sssd/0024-responder-make-sure-SSS_DP_CERT-is-passed-to-files-p.patch

From 9fdc5f1d87a133885e6a22810a7eb980c60dcb55 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:45:21 +0200
Subject: [PATCH 29/83] responder: make sure SSS_DP_CERT is passed to files
 provider

Currently the files provider is only contacted once in a while to update
the full cache with fresh data from the passwd file. To allow rule based
certificate mapping the lookup by certificate request must be always
send to the file provider so that it can evaluate the rules and add the
certificate to cached entry of the matching user.

Related to https://pagure.io/SSSD/sssd/issue/3500

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/responder/common/responder_dp.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index 878aa1d..39f0f20 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -34,15 +34,17 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
                             enum sss_dp_acct_type *_type_out,
                             const char **_opt_name_out)
 {
-    if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
+    if (type_in != SSS_DP_CERT) {
+        if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
+            DEBUG(SSSDBG_TRACE_INTERNAL,
+                  "The entries in the files domain are up-to-date\n");
+            return EOK;
+        }
+
         DEBUG(SSSDBG_TRACE_INTERNAL,
-              "The entries in the files domain are up-to-date\n");
-        return EOK;
+              "Domain files is not consistent, issuing update\n");
     }
 
-    DEBUG(SSSDBG_TRACE_INTERNAL,
-          "Domain files is not consistent, issuing update\n");
-
     switch(type_in) {
     case SSS_DP_USER:
     case SSS_DP_GROUP:
@@ -56,12 +58,16 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
         *_type_out = type_in;
         *_opt_name_out = DP_REQ_OPT_FILES_INITGR;
         return EAGAIN;
+    case SSS_DP_CERT:
+        /* Let the backend handle certificate mapping for local users */
+        *_type_out = type_in;
+        *_opt_name_out = opt_name_in;
+        return EAGAIN;
     /* These are not handled by the files provider, just fall back */
     case SSS_DP_NETGR:
     case SSS_DP_SERVICES:
     case SSS_DP_SECID:
     case SSS_DP_USER_AND_GROUP:
-    case SSS_DP_CERT:
     case SSS_DP_WILDCARD_USER:
     case SSS_DP_WILDCARD_GROUP:
         return EOK;
-- 
2.9.5
Backport a bunch of upstream fixes - Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface 2018-10-24 08:34:15 +00:00			`From 9fdc5f1d87a133885e6a22810a7eb980c60dcb55 Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Mon, 9 Jul 2018 18:45:21 +0200`
			`Subject: [PATCH 29/83] responder: make sure SSS_DP_CERT is passed to files`
			`provider`

			`Currently the files provider is only contacted once in a while to update`
			`the full cache with fresh data from the passwd file. To allow rule based`
			`certificate mapping the lookup by certificate request must be always`
			`send to the file provider so that it can evaluate the rules and add the`
			`certificate to cached entry of the matching user.`

			`Related to https://pagure.io/SSSD/sssd/issue/3500`

			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`---`
			`src/responder/common/responder_dp.c \| 20 +++++++++++++-------`
			`1 file changed, 13 insertions(+), 7 deletions(-)`

			`diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c`
			`index 878aa1d..39f0f20 100644`
			`--- a/src/responder/common/responder_dp.c`
			`+++ b/src/responder/common/responder_dp.c`
			`@@ -34,15 +34,17 @@ sss_dp_account_files_params(struct sss_domain_info *dom,`
			`enum sss_dp_acct_type *_type_out,`
			`const char **_opt_name_out)`
			`{`
			`- if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {`
			`+ if (type_in != SSS_DP_CERT) {`
			`+ if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {`
			`+ DEBUG(SSSDBG_TRACE_INTERNAL,`
			`+ "The entries in the files domain are up-to-date\n");`
			`+ return EOK;`
			`+ }`
			`+`
			`DEBUG(SSSDBG_TRACE_INTERNAL,`
			`- "The entries in the files domain are up-to-date\n");`
			`- return EOK;`
			`+ "Domain files is not consistent, issuing update\n");`
			`}`

			`- DEBUG(SSSDBG_TRACE_INTERNAL,`
			`- "Domain files is not consistent, issuing update\n");`
			`-`
			`switch(type_in) {`
			`case SSS_DP_USER:`
			`case SSS_DP_GROUP:`
			`@@ -56,12 +58,16 @@ sss_dp_account_files_params(struct sss_domain_info *dom,`
			`*_type_out = type_in;`
			`*_opt_name_out = DP_REQ_OPT_FILES_INITGR;`
			`return EAGAIN;`
			`+ case SSS_DP_CERT:`
			`+ /* Let the backend handle certificate mapping for local users */`
			`+ *_type_out = type_in;`
			`+ *_opt_name_out = opt_name_in;`
			`+ return EAGAIN;`
			`/* These are not handled by the files provider, just fall back */`
			`case SSS_DP_NETGR:`
			`case SSS_DP_SERVICES:`
			`case SSS_DP_SECID:`
			`case SSS_DP_USER_AND_GROUP:`
			`- case SSS_DP_CERT:`
			`case SSS_DP_WILDCARD_USER:`
			`case SSS_DP_WILDCARD_GROUP:`
			`return EOK;`
			`--`
			`2.9.5`