Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9

2023-05-16 18:21:23 +02:00 · 2023-05-16 18:21:23 +02:00 · f274eb9a46
commit f274eb9a46
parent a994a882f1
6 changed files with 224 additions and 54 deletions
--- a/0002-MAN-fix-issue-with-multithread-build.patch
+++ b/0002-MAN-fix-issue-with-multithread-build.patch
@ -0,0 +1,71 @@
 From 713c646ec054b72cfaadd21f3faaa9c5acb96222 Mon Sep 17 00:00:00 2001
 From: Alexey Tikhonov <atikhono@redhat.com>
 Date: Tue, 16 May 2023 15:22:04 +0200
 Subject: [PATCH] MAN: fix issue with multithread build
 When 'make' runs using multiple threads it can build several man pages
 in parallel, executing the same '.5.xml.5:' rule. This can result in
 a race condition where multiple threads access the same 'sssd_user_name.include'
 file.
 To avoid this make 'sssd_user_name.include' file a rule dependency.
 But "Suffix rules cannot have any prerequisites of their own", and suffix
 rules are obsolete anyway, so change it to pattern rules.
 ---
 src/man/Makefile.am | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
 diff --git a/src/man/Makefile.am b/src/man/Makefile.am
 index ee44dff97..1e51aebfd 100644
 --- a/src/man/Makefile.am
 +++ b/src/man/Makefile.am
@@ -117,23 +117,23 @@ man_MANS += sssd-files.5
 endif # BUILD_FILES_PROVIDER
 endif
 -SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8
 -.1.xml.1:
 +$(builddir)/src/man/sssd_user_name.include:
 +	@mkdir -p $(builddir)/src/man
 +	@echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include
 +
 +%.1: %.1.xml
 	$(XMLLINT) $(XMLLINT_FLAGS) $<
 	$(XSLTPROC) -o $@  $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
 -.3.xml.3:
 +%.3: %.3.xml
 	$(XMLLINT) $(XMLLINT_FLAGS) $<
 	$(XSLTPROC) -o $@  $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
 -.5.xml.5:
 -	@mkdir -p $(builddir)/src/man
 -	@echo -n $(SSSD_USER) > $(builddir)/src/man/sssd_user_name.include
 +%.5: %.5.xml $(builddir)/src/man/sssd_user_name.include
 	$(XMLLINT) --path "$(srcdir)/src/man:$(builddir)/src/man" $(XMLLINT_FLAGS) $<
 	$(XSLTPROC) --path "$(srcdir)/src/man:$(builddir)/src/man" -o $@  $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
 -	@rm -f $(builddir)/src/man/sssd_user_name.include
 -.8.xml.8:
 +%.8: %.8.xml
 	$(XMLLINT) $(XMLLINT_FLAGS) $<
 	$(XSLTPROC) -o $@  $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $<
@@ -215,6 +215,7 @@ clean-local:
 	done
 	rm -f $(man_MANS)
 	rm -f man.stamp
 +	rm -f $(builddir)/src/man/sssd_user_name.include
 else
@@ -224,6 +225,7 @@ man.stamp: $(XML_DOC)
 clean-local:
 	rm -f $(man_MANS)
 	rm -f man.stamp
 +	rm -f $(builddir)/src/man/sssd_user_name.include
 endif
 -- 
 2.38.1
--- a/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
+++ b/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
@ -1,53 +0,0 @@
 From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001
 From: Alexey Tikhonov <atikhono@redhat.com>
 Date: Wed, 8 Feb 2023 18:58:37 +0100
 Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with
 mutex. Otherwise a thread calling pam_end() can close socket mid pam
 transaction in another thread.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Bug only manifested on platforms where "lockfree client"
 feature wasn't built.
 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
 Reviewed-by: Sumit Bose <sbose@redhat.com>
 (cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082)
 ---
 src/sss_client/pam_sss.c     | 3 +++
 src/sss_client/pam_sss_gss.c | 2 ++
 2 files changed, 5 insertions(+)
 diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
 index afbdef59a..39ad17188 100644
 --- a/src/sss_client/pam_sss.c
 +++ b/src/sss_client/pam_sss.c
@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err)
 #endif /* PAM_DATA_REPLACE */
     D(("Closing the fd"));
 +
 +    sss_pam_lock();
     sss_cli_close_socket();
 +    sss_pam_unlock();
 }
 struct cert_auth_info {
 diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
 index 1109ec570..dd578ae5d 100644
 --- a/src/sss_client/pam_sss_gss.c
 +++ b/src/sss_client/pam_sss_gss.c
@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,
     }
 done:
 +    sss_pam_lock();
     sss_cli_close_socket();
 +    sss_pam_unlock();
     free(username);
     free(domain);
     free(target);
 -- 
 2.37.3
--- a/sssd.spec
+++ b/sssd.spec
@ -19,7 +19,7 @@
 Name: sssd
 Version: 2.9.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -28,6 +28,7 @@ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{versio
 ### Patches ###
 Patch0001: 0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
 Patch0002: 0002-MAN-fix-issue-with-multithread-build.patch
 ### Downstream Patches ###
--- a/tests/sssd-tasks.yml
+++ b/tests/sssd-tasks.yml
@ -0,0 +1,136 @@
 ---
 - name: Set ansible_python_interpreter to /usr/libexec/platform-python3.6
  set_fact:
     ansible_python_interpreter: '/usr/libexec/platform-python3.6'
 - name: Define remote_artificats
  set_fact:
    remote_artifacts: /tmp/artifacts
  when: remote_artifacts is not defined
 - name: Install testing requirements
  package: name={{ item }} state=present
  with_items:
    - rsync
  when: ansible_pkg_mgr != 'unknown'
 - name: Add epel repo
  yum_repository:
    name: epel8
    file: epel8
    description: EPEL Repo of RHEL 8 because RHEL 9 is not available
    baseurl: https://download.fedoraproject.org/pub/epel/8/Everything/x86_64/
    enabled: no
    gpgcheck: no
 - name: Install sshpass from epel
  yum:
    name: sshpass
    enablerepo: epel8
    state: present
 - name: Install required packages
  dnf:
    name: >
      git, gcc, redhat-rpm-config.noarch, openldap-devel,
      openldap-clients, python36-devel, python3-virtualenv,
      python3-pip, krb5-devel, make, sssd, sssd-kcm, libsss_sudo,
      ldb-tools, sssd-tools, nss-tools, sssd-dbus
 - name: Install idm modules
  shell: |
      yum -y module enable idm:DL1
 - name: Install 389-ds-base krb5 server and workstation
  dnf:
    name: >
      389-ds-base, krb5-server, krb5-workstation
 - name: clone upstream sssd git to run tests
  git:
    repo: "{{ upstream_sssd_git }}"
    dest: "{{ upstream_src_dir }}"
    version: "{{ upstream_git_branch }}"
 - name: Update /etc/hosts file with current hostname
  lineinfile:
    path: /etc/hosts
    line: "{{ ansible_default_ipv4.address }} {{ ansible_hostname }}"
 - name: Create Multihost configuration files
  blockinfile:
    dest: /tmp/mhc.yaml
    block: |
       windows_test_dir: '/home/Administrator'
       root_password: 'foobar'
       domains:
         - name: testrealm.test
           type: sssd
           hosts:
             - name: {{ ansible_hostname }}
               external_hostname: {{ ansible_hostname }}
               role: master
    create: yes
    marker: ""
 - name: Install pytest-multihost and other test dependencies
  pip:
    virtualenv: "{{ venv_dir }}"
    virtualenv_command: /usr/bin/virtualenv-3.6
    requirements: "{{ upstream_src_dir }}/src/tests/multihost/requirements.txt"
 - name: Find directory python searches for path
  shell: python3 -m site --user-site
  register: pypath
 - name: Create Python path dir
  file:
    path: "{{ pypath.stdout }}"
    state: directory
 - name: Create file with sssd testlib path
  copy:
    dest: "{{ pypath.stdout }}/sssdlib.pth"
    content: "{{ upstream_src_dir }}/src/tests/multihost"
 - name: create artifacts directory
  file:
    path: "{{ remote_artifacts }}"
    state: directory
    mode: 0755
 - name: Test block
  block:
    - name: Execute pytest
      shell: |
         PYTESTMULTIHOST_SSH_TRANSPORT=openssh \
         "{{ venv_dir }}/bin/pytest" -v \
         --junit-xml="{{ remote_artifacts }}/junit.xml" \
         --multihost-config=/tmp/mhc.yaml \
         "{{ test_dir }}" 1> "{{ remote_artifacts }}/test.log"
    - name: Prepare results.yml in STI format
      shell: |
         echo "results:" > "{{ remote_artifacts }}/results.yml"
         IFS=$'\n'
         for i in `awk '/collected /,/=====/' "{{ remote_artifacts }}/test.log" | sed '1d;$d'`
         do
           echo $i | grep -q PASSED && res=pass
           echo $i | grep -q FAILED && res=fail
           echo $i | grep -q ERROR && res=error
           testname=`echo $i |awk -F\:\: '{print $3}' | cut -f1 -d" "`
           echo "- {result: $res, test: $testname}" >> "{{ remote_artifacts }}/results.yml"
         done
         unset IFS
  always:
    - name: copy sssd logs to "{{ remote_artifacts }}"
      command: cp -a /var/log/sssd {{ remote_artifacts }}
    - name: Pull out logs
      synchronize:
        dest: "{{ artifacts }}"
        src: "{{ remote_artifacts }}/"
        mode: pull
        ssh_args: "-o UserKnownHostsFile=/dev/null"
      when: artifacts|default("") != ""
--- a/tests/sssd-vars.yml
+++ b/tests/sssd-vars.yml
@ -0,0 +1,7 @@
 ---
 upstream_sssd_git: 'https://github.com/SSSD/sssd.git'
 upstream_git_branch: 'master'
 artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
 venv_dir: /opt/sssd_venv
 upstream_src_dir: /opt/sssd
 test_dir: "{{ upstream_src_dir }}/src/tests/multihost/basic"
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,8 @@
 ---
 - hosts: localhost
  gather_facts: "True"
  tags:
    - classic
  tasks:
    - include_vars: sssd-vars.yml
    - include_tasks: sssd-tasks.yml