From f274eb9a46cfa3eb2987c8e1545845c73651cbea Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Tue, 16 May 2023 18:21:23 +0200
Subject: [PATCH] Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
---
...MAN-fix-issue-with-multithread-build.patch | 71 +++++++++
...s_cli_sd-should-also-be-protected-wi.patch | 53 -------
sssd.spec | 3 +-
tests/sssd-tasks.yml | 136 ++++++++++++++++++
tests/sssd-vars.yml | 7 +
tests/tests.yml | 8 ++
6 files changed, 224 insertions(+), 54 deletions(-)
create mode 100644 0002-MAN-fix-issue-with-multithread-build.patch
delete mode 100644 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
create mode 100644 tests/sssd-tasks.yml
create mode 100644 tests/sssd-vars.yml
create mode 100644 tests/tests.yml
diff --git a/0002-MAN-fix-issue-with-multithread-build.patch b/0002-MAN-fix-issue-with-multithread-build.patch
new file mode 100644
index 0000000..3c8b1d5
--- /dev/null
+++ b/0002-MAN-fix-issue-with-multithread-build.patch
@@ -0,0 +1,71 @@
+From 713c646ec054b72cfaadd21f3faaa9c5acb96222 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Tue, 16 May 2023 15:22:04 +0200
+Subject: [PATCH] MAN: fix issue with multithread build
+
+When 'make' runs using multiple threads it can build several man pages
+in parallel, executing the same '.5.xml.5:' rule. This can result in
+a race condition where multiple threads access the same 'sssd_user_name.include'
+file.
+To avoid this make 'sssd_user_name.include' file a rule dependency.
+But "Suffix rules cannot have any prerequisites of their own", and suffix
+rules are obsolete anyway, so change it to pattern rules.
+---
+ src/man/Makefile.am | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/man/Makefile.am b/src/man/Makefile.am
+index ee44dff97..1e51aebfd 100644
+--- a/src/man/Makefile.am
++++ b/src/man/Makefile.am
+@@ -117,23 +117,23 @@ man_MANS += sssd-files.5
+ endif # BUILD_FILES_PROVIDER
+ endif
+
+-SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8
+-.1.xml.1:
++$(builddir)/src/man/sssd_user_name.include:
++ @mkdir -p $(builddir)/src/man
++ @echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include
++
++%.1: %.1.xml
+ $(XMLLINT) $(XMLLINT_FLAGS) $<
+ $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
+
+-.3.xml.3:
++%.3: %.3.xml
+ $(XMLLINT) $(XMLLINT_FLAGS) $<
+ $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
+
+-.5.xml.5:
+- @mkdir -p $(builddir)/src/man
+- @echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include
++%.5: %.5.xml $(builddir)/src/man/sssd_user_name.include
+ $(XMLLINT) --path "$(srcdir)/src/man:$(builddir)/src/man" $(XMLLINT_FLAGS) $<
+ $(XSLTPROC) --path "$(srcdir)/src/man:$(builddir)/src/man" -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
+- @rm -f $(builddir)/src/man/sssd_user_name.include
+
+-.8.xml.8:
++%.8: %.8.xml
+ $(XMLLINT) $(XMLLINT_FLAGS) $<
+ $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
+
+@@ -215,6 +215,7 @@ clean-local:
+ done
+ rm -f $(man_MANS)
+ rm -f man.stamp
++ rm -f $(builddir)/src/man/sssd_user_name.include
+
+ else
+
+@@ -224,6 +225,7 @@ man.stamp: $(XML_DOC)
+ clean-local:
+ rm -f $(man_MANS)
+ rm -f man.stamp
++ rm -f $(builddir)/src/man/sssd_user_name.include
+
+ endif
+
+--
+2.38.1
+
diff --git a/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch b/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
deleted file mode 100644
index dee9c9d..0000000
--- a/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
+++ /dev/null
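Review bot: The new `$(builddir)/src/man/sssd_user_name.include:` rule in the embedded Makefile.am patch has no prerequisites, so make writes the file once and never refreshes it, whereas the removed `.5.xml.5` recipe rewrote it on every run. If SSSD_USER changes between builds of the same tree (it looks like a configure-time value), the section-5 man pages would keep the old user name until `make clean`. Listing the generated Makefile as a prerequisite, e.g. `$(builddir)/src/man/sssd_user_name.include: Makefile`, would regenerate it after a re-configure; since this file is a carried patch, the change is best raised upstream. The `echo -n` in the same recipe is shell-dependent, and `printf '%s' $(SSSD_USER)` is the portable form.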
@@ -1,53 +0,0 @@
-From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov
-Date: Wed, 8 Feb 2023 18:58:37 +0100
-Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with
- mutex. Otherwise a thread calling pam_end() can close socket mid pam
- transaction in another thread.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Bug only manifested on platforms where "lockfree client"
-feature wasn't built.
-
-Reviewed-by: Pavel Březina
-Reviewed-by: Sumit Bose
-(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082)
----
- src/sss_client/pam_sss.c | 3 +++
- src/sss_client/pam_sss_gss.c | 2 ++
- 2 files changed, 5 insertions(+)
-
-diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
-index afbdef59a..39ad17188 100644
---- a/src/sss_client/pam_sss.c
-+++ b/src/sss_client/pam_sss.c
-@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
- #endif /* PAM_DATA_REPLACE */
-
- D(("Closing the fd"));
-+
-+ sss_pam_lock();
- sss_cli_close_socket();
-+ sss_pam_unlock();
- }
-
- struct cert_auth_info {
-diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
-index 1109ec570..dd578ae5d 100644
---- a/src/sss_client/pam_sss_gss.c
-+++ b/src/sss_client/pam_sss_gss.c
-@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,
- }
-
- done:
-+ sss_pam_lock();
- sss_cli_close_socket();
-+ sss_pam_unlock();
- free(username);
- free(domain);
- free(target);
---
-2.37.3
-
diff --git a/sssd.spec b/sssd.spec
index d7a98ea..01807be 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -19,7 +19,7 @@ Name: sssd Version: 2.9.0 -Release: 1%{?dist} +Release: 2%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+
@@ -28,6 +28,7 @@ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{versio ### Patches ### Patch0001: 0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch +Patch0002: 0002-MAN-fix-issue-with-multithread-build.patch ### Downstream Patches ###
diff --git a/tests/sssd-tasks.yml b/tests/sssd-tasks.yml
new file mode 100644
index 0000000..ca078ab
--- /dev/null
+++ b/tests/sssd-tasks.yml
@@ -0,0 +1,136 @@
+---
+- name: Set ansible_python_interpreter to /usr/libexec/platform-python3.6
+ set_fact:
+ ansible_python_interpreter: '/usr/libexec/platform-python3.6'
+
+- name: Define remote_artificats
+ set_fact:
+ remote_artifacts: /tmp/artifacts
+ when: remote_artifacts is not defined
+
+- name: Install testing requirements
+ package: name={{ item }} state=present
+ with_items:
+ - rsync
+ when: ansible_pkg_mgr != 'unknown'
+
+- name: Add epel repo
+ yum_repository:
+ name: epel8
+ file: epel8
+ description: EPEL Repo of RHEL 8 because RHEL 9 is not available
+ baseurl: https://download.fedoraproject.org/pub/epel/8/Everything/x86_64/
+ enabled: no
+ gpgcheck: no
+
+- name: Install sshpass from epel
+ yum:
+ name: sshpass
+ enablerepo: epel8
+ state: present
+
+- name: Install required packages
+ dnf:
+ name: >
+ git, gcc, redhat-rpm-config.noarch, openldap-devel,
+ openldap-clients, python36-devel, python3-virtualenv,
+ python3-pip, krb5-devel, make, sssd, sssd-kcm, libsss_sudo,
+ ldb-tools, sssd-tools, nss-tools, sssd-dbus
+
+- name: Install idm modules
+ shell: |
+ yum -y module enable idm:DL1
+
+- name: Install 389-ds-base krb5 server and workstation
+ dnf:
+ name: >
+ 389-ds-base, krb5-server, krb5-workstation
+
+- name: clone upstream sssd git to run tests
+ git:
+ repo: "{{ upstream_sssd_git }}"
+ dest: "{{ upstream_src_dir }}"
+ version: "{{ upstream_git_branch }}"
+
+- name: Update /etc/hosts file with current hostname
+ lineinfile:
+ path: /etc/hosts
+ line: "{{ ansible_default_ipv4.address }} {{ ansible_hostname }}"
+
+- name: Create Multihost configuration files
+ blockinfile:
+ dest: /tmp/mhc.yaml
+ block: |
+ windows_test_dir: '/home/Administrator'
+ root_password: 'foobar'
+ domains:
+ - name: testrealm.test
+ type: sssd
+ hosts:
+ - name: {{ ansible_hostname }}
+ external_hostname: {{ ansible_hostname }}
+ role: master
+ create: yes
+ marker: ""
+
+- name: Install pytest-multihost and other test dependencies
+ pip:
+ virtualenv: "{{ venv_dir }}"
+ virtualenv_command: /usr/bin/virtualenv-3.6
+ requirements: "{{ upstream_src_dir }}/src/tests/multihost/requirements.txt"
+
+- name: Find directory python searches for path
+ shell: python3 -m site --user-site
+ register: pypath
+
+- name: Create Python path dir
+ file:
+ path: "{{ pypath.stdout }}"
+ state: directory
+
+- name: Create file with sssd testlib path
+ copy:
+ dest: "{{ pypath.stdout }}/sssdlib.pth"
+ content: "{{ upstream_src_dir }}/src/tests/multihost"
+
+- name: create artifacts directory
+ file:
+ path: "{{ remote_artifacts }}"
+ state: directory
+ mode: 0755
+
+- name: Test block
+ block:
+ - name: Execute pytest
+ shell: |
+ PYTESTMULTIHOST_SSH_TRANSPORT=openssh \
+ "{{ venv_dir }}/bin/pytest" -v \
+ --junit-xml="{{ remote_artifacts }}/junit.xml" \
+ --multihost-config=/tmp/mhc.yaml \
+ "{{ test_dir }}" 1> "{{ remote_artifacts }}/test.log"
+
+ - name: Prepare results.yml in STI format
+ shell: |
+ echo "results:" > "{{ remote_artifacts }}/results.yml"
+ IFS=$'\n'
+ for i in `awk '/collected /,/=====/' "{{ remote_artifacts }}/test.log" | sed '1d;$d'`
+ do
+ echo $i | grep -q PASSED && res=pass
+ echo $i | grep -q FAILED && res=fail
+ echo $i | grep -q ERROR && res=error
+ testname=`echo $i |awk -F\:\: '{print $3}' | cut -f1 -d" "`
+ echo "- {result: $res, test: $testname}" >> "{{ remote_artifacts }}/results.yml"
+ done
+ unset IFS
+
+ always:
+ - name: copy sssd logs to "{{ remote_artifacts }}"
+ command: cp -a /var/log/sssd {{ remote_artifacts }}
+
+ - name: Pull out logs
+ synchronize:
+ dest: "{{ artifacts }}"
+ src: "{{ remote_artifacts }}/"
+ mode: pull
+ ssh_args: "-o UserKnownHostsFile=/dev/null"
+ when: artifacts|default("") != ""
diff --git a/tests/sssd-vars.yml b/tests/sssd-vars.yml
new file mode 100644
index 0000000..cb460a0
--- /dev/null
+++ b/tests/sssd-vars.yml
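Review bot: The `Add epel repo` task sets `gpgcheck: no`, so the `sshpass` package that the next task installs from that repository is never signature-checked; use `gpgcheck: yes` and add a `gpgkey:` entry for the EPEL 8 signing key. The `Create Multihost configuration files` task writes `root_password: 'foobar'` to the fixed path `/tmp/mhc.yaml` with no `mode:`, and `remote_artifacts` defaults to `/tmp/artifacts`. On a host with other local users a predictable /tmp path can be pre-created or read by someone else, so a directory from the `tempfile` module with a restrictive `mode:` on the config file is the safer layout. In the results loop `res` is not reset per line, so a line matching none of PASSED/FAILED/ERROR inherits the previous test's result; starting each iteration with `res=unknown` avoids that.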
@@ -0,0 +1,7 @@
+---
+upstream_sssd_git: 'https://github.com/SSSD/sssd.git'
+upstream_git_branch: 'master'
+artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
+venv_dir: /opt/sssd_venv
+upstream_src_dir: /opt/sssd
+test_dir: "{{ upstream_src_dir }}/src/tests/multihost/basic"
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..ab9c94a
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,8 @@
+---
+- hosts: localhost
+ gather_facts: "True"
+ tags:
+ - classic
+ tasks:
+ - include_vars: sssd-vars.yml
+ - include_tasks: sssd-tasks.yml
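Review bot: `upstream_git_branch: 'master'` in tests/sssd-vars.yml makes the test run check out whatever upstream master holds at that moment, and sssd-tasks.yml then pip-installs that checkout's `requirements.txt` and runs its test code. The run is therefore neither reproducible nor tied to the packaged 2.9.0 sources, and any later change to upstream master executes on the test host without review. Pinning the variable to the release the spec builds, e.g. `upstream_git_branch: '2.9.0'` (assuming the upstream tag matches the `%{version}` used in Source0), or to a full commit hash, closes that gap.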