sssd/0014-TESTS-Add-a-regression-test-for-SIGHUP-handling-in-s.patch

From 0adf4f50e9773afda2dc422b04163f19d946c150 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 19 Jun 2018 11:39:02 +0200
Subject: [PATCH] TESTS: Add a regression test for SIGHUP handling in
 sss_ssh_authorizedkeys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A regression test for:
https://pagure.io/SSSD/sssd/issue/3747

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 4cc3c1a1b1070c12bcc4351880d8207e47b37496)
---
 src/tests/intg/test_ssh_pubkey.py | 58 +++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py
index fbf55566e341373873057ec4e3af1d7f83202aa7..8fb41c62d87ec210c9aad8582023fe1cb00f2b4e 100644
--- a/src/tests/intg/test_ssh_pubkey.py
+++ b/src/tests/intg/test_ssh_pubkey.py
@@ -24,6 +24,8 @@ import time
 import ldap
 import ldap.modlist
 import pytest
+import string
+import random
 
 import config
 import ds_openldap
@@ -230,3 +232,59 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key):
 
     sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user2"])
     assert len(sshpubkey) == 0
+
+
+@pytest.fixture()
+def sighup_client(request):
+    test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR,
+                                     "..", "..", "..", "test_ssh_client")
+    assert os.access(test_ssh_cli_path, os.X_OK)
+    return test_ssh_cli_path
+
+
+@pytest.fixture
+def add_user_with_many_keys(request, ldap_conn):
+    # Generate a large list of unique ssh pubkeys
+    pubkey_list = []
+    while len(pubkey_list) < 50:
+        new_pubkey = list(USER1_PUBKEY1)
+        new_pubkey[10] = random.choice(string.ascii_uppercase)
+        new_pubkey[11] = random.choice(string.ascii_uppercase)
+        new_pubkey[12] = random.choice(string.ascii_uppercase)
+        str_new_pubkey = ''.join(c for c in new_pubkey)
+        if str_new_pubkey in pubkey_list:
+            continue
+        pubkey_list.append(str_new_pubkey)
+
+    ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+    ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list)
+    create_ldap_fixture(request, ldap_conn, ent_list)
+
+    conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+    create_conf_fixture(request, conf)
+    create_sssd_fixture(request)
+    return None
+
+
+def test_ssh_sighup(add_user_with_many_keys, sighup_client):
+    """
+    A regression test for https://pagure.io/SSSD/sssd/issue/3747
+
+    OpenSSH can close its end of the pipe towards sss_ssh_authorizedkeys
+    before all of the output is read. In that case, older versions
+    of sss_ssh_authorizedkeys were receiving a SIGPIPE
+    """
+    cli_path = sighup_client
+
+    # python actually does the sensible, but unexpected (for a C programmer)
+    # thing and handles SIGPIPE. In order to reproduce the bug, we need
+    # to unset the SIGPIPE handler
+    signal.signal(signal.SIGPIPE, signal.SIG_DFL)
+
+    process = subprocess.Popen([cli_path, "user1"],
+                               stdout=subprocess.PIPE,
+                               stderr=subprocess.PIPE)
+    _, _ = process.communicate()
+    # If the test tool detects that sss_ssh_authorizedkeys was killed with a
+    # signal, it would have returned 1
+    assert process.returncode == 0
-- 
2.17.1
Resolves: upstream#3766 - CVE-2018-10852: information leak from the sssd-sudo responder And also ... - Related: upstream#941 - return multiple server addresses to the Kerberos locator plugin - Related: upstream#3652 - kdcinfo doesn't get populated for other domains - Resolves: upstream#3747 - sss_ssh_authorizedkeys exits abruptly if SSHD closes its end of the pipe before reading all the SSH keys - Resolves: upstream#3607 - Handle conflicting e-mail addresses more gracefully - Resolves: upstream#3754 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries - Related: upstream#3219 - [RFE] Regular expression used in sssd.conf not being able to consume an @-sign in the user/group name. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> 2018-06-25 07:36:46 +00:00			`From 0adf4f50e9773afda2dc422b04163f19d946c150 Mon Sep 17 00:00:00 2001`
			`From: Jakub Hrozek <jhrozek@redhat.com>`
			`Date: Tue, 19 Jun 2018 11:39:02 +0200`
			`Subject: [PATCH] TESTS: Add a regression test for SIGHUP handling in`
			`sss_ssh_authorizedkeys`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`A regression test for:`
			`https://pagure.io/SSSD/sssd/issue/3747`

			`Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>`
			`(cherry picked from commit 4cc3c1a1b1070c12bcc4351880d8207e47b37496)`
			`---`
			`src/tests/intg/test_ssh_pubkey.py \| 58 +++++++++++++++++++++++++++++++`
			`1 file changed, 58 insertions(+)`

			`diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py`
			`index fbf55566e341373873057ec4e3af1d7f83202aa7..8fb41c62d87ec210c9aad8582023fe1cb00f2b4e 100644`
			`--- a/src/tests/intg/test_ssh_pubkey.py`
			`+++ b/src/tests/intg/test_ssh_pubkey.py`
			`@@ -24,6 +24,8 @@ import time`
			`import ldap`
			`import ldap.modlist`
			`import pytest`
			`+import string`
			`+import random`

			`import config`
			`import ds_openldap`
			`@@ -230,3 +232,59 @@ def test_ssh_pubkey_retrieve(add_user_with_ssh_key):`

			`sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user2"])`
			`assert len(sshpubkey) == 0`
			`+`
			`+`
			`+@pytest.fixture()`
			`+def sighup_client(request):`
			`+ test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR,`
			`+ "..", "..", "..", "test_ssh_client")`
			`+ assert os.access(test_ssh_cli_path, os.X_OK)`
			`+ return test_ssh_cli_path`
			`+`
			`+`
			`+@pytest.fixture`
			`+def add_user_with_many_keys(request, ldap_conn):`
			`+ # Generate a large list of unique ssh pubkeys`
			`+ pubkey_list = []`
			`+ while len(pubkey_list) < 50:`
			`+ new_pubkey = list(USER1_PUBKEY1)`
			`+ new_pubkey[10] = random.choice(string.ascii_uppercase)`
			`+ new_pubkey[11] = random.choice(string.ascii_uppercase)`
			`+ new_pubkey[12] = random.choice(string.ascii_uppercase)`
			`+ str_new_pubkey = ''.join(c for c in new_pubkey)`
			`+ if str_new_pubkey in pubkey_list:`
			`+ continue`
			`+ pubkey_list.append(str_new_pubkey)`
			`+`
			`+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)`
			`+ ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list)`
			`+ create_ldap_fixture(request, ldap_conn, ent_list)`
			`+`
			`+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)`
			`+ create_conf_fixture(request, conf)`
			`+ create_sssd_fixture(request)`
			`+ return None`
			`+`
			`+`
			`+def test_ssh_sighup(add_user_with_many_keys, sighup_client):`
			`+ """`
			`+ A regression test for https://pagure.io/SSSD/sssd/issue/3747`
			`+`
			`+ OpenSSH can close its end of the pipe towards sss_ssh_authorizedkeys`
			`+ before all of the output is read. In that case, older versions`
			`+ of sss_ssh_authorizedkeys were receiving a SIGPIPE`
			`+ """`
			`+ cli_path = sighup_client`
			`+`
			`+ # python actually does the sensible, but unexpected (for a C programmer)`
			`+ # thing and handles SIGPIPE. In order to reproduce the bug, we need`
			`+ # to unset the SIGPIPE handler`
			`+ signal.signal(signal.SIGPIPE, signal.SIG_DFL)`
			`+`
			`+ process = subprocess.Popen([cli_path, "user1"],`
			`+ stdout=subprocess.PIPE,`
			`+ stderr=subprocess.PIPE)`
			`+ _, _ = process.communicate()`
			`+ # If the test tool detects that sss_ssh_authorizedkeys was killed with a`
			`+ # signal, it would have returned 1`
			`+ assert process.returncode == 0`
			`--`
			`2.17.1`