authenticate for user [user1]: Authentication " +
|
||||
+ "service cannot retrieve authentication info") != -1
|
||||
+
|
||||
+
|
||||
+def test_try_sc_auth_no_map(simple_pam_cert_auth, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user2",
|
||||
+ "--action=auth",
|
||||
+ "--service=pam_sss_try_sc"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="123456")
|
||||
+ except:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user2]: Authentication " +
|
||||
+ "service cannot retrieve authentication info") != -1
|
||||
+
|
||||
+
|
||||
+def test_try_sc_auth(simple_pam_cert_auth, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
+ "--action=auth",
|
||||
+ "--service=pam_sss_try_sc"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
|
||||
try:
|
||||
--
|
||||
2.9.5
|
||||
|
407
0050-p11_child-show-PKCS-11-URI-in-debug-output.patch
Normal file
407
0050-p11_child-show-PKCS-11-URI-in-debug-output.patch
Normal file
@ -0,0 +1,407 @@
|
||||
From 46fd681a73ffef062cd027e7018e1a02d7a0a9df Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 8 Oct 2018 10:45:28 +0200
|
||||
Subject: [PATCH 65/83] p11_child: show PKCS#11 URI in debug output
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3814
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/p11_child/p11_child_nss.c | 240 ++++++++++++++++++++++++++++++++++++++
|
||||
src/p11_child/p11_child_openssl.c | 80 +++++++++++++
|
||||
2 files changed, 320 insertions(+)
|
||||
|
||||
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
|
||||
index b2777d1..fff1f25 100644
|
||||
--- a/src/p11_child/p11_child_nss.c
|
||||
+++ b/src/p11_child/p11_child_nss.c
|
||||
@@ -39,6 +39,7 @@
|
||||
#include <pk11pub.h>
|
||||
#include <prerror.h>
|
||||
#include <ocsp.h>
|
||||
+#include <pkcs11uri.h>
|
||||
|
||||
#include "util/child_common.h"
|
||||
#include "providers/backend.h"
|
||||
@@ -63,6 +64,239 @@ struct p11_ctx {
|
||||
| certificateUsageStatusResponder \
|
||||
| certificateUsageSSLCA )
|
||||
|
||||
+
|
||||
+static char *get_pkcs11_string(TALLOC_CTX *mem_ctx, const char *in, size_t len)
|
||||
+{
|
||||
+ size_t c = len;
|
||||
+
|
||||
+ if (in == NULL || len == 0) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ while(c > 0 && in[c - 1] == ' ') {
|
||||
+ c--;
|
||||
+ }
|
||||
+
|
||||
+ return talloc_strndup(mem_ctx, in, c);
|
||||
+}
|
||||
+
|
||||
+static char *pct_encode(TALLOC_CTX *mem_ctx, SECItem *data)
|
||||
+{
|
||||
+ char *pct;
|
||||
+ size_t c;
|
||||
+ int ret;
|
||||
+
|
||||
+ pct = talloc_zero_size(mem_ctx, sizeof(char) * (3*data->len + 1));
|
||||
+ if (pct == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ for (c = 0; c < data->len; c++) {
|
||||
+ ret = snprintf(pct + 3*c, 4, "%%%02X", data->data[c]);
|
||||
+ if (ret != 3) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n");
|
||||
+ talloc_free(pct);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return pct;
|
||||
+}
|
||||
+
|
||||
+static char *get_key_id_pct(TALLOC_CTX *mem_ctx, PK11SlotInfo *slot,
|
||||
+ CERTCertificate *cert)
|
||||
+{
|
||||
+ SECItem *key_id = NULL;
|
||||
+ char *key_id_str = NULL;
|
||||
+
|
||||
+ key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL);
|
||||
+ if (key_id == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n",
|
||||
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ key_id_str = pct_encode(mem_ctx, key_id);
|
||||
+ SECITEM_FreeItem(key_id, PR_TRUE);
|
||||
+ if (key_id_str == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "pct_encode failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ return key_id_str;
|
||||
+}
|
||||
+
|
||||
+static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, SECMODModule *mod,
|
||||
+ PK11SlotInfo *slot,
|
||||
+ const char *label, CERTCertificate *cert)
|
||||
+{
|
||||
+ CK_INFO module_info;
|
||||
+ CK_SLOT_INFO slot_info;
|
||||
+ CK_TOKEN_INFO token_info;
|
||||
+ char *values[13];
|
||||
+ PK11URIAttribute attrs[13];
|
||||
+ size_t nattrs = 0;
|
||||
+ SECStatus rv;
|
||||
+ char *tmp_str;
|
||||
+ char *uri_str;
|
||||
+ PK11URI *uri;
|
||||
+ CK_SLOT_ID slot_id;
|
||||
+ char *id_pct;
|
||||
+
|
||||
+ rv = PK11_GetModInfo(mod, &module_info);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetModInfo failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ rv = PK11_GetSlotInfo(slot, &slot_info);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetSlotInfo failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ rv = PK11_GetTokenInfo(slot, &token_info);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetTokenInfo failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ values[nattrs] = get_pkcs11_string(mem_ctx,
|
||||
+ (char *)module_info.libraryDescription,
|
||||
+ sizeof(module_info.libraryDescription));
|
||||
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_DESCRIPTION;
|
||||
+ attrs[nattrs].value = values[nattrs];
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ values[nattrs] = get_pkcs11_string(mem_ctx,
|
||||
+ (char *)module_info.manufacturerID,
|
||||
+ sizeof(module_info.manufacturerID));
|
||||
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_MANUFACTURER;
|
||||
+ attrs[nattrs].value = values[nattrs];
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ values[nattrs] = talloc_asprintf(mem_ctx, "%d.%d",
|
||||
+ module_info.libraryVersion.major,
|
||||
+ module_info.libraryVersion.minor);
|
||||
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_VERSION;
|
||||
+ attrs[nattrs].value = values[nattrs];
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ values[nattrs] = get_pkcs11_string(mem_ctx,
|
||||
+ (char *)slot_info.slotDescription,
|
||||
+ sizeof(slot_info.slotDescription));
|
||||
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_DESCRIPTION;
|
||||
+ attrs[nattrs].value = values[nattrs];
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ values[nattrs] = get_pkcs11_string(mem_ctx,
|
||||
+ (char *)slot_info.manufacturerID,
|
||||
+ sizeof(slot_info.manufacturerID));
|
||||
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_MANUFACTURER;
|
||||
+ attrs[nattrs].value = values[nattrs];
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ slot_id = PK11_GetSlotID(slot);
|
||||
+ values[nattrs] = talloc_asprintf(mem_ctx, "%d", (int) slot_id);
|
||||
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_ID;
|
||||
+ attrs[nattrs].value = values[nattrs];
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ values[nattrs] = get_pkcs11_string(mem_ctx, (char *)token_info.model,
|
||||
+ sizeof(token_info.model));
|
||||
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_MODEL;
|
||||
+ attrs[nattrs].value = values[nattrs];
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ values[nattrs] = get_pkcs11_string(mem_ctx,
|
||||
+ (char *)token_info.manufacturerID,
|
||||
+ sizeof(token_info.manufacturerID));
|
||||
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_MANUFACTURER;
|
||||
+ attrs[nattrs].value = values[nattrs];
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ values[nattrs] = get_pkcs11_string(mem_ctx,
|
||||
+ (char *)token_info.serialNumber,
|
||||
+ sizeof(token_info.serialNumber));
|
||||
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_SERIAL;
|
||||
+ attrs[nattrs].value = values[nattrs];
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ values[nattrs] = get_pkcs11_string(mem_ctx, (char *)token_info.label,
|
||||
+ sizeof(token_info.label));
|
||||
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_TOKEN;
|
||||
+ attrs[nattrs].value = values[nattrs];
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ if (label != NULL && *label != '\0') {
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_OBJECT;
|
||||
+ attrs[nattrs].value = label;
|
||||
+ nattrs++;
|
||||
+ }
|
||||
+
|
||||
+ attrs[nattrs].name = PK11URI_PATTR_TYPE;
|
||||
+ attrs[nattrs].value = "cert";
|
||||
+ nattrs++;
|
||||
+
|
||||
+ uri = PK11URI_CreateURI(attrs, nattrs, NULL, 0);
|
||||
+ if (uri == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "PK11URI_CreateURI failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ tmp_str = PK11URI_FormatURI(NULL, uri);
|
||||
+ PK11URI_DestroyURI(uri);
|
||||
+ if (tmp_str == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "PK11URI_FormatURI failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ /* Currently I have no idea how to get the ID properly formatted with the
|
||||
+ * NSS PK11 calls. Since all attribute values are treated as strings zeros
|
||||
+ * in the IDs cannot be handled. And the IDs cannot be set percent-encoded
|
||||
+ * since all attribute values will be escaped which means the '%' sign
|
||||
+ * will be escaped to '%25'. Hence for the time being the ID is added
|
||||
+ * manually to the end of the URI. */
|
||||
+ id_pct = get_key_id_pct(mem_ctx, slot, cert);
|
||||
+ if (id_pct == NULL || *id_pct == '\0') {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "get_key_id_pct failed.\n");
|
||||
+ PORT_Free(tmp_str);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ uri_str = talloc_asprintf(mem_ctx, "%s;%s=%s", tmp_str,
|
||||
+ PK11URI_PATTR_ID, id_pct);
|
||||
+ talloc_free(id_pct);
|
||||
+ if (uri_str == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ return uri_str;
|
||||
+
|
||||
+}
|
||||
+
|
||||
static char *password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg)
|
||||
{
|
||||
/* give up if 1) no password was supplied, or 2) the password has already
|
||||
@@ -465,6 +699,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
cert_list_node->cert->nickname,
|
||||
cert_list_node->cert->subjectName);
|
||||
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "module uri: %s.\n", PK11_GetModuleURI(module));
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "token uri: %s.\n", PK11_GetTokenURI(slot));
|
||||
+
|
||||
if (p11_ctx->handle != NULL) {
|
||||
if (!do_verification(p11_ctx, cert_list_node->cert)) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
@@ -651,6 +888,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
|
||||
DEBUG(SSSDBG_TRACE_ALL, "Found certificate has key id [%s].\n",
|
||||
key_id_str);
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "uri: %s.\n", get_pkcs11_uri(mem_ctx, module,
|
||||
+ slot, label,
|
||||
+ found_cert));
|
||||
|
||||
multi = talloc_asprintf_append(multi, "%s\n%s\n%s\n%s\n%s\n",
|
||||
token_name, module_name, key_id_str,
|
||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
||||
index d4572d9..09edeef 100644
|
||||
--- a/src/p11_child/p11_child_openssl.c
|
||||
+++ b/src/p11_child/p11_child_openssl.c
|
||||
@@ -29,6 +29,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <p11-kit/p11-kit.h>
|
||||
+#include <p11-kit/uri.h>
|
||||
|
||||
#include <popt.h>
|
||||
|
||||
@@ -43,6 +44,72 @@ struct p11_ctx {
|
||||
bool wait_for_card;
|
||||
};
|
||||
|
||||
+
|
||||
+static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
|
||||
+ CK_SLOT_INFO *slot_info, CK_SLOT_ID slot_id,
|
||||
+ CK_TOKEN_INFO *token_info, CK_ATTRIBUTE *label,
|
||||
+ CK_ATTRIBUTE *id)
|
||||
+{
|
||||
+ P11KitUri *uri;
|
||||
+ char *uri_str = NULL;
|
||||
+ char *tmp_str = NULL;
|
||||
+ int ret;
|
||||
+ CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
|
||||
+ CK_ATTRIBUTE class_attr = {CKA_CLASS, &cert_class, sizeof(CK_OBJECT_CLASS)};
|
||||
+
|
||||
+ uri = p11_kit_uri_new();
|
||||
+ if (uri == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_new failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ ret = p11_kit_uri_set_attribute(uri, label);
|
||||
+ if (ret != P11_KIT_URI_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = p11_kit_uri_set_attribute(uri, id);
|
||||
+ if (ret != P11_KIT_URI_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = p11_kit_uri_set_attribute(uri, &class_attr);
|
||||
+ if (ret != P11_KIT_URI_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+ memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO));
|
||||
+
|
||||
+ memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
|
||||
+ ret = p11_kit_uri_set_slot_id(uri, slot_id);
|
||||
+
|
||||
+ memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO));
|
||||
+
|
||||
+ ret = p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &tmp_str);
|
||||
+ if (ret != P11_KIT_URI_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_format failed [%s].\n",
|
||||
+ p11_kit_uri_message(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (tmp_str != NULL) {
|
||||
+ uri_str = talloc_strdup(mem_ctx, tmp_str);
|
||||
+ free(tmp_str);
|
||||
+ if (uri_str == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ p11_kit_uri_free(uri);
|
||||
+
|
||||
+ return uri_str;
|
||||
+}
|
||||
+
|
||||
static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
|
||||
{
|
||||
CRYPTO_cleanup_all_ex_data();
|
||||
@@ -234,6 +301,7 @@ struct cert_list {
|
||||
X509 *cert;
|
||||
char *subject_dn;
|
||||
char *cert_b64;
|
||||
+ char *uri;
|
||||
CK_KEY_TYPE key_type;
|
||||
CK_OBJECT_HANDLE private_key;
|
||||
};
|
||||
@@ -608,6 +676,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
CK_SLOT_ID slot_id;
|
||||
CK_SLOT_INFO info;
|
||||
CK_TOKEN_INFO token_info;
|
||||
+ CK_INFO module_info;
|
||||
CK_RV rv;
|
||||
size_t module_id;
|
||||
char *module_file_name = NULL;
|
||||
@@ -821,6 +890,17 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ memset(&module_info, 0, sizeof(CK_INFO));
|
||||
+ module->C_GetInfo(&module_info);
|
||||
+
|
||||
+ DLIST_FOR_EACH(item, cert_list) {
|
||||
+ item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id,
|
||||
+ &token_info,
|
||||
+ &item->attributes[1] /* label */,
|
||||
+ &item->attributes[0] /* id */);
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "uri: %s.\n", item->uri);
|
||||
+ }
|
||||
+
|
||||
/* TODO: check module_name_in, token_name_in, key_id_in */
|
||||
|
||||
if (cert_list == NULL) {
|
||||
--
|
||||
2.9.5
|
||||
|
238
0051-p11_child-add-PKCS-11-uri-to-restrict-selection.patch
Normal file
238
0051-p11_child-add-PKCS-11-uri-to-restrict-selection.patch
Normal file
@ -0,0 +1,238 @@
|
||||
From f7b2152a4c3c816a5bc4226a0e01791313accef3 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 8 Oct 2018 12:47:25 +0200
|
||||
Subject: [PATCH 66/83] p11_child: add PKCS#11 uri to restrict selection
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3814
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/p11_child/p11_child.h | 2 +-
|
||||
src/p11_child/p11_child_common.c | 9 +++--
|
||||
src/p11_child/p11_child_nss.c | 2 +-
|
||||
src/p11_child/p11_child_openssl.c | 81 +++++++++++++++++++++++++++++++++++++--
|
||||
4 files changed, 86 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
|
||||
index dd8fdea..92ecf74 100644
|
||||
--- a/src/p11_child/p11_child.h
|
||||
+++ b/src/p11_child/p11_child.h
|
||||
@@ -54,5 +54,5 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64);
|
||||
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
enum op_mode mode, const char *pin,
|
||||
const char *module_name_in, const char *token_name_in,
|
||||
- const char *key_id_in, char **_multi);
|
||||
+ const char *key_id_in, const char *uri, char **_multi);
|
||||
#endif /* __P11_CHILD_H__ */
|
||||
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
|
||||
index bc5f6b0..097e7fa 100644
|
||||
--- a/src/p11_child/p11_child_common.c
|
||||
+++ b/src/p11_child/p11_child_common.c
|
||||
@@ -60,7 +60,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
|
||||
bool wait_for_card,
|
||||
const char *cert_b64, const char *pin,
|
||||
const char *module_name, const char *token_name,
|
||||
- const char *key_id, char **multi)
|
||||
+ const char *key_id, const char *uri, char **multi)
|
||||
{
|
||||
int ret;
|
||||
struct p11_ctx *p11_ctx;
|
||||
@@ -90,7 +90,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
|
||||
}
|
||||
} else {
|
||||
ret = do_card(mem_ctx, p11_ctx, mode, pin,
|
||||
- module_name, token_name, key_id, multi);
|
||||
+ module_name, token_name, key_id, uri, multi);
|
||||
}
|
||||
|
||||
done:
|
||||
@@ -159,6 +159,7 @@ int main(int argc, const char *argv[])
|
||||
char *key_id = NULL;
|
||||
char *cert_b64 = NULL;
|
||||
bool wait_for_card = false;
|
||||
+ char *uri = NULL;
|
||||
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
@@ -194,6 +195,8 @@ int main(int argc, const char *argv[])
|
||||
_("Key ID for authentication"), NULL},
|
||||
{"certificate", 0, POPT_ARG_STRING, &cert_b64, 0,
|
||||
_("certificate to verify, base64 encoded"), NULL},
|
||||
+ {"uri", 0, POPT_ARG_STRING, &uri, 0,
|
||||
+ _("PKCS#11 URI to restrict selection"), NULL},
|
||||
POPT_TABLEEND
|
||||
};
|
||||
|
||||
@@ -367,7 +370,7 @@ int main(int argc, const char *argv[])
|
||||
}
|
||||
|
||||
ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card,
|
||||
- cert_b64, pin, module_name, token_name, key_id, &multi);
|
||||
+ cert_b64, pin, module_name, token_name, key_id, uri, &multi);
|
||||
if (ret != 0) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
|
||||
goto fail;
|
||||
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
|
||||
index fff1f25..f9cbf3f 100644
|
||||
--- a/src/p11_child/p11_child_nss.c
|
||||
+++ b/src/p11_child/p11_child_nss.c
|
||||
@@ -480,7 +480,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64)
|
||||
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
enum op_mode mode, const char *pin,
|
||||
const char *module_name_in, const char *token_name_in,
|
||||
- const char *key_id_in, char **_multi)
|
||||
+ const char *key_id_in, const char *uri, char **_multi)
|
||||
{
|
||||
int ret;
|
||||
SECStatus rv;
|
||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
||||
index 09edeef..000e1c9 100644
|
||||
--- a/src/p11_child/p11_child_openssl.c
|
||||
+++ b/src/p11_child/p11_child_openssl.c
|
||||
@@ -85,7 +85,7 @@ static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
|
||||
memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO));
|
||||
|
||||
memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
|
||||
- ret = p11_kit_uri_set_slot_id(uri, slot_id);
|
||||
+ p11_kit_uri_set_slot_id(uri, slot_id);
|
||||
|
||||
memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO));
|
||||
|
||||
@@ -662,7 +662,7 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
|
||||
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
enum op_mode mode, const char *pin,
|
||||
const char *module_name_in, const char *token_name_in,
|
||||
- const char *key_id_in, char **_multi)
|
||||
+ const char *key_id_in, const char *uri_str, char **_multi)
|
||||
{
|
||||
int ret;
|
||||
size_t c;
|
||||
@@ -674,6 +674,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
CK_ULONG num_slots;
|
||||
CK_SLOT_ID slots[MAX_SLOTS];
|
||||
CK_SLOT_ID slot_id;
|
||||
+ CK_SLOT_ID uri_slot_id;
|
||||
CK_SLOT_INFO info;
|
||||
CK_TOKEN_INFO token_info;
|
||||
CK_INFO module_info;
|
||||
@@ -690,6 +691,19 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
char *multi = NULL;
|
||||
bool pkcs11_session = false;
|
||||
bool pkcs11_login = false;
|
||||
+ P11KitUri *uri = NULL;
|
||||
+
|
||||
+ if (uri_str != NULL) {
|
||||
+ uri = p11_kit_uri_new();
|
||||
+ ret = p11_kit_uri_parse(uri_str, P11_KIT_URI_FOR_ANY, uri);
|
||||
+ if (ret != P11_KIT_URI_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_parse failed [%d][%s].\n",
|
||||
+ ret, p11_kit_uri_message(ret));
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
|
||||
/* Maybe use P11_KIT_MODULE_TRUSTED ? */
|
||||
modules = p11_kit_modules_load_and_initialize(0);
|
||||
@@ -709,6 +723,23 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
free(mod_name);
|
||||
free(mod_file_name);
|
||||
|
||||
+ if (uri != NULL) {
|
||||
+ memset(&module_info, 0, sizeof(CK_INFO));
|
||||
+ rv = modules[c]->C_GetInfo(&module_info);
|
||||
+ if (rv != CKR_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Skip modules which do not match the PKCS#11 URI */
|
||||
+ if (p11_kit_uri_match_module_info(uri, &module_info) != 1) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
||||
+ "Not matching URI [%s], skipping.\n", uri_str);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
num_slots = MAX_SLOTS;
|
||||
rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots);
|
||||
if (rv != CKR_OK) {
|
||||
@@ -730,6 +761,37 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
info.slotDescription, info.manufacturerID, info.flags,
|
||||
(info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
|
||||
(info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
|
||||
+
|
||||
+ /* Skip slots which do not match the PKCS#11 URI */
|
||||
+ if (uri != NULL) {
|
||||
+ uri_slot_id = p11_kit_uri_get_slot_id(uri);
|
||||
+ if ((uri_slot_id != (CK_SLOT_ID)-1
|
||||
+ && uri_slot_id != slots[s])
|
||||
+ || p11_kit_uri_match_slot_info(uri, &info) != 1) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
||||
+ "Not matching URI [%s], skipping.\n", uri_str);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if ((info.flags & CKF_TOKEN_PRESENT) && uri != NULL) {
|
||||
+ rv = modules[c]->C_GetTokenInfo(slots[s], &token_info);
|
||||
+ if (rv != CKR_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Token label [%s].\n",
|
||||
+ token_info.label);
|
||||
+
|
||||
+ if (p11_kit_uri_match_token_info(uri, &token_info) != 1) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "No matching uri [%s], skipping.\n", uri_str);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ }
|
||||
+
|
||||
if ((info.flags & CKF_REMOVABLE_DEVICE)) {
|
||||
break;
|
||||
}
|
||||
@@ -788,6 +850,13 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (uri != NULL && p11_kit_uri_match_token_info(uri, &token_info) != 1) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "No token matching uri [%s] found.",
|
||||
+ uri_str);
|
||||
+ ret = ENOENT;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
module_id = c;
|
||||
slot_name = p11_kit_space_strdup(info.slotDescription,
|
||||
sizeof(info.slotDescription));
|
||||
@@ -891,7 +960,12 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
}
|
||||
|
||||
memset(&module_info, 0, sizeof(CK_INFO));
|
||||
- module->C_GetInfo(&module_info);
|
||||
+ rv = module->C_GetInfo(&module_info);
|
||||
+ if (rv != CKR_OK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
|
||||
DLIST_FOR_EACH(item, cert_list) {
|
||||
item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id,
|
||||
@@ -970,6 +1044,7 @@ done:
|
||||
free(token_name);
|
||||
free(module_file_name);
|
||||
p11_kit_modules_finalize_and_release(modules);
|
||||
+ p11_kit_uri_free(uri);
|
||||
|
||||
return ret;
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
193
0052-PAM-add-p11_uri-option.patch
Normal file
193
0052-PAM-add-p11_uri-option.patch
Normal file
@ -0,0 +1,193 @@
|
||||
From 725b65081d19da658b16338686c53dcf16d49de0 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 9 Oct 2018 10:47:04 +0200
|
||||
Subject: [PATCH 67/83] PAM: add p11_uri option
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3814
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.h | 1 +
|
||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
||||
src/config/cfg_rules.ini | 1 +
|
||||
src/config/etc/sssd.api.conf | 1 +
|
||||
src/man/sssd.conf.5.xml | 33 +++++++++++++++++++++++++++++++++
|
||||
src/responder/pam/pamsrv.h | 1 +
|
||||
src/responder/pam/pamsrv_cmd.c | 12 +++++++++++-
|
||||
src/responder/pam/pamsrv_p11.c | 9 ++++++++-
|
||||
8 files changed, 57 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 87904c2..741d4bc 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -133,6 +133,7 @@
|
||||
#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
|
||||
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
|
||||
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
|
||||
+#define CONFDB_PAM_P11_URI "p11_uri"
|
||||
|
||||
/* SUDO */
|
||||
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
|
||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||
index 4d1dba2..a20157c 100644
|
||||
--- a/src/config/SSSDConfig/__init__.py.in
|
||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||
@@ -105,6 +105,7 @@ option_strings = {
|
||||
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
|
||||
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
|
||||
'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
|
||||
+ 'p11_uri' : _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
|
||||
|
||||
# [sudo]
|
||||
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
|
||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||
index 50a8f1d..09a52df 100644
|
||||
--- a/src/config/cfg_rules.ini
|
||||
+++ b/src/config/cfg_rules.ini
|
||||
@@ -128,6 +128,7 @@ option = p11_child_timeout
|
||||
option = pam_app_services
|
||||
option = pam_p11_allowed_services
|
||||
option = p11_wait_for_card_timeout
|
||||
+option = p11_uri
|
||||
|
||||
[rule/allowed_sudo_options]
|
||||
validator = ini_allowed_options
|
||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
||||
index bb686c3..c6d6690 100644
|
||||
--- a/src/config/etc/sssd.api.conf
|
||||
+++ b/src/config/etc/sssd.api.conf
|
||||
@@ -77,6 +77,7 @@ p11_child_timeout = int, None, false
|
||||
pam_app_services = str, None, false
|
||||
pam_p11_allowed_services = str, None, false
|
||||
p11_wait_for_card_timeout = int, None, false
|
||||
+p11_uri = str, None, false
|
||||
|
||||
[sudo]
|
||||
# sudo service
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 4df0163..c8d53f0 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -1478,6 +1478,39 @@ pam_p11_allowed_services = +my_pam_service, -login
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>p11_uri (string)</term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ PKCS#11 URI (see RFC-7512 for details) which can be
|
||||
+ used to restrict the selection of devices used for
|
||||
+ Smartcard authentication. By default SSSD's
|
||||
+ p11_child will search for a PKCS#11 slot (reader)
|
||||
+ where the 'removable' flags is set and read the
|
||||
+ certificates from the inserted token from the first
|
||||
+ slot found. If multiple readers are connected
|
||||
+ p11_uri can be use to tell p11_child to use a
|
||||
+ specific reader.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Example:
|
||||
+ <programlisting>
|
||||
+p11_uri = slot-description=My%20Smartcar%20Reader
|
||||
+ </programlisting>
|
||||
+ or
|
||||
+ <programlisting>
|
||||
+p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
|
||||
+ </programlisting>
|
||||
+ To find suitable URI please check the debug output
|
||||
+ of p11_child. As an alternative the GnuTLS utility
|
||||
+ 'p11tool' with e.g. the '--list-all' will show
|
||||
+ PKCS#11 URIs as well.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ Default: none
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</refsect2>
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index 5d87756..60aa979 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -103,6 +103,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
time_t timeout,
|
||||
const char *verify_opts,
|
||||
struct sss_certmap_ctx *sss_certmap_ctx,
|
||||
+ const char *uri,
|
||||
struct pam_data *pd);
|
||||
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
||||
struct cert_auth_info **cert_list);
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index 6e37f83..a22afd2 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1306,6 +1306,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
||||
char *cert_verification_opts;
|
||||
errno_t ret;
|
||||
struct tevent_req *req;
|
||||
+ char *uri = NULL;
|
||||
|
||||
ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
|
||||
CONFDB_PAM_P11_CHILD_TIMEOUT,
|
||||
@@ -1342,10 +1343,19 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+ ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_PAM_CONF_ENTRY,
|
||||
+ CONFDB_PAM_P11_URI, NULL, &uri);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to read certificate_verification from confdb: [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
|
||||
pctx->nss_db, p11_child_timeout,
|
||||
cert_verification_opts, pctx->sss_certmap_ctx,
|
||||
- pd);
|
||||
+ uri, pd);
|
||||
if (req == NULL) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
|
||||
return ENOMEM;
|
||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
||||
index 8b8859d..491bd2b 100644
|
||||
--- a/src/responder/pam/pamsrv_p11.c
|
||||
+++ b/src/responder/pam/pamsrv_p11.c
|
||||
@@ -711,6 +711,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
time_t timeout,
|
||||
const char *verify_opts,
|
||||
struct sss_certmap_ctx *sss_certmap_ctx,
|
||||
+ const char *uri,
|
||||
struct pam_data *pd)
|
||||
{
|
||||
errno_t ret;
|
||||
@@ -721,7 +722,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
struct timeval tv;
|
||||
int pipefd_to_child[2] = PIPE_INIT;
|
||||
int pipefd_from_child[2] = PIPE_INIT;
|
||||
- const char *extra_args[14] = { NULL };
|
||||
+ const char *extra_args[16] = { NULL };
|
||||
uint8_t *write_buf = NULL;
|
||||
size_t write_buf_len = 0;
|
||||
size_t arg_c;
|
||||
@@ -748,6 +749,12 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
|
||||
/* extra_args are added in revers order */
|
||||
arg_c = 0;
|
||||
+ if (uri != NULL) {
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Adding PKCS#11 URI [%s].\n", uri);
|
||||
+ extra_args[arg_c++] = uri;
|
||||
+ extra_args[arg_c++] = "--uri";
|
||||
+ }
|
||||
+
|
||||
if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
|
||||
extra_args[arg_c++] = "--wait_for_card";
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
209
0053-tests-add-PKCS-11-URI-tests.patch
Normal file
209
0053-tests-add-PKCS-11-URI-tests.patch
Normal file
@ -0,0 +1,209 @@
|
||||
From 4a22fb6bba6662ad628f6e17203e8ccf20eb9666 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 9 Oct 2018 10:46:43 +0200
|
||||
Subject: [PATCH 68/83] tests: add PKCS#11 URI tests
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3814
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_pam_srv.c | 120 ++++++++++++++++++++++++++++++++++++++++
|
||||
src/tests/test_CA/Makefile.am | 16 +++++-
|
||||
2 files changed, 135 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
||||
index 2b02ac2..7fc9224 100644
|
||||
--- a/src/tests/cmocka/test_pam_srv.c
|
||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
||||
@@ -65,6 +65,7 @@
|
||||
#endif
|
||||
|
||||
#define TEST_TOKEN_NAME "SSSD Test Token"
|
||||
+#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
|
||||
#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
|
||||
#ifdef HAVE_NSS
|
||||
#define TEST_MODULE_NAME "NSS-Internal"
|
||||
@@ -961,6 +962,54 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
|
||||
+ size_t blen, enum response_type type,
|
||||
+ const char *name)
|
||||
+{
|
||||
+ size_t rp = 0;
|
||||
+ uint32_t val;
|
||||
+ size_t check2_len = 0;
|
||||
+ char const *check2_strings[] = { NULL,
|
||||
+ TEST_TOKEN2_NAME,
|
||||
+ TEST_MODULE_NAME,
|
||||
+ TEST2_KEY_ID,
|
||||
+ TEST2_PROMPT,
|
||||
+ NULL };
|
||||
+
|
||||
+ assert_int_equal(status, 0);
|
||||
+
|
||||
+ check2_strings[0] = name;
|
||||
+ check2_len = check_string_array_len(check2_strings);
|
||||
+
|
||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
||||
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
|
||||
+
|
||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
||||
+ assert_int_equal(val, 2);
|
||||
+
|
||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
||||
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
|
||||
+
|
||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
||||
+ assert_int_equal(val, 9);
|
||||
+
|
||||
+ assert_int_equal(*(body + rp + val - 1), 0);
|
||||
+ assert_string_equal(body + rp, TEST_DOM_NAME);
|
||||
+ rp += val;
|
||||
+
|
||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
||||
+ assert_int_equal(val, type);
|
||||
+
|
||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
||||
+ assert_int_equal(val, check2_len);
|
||||
+
|
||||
+ check_string_array(check2_strings, body, &rp);
|
||||
+
|
||||
+ assert_int_equal(rp, blen);
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
||||
{
|
||||
return test_pam_cert_check_ex(status, body, blen,
|
||||
@@ -968,6 +1017,12 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
||||
NULL);
|
||||
}
|
||||
|
||||
+static int test_pam_cert2_check(uint32_t status, uint8_t *body, size_t blen)
|
||||
+{
|
||||
+ return test_pam_cert2_token2_check_ex(status, body, blen, SSS_PAM_CERT_INFO,
|
||||
+ "pamuser@"TEST_DOM_NAME);
|
||||
+}
|
||||
+
|
||||
static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body,
|
||||
size_t blen)
|
||||
{
|
||||
@@ -2476,6 +2531,65 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
|
||||
assert_int_equal(ret, EOK);
|
||||
}
|
||||
|
||||
+void test_pam_cert_preauth_uri_token1(void **state)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ struct sss_test_conf_param pam_params[] = {
|
||||
+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token" },
|
||||
+ { NULL, NULL }, /* Sentinel */
|
||||
+ };
|
||||
+
|
||||
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
|
||||
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
|
||||
+
|
||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
|
||||
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
|
||||
+
|
||||
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
||||
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
||||
+
|
||||
+ set_cmd_cb(test_pam_cert_check);
|
||||
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
|
||||
+ pam_test_ctx->pam_cmds);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ /* Wait until the test finishes with EOK */
|
||||
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+}
|
||||
+
|
||||
+void test_pam_cert_preauth_uri_token2(void **state)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ struct sss_test_conf_param pam_params[] = {
|
||||
+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token%20Number%202" },
|
||||
+ { NULL, NULL }, /* Sentinel */
|
||||
+ };
|
||||
+
|
||||
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
|
||||
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
|
||||
+
|
||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
|
||||
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0002, false);
|
||||
+
|
||||
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
||||
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
||||
+
|
||||
+ set_cmd_cb(test_pam_cert2_check);
|
||||
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
|
||||
+ pam_test_ctx->pam_cmds);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ /* Wait until the test finishes with EOK */
|
||||
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+}
|
||||
|
||||
void test_filter_response(void **state)
|
||||
{
|
||||
@@ -2915,6 +3029,12 @@ int main(int argc, const char *argv[])
|
||||
pam_test_setup, pam_test_teardown),
|
||||
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
|
||||
pam_test_setup, pam_test_teardown),
|
||||
+#ifndef HAVE_NSS
|
||||
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token1,
|
||||
+ pam_test_setup, pam_test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token2,
|
||||
+ pam_test_setup, pam_test_teardown),
|
||||
+#endif /* ! HAVE_NSS */
|
||||
#endif /* HAVE_TEST_CA */
|
||||
|
||||
cmocka_unit_test_setup_teardown(test_filter_response,
|
||||
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
|
||||
index 1bce2c3..b574c76 100644
|
||||
--- a/src/tests/test_CA/Makefile.am
|
||||
+++ b/src/tests/test_CA/Makefile.am
|
||||
@@ -24,7 +24,7 @@ pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
|
||||
if HAVE_NSS
|
||||
extra = p11_nssdb p11_nssdb_2certs
|
||||
else
|
||||
-extra = softhsm2_none softhsm2_one softhsm2_two
|
||||
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens
|
||||
endif
|
||||
|
||||
# If openssl is run in parallel there might be conflicts with the serial
|
||||
@@ -114,6 +114,20 @@ softhsm2_two.conf:
|
||||
@echo "objectstore.backend = file" >> $@
|
||||
@echo "slots.removable = true" >> $@
|
||||
|
||||
+softhsm2_2tokens: softhsm2_2tokens.conf
|
||||
+ mkdir $@
|
||||
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
|
||||
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
|
||||
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
|
||||
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token Number 2" --pin 654321 --so-pin 654321 --free
|
||||
+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
|
||||
+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
|
||||
+
|
||||
+softhsm2_2tokens.conf:
|
||||
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2tokens" > $@
|
||||
+ @echo "objectstore.backend = file" >> $@
|
||||
+ @echo "slots.removable = true" >> $@
|
||||
+
|
||||
CLEANFILES = \
|
||||
index.txt index.txt.attr \
|
||||
index.txt.attr.old index.txt.old \
|
||||
--
|
||||
2.9.5
|
||||
|
53
0054-test_config-Test-for-invalid-characker-in-domain.patch
Normal file
53
0054-test_config-Test-for-invalid-characker-in-domain.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From 7a2e56d061085c155a51253bd612255a4d24cb57 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Halman <thalman@redhat.com>
|
||||
Date: Mon, 8 Oct 2018 12:47:40 +0200
|
||||
Subject: [PATCH 69/83] test_config: Test for invalid characker in domain
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
There was bug allowing forbidden characters in config file section name.
|
||||
Bug has been fixed meantime but we decided to write the test to avoid
|
||||
regeression.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3334
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_config_check.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_config_check.c b/src/tests/cmocka/test_config_check.c
|
||||
index a2958de..61c7886 100644
|
||||
--- a/src/tests/cmocka/test_config_check.c
|
||||
+++ b/src/tests/cmocka/test_config_check.c
|
||||
@@ -106,6 +106,17 @@ void config_check_test_bad_section_name(void **state)
|
||||
config_check_test_common(cfg_str, 1, expected_errors);
|
||||
}
|
||||
|
||||
+void config_check_test_bad_chars_in_section_name(void **state)
|
||||
+{
|
||||
+ char cfg_str[] = "[domain/LD@P]";
|
||||
+ const char *expected_errors[] = {
|
||||
+ "[rule/allowed_sections]: Section [domain/LD@P] is not allowed. "
|
||||
+ "Check for typos.",
|
||||
+ };
|
||||
+
|
||||
+ config_check_test_common(cfg_str, 1, expected_errors);
|
||||
+}
|
||||
+
|
||||
void config_check_test_too_many_subdomains(void **state)
|
||||
{
|
||||
char cfg_str[] = "[domain/ad.test/b.test/c.test]";
|
||||
@@ -264,6 +275,7 @@ int main(int argc, const char *argv[])
|
||||
|
||||
const struct CMUnitTest tests[] = {
|
||||
cmocka_unit_test(config_check_test_bad_section_name),
|
||||
+ cmocka_unit_test(config_check_test_bad_chars_in_section_name),
|
||||
cmocka_unit_test(config_check_test_too_many_subdomains),
|
||||
cmocka_unit_test(config_check_test_bad_sssd_option_name),
|
||||
cmocka_unit_test(config_check_test_bad_pam_option_name),
|
||||
--
|
||||
2.9.5
|
||||
|
147
0055-PAM-return-short-name-for-files-provider-users.patch
Normal file
147
0055-PAM-return-short-name-for-files-provider-users.patch
Normal file
@ -0,0 +1,147 @@
|
||||
From dbd717fe5b7d8dd640b6ade435b49edb3db5280a Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 9 Oct 2018 13:25:35 +0200
|
||||
Subject: [PATCH 70/83] PAM: return short name for files provider users
|
||||
|
||||
If the 'allow_missing_name' option is used with pam_sss and the user
|
||||
name will be determined based on the certificate content and the mapping
|
||||
rules the PAM responder will by default return the fully-qualified name
|
||||
of the user which is then later used by other PAM modules as well.
|
||||
|
||||
For local users which are configured to use SSSD for Smartcard
|
||||
authentication this might cause issues in other PAM modules because they
|
||||
are not aware of the fully-qualified name and will treat the user as
|
||||
unknown.
|
||||
|
||||
With this patch the PAM responder will return the short name for all
|
||||
users handled by the files provider.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3848
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/pam/pamsrv.h | 3 ++-
|
||||
src/responder/pam/pamsrv_cmd.c | 13 +++++++++----
|
||||
src/responder/pam/pamsrv_p11.c | 32 +++++++++++++++++++++++++++++---
|
||||
3 files changed, 40 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index 60aa979..3a927bb 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -108,7 +108,8 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
||||
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
||||
struct cert_auth_info **cert_list);
|
||||
|
||||
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
||||
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
|
||||
+ const char *sysdb_username,
|
||||
struct cert_auth_info *cert_info,
|
||||
enum response_type type);
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index a22afd2..553bf8f 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -1645,7 +1645,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
preq->current_cert != NULL;
|
||||
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
|
||||
|
||||
- ret = add_pam_cert_response(preq->pd, "",
|
||||
+ ret = add_pam_cert_response(preq->pd,
|
||||
+ preq->cctx->rctx->domains, "",
|
||||
preq->current_cert,
|
||||
preq->cctx->rctx->domains->user_name_hint
|
||||
? SSS_PAM_CERT_INFO_WITH_HINT
|
||||
@@ -1699,7 +1700,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
|
||||
if (preq->cctx->rctx->domains->user_name_hint
|
||||
&& preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
- ret = add_pam_cert_response(preq->pd, cert_user,
|
||||
+ ret = add_pam_cert_response(preq->pd,
|
||||
+ preq->cctx->rctx->domains, cert_user,
|
||||
preq->cert_list,
|
||||
SSS_PAM_CERT_INFO_WITH_HINT);
|
||||
preq->pd->pam_status = PAM_SUCCESS;
|
||||
@@ -1725,7 +1727,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
* SSS_PAM_CERT_INFO message to send the name to the caller. */
|
||||
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& preq->pd->logon_name == NULL) {
|
||||
- ret = add_pam_cert_response(preq->pd, cert_user,
|
||||
+ ret = add_pam_cert_response(preq->pd,
|
||||
+ preq->cctx->rctx->domains, cert_user,
|
||||
preq->cert_list,
|
||||
SSS_PAM_CERT_INFO);
|
||||
if (ret != EOK) {
|
||||
@@ -2117,7 +2120,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
||||
"the backend.\n");
|
||||
}
|
||||
|
||||
- ret = add_pam_cert_response(preq->pd, cert_user,
|
||||
+ ret = add_pam_cert_response(preq->pd,
|
||||
+ preq->cctx->rctx->domains,
|
||||
+ cert_user,
|
||||
preq->current_cert,
|
||||
SSS_PAM_CERT_INFO);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
||||
index 491bd2b..785b29c 100644
|
||||
--- a/src/responder/pam/pamsrv_p11.c
|
||||
+++ b/src/responder/pam/pamsrv_p11.c
|
||||
@@ -1145,7 +1145,8 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
|
||||
* used when running gdm-password. */
|
||||
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
|
||||
|
||||
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
||||
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
|
||||
+ const char *sysdb_username,
|
||||
struct cert_auth_info *cert_info,
|
||||
enum response_type type)
|
||||
{
|
||||
@@ -1153,6 +1154,10 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
||||
char *env = NULL;
|
||||
size_t msg_len;
|
||||
int ret;
|
||||
+ char *short_name = NULL;
|
||||
+ char *domain_name = NULL;
|
||||
+ const char *cert_info_name = sysdb_username;
|
||||
+
|
||||
|
||||
if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type);
|
||||
@@ -1174,9 +1179,30 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
||||
* Smartcard. If this type of name is irritating at the PIN prompt or the
|
||||
* re_expression config option was set in a way that user@domain cannot be
|
||||
* handled anymore some more logic has to be added here. But for the time
|
||||
- * being I think using sysdb_username is fine. */
|
||||
+ * being I think using sysdb_username is fine.
|
||||
+ * As special case is the files provider which handles local users which
|
||||
+ * by definition only have a short name. To avoid confusion by other
|
||||
+ * modules on the PAM stack the short name is returned in this case. */
|
||||
+
|
||||
+ if (sysdb_username != NULL) {
|
||||
+ ret = sss_parse_internal_fqname(pd, sysdb_username,
|
||||
+ &short_name, &domain_name);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s, "
|
||||
+ "using full name.\n",
|
||||
+ sysdb_username, ret, sss_strerror(ret));
|
||||
+ } else {
|
||||
+ if (domain_name != NULL
|
||||
+ && is_files_provider(find_domain_by_name(dom, domain_name,
|
||||
+ false))) {
|
||||
+ cert_info_name = short_name;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- ret = pack_cert_data(pd, sysdb_username, cert_info, &msg, &msg_len);
|
||||
+ ret = pack_cert_data(pd, cert_info_name, cert_info, &msg, &msg_len);
|
||||
+ talloc_free(short_name);
|
||||
+ talloc_free(domain_name);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "pack_cert_data failed.\n");
|
||||
return ret;
|
||||
--
|
||||
2.9.5
|
||||
|
181
0056-TESTS-Add-a-test-for-whitespace-trimming-in-netgroup.patch
Normal file
181
0056-TESTS-Add-a-test-for-whitespace-trimming-in-netgroup.patch
Normal file
@ -0,0 +1,181 @@
|
||||
From 941e67b0bbb780aadb6461b60b4e3554dfb893db Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 16 May 2018 10:23:49 +0200
|
||||
Subject: [PATCH 71/83] TESTS: Add a test for whitespace trimming in netgroup
|
||||
entries
|
||||
|
||||
This is a unit test for commit dbb1abae6eaa9df24f61e3a9f855e2461a66a197
|
||||
|
||||
Reviewed-by: Tomas Halman <thalman@redhat.com>
|
||||
---
|
||||
src/tests/sysdb-tests.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 130 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
|
||||
index 933a07e..d3117cd 100644
|
||||
--- a/src/tests/sysdb-tests.c
|
||||
+++ b/src/tests/sysdb-tests.c
|
||||
@@ -4388,6 +4388,125 @@ START_TEST (test_netgroup_base_dn)
|
||||
}
|
||||
END_TEST
|
||||
|
||||
+static errno_t netgr_triple_to_attrs(struct sysdb_attrs *attrs,
|
||||
+ struct sysdb_netgroup_ctx *netgrent)
|
||||
+{
|
||||
+ int ret;
|
||||
+ char *dummy;
|
||||
+
|
||||
+ dummy = talloc_asprintf(attrs, "(%s,%s,%s)",
|
||||
+ netgrent->value.triple.hostname,
|
||||
+ netgrent->value.triple.username,
|
||||
+ netgrent->value.triple.domainname);
|
||||
+ if (dummy == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_attrs_add_string(attrs, SYSDB_NETGROUP_TRIPLE, dummy);
|
||||
+ talloc_zfree(dummy);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_add_string failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+static errno_t store_netgr(struct sysdb_test_ctx *test_ctx,
|
||||
+ const char *name,
|
||||
+ struct sysdb_netgroup_ctx *netgrent)
|
||||
+{
|
||||
+ struct sysdb_attrs *attrs;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ attrs = sysdb_new_attrs(test_ctx);
|
||||
+ if (attrs == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = netgr_triple_to_attrs(attrs, netgrent);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_add_netgroup(test_ctx->domain, name, NULL, attrs, NULL,
|
||||
+ 0, 0);
|
||||
+ talloc_zfree(attrs);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+static bool sysdb_netgr_ctx_cmp(struct sysdb_netgroup_ctx *a,
|
||||
+ struct sysdb_netgroup_ctx *b)
|
||||
+{
|
||||
+ return a->type == b->type &&
|
||||
+ strcmp(a->value.triple.username, b->value.triple.username) == 0 &&
|
||||
+ strcmp(a->value.triple.hostname, b->value.triple.hostname) == 0 &&
|
||||
+ strcmp(a->value.triple.domainname, b->value.triple.domainname) == 0;
|
||||
+}
|
||||
+
|
||||
+START_TEST (test_sysdb_netgr_to_entries)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ bool bret;
|
||||
+ struct sysdb_test_ctx *test_ctx;
|
||||
+ struct sysdb_netgroup_ctx simple_netgroup = {
|
||||
+ .type = SYSDB_NETGROUP_TRIPLE_VAL,
|
||||
+ .value.triple.hostname = discard_const("host"),
|
||||
+ .value.triple.username = discard_const("user"),
|
||||
+ .value.triple.domainname = discard_const("domain"),
|
||||
+ };
|
||||
+ struct sysdb_netgroup_ctx ws_netgroup = {
|
||||
+ .type = SYSDB_NETGROUP_TRIPLE_VAL,
|
||||
+ .value.triple.hostname = discard_const(" host "),
|
||||
+ .value.triple.username = discard_const(" user "),
|
||||
+ .value.triple.domainname = discard_const(" domain "),
|
||||
+ };
|
||||
+ struct ldb_result *res;
|
||||
+ struct sysdb_netgroup_ctx **entries;
|
||||
+ size_t netgroup_count;
|
||||
+
|
||||
+ ret = setup_sysdb_tests(&test_ctx);
|
||||
+ fail_if(ret != EOK, "Could not set up the test");
|
||||
+
|
||||
+ ret = store_netgr(test_ctx, "simple_netgroup", &simple_netgroup);
|
||||
+ fail_if(ret != EOK, "Could not store the netgr");
|
||||
+
|
||||
+ ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "simple_netgroup", &res);
|
||||
+ fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]",
|
||||
+ ret, strerror(ret));
|
||||
+ fail_unless(res->count == 1, "Received [%d] responses",
|
||||
+ res->count);
|
||||
+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
|
||||
+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
|
||||
+ ret, strerror(ret));
|
||||
+ fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count);
|
||||
+ bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup);
|
||||
+ fail_unless(bret == true, "Netgroup triples do not match");
|
||||
+
|
||||
+ ret = store_netgr(test_ctx, "ws_netgroup", &ws_netgroup);
|
||||
+ fail_if(ret != EOK, "Could not store the netgr");
|
||||
+
|
||||
+ ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "ws_netgroup", &res);
|
||||
+ fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]",
|
||||
+ ret, strerror(ret));
|
||||
+ fail_unless(res->count == 1, "Received [%d] responses",
|
||||
+ res->count);
|
||||
+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
|
||||
+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
|
||||
+ ret, strerror(ret));
|
||||
+ fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count);
|
||||
+ bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup);
|
||||
+ fail_unless(bret == true, "Netgroup triples do not match");
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
START_TEST(test_odd_characters)
|
||||
{
|
||||
errno_t ret;
|
||||
@@ -4404,6 +4523,8 @@ START_TEST(test_odd_characters)
|
||||
const char *received_group;
|
||||
static const char *user_attrs[] = SYSDB_PW_ATTRS;
|
||||
static const char *netgr_attrs[] = SYSDB_NETGR_ATTRS;
|
||||
+ struct sysdb_netgroup_ctx **entries;
|
||||
+ size_t netgroup_count;
|
||||
|
||||
/* Setup */
|
||||
ret = setup_sysdb_tests(&test_ctx);
|
||||
@@ -4546,9 +4667,13 @@ START_TEST(test_odd_characters)
|
||||
ret, strerror(ret));
|
||||
fail_unless(res->count == 1, "Received [%d] responses",
|
||||
res->count);
|
||||
- talloc_zfree(res);
|
||||
|
||||
- /* ===== Arbitrary Entries ===== */
|
||||
+ /* Parse */
|
||||
+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
|
||||
+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
|
||||
+ ret, strerror(ret));
|
||||
+
|
||||
+ talloc_zfree(res);
|
||||
|
||||
talloc_free(test_ctx);
|
||||
}
|
||||
@@ -7418,6 +7543,9 @@ Suite *create_sysdb_suite(void)
|
||||
|
||||
tcase_add_test(tc_sysdb, test_netgroup_base_dn);
|
||||
|
||||
+ /* Test splitting the netgroup triple */
|
||||
+ tcase_add_test(tc_sysdb, test_sysdb_netgr_to_entries);
|
||||
+
|
||||
/* ===== SERVICE TESTS ===== */
|
||||
|
||||
/* Create a new service */
|
||||
--
|
||||
2.9.5
|
||||
|
57
0057-FILES-The-files-provider-should-not-enumerate.patch
Normal file
57
0057-FILES-The-files-provider-should-not-enumerate.patch
Normal file
@ -0,0 +1,57 @@
|
||||
From 7b3794fbe5e4f0888d4faeba12e6c5268f8cca42 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 9 Oct 2018 12:12:44 +0200
|
||||
Subject: [PATCH 73/83] FILES: The files provider should not enumerate
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3849
|
||||
|
||||
For reason I cannot explain now, the files provider always enumerates.
|
||||
There is commit a60e6ec which implements this, but it's clearly wrong,
|
||||
because then the plain getent passwd output contains duplicates from
|
||||
nss_files and nss_sss:
|
||||
|
||||
$ getent passwd | sort
|
||||
adm:x:3:4:adm:/var/adm:/sbin/nologin
|
||||
adm:x:3:4:adm:/var/adm:/sbin/nologin
|
||||
bin:x:1:1:bin:/bin:/sbin/nologin
|
||||
bin:x:1:1:bin:/bin:/sbin/nologin
|
||||
certuser:x:10329:10330::/home/certuser:/bin/bash
|
||||
certuser:x:10329:10330::/home/certuser:/bin/bash
|
||||
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
|
||||
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
|
||||
daemon:x:2:2:daemon:/sbin:/sbin/nologin
|
||||
daemon:x:2:2:daemon:/sbin:/sbin/nologin
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 5 +----
|
||||
1 files changed, 1 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index 2f3d900..fdc6122 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -875,7 +875,6 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
char *default_domain;
|
||||
bool fqnames_default = false;
|
||||
int memcache_timeout;
|
||||
- bool enum_default;
|
||||
|
||||
tmp_ctx = talloc_new(mem_ctx);
|
||||
if (!tmp_ctx) return ENOMEM;
|
||||
@@ -1009,10 +1008,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
||||
"Interpreting as true\n", domain->name);
|
||||
domain->enumerate = true;
|
||||
} else { /* assume the new format */
|
||||
- enum_default = is_files_provider(domain);
|
||||
-
|
||||
ret = get_entry_as_bool(res->msgs[0], &domain->enumerate,
|
||||
- CONFDB_DOMAIN_ENUMERATE, enum_default);
|
||||
+ CONFDB_DOMAIN_ENUMERATE, 0);
|
||||
if(ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Invalid value for %s\n", CONFDB_DOMAIN_ENUMERATE);
|
489
0058-p11_child-add-OCSP-check-ot-the-OpenSSL-version.patch
Normal file
489
0058-p11_child-add-OCSP-check-ot-the-OpenSSL-version.patch
Normal file
@ -0,0 +1,489 @@
|
||||
From 91c608d0eb48435b5b5d2f3631a4bb2a40b8d519 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 10 Oct 2018 15:37:16 +0200
|
||||
Subject: [PATCH 74/83] p11_child: add OCSP check ot the OpenSSL version
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3489
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/man/sssd.conf.5.xml | 26 ++-
|
||||
src/p11_child/p11_child_openssl.c | 346 ++++++++++++++++++++++++++++++++++++++
|
||||
src/tests/cmocka/test_utils.c | 3 +
|
||||
src/util/util.c | 2 +
|
||||
4 files changed, 370 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index c8d53f0..5e3ae48 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -479,8 +479,8 @@
|
||||
be replaced with the URL of the OCSP
|
||||
default responder e.g.
|
||||
http://example.com:80/ocsp.</para>
|
||||
- <para>This option must be used together
|
||||
- with
|
||||
+ <para>(NSS Version) This option must be
|
||||
+ used together with
|
||||
ocsp_default_responder_signing_cert.
|
||||
</para>
|
||||
</listitem>
|
||||
@@ -489,17 +489,29 @@
|
||||
<term>
|
||||
ocsp_default_responder_signing_cert=NAME</term>
|
||||
<listitem>
|
||||
- <para>The nickname of the cert to trust
|
||||
- (expected) to sign the OCSP responses.
|
||||
- The certificate with the given nickname
|
||||
- must be available in the systems NSS
|
||||
- database.</para>
|
||||
+ <para>(NSS Version) The nickname of the
|
||||
+ cert to trust (expected) to sign the
|
||||
+ OCSP responses. The certificate with
|
||||
+ the given nickname must be available in
|
||||
+ the systems NSS database.</para>
|
||||
<para>This option must be used together
|
||||
with ocsp_default_responder.</para>
|
||||
+ <para>(OpenSSL version) This option is
|
||||
+ currently ignored. All needed
|
||||
+ certificates must be available in the
|
||||
+ PEM file given by
|
||||
+ pam_cert_db_path.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
+ <para condition="with_nss">
|
||||
+ This man page was generated for the NSS version.
|
||||
+ </para>
|
||||
+ <para condition="with_openssl">
|
||||
+ This man page was generated for the OpenSSL
|
||||
+ version.
|
||||
+ </para>
|
||||
<para>
|
||||
Unknown options are reported but ignored.
|
||||
</para>
|
||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
||||
index 000e1c9..d66a2f8 100644
|
||||
--- a/src/p11_child/p11_child_openssl.c
|
||||
+++ b/src/p11_child/p11_child_openssl.c
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
+#include <openssl/ocsp.h>
|
||||
#include <p11-kit/p11-kit.h>
|
||||
#include <p11-kit/uri.h>
|
||||
|
||||
@@ -42,8 +43,344 @@ struct p11_ctx {
|
||||
X509_STORE *x509_store;
|
||||
const char *ca_db;
|
||||
bool wait_for_card;
|
||||
+ struct cert_verify_opts *cert_verify_opts;
|
||||
};
|
||||
|
||||
+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
|
||||
+ const char *path,
|
||||
+ OCSP_REQUEST *req, int req_timeout)
|
||||
+{
|
||||
+ int fd;
|
||||
+ int rv;
|
||||
+ OCSP_REQ_CTX *ctx = NULL;
|
||||
+ OCSP_RESPONSE *rsp = NULL;
|
||||
+ fd_set confds;
|
||||
+ struct timeval tv;
|
||||
+
|
||||
+ if (req_timeout != -1) {
|
||||
+ BIO_set_nbio(cbio, 1);
|
||||
+ }
|
||||
+
|
||||
+ rv = BIO_do_connect(cbio);
|
||||
+
|
||||
+ if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Error connecting BIO\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (BIO_get_fd(cbio, &fd) < 0) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Can't get connection fd\n");
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (req_timeout != -1 && rv <= 0) {
|
||||
+ FD_ZERO(&confds);
|
||||
+ FD_SET(fd, &confds);
|
||||
+ tv.tv_usec = 0;
|
||||
+ tv.tv_sec = req_timeout;
|
||||
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
|
||||
+ if (rv == 0) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on connect\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
|
||||
+ if (ctx == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!OCSP_REQ_CTX_set1_req(ctx, req)) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ for (;;) {
|
||||
+ rv = OCSP_sendreq_nbio(&rsp, ctx);
|
||||
+ if (rv != -1)
|
||||
+ break;
|
||||
+ if (req_timeout == -1)
|
||||
+ continue;
|
||||
+ FD_ZERO(&confds);
|
||||
+ FD_SET(fd, &confds);
|
||||
+ tv.tv_usec = 0;
|
||||
+ tv.tv_sec = req_timeout;
|
||||
+ if (BIO_should_read(cbio)) {
|
||||
+ rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
|
||||
+ } else if (BIO_should_write(cbio)) {
|
||||
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected retry condition\n");
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (rv == 0) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on request\n");
|
||||
+ break;
|
||||
+ }
|
||||
+ if (rv == -1) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Select error\n");
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ }
|
||||
+ err:
|
||||
+ OCSP_REQ_CTX_free(ctx);
|
||||
+
|
||||
+ return rsp;
|
||||
+}
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+#define TLS_client_method SSLv23_client_method
|
||||
+#define X509_STORE_get0_objects(store) (store->objs)
|
||||
+#define X509_OBJECT_get_type(object) (object->type)
|
||||
+#define X509_OBJECT_get0_X509(object) (object->data.x509)
|
||||
+#endif
|
||||
+
|
||||
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
|
||||
+ const char *host, const char *path,
|
||||
+ const char *port, int use_ssl,
|
||||
+ int req_timeout)
|
||||
+{
|
||||
+ BIO *cbio = NULL;
|
||||
+ SSL_CTX *ctx = NULL;
|
||||
+ OCSP_RESPONSE *resp = NULL;
|
||||
+
|
||||
+ cbio = BIO_new_connect(host);
|
||||
+ if (cbio == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Error creating connect BIO\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ if (port != NULL)
|
||||
+ BIO_set_conn_port(cbio, port);
|
||||
+ if (use_ssl == 1) {
|
||||
+ BIO *sbio;
|
||||
+ ctx = SSL_CTX_new(TLS_client_method());
|
||||
+ if (ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Error creating SSL context.\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
|
||||
+ sbio = BIO_new_ssl(ctx, 1);
|
||||
+ cbio = BIO_push(sbio, cbio);
|
||||
+ }
|
||||
+
|
||||
+ resp = query_responder(cbio, host, path, req, req_timeout);
|
||||
+ if (resp == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Error querying OCSP responder\n");
|
||||
+ }
|
||||
+
|
||||
+ end:
|
||||
+ BIO_free_all(cbio);
|
||||
+ SSL_CTX_free(ctx);
|
||||
+ return resp;
|
||||
+}
|
||||
+
|
||||
+static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
|
||||
+{
|
||||
+ OCSP_REQUEST *ocsp_req = NULL;
|
||||
+ OCSP_RESPONSE *ocsp_resp = NULL;
|
||||
+ OCSP_BASICRESP *ocsp_basic = NULL;
|
||||
+ OCSP_CERTID *cid = NULL;
|
||||
+ STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
|
||||
+ char *url_str;
|
||||
+ X509 *issuer = NULL;
|
||||
+ int req_timeout = -1;
|
||||
+ int status;
|
||||
+ int ret = EIO;
|
||||
+ int reason;
|
||||
+ ASN1_GENERALIZEDTIME *revtime;
|
||||
+ ASN1_GENERALIZEDTIME *thisupd;
|
||||
+ ASN1_GENERALIZEDTIME *nextupd;
|
||||
+ long grace_time = (5 * 60); /* Allow 5 minutes time difference when
|
||||
+ * checking the validity of the OCSP response */
|
||||
+ char *host = NULL;
|
||||
+ char *path = NULL;
|
||||
+ char *port = NULL;
|
||||
+ int use_ssl;
|
||||
+ X509_NAME *issuer_name = NULL;
|
||||
+ X509_OBJECT *x509_obj;
|
||||
+ STACK_OF(X509_OBJECT) *store_objects;
|
||||
+
|
||||
+ ocsp_urls = X509_get1_ocsp(cert);
|
||||
+ if (ocsp_urls == NULL
|
||||
+ && p11_ctx->cert_verify_opts->ocsp_default_responder == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "No OCSP URL in certificate and no default responder defined, "
|
||||
+ "skipping OCSP check.\n");
|
||||
+ return EOK;
|
||||
+ }
|
||||
+
|
||||
+ if (p11_ctx->cert_verify_opts->ocsp_default_responder != NULL) {
|
||||
+ url_str = p11_ctx->cert_verify_opts->ocsp_default_responder;
|
||||
+ } else {
|
||||
+ if (sk_OPENSSL_STRING_num(ocsp_urls) > 1) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "Found more than 1 OCSP URLs, just using the first.\n");
|
||||
+ }
|
||||
+
|
||||
+ url_str = sk_OPENSSL_STRING_value(ocsp_urls, 0);
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Using OCSP URL [%s].\n", url_str);
|
||||
+
|
||||
+ ret = OCSP_parse_url(url_str, &host, &port, &path, &use_ssl);
|
||||
+ if (ret != 1) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_parse_url failed to parse [%s].\n",
|
||||
+ url_str);
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ issuer_name = X509_get_issuer_name(cert);
|
||||
+ if (issuer_name == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate has no issuer, "
|
||||
+ "cannot run OCSP check.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ store_objects = X509_STORE_get0_objects(p11_ctx->x509_store);
|
||||
+ if (store_objects == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "No objects found in certificate store, OCSP failed.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ x509_obj = X509_OBJECT_retrieve_by_subject(store_objects, X509_LU_X509,
|
||||
+ issuer_name);
|
||||
+ if (x509_obj == NULL || X509_OBJECT_get_type(x509_obj) != X509_LU_X509) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Issuer not found.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ issuer = X509_OBJECT_get0_X509(x509_obj);
|
||||
+
|
||||
+ ocsp_req = OCSP_REQUEST_new();
|
||||
+ if (ocsp_req == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_REQUEST_new failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
|
||||
+ if (cid == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_cert_to_id failed.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (OCSP_request_add0_id(ocsp_req, cid) == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_request_add0_id failed.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ OCSP_request_add1_nonce(ocsp_req, NULL, -1);
|
||||
+
|
||||
+ ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl,
|
||||
+ req_timeout);
|
||||
+ if (ocsp_resp == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "process_responder failed.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ status = OCSP_response_status(ocsp_resp);
|
||||
+ if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response error: [%d][%s].\n",
|
||||
+ status, OCSP_response_status_str(status));
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ocsp_basic = OCSP_response_get1_basic(ocsp_resp);
|
||||
+ if (ocsp_resp == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_response_get1_basic failed.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ switch (OCSP_check_nonce(ocsp_req, ocsp_basic)) {
|
||||
+ case -1:
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "No nonce in OCSP response. This might "
|
||||
+ "indicate a replay attack or an OCSP responder which does not "
|
||||
+ "support nonces. Accepting response.\n");
|
||||
+ break;
|
||||
+ case 0:
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Nonce in OCSP response does not match the "
|
||||
+ "one used in the request.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ break;
|
||||
+ case 1:
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "Nonce in OCSP response is the same as the one "
|
||||
+ "used in the request.\n");
|
||||
+ break;
|
||||
+ case 2:
|
||||
+ case 3:
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing nonce in OCSP request, this should"
|
||||
+ "never happen.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ break;
|
||||
+ default:
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected result of OCSP_check_nonce.\n");
|
||||
+ }
|
||||
+
|
||||
+ status = OCSP_basic_verify(ocsp_basic, NULL, p11_ctx->x509_store, 0);
|
||||
+ if (status != 1) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP_base_verify failed to verify OCSP "
|
||||
+ "response.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = OCSP_resp_find_status(ocsp_basic, cid, &status, &reason,
|
||||
+ &revtime, &thisupd, &nextupd);
|
||||
+ if (ret != 1) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response does not contain status of "
|
||||
+ "our certificate.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (status != V_OCSP_CERTSTATUS_GOOD) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP check failed with [%d][%s].\n",
|
||||
+ status, OCSP_cert_status_str(status));
|
||||
+ if (status == V_OCSP_CERTSTATUS_REVOKED) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate is revoked [%d][%s].\n",
|
||||
+ reason, OCSP_crl_reason_str(reason));
|
||||
+ }
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (OCSP_check_validity(thisupd, nextupd, grace_time, -1) != 1) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response is not valid anymore.\n");
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_ALL, "OCSP check was successful.\n");
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ OCSP_BASICRESP_free(ocsp_basic);
|
||||
+ OCSP_RESPONSE_free(ocsp_resp);
|
||||
+ OCSP_REQUEST_free(ocsp_req);
|
||||
+
|
||||
+ OPENSSL_free(host);
|
||||
+ OPENSSL_free(port);
|
||||
+ OPENSSL_free(path);
|
||||
+ X509_email_free(ocsp_urls);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
|
||||
static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
|
||||
CK_SLOT_INFO *slot_info, CK_SLOT_ID slot_id,
|
||||
@@ -191,6 +528,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
|
||||
}
|
||||
|
||||
p11_ctx->x509_store = store;
|
||||
+ p11_ctx->cert_verify_opts = cert_verify_opts;
|
||||
talloc_set_destructor(p11_ctx, talloc_free_x509_store);
|
||||
|
||||
ret = EOK;
|
||||
@@ -262,6 +600,14 @@ bool do_verification(struct p11_ctx *p11_ctx, X509 *cert)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (p11_ctx->cert_verify_opts->do_ocsp) {
|
||||
+ ret = do_ocsp(p11_ctx, cert);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "do_ocsp failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
res = true;
|
||||
|
||||
done:
|
||||
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
|
||||
index 1a8699a..c86e526 100644
|
||||
--- a/src/tests/cmocka/test_utils.c
|
||||
+++ b/src/tests/cmocka/test_utils.c
|
||||
@@ -1612,6 +1612,8 @@ static void test_parse_cert_verify_opts(void **state)
|
||||
&cv_opts);
|
||||
assert_int_equal(ret, EINVAL);
|
||||
|
||||
+/* Only NSS requires that both are set */
|
||||
+#ifdef HAVE_NSS
|
||||
ret = parse_cert_verify_opts(global_talloc_context,
|
||||
"ocsp_default_responder=abc", &cv_opts);
|
||||
assert_int_equal(ret, EINVAL);
|
||||
@@ -1620,6 +1622,7 @@ static void test_parse_cert_verify_opts(void **state)
|
||||
"ocsp_default_responder_signing_cert=def",
|
||||
&cv_opts);
|
||||
assert_int_equal(ret, EINVAL);
|
||||
+#endif
|
||||
|
||||
ret = parse_cert_verify_opts(global_talloc_context,
|
||||
"ocsp_default_responder=abc,"
|
||||
diff --git a/src/util/util.c b/src/util/util.c
|
||||
index 53dd9a1..7f475fa 100644
|
||||
--- a/src/util/util.c
|
||||
+++ b/src/util/util.c
|
||||
@@ -1123,6 +1123,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_NSS
|
||||
if ((cert_verify_opts->ocsp_default_responder == NULL
|
||||
&& cert_verify_opts->ocsp_default_responder_signing_cert != NULL)
|
||||
|| (cert_verify_opts->ocsp_default_responder != NULL
|
||||
@@ -1135,6 +1136,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
||||
ret = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
+#endif
|
||||
|
||||
ret = EOK;
|
||||
|
||||
--
|
||||
2.9.5
|
||||
|
279
0059-p11_child-add-crl_file-option-for-the-OpenSSL-build.patch
Normal file
279
0059-p11_child-add-crl_file-option-for-the-OpenSSL-build.patch
Normal file
@ -0,0 +1,279 @@
|
||||
From 3c096c9ad6dad911d035cfdd802b5dda4710fc68 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 11 Oct 2018 17:35:24 +0200
|
||||
Subject: [PATCH 75/83] p11_child: add crl_file option for the OpenSSL build
|
||||
|
||||
In the NSS build a Certificate Revocation List (CRL) can just be added
|
||||
to the NSS database. For OpenSSL a separate file is needed.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3489
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/man/sssd.conf.5.xml | 24 ++++++++++++++++++++++++
|
||||
src/p11_child/p11_child_common.c | 12 ++++++------
|
||||
src/p11_child/p11_child_openssl.c | 26 +++++++++++++++++++++++++-
|
||||
src/tests/cmocka/test_utils.c | 16 ++++++++++++++++
|
||||
src/util/util.c | 13 +++++++++++++
|
||||
src/util/util.h | 1 +
|
||||
6 files changed, 85 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 5e3ae48..bea25c6 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -503,6 +503,30 @@
|
||||
pam_cert_db_path.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>crl_file=/PATH/TO/CRL/FILE</term>
|
||||
+ <listitem>
|
||||
+ <para>(NSS Version) This option is
|
||||
+ ignored, please see
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>crlutil</refentrytitle>
|
||||
+ <manvolnum>1</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ how to import a Certificate Revocation
|
||||
+ List (CRL) into a NSS database.</para>
|
||||
+
|
||||
+ <para>(OpenSSL Version) Use the
|
||||
+ Certificate Revocation List (CRL) from
|
||||
+ the given file during the verification
|
||||
+ of the certificate. The CRL must be
|
||||
+ given in PEM format, see
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>crl</refentrytitle>
|
||||
+ <manvolnum>1ssl</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ for details.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
<para condition="with_nss">
|
||||
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
|
||||
index 097e7fa..b992aeb 100644
|
||||
--- a/src/p11_child/p11_child_common.c
|
||||
+++ b/src/p11_child/p11_child_common.c
|
||||
@@ -48,7 +48,7 @@ static const char *op_mode_str(enum op_mode mode)
|
||||
return "pre-auth";
|
||||
break;
|
||||
case OP_VERIFIY:
|
||||
- return "verifiy";
|
||||
+ return "verify";
|
||||
break;
|
||||
default:
|
||||
return "unknown";
|
||||
@@ -219,7 +219,7 @@ int main(int argc, const char *argv[])
|
||||
case 'a':
|
||||
if (mode != OP_NONE) {
|
||||
fprintf(stderr,
|
||||
- "\n--verifiy, --auth and --pre are mutually " \
|
||||
+ "\n--verify, --auth and --pre are mutually " \
|
||||
"exclusive and should be only used once.\n\n");
|
||||
poptPrintUsage(pc, stderr, 0);
|
||||
_exit(-1);
|
||||
@@ -229,7 +229,7 @@ int main(int argc, const char *argv[])
|
||||
case 'p':
|
||||
if (mode != OP_NONE) {
|
||||
fprintf(stderr,
|
||||
- "\n--verifiy, --auth and --pre are mutually " \
|
||||
+ "\n--verify, --auth and --pre are mutually " \
|
||||
"exclusive and should be only used once.\n\n");
|
||||
poptPrintUsage(pc, stderr, 0);
|
||||
_exit(-1);
|
||||
@@ -239,7 +239,7 @@ int main(int argc, const char *argv[])
|
||||
case 'v':
|
||||
if (mode != OP_NONE) {
|
||||
fprintf(stderr,
|
||||
- "\n--verifiy, --auth and --pre are mutually " \
|
||||
+ "\n--verify, --auth and --pre are mutually " \
|
||||
"exclusive and should be only used once.\n\n");
|
||||
poptPrintUsage(pc, stderr, 0);
|
||||
_exit(-1);
|
||||
@@ -283,7 +283,7 @@ int main(int argc, const char *argv[])
|
||||
|
||||
if (mode == OP_NONE) {
|
||||
fprintf(stderr, "\nMissing operation mode, either " \
|
||||
- "--verifiy, --auth or --pre must be specified.\n\n");
|
||||
+ "--verify, --auth or --pre must be specified.\n\n");
|
||||
poptPrintUsage(pc, stderr, 0);
|
||||
_exit(-1);
|
||||
} else if (mode == OP_AUTH && pin_mode == PIN_NONE) {
|
||||
@@ -350,7 +350,7 @@ int main(int argc, const char *argv[])
|
||||
|
||||
ret = parse_cert_verify_opts(main_ctx, verify_opts, &cert_verify_opts);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verifiy option.\n");
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verify option.\n");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
||||
index d66a2f8..9defdfc 100644
|
||||
--- a/src/p11_child/p11_child_openssl.c
|
||||
+++ b/src/p11_child/p11_child_openssl.c
|
||||
@@ -501,6 +501,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
|
||||
X509_STORE *store = NULL;
|
||||
unsigned long err;
|
||||
X509_LOOKUP *lookup = NULL;
|
||||
+ X509_VERIFY_PARAM *verify_param = NULL;
|
||||
|
||||
store = X509_STORE_new();
|
||||
if (store == NULL) {
|
||||
@@ -527,6 +528,30 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (cert_verify_opts->crl_file != NULL) {
|
||||
+ verify_param = X509_VERIFY_PARAM_new();
|
||||
+ if (verify_param == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "X509_VERIFY_PARAM_new failed.\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ X509_VERIFY_PARAM_set_flags(verify_param, (X509_V_FLAG_CRL_CHECK
|
||||
+ | X509_V_FLAG_CRL_CHECK_ALL));
|
||||
+
|
||||
+ X509_STORE_set1_param(store, verify_param);
|
||||
+
|
||||
+ ret = X509_load_crl_file(lookup, cert_verify_opts->crl_file,
|
||||
+ X509_FILETYPE_PEM);
|
||||
+ if (ret == 0) {
|
||||
+ err = ERR_get_error();
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "X509_load_crl_file failed [%lu][%s].\n",
|
||||
+ err, ERR_error_string(err, NULL));
|
||||
+ ret = EIO;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
p11_ctx->x509_store = store;
|
||||
p11_ctx->cert_verify_opts = cert_verify_opts;
|
||||
talloc_set_destructor(p11_ctx, talloc_free_x509_store);
|
||||
@@ -536,7 +561,6 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
|
||||
done:
|
||||
if (ret != EOK) {
|
||||
X509_STORE_free(store);
|
||||
- X509_LOOKUP_free(lookup);
|
||||
}
|
||||
|
||||
return ret;
|
||||
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
|
||||
index c86e526..cf1c2ae 100644
|
||||
--- a/src/tests/cmocka/test_utils.c
|
||||
+++ b/src/tests/cmocka/test_utils.c
|
||||
@@ -1567,6 +1567,7 @@ static void test_parse_cert_verify_opts(void **state)
|
||||
assert_true(cv_opts->do_ocsp);
|
||||
assert_null(cv_opts->ocsp_default_responder);
|
||||
assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
||||
+ assert_null(cv_opts->crl_file);
|
||||
talloc_free(cv_opts);
|
||||
|
||||
ret = parse_cert_verify_opts(global_talloc_context, "wedfkwefjk", &cv_opts);
|
||||
@@ -1575,6 +1576,7 @@ static void test_parse_cert_verify_opts(void **state)
|
||||
assert_true(cv_opts->do_ocsp);
|
||||
assert_null(cv_opts->ocsp_default_responder);
|
||||
assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
||||
+ assert_null(cv_opts->crl_file);
|
||||
talloc_free(cv_opts);
|
||||
|
||||
ret = parse_cert_verify_opts(global_talloc_context, "no_ocsp", &cv_opts);
|
||||
@@ -1583,6 +1585,7 @@ static void test_parse_cert_verify_opts(void **state)
|
||||
assert_false(cv_opts->do_ocsp);
|
||||
assert_null(cv_opts->ocsp_default_responder);
|
||||
assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
||||
+ assert_null(cv_opts->crl_file);
|
||||
talloc_free(cv_opts);
|
||||
|
||||
ret = parse_cert_verify_opts(global_talloc_context, "no_verification",
|
||||
@@ -1592,6 +1595,7 @@ static void test_parse_cert_verify_opts(void **state)
|
||||
assert_true(cv_opts->do_ocsp);
|
||||
assert_null(cv_opts->ocsp_default_responder);
|
||||
assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
||||
+ assert_null(cv_opts->crl_file);
|
||||
talloc_free(cv_opts);
|
||||
|
||||
ret = parse_cert_verify_opts(global_talloc_context,
|
||||
@@ -1601,6 +1605,7 @@ static void test_parse_cert_verify_opts(void **state)
|
||||
assert_false(cv_opts->do_ocsp);
|
||||
assert_null(cv_opts->ocsp_default_responder);
|
||||
assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
||||
+ assert_null(cv_opts->crl_file);
|
||||
talloc_free(cv_opts);
|
||||
|
||||
ret = parse_cert_verify_opts(global_talloc_context,
|
||||
@@ -1633,6 +1638,17 @@ static void test_parse_cert_verify_opts(void **state)
|
||||
assert_true(cv_opts->do_ocsp);
|
||||
assert_string_equal(cv_opts->ocsp_default_responder, "abc");
|
||||
assert_string_equal(cv_opts->ocsp_default_responder_signing_cert, "def");
|
||||
+ assert_null(cv_opts->crl_file);
|
||||
+ talloc_free(cv_opts);
|
||||
+
|
||||
+ ret = parse_cert_verify_opts(global_talloc_context, "crl_file=hij",
|
||||
+ &cv_opts);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ assert_true(cv_opts->do_verification);
|
||||
+ assert_true(cv_opts->do_ocsp);
|
||||
+ assert_null(cv_opts->ocsp_default_responder);
|
||||
+ assert_null(cv_opts->ocsp_default_responder_signing_cert);
|
||||
+ assert_string_equal(cv_opts->crl_file, "hij");
|
||||
talloc_free(cv_opts);
|
||||
}
|
||||
|
||||
diff --git a/src/util/util.c b/src/util/util.c
|
||||
index 7f475fa..cbe6a28 100644
|
||||
--- a/src/util/util.c
|
||||
+++ b/src/util/util.c
|
||||
@@ -1024,6 +1024,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
|
||||
cert_verify_opts->do_verification = true;
|
||||
cert_verify_opts->ocsp_default_responder = NULL;
|
||||
cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
|
||||
+ cert_verify_opts->crl_file = NULL;
|
||||
|
||||
return cert_verify_opts;
|
||||
}
|
||||
@@ -1035,6 +1036,8 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
|
||||
"ocsp_default_responder_signing_cert="
|
||||
#define OCSP_DEFAUL_RESPONDER_SIGNING_CERT_LEN \
|
||||
(sizeof(OCSP_DEFAUL_RESPONDER_SIGNING_CERT) - 1)
|
||||
+#define CRL_FILE "crl_file="
|
||||
+#define CRL_FILE_LEN (sizeof(CRL_FILE) -1)
|
||||
|
||||
errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
||||
struct cert_verify_opts **_cert_verify_opts)
|
||||
@@ -1116,6 +1119,16 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
||||
DEBUG(SSSDBG_TRACE_ALL,
|
||||
"Using OCSP default responder signing cert nickname [%s]\n",
|
||||
cert_verify_opts->ocsp_default_responder_signing_cert);
|
||||
+ } else if (strncasecmp(opts[c], CRL_FILE, CRL_FILE_LEN) == 0) {
|
||||
+ cert_verify_opts->crl_file = talloc_strdup(cert_verify_opts,
|
||||
+ &opts[c][CRL_FILE_LEN]);
|
||||
+ if (cert_verify_opts->crl_file == NULL
|
||||
+ || *cert_verify_opts->crl_file == '\0') {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to parse crl_file option [%s].\n", opts[c]);
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
} else {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Unsupported certificate verification option [%s], " \
|
||||
diff --git a/src/util/util.h b/src/util/util.h
|
||||
index e3e9100..7e9b3d6 100644
|
||||
--- a/src/util/util.h
|
||||
+++ b/src/util/util.h
|
||||
@@ -371,6 +371,7 @@ struct cert_verify_opts {
|
||||
bool do_verification;
|
||||
char *ocsp_default_responder;
|
||||
char *ocsp_default_responder_signing_cert;
|
||||
+ char *crl_file;
|
||||
};
|
||||
|
||||
errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 7794caec36e7142423491d90aaade7e49b9df1c1 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 12 Oct 2018 09:32:11 +0200
|
||||
Subject: [PATCH 76/83] p11: Fix two instances of -Wmaybe-uninitialized in
|
||||
p11_child_openssl.c
|
||||
|
||||
If uri_str was passed to the p11_child and parsing the URI failed, then
|
||||
modules would be uninitialized, but freed in the done handler with
|
||||
p11_kit_modules_finalize_and_release()
|
||||
|
||||
Also, another warning is suppressed by setting the 's' variable to zero.
|
||||
While it cannot happen that the variable will be uninitialized, we
|
||||
should help the compiler by setting a value explicitly.
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/p11_child/p11_child_openssl.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
||||
index 9defdfc..adfe272 100644
|
||||
--- a/src/p11_child/p11_child_openssl.c
|
||||
+++ b/src/p11_child/p11_child_openssl.c
|
||||
@@ -1036,8 +1036,8 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
||||
{
|
||||
int ret;
|
||||
size_t c;
|
||||
- size_t s;
|
||||
- CK_FUNCTION_LIST **modules;
|
||||
+ size_t s = 0;
|
||||
+ CK_FUNCTION_LIST **modules = NULL;
|
||||
CK_FUNCTION_LIST *module = NULL;
|
||||
char *mod_name;
|
||||
char *mod_file_name;
|
||||
--
|
||||
2.9.5
|
||||
|
31
0061-sudo-use-correct-sbus-interface.patch
Normal file
31
0061-sudo-use-correct-sbus-interface.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 250e82252b53991e2902b292cfa6029ab28a10fb Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Mon, 15 Oct 2018 12:46:35 +0200
|
||||
Subject: [PATCH 77/83] sudo: use correct sbus interface
|
||||
|
||||
Internal dbus interfaces were renamed to shorter names in sbus2.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3854
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/sudo/sudosrv_dp.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/sudo/sudosrv_dp.c b/src/responder/sudo/sudosrv_dp.c
|
||||
index 2c6b26e..78dd296 100644
|
||||
--- a/src/responder/sudo/sudosrv_dp.c
|
||||
+++ b/src/responder/sudo/sudosrv_dp.c
|
||||
@@ -66,7 +66,7 @@ sss_dp_get_sudoers_msg(TALLOC_CTX *mem_ctx,
|
||||
|
||||
msg = dbus_message_new_method_call(bus_name,
|
||||
SSS_BUS_PATH,
|
||||
- "org.freedesktop.sssd.dataprovider",
|
||||
+ "sssd.dataprovider",
|
||||
"sudoHandler");
|
||||
if (msg == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,40 @@
|
||||
From 8fbaf224193b9ca8b82a290bd52265c2f9b40315 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Mon, 15 Oct 2018 13:01:34 +0200
|
||||
Subject: [PATCH 78/83] sudo: fix error handling in sudosrv_refresh_rules_done
|
||||
|
||||
If sbus returns non-zero code then the output variables are not set and
|
||||
therefore we access uninitialized memory.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3854
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/sudo/sudosrv_get_sudorules.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
|
||||
index 14bd824..76faef0 100644
|
||||
--- a/src/responder/sudo/sudosrv_get_sudorules.c
|
||||
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
|
||||
@@ -576,10 +576,15 @@ static void sudosrv_refresh_rules_done(struct tevent_req *subreq)
|
||||
ret = sss_dp_get_sudoers_recv(state, subreq, &err_maj, &err_min, &err_msg);
|
||||
talloc_zfree(subreq);
|
||||
if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to refresh rules [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ } else if (err_maj != 0 || err_min != 0) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Unable to get information from Data Provider, "
|
||||
"Error: %u, %u, %s\n",
|
||||
- (unsigned int)err_maj, (unsigned int)err_min, err_msg);
|
||||
+ (unsigned int)err_maj, (unsigned int)err_min,
|
||||
+ (err_msg == NULL ? "(null)" : err_msg));
|
||||
goto done;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.5
|
||||
|
@ -0,0 +1,64 @@
|
||||
From c74b430ba95d99b245b6347328024e4b4815b35e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Mon, 15 Oct 2018 12:48:41 +0200
|
||||
Subject: [PATCH 79/83] sbus: remove leftovers from previous implementation
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/data_provider/dp_iface.h | 8 +--
|
||||
src/providers/data_provider_be.c | 2 +-
|
||||
5 files changed, 5 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
|
||||
index 0b0855d..d1382cd 100644
|
||||
--- a/src/providers/data_provider/dp_iface.h
|
||||
+++ b/src/providers/data_provider/dp_iface.h
|
||||
@@ -141,21 +141,21 @@ dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
|
||||
uint32_t *_error,
|
||||
const char **_err_msg);
|
||||
|
||||
-/* org.freedesktop.sssd.DataProvider.Client */
|
||||
+/* sssd.DataProvider.Client */
|
||||
errno_t
|
||||
dp_client_register(TALLOC_CTX *mem_ctx,
|
||||
struct sbus_request *sbus_req,
|
||||
struct data_provider *provider,
|
||||
const char *name);
|
||||
|
||||
-/* org.freedesktop.sssd.DataProvider.Backend */
|
||||
+/* sssd.DataProvider.Backend */
|
||||
errno_t dp_backend_is_online(TALLOC_CTX *mem_ctx,
|
||||
struct sbus_request *sbus_req,
|
||||
struct be_ctx *be_ctx,
|
||||
const char *domname,
|
||||
bool *_is_online);
|
||||
|
||||
-/* org.freedesktop.sssd.DataProvider.Failover */
|
||||
+/* sssd.DataProvider.Failover */
|
||||
errno_t
|
||||
dp_failover_list_services(TALLOC_CTX *mem_ctx,
|
||||
struct sbus_request *sbus_req,
|
||||
@@ -177,7 +177,7 @@ dp_failover_list_servers(TALLOC_CTX *mem_ctx,
|
||||
const char *service_name,
|
||||
const char ***_servers);
|
||||
|
||||
-/* org.freedesktop.sssd.DataProvider.AccessControl */
|
||||
+/* sssd.DataProvider.AccessControl */
|
||||
struct tevent_req *
|
||||
dp_access_control_refresh_rules_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index 6d2477e..7043e7a 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -48,7 +48,7 @@
|
||||
#include "resolv/async_resolv.h"
|
||||
#include "sss_iface/sss_iface_async.h"
|
||||
|
||||
-/* org.freedesktop.sssd.service */
|
||||
+/* sssd.service */
|
||||
static errno_t
|
||||
data_provider_res_init(TALLOC_CTX *mem_ctx,
|
||||
struct sbus_request *sbus_req,
|
||||
2.9.5
|
||||
|
@ -0,0 +1,44 @@
|
||||
From 05ba237af582c1ca3780e5fe06ab3320494efe52 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Sat, 13 Oct 2018 16:22:13 +0000
|
||||
Subject: [PATCH 80/83] CONFIGURE: Add minimal required version for p11-kit
|
||||
|
||||
There are few functions which were added in upstream p11-kit 0.23.3.
|
||||
And there are compilation failures with older versions.
|
||||
|
||||
src/p11_child/p11_child_openssl.c: In function 'get_pkcs11_uri':
|
||||
src/p11_child/p11_child_openssl.c:87:12: error: implicit declaration of function 'p11_kit_uri_get_slot_info' [-Werror=implicit-function-declaration]
|
||||
memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
|
||||
^
|
||||
|
||||
src/p11_child/p11_child_openssl.c:88:5: error: implicit declaration of function 'p11_kit_uri_set_slot_id' [-Werror=implicit-function-declaration]
|
||||
p11_kit_uri_set_slot_id(uri, slot_id);
|
||||
^
|
||||
|
||||
src/p11_child/p11_child_openssl.c: In function 'do_card':
|
||||
src/p11_child/p11_child_openssl.c:767:35: error: implicit declaration of function 'p11_kit_uri_get_slot_id' [-Werror=implicit-function-declaration]
|
||||
uri_slot_id = p11_kit_uri_get_slot_id(uri);
|
||||
^
|
||||
src/p11_child/p11_child_openssl.c:770:32: error: implicit declaration of function 'p11_kit_uri_match_slot_info' [-Werror=implicit-function-declaration]
|
||||
|| p11_kit_uri_match_slot_info(uri, &info) != 1) {
|
||||
^
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3852
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/external/p11-kit.m4 | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/external/p11-kit.m4 b/src/external/p11-kit.m4
|
||||
index a959f43..eb0474f 100644
|
||||
--- a/src/external/p11-kit.m4
|
||||
+++ b/src/external/p11-kit.m4
|
||||
@@ -1,4 +1,4 @@
|
||||
AC_SUBST(P11_KIT_CFLAGS)
|
||||
AC_SUBST(P11_KIT_LIBS)
|
||||
|
||||
-PKG_CHECK_MODULES([P11_KIT], [p11-kit-1])
|
||||
+PKG_CHECK_MODULES([P11_KIT], [p11-kit-1 >= 0.23.3])
|
||||
--
|
||||
2.9.5
|
||||
|
46
0065-SBUS-Silence-warning-maybe-uninitialized.patch
Normal file
46
0065-SBUS-Silence-warning-maybe-uninitialized.patch
Normal file
@ -0,0 +1,46 @@
|
||||
From d143319bce8fc778df93fe7cd7ef4d03b7a3fc92 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Sat, 13 Oct 2018 16:24:56 +0000
|
||||
Subject: [PATCH 81/83] SBUS: Silence warning maybe-uninitialized
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
It should not happen because function sbus_interface_find_property
|
||||
should return NULL for access different than SBUS_PROPERTY_READABLE
|
||||
or SBUS_PROPERTY_WRITABLE. And thus we would return ERR_SBUS_UNKNOWN_PROPERTY
|
||||
from the function sbus_request_property.
|
||||
|
||||
src/sbus/interface/sbus_properties.c: In function 'sbus_request_property.isra.0':
|
||||
src/sbus/interface/sbus_properties.c:360:14:
|
||||
error: 'type' may be used uninitialized in this function
|
||||
[-Werror=maybe-uninitialized]
|
||||
sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
|
||||
~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
interface_name, property_name, path);
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
cc1: all warnings being treated as errors
|
||||
|
||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3851
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/sbus/interface/sbus_properties.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/sbus/interface/sbus_properties.c b/src/sbus/interface/sbus_properties.c
|
||||
index bd15807..906e6db 100644
|
||||
--- a/src/sbus/interface/sbus_properties.c
|
||||
+++ b/src/sbus/interface/sbus_properties.c
|
||||
@@ -355,6 +355,8 @@ sbus_request_property(TALLOC_CTX *mem_ctx,
|
||||
case SBUS_PROPERTY_WRITABLE:
|
||||
type = SBUS_REQUEST_PROPERTY_SET;
|
||||
break;
|
||||
+ default:
|
||||
+ return EINVAL;
|
||||
}
|
||||
|
||||
sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
|
||||
--
|
||||
2.9.5
|
||||
|
136
0066-files-add-session-recording-flag.patch
Normal file
136
0066-files-add-session-recording-flag.patch
Normal file
@ -0,0 +1,136 @@
|
||||
From 46c483c09b85cecf8d1cc72618da993d8948c894 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 15 Oct 2018 20:05:09 +0200
|
||||
Subject: [PATCH 82/83] files: add session recording flag
|
||||
|
||||
If session recording is configured for a group the NSS ans PAM
|
||||
responder rely on a attribute in the cache set by the backend to
|
||||
determine is session recording is configured for the user or not. This
|
||||
flag is typically set during the initgroups request.
|
||||
|
||||
Since the files provider does not have a dedicated initgroups request
|
||||
the attribute must be set otherwise. This patch sets is for all users
|
||||
after the files are reloaded.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3855
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/data_provider/dp_iface.h | 3 ++
|
||||
src/providers/data_provider/dp_target_id.c | 62 ++++++++++++++++++++++++++++++
|
||||
src/providers/files/files_ops.c | 7 ++++
|
||||
3 files changed, 72 insertions(+)
|
||||
|
||||
diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
|
||||
index d1382cd..8635ae0 100644
|
||||
--- a/src/providers/data_provider/dp_iface.h
|
||||
+++ b/src/providers/data_provider/dp_iface.h
|
||||
@@ -188,4 +188,7 @@ errno_t
|
||||
dp_access_control_refresh_rules_recv(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_req *req);
|
||||
|
||||
+
|
||||
+errno_t
|
||||
+dp_add_sr_attribute(struct be_ctx *be_ctx);
|
||||
#endif /* DP_IFACE_H_ */
|
||||
diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
|
||||
index 265788b..748d886 100644
|
||||
--- a/src/providers/data_provider/dp_target_id.c
|
||||
+++ b/src/providers/data_provider/dp_target_id.c
|
||||
@@ -328,6 +328,68 @@ done:
|
||||
talloc_free(tmp_ctx);
|
||||
}
|
||||
|
||||
+errno_t dp_add_sr_attribute(struct be_ctx *be_ctx)
|
||||
+{
|
||||
+ int ret;
|
||||
+ struct dp_initgr_ctx *dp_initgr_ctx = NULL;
|
||||
+ TALLOC_CTX *tmp_ctx = NULL;
|
||||
+ struct dp_id_data *data;
|
||||
+ size_t msgs_count;
|
||||
+ struct ldb_message **msgs = NULL;
|
||||
+ const char *attrs[] = {SYSDB_NAME, NULL};
|
||||
+ size_t c;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_search_users(tmp_ctx, be_ctx->domain, "("SYSDB_NAME "=*)", attrs,
|
||||
+ &msgs_count, &msgs);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_users failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ data = talloc_zero(tmp_ctx, struct dp_id_data);
|
||||
+ if (data == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ data->entry_type = BE_REQ_INITGROUPS;
|
||||
+ data->filter_type = BE_FILTER_NAME;
|
||||
+ data->filter_value = NULL;
|
||||
+ data->extra_value = NULL;
|
||||
+ data->domain = be_ctx->domain->name;
|
||||
+
|
||||
+ for (c = 0; c < msgs_count; c++) {
|
||||
+ data->filter_value = ldb_msg_find_attr_as_string(msgs[c], SYSDB_NAME,
|
||||
+ NULL);
|
||||
+ if (data->filter_value == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cache object [%s] does not have a name, skipping.\n",
|
||||
+ ldb_dn_get_linearized(msgs[c]->dn));
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ talloc_free(dp_initgr_ctx);
|
||||
+ ret = dp_create_initgroups_ctx(tmp_ctx, be_ctx, data, &dp_initgr_ctx);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "dp_create_initgroups_ctx failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ dp_req_initgr_pp_sr_overlay(be_ctx->provider, dp_initgr_ctx);
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain,
|
||||
const char *name)
|
||||
{
|
||||
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
|
||||
index f5a4029..74f77b5 100644
|
||||
--- a/src/providers/files/files_ops.c
|
||||
+++ b/src/providers/files/files_ops.c
|
||||
@@ -26,6 +26,7 @@
|
||||
#include "db/sysdb.h"
|
||||
#include "util/inotify.h"
|
||||
#include "util/util.h"
|
||||
+#include "providers/data_provider/dp_iface.h"
|
||||
|
||||
/* When changing this constant, make sure to also adjust the files integration
|
||||
* test for reallocation branch
|
||||
@@ -771,6 +772,12 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ ret = dp_add_sr_attribute(id_ctx->be);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to add session recording attribute, ignored.\n");
|
||||
+ }
|
||||
+
|
||||
ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
||||
if (ret != EOK) {
|
||||
goto done;
|
||||
--
|
||||
2.9.5
|
||||
|
43
0067-UTIL-Suppress-Coverity-warning.patch
Normal file
43
0067-UTIL-Suppress-Coverity-warning.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From fc29c3eb9750c5e7def4e1ab6eb18f4f5024f567 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 16 Oct 2018 10:42:43 +0200
|
||||
Subject: [PATCH 83/83] UTIL: Suppress Coverity warning
|
||||
|
||||
We recently added this code:
|
||||
if (domain_name != NULL
|
||||
&& is_files_provider(find_domain_by_name(dom,
|
||||
domain_name,
|
||||
false)))
|
||||
|
||||
find_domain_by_name returns NULL if the domain_name can't be found. This
|
||||
of course makes mostly sense for trusted domains that can appear and
|
||||
disappear. And is_files_provider() didn't handle the situation where the
|
||||
domain pointer was NULL and would directly dereference it.
|
||||
|
||||
This commit just adds a NULL check for the domain pointer so that
|
||||
is_files_provider() returns 'false' if the domain pointer was NULL.
|
||||
|
||||
Another alternative might be to check the return value of
|
||||
find_domain_by_name(), but I don't think it's worth the trouble.
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/util/domain_info_utils.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
|
||||
index 8bef6c9..ffb8cdf 100644
|
||||
--- a/src/util/domain_info_utils.c
|
||||
+++ b/src/util/domain_info_utils.c
|
||||
@@ -931,6 +931,7 @@ bool sss_domain_info_get_output_fqnames(struct sss_domain_info *domain)
|
||||
|
||||
bool is_files_provider(struct sss_domain_info *domain)
|
||||
{
|
||||
- return domain->provider != NULL &&
|
||||
+ return domain != NULL &&
|
||||
+ domain->provider != NULL &&
|
||||
strcasecmp(domain->provider, "files") == 0;
|
||||
}
|
||||
--
|
||||
2.9.5
|
||||
|
360
0068-UTIL-move-and-rename-sysdb_error_to_errno-to-utils.patch
Normal file
360
0068-UTIL-move-and-rename-sysdb_error_to_errno-to-utils.patch
Normal file
@ -0,0 +1,360 @@
|
||||
From f62f3b290cb5393bf9c4a9c2c424fd5c5185fe44 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Halman <thalman@redhat.com>
|
||||
Date: Wed, 3 Oct 2018 11:44:13 +0200
|
||||
Subject: [PATCH 1/5] UTIL: move and rename sysdb_error_to_errno to utils
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The function sysdb_error_to_errno() is used by multiple component,
|
||||
so we want to move it to shared place. Function is renamed to
|
||||
sss_ldb_error_to_errno() and moved to util/util_errors.c.
|
||||
|
||||
Old name is still #defined in sysdb.h and points to new
|
||||
name.
|
||||
|
||||
Also few places where ldb error code was handled manually
|
||||
has been updated to use sss_ldb_error_to_errno.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3802
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.c | 6 ++---
|
||||
src/confdb/confdb_setup.c | 6 ++---
|
||||
src/db/sysdb.c | 25 ---------------------
|
||||
src/db/sysdb.h | 6 ++---
|
||||
.../common/cache_req/cache_req_sr_overlay.c | 4 ++--
|
||||
src/responder/ifp/ifp_cache.c | 2 +-
|
||||
src/tools/sss_override.c | 6 ++---
|
||||
src/util/secrets/secrets.c | 26 +++++++---------------
|
||||
src/util/util_errors.c | 25 +++++++++++++++++++++
|
||||
src/util/util_errors.h | 3 +++
|
||||
10 files changed, 51 insertions(+), 58 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
||||
index fdc6122..b0d886c 100644
|
||||
--- a/src/confdb/confdb.c
|
||||
+++ b/src/confdb/confdb.c
|
||||
@@ -842,7 +842,7 @@ static int confdb_get_domain_section(TALLOC_CTX *mem_ctx,
|
||||
ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn,
|
||||
LDB_SCOPE_BASE, NULL, NULL);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ ret = sss_ldb_error_to_errno(ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -2076,7 +2076,7 @@ static int confdb_merge_parent_domain(const char *name,
|
||||
|
||||
ret = ldb_modify(cdb->ldb, replace_msg);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ ret = sss_ldb_error_to_errno(ret);
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Inheriting options from parent domain failed [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
@@ -2131,7 +2131,7 @@ static int confdb_merge_parent_domain(const char *name,
|
||||
*/
|
||||
ret = sss_ldb_modify_permissive(cdb->ldb, app_msg);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ ret = sss_ldb_error_to_errno(ret);
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Adding app-specific options failed [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
|
||||
index 5e35589..c2b7f9f 100644
|
||||
--- a/src/confdb/confdb_setup.c
|
||||
+++ b/src/confdb/confdb_setup.c
|
||||
@@ -96,7 +96,7 @@ static int confdb_purge(struct confdb_ctx *cdb)
|
||||
ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn,
|
||||
LDB_SCOPE_SUBTREE, attrs, NULL);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ ret = sss_ldb_error_to_errno(ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -104,7 +104,7 @@ static int confdb_purge(struct confdb_ctx *cdb)
|
||||
/* Delete this DN */
|
||||
ret = ldb_delete(cdb->ldb, res->msgs[i]->dn);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ ret = sss_ldb_error_to_errno(ret);
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
@@ -313,7 +313,7 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Failed to start a transaction for "
|
||||
"updating the configuration\n");
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ ret = sss_ldb_error_to_errno(ret);
|
||||
goto done;
|
||||
}
|
||||
in_transaction = true;
|
||||
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
|
||||
index 06d7f27..51acb86 100644
|
||||
--- a/src/db/sysdb.c
|
||||
+++ b/src/db/sysdb.c
|
||||
@@ -871,31 +871,6 @@ char *sysdb_group_strdn(TALLOC_CTX *mem_ctx,
|
||||
return build_dom_dn_str_escape(mem_ctx, SYSDB_TMPL_GROUP, domain, name);
|
||||
}
|
||||
|
||||
-/* TODO: make a more complete and precise mapping */
|
||||
-int sysdb_error_to_errno(int ldberr)
|
||||
-{
|
||||
- switch (ldberr) {
|
||||
- case LDB_SUCCESS:
|
||||
- return EOK;
|
||||
- case LDB_ERR_OPERATIONS_ERROR:
|
||||
- return EIO;
|
||||
- case LDB_ERR_NO_SUCH_OBJECT:
|
||||
- return ENOENT;
|
||||
- case LDB_ERR_BUSY:
|
||||
- return EBUSY;
|
||||
- case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
|
||||
- case LDB_ERR_ENTRY_ALREADY_EXISTS:
|
||||
- return EEXIST;
|
||||
- case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
|
||||
- return EINVAL;
|
||||
- default:
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "LDB returned unexpected error: [%s]\n",
|
||||
- ldb_strerror(ldberr));
|
||||
- return EFAULT;
|
||||
- }
|
||||
-}
|
||||
-
|
||||
/* =Transactions========================================================== */
|
||||
|
||||
int sysdb_transaction_start(struct sysdb_ctx *sysdb)
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index 2187947..f6e3160 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -454,9 +454,6 @@ errno_t sysdb_get_highest_usn(TALLOC_CTX *mem_ctx,
|
||||
size_t num_attrs,
|
||||
char **_usn);
|
||||
|
||||
-/* convert an ldb error into an errno error */
|
||||
-int sysdb_error_to_errno(int ldberr);
|
||||
-
|
||||
/* DNs related helper functions */
|
||||
errno_t sysdb_get_rdn(struct sysdb_ctx *sysdb, TALLOC_CTX *mem_ctx,
|
||||
const char *dn, char **_name, char **_val);
|
||||
@@ -1434,4 +1431,7 @@ errno_t sysdb_handle_original_uuid(const char *orig_name,
|
||||
struct sysdb_attrs *dest_attrs,
|
||||
const char *dest_name);
|
||||
|
||||
+/* define old name for backward compatibility */
|
||||
+#define sysdb_error_to_errno(ldberr) sss_ldb_error_to_errno(ldberr)
|
||||
+
|
||||
#endif /* __SYS_DB_H__ */
|
||||
diff --git a/src/responder/common/cache_req/cache_req_sr_overlay.c b/src/responder/common/cache_req/cache_req_sr_overlay.c
|
||||
index 60da26f..b06a80a 100644
|
||||
--- a/src/responder/common/cache_req/cache_req_sr_overlay.c
|
||||
+++ b/src/responder/common/cache_req/cache_req_sr_overlay.c
|
||||
@@ -192,7 +192,7 @@ static errno_t cache_req_sr_overlay_match_users(
|
||||
}
|
||||
lret = ldb_msg_add_string(msg, SYSDB_SESSION_RECORDING, enabled_str);
|
||||
if (lret != LDB_SUCCESS) {
|
||||
- ret = sysdb_error_to_errno(lret);
|
||||
+ ret = sss_ldb_error_to_errno(lret);
|
||||
CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
|
||||
"Failed adding %s attribute: %s\n",
|
||||
SYSDB_SESSION_RECORDING, sss_strerror(ret));
|
||||
@@ -279,7 +279,7 @@ static void cache_req_sr_overlay_match_all_step_done(
|
||||
}
|
||||
lret = ldb_msg_add_string(msg, SYSDB_SESSION_RECORDING, enabled_copy);
|
||||
if (lret != LDB_SUCCESS) {
|
||||
- ret = sysdb_error_to_errno(lret);
|
||||
+ ret = sss_ldb_error_to_errno(lret);
|
||||
CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr,
|
||||
"Failed adding %s attribute: %s\n",
|
||||
SYSDB_SESSION_RECORDING, sss_strerror(ret));
|
||||
diff --git a/src/responder/ifp/ifp_cache.c b/src/responder/ifp/ifp_cache.c
|
||||
index 083f274..27681d0 100644
|
||||
--- a/src/responder/ifp/ifp_cache.c
|
||||
+++ b/src/responder/ifp/ifp_cache.c
|
||||
@@ -119,7 +119,7 @@ ifp_cache_get_cached_objects(TALLOC_CTX *mem_ctx,
|
||||
SYSDB_IFP_CACHED);
|
||||
if (ldb_ret != LDB_SUCCESS) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to search the cache\n");
|
||||
- ret = sysdb_error_to_errno(ldb_ret);
|
||||
+ ret = sss_ldb_error_to_errno(ldb_ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
|
||||
index 21fe62d..a12aa27 100644
|
||||
--- a/src/tools/sss_override.c
|
||||
+++ b/src/tools/sss_override.c
|
||||
@@ -936,7 +936,7 @@ static errno_t override_object_del(struct sss_domain_info *domain,
|
||||
ret = ldb_msg_add_empty(msg, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE, NULL);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty() failed\n");
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ ret = sss_ldb_error_to_errno(ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -945,7 +945,7 @@ static errno_t override_object_del(struct sss_domain_info *domain,
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"ldb_modify() failed: [%s](%d)[%s]\n",
|
||||
ldb_strerror(ret), ret, ldb_errstring(ldb));
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ ret = sss_ldb_error_to_errno(ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -1025,7 +1025,7 @@ static errno_t append_name(struct sss_domain_info *domain,
|
||||
|
||||
ret = ldb_msg_add_string(override, ORIGNAME, fqname);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
- ret = sysdb_error_to_errno(ret);
|
||||
+ ret = sss_ldb_error_to_errno(ret);
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add attribute to msg\n");
|
||||
goto done;
|
||||
}
|
||||
diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
|
||||
index ca3e657..6a317a0 100644
|
||||
--- a/src/util/secrets/secrets.c
|
||||
+++ b/src/util/secrets/secrets.c
|
||||
@@ -417,17 +417,16 @@ static int local_db_create(struct sss_sec_req *req)
|
||||
}
|
||||
|
||||
ret = ldb_add(req->sctx->ldb, msg);
|
||||
- if (ret != EOK) {
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Secret %s already exists\n", ldb_dn_get_linearized(msg->dn));
|
||||
- ret = EEXIST;
|
||||
} else {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Failed to add secret [%s]: [%d]: %s\n",
|
||||
ldb_dn_get_linearized(msg->dn), ret, ldb_strerror(ret));
|
||||
- ret = EIO;
|
||||
}
|
||||
+ ret = sss_ldb_error_to_errno (ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -1109,17 +1108,16 @@ errno_t sss_sec_put(struct sss_sec_req *req,
|
||||
}
|
||||
|
||||
ret = ldb_add(req->sctx->ldb, msg);
|
||||
- if (ret != EOK) {
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Secret %s already exists\n", ldb_dn_get_linearized(msg->dn));
|
||||
- ret = EEXIST;
|
||||
} else {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Failed to add secret [%s]: [%d]: %s\n",
|
||||
ldb_dn_get_linearized(msg->dn), ret, ldb_strerror(ret));
|
||||
- ret = EIO;
|
||||
}
|
||||
+ ret = sss_ldb_error_to_errno (ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -1210,13 +1208,13 @@ errno_t sss_sec_update(struct sss_sec_req *req,
|
||||
ret = ldb_modify(req->sctx->ldb, msg);
|
||||
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE, "No such object to modify\n");
|
||||
- ret = ENOENT;
|
||||
+ ret = sss_ldb_error_to_errno (ret);
|
||||
goto done;
|
||||
} else if (ret != LDB_SUCCESS) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
"ldb_modify failed: [%s](%d)[%s]\n",
|
||||
ldb_strerror(ret), ret, ldb_errstring(req->sctx->ldb));
|
||||
- ret = EIO;
|
||||
+ ret = sss_ldb_error_to_errno (ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -1282,20 +1280,12 @@ errno_t sss_sec_delete(struct sss_sec_req *req)
|
||||
/* fall through */
|
||||
}
|
||||
|
||||
- switch (ret) {
|
||||
- case LDB_SUCCESS:
|
||||
- ret = EOK;
|
||||
- break;
|
||||
- case LDB_ERR_NO_SUCH_OBJECT:
|
||||
- ret = ENOENT;
|
||||
- break;
|
||||
- default:
|
||||
+ if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_OBJECT) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"LDB returned unexpected error: [%s]\n",
|
||||
ldb_strerror(ret));
|
||||
- ret = EFAULT;
|
||||
- break;
|
||||
}
|
||||
+ ret = sss_ldb_error_to_errno (ret);
|
||||
|
||||
done:
|
||||
talloc_free(tmp_ctx);
|
||||
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
|
||||
index 5f8a2a2..d3f5e89 100644
|
||||
--- a/src/util/util_errors.c
|
||||
+++ b/src/util/util_errors.c
|
||||
@@ -19,6 +19,7 @@
|
||||
*/
|
||||
|
||||
#include "util/util.h"
|
||||
+#include <ldb.h>
|
||||
|
||||
struct err_string {
|
||||
const char *msg;
|
||||
@@ -146,3 +147,27 @@ const char *sss_strerror(errno_t error)
|
||||
return strerror(error);
|
||||
}
|
||||
|
||||
+/* TODO: make a more complete and precise mapping */
|
||||
+errno_t sss_ldb_error_to_errno(int ldberr)
|
||||
+{
|
||||
+ switch (ldberr) {
|
||||
+ case LDB_SUCCESS:
|
||||
+ return EOK;
|
||||
+ case LDB_ERR_OPERATIONS_ERROR:
|
||||
+ return EIO;
|
||||
+ case LDB_ERR_NO_SUCH_OBJECT:
|
||||
+ return ENOENT;
|
||||
+ case LDB_ERR_BUSY:
|
||||
+ return EBUSY;
|
||||
+ case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
|
||||
+ case LDB_ERR_ENTRY_ALREADY_EXISTS:
|
||||
+ return EEXIST;
|
||||
+ case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
|
||||
+ return EINVAL;
|
||||
+ default:
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "LDB returned unexpected error: [%i]\n",
|
||||
+ ldberr);
|
||||
+ return EFAULT;
|
||||
+ }
|
||||
+}
|
||||
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
|
||||
index c6731d4..a799bba 100644
|
||||
--- a/src/util/util_errors.h
|
||||
+++ b/src/util/util_errors.h
|
||||
@@ -178,4 +178,7 @@ enum sssd_errors {
|
||||
*/
|
||||
const char *sss_strerror(errno_t error);
|
||||
|
||||
+/* return ldb error converted to an errno */
|
||||
+errno_t sss_ldb_error_to_errno(int ldberr);
|
||||
+
|
||||
#endif /* __SSSD_UTIL_ERRORS_H__ */
|
||||
--
|
||||
2.9.5
|
||||
|
121
0069-PYSSS-Re-add-the-pysss.getgrouplist-interface.patch
Normal file
121
0069-PYSSS-Re-add-the-pysss.getgrouplist-interface.patch
Normal file
@ -0,0 +1,121 @@
|
||||
From f0603645f5ea5f707875807b4f815400f4b79e41 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 24 Oct 2018 09:41:44 +0200
|
||||
Subject: [PATCH 5/5] PYSSS: Re-add the pysss.getgrouplist() interface
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/3493
|
||||
|
||||
Commit 0e211b8ba30c3adcdeef21ca1339b194cbfffb04 was supposed to remove
|
||||
only the parts of the pysss API that relate to the local domain. But it
|
||||
removed also the getgrouplist() method by accident. This method is very
|
||||
important to IPA, so we need to add it back.
|
||||
|
||||
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
src/python/pysss.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 83 insertions(+)
|
||||
|
||||
diff --git a/src/python/pysss.c b/src/python/pysss.c
|
||||
index e92653a..78b8de0 100644
|
||||
--- a/src/python/pysss.c
|
||||
+++ b/src/python/pysss.c
|
||||
@@ -215,12 +215,95 @@ static PyTypeObject pysss_password_type = {
|
||||
.tp_doc = sss_py_const_p(char, "SSS password obfuscation"),
|
||||
};
|
||||
|
||||
+/*
|
||||
+ * Get list of groups user belongs to
|
||||
+ */
|
||||
+PyDoc_STRVAR(py_sss_getgrouplist__doc__,
|
||||
+ "Get list of groups user belongs to.\n\n"
|
||||
+ "NOTE: The interface uses the system NSS calls and is not limited to "
|
||||
+ "users served by the SSSD!\n"
|
||||
+ ":param username: name of user to get list for\n");
|
||||
+
|
||||
+static PyObject *py_sss_getgrouplist(PyObject *self, PyObject *args)
|
||||
+{
|
||||
+ char *username = NULL;
|
||||
+ gid_t *groups = NULL;
|
||||
+ struct passwd *pw;
|
||||
+ struct group *gr;
|
||||
+ int ngroups;
|
||||
+ int ret;
|
||||
+ Py_ssize_t i, idx;
|
||||
+ PyObject *groups_tuple;
|
||||
+
|
||||
+ if(!PyArg_ParseTuple(args, discard_const_p(char, "s"), &username)) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ pw = getpwnam(username);
|
||||
+ if (pw == NULL) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ ngroups = 32;
|
||||
+ groups = malloc(sizeof(gid_t) * ngroups);
|
||||
+ if (groups == NULL) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ do {
|
||||
+ ret = getgrouplist(username, pw->pw_gid, groups, &ngroups);
|
||||
+ if (ret < ngroups) {
|
||||
+ gid_t *tmp_groups = realloc(groups, ngroups * sizeof(gid_t));
|
||||
+ if (tmp_groups == NULL) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ groups = tmp_groups;
|
||||
+ }
|
||||
+ } while (ret != ngroups);
|
||||
+
|
||||
+ groups_tuple = PyTuple_New((Py_ssize_t) ngroups);
|
||||
+ if (groups_tuple == NULL) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ /* Populate a tuple with names of groups
|
||||
+ * In unlikely case of group not being able to resolve, skip it
|
||||
+ * We also need to resize resulting tuple to avoid empty elements there */
|
||||
+ idx = 0;
|
||||
+ for (i = 0; i < ngroups; i++) {
|
||||
+ gr = getgrgid(groups[i]);
|
||||
+ if (gr) {
|
||||
+ PyTuple_SetItem(groups_tuple, idx,
|
||||
+#ifdef IS_PY3K
|
||||
+ PyUnicode_FromString(gr->gr_name)
|
||||
+#else
|
||||
+ PyString_FromString(gr->gr_name)
|
||||
+#endif
|
||||
+ );
|
||||
+ idx++;
|
||||
+ }
|
||||
+ }
|
||||
+ free(groups);
|
||||
+ groups = NULL;
|
||||
+
|
||||
+ if (i != idx) {
|
||||
+ _PyTuple_Resize(&groups_tuple, idx);
|
||||
+ }
|
||||
+
|
||||
+ return groups_tuple;
|
||||
+
|
||||
+fail:
|
||||
+ free(groups);
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
/* ==================== the sss module initialization =======================*/
|
||||
|
||||
/*
|
||||
* Module methods
|
||||
*/
|
||||
static PyMethodDef module_methods[] = {
|
||||
+ {"getgrouplist", py_sss_getgrouplist, METH_VARARGS, py_sss_getgrouplist__doc__},
|
||||
{NULL, NULL, 0, NULL} /* Sentinel */
|
||||
};
|
||||
|
||||
--
|
||||
2.9.5
|
||||
|
@ -1,39 +0,0 @@
|
||||
From 232305dd10b81955a3ee9dfc6d56c2d76ad5706f Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@fedoraproject.org>
|
||||
Date: Fri, 3 Nov 2017 16:18:14 +0100
|
||||
Subject: [PATCH] Disable stopping idle socket activated responders
|
||||
|
||||
---
|
||||
src/confdb/confdb.h | 2 +-
|
||||
src/man/sssd.conf.5.xml | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 1471949623e9dd7a8536e3ac3048a10227a5d857..e30e77bf50b7312b3f660241c92a1b3c03e88259 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -85,7 +85,7 @@
|
||||
/* Responders */
|
||||
#define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
|
||||
#define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
|
||||
-#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
|
||||
+#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 0
|
||||
#define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
|
||||
#define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
|
||||
#define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index 6be3cd47463ec054276a0b6b2be7ec03eef1f0be..d362ba71cfbeb6271fc87abd9743ca7a77f9f3ec 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -706,7 +706,7 @@
|
||||
or dbus activated.
|
||||
</para>
|
||||
<para>
|
||||
- Default: 300
|
||||
+ Default: 0
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
--
|
||||
2.14.3
|
||||
|
@ -1,25 +0,0 @@
|
||||
From 7459b3326e99e5d2e6ea924100705ef56525cb96 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Mon, 13 Aug 2018 19:34:47 +0200
|
||||
Subject: [PATCH] sbus_generate: python -> platform-python
|
||||
|
||||
---
|
||||
sbus_generate.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/sbus_generate.sh b/sbus_generate.sh
|
||||
index 338fd9d33..1eefa4cb5 100755
|
||||
--- a/sbus_generate.sh
|
||||
+++ b/sbus_generate.sh
|
||||
@@ -13,7 +13,7 @@ generate() {
|
||||
|
||||
echo "Generating sbus code for: $XML"
|
||||
|
||||
- python $CODEGEN --sbus sbus --util util \
|
||||
+ python3 $CODEGEN --sbus sbus --util util \
|
||||
--headers "$HEADERS" \
|
||||
--dest "$SRCDIR/src/$DEST" \
|
||||
--fileprefix "sbus_${PREFIX}_" \
|
||||
--
|
||||
2.17.1
|
||||
|
110
sssd.spec
110
sssd.spec
@ -36,7 +36,7 @@
|
||||
|
||||
Name: sssd
|
||||
Version: 2.0.0
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -48,11 +48,74 @@ Patch0001: 0001-BUILD-Fix-issue-with-installation-of-libsss_secrets.patch
|
||||
Patch0002: 0002-BUILD-Add-missing-deps-to-libsss_sbus-.so.patch
|
||||
Patch0003: 0003-BUILD-Reduce-compilation-of-unnecessary-files.patch
|
||||
Patch0004: 0004-KCM-Don-t-error-out-if-creating-a-new-ID-as-the-firs.patch
|
||||
Patch0005: 0005-sbus-register-filter-on-new-connection.patch
|
||||
Patch0006: 0006-sbus-fix-typo.patch
|
||||
Patch0007: 0007-sbus-check-for-null-message-in-sbus_message_bound.patch
|
||||
Patch0008: 0008-sbus-replace-sbus_message_bound_ref-with-sbus_messag.patch
|
||||
Patch0009: 0009-sbus-add-unit-tests-for-public-sbus_message-module.patch
|
||||
Patch0010: 0010-SELINUX-Always-add-SELinux-user-to-the-semanage-data.patch
|
||||
Patch0011: 0011-intg-flush-the-SSSD-caches-to-sync-with-files.patch
|
||||
Patch0012: 0012-sbus-dectect-python-binary-for-sbus_generate.sh.patch
|
||||
Patch0013: 0013-sudo-respect-case-sensitivity-in-sudo-responder.patch
|
||||
Patch0014: 0014-GPO-Add-gpo_implicit_deny-option.patch
|
||||
Patch0015: 0015-Skip-local-domain-if-not-supported.patch
|
||||
Patch0016: 0016-sysdb-extract-sysdb_ldb_msg_attr_to_certmap_info-cal.patch
|
||||
Patch0017: 0017-sysdb_ldb_msg_attr_to_certmap_info-set-SSS_CERTMAP_M.patch
|
||||
Patch0018: 0018-sysdb-add-attr_map-attribute-to-sysdb_ldb_msg_attr_t.patch
|
||||
Patch0019: 0019-confdb-add-confdb_certmap_to_sysdb.patch
|
||||
Patch0020: 0020-AD-LDAP-read-certificate-mapping-rules-from-config-f.patch
|
||||
Patch0021: 0021-sysdb-sysdb_certmap_add-handle-domains-more-flexible.patch
|
||||
Patch0022: 0022-confdb-add-special-handling-for-rules-for-the-files-.patch
|
||||
Patch0023: 0023-files-add-support-for-Smartcard-authentication.patch
|
||||
Patch0024: 0024-responder-make-sure-SSS_DP_CERT-is-passed-to-files-p.patch
|
||||
Patch0025: 0025-PAM-add-certificate-matching-rules-from-all-domains.patch
|
||||
Patch0026: 0026-doc-add-certificate-mapping-section-to-man-page.patch
|
||||
Patch0027: 0027-intg-user-default-locale.patch
|
||||
Patch0028: 0028-PAM-use-better-PAM-error-code-for-failed-Smartcard-a.patch
|
||||
Patch0029: 0029-test_ca-test-library-only-for-readable.patch
|
||||
Patch0030: 0030-test_ca-set-a-password-PIN-to-nss-databases.patch
|
||||
Patch0031: 0031-getsockopt_wrapper-add-support-for-PAM-clients.patch
|
||||
Patch0032: 0032-intg-add-Smartcard-authentication-tests.patch
|
||||
Patch0033: 0033-proxy-access-provider-directly-not-through-be_ctx.patch
|
||||
Patch0034: 0034-dp-set-be_ctx-provider-as-part-of-dp_init-request.patch
|
||||
Patch0035: 0035-sbus-read-destination-after-sender-is-set.patch
|
||||
Patch0036: 0036-sbus-do-not-try-to-remove-signal-listeners-when-disc.patch
|
||||
Patch0037: 0037-sbus-free-watch_fd-fdevent-explicitly.patch
|
||||
Patch0038: 0038-doc-remove-local-provider-reference-from-manpages.patch
|
||||
Patch0039: 0039-confdb-log-an-error-when-domain-is-misconfigured.patch
|
||||
Patch0040: 0040-be-use-be_is_offline-for-the-main-domain-when-asking.patch
|
||||
Patch0041: 0041-p11-handle-multiple-certs-during-auth-with-OpenSSL.patch
|
||||
Patch0042: 0042-doc-Add-nsswitch.conf-note-to-manpage.patch
|
||||
Patch0043: 0043-MAN-Fix-typo-in-ad_gpo_implicit_deny-default-value.patch
|
||||
Patch0044: 0044-p11_child-add-wait_for_card-option.patch
|
||||
Patch0045: 0045-PAM-add-p11_wait_for_card_timeout-option.patch
|
||||
Patch0046: 0046-pam_sss-make-flags-public.patch
|
||||
Patch0047: 0047-pam_sss-add-try_cert_auth-option.patch
|
||||
Patch0048: 0048-pam_sss-add-option-require_cert_auth.patch
|
||||
Patch0049: 0049-intg-require-SC-tests.patch
|
||||
Patch0050: 0050-p11_child-show-PKCS-11-URI-in-debug-output.patch
|
||||
Patch0051: 0051-p11_child-add-PKCS-11-uri-to-restrict-selection.patch
|
||||
Patch0052: 0052-PAM-add-p11_uri-option.patch
|
||||
Patch0053: 0053-tests-add-PKCS-11-URI-tests.patch
|
||||
Patch0054: 0054-test_config-Test-for-invalid-characker-in-domain.patch
|
||||
Patch0055: 0055-PAM-return-short-name-for-files-provider-users.patch
|
||||
Patch0056: 0056-TESTS-Add-a-test-for-whitespace-trimming-in-netgroup.patch
|
||||
Patch0057: 0057-FILES-The-files-provider-should-not-enumerate.patch
|
||||
Patch0058: 0058-p11_child-add-OCSP-check-ot-the-OpenSSL-version.patch
|
||||
Patch0059: 0059-p11_child-add-crl_file-option-for-the-OpenSSL-build.patch
|
||||
Patch0060: 0060-p11-Fix-two-instances-of-Wmaybe-uninitialized-in-p11.patch
|
||||
Patch0061: 0061-sudo-use-correct-sbus-interface.patch
|
||||
Patch0062: 0062-sudo-fix-error-handling-in-sudosrv_refresh_rules_don.patch
|
||||
Patch0063: 0063-sbus-remove-leftovers-from-previous-implementation.patch
|
||||
Patch0064: 0064-CONFIGURE-Add-minimal-required-version-for-p11-kit.patch
|
||||
Patch0065: 0065-SBUS-Silence-warning-maybe-uninitialized.patch
|
||||
Patch0066: 0066-files-add-session-recording-flag.patch
|
||||
Patch0067: 0067-UTIL-Suppress-Coverity-warning.patch
|
||||
Patch0068: 0068-UTIL-move-and-rename-sysdb_error_to_errno-to-utils.patch
|
||||
Patch0069: 0069-PYSSS-Re-add-the-pysss.getgrouplist-interface.patch
|
||||
|
||||
### Downstream only patches ###
|
||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
|
||||
Patch0504: 0504-sbus_generate-python-platform-python.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
@ -1215,8 +1278,47 @@ fi
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
|
||||
* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-4
|
||||
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
|
||||
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
|
||||
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
|
||||
differs from the default
|
||||
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
|
||||
might not be available on all distributions
|
||||
- Resolves: upstream#3820 - sudo: search with lower cased name for case
|
||||
insensitive domains
|
||||
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
|
||||
an allow-any default to a deny-any default when it
|
||||
can't find any GPOs to apply to a user login.
|
||||
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
|
||||
startup
|
||||
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
|
||||
also for local account authentication
|
||||
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
|
||||
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
|
||||
commands in man pages since local provider is
|
||||
deprecated
|
||||
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
|
||||
started due to a misconfiguration
|
||||
- Resolves: upstream#3830 - Printing incorrect information about domain with
|
||||
sssctl utility
|
||||
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
|
||||
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
|
||||
changes in nsswitch.conf
|
||||
- Resovles: upstream#3650 - RFE: Require smartcard authentication
|
||||
- Resolves: upstream#3334 - sssctl config-check does not check any special
|
||||
characters in domain name of domain section
|
||||
- Resolves: upstream#3849 - Files: The files provider always enumerates
|
||||
which causes duplicate when running getent passwd
|
||||
- Related: upstream#3855 - session not recording for local user when groups
|
||||
defined
|
||||
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
|
||||
- Related: upstream#3493 - Remove the pysss.local interface
|
||||
|
||||
* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-3
|
||||
- Resolves: rhbz#1622760 - Console login as FreeIPA domain user fails in current Fedora Rawhide / 29
|
||||
- Resolves: rhbz#1622760 - Console login as FreeIPA domain user fails in
|
||||
current Fedora Rawhide / 29
|
||||
|
||||
* Wed Aug 29 2018 Michal Židek <mzidek@redhat.com> - 2.0.0-2
|
||||
- Fix linking issues
|
||||
|
Loading…
Reference in New Issue
Block a user