From 3fa3e7c22ac2a9b150df69de1dac5be9ce288133 Mon Sep 17 00:00:00 2001 
From: Lukas Slebodnik Date: Mon, 22 Jun 2015 13:52:08 +0200 Subject: [PATCH] New upstream release 1.13 alpha - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha --- .gitignore | 1 + ...Remove-unused-libraries-for-pysss.so.patch | 34 - 0002-BUILD-Remove-unused-variables.patch | 26 - ...-Remove-detection-of-type-Py_ssize_t.patch | 57 - ...ve-python-wrapper-sss_python_set_new.patch | 86 -- ...ve-python-wrapper-sss_python_set_add.patch | 93 -- ...-python-wrapper-sss_python_set_check.patch | 79 -- ...atibility-macro-PyModule_AddIntMacro.patch | 45 - ...on-wrapper-sss_python_unicode_from_s.patch | 160 --- ...se-python-config-for-detection-FLAGS.patch | 133 --- ...e-new-convention-for-python-packages.patch | 71 -- ...python-bindings-to-separate-packages.patch | 83 -- ...ibility-to-build-python-2-3-bindings.patch | 532 --------- ...-tests-with-all-supported-python-ver.patch | 146 --- ...Replace-python_-macros-with-python2_.patch | 91 -- ...hon3-bindings-on-available-platforms.patch | 378 ------ ...erent-default-attribute-for-group-na.patch | 39 - ...nd-command-line-option-to-test_autht.patch | 207 ---- 0018-utils-add-sss_authtok_-gs-et_2fa.patch | 765 ------------ ...uthentication-token-in-the-responder.patch | 32 - 0020-Add-pre-auth-request.patch | 112 -- ...-preauth-and-split-2fa-token-support.patch | 427 ------- ...te-preauth-indicator-file-at-startup.patch | 115 -- ...pam_sss-add-pre-auth-and-2fa-support.patch | 373 ------ ...tials_minimal_first_factor_length-co.patch | 145 --- 0025-sysdb-add-sysdb_cache_password_ex.patch | 174 --- ...f-the-first-authentication-factor-to.patch | 76 -- ...-online-authentication-only-for-sing.patch | 36 - 0028-2FA-offline-auth.patch | 173 --- ...-message-encoding-into-separate-file.patch | 502 -------- 0030-PAM-add-PAM-responder-unit-test.patch | 1060 ----------------- sources | 2 +- sssd.spec | 72 +- 33 files changed, 26 insertions(+), 6299 deletions(-) delete mode 100644 0001-BUILD-Remove-unused-libraries-for-pysss.so.patch 
delete mode 100644 0002-BUILD-Remove-unused-variables.patch
delete mode 100644 0003-BUILD-Remove-detection-of-type-Py_ssize_t.patch
delete mode 100644 0004-UTIL-Remove-python-wrapper-sss_python_set_new.patch
delete mode 100644 0005-UTIL-Remove-python-wrapper-sss_python_set_add.patch
delete mode 100644 0006-UTIL-Remove-python-wrapper-sss_python_set_check.patch
delete mode 100644 0007-UTIL-Remove-compatibility-macro-PyModule_AddIntMacro.patch
delete mode 100644 0008-UTIL-Remove-python-wrapper-sss_python_unicode_from_s.patch
delete mode 100644 0009-BUILD-Use-python-config-for-detection-FLAGS.patch
delete mode 100644 0010-SPEC-Use-new-convention-for-python-packages.patch
delete mode 100644 0011-SPEC-Move-python-bindings-to-separate-packages.patch
delete mode 100644 0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch
delete mode 100644 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch
delete mode 100644 0014-SPEC-Replace-python_-macros-with-python2_.patch
delete mode 100644 0015-SPEC-Build-python3-bindings-on-available-platforms.patch
delete mode 100644 0016-ad_opts-Use-different-default-attribute-for-group-na.patch
delete mode 100644 0017-Add-leak-check-and-command-line-option-to-test_autht.patch
delete mode 100644 0018-utils-add-sss_authtok_-gs-et_2fa.patch
delete mode 100644 0019-pam-handle-2FA-authentication-token-in-the-responder.patch
delete mode 100644 0020-Add-pre-auth-request.patch
delete mode 100644 0021-krb5-child-add-preauth-and-split-2fa-token-support.patch
delete mode 100644 0022-IPA-create-preauth-indicator-file-at-startup.patch
delete mode 100644 0023-pam_sss-add-pre-auth-and-2fa-support.patch
delete mode 100644 0024-Add-cache_credentials_minimal_first_factor_length-co.patch
delete mode 100644 0025-sysdb-add-sysdb_cache_password_ex.patch
delete mode 100644 0026-krb5-save-hash-of-the-first-authentication-factor-to.patch
delete mode 100644 0027-krb5-try-delayed-online-authentication-only-for-sing.patch
delete mode 100644 
0028-2FA-offline-auth.patch delete mode 100644 0029-pam_sss-move-message-encoding-into-separate-file.patch delete mode 100644 0030-PAM-add-PAM-responder-unit-test.patch diff --git a/.gitignore b/.gitignore index 5657fb4..d64b3d6 100644 --- a/.gitignore +++ b/.gitignore @@ -62,3 +62,4 @@ sssd-1.2.91.tar.gz /sssd-1.12.3.tar.gz /sssd-1.12.4.tar.gz /sssd-1.12.5.tar.gz +/sssd-1.13.0alpha.tar.gz diff --git a/0001-BUILD-Remove-unused-libraries-for-pysss.so.patch b/0001-BUILD-Remove-unused-libraries-for-pysss.so.patch deleted file mode 100644 index 652145c..0000000 --- a/0001-BUILD-Remove-unused-libraries-for-pysss.so.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 07a71386a04d4b1860a4250ea57fd5866ea792fe Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 9 Feb 2015 17:40:07 +0100 -Subject: [PATCH 01/30] BUILD: Remove unused libraries for pysss.so - -Reviewed-by: Stephen Gallagher ---- - Makefile.am | 8 +------- - 1 file changed, 1 insertion(+), 7 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index ac6a358ea14239781c26e6f2ac02bdeb3007659f..bdca46a0548ddb98dde485a7786566eb623b181b 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -445,15 +445,9 @@ SSSD_LIBS = \ - - PYTHON_BINDINGS_LIBS = \ - $(TALLOC_LIBS) \ -- $(TEVENT_LIBS) \ - $(POPT_LIBS) \ - $(LDB_LIBS) \ -- $(DBUS_LIBS) \ -- $(PCRE_LIBS) \ -- $(DHASH_LIBS) \ -- $(SSS_CRYPT_LIBS) \ -- $(OPENLDAP_LIBS) \ -- $(TDB_LIBS) -+ $(NULL) - - TOOLS_LIBS = \ - $(LTLIBINTL) \ --- -2.4.3 - diff --git a/0002-BUILD-Remove-unused-variables.patch b/0002-BUILD-Remove-unused-variables.patch deleted file mode 100644 index 5648db7..0000000 --- a/0002-BUILD-Remove-unused-variables.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 8b57611326949037065899fa8f7f53d635700930 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 9 Feb 2015 18:46:16 +0100 -Subject: [PATCH 02/30] BUILD: Remove unused variables - -Reviewed-by: Stephen Gallagher ---- - src/external/python.m4 | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/src/external/python.m4 b/src/external/python.m4 -index a1bd87a0ee3a56ddd25c4aba7687ffc7540b4ec2..241de9fd0e401c40f8136861e7c7070c8a50cddd 100644 ---- a/src/external/python.m4 -+++ b/src/external/python.m4 -@@ -37,8 +37,6 @@ AC_DEFUN([AM_CHECK_PYTHON_HEADERS], - AC_MSG_CHECKING(for headers required to compile python extensions) - - dnl deduce PYTHON_INCLUDES -- py_prefix=`$PYTHON -c "import sys; print(sys.prefix)"` -- py_exec_prefix=`$PYTHON -c "import sys; print(sys.exec_prefix)"` - PYTHON_INCLUDES=-I`$PYTHON -c "from distutils import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"` - - AC_SUBST(PYTHON_INCLUDES) --- -2.4.3 - diff --git a/0003-BUILD-Remove-detection-of-type-Py_ssize_t.patch b/0003-BUILD-Remove-detection-of-type-Py_ssize_t.patch deleted file mode 100644 index 0f24a8f..0000000 --- a/0003-BUILD-Remove-detection-of-type-Py_ssize_t.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From d95bbdfd54b8f752efb1d27a09a277aba46a1271 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 9 Feb 2015 19:16:30 +0100 -Subject: [PATCH 03/30] BUILD: Remove detection of type Py_ssize_t - -The type Py_ssize_t is defined in python >= 2.6 - -Reviewed-by: Stephen Gallagher ---- - src/external/python.m4 | 5 ----- - src/util/sss_python.h | 14 -------------- - 2 files changed, 19 deletions(-) - -diff --git a/src/external/python.m4 b/src/external/python.m4 -index 241de9fd0e401c40f8136861e7c7070c8a50cddd..858af3c197603fcda100eddcffc396dad674a9e6 100644 ---- a/src/external/python.m4 -+++ b/src/external/python.m4 -@@ -62,11 +62,6 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT], - CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES" - LIBS="$LIBS $PYTHON_LIBS" - -- AC_CHECK_TYPE(Py_ssize_t, -- [ AC_DEFINE_UNQUOTED(HAVE_PY_SSIZE_T, 1, [Native Py_ssize_t type]) ], -- [], -- [[#include ]]) -- - AC_CHECK_FUNCS([PySet_New PySet_Add PyErr_NewExceptionWithDoc]) - AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include ]]) - -diff --git a/src/util/sss_python.h b/src/util/sss_python.h -index 828bd22ec44fe9493bfaa246b072777b70c7b585..cf8c848482d82e0060cbfe748c05bd09c7492c4f 100644 ---- a/src/util/sss_python.h -+++ b/src/util/sss_python.h -@@ -25,20 +25,6 @@ - #define PYNUMBER_ASLONG(what) PyInt_AsLong(what) - #endif - --/* Py_ssize_t compatibility for python < 2.5 as per -- * http://www.python.org/dev/peps/pep-0353/ */ --#ifndef HAVE_PY_SSIZE_T --typedef int Py_ssize_t; --#endif -- --#ifndef PY_SSIZE_T_MAX --#define PY_SSIZE_T_MAX INT_MAX --#endif -- --#ifndef PY_SSIZE_T_MIN --#define PY_SSIZE_T_MIN INT_MIN --#endif -- - /* Wrappers providing the subset of C API for python's set objects we use */ - PyObject *sss_python_set_new(void); - int sss_python_set_add(PyObject *set, PyObject *key); --- -2.4.3 - 
diff --git a/0004-UTIL-Remove-python-wrapper-sss_python_set_new.patch b/0004-UTIL-Remove-python-wrapper-sss_python_set_new.patch
deleted file mode 100644
index 5325364..0000000
--- a/0004-UTIL-Remove-python-wrapper-sss_python_set_new.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -From ab725a8a098f2784a4f77d0d699ea593fa75f630 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 9 Feb 2015 19:19:55 +0100 -Subject: [PATCH 04/30] UTIL: Remove python wrapper sss_python_set_new - -The function PySet_New is available in python >= 2.6 - -Reviewed-by: Stephen Gallagher ---- - src/external/python.m4 | 2 +- - src/python/pyhbac.c | 4 ++-- - src/util/sss_python.c | 10 ---------- - src/util/sss_python.h | 1 - - 4 files changed, 3 insertions(+), 14 deletions(-) - -diff --git a/src/external/python.m4 b/src/external/python.m4 -index 858af3c197603fcda100eddcffc396dad674a9e6..440d2f97740e43c31c9a530daecb7c5ded92a0dd 100644 ---- a/src/external/python.m4 -+++ b/src/external/python.m4 -@@ -62,7 +62,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT], - CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES" - LIBS="$LIBS $PYTHON_LIBS" - -- AC_CHECK_FUNCS([PySet_New PySet_Add PyErr_NewExceptionWithDoc]) -+ AC_CHECK_FUNCS([PySet_Add PyErr_NewExceptionWithDoc]) - AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include ]]) - - CPPFLAGS="$save_CPPFLAGS" -diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c -index c46f7c6b300df9eb82fa411673da3d77504080cd..58d906d138464c9f25e6b513ad41b985b510baa2 100644 ---- a/src/python/pyhbac.c -+++ b/src/python/pyhbac.c -@@ -303,7 +303,7 @@ HbacRuleElement_new(PyTypeObject *type, PyObject *args, PyObject *kwds) - return NULL; - } - -- self->category = sss_python_set_new(); -+ self->category = PySet_New(NULL); - self->names = PyList_New(0); - self->groups = PyList_New(0); - if (!self->names || !self->groups || !self->category) { -@@ -945,7 +945,7 @@ py_hbac_rule_validate(HbacRuleObject *self, PyObject *args) - } - - py_is_valid = PyBool_FromLong(is_valid); -- py_missing = sss_python_set_new(); -+ py_missing = PySet_New(NULL); - if (!py_missing || !py_is_valid) { - PyErr_NoMemory(); - goto fail; -diff --git a/src/util/sss_python.c b/src/util/sss_python.c -index 
19717a55c986b6831234addfbf91a529d652f592..dad2a46d86f4243fb4a2d1fad94e49f66db23f0c 100644 ---- a/src/util/sss_python.c -+++ b/src/util/sss_python.c -@@ -21,16 +21,6 @@ - #include "src/util/sss_python.h" - #include "config.h" - --PyObject * --sss_python_set_new(void) --{ --#ifdef HAVE_PYSET_NEW -- return PySet_New(NULL); --#else -- return PyObject_CallObject((PyObject *) &PySet_Type, NULL); --#endif --} -- - int - sss_python_set_add(PyObject *set, PyObject *key) - { -diff --git a/src/util/sss_python.h b/src/util/sss_python.h -index cf8c848482d82e0060cbfe748c05bd09c7492c4f..6851a64e816ccf3bb84321bbeb9946ad2fbfbc41 100644 ---- a/src/util/sss_python.h -+++ b/src/util/sss_python.h -@@ -26,7 +26,6 @@ - #endif - - /* Wrappers providing the subset of C API for python's set objects we use */ --PyObject *sss_python_set_new(void); - int sss_python_set_add(PyObject *set, PyObject *key); - bool sss_python_set_check(PyObject *set); - --- -2.4.3 - diff --git a/0005-UTIL-Remove-python-wrapper-sss_python_set_add.patch b/0005-UTIL-Remove-python-wrapper-sss_python_set_add.patch deleted file mode 100644 index 72b906b..0000000 --- a/0005-UTIL-Remove-python-wrapper-sss_python_set_add.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From 3ce5c930239870ba6435508dec8a68e3f7802830 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 9 Feb 2015 19:23:44 +0100 -Subject: [PATCH 05/30] UTIL: Remove python wrapper sss_python_set_add - -The function PySet_Add is available in python >= 2.6 - -Reviewed-by: Stephen Gallagher ---- - src/external/python.m4 | 2 +- - src/python/pyhbac.c | 4 ++-- - src/util/sss_python.c | 17 ----------------- - src/util/sss_python.h | 1 - - 4 files changed, 3 insertions(+), 21 deletions(-) - -diff --git a/src/external/python.m4 b/src/external/python.m4 -index 440d2f97740e43c31c9a530daecb7c5ded92a0dd..e3812a50406e7f6e2b2f143f3022ee07431ac120 100644 ---- a/src/external/python.m4 -+++ b/src/external/python.m4 -@@ -62,7 +62,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT], - CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES" - LIBS="$LIBS $PYTHON_LIBS" - -- AC_CHECK_FUNCS([PySet_Add PyErr_NewExceptionWithDoc]) -+ AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc]) - AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include ]]) - - CPPFLAGS="$save_CPPFLAGS" -diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c -index 58d906d138464c9f25e6b513ad41b985b510baa2..11cd40656bbeaf93c2b1717483e716ba45a78a69 100644 ---- a/src/python/pyhbac.c -+++ b/src/python/pyhbac.c -@@ -388,7 +388,7 @@ HbacRuleElement_init(HbacRuleElement *self, PyObject *args, PyObject *kwargs) - return -1; - } - -- if (sss_python_set_add(self->category, tmp) != 0) { -+ if (PySet_Add(self->category, tmp) != 0) { - Py_DECREF(tmp); - return -1; - } -@@ -962,7 +962,7 @@ py_hbac_rule_validate(HbacRuleObject *self, PyObject *args) - goto fail; - } - -- if (sss_python_set_add(py_missing, py_attr) != 0) { -+ if (PySet_Add(py_missing, py_attr) != 0) { - /* If the set-add succeeded, it would steal the reference */ - Py_DECREF(py_attr); - goto fail; -diff --git a/src/util/sss_python.c b/src/util/sss_python.c -index dad2a46d86f4243fb4a2d1fad94e49f66db23f0c..56850782a64314db70286ef67d76ae1227d8625f 
100644 ---- a/src/util/sss_python.c -+++ b/src/util/sss_python.c -@@ -21,23 +21,6 @@ - #include "src/util/sss_python.h" - #include "config.h" - --int --sss_python_set_add(PyObject *set, PyObject *key) --{ --#ifdef HAVE_PYSET_ADD -- return PySet_Add(set, key); --#else -- PyObject *pyret; -- int ret; -- -- pyret = PyObject_CallMethod(set, sss_py_const_p(char, "add"), -- sss_py_const_p(char, "O"), key); -- ret = (pyret == NULL) ? -1 : 0; -- Py_XDECREF(pyret); -- return ret; --#endif --} -- - bool - sss_python_set_check(PyObject *set) - { -diff --git a/src/util/sss_python.h b/src/util/sss_python.h -index 6851a64e816ccf3bb84321bbeb9946ad2fbfbc41..1ff13c4ef4380ff791cf3cfbe12845fb26b3b873 100644 ---- a/src/util/sss_python.h -+++ b/src/util/sss_python.h -@@ -26,7 +26,6 @@ - #endif - - /* Wrappers providing the subset of C API for python's set objects we use */ --int sss_python_set_add(PyObject *set, PyObject *key); - bool sss_python_set_check(PyObject *set); - - /* Unicode compatibility */ --- -2.4.3 - diff --git a/0006-UTIL-Remove-python-wrapper-sss_python_set_check.patch b/0006-UTIL-Remove-python-wrapper-sss_python_set_check.patch deleted file mode 100644 index 05dd0f7..0000000 --- a/0006-UTIL-Remove-python-wrapper-sss_python_set_check.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 2505d3dd124f35cb9357a7082a7306925bb3ebbe Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 9 Feb 2015 19:30:39 +0100 -Subject: [PATCH 06/30] UTIL: Remove python wrapper sss_python_set_check - -The macro PySet_Check is defined in python >= 2.6 - -Reviewed-by: Stephen Gallagher ---- - src/external/python.m4 | 2 +- - src/python/pyhbac.c | 2 +- - src/util/sss_python.c | 10 ---------- - src/util/sss_python.h | 3 --- - 4 files changed, 2 insertions(+), 15 deletions(-) - -diff --git a/src/external/python.m4 b/src/external/python.m4 -index e3812a50406e7f6e2b2f143f3022ee07431ac120..e93f850092b0f54565e138b3235b9c29f89e5444 100644 ---- a/src/external/python.m4 -+++ b/src/external/python.m4 -@@ -63,7 +63,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT], - LIBS="$LIBS $PYTHON_LIBS" - - AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc]) -- AC_CHECK_DECLS([PySet_Check, PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include ]]) -+ AC_CHECK_DECLS([PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include ]]) - - CPPFLAGS="$save_CPPFLAGS" - LIBS="$save_LIBS" -diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c -index 11cd40656bbeaf93c2b1717483e716ba45a78a69..bbdf2b9fb75e2be0d46749faa6aaf0698a5d5ebb 100644 ---- a/src/python/pyhbac.c -+++ b/src/python/pyhbac.c -@@ -452,7 +452,7 @@ hbac_rule_element_set_category(HbacRuleElement *self, - - CHECK_ATTRIBUTE_DELETE(category, "category"); - -- if (!sss_python_set_check(category)) { -+ if (!PySet_Check(category)) { - PyErr_Format(PyExc_TypeError, "The category must be a set type\n"); - return -1; - } -diff --git a/src/util/sss_python.c b/src/util/sss_python.c -index 56850782a64314db70286ef67d76ae1227d8625f..ba78bf9689c903713229395a49e5f3686e5e6f10 100644 ---- a/src/util/sss_python.c -+++ b/src/util/sss_python.c -@@ -21,16 +21,6 @@ - #include "src/util/sss_python.h" - #include "config.h" - --bool --sss_python_set_check(PyObject *set) --{ --#if HAVE_DECL_PYSET_CHECK -- return PySet_Check(set); --#else -- 
return PyObject_TypeCheck(set, &PySet_Type); --#endif --} -- - PyObject * - sss_python_unicode_from_string(const char *u) - { -diff --git a/src/util/sss_python.h b/src/util/sss_python.h -index 1ff13c4ef4380ff791cf3cfbe12845fb26b3b873..56c25ebb74bffc061688c3c32515d6e0288ac94d 100644 ---- a/src/util/sss_python.h -+++ b/src/util/sss_python.h -@@ -25,9 +25,6 @@ - #define PYNUMBER_ASLONG(what) PyInt_AsLong(what) - #endif - --/* Wrappers providing the subset of C API for python's set objects we use */ --bool sss_python_set_check(PyObject *set); -- - /* Unicode compatibility */ - PyObject *sss_python_unicode_from_string(const char *u); - --- -2.4.3 - diff --git a/0007-UTIL-Remove-compatibility-macro-PyModule_AddIntMacro.patch b/0007-UTIL-Remove-compatibility-macro-PyModule_AddIntMacro.patch deleted file mode 100644 index a78f586..0000000 --- a/0007-UTIL-Remove-compatibility-macro-PyModule_AddIntMacro.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 61311b000c5d36322a35103cee2eb304875d235f Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 9 Feb 2015 19:33:44 +0100 -Subject: [PATCH 07/30] UTIL: Remove compatibility macro PyModule_AddIntMacro - -The macro PyModule_AddIntMacro is defined in python >= 2.6 - -Reviewed-by: Stephen Gallagher ---- - src/external/python.m4 | 2 +- - src/util/sss_python.h | 5 ----- - 2 files changed, 1 insertion(+), 6 deletions(-) - -diff --git a/src/external/python.m4 b/src/external/python.m4 -index e93f850092b0f54565e138b3235b9c29f89e5444..ac427268d4ff8828314cefb43ce2af72d34bc295 100644 ---- a/src/external/python.m4 -+++ b/src/external/python.m4 -@@ -63,7 +63,7 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT], - LIBS="$LIBS $PYTHON_LIBS" - - AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc]) -- AC_CHECK_DECLS([PyModule_AddIntMacro, PyUnicode_FromString], [], [], [[#include ]]) -+ AC_CHECK_DECLS([PyUnicode_FromString], [], [], [[#include ]]) - - CPPFLAGS="$save_CPPFLAGS" - LIBS="$save_LIBS" -diff --git a/src/util/sss_python.h b/src/util/sss_python.h -index 56c25ebb74bffc061688c3c32515d6e0288ac94d..5521aa5cfd84acffc65edbe76a264b1f2a52e9fd 100644 ---- a/src/util/sss_python.h -+++ b/src/util/sss_python.h -@@ -32,11 +32,6 @@ PyObject *sss_python_unicode_from_string(const char *u); - PyObject * - sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict); - --/* PyModule_AddIntMacro() compatibility */ --#if !HAVE_DECL_PYMODULE_ADDINTMACRO --#define PyModule_AddIntMacro(m, c) PyModule_AddIntConstant(m, sss_py_const_p(char, #c), c) --#endif -- - /* Convenience macros */ - #define TYPE_READY(module, type, name) do { \ - if (PyType_Ready(&type) < 0) \ --- -2.4.3 - diff --git a/0008-UTIL-Remove-python-wrapper-sss_python_unicode_from_s.patch b/0008-UTIL-Remove-python-wrapper-sss_python_unicode_from_s.patch deleted file mode 100644 index 7177f5f..0000000 --- a/0008-UTIL-Remove-python-wrapper-sss_python_unicode_from_s.patch +++ /dev/null 
@@ -1,160 +0,0 @@ -From 099738f89b0887a7aaaf542440383b6808ffd2db Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 9 Feb 2015 19:38:42 +0100 -Subject: [PATCH 08/30] UTIL: Remove python wrapper - sss_python_unicode_from_string - -The function PyUnicode_FromString is available in python >= 2.6 - -Reviewed-by: Stephen Gallagher ---- - src/external/python.m4 | 3 +-- - src/python/pyhbac.c | 18 +++++++++--------- - src/util/sss_python.c | 10 ---------- - src/util/sss_python.h | 3 --- - 4 files changed, 10 insertions(+), 24 deletions(-) - -diff --git a/src/external/python.m4 b/src/external/python.m4 -index ac427268d4ff8828314cefb43ce2af72d34bc295..d59233aa01ac591cfc86be974d8ae26ebbe4635d 100644 ---- a/src/external/python.m4 -+++ b/src/external/python.m4 -@@ -54,7 +54,7 @@ AC_DEFUN([AM_CHECK_PYTHON_HEADERS], - - - dnl Checks for a couple of functions we use that may not be defined --dnl in some older python versions used e.g. on RHEL5 -+dnl in some older python (< 2.6) versions used e.g. 
on RHEL6 - AC_DEFUN([AM_CHECK_PYTHON_COMPAT], - [AC_REQUIRE([AM_CHECK_PYTHON_HEADERS]) - save_CPPFLAGS="$CPPFLAGS" -@@ -63,7 +63,6 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT], - LIBS="$LIBS $PYTHON_LIBS" - - AC_CHECK_FUNCS([PyErr_NewExceptionWithDoc]) -- AC_CHECK_DECLS([PyUnicode_FromString], [], [], [[#include ]]) - - CPPFLAGS="$save_CPPFLAGS" - LIBS="$save_LIBS" -diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c -index bbdf2b9fb75e2be0d46749faa6aaf0698a5d5ebb..2ccff6856b5bb5fbbb4803633ae549481ebb6035 100644 ---- a/src/python/pyhbac.c -+++ b/src/python/pyhbac.c -@@ -493,7 +493,7 @@ HbacRuleElement_repr(HbacRuleElement *self) - uint32_t category; - PyObject *o, *format, *args; - -- format = sss_python_unicode_from_string(""); -+ format = PyUnicode_FromString(""); - if (format == NULL) { - return NULL; - } -@@ -651,7 +651,7 @@ HbacRule_new(PyTypeObject *type, PyObject *args, PyObject *kwds) - return NULL; - } - -- self->name = sss_python_unicode_from_string(""); -+ self->name = PyUnicode_FromString(""); - if (self->name == NULL) { - Py_DECREF(self); - PyErr_NoMemory(); -@@ -869,7 +869,7 @@ HbacRule_repr(HbacRuleObject *self) - PyObject *srchosts_repr; - PyObject *o, *format, *args; - -- format = sss_python_unicode_from_string(""); - if (format == NULL) { -@@ -1149,7 +1149,7 @@ HbacRequestElement_new(PyTypeObject *type, PyObject *args, PyObject *kwds) - return NULL; - } - -- self->name = sss_python_unicode_from_string(""); -+ self->name = PyUnicode_FromString(""); - if (self->name == NULL) { - PyErr_NoMemory(); - Py_DECREF(self); -@@ -1291,7 +1291,7 @@ HbacRequestElement_repr(HbacRequestElement *self) - char *strgroups; - PyObject *o, *format, *args; - -- format = sss_python_unicode_from_string(""); -+ format = PyUnicode_FromString(""); - if (format == NULL) { - return NULL; - } -@@ -1609,7 +1609,7 @@ py_hbac_evaluate(HbacRequest *self, PyObject *args) - eres = hbac_evaluate(rules, hbac_req, &info); - switch (eres) { - case HBAC_EVAL_ALLOW: -- self->rule_name = 
sss_python_unicode_from_string(info->rule_name); -+ self->rule_name = PyUnicode_FromString(info->rule_name); - if (!self->rule_name) { - PyErr_NoMemory(); - goto fail; -@@ -1662,7 +1662,7 @@ HbacRequest_repr(HbacRequest *self) - PyObject *srchost_repr; - PyObject *o, *format, *args; - -- format = sss_python_unicode_from_string(""); - if (format == NULL) { - return NULL; -@@ -1853,7 +1853,7 @@ py_hbac_result_string(PyObject *module, PyObject *args) - return Py_None; - } - -- return sss_python_unicode_from_string(str); -+ return PyUnicode_FromString(str); - } - - PyDoc_STRVAR(py_hbac_error_string__doc__, -@@ -1877,7 +1877,7 @@ py_hbac_error_string(PyObject *module, PyObject *args) - return Py_None; - } - -- return sss_python_unicode_from_string(str); -+ return PyUnicode_FromString(str); - } - - static PyMethodDef pyhbac_module_methods[] = { -diff --git a/src/util/sss_python.c b/src/util/sss_python.c -index ba78bf9689c903713229395a49e5f3686e5e6f10..560effc26d474bdb367784083cb354bb57ead412 100644 ---- a/src/util/sss_python.c -+++ b/src/util/sss_python.c -@@ -22,16 +22,6 @@ - #include "config.h" - - PyObject * --sss_python_unicode_from_string(const char *u) --{ --#ifdef HAVE_PYUNICODE_FROMSTRING -- return PyUnicode_FromString(u); --#else -- return PyUnicode_DecodeUTF8(u, strlen(u), NULL); --#endif --} -- --PyObject * - sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict) - { - #ifdef HAVE_PYERR_NEWEXCEPTIONWITHDOC -diff --git a/src/util/sss_python.h b/src/util/sss_python.h -index 5521aa5cfd84acffc65edbe76a264b1f2a52e9fd..7e2bac33656dcbac91bb4f4d32ec9fbc44bb4e52 100644 ---- a/src/util/sss_python.h -+++ b/src/util/sss_python.h -@@ -25,9 +25,6 @@ - #define PYNUMBER_ASLONG(what) PyInt_AsLong(what) - #endif - --/* Unicode compatibility */ --PyObject *sss_python_unicode_from_string(const char *u); -- - /* Exceptions compatibility */ - PyObject * - sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict); --- -2.4.3 - 
diff --git a/0009-BUILD-Use-python-config-for-detection-FLAGS.patch b/0009-BUILD-Use-python-config-for-detection-FLAGS.patch
deleted file mode 100644
index 84ba79b..0000000
--- a/0009-BUILD-Use-python-config-for-detection-FLAGS.patch
+++ /dev/null
@@ -1,133 +0,0 @@ -From c0f7ae30d0b2b5d394d9cca88e7487ddc6394555 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Tue, 10 Feb 2015 16:14:59 +0100 -Subject: [PATCH 09/30] BUILD: Use python-config for detection *FLAGS - -The script python-config was not available in older versions of python. -This patch simplify detection of python CFLAGS and LDFLAGS and increase -minimal required version of python to 2.6 - -Reviewed-by: Stephen Gallagher ---- - configure.ac | 6 +++-- - src/external/python.m4 | 63 +++++++++++++++++++++++++------------------------- - 2 files changed, 36 insertions(+), 33 deletions(-) - -diff --git a/configure.ac b/configure.ac -index cdbe6f9bff3822bb80d8d43b593e02c39d729f64..f72e448528edcffb855504a38a179c400f98ac42 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -248,11 +248,13 @@ AM_CONDITIONAL([HAVE_MANPAGES], [test "x$HAVE_MANPAGES" != "x"]) - AM_CONDITIONAL([HAVE_PO4A], [test "x$PO4A" != "xno"]) - - if test x$HAVE_PYTHON_BINDINGS != x; then -- AM_PATH_PYTHON([2.4]) -+ AM_PATH_PYTHON([2.6]) -+ AM_PYTHON_CONFIG([python]) - AM_CHECK_PYTHON_HEADERS([], - AC_MSG_ERROR([Could not find python headers])) -- AM_PYTHON_CONFIG - AM_CHECK_PYTHON_COMPAT -+ AC_SUBST([PYTHON_CFLAGS]) -+ AC_SUBST([PYTHON_LIBS]) - fi - - if test x$HAVE_SELINUX != x; then -diff --git a/src/external/python.m4 b/src/external/python.m4 -index d59233aa01ac591cfc86be974d8ae26ebbe4635d..c91e8df17b0371538f02bfeb9cade1ce639074bd 100644 ---- a/src/external/python.m4 -+++ b/src/external/python.m4 -@@ -1,46 +1,33 @@ - dnl Check for python-config and substitute needed CFLAGS and LDFLAGS - dnl Usage: --dnl AM_PYTHON_CONFIG -+dnl AM_PYTHON_CONFIG(python_with_major_version) -+dnl argument python_with_major_version should be either python2 or python3 -+dnl This function sets the PYTHON_CFLAGS, PYTHON_LIBS and PYTHON_INCLUDES -+dnl variables - - AC_DEFUN([AM_PYTHON_CONFIG], --[ AC_SUBST(PYTHON_CFLAGS) -- AC_SUBST(PYTHON_LIBS) -+[ -+ AC_PATH_PROG([PYTHON_CONFIG], 
[python$PYTHON_VERSION-config]) -+ AS_IF([test x"$PYTHON_CONFIG" = x], -+ AC_MSG_ERROR([ -+The program python$PYTHON_VERSION-config was not found in search path. -+Please ensure that it is installed and its directory is included in the search -+path. If you want to build sssd without $1 bindings then specify -+--without-$1-bindings when running configure.])) - --dnl We need to check for python build flags using distutils.sysconfig --dnl We cannot use python-config, as it was not available on older --dnl versions of python -- AC_PATH_PROG(PYTHON, python) -- AC_MSG_CHECKING([for working python]) -- if test -x "$PYTHON"; then -- PYTHON_CFLAGS="`$PYTHON -c \"from distutils import sysconfig; \ -- print('-I' + sysconfig.get_python_inc() + \ -- ' -I' + sysconfig.get_python_inc(plat_specific=True) + ' ' + \ -- sysconfig.get_config_var('BASECFLAGS'))\"`" -- PYTHON_LIBS="`$PYTHON -c \"from distutils import sysconfig; \ -- print(' '.join(sysconfig.get_config_var('LIBS').split() + \ -- sysconfig.get_config_var('SYSLIBS').split()) + \ -- ' ' + sysconfig.get_config_var('BLDLIBRARY') + ' ' + \ -- ' -L' + sysconfig.get_config_var('LIBDIR'))\"`" -- AC_MSG_RESULT([yes]) -- else -- AC_MSG_RESULT([no]) -- AC_MSG_ERROR([Please install python devel package]) -- fi -+ PYTHON_CFLAGS="` $PYTHON_CONFIG --cflags`" -+ PYTHON_LIBS="` $PYTHON_CONFIG --libs`" -+ PYTHON_INCLUDES="` $PYTHON_CONFIG --includes`" - ]) - - dnl Taken from GNOME sources - dnl a macro to check for ability to create python extensions - dnl AM_CHECK_PYTHON_HEADERS([ACTION-IF-POSSIBLE], [ACTION-IF-NOT-POSSIBLE]) --dnl function also defines PYTHON_INCLUDES - AC_DEFUN([AM_CHECK_PYTHON_HEADERS], --[AC_REQUIRE([AM_PATH_PYTHON]) -+[ -+ AC_REQUIRE([AM_PATH_PYTHON]) - AC_MSG_CHECKING(for headers required to compile python extensions) - -- dnl deduce PYTHON_INCLUDES -- PYTHON_INCLUDES=-I`$PYTHON -c "from distutils import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"` -- -- AC_SUBST(PYTHON_INCLUDES) -- - dnl check if the 
headers exist: - save_CPPFLAGS="$CPPFLAGS" - CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES" -@@ -56,7 +43,8 @@ AC_DEFUN([AM_CHECK_PYTHON_HEADERS], - dnl Checks for a couple of functions we use that may not be defined - dnl in some older python (< 2.6) versions used e.g. on RHEL6 - AC_DEFUN([AM_CHECK_PYTHON_COMPAT], --[AC_REQUIRE([AM_CHECK_PYTHON_HEADERS]) -+[ -+ AC_REQUIRE([AM_CHECK_PYTHON_HEADERS]) - save_CPPFLAGS="$CPPFLAGS" - save_LIBS="$LIBS" - CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES" -@@ -67,3 +55,16 @@ AC_DEFUN([AM_CHECK_PYTHON_COMPAT], - CPPFLAGS="$save_CPPFLAGS" - LIBS="$save_LIBS" - ]) -+ -+dnl Clean variables after detection of python -+AC_DEFUN([SSS_CLEAN_PYTHON_VARIABLES], -+[ -+ unset pyexecdir pkgpyexecdir pythondir pgkpythondir -+ unset PYTHON PYTHON_CFLAGS PYTHON_LIBS PYTHON_INCLUDES -+ unset PYTHON_PREFIX PYTHON_EXEC_PREFIX PYTHON_VERSION PYTHON_CONFIG -+ -+ dnl removed cached variables, required for reusing of AM_PATH_PYTHON -+ unset am_cv_pathless_PYTHON ac_cv_path_PYTHON am_cv_python_version -+ unset am_cv_python_platform am_cv_python_pythondir am_cv_python_pyexecdir -+ unset ac_cv_path_PYTHON_CONFIG -+]) --- -2.4.3 - diff --git a/0010-SPEC-Use-new-convention-for-python-packages.patch b/0010-SPEC-Use-new-convention-for-python-packages.patch deleted file mode 100644 index a9d3c16..0000000 --- a/0010-SPEC-Use-new-convention-for-python-packages.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 7a0b12ac7b5aa17794a97adcbde2bf0db19281a4 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Tue, 10 Feb 2015 16:33:04 +0100 -Subject: [PATCH 10/30] SPEC: Use new convention for python packages - -Reviewed-by: Stephen Gallagher ---- - contrib/sssd.spec.in | 20 ++++++++++++-------- - 1 file changed, 12 insertions(+), 8 deletions(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 2600438f3020abccc2bd376d274a0b251f2bcc80..c9e62b301aa9ac4109041a7a4425e13d4ad236ba 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -339,14 +339,16 @@ Requires: libipa_hbac = %{version}-%{release} - %description -n libipa_hbac-devel - Utility library to validate FreeIPA HBAC rules for authorization requests - --%package -n libipa_hbac-python -+%package -n python-libipa_hbac - Summary: Python bindings for the FreeIPA HBAC Evaluator library - Group: Development/Libraries - License: LGPLv3+ - Requires: libipa_hbac = %{version}-%{release} -+Provides: libipa_hbac-python = %{version}-%{release} -+Obsoletes: libipa_hbac-python < 1.12.90 - --%description -n libipa_hbac-python --The libipa_hbac-python contains the bindings so that libipa_hbac can be -+%description -n python-libipa_hbac -+The python-libipa_hbac contains the bindings so that libipa_hbac can be - used by Python applications. 
- - %package -n libsss_nss_idmap -@@ -368,14 +370,16 @@ Requires: libsss_nss_idmap = %{version}-%{release} - %description -n libsss_nss_idmap-devel - Utility library for SID based lookups - --%package -n libsss_nss_idmap-python -+%package -n python-libsss_nss_idmap - Summary: Python bindings for libsss_nss_idmap - Group: Development/Libraries - License: LGPLv3+ - Requires: libsss_nss_idmap = %{version}-%{release} -+Provides: libsss_nss_idmap-python = %{version}-%{release} -+Obsoletes: libsss_nss_idmap-python < 1.12.90 - --%description -n libsss_nss_idmap-python --The libsss_nss_idmap-python contains the bindings so that libsss_nss_idmap can -+%description -n python-libsss_nss_idmap -+The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can - be used by Python applications. - - %package dbus -@@ -787,11 +791,11 @@ rm -rf $RPM_BUILD_ROOT - %{_libdir}/libsss_nss_idmap.so - %{_libdir}/pkgconfig/sss_nss_idmap.pc - --%files -n libsss_nss_idmap-python -+%files -n python-libsss_nss_idmap - %defattr(-,root,root,-) - %{python_sitearch}/pysss_nss_idmap.so - --%files -n libipa_hbac-python -+%files -n python-libipa_hbac - %defattr(-,root,root,-) - %{python_sitearch}/pyhbac.so - --- -2.4.3 - diff --git a/0011-SPEC-Move-python-bindings-to-separate-packages.patch b/0011-SPEC-Move-python-bindings-to-separate-packages.patch deleted file mode 100644 index e55abdc..0000000 --- a/0011-SPEC-Move-python-bindings-to-separate-packages.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 2641bd5495cdebe2652f26bbd3a5a93013446ef2 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Tue, 10 Feb 2015 16:50:12 +0100 -Subject: [PATCH 11/30] SPEC: Move python bindings to separate packages - -Some pyhton bindings pysss and pysss_murmur was in package sssd-common. -Therefore package sssd-common had python as a dependency. - -Reviewed-by: Stephen Gallagher ---- - contrib/sssd.spec.in | 35 +++++++++++++++++++++++++++++++++-- - 1 file changed, 33 insertions(+), 2 deletions(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index c9e62b301aa9ac4109041a7a4425e13d4ad236ba..2dbcd9e40c03e46e4e132a4ef4560044e88ea853 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -196,6 +196,9 @@ Summary: Userspace tools for use with the SSSD - Group: Applications/System - License: GPLv3+ - Requires: sssd-common = %{version}-%{release} -+# required by sss_obfuscate -+Requires: python-sss = %{version}-%{release} -+Requires: python-sssdconfig = %{version}-%{release} - - %description tools - Provides userspace tools for manipulating users, groups, and nested groups in -@@ -215,6 +218,28 @@ BuildArch: noarch - %description -n python-sssdconfig - Provides python files for manipulation SSSD and IPA configuration files. - -+%package -n python-sss -+Summary: Python bindings for sssd -+Group: Development/Libraries -+License: LGPLv3+ -+Requires: sssd-common = %{version}-%{release} -+ -+%description -n python-sss -+Provides python module for manipulating users, groups, and nested groups in -+SSSD when using id_provider = local in /etc/sssd/sssd.conf. -+ -+Also provides several other useful python bindings: -+ * function for retrieving list of groups user belongs to. 
-+ * class for obfuscation of passwords -+ -+%package -n python-sss-murmur -+Summary: Python bindings for murmur hash function -+Group: Development/Libraries -+License: LGPLv3+ -+ -+%description -n python-sss-murmur -+Provides python module for calculating the murmur hash version 3 -+ - %package ldap - Summary: The LDAP back end of the SSSD - Group: Applications/System -@@ -638,8 +663,6 @@ rm -rf $RPM_BUILD_ROOT - %{_mandir}/man8/sss_cache.8* - %{_mandir}/man1/sss_ssh_authorizedkeys.1* - %{_mandir}/man1/sss_ssh_knownhostsproxy.1* --%{python_sitearch}/pysss.so --%{python_sitearch}/pysss_murmur.so - - %files ldap -f sssd_ldap.lang - %defattr(-,root,root,-) -@@ -755,6 +778,14 @@ rm -rf $RPM_BUILD_ROOT - %dir %{python_sitelib}/SSSDConfig - %{python_sitelib}/SSSDConfig/*.py* - -+%files -n python-sss -+%defattr(-,root,root,-) -+%{python_sitearch}/pysss.so -+ -+%files -n python-sss-murmur -+%defattr(-,root,root,-) -+%{python_sitearch}/pysss_murmur.so -+ - %files -n libsss_idmap - %defattr(-,root,root,-) - %doc src/sss_client/COPYING src/sss_client/COPYING.LESSER --- -2.4.3 - diff --git a/0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch b/0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch deleted file mode 100644 index 8d79bcc..0000000 --- a/0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch +++ /dev/null 
@@ -1,532 +0,0 @@ -From e9e0f3a46fabc6ba9503e10dc2b685480b65a8e2 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Tue, 10 Feb 2015 17:22:03 +0100 -Subject: [PATCH 12/30] BUILD: Add possibility to build python{2,3} bindings - -Resolves: -https://fedorahosted.org/sssd/ticket/2574 - -Reviewed-by: Stephen Gallagher ---- - Makefile.am | 196 ++++++++++++++++++++++++++++++++--------- - configure.ac | 49 +++++++++-- - contrib/sssd.spec.in | 4 + - src/conf_macros.m4 | 39 +++++--- - src/tests/pyhbac-test.py | 22 ++++- - src/tests/pysss_murmur-test.py | 22 ++++- - 6 files changed, 267 insertions(+), 65 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index bdca46a0548ddb98dde485a7786566eb623b181b..0a1511c23ce844ce9963ac33ac3daadd31bdc27e 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -301,12 +301,22 @@ noinst_LTLIBRARIES = - - pkglib_LTLIBRARIES = - --if BUILD_PYTHON_BINDINGS --pyexec_LTLIBRARIES = \ -- pysss.la \ -- pyhbac.la \ -- pysss_murmur.la \ -- pysss_nss_idmap.la -+if BUILD_PYTHON2_BINDINGS -+py2exec_LTLIBRARIES = \ -+ _py2sss.la \ -+ _py2hbac.la \ -+ _py2sss_murmur.la \ -+ _py2sss_nss_idmap.la \ -+ $(NULL) -+endif -+ -+if BUILD_PYTHON3_BINDINGS -+py3exec_LTLIBRARIES = \ -+ _py3sss.la \ -+ _py3hbac.la \ -+ _py3sss_murmur.la \ -+ _py3sss_nss_idmap.la \ -+ $(NULL) - endif - - dist_noinst_SCRIPTS = \ -@@ -2841,58 +2851,109 @@ sssd_pac_plugin_la_LDFLAGS = \ - -avoid-version \ - -module - --if BUILD_PYTHON_BINDINGS -+# python[23] bindings - pysss_la_SOURCES = \ - $(SSSD_TOOLS_OBJ) \ - src/python/pysss.c --pysss_la_CFLAGS = \ -- $(AM_CFLAGS) \ -- $(PYTHON_CFLAGS) --pysss_la_LIBADD = \ -- $(SSSD_INTERNAL_LTLIBS) \ -- $(PYTHON_BINDINGS_LIBS) \ -- $(PYTHON_LIBS) - pysss_la_LDFLAGS = \ - -avoid-version \ - -module - -+_py2sss_la_SOURCES = $(pysss_la_SOURCES) -+_py2sss_la_CFLAGS = \ -+ $(AM_CFLAGS) \ -+ $(PYTHON2_CFLAGS) -+_py2sss_la_LIBADD = \ -+ $(SSSD_INTERNAL_LTLIBS) \ -+ $(PYTHON_BINDINGS_LIBS) \ -+ $(PYTHON2_LIBS) -+_py2sss_la_LDFLAGS = $(pysss_la_LDFLAGS) 
-+ -+_py3sss_la_SOURCES = $(pysss_la_SOURCES) -+_py3sss_la_CFLAGS = \ -+ $(AM_CFLAGS) \ -+ $(PYTHON3_CFLAGS) -+_py3sss_la_LIBADD = \ -+ $(SSSD_INTERNAL_LTLIBS) \ -+ $(PYTHON_BINDINGS_LIBS) \ -+ $(PYTHON3_LIBS) -+_py3sss_la_LDFLAGS = $(pysss_la_LDFLAGS) -+ -+ - pyhbac_la_SOURCES = \ - src/python/pyhbac.c \ - src/util/sss_python.c --pyhbac_la_CFLAGS = \ -- $(AM_CFLAGS) \ -- $(PYTHON_CFLAGS) --pyhbac_la_LIBADD = \ -- $(PYTHON_LIBS) \ -- libipa_hbac.la - pyhbac_la_LDFLAGS = \ - -avoid-version \ - -module - -+_py2hbac_la_SOURCES = $(pyhbac_la_SOURCES) -+_py2hbac_la_CFLAGS = \ -+ $(AM_CFLAGS) \ -+ $(PYTHON2_CFLAGS) -+_py2hbac_la_LIBADD = \ -+ $(PYTHON2_LIBS) \ -+ libipa_hbac.la -+_py2hbac_la_LDFLAGS = $(pyhbac_la_LDFLAGS) -+ -+_py3hbac_la_SOURCES = $(pyhbac_la_SOURCES) -+_py3hbac_la_CFLAGS = \ -+ $(AM_CFLAGS) \ -+ $(PYTHON3_CFLAGS) -+_py3hbac_la_LIBADD = \ -+ $(PYTHON3_LIBS) \ -+ libipa_hbac.la -+_py3hbac_la_LDFLAGS = $(pyhbac_la_LDFLAGS) -+ -+ - pysss_murmur_la_SOURCES = \ - src/python/pysss_murmur.c \ - src/util/murmurhash3.c --pysss_murmur_la_CFLAGS = \ -- $(AM_CFLAGS) \ -- $(PYTHON_CFLAGS) --pysss_murmur_la_LIBADD = \ -- $(PYTHON_LIBS) - pysss_murmur_la_LDFLAGS = \ - -avoid-version \ - -module - -+_py2sss_murmur_la_SOURCES = $(pysss_murmur_la_SOURCES) -+_py2sss_murmur_la_CFLAGS = \ -+ $(AM_CFLAGS) \ -+ $(PYTHON2_CFLAGS) -+_py2sss_murmur_la_LIBADD = \ -+ $(PYTHON2_LIBS) -+_py2sss_murmur_la_LDFLAGS = $(pysss_murmur_la_LDFLAGS) -+ -+_py3sss_murmur_la_SOURCES = $(pysss_murmur_la_SOURCES) -+_py3sss_murmur_la_CFLAGS = \ -+ $(AM_CFLAGS) \ -+ $(PYTHON3_CFLAGS) -+_py3sss_murmur_la_LIBADD = \ -+ $(PYTHON3_LIBS) -+_py3sss_murmur_la_LDFLAGS = $(pysss_murmur_la_LDFLAGS) -+ -+ - pysss_nss_idmap_la_SOURCES = \ - src/python/pysss_nss_idmap.c --pysss_nss_idmap_la_CFLAGS = \ -- $(AM_CFLAGS) \ -- $(PYTHON_CFLAGS) --pysss_nss_idmap_la_LIBADD = \ -- $(PYTHON_LIBS) \ -- libsss_nss_idmap.la - pysss_nss_idmap_la_LDFLAGS = \ - -avoid-version \ - -module --endif -+ 
-+_py2sss_nss_idmap_la_SOURCES = $(pysss_nss_idmap_la_SOURCES) -+_py2sss_nss_idmap_la_CFLAGS = \ -+ $(AM_CFLAGS) \ -+ $(PYTHON2_CFLAGS) -+_py2sss_nss_idmap_la_LIBADD = \ -+ $(PYTHON2_LIBS) \ -+ libsss_nss_idmap.la -+_py2sss_nss_idmap_la_LDFLAGS = $(pysss_nss_idmap_la_LDFLAGS) -+ -+_py3sss_nss_idmap_la_SOURCES = $(pysss_nss_idmap_la_SOURCES) -+_py3sss_nss_idmap_la_CFLAGS = \ -+ $(AM_CFLAGS) \ -+ $(PYTHON3_CFLAGS) -+_py3sss_nss_idmap_la_LIBADD = \ -+ $(PYTHON3_LIBS) \ -+ libsss_nss_idmap.la -+_py3sss_nss_idmap_la_LDFLAGS = $(pysss_nss_idmap_la_LDFLAGS) -+# end of python[23] bindings - - if BUILD_CIFS_IDMAP_PLUGIN - cifs_idmap_sss_la_SOURCES = \ -@@ -3054,17 +3115,51 @@ SSSSCONFIG_MODULES = - endif - - all-local: ldb_mod_test_dir $(SSSDCONFIG_MODULES) --if BUILD_PYTHON_BINDINGS -- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config -+if BUILD_PYTHON2_BINDINGS -+ cd $(builddir)/src/config; \ -+ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config -+endif -+if BUILD_PYTHON3_BINDINGS -+ cd $(builddir)/src/config; \ -+ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config - endif - - install-exec-hook: installsssddirs --if BUILD_PYTHON_BINDINGS -+if BUILD_PYTHON2_BINDINGS - if [ "$(DESTDIR)" = "" ]; then \ -- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config install $(DISTSETUPOPTS) --prefix=$(PYTHON_PREFIX) --record=$(abs_builddir)/src/config/.files; \ -+ cd $(builddir)/src/config; \ -+ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config \ -+ install $(DISTSETUPOPTS) --prefix=$(PYTHON2_PREFIX) \ -+ --record=$(abs_builddir)/src/config/.files2; \ - else \ -- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config install $(DISTSETUPOPTS) --prefix=$(PYTHON_PREFIX) --root=$(DESTDIR) --record=$(abs_builddir)/src/config/.files; \ -+ cd $(builddir)/src/config; \ -+ $(PYTHON2) setup.py build --build-base 
$(abs_builddir)/src/config \ -+ install $(DISTSETUPOPTS) --prefix=$(PYTHON2_PREFIX) \ -+ --record=$(abs_builddir)/src/config/.files2 --root=$(DESTDIR); \ - fi -+ cd $(DESTDIR)$(py2execdir) && \ -+ $(LN_S) _py2sss.so pysss.so ; \ -+ $(LN_S) _py2hbac.so pyhbac.so ; \ -+ $(LN_S) _py2sss_murmur.so pysss_murmur.so ; \ -+ $(LN_S) _py2sss_nss_idmap.so pysss_nss_idmap.so -+endif -+if BUILD_PYTHON3_BINDINGS -+ if [ "$(DESTDIR)" = "" ]; then \ -+ cd $(builddir)/src/config; \ -+ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config \ -+ install $(DISTSETUPOPTS) --prefix=$(PYTHON3_PREFIX) \ -+ --record=$(abs_builddir)/src/config/.files3; \ -+ else \ -+ cd $(builddir)/src/config; \ -+ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config \ -+ install $(DISTSETUPOPTS) --prefix=$(PYTHON3_PREFIX) \ -+ --record=$(abs_builddir)/src/config/.files3 --root=$(DESTDIR); \ -+ fi -+ cd $(DESTDIR)$(py3execdir) && \ -+ $(LN_S) _py3sss.so pysss.so ; \ -+ $(LN_S) _py3hbac.so pyhbac.so ; \ -+ $(LN_S) _py3sss_murmur.so pysss_murmur.so ; \ -+ $(LN_S) _py3sss_nss_idmap.so pysss_nss_idmap.so - endif - for doc in $(SSSD_DOCS); do \ - $(MKDIR_P) $$doc $(DESTDIR)/$(docdir); \ -@@ -3100,16 +3195,20 @@ install-data-hook: - fi - - uninstall-hook: -- if [ -f $(abs_builddir)/src/config/.files ]; then \ -- cat $(abs_builddir)/src/config/.files | xargs -iq rm -f $(DESTDIR)/q; \ -- rm $(abs_builddir)/src/config/.files ; \ -+ if [ -f $(abs_builddir)/src/config/.files2 ]; then \ -+ cat $(abs_builddir)/src/config/.files2 | xargs -iq rm -f $(DESTDIR)/q; \ -+ rm $(abs_builddir)/src/config/.files2 ; \ -+ fi -+ if [ -f $(abs_builddir)/src/config/.files3 ]; then \ -+ cat $(abs_builddir)/src/config/.files3 | xargs -iq rm -f $(DESTDIR)/q; \ -+ rm $(abs_builddir)/src/config/.files3 ; \ - fi - for doc in $(SSSD_DOCS); do \ - rm -Rf $(DESTDIR)/$(docdir)/$$doc; \ - done; - - clean-local: --if BUILD_PYTHON_BINDINGS -+if BUILD_PYTHON2_BINDINGS - if [ ! 
$(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \ - rm -f $(builddir)/src/config/SSSDConfig/ipachangeconf.py ; \ - fi -@@ -3120,7 +3219,20 @@ if BUILD_PYTHON_BINDINGS - - rm -f $(builddir)/src/config/SSSDConfig/*.pyc - -- cd $(builddir)/src/config; $(PYTHON) setup.py build --build-base $(abs_builddir)/src/config clean --all -+ cd $(builddir)/src/config; $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config clean --all -+endif -+if BUILD_PYTHON3_BINDINGS -+ if [ ! $(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \ -+ rm -f $(builddir)/src/config/SSSDConfig/ipachangeconf.py ; \ -+ fi -+ -+ if [ ! $(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \ -+ rm -f $(builddir)/src/config/SSSDConfig/sssd_upgrade_config.py ; \ -+ fi -+ -+ rm -f $(builddir)/src/config/SSSDConfig/__pycache__/*.pyc -+ -+ cd $(builddir)/src/config; $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config clean --all - endif - for doc in $(SSSD_DOCS); do \ - rm -Rf $$doc; \ -diff --git a/configure.ac b/configure.ac -index f72e448528edcffb855504a38a179c400f98ac42..e30405f3a17ffd2c9899b6eb17af85ec9bc15234 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -117,7 +117,8 @@ WITH_KRB5_PLUGIN_PATH - WITH_KRB5_RCACHE_DIR - WITH_KRB5AUTHDATA_PLUGIN_PATH - WITH_KRB5_CONF --WITH_PYTHON_BINDINGS -+WITH_PYTHON2_BINDINGS -+WITH_PYTHON3_BINDINGS - WITH_CIFS_PLUGIN_PATH - WITH_SELINUX - WITH_NSCD -@@ -247,16 +248,52 @@ AM_CONDITIONAL([HAVE_PROFILE_CATALOGS], [test "x$HAVE_PROFILE_CATALOGS" != "x"]) - AM_CONDITIONAL([HAVE_MANPAGES], [test "x$HAVE_MANPAGES" != "x"]) - AM_CONDITIONAL([HAVE_PO4A], [test "x$PO4A" != "xno"]) - --if test x$HAVE_PYTHON_BINDINGS != x; then -+if test x$HAVE_PYTHON2_BINDINGS = x1; then -+ AC_PATH_PROG(PYTHON2, python2) -+ PYTHON=$PYTHON2 - AM_PATH_PYTHON([2.6]) -- 
AM_PYTHON_CONFIG([python]) -+ AM_PYTHON_CONFIG([python2]) - AM_CHECK_PYTHON_HEADERS([], -- AC_MSG_ERROR([Could not find python headers])) -+ AC_MSG_ERROR([Could not find python2 headers])) - AM_CHECK_PYTHON_COMPAT -- AC_SUBST([PYTHON_CFLAGS]) -- AC_SUBST([PYTHON_LIBS]) -+ -+ AC_SUBST([py2execdir], [$pyexecdir]) -+ AC_SUBST([python2dir], [$pythondir]) -+ AC_SUBST([PYTHON2_CFLAGS], [$PYTHON_CFLAGS]) -+ AC_SUBST([PYTHON2_LIBS], [$PYTHON_LIBS]) -+ AC_SUBST([PYTHON2_INCLUDES], [$PYTHON_INCLUDES]) -+ AC_SUBST([PYTHON2_VERSION], [$PYTHON_VERSION]) -+ AC_SUBST([PYTHON2_PREFIX], [$PYTHON_PREFIX]) -+ AC_SUBST([PYTHON2_EXEC_PREFIX], [$PYTHON_EXEC_PREFIX]) -+ -+ SSS_CLEAN_PYTHON_VARIABLES - fi - -+if test x$HAVE_PYTHON3_BINDINGS = x1; then -+ AC_PATH_PROG(PYTHON3, python3) -+ PYTHON=$PYTHON3 -+ AM_PATH_PYTHON([3.3]) -+ AM_PYTHON_CONFIG([python3]) -+ AM_CHECK_PYTHON_HEADERS([], -+ AC_MSG_ERROR([Could not find python3 headers])) -+ AM_CHECK_PYTHON_COMPAT -+ -+ AC_SUBST([py3execdir], [$pyexecdir]) -+ AC_SUBST([python3dir], [$pythondir]) -+ AC_SUBST([PYTHON3_CFLAGS], [$PYTHON_CFLAGS]) -+ AC_SUBST([PYTHON3_LIBS], [$PYTHON_LIBS]) -+ AC_SUBST([PYTHON3_INCLUDES], [$PYTHON_INCLUDES]) -+ AC_SUBST([PYTHON3_VERSION], [$PYTHON_VERSION]) -+ AC_SUBST([PYTHON3_PREFIX], [$PYTHON_PREFIX]) -+ AC_SUBST([PYTHON3_EXEC_PREFIX], [$PYTHON_EXEC_PREFIX]) -+ -+ SSS_CLEAN_PYTHON_VARIABLES -+fi -+ -+AM_CONDITIONAL([BUILD_PYTHON_BINDINGS], -+ [test x"$with_python2_bindings" = xyes \ -+ -o x"$with_python3_bindings" = xyes]) -+ - if test x$HAVE_SELINUX != x; then - AM_CHECK_SELINUX - AM_CHECK_SELINUX_LOGIN_DIR -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 2dbcd9e40c03e46e4e132a4ef4560044e88ea853..c50eebd193de5815eca55824670a319603b54501 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -781,10 +781,12 @@ rm -rf $RPM_BUILD_ROOT - %files -n python-sss - %defattr(-,root,root,-) - %{python_sitearch}/pysss.so -+%{python_sitearch}/_py2sss.so - - %files -n python-sss-murmur - 
%defattr(-,root,root,-) - %{python_sitearch}/pysss_murmur.so -+%{python_sitearch}/_py2sss_murmur.so - - %files -n libsss_idmap - %defattr(-,root,root,-) -@@ -825,10 +827,12 @@ rm -rf $RPM_BUILD_ROOT - %files -n python-libsss_nss_idmap - %defattr(-,root,root,-) - %{python_sitearch}/pysss_nss_idmap.so -+%{python_sitearch}/_py2sss_nss_idmap.so - - %files -n python-libipa_hbac - %defattr(-,root,root,-) - %{python_sitearch}/pyhbac.so -+%{python_sitearch}/_py2hbac.so - - %files libwbclient - %defattr(-,root,root,-) -diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 -index 86ecc446b4e27196298456b0dd63ab5516442c3b..48d1e6e7d6d1189c86d626a4509d919143aa6821 100644 ---- a/src/conf_macros.m4 -+++ b/src/conf_macros.m4 -@@ -360,21 +360,38 @@ AC_DEFUN([WITH_KRB5_CONF], - AC_DEFINE_UNQUOTED([KRB5_CONF_PATH], ["$KRB5_CONF_PATH"], [KRB5 configuration file]) - ]) - --AC_DEFUN([WITH_PYTHON_BINDINGS], -- [ AC_ARG_WITH([python-bindings], -- [AC_HELP_STRING([--with-python-bindings], -- [Whether to build python bindings [yes]] -- ) -+AC_DEFUN([WITH_PYTHON2_BINDINGS], -+ [ AC_ARG_WITH([python2-bindings], -+ [AC_HELP_STRING([--with-python2-bindings], -+ [Whether to build python2 bindings [yes]]) - ], - [], -- with_python_bindings=yes -+ [with_python2_bindings=yes] - ) -- if test x"$with_python_bindings" = xyes; then -- HAVE_PYTHON_BINDINGS=1 -- AC_SUBST(HAVE_PYTHON_BINDINGS) -- AC_DEFINE_UNQUOTED(HAVE_PYTHON_BINDINGS, 1, [Build with python bindings]) -+ if test x"$with_python2_bindings" = xyes; then -+ AC_SUBST([HAVE_PYTHON2_BINDINGS], [1]) -+ AC_DEFINE_UNQUOTED([HAVE_PYTHON2_BINDINGS], [1], -+ [Build with python2 bindings]) - fi -- AM_CONDITIONAL([BUILD_PYTHON_BINDINGS], [test x"$with_python_bindings" = xyes]) -+ AM_CONDITIONAL([BUILD_PYTHON2_BINDINGS], -+ [test x"$with_python2_bindings" = xyes]) -+ ]) -+ -+AC_DEFUN([WITH_PYTHON3_BINDINGS], -+ [ AC_ARG_WITH([python3-bindings], -+ [AC_HELP_STRING([--with-python3-bindings], -+ [Whether to build python3 bindings [yes]]) -+ ], -+ [], -+ 
[with_python3_bindings=no] -+ ) -+ if test x"$with_python3_bindings" = xyes; then -+ AC_SUBST([HAVE_PYTHON3_BINDINGS], [1]) -+ AC_DEFINE_UNQUOTED([HAVE_PYTHON3_BINDINGS], [1], -+ [Build with python3 bindings]) -+ fi -+ AM_CONDITIONAL([BUILD_PYTHON3_BINDINGS], -+ [test x"$with_python3_bindings" = xyes]) - ]) - - AC_DEFUN([WITH_SELINUX], -diff --git a/src/tests/pyhbac-test.py b/src/tests/pyhbac-test.py -index 0abc5703dedb2466b4d99718b5b524951b8af95c..83958d7bffcccea375c79166ee7dfca6f9956cff 100755 ---- a/src/tests/pyhbac-test.py -+++ b/src/tests/pyhbac-test.py -@@ -6,10 +6,9 @@ import sys - import os - import copy - import sys -+import errno - --srcdir = os.getenv('builddir') --if not srcdir: -- srcdir = "." -+srcdir = os.getenv('builddir') or "." - MODPATH = srcdir + "/.libs" #FIXME - is there a way to get this from libtool? - - if sys.version_info[0] > 2: -@@ -41,6 +40,23 @@ class PyHbacImport(unittest.TestCase): - def testImport(self): - " Import the module and assert it comes from tree " - try: -+ cwd_backup = os.getcwd() -+ -+ try: -+ os.unlink(MODPATH + "/pyhbac.so") -+ except OSError as e: -+ if e.errno == errno.ENOENT: -+ pass -+ else: -+ raise e -+ -+ os.chdir(MODPATH) -+ if sys.version_info[0] > 2: -+ os.symlink("_py3hbac.so", "pyhbac.so") -+ else: -+ os.symlink("_py2hbac.so", "pyhbac.so") -+ os.chdir(cwd_backup) -+ - import pyhbac - except ImportError as e: - print("Could not load the pyhbac module. Please check if it is compiled", file=sys.stderr) -diff --git a/src/tests/pysss_murmur-test.py b/src/tests/pysss_murmur-test.py -index 0b28f45e67cb4b033516a585867085dba7b412e6..faa8bb2d33b9d94d380b8f7045ba45aa06ac4793 100755 ---- a/src/tests/pysss_murmur-test.py -+++ b/src/tests/pysss_murmur-test.py -@@ -23,10 +23,9 @@ import unittest - import sys - import os - import copy -+import errno - --srcdir = os.getenv('builddir') --if not srcdir: -- srcdir = "." -+srcdir = os.getenv('builddir') or "." 
- MODPATH = srcdir + "/.libs" #FIXME - is there a way to get this from libtool? - - def compat_assertItemsEqual(this, expected_seq, actual_seq, msg=None): -@@ -57,6 +56,23 @@ class PySssMurmurImport(unittest.TestCase): - def testImport(self): - " Import the module and assert it comes from tree " - try: -+ cwd_backup = os.getcwd() -+ -+ try: -+ os.unlink(MODPATH + "/pysss_murmur.so") -+ except OSError as e: -+ if e.errno == errno.ENOENT: -+ pass -+ else: -+ raise e -+ -+ os.chdir(MODPATH) -+ if sys.version_info[0] > 2: -+ os.symlink("_py3sss_murmur.so", "pysss_murmur.so") -+ else: -+ os.symlink("_py2sss_murmur.so", "pysss_murmur.so") -+ os.chdir(cwd_backup) -+ - import pysss_murmur - except ImportError as e: - print("Could not load the pysss_murmur module. Please check if it is compiled", file=sys.stderr) --- -2.4.3 - diff --git a/0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch b/0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch deleted file mode 100644 index 17e3bbf..0000000 --- a/0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch +++ /dev/null 
@@ -1,146 +0,0 @@ -From 72574d55a5604900cee99a0ea578abde33e9ad6b Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 23 Feb 2015 22:56:55 +0100 -Subject: [PATCH 13/30] TESTS: Run python tests with all supported python - versions - -This patch add simple bash wrappers for python tests. -They are executed either with python2 or python3. - -Reviewed-by: Stephen Gallagher ---- - Makefile.am | 23 ++++++++++++++++++----- - src/config/SSSDConfigTest.py2.sh | 5 +++++ - src/config/SSSDConfigTest.py3.sh | 5 +++++ - src/tests/pyhbac-test.py2.sh | 5 +++++ - src/tests/pyhbac-test.py3.sh | 5 +++++ - src/tests/pysss_murmur-test.py2.sh | 5 +++++ - src/tests/pysss_murmur-test.py3.sh | 5 +++++ - 7 files changed, 48 insertions(+), 5 deletions(-) - create mode 100755 src/config/SSSDConfigTest.py2.sh - create mode 100755 src/config/SSSDConfigTest.py3.sh - create mode 100755 src/tests/pyhbac-test.py2.sh - create mode 100755 src/tests/pyhbac-test.py3.sh - create mode 100755 src/tests/pysss_murmur-test.py2.sh - create mode 100755 src/tests/pysss_murmur-test.py3.sh - -diff --git a/Makefile.am b/Makefile.am -index 0a1511c23ce844ce9963ac33ac3daadd31bdc27e..7aa44d7dfc3a01334d6d4e68c96095df66dee324 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -250,13 +250,20 @@ endif # HAVE_CMOCKA - - PYTHON_TESTS = - --if BUILD_PYTHON_BINDINGS --PYTHON_TESTS += src/config/SSSDConfigTest.py \ -- src/tests/pyhbac-test.py \ -- src/tests/pysss_murmur-test.py -+if BUILD_PYTHON2_BINDINGS -+PYTHON_TESTS += src/config/SSSDConfigTest.py2.sh \ -+ src/tests/pyhbac-test.py2.sh \ -+ src/tests/pysss_murmur-test.py2.sh \ -+ $(NULL) -+endif -+if BUILD_PYTHON3_BINDINGS -+PYTHON_TESTS += src/config/SSSDConfigTest.py3.sh \ -+ src/tests/pyhbac-test.py3.sh \ -+ src/tests/pysss_murmur-test.py3.sh \ -+ $(NULL) - endif - --TEST_EXTENSIONS = .py -+TEST_EXTENSIONS = .sh - TESTS = \ - $(PYTHON_TESTS) \ - $(non_interactive_cmocka_based_tests) \ -@@ -325,6 +332,8 @@ dist_noinst_SCRIPTS = \ - 
src/config/SSSDConfig/ipachangeconf.py \ - src/config/SSSDConfig/__init__.py \ - src/config/SSSDConfigTest.py \ -+ src/config/SSSDConfigTest.py2.sh \ -+ src/config/SSSDConfigTest.py3.sh \ - src/config/SSSDConfig/sssd_upgrade_config.py \ - contrib/rhel/update_debug_levels.py \ - contrib/fedora/bashrc_sssd \ -@@ -335,7 +344,11 @@ dist_noinst_SCRIPTS = \ - contrib/ci/run \ - contrib/ci/valgrind-condense \ - src/tests/pyhbac-test.py \ -+ src/tests/pyhbac-test.py2.sh \ -+ src/tests/pyhbac-test.py3.sh \ - src/tests/pysss_murmur-test.py \ -+ src/tests/pysss_murmur-test.py2.sh \ -+ src/tests/pysss_murmur-test.py3.sh \ - src/tests/python-test.py \ - $(NULL) - -diff --git a/src/config/SSSDConfigTest.py2.sh b/src/config/SSSDConfigTest.py2.sh -new file mode 100755 -index 0000000000000000000000000000000000000000..7bbd82af3997b295d48f8ea6d1d59afd5eaba43f ---- /dev/null -+++ b/src/config/SSSDConfigTest.py2.sh -@@ -0,0 +1,5 @@ -+#!/bin/sh -+ -+SCRIPT=$(readlink -f "$0") -+SCRIPT_PATH=$(dirname "$SCRIPT") -+exec python2 $SCRIPT_PATH/SSSDConfigTest.py -diff --git a/src/config/SSSDConfigTest.py3.sh b/src/config/SSSDConfigTest.py3.sh -new file mode 100755 -index 0000000000000000000000000000000000000000..89b9f0720473904fe093ee4c065ae01579ee94ef ---- /dev/null -+++ b/src/config/SSSDConfigTest.py3.sh -@@ -0,0 +1,5 @@ -+#!/bin/sh -+ -+SCRIPT=$(readlink -f "$0") -+SCRIPT_PATH=$(dirname "$SCRIPT") -+exec python3 $SCRIPT_PATH/SSSDConfigTest.py -diff --git a/src/tests/pyhbac-test.py2.sh b/src/tests/pyhbac-test.py2.sh -new file mode 100755 -index 0000000000000000000000000000000000000000..48cd16908eaf9cf2c61f8e5fda1d954f116c68cc ---- /dev/null -+++ b/src/tests/pyhbac-test.py2.sh -@@ -0,0 +1,5 @@ -+#!/bin/sh -+ -+SCRIPT=$(readlink -f "$0") -+SCRIPT_PATH=$(dirname "$SCRIPT") -+exec python2 $SCRIPT_PATH/pyhbac-test.py -diff --git a/src/tests/pyhbac-test.py3.sh b/src/tests/pyhbac-test.py3.sh -new file mode 100755 -index 
0000000000000000000000000000000000000000..862c7b23a87ea9d0b747dca12466175f0fd00b76 ---- /dev/null -+++ b/src/tests/pyhbac-test.py3.sh -@@ -0,0 +1,5 @@ -+#!/bin/sh -+ -+SCRIPT=$(readlink -f "$0") -+SCRIPT_PATH=$(dirname "$SCRIPT") -+exec python3 $SCRIPT_PATH/pyhbac-test.py -diff --git a/src/tests/pysss_murmur-test.py2.sh b/src/tests/pysss_murmur-test.py2.sh -new file mode 100755 -index 0000000000000000000000000000000000000000..714459786c19b69f738e91df77d9423eba2b72fd ---- /dev/null -+++ b/src/tests/pysss_murmur-test.py2.sh -@@ -0,0 +1,5 @@ -+#!/bin/sh -+ -+SCRIPT=$(readlink -f "$0") -+SCRIPT_PATH=$(dirname "$SCRIPT") -+exec python2 $SCRIPT_PATH/pysss_murmur-test.py -diff --git a/src/tests/pysss_murmur-test.py3.sh b/src/tests/pysss_murmur-test.py3.sh -new file mode 100755 -index 0000000000000000000000000000000000000000..00b352ad3e15ba7d53885b86129bf76ede7ca4e6 ---- /dev/null -+++ b/src/tests/pysss_murmur-test.py3.sh -@@ -0,0 +1,5 @@ -+#!/bin/sh -+ -+SCRIPT=$(readlink -f "$0") -+SCRIPT_PATH=$(dirname "$SCRIPT") -+exec python3 $SCRIPT_PATH/pysss_murmur-test.py --- -2.4.3 - diff --git a/0014-SPEC-Replace-python_-macros-with-python2_.patch b/0014-SPEC-Replace-python_-macros-with-python2_.patch deleted file mode 100644 index 8375bba..0000000 --- a/0014-SPEC-Replace-python_-macros-with-python2_.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 023ce335f80d03631c98e41cd6802bda09fb555a Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Tue, 10 Feb 2015 18:07:05 +0100 -Subject: [PATCH 14/30] SPEC: Replace python_ macros with python2_ - -Reviewed-by: Stephen Gallagher ---- - contrib/sssd.spec.in | 34 ++++++++++++++++++++-------------- - 1 file changed, 20 insertions(+), 14 deletions(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index c50eebd193de5815eca55824670a319603b54501..6235bcf46fed96befbe035c7fe93026955dd0c3e 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -1,8 +1,14 @@ - %global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//') - -+%if 0%{?rhel} && 0%{?rhel} <= 6 -+%{!?__python2: %global __python2 /usr/bin/python2} -+%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} -+%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} -+%endif -+ - # Fedora and RHEL 6+ - # we don't want to provide private python extension libs --%define __provides_exclude_from %{python_sitearch}/.*\.so$ -+%define __provides_exclude_from %{python2_sitearch}/.*\.so$ - - %if (0%{?fedora} || 0%{?rhel} >= 7) - %global use_systemd 1 -@@ -528,9 +534,9 @@ rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name} - - # Older versions of rpmbuild can only handle one -f option - # So we need to append to the sssd*.lang file --for file in `ls $RPM_BUILD_ROOT/%{python_sitelib}/*.egg-info 2> /dev/null` -+for file in `ls $RPM_BUILD_ROOT/%{python2_sitelib}/*.egg-info 2> /dev/null` - do -- echo %{python_sitelib}/`basename $file` >> python_sssdconfig.lang -+ echo %{python2_sitelib}/`basename $file` >> python2_sssdconfig.lang - done - - touch sssd.lang -@@ -773,20 +779,20 @@ rm -rf $RPM_BUILD_ROOT - %{_mandir}/man8/sss_debuglevel.8* - %{_mandir}/man8/sss_seed.8* - --%files -n python-sssdconfig -f 
python_sssdconfig.lang -+%files -n python-sssdconfig -f python2_sssdconfig.lang - %defattr(-,root,root,-) --%dir %{python_sitelib}/SSSDConfig --%{python_sitelib}/SSSDConfig/*.py* -+%dir %{python2_sitelib}/SSSDConfig -+%{python2_sitelib}/SSSDConfig/*.py* - - %files -n python-sss - %defattr(-,root,root,-) --%{python_sitearch}/pysss.so --%{python_sitearch}/_py2sss.so -+%{python2_sitearch}/pysss.so -+%{python2_sitearch}/_py2sss.so - - %files -n python-sss-murmur - %defattr(-,root,root,-) --%{python_sitearch}/pysss_murmur.so --%{python_sitearch}/_py2sss_murmur.so -+%{python2_sitearch}/pysss_murmur.so -+%{python2_sitearch}/_py2sss_murmur.so - - %files -n libsss_idmap - %defattr(-,root,root,-) -@@ -826,13 +832,13 @@ rm -rf $RPM_BUILD_ROOT - - %files -n python-libsss_nss_idmap - %defattr(-,root,root,-) --%{python_sitearch}/pysss_nss_idmap.so --%{python_sitearch}/_py2sss_nss_idmap.so -+%{python2_sitearch}/pysss_nss_idmap.so -+%{python2_sitearch}/_py2sss_nss_idmap.so - - %files -n python-libipa_hbac - %defattr(-,root,root,-) --%{python_sitearch}/pyhbac.so --%{python_sitearch}/_py2hbac.so -+%{python2_sitearch}/pyhbac.so -+%{python2_sitearch}/_py2hbac.so - - %files libwbclient - %defattr(-,root,root,-) --- -2.4.3 - diff --git a/0015-SPEC-Build-python3-bindings-on-available-platforms.patch b/0015-SPEC-Build-python3-bindings-on-available-platforms.patch deleted file mode 100644 index 8d39711..0000000 --- a/0015-SPEC-Build-python3-bindings-on-available-platforms.patch +++ /dev/null 
@@ -1,378 +0,0 @@ -From 61bf76430dac157452e44da5fa66a4c4f268a806 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Tue, 10 Feb 2015 19:39:45 +0100 -Subject: [PATCH 15/30] SPEC: Build python3 bindings on available platforms - -Resolves: -https://fedorahosted.org/sssd/ticket/2574 - -Reviewed-by: Stephen Gallagher ---- - contrib/ci/configure.sh | 6 ++ - contrib/ci/deps.sh | 1 + - contrib/sssd.spec.in | 144 ++++++++++++++++++++++++++++++++++++++++++++--- - src/conf_macros.m4 | 2 +- - src/tests/dlopen-tests.c | 14 +++-- - 5 files changed, 154 insertions(+), 13 deletions(-) - -diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh -index 8af273043a77556a2eee10224ff2a0baaf53d497..d5d4c791a35f3583416efd904ad5804bcbebf4c8 100644 ---- a/contrib/ci/configure.sh -+++ b/contrib/ci/configure.sh -@@ -35,9 +35,15 @@ if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-6.*- ]]; then - CONFIGURE_ARG_LIST+=( - "--disable-cifs-idmap-plugin" - "--with-syslog=syslog" -+ "--without-python3-bindings" - ) - fi - -+if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-7.*- ]]; then -+ CONFIGURE_ARG_LIST+=( -+ "--without-python3-bindings" -+ ) -+fi - declare -r -a CONFIGURE_ARG_LIST - - fi # _CONFIGURE_SH -diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh -index 0cdb9962987edddf4dd2fff659e3262bbd50b045..4e0ce1e0328927f42b3849d9c39180b4064a9d4b 100644 ---- a/contrib/ci/deps.sh -+++ b/contrib/ci/deps.sh -@@ -92,6 +92,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then - libxml2-utils - make - python-dev -+ python3-dev - samba-dev - systemd - xml-core -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 6235bcf46fed96befbe035c7fe93026955dd0c3e..2d9c9b18c38f78956b516cb70cd42b9c62ccff8e 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -9,6 +9,7 @@ - # Fedora and RHEL 6+ - # we don't want to provide private python extension libs - %define __provides_exclude_from %{python2_sitearch}/.*\.so$ -+%define __provides_exclude_from %{python3_sitearch}/.*\.so$ - - 
%if (0%{?fedora} || 0%{?rhel} >= 7) - %global use_systemd 1 -@@ -44,6 +45,12 @@ - %global with_krb5_localauth_plugin 1 - %endif - -+%if (0%{?fedora}) -+ %global with_python3 1 -+%else -+ %global with_python3_option --without-python3-bindings -+%endif -+ - Name: @PACKAGE_NAME@ - Version: @PACKAGE_VERSION@ - Release: 0@PRERELEASE_VERSION@%{?dist} -@@ -65,7 +72,11 @@ Requires: sssd-ipa = %{version}-%{release} - Requires: sssd-common-pac = %{version}-%{release} - Requires: sssd-ad = %{version}-%{release} - Requires: sssd-proxy = %{version}-%{release} -+%if (0%{?with_python3} == 1) -+Requires: python3-sssdconfig = %{version}-%{release} -+%else - Requires: python-sssdconfig = %{version}-%{release} -+%endif - - %global servicename sssd - %global sssdstatedir %{_localstatedir}/lib/sss -@@ -106,6 +117,9 @@ BuildRequires: krb5-devel - %endif - BuildRequires: c-ares-devel - BuildRequires: python-devel -+%if (0%{?with_python3} == 1) -+BuildRequires: python3-devel -+%endif - BuildRequires: check-devel - BuildRequires: doxygen - BuildRequires: libselinux-devel -@@ -203,8 +217,13 @@ Group: Applications/System - License: GPLv3+ - Requires: sssd-common = %{version}-%{release} - # required by sss_obfuscate -+%if (0%{?with_python3} == 1) -+Requires: python3-sss = %{version}-%{release} -+Requires: python3-sssdconfig = %{version}-%{release} -+%else - Requires: python-sss = %{version}-%{release} - Requires: python-sssdconfig = %{version}-%{release} -+%endif - - %description tools - Provides userspace tools for manipulating users, groups, and nested groups in -@@ -222,29 +241,66 @@ License: GPLv3+ - BuildArch: noarch - - %description -n python-sssdconfig --Provides python files for manipulation SSSD and IPA configuration files. -+Provides python2 files for manipulation SSSD and IPA configuration files. 
-+ -+%if (0%{?with_python3} == 1) -+%package -n python3-sssdconfig -+Summary: SSSD and IPA configuration file manipulation classes and functions -+Group: Applications/System -+License: GPLv3+ -+BuildArch: noarch -+ -+%description -n python3-sssdconfig -+Provides python3 files for manipulation SSSD and IPA configuration files. -+%endif - - %package -n python-sss --Summary: Python bindings for sssd -+Summary: Python2 bindings for sssd - Group: Development/Libraries - License: LGPLv3+ - Requires: sssd-common = %{version}-%{release} - - %description -n python-sss --Provides python module for manipulating users, groups, and nested groups in -+Provides python2 module for manipulating users, groups, and nested groups in - SSSD when using id_provider = local in /etc/sssd/sssd.conf. - --Also provides several other useful python bindings: -+Also provides several other useful python2 bindings: - * function for retrieving list of groups user belongs to. - * class for obfuscation of passwords - -+%if (0%{?with_python3} == 1) -+%package -n python3-sss -+Summary: Python3 bindings for sssd -+Group: Development/Libraries -+License: LGPLv3+ -+Requires: sssd-common = %{version}-%{release} -+ -+%description -n python3-sss -+Provides python3 module for manipulating users, groups, and nested groups in -+SSSD when using id_provider = local in /etc/sssd/sssd.conf. -+ -+Also provides several other useful python3 bindings: -+ * function for retrieving list of groups user belongs to. 
-+ * class for obfuscation of passwords -+%endif -+ - %package -n python-sss-murmur --Summary: Python bindings for murmur hash function -+Summary: Python2 bindings for murmur hash function - Group: Development/Libraries - License: LGPLv3+ - - %description -n python-sss-murmur --Provides python module for calculating the murmur hash version 3 -+Provides python2 module for calculating the murmur hash version 3 -+ -+%if (0%{?with_python3} == 1) -+%package -n python3-sss-murmur -+Summary: Python3 bindings for murmur hash function -+Group: Development/Libraries -+License: LGPLv3+ -+ -+%description -n python3-sss-murmur -+Provides python3 module for calculating the murmur hash version 3 -+%endif - - %package ldap - Summary: The LDAP back end of the SSSD -@@ -371,7 +427,7 @@ Requires: libipa_hbac = %{version}-%{release} - Utility library to validate FreeIPA HBAC rules for authorization requests - - %package -n python-libipa_hbac --Summary: Python bindings for the FreeIPA HBAC Evaluator library -+Summary: Python2 bindings for the FreeIPA HBAC Evaluator library - Group: Development/Libraries - License: LGPLv3+ - Requires: libipa_hbac = %{version}-%{release} -@@ -382,6 +438,18 @@ Obsoletes: libipa_hbac-python < 1.12.90 - The python-libipa_hbac contains the bindings so that libipa_hbac can be - used by Python applications. - -+%if (0%{?with_python3} == 1) -+%package -n python3-libipa_hbac -+Summary: Python3 bindings for the FreeIPA HBAC Evaluator library -+Group: Development/Libraries -+License: LGPLv3+ -+Requires: libipa_hbac = %{version}-%{release} -+ -+%description -n python3-libipa_hbac -+The python3-libipa_hbac contains the bindings so that libipa_hbac can be -+used by Python applications. 
-+%endif -+ - %package -n libsss_nss_idmap - Summary: Library for SID based lookups - Group: Development/Libraries -@@ -402,7 +470,7 @@ Requires: libsss_nss_idmap = %{version}-%{release} - Utility library for SID based lookups - - %package -n python-libsss_nss_idmap --Summary: Python bindings for libsss_nss_idmap -+Summary: Python2 bindings for libsss_nss_idmap - Group: Development/Libraries - License: LGPLv3+ - Requires: libsss_nss_idmap = %{version}-%{release} -@@ -413,6 +481,18 @@ Obsoletes: libsss_nss_idmap-python < 1.12.90 - The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can - be used by Python applications. - -+%if (0%{?with_python3} == 1) -+%package -n python3-libsss_nss_idmap -+Summary: Python3 bindings for libsss_nss_idmap -+Group: Development/Libraries -+License: LGPLv3+ -+Requires: libsss_nss_idmap = %{version}-%{release} -+ -+%description -n python3-libsss_nss_idmap -+The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can -+be used by Python applications. 
-+%endif -+ - %package dbus - Summary: The D-Bus responder of the SSSD - Group: Applications/System -@@ -495,6 +575,7 @@ autoreconf -ivf - %{with_initscript} \ - %{?with_syslog} \ - %{?with_cifs_utils_plugin_option} \ -+ %{?with_python3_option} \ - %{?experimental} - - make %{?_smp_mflags} all -@@ -509,6 +590,10 @@ unset CK_TIMEOUT_MULTIPLIER - %install - rm -rf $RPM_BUILD_ROOT - -+%if (0%{?with_python3} == 1) -+sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate -+%endif -+ - make install DESTDIR=$RPM_BUILD_ROOT - - # Prepare language files -@@ -539,6 +624,13 @@ do - echo %{python2_sitelib}/`basename $file` >> python2_sssdconfig.lang - done - -+%if (0%{?with_python3} == 1) -+for file in `ls $RPM_BUILD_ROOT/%{python3_sitelib}/*.egg-info 2> /dev/null` -+do -+ echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang -+done -+%endif -+ - touch sssd.lang - touch sssd_tools.lang - touch sssd_client.lang -@@ -784,16 +876,38 @@ rm -rf $RPM_BUILD_ROOT - %dir %{python2_sitelib}/SSSDConfig - %{python2_sitelib}/SSSDConfig/*.py* - -+%if (0%{?with_python3} == 1) -+%files -n python3-sssdconfig -f python3_sssdconfig.lang -+%defattr(-,root,root,-) -+%dir %{python3_sitelib}/SSSDConfig -+%{python3_sitelib}/SSSDConfig/*.py* -+%{python3_sitelib}/SSSDConfig/__pycache__/*.py* -+%endif -+ - %files -n python-sss - %defattr(-,root,root,-) - %{python2_sitearch}/pysss.so - %{python2_sitearch}/_py2sss.so - -+%if (0%{?with_python3} == 1) -+%files -n python3-sss -+%defattr(-,root,root,-) -+%{python3_sitearch}/pysss.so -+%{python3_sitearch}/_py3sss.so -+%endif -+ - %files -n python-sss-murmur - %defattr(-,root,root,-) - %{python2_sitearch}/pysss_murmur.so - %{python2_sitearch}/_py2sss_murmur.so - -+%if (0%{?with_python3} == 1) -+%files -n python3-sss-murmur -+%defattr(-,root,root,-) -+%{python3_sitearch}/pysss_murmur.so -+%{python3_sitearch}/_py3sss_murmur.so -+%endif -+ - %files -n libsss_idmap - %defattr(-,root,root,-) - %doc src/sss_client/COPYING 
src/sss_client/COPYING.LESSER -@@ -835,11 +949,25 @@ rm -rf $RPM_BUILD_ROOT - %{python2_sitearch}/pysss_nss_idmap.so - %{python2_sitearch}/_py2sss_nss_idmap.so - -+%if (0%{?with_python3} == 1) -+%files -n python3-libsss_nss_idmap -+%defattr(-,root,root,-) -+%{python3_sitearch}/pysss_nss_idmap.so -+%{python3_sitearch}/_py3sss_nss_idmap.so -+%endif -+ - %files -n python-libipa_hbac - %defattr(-,root,root,-) - %{python2_sitearch}/pyhbac.so - %{python2_sitearch}/_py2hbac.so - -+%if (0%{?with_python3} == 1) -+%files -n python3-libipa_hbac -+%defattr(-,root,root,-) -+%{python3_sitearch}/pyhbac.so -+%{python3_sitearch}/_py3hbac.so -+%endif -+ - %files libwbclient - %defattr(-,root,root,-) - %{_libdir}/%{name}/modules/libwbclient.so.* -diff --git a/src/conf_macros.m4 b/src/conf_macros.m4 -index 48d1e6e7d6d1189c86d626a4509d919143aa6821..86876fab8115c49f38ebef4e3037a8ba36a5b92e 100644 ---- a/src/conf_macros.m4 -+++ b/src/conf_macros.m4 -@@ -383,7 +383,7 @@ AC_DEFUN([WITH_PYTHON3_BINDINGS], - [Whether to build python3 bindings [yes]]) - ], - [], -- [with_python3_bindings=no] -+ [with_python3_bindings=yes] - ) - if test x"$with_python3_bindings" = xyes; then - AC_SUBST([HAVE_PYTHON3_BINDINGS], [1]) -diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c -index 5cc6cae693f09adae12df0d2267e0868ae2f74c0..e808f23e7560241e3fc158d71da2dbdbe1543dfc 100644 ---- a/src/tests/dlopen-tests.c -+++ b/src/tests/dlopen-tests.c -@@ -96,10 +96,16 @@ struct so { - { "libdlopen_test_providers.so", { LIBPFX"libdlopen_test_providers.so", - NULL } }, - #ifdef HAVE_PYTHON_BINDINGS -- { "pyhbac.so", { LIBPFX"pyhbac.so", NULL } }, -- { "pysss.so", { LIBPFX"pysss.so", NULL } }, -- { "pysss_murmur.so", { LIBPFX"pysss_murmur.so", NULL } }, -- { "pysss_nss_idmap.so", { LIBPFX"pysss_nss_idmap.so", NULL } }, -+ { "_py2hbac.so", { LIBPFX"_py2hbac.so", NULL } }, -+ { "_py2sss.so", { LIBPFX"_py2sss.so", NULL } }, -+ { "_py2sss_murmur.so", { LIBPFX"_py2sss_murmur.so", NULL } }, -+ { 
"_py2sss_nss_idmap.so", { LIBPFX"_py2sss_nss_idmap.so", NULL } }, -+#endif -+#ifdef HAVE_PYTHON_BINDINGS -+ { "_py3hbac.so", { LIBPFX"_py3hbac.so", NULL } }, -+ { "_py3sss.so", { LIBPFX"_py3sss.so", NULL } }, -+ { "_py3sss_murmur.so", { LIBPFX"_py3sss_murmur.so", NULL } }, -+ { "_py3sss_nss_idmap.so", { LIBPFX"_py3sss_nss_idmap.so", NULL } }, - #endif - #ifdef HAVE_CONFIG_LIB - { "libsss_config.so", { LIBPFX"libsss_config.so", NULL } }, --- -2.4.3 - diff --git a/0016-ad_opts-Use-different-default-attribute-for-group-na.patch b/0016-ad_opts-Use-different-default-attribute-for-group-na.patch deleted file mode 100644 index 3800f9a..0000000 --- a/0016-ad_opts-Use-different-default-attribute-for-group-na.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From be0fb81d4720c590269d0fc747fcb31f53791bef Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Tue, 7 Apr 2015 09:47:17 +0200 -Subject: [PATCH 16/30] ad_opts: Use different default attribute for group name - -The MSFT docs [1,2] for LDAP attributes says: -samAccountName is mandotory for 'user' and 'group' objectclasses -via the 'Security-Principal' aux-class - -name is part of the 'top' class and *not* mandatory for 'user' or 'group'. - -[1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx -[2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx - -Resolves: -https://fedorahosted.org/sssd/ticket/2593 - -Reviewed-by: Sumit Bose -(cherry picked from commit b83620d6a2aaf988b353969ae12a47a616250f47) ---- - src/providers/ad/ad_opts.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h -index 4c287021c2d901999602621a4fe3b7af9c6b8c35..b03c74612d3141170dac84ab805529184fec5a49 100644 ---- a/src/providers/ad/ad_opts.h -+++ b/src/providers/ad/ad_opts.h -@@ -221,7 +221,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = { - struct sdap_attr_map ad_2008r2_group_map[] = { - { "ldap_group_object_class", "group", SYSDB_GROUP_CLASS, NULL }, - { "ldap_group_object_class_alt", NULL, SYSDB_GROUP_CLASS, NULL }, -- { "ldap_group_name", "name", SYSDB_NAME, NULL }, -+ { "ldap_group_name", "sAMAccountName", SYSDB_NAME, NULL }, - { "ldap_group_pwd", NULL, SYSDB_PWD, NULL }, - { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, - { "ldap_group_member", "member", SYSDB_MEMBER, NULL }, --- -2.4.3 - diff --git a/0017-Add-leak-check-and-command-line-option-to-test_autht.patch b/0017-Add-leak-check-and-command-line-option-to-test_autht.patch deleted file mode 100644 index c4adacc..0000000 --- a/0017-Add-leak-check-and-command-line-option-to-test_autht.patch +++ /dev/null 
@@ -1,207 +0,0 @@ -From 0e5aa8439679a86c55694a49a3f123cba9a3c9e4 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 12 Feb 2015 21:53:15 +0100 -Subject: [PATCH 17/30] Add leak check and command line option to test_authtok -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit 80b5dbe123ec94c5a8fcb99f9a4953c1513deb58) ---- - Makefile.am | 3 ++ - src/tests/cmocka/test_authtok.c | 67 +++++++++++++++++++++++++++++++++++------ - 2 files changed, 60 insertions(+), 10 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index 7aa44d7dfc3a01334d6d4e68c96095df66dee324..46c42171ab89a5c570858b85d9c3e5a7ef2ba0ce 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -1864,11 +1864,14 @@ test_authtok_SOURCES = \ - test_authtok_CFLAGS = \ - $(AM_CFLAGS) \ - $(TALLOC_CFLAGS) \ -+ $(POPT_CFLAGS) \ - $(DHASH_CFLAGS) - test_authtok_LDADD = \ - $(TALLOC_LIBS) \ - $(CMOCKA_LIBS) \ - $(DHASH_LIBS) \ -+ $(POPT_LIBS) \ -+ libsss_test_common.la \ - libsss_debug.la - - sss_nss_idmap_tests_SOURCES = \ -diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c -index e37e92f68373d564f53b1267f078ea89c31ae051..0c7b7197fb2c03d69dc4df2310229ea100ad28d4 100644 ---- a/src/tests/cmocka/test_authtok.c -+++ b/src/tests/cmocka/test_authtok.c -@@ -22,11 +22,10 @@ - along with this program. If not, see . 
- */ - --#include --#include --#include --#include - #include -+#include -+ -+#include "tests/cmocka/common_mock.h" - - #include "util/authtok.h" - -@@ -39,12 +38,15 @@ static int setup(void **state) - { - struct test_state *ts = NULL; - -- ts = talloc(NULL, struct test_state); -+ assert_true(leak_check_setup()); -+ -+ ts = talloc(global_talloc_context, struct test_state); - assert_non_null(ts); - - ts->authtoken = sss_authtok_new(ts); - assert_non_null(ts->authtoken); - -+ check_leaks_push(ts); - *state = (void *)ts; - return 0; - } -@@ -52,7 +54,12 @@ static int setup(void **state) - static int teardown(void **state) - { - struct test_state *ts = talloc_get_type_abort(*state, struct test_state); -+ -+ assert_non_null(ts); -+ -+ assert_true(check_leaks_pop(ts) == true); - talloc_free(ts); -+ assert_true(leak_check_teardown()); - return 0; - } - -@@ -85,7 +92,7 @@ static void test_sss_authtok_password(void **state) - { - size_t len; - errno_t ret; -- const char *data; -+ char *data; - size_t ret_len; - const char *pwd; - struct test_state *ts; -@@ -117,6 +124,9 @@ static void test_sss_authtok_password(void **state) - assert_int_equal(ret, EOK); - assert_string_equal(data, pwd); - assert_int_equal(len - 1, ret_len); -+ -+ talloc_free(data); -+ sss_authtok_set_empty(ts->authtoken); - } - - /* Test when type has value SSS_AUTHTOK_TYPE_CCFILE */ -@@ -124,7 +134,7 @@ static void test_sss_authtok_ccfile(void **state) - { - size_t len; - errno_t ret; -- const char *data; -+ char *data; - size_t ret_len; - const char *pwd; - struct test_state *ts; -@@ -172,6 +182,9 @@ static void test_sss_authtok_ccfile(void **state) - assert_int_equal(ret, EOK); - assert_string_equal(data, pwd); - assert_int_equal(len - 1, ret_len); -+ -+ talloc_free(data); -+ sss_authtok_set_empty(ts->authtoken); - } - - /* Test when type has value SSS_AUTHTOK_TYPE_EMPTY */ -@@ -226,7 +239,7 @@ static void test_sss_authtok_wipe_password(void **state) - { - size_t len; - errno_t ret; -- const char *data; 
-+ char *data; - size_t ret_len; - const char *pwd; - struct test_state *ts; -@@ -249,13 +262,16 @@ static void test_sss_authtok_wipe_password(void **state) - assert_int_equal(ret, EOK); - assert_string_equal(pwd, ""); - assert_int_equal(len - 1, ret_len); -+ -+ sss_authtok_set_empty(ts->authtoken); -+ talloc_free(data); - } - - static void test_sss_authtok_copy(void **state) - { - size_t len; - errno_t ret; -- const char *data; -+ char *data; - struct test_state *ts; - enum sss_authtok_type type; - struct sss_auth_token *dest_authtoken; -@@ -276,6 +292,7 @@ static void test_sss_authtok_copy(void **state) - assert_int_equal(EOK, sss_authtok_copy(ts->authtoken, dest_authtoken)); - assert_int_equal(type, sss_authtok_get_type(dest_authtoken)); - -+ sss_authtok_set_empty(dest_authtoken); - type = SSS_AUTHTOK_TYPE_PASSWORD; - ret = sss_authtok_set(ts->authtoken, type, (const uint8_t *)data, len); - -@@ -287,10 +304,23 @@ static void test_sss_authtok_copy(void **state) - assert_int_equal(type, sss_authtok_get_type(dest_authtoken)); - assert_string_equal(data, sss_authtok_get_data(dest_authtoken)); - assert_int_equal(len, sss_authtok_get_size(dest_authtoken)); -+ -+ sss_authtok_set_empty(dest_authtoken); -+ talloc_free(dest_authtoken); -+ sss_authtok_set_empty(ts->authtoken); -+ talloc_free(data); - } - --int main(void) -+int main(int argc, const char *argv[]) - { -+ poptContext pc; -+ int opt; -+ struct poptOption long_options[] = { -+ POPT_AUTOHELP -+ SSSD_DEBUG_OPTS -+ POPT_TABLEEND -+ }; -+ - const struct CMUnitTest tests[] = { - cmocka_unit_test_setup_teardown(test_sss_authtok_new, - setup, teardown), -@@ -306,5 +336,22 @@ int main(void) - setup, teardown) - }; - -+ /* Set debug level to invalid value so we can deside if -d 0 was used. 
*/ -+ debug_level = SSSDBG_INVALID; -+ -+ pc = poptGetContext(argv[0], argc, argv, long_options, 0); -+ while((opt = poptGetNextOpt(pc)) != -1) { -+ switch(opt) { -+ default: -+ fprintf(stderr, "\nInvalid option %s: %s\n\n", -+ poptBadOption(pc, 0), poptStrerror(opt)); -+ poptPrintUsage(pc, stderr, 0); -+ return 1; -+ } -+ } -+ poptFreeContext(pc); -+ -+ DEBUG_CLI_INIT(debug_level); -+ - return cmocka_run_group_tests(tests, NULL, NULL); - } --- -2.4.3 - diff --git a/0018-utils-add-sss_authtok_-gs-et_2fa.patch b/0018-utils-add-sss_authtok_-gs-et_2fa.patch deleted file mode 100644 index ae20ceb..0000000 --- a/0018-utils-add-sss_authtok_-gs-et_2fa.patch +++ /dev/null 
@@ -1,765 +0,0 @@ -From 4b0dc81aacba3317ccf6e79ce69e4331e74c3d1f Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 7 Jan 2015 18:11:16 +0100 -Subject: [PATCH 18/30] utils: add sss_authtok_[gs]et_2fa -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit bc052ea17d858c19f9cb9c9e2bc602e754f68831) ---- - Makefile.am | 5 ++ - src/sss_client/pam_sss.c | 1 + - src/sss_client/sss_cli.h | 3 + - src/tests/cmocka/test_authtok.c | 189 +++++++++++++++++++++++++++++++++++++++- - src/util/authtok-utils.c | 74 ++++++++++++++++ - src/util/authtok-utils.h | 70 +++++++++++++++ - src/util/authtok.c | 181 ++++++++++++++++++++++++++++++++++++++ - src/util/authtok.h | 44 ++++++++++ - 8 files changed, 564 insertions(+), 3 deletions(-) - create mode 100644 src/util/authtok-utils.c - create mode 100644 src/util/authtok-utils.h - -diff --git a/Makefile.am b/Makefile.am -index 46c42171ab89a5c570858b85d9c3e5a7ef2ba0ce..d3fea94b206a538b86a0fb119ed186947fa8d8e6 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -519,6 +519,7 @@ dist_noinst_HEADERS = \ - src/util/atomic_io.h \ - src/util/auth_utils.h \ - src/util/authtok.h \ -+ src/util/authtok-utils.h \ - src/util/util_safealign.h \ - src/util/util_sss_idmap.h \ - src/monitor/monitor.h \ -@@ -752,6 +753,7 @@ libsss_util_la_SOURCES = \ - src/util/murmurhash3.c \ - src/util/atomic_io.c \ - src/util/authtok.c \ -+ src/util/authtok-utils.c \ - src/util/sss_selinux.c \ - src/util/domain_info_utils.c \ - src/util/util_lock.c \ -@@ -1860,6 +1862,7 @@ test_negcache_LDADD = \ - test_authtok_SOURCES = \ - src/tests/cmocka/test_authtok.c \ - src/util/authtok.c \ -+ src/util/authtok-utils.c \ - src/util/util.c - test_authtok_CFLAGS = \ - $(AM_CFLAGS) \ -@@ -2711,6 +2714,7 @@ krb5_child_SOURCES = \ - src/util/find_uid.c \ - src/util/atomic_io.c \ - src/util/authtok.c \ -+ src/util/authtok-utils.c \ - src/util/util.c \ - src/util/signal.c \ - 
src/util/strtonum.c \ -@@ -2742,6 +2746,7 @@ ldap_child_SOURCES = \ - src/util/sss_krb5.c \ - src/util/atomic_io.c \ - src/util/authtok.c \ -+ src/util/authtok-utils.c \ - src/util/util.c \ - src/util/signal.c \ - src/util/become_user.c \ -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 28a36d5af95297b394a74f39d6614f48831bb901..4007d125e34932dfb5ac6bc840f4d25306e3008f 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -41,6 +41,7 @@ - - #include "sss_cli.h" - #include "util/atomic_io.h" -+#include "util/authtok-utils.h" - - #include - #define _(STRING) dgettext (PACKAGE, STRING) -diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h -index d508a0671cd1b3ee087e0967f7015628ceabe20f..9a19d7d47d0a9d7dabeac36dc2c866c3420ef501 100644 ---- a/src/sss_client/sss_cli.h -+++ b/src/sss_client/sss_cli.h -@@ -301,6 +301,9 @@ enum sss_authtok_type { - * a Kerberos credential cache file, - * it may or may no contain - * a trailing \\0 */ -+ SSS_AUTHTOK_TYPE_2FA = 0x0003, /**< Authentication token has two -+ * factors, they may or may no contain -+ * a trailing \\0 */ - }; - - /** -diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c -index 0c7b7197fb2c03d69dc4df2310229ea100ad28d4..5aa47c7b6b8c955666a9c73d5f9627d6378d13e0 100644 ---- a/src/tests/cmocka/test_authtok.c -+++ b/src/tests/cmocka/test_authtok.c -@@ -57,7 +57,7 @@ static int teardown(void **state) - - assert_non_null(ts); - -- assert_true(check_leaks_pop(ts) == true); -+ assert_true(check_leaks_pop(ts)); - talloc_free(ts); - assert_true(leak_check_teardown()); - return 0; -@@ -118,8 +118,8 @@ static void test_sss_authtok_password(void **state) - assert_int_equal(len - 1, ret_len); - - ret = sss_authtok_set_password(ts->authtoken, data, len); -- - assert_int_equal(ret, EOK); -+ - ret = sss_authtok_get_password(ts->authtoken, &pwd, &ret_len); - assert_int_equal(ret, EOK); - assert_string_equal(data, pwd); -@@ -311,6 +311,183 @@ static void 
test_sss_authtok_copy(void **state) - talloc_free(data); - } - -+void test_sss_authtok_2fa(void **state) -+{ -+ int ret; -+ const char *fa1; -+ size_t fa1_size; -+ const char *fa2; -+ size_t fa2_size; -+ struct test_state *ts; -+ -+ ts = talloc_get_type_abort(*state, struct test_state); -+ -+ ret = sss_authtok_set_2fa(NULL, "a", 0, "b", 0); -+ assert_int_equal(ret, EINVAL); -+ -+ /* Test missing first factor */ -+ ret = sss_authtok_set_2fa(ts->authtoken, NULL, 1, "b", 1); -+ assert_int_equal(ret, EINVAL); -+ /* Test missing second factor */ -+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, NULL, 1); -+ assert_int_equal(ret, EINVAL); -+ /* Test wrong first factor length */ -+ ret = sss_authtok_set_2fa(ts->authtoken, "ab", 1, "b", 1); -+ assert_int_equal(ret, EINVAL); -+ /* Test wrong second factor length */ -+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, "bc", 1); -+ assert_int_equal(ret, EINVAL); -+ -+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, "bc", 2); -+ assert_int_equal(ret, EOK); -+ assert_int_equal(sss_authtok_get_size(ts->authtoken), -+ 2 * sizeof(uint32_t) + 5); -+ assert_int_equal(sss_authtok_get_type(ts->authtoken), SSS_AUTHTOK_TYPE_2FA); -+#if __BYTE_ORDER == __LITTLE_ENDIAN -+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), -+ "\2\0\0\0\3\0\0\0a\0bc\0", -+ 2 * sizeof(uint32_t) + 5); -+#else -+ assert_memory_equal(sss_authtok_get_data(ts->authtoken), -+ "\0\0\0\2\0\0\0\3a\0bc\0", -+ 2 * sizeof(uint32_t) + 5); -+#endif -+ -+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size); -+ assert_int_equal(ret, EOK); -+ assert_int_equal(fa1_size, 1); -+ assert_string_equal(fa1, "a"); -+ assert_int_equal(fa2_size, 2); -+ assert_string_equal(fa2, "bc"); -+ -+ sss_authtok_set_empty(ts->authtoken); -+ -+ /* check return code of empty token */ -+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size); -+ assert_int_equal(ret, ENOENT); -+ -+ /* check return code for other token type */ -+ ret = 
sss_authtok_set_password(ts->authtoken, "abc", 0); -+ assert_int_equal(ret, EOK); -+ -+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size); -+ assert_int_equal(ret, EACCES); -+ -+ sss_authtok_set_empty(ts->authtoken); -+ -+ /* check return code for garbage */ -+ ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_2FA, -+ (const uint8_t *) "1111222233334444", 16); -+ assert_int_equal(ret, EINVAL); -+ -+ sss_authtok_set_empty(ts->authtoken); -+} -+ -+void test_sss_authtok_2fa_blobs(void **state) -+{ -+ int ret; -+ struct test_state *ts; -+ size_t needed_size; -+ uint8_t *buf; -+ char *fa1; -+ size_t fa1_len; -+ char *fa2; -+ size_t fa2_len; -+ -+ ts = talloc_get_type_abort(*state, struct test_state); -+ -+ ret = sss_auth_pack_2fa_blob(NULL, 0, "defg", 0, NULL, 0, &needed_size); -+ assert_int_equal(ret, EINVAL); -+ -+ ret = sss_auth_pack_2fa_blob("abc", 0, NULL, 0, NULL, 0, &needed_size); -+ assert_int_equal(ret, EINVAL); -+ -+ ret = sss_auth_pack_2fa_blob("", 0, "defg", 0, NULL, 0, &needed_size); -+ assert_int_equal(ret, EINVAL); -+ -+ ret = sss_auth_pack_2fa_blob("abc", 0, "", 0, NULL, 0, &needed_size); -+ assert_int_equal(ret, EINVAL); -+ -+ ret = sss_auth_pack_2fa_blob("abc", 0, "defg", 0, NULL, 0, &needed_size); -+ assert_int_equal(ret, EAGAIN); -+ -+ buf = talloc_size(ts, needed_size); -+ assert_non_null(buf); -+ -+ ret = sss_auth_pack_2fa_blob("abc", 0, "defg", 0, buf, needed_size, -+ &needed_size); -+ assert_int_equal(ret, EOK); -+ -+#if __BYTE_ORDER == __LITTLE_ENDIAN -+ assert_memory_equal(buf, "\4\0\0\0\5\0\0\0abc\0defg\0", needed_size); -+#else -+ assert_memory_equal(buf, "\0\0\0\4\0\0\0\5abc\0defg\0", needed_size); -+#endif -+ -+ ret = sss_auth_unpack_2fa_blob(ts, buf, needed_size, &fa1, &fa1_len, &fa2, -+ &fa2_len); -+ assert_int_equal(ret, EOK); -+ assert_int_equal(fa1_len, 3); -+ assert_string_equal(fa1, "abc"); -+ assert_int_equal(fa2_len, 4); -+ assert_string_equal(fa2, "defg"); -+ -+ talloc_free(buf); -+ talloc_free(fa1); 
-+ talloc_free(fa2); -+} -+ -+#define MISSING_NULL_CHECK do { \ -+ assert_int_equal(ret, EOK); \ -+ assert_int_equal(fa1_len, 3); \ -+ assert_string_equal(fa1, "abc"); \ -+ assert_int_equal(fa2_len, 4); \ -+ assert_string_equal(fa2, "defg"); \ -+ \ -+ talloc_free(fa1); \ -+ talloc_free(fa2); \ -+} while (0) -+ -+void test_sss_authtok_2fa_blobs_missing_null(void **state) -+{ -+ int ret; -+ struct test_state *ts; -+ char *fa1; -+ size_t fa1_len; -+ char *fa2; -+ size_t fa2_len; -+#if __BYTE_ORDER == __LITTLE_ENDIAN -+ uint8_t b0[] = {0x04, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g', 0x00}; -+ uint8_t b1[] = {0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x00}; -+ uint8_t b2[] = {0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g'}; -+ uint8_t b3[] = {0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g'}; -+#else -+ uint8_t b0[] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g', 0x00}; -+ uint8_t b1[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x00}; -+ uint8_t b2[] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g'}; -+ uint8_t b3[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 'd', 'e', 'f', 'g'}; -+#endif -+ -+ -+ ts = talloc_get_type_abort(*state, struct test_state); -+ -+ ret = sss_auth_unpack_2fa_blob(ts, b0, sizeof(b0), &fa1, &fa1_len, &fa2, -+ &fa2_len); -+ MISSING_NULL_CHECK; -+ -+ ret = sss_auth_unpack_2fa_blob(ts, b1, sizeof(b1), &fa1, &fa1_len, &fa2, -+ &fa2_len); -+ MISSING_NULL_CHECK; -+ -+ ret = sss_auth_unpack_2fa_blob(ts, b2, sizeof(b2), &fa1, &fa1_len, &fa2, -+ &fa2_len); -+ MISSING_NULL_CHECK; -+ -+ ret = sss_auth_unpack_2fa_blob(ts, b3, sizeof(b3), &fa1, &fa1_len, &fa2, -+ &fa2_len); -+ MISSING_NULL_CHECK; -+} -+ - int main(int argc, const char *argv[]) - { - 
poptContext pc; -@@ -333,7 +510,13 @@ int main(int argc, const char *argv[]) - cmocka_unit_test_setup_teardown(test_sss_authtok_wipe_password, - setup, teardown), - cmocka_unit_test_setup_teardown(test_sss_authtok_copy, -- setup, teardown) -+ setup, teardown), -+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa, -+ setup, teardown), -+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs, -+ setup, teardown), -+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs_missing_null, -+ setup, teardown), - }; - - /* Set debug level to invalid value so we can deside if -d 0 was used. */ -diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c -new file mode 100644 -index 0000000000000000000000000000000000000000..65fba9022db11786c0c7e4dcab6fec89c9e0cb19 ---- /dev/null -+++ b/src/util/authtok-utils.c -@@ -0,0 +1,74 @@ -+/* -+ SSSD - auth utils helpers -+ -+ Copyright (C) Sumit Bose 2015 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+/* This file is use by SSSD clients and the main daemons. Please do not add -+ * code which is specific to only one of them. 
*/
-+
-+#include
-+
-+#include "sss_client/sss_cli.h"
-+
-+errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len,
-+ const char *fa2, size_t fa2_len,
-+ uint8_t *buf, size_t buf_len,
-+ size_t *_2fa_blob_len)
-+{
-+ size_t c;
-+ uint32_t tmp_uint32_t;
-+
-+ if (fa1 == NULL || *fa1 == '\0' || fa1_len > UINT32_MAX
-+ || fa2 == NULL || *fa2 == '\0' || fa2_len > UINT32_MAX
-+ || (buf == NULL && buf_len != 0)) {
-+ return EINVAL;
-+ }
-+
-+ if (fa1_len == 0) {
-+ fa1_len = strlen(fa1);
-+ } else {
-+ if (fa1[fa1_len] != '\0') {
-+ return EINVAL;
-+ }
-+ }
-+
-+ if (fa2_len == 0) {
-+ fa2_len = strlen(fa2);
-+ } else {
-+ if (fa2[fa2_len] != '\0') {
-+ return EINVAL;
-+ }
-+ }
-+
-+ *_2fa_blob_len = fa1_len + fa2_len + 2 + 2 * sizeof(uint32_t);
-+ if (buf == NULL || buf_len < *_2fa_blob_len) {
-+ return EAGAIN;
-+ }
-+
-+ c = 0;
-+ tmp_uint32_t = (uint32_t) fa1_len + 1;
-+ SAFEALIGN_COPY_UINT32(buf, &tmp_uint32_t, &c);
-+ tmp_uint32_t = (uint32_t) fa2_len + 1;
-+ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c);
-+
-+ memcpy(buf + c, fa1, fa1_len + 1);
-+ c += fa1_len + 1;
-+
-+ memcpy(buf + c, fa2, fa2_len + 1);
-+
-+ return 0;
-+}
-diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h
-new file mode 100644
-index 0000000000000000000000000000000000000000..07aef3c18395d6e967289f6e345f27e9ee868da2
---- /dev/null
-+++ b/src/util/authtok-utils.h
-@@ -0,0 +1,70 @@
-+/*
-+ SSSD - auth utils helpers
-+
-+ Copyright (C) Sumit Bose 2015
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details. 
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see .
-+*/
-+
-+#ifndef __AUTHTOK_UTILS_H__
-+#define __AUTHTOK_UTILS_H__
-+
-+#include
-+
-+#include "sss_client/sss_cli.h"
-+
-+/**
-+ * @brief Fill memory buffer with 2FA blob
-+ *
-+ * @param[in] fa1 First authentication factor, null terminated
-+ * @param[in] fa1_len Length of the first authentication factor, if 0
-+ * strlen() will be called internally
-+ * @param[in] fa2 Second authentication factor, null terminated
-+ * @param[in] fa2_len Length of the second authentication factor, if 0
-+ * strlen() will be called internally
-+ * @param[in] buf memory buffer of size buf_len
-+ * @param[in] buf_len size of memory buffer buf
-+ *
-+ * @param[out] _2fa_blob_len size of the 2FA blob
-+ *
-+ * @return EOK on success
-+ * EINVAL if input data is not consistent
-+ * EAGAIN if provided buffer is too small, _2fa_blob_len
-+ * contains the size needed to store the 2FA blob
-+ */
-+errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len,
-+ const char *fa2, size_t fa2_len,
-+ uint8_t *buf, size_t buf_len,
-+ size_t *_2fa_blob_len);
-+
-+/**
-+ * @brief Extract 2FA data from memory buffer
-+ *
-+ * @param[in] mem_ctx Talloc memory context to allocate the 2FA data on
-+ * @param[in] blob Memory buffer containing the 2FA data
-+ * @param[in] blob_len Size of the memory buffer
-+ * @param[out] _fa1 First authentication factor, null terminated
-+ * @param[out] _fa1_len Length of the first authentication factor
-+ * @param[out] _fa2 Second authentication factor, null terminated
-+ * @param[out] _fa2_len Length of the second authentication factor
-+ *
-+ * @return EOK on success
-+ * EINVAL if input data is not consistent
-+ * EINVAL if no memory can be allocated
-+ */
-+errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx,
-+ const uint8_t *blob, size_t blob_len,
-+ char **fa1, size_t *_fa1_len,
-+ char **fa2, size_t *_fa2_len);
-+#endif /* __AUTHTOK_UTILS_H__ 
*/
-diff --git a/src/util/authtok.c b/src/util/authtok.c
-index b7bc17ed0cdc5cfee7f455b0d7047803e628274a..45761df80175fded8a6c6e5dac8a90180b11d225 100644
---- a/src/util/authtok.c
-+++ b/src/util/authtok.c
-@@ -38,6 +38,7 @@ size_t sss_authtok_get_size(struct sss_auth_token *tok)
- switch (tok->type) {
- case SSS_AUTHTOK_TYPE_PASSWORD:
- case SSS_AUTHTOK_TYPE_CCFILE:
-+ case SSS_AUTHTOK_TYPE_2FA:
- return tok->length;
- case SSS_AUTHTOK_TYPE_EMPTY:
- return 0;
-@@ -70,6 +71,7 @@ errno_t sss_authtok_get_password(struct sss_auth_token *tok,
- }
- return EOK;
- case SSS_AUTHTOK_TYPE_CCFILE:
-+ case SSS_AUTHTOK_TYPE_2FA:
- return EACCES;
- }
-
-@@ -92,6 +94,7 @@ errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok,
- }
- return EOK;
- case SSS_AUTHTOK_TYPE_PASSWORD:
-+ case SSS_AUTHTOK_TYPE_2FA:
- return EACCES;
- }
-
-@@ -140,6 +143,7 @@ void sss_authtok_set_empty(struct sss_auth_token *tok)
- case SSS_AUTHTOK_TYPE_EMPTY:
- return;
- case SSS_AUTHTOK_TYPE_PASSWORD:
-+ case SSS_AUTHTOK_TYPE_2FA:
- safezero(tok->data, tok->length);
- break;
- case SSS_AUTHTOK_TYPE_CCFILE:
-@@ -169,6 +173,9 @@ errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok,
- "ccfile", ccfile, len);
- }
-
-+static errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok,
-+ const uint8_t *data, size_t len);
-+
- errno_t sss_authtok_set(struct sss_auth_token *tok,
- enum sss_authtok_type type,
- const uint8_t *data, size_t len)
-@@ -178,6 +185,8 @@ errno_t sss_authtok_set(struct sss_auth_token *tok,
- return sss_authtok_set_password(tok, (const char *)data, len);
- case SSS_AUTHTOK_TYPE_CCFILE:
- return sss_authtok_set_ccfile(tok, (const char *)data, len);
-+ case SSS_AUTHTOK_TYPE_2FA:
-+ return sss_authtok_set_2fa_from_blob(tok, data, len);
- case SSS_AUTHTOK_TYPE_EMPTY:
- sss_authtok_set_empty(tok);
- return EOK;
-@@ -230,3 +239,175 @@ void sss_authtok_wipe_password(struct sss_auth_token *tok)
- safezero(tok->data, tok->length);
- }
-
-+errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX 
*mem_ctx,
-+ const uint8_t *blob, size_t blob_len,
-+ char **fa1, size_t *_fa1_len,
-+ char **fa2, size_t *_fa2_len)
-+{
-+ size_t c;
-+ uint32_t fa1_len;
-+ uint32_t fa2_len;
-+
-+ if (blob_len < 2 * sizeof(uint32_t)) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n");
-+ return EINVAL;
-+ }
-+
-+ c = 0;
-+ SAFEALIGN_COPY_UINT32(&fa1_len, blob, &c);
-+ SAFEALIGN_COPY_UINT32(&fa2_len, blob + c, &c);
-+
-+ if (blob_len != 2 * sizeof(uint32_t) + fa1_len + fa2_len) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
-+ return EINVAL;
-+ }
-+
-+ if (fa1_len != 0) {
-+ *fa1 = talloc_strndup(mem_ctx, (const char *) blob + c, fa1_len);
-+ if (*fa1 == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
-+ return ENOMEM;
-+ }
-+ } else {
-+ *fa1 = NULL;
-+ }
-+
-+ if (fa2_len != 0) {
-+ *fa2 = talloc_strndup(mem_ctx, (const char *) blob + c + fa1_len,
-+ fa2_len);
-+ if (*fa2 == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
-+ talloc_free(*fa1);
-+ return ENOMEM;
-+ }
-+ } else {
-+ *fa2 = NULL;
-+ }
-+
-+ /* Re-calculate length for the case where \0 was missing in the blob */
-+ *_fa1_len = (*fa1 == NULL) ? 0 : strlen(*fa1);
-+ *_fa2_len = (*fa2 == NULL) ? 
0 : strlen(*fa2);
-+
-+ return EOK;
-+}
-+
-+static errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok,
-+ const uint8_t *data, size_t len)
-+{
-+ TALLOC_CTX *tmp_ctx;
-+ int ret;
-+ char *fa1;
-+ size_t fa1_len;
-+ char *fa2;
-+ size_t fa2_len;
-+
-+ tmp_ctx = talloc_new(NULL);
-+ if (tmp_ctx == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ ret = sss_auth_unpack_2fa_blob(tmp_ctx, data, len, &fa1, &fa1_len,
-+ &fa2, &fa2_len);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_2fa_blob failed.\n");
-+ goto done;
-+ }
-+
-+ ret = sss_authtok_set_2fa(tok, fa1, fa1_len, fa2, fa2_len);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_set_2fa failed.\n");
-+ goto done;
-+ }
-+
-+ ret = EOK;
-+done:
-+ talloc_free(tmp_ctx);
-+
-+ if (ret != EOK) {
-+ sss_authtok_set_empty(tok);
-+ }
-+
-+ return ret;
-+}
-+
-+errno_t sss_authtok_get_2fa(struct sss_auth_token *tok,
-+ const char **fa1, size_t *fa1_len,
-+ const char **fa2, size_t *fa2_len)
-+{
-+ size_t c;
-+ uint32_t tmp_uint32_t;
-+
-+ if (tok->type != SSS_AUTHTOK_TYPE_2FA) {
-+ return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? 
ENOENT : EACCES;
-+ }
-+
-+ if (tok->length < 2 * sizeof(uint32_t)) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n");
-+ return EINVAL;
-+ }
-+
-+ c = 0;
-+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data, &c);
-+ *fa1_len = tmp_uint32_t - 1;
-+ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c);
-+ *fa2_len = tmp_uint32_t - 1;
-+
-+ if (*fa1_len == 0 || *fa2_len == 0
-+ || tok->length != 2 * sizeof(uint32_t) + *fa1_len + *fa2_len + 2) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n");
-+ return EINVAL;
-+ }
-+
-+ if (tok->data[c + *fa1_len] != '\0'
-+ || tok->data[c + *fa1_len + 1 + *fa2_len] != '\0') {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing terminating null character.\n");
-+ return EINVAL;
-+ }
-+
-+ *fa1 = (const char *) tok->data + c;
-+ *fa2 = (const char *) tok->data + c + *fa1_len + 1;
-+
-+ return EOK;
-+}
-+
-+errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
-+ const char *fa1, size_t fa1_len,
-+ const char *fa2, size_t fa2_len)
-+{
-+ int ret;
-+ size_t needed_size;
-+
-+ if (tok == NULL) {
-+ return EINVAL;
-+ }
-+
-+ sss_authtok_set_empty(tok);
-+
-+ ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, NULL, 0,
-+ &needed_size);
-+ if (ret != EAGAIN) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "sss_auth_pack_2fa_blob unexpectedly returned [%d].\n", ret);
-+ return EINVAL;
-+ }
-+
-+ tok->data = talloc_size(tok, needed_size);
-+ if (tok->data == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
-+ return ENOMEM;
-+ }
-+
-+ ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, tok->data,
-+ needed_size, &needed_size);
-+ if (ret != EOK) {
-+ talloc_free(tok->data);
-+ DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_2fa_blob failed.\n");
-+ return ret;
-+ }
-+ tok->length = needed_size;
-+ tok->type = SSS_AUTHTOK_TYPE_2FA;
-+
-+ return EOK;
-+}
-diff --git a/src/util/authtok.h b/src/util/authtok.h
-index 1f6def4c3b6a1cbf6c4f34bb76c496ddae6f9d5f..cb366270832852281a222018f8e27feb1500ff01 100644
---- a/src/util/authtok.h
-+++ 
b/src/util/authtok.h
-@@ -21,6 +21,7 @@
- #define __AUTHTOK_H__
-
- #include "util/util.h"
-+#include "util/authtok-utils.h"
- #include "sss_client/sss_cli.h"
-
- /* Use sss_authtok_* accesor functions instead of struct sss_auth_token
-@@ -179,4 +180,47 @@ void sss_authtok_wipe_password(struct sss_auth_token *tok);
- */
- struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx);
-
-+/**
-+ * @brief Set authtoken with 2FA data
-+ *
-+ * @param tok A pointer to a sss_auth_token structure to change, also
-+ * used as a memory context to allocate the internal data.
-+ * @param[in] fa1 First authentication factor, null terminated
-+ * @param[in] fa1_len Length of the first authentication factor, if 0
-+ * strlen() will be called internally
-+ * @param[in] fa2 Second authentication factor, null terminated
-+ * @param[in] fa2_len Length of the second authentication factor, if 0
-+ * strlen() will be called internally
-+ *
-+ * @return EOK on success
-+ * ENOMEM if memory allocation failed
-+ * EINVAL if input data is not consistent
-+ */
-+errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
-+ const char *fa1, size_t fa1_len,
-+ const char *fa2, size_t fa2_len);
-+
-+/**
-+ * @brief Get 2FA factors from authtoken
-+ *
-+ * @param tok A pointer to a sss_auth_token structure to change, also
-+ * used as a memory context to allocate the internal data. 
-+ * @param[out] fa1 A pointer to a const char *, that will point to a
-+ * null terminated string holding the first
-+ * authentication factor, may not be modified or freed
-+ * @param[out] fa1_len Length of the first authentication factor
-+ * @param[out] fa2 A pointer to a const char *, that will point to a
-+ * null terminated string holding the second
-+ * authentication factor, may not be modified or freed
-+ * @param[out] fa2_len Length of the second authentication factor
-+ *
-+ * @return EOK on success
-+ * ENOMEM if memory allocation failed
-+ * EINVAL if input data is not consistent
-+ * ENOENT if the token is empty
-+ * EACCESS if the token is not a 2FA token
-+ */
-+errno_t sss_authtok_get_2fa(struct sss_auth_token *tok,
-+ const char **fa1, size_t *fa1_len,
-+ const char **fa2, size_t *fa2_len);
- #endif /* __AUTHTOK_H__ */
---
-2.4.3
-
diff --git a/0019-pam-handle-2FA-authentication-token-in-the-responder.patch b/0019-pam-handle-2FA-authentication-token-in-the-responder.patch
deleted file mode 100644
index 39b7d84..0000000
--- a/0019-pam-handle-2FA-authentication-token-in-the-responder.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 2860a08f325cd0d190f6ca02423b77ff8a4808f4 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 8 Jan 2015 17:10:42 +0100
-Subject: [PATCH 19/30] pam: handle 2FA authentication token in the responder
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Lukáš Slebodník
-(cherry picked from commit ea98a7af0584d7667b6c07c19a4b22942c94ca5d)
----
- src/responder/pam/pamsrv_cmd.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index 0b54402729e77f22391c6bd17fd8c937ddea3592..2ca5aa789ab98aea9005b891be1a36ea91ab40f4 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -143,6 +143,10 @@ static int extract_authtok_v2(struct sss_auth_token *tok,
- auth_token_length);
- }
- break;
-+ case SSS_AUTHTOK_TYPE_2FA:
-+ ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA,
-+ auth_token_data, auth_token_length);
-+ break;
- default:
- return EINVAL;
- }
---
-2.4.3
-
diff --git a/0020-Add-pre-auth-request.patch b/0020-Add-pre-auth-request.patch
deleted file mode 100644
index 922fe9c..0000000
--- a/0020-Add-pre-auth-request.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From 81f4c515c85e6cb389a26a8cb10d8b2b8f6ee470 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 24 Mar 2015 17:24:50 +0100
-Subject: [PATCH 20/30] Add pre-auth request
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Lukáš Slebodník
-(cherry picked from commit fb045f6e5a9a7f8936ad6f89c28862dcd035a4fe)
----
- src/providers/data_provider_be.c | 1 +
- src/providers/dp_pam_data_util.c | 2 ++
- src/providers/ipa/ipa_auth.c | 1 +
- src/providers/krb5/krb5_auth.c | 2 ++
- src/responder/pam/pamsrv_cmd.c | 7 +++++++
- src/sss_client/sss_cli.h | 4 ++++
- 6 files changed, 17 insertions(+)
-
-diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
-index 805f3ee81964ee7e7339627bb4d2a47c25218c73..1dbb63f61de07d81426832bb0304e1d5f15a4c98 100644
---- a/src/providers/data_provider_be.c
-+++ b/src/providers/data_provider_be.c
-@@ -1374,6 +1374,7 @@ static int be_pam_handler(struct sbus_request *dbus_req, void *user_data)
-
- switch (pd->cmd) {
- case SSS_PAM_AUTHENTICATE:
-+ case SSS_PAM_PREAUTH:
- target = BET_AUTH;
- break;
- case SSS_PAM_ACCT_MGMT:
-diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
-index 313948b369cf605c91eb608b9a394d32a1e128d1..8724bf936f3f46fb8393c8a3da57215a73b4191a 100644
---- a/src/providers/dp_pam_data_util.c
-+++ b/src/providers/dp_pam_data_util.c
-@@ -43,6 +43,8 @@ static const char *pamcmd2str(int cmd) {
- return "PAM_CHAUTHTOK";
- case SSS_PAM_CHAUTHTOK_PRELIM:
- return "PAM_CHAUTHTOK_PRELIM";
-+ case SSS_PAM_PREAUTH:
-+ return "SSS_PAM_PREAUTH";
- default:
- return "UNKNOWN";
- }
-diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
-index f9a0706be7c7fee2b8431cabad82e3c559795db4..f8badbdd16bfc4761ea177fdf5179ff2d4158080 100644
---- a/src/providers/ipa/ipa_auth.c
-+++ b/src/providers/ipa/ipa_auth.c
-@@ -208,6 +208,7 @@ void ipa_auth(struct be_req *be_req)
-
- switch (state->pd->cmd) {
- case 
SSS_PAM_AUTHENTICATE:
-+ case SSS_PAM_PREAUTH:
- state->ipa_auth_ctx = talloc_get_type(
- be_ctx->bet_info[BET_AUTH].pvt_bet_data,
- struct ipa_auth_ctx);
-diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
-index 9f136041e98b9df607676c5d79799193038130ee..c0cfaf7cfae5e4aa897bf4fd915fb294c6c24161 100644
---- a/src/providers/krb5/krb5_auth.c
-+++ b/src/providers/krb5/krb5_auth.c
-@@ -497,6 +497,8 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
- goto done;
- }
- break;
-+ case SSS_PAM_PREAUTH:
-+ break;
- default:
- DEBUG(SSSDBG_CONF_SETTINGS, "Unexpected pam task %d.\n", pd->cmd);
- state->pam_status = PAM_SYSTEM_ERR;
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index 2ca5aa789ab98aea9005b891be1a36ea91ab40f4..c7eb697f29b6de9f7edaaf7715a58d2b7afdc733 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1454,6 +1454,12 @@ static int pam_cmd_chauthtok_prelim(struct cli_ctx *cctx) {
- return pam_forwarder(cctx, SSS_PAM_CHAUTHTOK_PRELIM);
- }
-
-+static int pam_cmd_preauth(struct cli_ctx *cctx)
-+{
-+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_preauth\n");
-+ return pam_forwarder(cctx, SSS_PAM_PREAUTH);
-+}
-+
- struct cli_protocol_version *register_cli_protocol_version(void)
- {
- static struct cli_protocol_version pam_cli_protocol_version[] = {
-@@ -1477,6 +1483,7 @@ struct sss_cmd_table *get_pam_cmds(void)
- {SSS_PAM_CLOSE_SESSION, pam_cmd_close_session},
- {SSS_PAM_CHAUTHTOK, pam_cmd_chauthtok},
- {SSS_PAM_CHAUTHTOK_PRELIM, pam_cmd_chauthtok_prelim},
-+ {SSS_PAM_PREAUTH, pam_cmd_preauth},
- {SSS_CLI_NULL, NULL}
- };
-
-diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
-index 9a19d7d47d0a9d7dabeac36dc2c866c3420ef501..2895659b9c3ed4ab520ca90846379c22fd9567f7 100644
---- a/src/sss_client/sss_cli.h
-+++ b/src/sss_client/sss_cli.h
-@@ -220,6 +220,10 @@ enum sss_cli_command {
- SSS_CMD_RENEW = 0x00F8, /**< Renew a credential with a limited
- * 
lifetime, e.g. a Kerberos Ticket - * Granting Ticket (TGT) */ -+ SSS_PAM_PREAUTH = 0x00F9, /**< Request which can be run before -+ * an authentication request to find -+ * out which authentication methods -+ * are available for the given user. */ - - /* PAC responder calls */ - SSS_PAC_ADD_PAC_USER = 0x0101, --- -2.4.3 - diff --git a/0021-krb5-child-add-preauth-and-split-2fa-token-support.patch b/0021-krb5-child-add-preauth-and-split-2fa-token-support.patch deleted file mode 100644 index f9aa9d5..0000000 --- a/0021-krb5-child-add-preauth-and-split-2fa-token-support.patch +++ /dev/null 
@@ -1,427 +0,0 @@
-From 308a445c9e9c5eacd184fa6958a9753592e5eec4 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 24 Mar 2015 17:26:53 +0100
-Subject: [PATCH 21/30] krb5-child: add preauth and split 2fa token support
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Lukáš Slebodník
-(cherry picked from commit 4b1b2e60d0764fed289eada9a7afbfd1993cadcd)
----
- src/providers/krb5/krb5_auth.c | 3 +-
- src/providers/krb5/krb5_child.c | 265 +++++++++++++++++++++++++++++---
- src/providers/krb5/krb5_child_handler.c | 4 +
- src/sss_client/sss_cli.h | 6 +
- 4 files changed, 257 insertions(+), 21 deletions(-)
-
-diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
-index c0cfaf7cfae5e4aa897bf4fd915fb294c6c24161..6b818440717a9cfaa22a8332fc65440d21d79d00 100644
---- a/src/providers/krb5/krb5_auth.c
-+++ b/src/providers/krb5/krb5_auth.c
-@@ -450,7 +450,8 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
- switch (pd->cmd) {
- case SSS_PAM_AUTHENTICATE:
- case SSS_PAM_CHAUTHTOK:
-- if (authtok_type != SSS_AUTHTOK_TYPE_PASSWORD) {
-+ if (authtok_type != SSS_AUTHTOK_TYPE_PASSWORD
-+ && authtok_type != SSS_AUTHTOK_TYPE_2FA) {
- /* handle empty password gracefully */
- if (authtok_type == SSS_AUTHTOK_TYPE_EMPTY) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
-index 0fcec981633989593d7155a57811d02a997db251..4b976ddb86b7a1cf6fdc14f99d0b5f4b321814c0 100644
---- a/src/providers/krb5/krb5_child.c
-+++ b/src/providers/krb5/krb5_child.c
-@@ -54,6 +54,9 @@ struct krb5_req {
- char* name;
- krb5_creds *creds;
- bool otp;
-+ char *otp_vendor;
-+ char *otp_token_id;
-+ char *otp_challenge;
- krb5_get_init_creds_opt *options;
-
- struct pam_data *pd;
-@@ -268,7 +271,87 @@ static int token_pin_destructor(char *mem)
- return 0;
- }
-
--static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
-+static krb5_error_code 
tokeninfo_matches_2fa(TALLOC_CTX *mem_ctx,
-+ const krb5_responder_otp_tokeninfo *ti,
-+ const char *fa1, size_t fa1_len,
-+ const char *fa2, size_t fa2_len,
-+ char **out_token, char **out_pin)
-+{
-+ char *token = NULL, *pin = NULL;
-+ checker check = NULL;
-+ int i;
-+
-+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_NEXTOTP) {
-+ return ENOTSUP;
-+ }
-+
-+ if (ti->challenge != NULL) {
-+ return ENOTSUP;
-+ }
-+
-+ /* This is a non-sensical value. */
-+ if (ti->length == 0) {
-+ return EPROTO;
-+ }
-+
-+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {
-+ if (ti->length > 0 && ti->length != fa2_len) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Expected [%d] and given [%zu] token size "
-+ "do not match.\n", ti->length, fa2_len);
-+ return EMSGSIZE;
-+ }
-+
-+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN) {
-+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN) {
-+
-+ pin = talloc_strndup(mem_ctx, fa1, fa1_len);
-+ if (pin == NULL) {
-+ talloc_free(token);
-+ return ENOMEM;
-+ }
-+ talloc_set_destructor(pin, token_pin_destructor);
-+
-+ token = talloc_strndup(mem_ctx, fa2, fa2_len);
-+ if (token == NULL) {
-+ return ENOMEM;
-+ }
-+ talloc_set_destructor(token, token_pin_destructor);
-+
-+ check = pick_checker(ti->format);
-+ }
-+ } else {
-+ token = talloc_asprintf(mem_ctx, "%s%s", fa1, fa2);
-+ if (token == NULL) {
-+ return ENOMEM;
-+ }
-+ talloc_set_destructor(token, token_pin_destructor);
-+
-+ check = pick_checker(ti->format);
-+ }
-+ } else {
-+ /* Assuming PIN only required */
-+ pin = talloc_strndup(mem_ctx, fa1, fa1_len);
-+ if (pin == NULL) {
-+ return ENOMEM;
-+ }
-+ talloc_set_destructor(pin, token_pin_destructor);
-+ }
-+
-+ /* If check is set, we need to verify the contents of the token. 
*/
-+ for (i = 0; check != NULL && token[i] != '\0'; i++) {
-+ if (!check(token[i])) {
-+ talloc_free(token);
-+ talloc_free(pin);
-+ return EBADMSG;
-+ }
-+ }
-+
-+ *out_token = token;
-+ *out_pin = pin;
-+ return 0;
-+}
-+static krb5_error_code tokeninfo_matches_pwd(TALLOC_CTX *mem_ctx,
- const krb5_responder_otp_tokeninfo *ti,
- const char *pwd, size_t len,
- char **out_token, char **out_pin)
-@@ -364,15 +447,52 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
- return 0;
- }
-
-+static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
-+ const krb5_responder_otp_tokeninfo *ti,
-+ struct sss_auth_token *auth_tok,
-+ char **out_token, char **out_pin)
-+{
-+ int ret;
-+ const char *pwd;
-+ size_t len;
-+ const char *fa2;
-+ size_t fa2_len;
-+
-+ switch (sss_authtok_get_type(auth_tok)) {
-+ case SSS_AUTHTOK_TYPE_PASSWORD:
-+ ret = sss_authtok_get_password(auth_tok, &pwd, &len);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_password failed.\n");
-+ return ret;
-+ }
-+
-+ return tokeninfo_matches_pwd(mem_ctx, ti, pwd, len, out_token, out_pin);
-+ break;
-+ case SSS_AUTHTOK_TYPE_2FA:
-+ ret = sss_authtok_get_2fa(auth_tok, &pwd, &len, &fa2, &fa2_len);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_2fa failed.\n");
-+ return ret;
-+ }
-+
-+ return tokeninfo_matches_2fa(mem_ctx, ti, pwd, len, fa2, fa2_len,
-+ out_token, out_pin);
-+ break;
-+ default:
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported authtok type.\n");
-+ }
-+
-+ return EINVAL;
-+}
-+
- static krb5_error_code answer_otp(krb5_context ctx,
- struct krb5_req *kr,
- krb5_responder_context rctx)
- {
- krb5_responder_otp_challenge *chl;
- char *token = NULL, *pin = NULL;
-- const char *pwd = NULL;
- krb5_error_code ret;
-- size_t i, len;
-+ size_t i;
-
- ret = krb5_responder_otp_get_challenge(ctx, rctx, &chl);
- if (ret != EOK || chl == NULL) {
-@@ -388,14 +508,37 @@ static krb5_error_code answer_otp(krb5_context ctx,
-
- kr->otp = true;
-
-- /* Validate our 
assumptions about the contents of authtok. */
-- ret = sss_authtok_get_password(kr->pd->authtok, &pwd, &len);
-- if (ret != EOK)
-- goto done;
-+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
-+ for (i = 0; chl->tokeninfo[i] != NULL; i++) {
-+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Vendor [%s].\n",
-+ i, chl->tokeninfo[i]->vendor);
-+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Token-ID [%s].\n",
-+ i, chl->tokeninfo[i]->token_id);
-+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Challenge [%s].\n",
-+ i, chl->tokeninfo[i]->challenge);
-+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Flags [%d].\n",
-+ i, chl->tokeninfo[i]->flags);
-+ }
-+
-+ if (chl->tokeninfo[0]->vendor != NULL) {
-+ kr->otp_vendor = talloc_strdup(kr, chl->tokeninfo[0]->vendor);
-+ }
-+ if (chl->tokeninfo[0]->token_id != NULL) {
-+ kr->otp_token_id = talloc_strdup(kr, chl->tokeninfo[0]->token_id);
-+ }
-+ if (chl->tokeninfo[0]->challenge != NULL) {
-+ kr->otp_challenge = talloc_strdup(kr, chl->tokeninfo[0]->challenge);
-+ }
-+ /* Allocation errors are ignored on purpose */
-+
-+ DEBUG(SSSDBG_TRACE_INTERNAL, "Exit answer_otp during pre-auth.\n");
-+ return EAGAIN;
-+ }
-
- /* Find the first supported tokeninfo which matches our authtoken. 
*/
- for (i = 0; chl->tokeninfo[i] != NULL; i++) {
-- ret = tokeninfo_matches(kr, chl->tokeninfo[i], pwd, len, &token, &pin);
-+ ret = tokeninfo_matches(kr, chl->tokeninfo[i], kr->pd->authtok,
-+ &token, &pin);
- if (ret == EOK) {
- break;
- }
-@@ -683,6 +826,58 @@ static errno_t pack_response_packet(TALLOC_CTX *mem_ctx, errno_t error,
- return EOK;
- }
-
-+static errno_t k5c_attach_otp_info_msg(struct krb5_req *kr)
-+{
-+ uint8_t *msg = NULL;
-+ size_t msg_len;
-+ int ret;
-+ size_t vendor_len = 0;
-+ size_t token_id_len = 0;
-+ size_t challenge_len = 0;
-+ size_t idx = 0;
-+
-+ msg_len = 3;
-+ if (kr->otp_vendor != NULL) {
-+ vendor_len = strlen(kr->otp_vendor);
-+ msg_len += vendor_len;
-+ }
-+
-+ if (kr->otp_token_id != NULL) {
-+ token_id_len = strlen(kr->otp_token_id);
-+ msg_len += token_id_len;
-+ }
-+
-+ if (kr->otp_challenge != NULL) {
-+ challenge_len = strlen(kr->otp_challenge);
-+ msg_len += challenge_len;
-+ }
-+
-+ msg = talloc_zero_size(kr, msg_len);
-+ if (msg == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
-+ return ENOMEM;
-+ }
-+
-+ if (kr->otp_vendor != NULL) {
-+ memcpy(msg, kr->otp_vendor, vendor_len);
-+ }
-+ idx += vendor_len +1;
-+
-+ if (kr->otp_token_id != NULL) {
-+ memcpy(msg + idx, kr->otp_token_id, token_id_len);
-+ }
-+ idx += token_id_len +1;
-+
-+ if (kr->otp_challenge != NULL) {
-+ memcpy(msg + idx, kr->otp_challenge, challenge_len);
-+ }
-+
-+ ret = pam_add_response(kr->pd, SSS_PAM_OTP_INFO, msg_len, msg);
-+ talloc_zfree(msg);
-+
-+ return ret;
-+}
-+
- static errno_t k5c_attach_ccname_msg(struct krb5_req *kr)
- {
- char *msg = NULL;
-@@ -996,9 +1191,18 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
- discard_const(password),
- sss_krb5_prompter, kr, 0,
- NULL, kr->options);
-- if (kerr != 0) {
-- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
-- return kerr;
-+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
-+ /* Any errors are ignored during pre-auth, only data is collected to
-+ * be send back to the 
client.*/
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "krb5_get_init_creds_password returned [%d} during pre-auth.\n",
-+ kerr);
-+ return 0;
-+ } else {
-+ if (kerr != 0) {
-+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
-+ return kerr;
-+ }
- }
-
- if (kr->validate) {
-@@ -1300,8 +1504,11 @@ static errno_t tgt_req_child(struct krb5_req *kr)
-
- DEBUG(SSSDBG_TRACE_LIBS, "Attempting to get a TGT\n");
-
-- ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
-- switch (ret) {
-+ /* No password is needed for pre-auth, or if we have 2FA */
-+ if (kr->pd->cmd != SSS_PAM_PREAUTH
-+ && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
-+ ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
-+ switch (ret) {
- case EOK:
- break;
-
-@@ -1314,13 +1521,21 @@ static errno_t tgt_req_child(struct krb5_req *kr)
- DEBUG(SSSDBG_OP_FAILURE, "No credentials available\n");
- return ERR_NO_CREDS;
- break;
-+ }
- }
-
- kerr = get_and_save_tgt(kr, password);
-
- if (kerr != KRB5KDC_ERR_KEY_EXP) {
-- if (kerr == 0) {
-- kerr = k5c_attach_ccname_msg(kr);
-+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
-+ /* add OTP tokeninfo messge if available */
-+ if (kr->otp) {
-+ kerr = k5c_attach_otp_info_msg(kr);
-+ }
-+ } else {
-+ if (kerr == 0) {
-+ kerr = k5c_attach_ccname_msg(kr);
-+ }
- }
- ret = map_krb5_error(kerr);
- goto done;
-@@ -1523,6 +1738,10 @@ static errno_t unpack_authtok(struct sss_auth_token *tok,
- case SSS_AUTHTOK_TYPE_CCFILE:
- ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
- break;
-+ case SSS_AUTHTOK_TYPE_2FA:
-+ ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, (buf + *p),
-+ auth_token_length);
-+ break;
- default:
- return EINVAL;
- }
-@@ -2285,11 +2504,13 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
- }
-
- /* For ccache types FILE: and DIR: we might need to create some directory
-- * components as root */
-- ret = k5c_ccache_setup(kr, offline);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "k5c_ccache_setup 
failed.\n");
-- return ret;
-+ * components as root. Cache files are not needed during preauth. */
-+ if (kr->pd->cmd != SSS_PAM_PREAUTH) {
-+ ret = k5c_ccache_setup(kr, offline);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "k5c_ccache_setup failed.\n");
-+ return ret;
-+ }
- }
-
- if (!(offline ||
-@@ -2464,6 +2685,10 @@ int main(int argc, const char *argv[])
- DEBUG(SSSDBG_TRACE_FUNC, "Will perform ticket renewal\n");
- ret = renew_tgt_child(kr);
- break;
-+ case SSS_PAM_PREAUTH:
-+ DEBUG(SSSDBG_TRACE_FUNC, "Will perform pre-auth\n");
-+ ret = tgt_req_child(kr);
-+ break;
- default:
- DEBUG(SSSDBG_CRIT_FAILURE,
- "PAM command [%d] not supported.\n", kr->pd->cmd);
-diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
-index 633cd917737d3f39526b049cc3d930b67f8b5c66..1f839ab5ebf93271556371b2f172f6c524da6270 100644
---- a/src/providers/krb5/krb5_child_handler.c
-+++ b/src/providers/krb5/krb5_child_handler.c
-@@ -77,6 +77,10 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t *rp,
- ret = sss_authtok_get_ccfile(tok, &data, &len);
- auth_token_length = len + 1;
- break;
-+ case SSS_AUTHTOK_TYPE_2FA:
-+ data = (char *) sss_authtok_get_data(tok);
-+ auth_token_length = sss_authtok_get_size(tok);
-+ break;
- default:
- ret = EINVAL;
- }
-diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
-index 2895659b9c3ed4ab520ca90846379c22fd9567f7..1d7e8549cd548b00eeedba95080f346439afc3dd 100644
---- a/src/sss_client/sss_cli.h
-+++ b/src/sss_client/sss_cli.h
-@@ -402,6 +402,12 @@ enum response_type {
- * the user.This should only be used in the case where
- * it is not possile to use SSS_PAM_USER_INFO.
- * @param A zero terminated string. */
-+ SSS_PAM_OTP_INFO, /**< A message which optionally may contain the name
-+ * of the vendor, the ID of an OTP token and a
-+ * challenge. 
-+ * @param Three zero terminated strings, if one of the
-+ * strings is missing the message will contain only
-+ * an empty string (\0) for that component. */
- SSS_OTP, /**< Indicates that the autotok was a OTP, so don't
- * cache it. There is no message.
- * @param None. */
---
-2.4.3
-
diff --git a/0022-IPA-create-preauth-indicator-file-at-startup.patch b/0022-IPA-create-preauth-indicator-file-at-startup.patch
deleted file mode 100644
index 3b06d23..0000000
--- a/0022-IPA-create-preauth-indicator-file-at-startup.patch
+++ /dev/null
@@ -1,115 +0,0 @@ -From badabcb4536794f376fbbefec21fd821654481c5 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 24 Mar 2015 11:19:46 +0100 -Subject: [PATCH 22/30] IPA: create preauth indicator file at startup -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit deb28a893c76f7c94b6cc8e596742665e23d97d5) ---- - src/providers/ipa/ipa_init.c | 66 ++++++++++++++++++++++++++++++++++++++++++++ - src/sss_client/sss_cli.h | 2 ++ - 2 files changed, 68 insertions(+) - -diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c -index 4b26e8baad4d0592729aec9a0b188ae89973fa98..15ec2339d95754db2e54f383bf8e423e780e9838 100644 ---- a/src/providers/ipa/ipa_init.c -+++ b/src/providers/ipa/ipa_init.c -@@ -371,6 +371,62 @@ done: - return ret; - } - -+void cleanup_ipa_preauth_indicator(void) -+{ -+ int ret; -+ -+ ret = unlink(PAM_PREAUTH_INDICATOR); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Failed to remove preauth indicator file [%s].\n", -+ PAM_PREAUTH_INDICATOR); -+ } -+} -+ -+static errno_t create_ipa_preauth_indicator(void) -+{ -+ int ret; -+ TALLOC_CTX *tmp_ctx = NULL; -+ int fd; -+ -+ tmp_ctx = talloc_new(NULL); -+ if (tmp_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); -+ return ENOMEM; -+ } -+ -+ fd = open(PAM_PREAUTH_INDICATOR, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW, -+ 0644); -+ if (fd < 0) { -+ if (errno != EEXIST) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Failed to create preauth indicator file [%s].\n", -+ PAM_PREAUTH_INDICATOR); -+ ret = EOK; -+ goto done; -+ } -+ -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Preauth indicator file [%s] already exists. " -+ "Maybe it is left after an unplanned exit. Continuing.\n", -+ PAM_PREAUTH_INDICATOR); -+ } else { -+ close(fd); -+ } -+ -+ ret = atexit(cleanup_ipa_preauth_indicator); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "atexit failed. 
Continuing.\n"); -+ } -+ -+ ret = EOK; -+ -+done: -+ talloc_free(tmp_ctx); -+ -+ return ret; -+} -+ - int sssm_ipa_auth_init(struct be_ctx *bectx, - struct bet_ops **ops, - void **pvt_data) -@@ -469,6 +525,16 @@ int sssm_ipa_auth_init(struct be_ctx *bectx, - goto done; - } - -+ ret = create_ipa_preauth_indicator(); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to create preauth indicator file, special password " -+ "prompting might not be available.\n"); -+ sss_log(SSSDBG_CRIT_FAILURE, -+ "Failed to create preauth indicator file, special password " -+ "prompting might not be available.\n"); -+ } -+ - *ops = &ipa_auth_ops; - *pvt_data = ipa_auth_ctx; - ret = EOK; -diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h -index 1d7e8549cd548b00eeedba95080f346439afc3dd..317700ef8cfcbb1b58e2a7d1ffcc7f00658fe815 100644 ---- a/src/sss_client/sss_cli.h -+++ b/src/sss_client/sss_cli.h -@@ -317,6 +317,8 @@ enum sss_authtok_type { - #define SSS_START_OF_PAM_REQUEST 0x4d415049 - #define SSS_END_OF_PAM_REQUEST 0x4950414d - -+#define PAM_PREAUTH_INDICATOR PUBCONF_PATH"/pam_preauth_available" -+ - enum pam_item_type { - SSS_PAM_ITEM_EMPTY = 0x0000, - SSS_PAM_ITEM_USER, --- -2.4.3 - diff --git a/0023-pam_sss-add-pre-auth-and-2fa-support.patch b/0023-pam_sss-add-pre-auth-and-2fa-support.patch deleted file mode 100644 index 9189416..0000000 --- a/0023-pam_sss-add-pre-auth-and-2fa-support.patch +++ /dev/null 
@@ -1,373 +0,0 @@ -From ced64f67b32fdb513f29931f6dcc5ca482df1447 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 12 Feb 2015 23:08:12 +0100 -Subject: [PATCH 23/30] pam_sss: add pre-auth and 2fa support -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit e5698314b87e147c0223d0d8bcac206733dfae8c) ---- - Makefile.am | 1 + - src/sss_client/pam_sss.c | 235 ++++++++++++++++++++++++++++++++++++++++++++++- - 2 files changed, 234 insertions(+), 2 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index d3fea94b206a538b86a0fb119ed186947fa8d8e6..793a2a67be11232aefa67e57b986f6304b8a68b3 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -2361,6 +2361,7 @@ pam_sss_la_SOURCES = \ - src/sss_client/common.c \ - src/sss_client/sss_cli.h \ - src/util/atomic_io.c \ -+ src/util/authtok-utils.c \ - src/sss_client/sss_pam_macros.h \ - src/sss_client/sss_pam_compat.h - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 4007d125e34932dfb5ac6bc840f4d25306e3008f..f11871a47d1b29f44c179e57a33d8f41be79078d 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -51,6 +51,7 @@ - #define FLAGS_USE_AUTHTOK (1 << 2) - #define FLAGS_IGNORE_UNKNOWN_USER (1 << 3) - #define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4) -+#define FLAGS_USE_2FA (1 << 5) - - #define PWEXP_FLAG "pam_sss:password_expired_flag" - #define FD_DESTRUCTOR "pam_sss:fd_destructor" -@@ -88,6 +89,10 @@ struct pam_items { - char *domain_name; - const char *requested_domains; - size_t requested_domains_size; -+ char *otp_vendor; -+ char *otp_token_id; -+ char *otp_challenge; -+ char *first_factor; - }; - - #define DEBUG_MGS_LEN 1024 -@@ -224,6 +229,12 @@ static void overwrite_and_free_authtoks(struct pam_items *pi) - pi->pam_newauthtok = NULL; - } - -+ if (pi->first_factor != NULL) { -+ _pam_overwrite_n((void *)pi->first_factor, strlen(pi->first_factor)); -+ free((void *)pi->first_factor); 
-+ pi->first_factor = NULL; -+ } -+ - pi->pamstack_authtok = NULL; - pi->pamstack_oldauthtok = NULL; - } -@@ -234,6 +245,15 @@ static void overwrite_and_free_pam_items(struct pam_items *pi) - - free(pi->domain_name); - pi->domain_name = NULL; -+ -+ free(pi->otp_vendor); -+ pi->otp_vendor = NULL; -+ -+ free(pi->otp_token_id); -+ pi->otp_token_id = NULL; -+ -+ free(pi->otp_challenge); -+ pi->otp_challenge = NULL; - } - - static int pack_message_v3(struct pam_items *pi, size_t *size, -@@ -969,6 +989,7 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, - int32_t type; - int32_t len; - int32_t pam_status; -+ size_t offset; - - if (buflen < (2*sizeof(int32_t))) { - D(("response buffer is too small")); -@@ -1075,6 +1096,45 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, - pam_strerror(pamh,ret))); - } - break; -+ case SSS_PAM_OTP_INFO: -+ if (buf[p + (len - 1)] != '\0') { -+ D(("system info does not end with \\0.")); -+ break; -+ } -+ -+ pi->otp_vendor = strdup((char *) &buf[p]); -+ if (pi->otp_vendor == NULL) { -+ D(("strdup failed")); -+ break; -+ } -+ -+ offset = strlen(pi->otp_vendor) + 1; -+ if (offset >= len) { -+ D(("OTP message size mismatch")); -+ free(pi->otp_vendor); -+ pi->otp_vendor = NULL; -+ break; -+ } -+ pi->otp_token_id = strdup((char *) &buf[p + offset]); -+ if (pi->otp_token_id == NULL) { -+ D(("strdup failed")); -+ break; -+ } -+ -+ offset += strlen(pi->otp_token_id) + 1; -+ if (offset >= len) { -+ D(("OTP message size mismatch")); -+ free(pi->otp_token_id); -+ pi->otp_token_id = NULL; -+ break; -+ } -+ pi->otp_challenge = strdup((char *) &buf[p + offset]); -+ if (pi->otp_challenge == NULL) { -+ D(("strdup failed")); -+ break; -+ } -+ -+ break; - default: - D(("Unknown response type [%d]", type)); - } -@@ -1096,6 +1156,7 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi) - pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY; - pi->pam_newauthtok = NULL; - pi->pam_newauthtok_size = 
0; -+ pi->first_factor = NULL; - - ret = pam_get_item(pamh, PAM_SERVICE, (const void **) &(pi->pam_service)); - if (ret != PAM_SUCCESS) return ret; -@@ -1150,6 +1211,10 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi) - if (pi->requested_domains == NULL) pi->requested_domains = ""; - pi->requested_domains_size = strlen(pi->requested_domains) + 1; - -+ pi->otp_vendor = NULL; -+ pi->otp_token_id = NULL; -+ pi->otp_challenge = NULL; -+ - return PAM_SUCCESS; - } - -@@ -1281,6 +1346,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, - case SSS_PAM_OPEN_SESSION: - case SSS_PAM_SETCRED: - case SSS_PAM_CLOSE_SESSION: -+ case SSS_PAM_PREAUTH: - break; - default: - D(("Illegal task [%d]", task)); -@@ -1328,6 +1394,133 @@ static int prompt_password(pam_handle_t *pamh, struct pam_items *pi, - return PAM_SUCCESS; - } - -+static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi, -+ const char *prompt_fa1, const char *prompt_fa2) -+{ -+ int ret; -+ const struct pam_conv *conv; -+ const struct pam_message *mesg[2] = { NULL, NULL }; -+ struct pam_message *m1; -+ struct pam_message *m2; -+ struct pam_response *resp = NULL; -+ size_t needed_size; -+ -+ ret = pam_get_item(pamh, PAM_CONV, (const void **) &conv); -+ if (ret != PAM_SUCCESS) { -+ return ret; -+ } -+ -+ m1 = malloc(sizeof(struct pam_message)); -+ if (m1 == NULL) { -+ D(("Malloc failed.")); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ m2 = malloc(sizeof(struct pam_message)); -+ if (m2 == NULL) { -+ D(("Malloc failed.")); -+ free(m1); -+ return PAM_SYSTEM_ERR; -+ } -+ m1->msg_style = PAM_PROMPT_ECHO_OFF; -+ m1->msg = prompt_fa1; -+ m2->msg_style = PAM_PROMPT_ECHO_OFF; -+ m2->msg = prompt_fa2; -+ -+ mesg[0] = (const struct pam_message *) m1; -+ mesg[1] = (const struct pam_message *) m2; -+ -+ ret = conv->conv(2, mesg, &resp, conv->appdata_ptr); -+ free(m1); -+ free(m2); -+ if (ret != PAM_SUCCESS) { -+ D(("Conversation failure: %s.", pam_strerror(pamh, ret))); -+ return ret; -+ } -+ 
-+ if (resp == NULL) { -+ D(("response expected, but resp==NULL")); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ if (resp[0].resp == NULL || *(resp[0].resp) == '\0') { -+ D(("Missing factor.")); -+ ret = PAM_CRED_INSUFFICIENT; -+ goto done; -+ } -+ -+ if (resp[1].resp == NULL || *(resp[1].resp) == '\0' -+ || (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0 -+ && strcmp(resp[0].resp, resp[1].resp) == 0)) { -+ /* Missing second factor, assume first factor contains combined 2FA -+ * credentials. -+ * Special handling for SSH with password authentication. Combined -+ * 2FA credentials are used but SSH puts them in both responses. */ -+ -+ pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE); -+ if (pi->pam_authtok == NULL) { -+ D(("strndup failed.")); -+ ret = PAM_BUF_ERR; -+ goto done; -+ } -+ pi->pam_authtok_size = strlen(pi->pam_authtok) + 1; -+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD; -+ } else { -+ -+ ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0, NULL, 0, -+ &needed_size); -+ if (ret != EAGAIN) { -+ D(("sss_auth_pack_2fa_blob failed.")); -+ ret = PAM_BUF_ERR; -+ goto done; -+ } -+ -+ pi->pam_authtok = malloc(needed_size); -+ if (pi->pam_authtok == NULL) { -+ D(("malloc failed.")); -+ ret = PAM_BUF_ERR; -+ goto done; -+ } -+ -+ ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0, -+ (uint8_t *) pi->pam_authtok, needed_size, -+ &needed_size); -+ if (ret != EOK) { -+ D(("sss_auth_pack_2fa_blob failed.")); -+ ret = PAM_BUF_ERR; -+ goto done; -+ } -+ -+ pi->pam_authtok_size = needed_size; -+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_2FA; -+ pi->first_factor = strndup(resp[0].resp, MAX_AUTHTOK_SIZE); -+ if (pi->first_factor == NULL) { -+ D(("strndup failed.")); -+ ret = PAM_BUF_ERR; -+ goto done; -+ } -+ } -+ -+ ret = PAM_SUCCESS; -+ -+done: -+ if (resp != NULL) { -+ if (resp[0].resp != NULL) { -+ _pam_overwrite((void *)resp[0].resp); -+ free(resp[0].resp); -+ } -+ if (resp[1].resp != NULL) { -+ _pam_overwrite((void 
*)resp[1].resp); -+ free(resp[1].resp); -+ } -+ -+ free(resp); -+ resp = NULL; -+ } -+ -+ return ret; -+} -+ - static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi) - { - int ret; -@@ -1411,6 +1604,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, - *flags |= FLAGS_IGNORE_UNKNOWN_USER; - } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) { - *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL; -+ } else if (strcmp(*argv, "use_2fa") == 0) { -+ *flags |= FLAGS_USE_2FA; - } else { - logger(pamh, LOG_WARNING, "unknown option: %s", *argv); - } -@@ -1434,14 +1629,28 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, - } - pi->pam_authtok_size = strlen(pi->pam_authtok); - } else { -- ret = prompt_password(pamh, pi, _("Password: ")); -+ if (flags & FLAGS_USE_2FA -+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL -+ && pi->otp_challenge != NULL)) { -+ ret = prompt_2fa(pamh, pi, _("First Factor: "), -+ _("Second Factor: ")); -+ } else { -+ ret = prompt_password(pamh, pi, _("Password: ")); -+ } - if (ret != PAM_SUCCESS) { - D(("failed to get password from user")); - return ret; - } - - if (flags & FLAGS_FORWARD_PASS) { -- ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok); -+ if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) { -+ ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok); -+ } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA -+ && pi->first_factor != NULL) { -+ ret = pam_set_item(pamh, PAM_AUTHTOK, pi->first_factor); -+ } else { -+ ret = EINVAL; -+ } - if (ret != PAM_SUCCESS) { - D(("Failed to set PAM_AUTHTOK [%s], " - "authtok may not be available for other modules", -@@ -1576,6 +1785,27 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - - switch(task) { - case SSS_PAM_AUTHENTICATE: -+ /* -+ * Only do preauth if -+ * - FLAGS_USE_FIRST_PASS is not set -+ * - no password is on the stack -+ * - preauth indicator file exists. 
-+ */ -+ if ( !(flags & FLAGS_USE_FIRST_PASS) && pi.pam_authtok == NULL -+ && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) { -+ pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH, -+ quiet_mode); -+ if (pam_status != PAM_SUCCESS) { -+ D(("send_and_receive returned [%d] during pre-auth", -+ pam_status)); -+ /* -+ * Since we are only interested in the result message -+ * and will always use password authentication -+ * as a fallback, errors can be ignored here. -+ */ -+ } -+ } -+ - ret = get_authtok_for_authentication(pamh, &pi, flags); - if (ret != PAM_SUCCESS) { - D(("failed to get authentication token: %s", -@@ -1588,6 +1818,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - if (ret != PAM_SUCCESS) { - D(("failed to get tokens for password change: %s", - pam_strerror(pamh, ret))); -+ overwrite_and_free_pam_items(&pi); - return ret; - } - if (pam_flags & PAM_PRELIM_CHECK) { --- -2.4.3 - diff --git a/0024-Add-cache_credentials_minimal_first_factor_length-co.patch b/0024-Add-cache_credentials_minimal_first_factor_length-co.patch deleted file mode 100644 index 1b68318..0000000 --- a/0024-Add-cache_credentials_minimal_first_factor_length-co.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From edf37611b0eacb47b4d72bac97b9281231b4476f Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 24 Mar 2015 13:00:14 +0100 -Subject: [PATCH 24/30] Add cache_credentials_minimal_first_factor_length - config option -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit 932c3e22e3c59a9c33f30dcc09e6bef257e14320) ---- - src/confdb/confdb.c | 11 +++++++++++ - src/confdb/confdb.h | 4 ++++ - src/config/SSSDConfigTest.py | 2 ++ - src/config/etc/sssd.api.conf | 1 + - src/man/sssd.conf.5.xml | 22 ++++++++++++++++++++++ - src/util/domain_info_utils.c | 2 ++ - 6 files changed, 42 insertions(+) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index 9ce7b13114e1336a4b8ffb8fdfa13c49d2c0c006..2ebf6c15e060ad5899a60629aa6b28021d0f408d 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -956,6 +956,17 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, - goto done; - } - -+ ret = get_entry_as_uint32(res->msgs[0], -+ &domain->cache_credentials_min_ff_length, -+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH, -+ CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Invalid value for %s\n", -+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH); -+ goto done; -+ } -+ - ret = get_entry_as_bool(res->msgs[0], &domain->legacy_passwords, - CONFDB_DOMAIN_LEGACY_PASS, 0); - if(ret != EOK) { -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index e97c46b34e34a02f80903c204e3a1744b0a5977e..93fbce5e5e46e4a7517d971f2ab886ded65a68f3 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -162,6 +162,9 @@ - #define CONFDB_DOMAIN_MINID "min_id" - #define CONFDB_DOMAIN_MAXID "max_id" - #define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials" -+#define CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH \ -+ "cache_credentials_minimal_first_factor_length" -+#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8 - #define 
CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords" - #define CONFDB_DOMAIN_MPG "magic_private_groups" - #define CONFDB_DOMAIN_FQ "use_fully_qualified_names" -@@ -222,6 +225,7 @@ struct sss_domain_info { - uint32_t id_max; - - bool cache_credentials; -+ uint32_t cache_credentials_min_ff_length; - bool legacy_passwords; - bool case_sensitive; - bool case_preserve; -diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py -index aed76e5a0dd695b1969f3946f245a80062627e24..2a5dc8d561ab88d888a0a33f091bac55be1d701f 100755 ---- a/src/config/SSSDConfigTest.py -+++ b/src/config/SSSDConfigTest.py -@@ -494,6 +494,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): - 'command', - 'enumerate', - 'cache_credentials', -+ 'cache_credentials_minimal_first_factor_length', - 'store_legacy_passwords', - 'use_fully_qualified_names', - 'ignore_group_members', -@@ -856,6 +857,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): - 'command', - 'enumerate', - 'cache_credentials', -+ 'cache_credentials_minimal_first_factor_length', - 'store_legacy_passwords', - 'use_fully_qualified_names', - 'ignore_group_members', -diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf -index 59d755c2668235d046781227568d7f9e805a45d0..7ad84cd826a648ca61d9d2ede70e7886049d469a 100644 ---- a/src/config/etc/sssd.api.conf -+++ b/src/config/etc/sssd.api.conf -@@ -110,6 +110,7 @@ subdomain_enumerate = str, None, false - force_timeout = int, None, false - offline_timeout = int, None, false - cache_credentials = bool, None, false -+cache_credentials_minimal_first_factor_length = int, None, false - store_legacy_passwords = bool, None, false - use_fully_qualified_names = bool, None, false - ignore_group_members = bool, None, false -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 4961d5b956f6d1736dc1e9967bd0115f4993ec77..fd05e3af20426121e2d6ec5943c9b70786a5db5f 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -1420,6 +1420,28 @@ 
pam_account_expired_message = Account expired, please call help desk. - - - -+ -+ -+ cache_credentials_minimal_first_factor_length (int) -+ -+ -+ If 2-Factor-Authentication (2FA) is used and -+ credentials should be saved this value determines -+ the minimal lenght the first authentication factor -+ (long term password) must have to be saved as SHA512 -+ hash into the cache. -+ -+ -+ This should avoid that the short PINs of a PIN based -+ 2FA scheme are saved in the cache which would make -+ them easy targets for brute-force attacks. -+ -+ -+ Default: 8 -+ -+ -+ -+ - - account_cache_expiration (integer) - -diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c -index e2dec04354e62bc8d135567fdbac88ea5da8cc00..1e2a473a7571a37bff5f10d66f917ed1f176f172 100644 ---- a/src/util/domain_info_utils.c -+++ b/src/util/domain_info_utils.c -@@ -297,6 +297,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, - dom->id_max = parent->id_max ? parent->id_max : 0xffffffff; - dom->pwd_expiration_warning = parent->pwd_expiration_warning; - dom->cache_credentials = parent->cache_credentials; -+ dom->cache_credentials_min_ff_length = -+ parent->cache_credentials_min_ff_length; - dom->case_sensitive = false; - dom->user_timeout = parent->user_timeout; - dom->group_timeout = parent->group_timeout; --- -2.4.3 - diff --git a/0025-sysdb-add-sysdb_cache_password_ex.patch b/0025-sysdb-add-sysdb_cache_password_ex.patch deleted file mode 100644 index b6f8bac..0000000 --- a/0025-sysdb-add-sysdb_cache_password_ex.patch +++ /dev/null 
@@ -1,174 +0,0 @@ -From fd92f2270544489149c4dae2aed513e506813c04 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 24 Mar 2015 15:35:01 +0100 -Subject: [PATCH 25/30] sysdb: add sysdb_cache_password_ex() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit 55b7fdd837a780ab0f71cbfaa2403f4626993922) ---- - src/db/sysdb.h | 9 +++++++++ - src/db/sysdb_ops.c | 25 ++++++++++++++++++++--- - src/tests/sysdb-tests.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 84 insertions(+), 3 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index a1b6f207399555c85c14c8decf89edc498deb871..63d6d3cdc0baf49dff86a1aa62f61a4eacee7465 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -24,6 +24,7 @@ - - #include "util/util.h" - #include "confdb/confdb.h" -+#include "sss_client/sss_cli.h" - #include - - #define CACHE_SYSDB_FILE "cache_%s.ldb" -@@ -105,6 +106,8 @@ - #define SYSDB_SERVERHOSTNAME "serverHostname" - - #define SYSDB_CACHEDPWD "cachedPassword" -+#define SYSDB_CACHEDPWD_TYPE "cachedPasswordType" -+#define SYSDB_CACHEDPWD_FA2_LEN "cachedPasswordSecondFactorLen" - - #define SYSDB_UUID "uniqueID" - #define SYSDB_SID "objectSID" -@@ -888,6 +891,12 @@ int sysdb_cache_password(struct sss_domain_info *domain, - const char *username, - const char *password); - -+int sysdb_cache_password_ex(struct sss_domain_info *domain, -+ const char *username, -+ const char *password, -+ enum sss_authtok_type authtok_type, -+ size_t second_factor_size); -+ - errno_t check_failed_login_attempts(struct confdb_ctx *cdb, - struct ldb_message *ldb_msg, - uint32_t *failed_login_attempts, -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index ea786d59158eb8a82952c7e457ea83286abbf2c4..083d2778c97fe4d6149e4fc030885c482c511105 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -2226,9 +2226,11 @@ int sysdb_remove_group_member(struct sss_domain_info 
*domain, - - /* =Password-Caching====================================================== */ - --int sysdb_cache_password(struct sss_domain_info *domain, -- const char *username, -- const char *password) -+int sysdb_cache_password_ex(struct sss_domain_info *domain, -+ const char *username, -+ const char *password, -+ enum sss_authtok_type authtok_type, -+ size_t second_factor_len) - { - TALLOC_CTX *tmp_ctx; - struct sysdb_attrs *attrs; -@@ -2261,6 +2263,15 @@ int sysdb_cache_password(struct sss_domain_info *domain, - ret = sysdb_attrs_add_string(attrs, SYSDB_CACHEDPWD, hash); - if (ret) goto fail; - -+ ret = sysdb_attrs_add_long(attrs, SYSDB_CACHEDPWD_TYPE, authtok_type); -+ if (ret) goto fail; -+ -+ if (authtok_type == SSS_AUTHTOK_TYPE_2FA && second_factor_len > 0) { -+ ret = sysdb_attrs_add_long(attrs, SYSDB_CACHEDPWD_FA2_LEN, -+ second_factor_len); -+ if (ret) goto fail; -+ } -+ - /* FIXME: should we use a different attribute for chache passwords ?? */ - ret = sysdb_attrs_add_long(attrs, "lastCachedPasswordChange", - (long)time(NULL)); -@@ -2285,6 +2296,14 @@ fail: - return ret; - } - -+int sysdb_cache_password(struct sss_domain_info *domain, -+ const char *username, -+ const char *password) -+{ -+ return sysdb_cache_password_ex(domain, username, password, -+ SSS_AUTHTOK_TYPE_PASSWORD, 0); -+} -+ - /* =Custom Search================== */ - - int sysdb_search_custom(TALLOC_CTX *mem_ctx, -diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c -index 450a9d1d693135c296f3433d905d1aba115548b8..3d5e97afbfaa5441281ef193d072122204db0514 100644 ---- a/src/tests/sysdb-tests.c -+++ b/src/tests/sysdb-tests.c -@@ -1808,6 +1808,57 @@ START_TEST (test_sysdb_cache_password) - } - END_TEST - -+START_TEST (test_sysdb_cache_password_ex) -+{ -+ struct sysdb_test_ctx *test_ctx; -+ struct test_data *data; -+ int ret; -+ struct ldb_result *res; -+ const char *attrs[] = { SYSDB_CACHEDPWD_TYPE, SYSDB_CACHEDPWD_FA2_LEN, -+ NULL }; -+ int val; -+ -+ /* Setup */ -+ ret = 
setup_sysdb_tests(&test_ctx); -+ fail_unless(ret == EOK, "Could not set up the test"); -+ -+ data = talloc_zero(test_ctx, struct test_data); -+ data->ctx = test_ctx; -+ data->ev = test_ctx->ev; -+ data->username = talloc_asprintf(data, "testuser%d", _i); -+ -+ ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username, -+ attrs, &res); -+ fail_unless(ret == EOK, "sysdb_get_user_attr request failed [%d].", ret); -+ -+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_TYPE, 0); -+ fail_unless(val == SSS_AUTHTOK_TYPE_PASSWORD, -+ "Unexptected authtok type, found [%d], expected [%d].", -+ val, SSS_AUTHTOK_TYPE_PASSWORD); -+ -+ ret = sysdb_cache_password_ex(test_ctx->domain, data->username, -+ data->username, SSS_AUTHTOK_TYPE_2FA, 12); -+ -+ fail_unless(ret == EOK, "sysdb_cache_password request failed [%d].", ret); -+ -+ ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username, -+ attrs, &res); -+ fail_unless(ret == EOK, "sysdb_get_user_attr request failed [%d].", ret); -+ -+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_TYPE, 0); -+ fail_unless(val == SSS_AUTHTOK_TYPE_2FA, -+ "Unexptected authtok type, found [%d], expected [%d].", -+ val, SSS_AUTHTOK_TYPE_2FA); -+ -+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_FA2_LEN, 0); -+ fail_unless(val == 12, -+ "Unexptected second factor lenght, found [%d], expected [%d].", -+ val, 12); -+ -+ talloc_free(test_ctx); -+} -+END_TEST -+ - static void cached_authentication_without_expiration(const char *username, - const char *password, - int expected_result) -@@ -6256,6 +6307,8 @@ Suite *create_sysdb_suite(void) - 27010, 27011); - tcase_add_loop_test(tc_sysdb, test_sysdb_cached_authentication, 27010, 27011); - -+ tcase_add_loop_test(tc_sysdb, test_sysdb_cache_password_ex, 27010, 27011); -+ - /* ASQ search test */ - tcase_add_loop_test(tc_sysdb, test_sysdb_prepare_asq_test_user, 28011, 28020); - tcase_add_test(tc_sysdb, test_sysdb_asq_search); --- -2.4.3 - 
diff --git a/0026-krb5-save-hash-of-the-first-authentication-factor-to.patch b/0026-krb5-save-hash-of-the-first-authentication-factor-to.patch deleted file mode 100644 index 945512c..0000000 --- a/0026-krb5-save-hash-of-the-first-authentication-factor-to.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From c14a1642229f20fe8a1ff1da1e33b8ad6a46686d Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 24 Mar 2015 15:53:17 +0100 -Subject: [PATCH 26/30] krb5: save hash of the first authentication factor to - the cache -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit c5ae04b2da970a3991f21173acae3e892198ce0c) ---- - src/providers/krb5/krb5_auth.c | 26 +++++++++++++++++++++++--- - 1 file changed, 23 insertions(+), 3 deletions(-) - -diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c -index 6b818440717a9cfaa22a8332fc65440d21d79d00..5a946de4dba5081ed3b082e54af84e73b567a22f 100644 ---- a/src/providers/krb5/krb5_auth.c -+++ b/src/providers/krb5/krb5_auth.c -@@ -321,6 +321,9 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain, - struct pam_data *pd) - { - const char *password = NULL; -+ const char *fa2; -+ size_t password_len; -+ size_t fa2_len = 0; - int ret = EOK; - - switch(pd->cmd) { -@@ -332,7 +335,20 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain, - break; - case SSS_PAM_AUTHENTICATE: - case SSS_PAM_CHAUTHTOK_PRELIM: -- ret = sss_authtok_get_password(pd->authtok, &password, NULL); -+ if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_2FA) { -+ ret = sss_authtok_get_2fa(pd->authtok, &password, &password_len, -+ &fa2, &fa2_len); -+ if (ret == EOK && password_len < -+ domain->cache_credentials_min_ff_length) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "First factor is too short to be cache, " -+ "minimum length is [%u].\n", -+ domain->cache_credentials_min_ff_length); -+ ret = EINVAL; -+ } -+ } else { -+ ret = sss_authtok_get_password(pd->authtok, &password, NULL); -+ } - break; - case SSS_PAM_CHAUTHTOK: - ret = sss_authtok_get_password(pd->newauthtok, &password, NULL); -@@ -358,7 +374,8 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain, - return; - } - -- ret = 
sysdb_cache_password(domain, pd->user, password); -+ ret = sysdb_cache_password_ex(domain, pd->user, password, -+ sss_authtok_get_type(pd->authtok), fa2_len); - if (ret) { - DEBUG(SSSDBG_OP_FAILURE, - "Failed to cache password, offline auth may not work." -@@ -1074,7 +1091,10 @@ static void krb5_auth_done(struct tevent_req *subreq) - goto done; - } - -- if (state->be_ctx->domain->cache_credentials == TRUE && !res->otp) { -+ if (state->be_ctx->domain->cache_credentials == TRUE -+ && (!res->otp -+ || (res->otp && sss_authtok_get_type(pd->authtok) == -+ SSS_AUTHTOK_TYPE_2FA))) { - krb5_auth_store_creds(state->domain, pd); - } - --- -2.4.3 - diff --git a/0027-krb5-try-delayed-online-authentication-only-for-sing.patch b/0027-krb5-try-delayed-online-authentication-only-for-sing.patch deleted file mode 100644 index 8472b2e..0000000 --- a/0027-krb5-try-delayed-online-authentication-only-for-sing.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From c1fce215b02fca5ed9df19bf66aaff3b52ed777b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 25 Mar 2015 12:04:57 +0100 -Subject: [PATCH 27/30] krb5: try delayed online authentication only for single - factor auth -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit 2d0e7658198d1aa6e3926bf967ff683660249114) ---- - src/providers/krb5/krb5_auth.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c -index 5a946de4dba5081ed3b082e54af84e73b567a22f..2cfb3a805ea1472cc725aca068edcc69b036daba 100644 ---- a/src/providers/krb5/krb5_auth.c -+++ b/src/providers/krb5/krb5_auth.c -@@ -263,6 +263,13 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, - const char *password = NULL; - errno_t ret; - -+ if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "Delayed authentication is only available for password " -+ "authentication (single factor).\n"); -+ return; -+ } -+ - ret = sss_authtok_get_password(pd->authtok, &password, NULL); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, --- -2.4.3 - diff --git a/0028-2FA-offline-auth.patch b/0028-2FA-offline-auth.patch deleted file mode 100644 index bc645b2..0000000 --- a/0028-2FA-offline-auth.patch +++ /dev/null 
@@ -1,173 +0,0 @@ -From 33a78367bb6812daf2b00c956d83653362d671e2 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 27 Mar 2015 15:20:13 +0100 -Subject: [PATCH 28/30] 2FA offline auth -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit 219f5b698fa72c0d5a8da2b0dd99daec3f924c94) ---- - src/db/sysdb_ops.c | 77 ++++++++++++++++++++++++++++++++++++++++-- - src/responder/pam/pamsrv_cmd.c | 35 +++++++++++++++++-- - 2 files changed, 107 insertions(+), 5 deletions(-) - -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 083d2778c97fe4d6149e4fc030885c482c511105..ed936e0fbe4451e9813402466d4850f0f586c1f5 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -3155,6 +3155,76 @@ done: - return ret; - } - -+static errno_t check_for_combined_2fa_password(struct sss_domain_info *domain, -+ struct ldb_message *ldb_msg, -+ const char *password, -+ const char *userhash) -+{ -+ -+ unsigned int cached_authtok_type; -+ unsigned int cached_fa2_len; -+ char *short_pw; -+ char *comphash; -+ size_t pw_len; -+ TALLOC_CTX *tmp_ctx; -+ int ret; -+ -+ cached_authtok_type = ldb_msg_find_attr_as_uint(ldb_msg, -+ SYSDB_CACHEDPWD_TYPE, -+ SSS_AUTHTOK_TYPE_EMPTY); -+ if (cached_authtok_type != SSS_AUTHTOK_TYPE_2FA) { -+ DEBUG(SSSDBG_TRACE_LIBS, "Wrong authtok type.\n"); -+ return EINVAL; -+ } -+ -+ cached_fa2_len = ldb_msg_find_attr_as_uint(ldb_msg, SYSDB_CACHEDPWD_FA2_LEN, -+ 0); -+ if (cached_fa2_len == 0) { -+ DEBUG(SSSDBG_TRACE_LIBS, "Second factor size not available.\n"); -+ return EINVAL; -+ } -+ -+ pw_len = strlen(password); -+ if (pw_len < cached_fa2_len + domain->cache_credentials_min_ff_length) { -+ DEBUG(SSSDBG_TRACE_LIBS, "Password too short.\n"); -+ return EINVAL; -+ } -+ -+ tmp_ctx = talloc_new(NULL); -+ if (tmp_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); -+ return ENOMEM; -+ } -+ -+ short_pw = talloc_strndup(tmp_ctx, password, (pw_len - 
cached_fa2_len)); -+ if (short_pw == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = s3crypt_sha512(tmp_ctx, short_pw, userhash, &comphash); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CONF_SETTINGS, "Failed to create password hash.\n"); -+ ret = ERR_INTERNAL; -+ goto done; -+ } -+ -+ if (strcmp(userhash, comphash) != 0) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "Hash of shorten password does not match.\n"); -+ ret = ERR_AUTH_FAILED; -+ goto done; -+ } -+ -+ ret = EOK; -+ -+done: -+ talloc_free(tmp_ctx); -+ -+ return ret; -+} -+ - int sysdb_cache_auth(struct sss_domain_info *domain, - const char *name, - const char *password, -@@ -3168,7 +3238,8 @@ int sysdb_cache_auth(struct sss_domain_info *domain, - SYSDB_LAST_LOGIN, SYSDB_LAST_ONLINE_AUTH, - "lastCachedPasswordChange", - "accountExpires", SYSDB_FAILED_LOGIN_ATTEMPTS, -- SYSDB_LAST_FAILED_LOGIN, NULL }; -+ SYSDB_LAST_FAILED_LOGIN, SYSDB_CACHEDPWD_TYPE, -+ SYSDB_CACHEDPWD_FA2_LEN, NULL }; - struct ldb_message *ldb_msg; - const char *userhash; - char *comphash; -@@ -3279,7 +3350,9 @@ int sysdb_cache_auth(struct sss_domain_info *domain, - goto done; - } - -- if (strcmp(userhash, comphash) == 0) { -+ if (strcmp(userhash, comphash) == 0 -+ || check_for_combined_2fa_password(domain, ldb_msg, -+ password, userhash) == EOK) { - /* TODO: probable good point for audit logging */ - DEBUG(SSSDBG_CONF_SETTINGS, "Hashes do match!\n"); - authentication_successful = true; -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index c7eb697f29b6de9f7edaaf7715a58d2b7afdc733..e8d2b65fe429bcb390f33ef994934f9b82b1a4b7 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -528,6 +528,34 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te, - pam_reply(preq); - } - -+static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok, -+ const char **password) -+{ -+ int ret; -+ size_t pw_len; 
-+ const char *fa2; -+ size_t fa2_len; -+ -+ switch (sss_authtok_get_type(authtok)) { -+ case SSS_AUTHTOK_TYPE_PASSWORD: -+ ret = sss_authtok_get_password(authtok, password, NULL); -+ break; -+ case SSS_AUTHTOK_TYPE_2FA: -+ ret = sss_authtok_get_2fa(authtok, password, &pw_len, &fa2, &fa2_len); -+ break; -+ default: -+ DEBUG(SSSDBG_FATAL_FAILURE, "Unsupported auth token type [%d].\n", -+ sss_authtok_get_type(authtok)); -+ ret = EINVAL; -+ } -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get password.\n"); -+ return ret; -+ } -+ -+ return EOK; -+} -+ - static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd); - static void pam_handle_cached_login(struct pam_auth_req *preq, int ret, - time_t expire_date, time_t delayed_until); -@@ -586,9 +614,10 @@ static void pam_reply(struct pam_auth_req *preq) - goto done; - } - -- ret = sss_authtok_get_password(pd->authtok, &password, NULL); -- if (ret) { -- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get password.\n"); -+ ret = get_password_for_cache_auth(pd->authtok, &password); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "get_password_and_type_for_cache_auth failed.\n"); - goto done; - } - --- -2.4.3 - diff --git a/0029-pam_sss-move-message-encoding-into-separate-file.patch b/0029-pam_sss-move-message-encoding-into-separate-file.patch deleted file mode 100644 index 7af9eac..0000000 --- a/0029-pam_sss-move-message-encoding-into-separate-file.patch +++ /dev/null 
@@ -1,502 +0,0 @@ -From 7eb1f0611ad5df755a981dcc86e10b01439e3618 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 18 Mar 2015 16:02:47 +0100 -Subject: [PATCH 29/30] pam_sss: move message encoding into separate file -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit bf6c3f07d653d474da9e43b2b7cced57fc4ea069) ---- - Makefile.am | 2 + - src/sss_client/pam_message.c | 178 +++++++++++++++++++++++++++++++++++++++++++ - src/sss_client/pam_message.h | 61 +++++++++++++++ - src/sss_client/pam_sss.c | 177 +----------------------------------------- - 4 files changed, 242 insertions(+), 176 deletions(-) - create mode 100644 src/sss_client/pam_message.c - create mode 100644 src/sss_client/pam_message.h - -diff --git a/Makefile.am b/Makefile.am -index 793a2a67be11232aefa67e57b986f6304b8a68b3..e8bd8b3237a9b533a3a102059ab9ca083714abe0 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -614,6 +614,7 @@ dist_noinst_HEADERS = \ - src/tests/cmocka/common_mock_resp.h \ - src/tests/cmocka/common_mock_sdap.h \ - src/tests/cmocka/common_mock_sysdb_objects.h \ -+ src/sss_client/pam_message.h \ - src/sss_client/ssh/sss_ssh_client.h \ - src/sss_client/sudo/sss_sudo.h \ - src/sss_client/libwbclient/libwbclient.h \ -@@ -2358,6 +2359,7 @@ endif - pamlib_LTLIBRARIES = pam_sss.la - pam_sss_la_SOURCES = \ - src/sss_client/pam_sss.c \ -+ src/sss_client/pam_message.c \ - src/sss_client/common.c \ - src/sss_client/sss_cli.h \ - src/util/atomic_io.c \ -diff --git a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c -new file mode 100644 -index 0000000000000000000000000000000000000000..b8104c680d0e733b713c665e6206dc4b0d379237 ---- /dev/null -+++ b/src/sss_client/pam_message.c -@@ -0,0 +1,178 @@ -+/* -+ Authors: -+ Sumit Bose -+ -+ PAM client - create message blob -+ -+ Copyright (C) 2015 Red Hat -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms 
of the GNU Lesser General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public License -+ along with this program. If not, see . -+*/ -+ -+#include -+#include -+ -+#include "sss_pam_compat.h" -+#include "sss_pam_macros.h" -+ -+#include "pam_message.h" -+ -+#include "sss_cli.h" -+ -+static size_t add_authtok_item(enum pam_item_type type, -+ enum sss_authtok_type authtok_type, -+ const char *tok, const size_t size, -+ uint8_t *buf) -+{ -+ size_t rp = 0; -+ uint32_t c; -+ -+ if (tok == NULL) return 0; -+ -+ c = type; -+ memcpy(&buf[rp], &c, sizeof(uint32_t)); -+ rp += sizeof(uint32_t); -+ -+ c = size + sizeof(uint32_t); -+ memcpy(&buf[rp], &c, sizeof(uint32_t)); -+ rp += sizeof(uint32_t); -+ -+ c = authtok_type; -+ memcpy(&buf[rp], &c, sizeof(uint32_t)); -+ rp += sizeof(uint32_t); -+ -+ memcpy(&buf[rp], tok, size); -+ rp += size; -+ -+ return rp; -+} -+ -+static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val, -+ uint8_t *buf) -+{ -+ size_t rp = 0; -+ uint32_t c; -+ -+ c = type; -+ memcpy(&buf[rp], &c, sizeof(uint32_t)); -+ rp += sizeof(uint32_t); -+ -+ c = sizeof(uint32_t); -+ memcpy(&buf[rp], &c, sizeof(uint32_t)); -+ rp += sizeof(uint32_t); -+ -+ c = val; -+ memcpy(&buf[rp], &c, sizeof(uint32_t)); -+ rp += sizeof(uint32_t); -+ -+ return rp; -+} -+ -+static size_t add_string_item(enum pam_item_type type, const char *str, -+ const size_t size, uint8_t *buf) -+{ -+ size_t rp = 0; -+ uint32_t c; -+ -+ if (str == NULL || *str == '\0') return 0; -+ -+ c = type; -+ memcpy(&buf[rp], &c, sizeof(uint32_t)); -+ rp += sizeof(uint32_t); -+ -+ c = size; 
-+ memcpy(&buf[rp], &c, sizeof(uint32_t)); -+ rp += sizeof(uint32_t); -+ -+ memcpy(&buf[rp], str, size); -+ rp += size; -+ -+ return rp; -+} -+ -+int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer) -+{ -+ int len; -+ uint8_t *buf; -+ size_t rp; -+ -+ len = sizeof(uint32_t) + -+ 2*sizeof(uint32_t) + pi->pam_user_size + -+ sizeof(uint32_t); -+ len += *pi->pam_service != '\0' ? -+ 2*sizeof(uint32_t) + pi->pam_service_size : 0; -+ len += *pi->pam_tty != '\0' ? -+ 2*sizeof(uint32_t) + pi->pam_tty_size : 0; -+ len += *pi->pam_ruser != '\0' ? -+ 2*sizeof(uint32_t) + pi->pam_ruser_size : 0; -+ len += *pi->pam_rhost != '\0' ? -+ 2*sizeof(uint32_t) + pi->pam_rhost_size : 0; -+ len += pi->pam_authtok != NULL ? -+ 3*sizeof(uint32_t) + pi->pam_authtok_size : 0; -+ len += pi->pam_newauthtok != NULL ? -+ 3*sizeof(uint32_t) + pi->pam_newauthtok_size : 0; -+ len += 3*sizeof(uint32_t); /* cli_pid */ -+ len += *pi->requested_domains != '\0' ? -+ 2*sizeof(uint32_t) + pi->requested_domains_size : 0; -+ -+ buf = malloc(len); -+ if (buf == NULL) { -+ D(("malloc failed.")); -+ return PAM_BUF_ERR; -+ } -+ -+ rp = 0; -+ SAFEALIGN_SETMEM_UINT32(buf, SSS_START_OF_PAM_REQUEST, &rp); -+ -+ rp += add_string_item(SSS_PAM_ITEM_USER, pi->pam_user, pi->pam_user_size, -+ &buf[rp]); -+ -+ rp += add_string_item(SSS_PAM_ITEM_SERVICE, pi->pam_service, -+ pi->pam_service_size, &buf[rp]); -+ -+ rp += add_string_item(SSS_PAM_ITEM_TTY, pi->pam_tty, pi->pam_tty_size, -+ &buf[rp]); -+ -+ rp += add_string_item(SSS_PAM_ITEM_RUSER, pi->pam_ruser, pi->pam_ruser_size, -+ &buf[rp]); -+ -+ rp += add_string_item(SSS_PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size, -+ &buf[rp]); -+ -+ rp += add_string_item(SSS_PAM_ITEM_REQUESTED_DOMAINS, pi->requested_domains, pi->requested_domains_size, -+ &buf[rp]); -+ -+ rp += add_uint32_t_item(SSS_PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid, -+ &buf[rp]); -+ -+ rp += add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type, -+ pi->pam_authtok, 
pi->pam_authtok_size, &buf[rp]); -+ -+ rp += add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type, -+ pi->pam_newauthtok, pi->pam_newauthtok_size, -+ &buf[rp]); -+ -+ SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp); -+ -+ if (rp != len) { -+ D(("error during packet creation.")); -+ free(buf); -+ return PAM_BUF_ERR; -+ } -+ -+ *size = len; -+ *buffer = buf; -+ -+ return 0; -+} -diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h -new file mode 100644 -index 0000000000000000000000000000000000000000..8ade6d871b840d4d0153bbf56e0d458861ab3816 ---- /dev/null -+++ b/src/sss_client/pam_message.h -@@ -0,0 +1,61 @@ -+/* -+ Authors: -+ Sumit Bose -+ -+ Copyright (C) 2015 Red Hat -+ -+ PAM client - create message blob -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU Lesser General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public License -+ along with this program. If not, see . 
-+*/ -+ -+#ifndef _PAM_MESSAGE_H_ -+#define _PAM_MESSAGE_H_ -+ -+#include -+#include -+ -+struct pam_items { -+ const char *pam_service; -+ const char *pam_user; -+ const char *pam_tty; -+ const char *pam_ruser; -+ const char *pam_rhost; -+ char *pam_authtok; -+ char *pam_newauthtok; -+ const char *pamstack_authtok; -+ const char *pamstack_oldauthtok; -+ size_t pam_service_size; -+ size_t pam_user_size; -+ size_t pam_tty_size; -+ size_t pam_ruser_size; -+ size_t pam_rhost_size; -+ int pam_authtok_type; -+ size_t pam_authtok_size; -+ int pam_newauthtok_type; -+ size_t pam_newauthtok_size; -+ pid_t cli_pid; -+ const char *login_name; -+ char *domain_name; -+ const char *requested_domains; -+ size_t requested_domains_size; -+ char *otp_vendor; -+ char *otp_token_id; -+ char *otp_challenge; -+ char *first_factor; -+}; -+ -+int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer); -+ -+#endif /* _PAM_MESSAGE_H_ */ -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index f11871a47d1b29f44c179e57a33d8f41be79078d..e01c5031650d3837a23f8a7404d334a9d2f55441 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -40,6 +40,7 @@ - #include "sss_pam_macros.h" - - #include "sss_cli.h" -+#include "pam_message.h" - #include "util/atomic_io.h" - #include "util/authtok-utils.h" - -@@ -65,36 +66,6 @@ - #define EXP_ACC_MSG _("Permission denied. 
") - #define SRV_MSG _("Server message: ") - --struct pam_items { -- const char* pam_service; -- const char* pam_user; -- const char* pam_tty; -- const char* pam_ruser; -- const char* pam_rhost; -- char* pam_authtok; -- char* pam_newauthtok; -- const char* pamstack_authtok; -- const char* pamstack_oldauthtok; -- size_t pam_service_size; -- size_t pam_user_size; -- size_t pam_tty_size; -- size_t pam_ruser_size; -- size_t pam_rhost_size; -- int pam_authtok_type; -- size_t pam_authtok_size; -- int pam_newauthtok_type; -- size_t pam_newauthtok_size; -- pid_t cli_pid; -- const char *login_name; -- char *domain_name; -- const char *requested_domains; -- size_t requested_domains_size; -- char *otp_vendor; -- char *otp_token_id; -- char *otp_challenge; -- char *first_factor; --}; -- - #define DEBUG_MGS_LEN 1024 - #define MAX_AUTHTOK_SIZE (1024*1024) - #define CHECK_AND_RETURN_PI_STRING(s) ((s != NULL && *s != '\0')? s : "(not available)") -@@ -146,75 +117,6 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err) - sss_pam_close_fd(); - } - --static size_t add_authtok_item(enum pam_item_type type, -- enum sss_authtok_type authtok_type, -- const char *tok, const size_t size, -- uint8_t *buf) { -- size_t rp=0; -- uint32_t c; -- -- if (tok == NULL) return 0; -- -- c = type; -- memcpy(&buf[rp], &c, sizeof(uint32_t)); -- rp += sizeof(uint32_t); -- -- c = size + sizeof(uint32_t); -- memcpy(&buf[rp], &c, sizeof(uint32_t)); -- rp += sizeof(uint32_t); -- -- c = authtok_type; -- memcpy(&buf[rp], &c, sizeof(uint32_t)); -- rp += sizeof(uint32_t); -- -- memcpy(&buf[rp], tok, size); -- rp += size; -- -- return rp; --} -- -- --static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val, -- uint8_t *buf) { -- size_t rp=0; -- uint32_t c; -- -- c = type; -- memcpy(&buf[rp], &c, sizeof(uint32_t)); -- rp += sizeof(uint32_t); -- -- c = sizeof(uint32_t); -- memcpy(&buf[rp], &c, sizeof(uint32_t)); -- rp += sizeof(uint32_t); -- -- c = val; -- memcpy(&buf[rp], &c, 
sizeof(uint32_t)); -- rp += sizeof(uint32_t); -- -- return rp; --} -- --static size_t add_string_item(enum pam_item_type type, const char *str, -- const size_t size, uint8_t *buf) { -- size_t rp=0; -- uint32_t c; -- -- if (str == NULL || *str == '\0') return 0; -- -- c = type; -- memcpy(&buf[rp], &c, sizeof(uint32_t)); -- rp += sizeof(uint32_t); -- -- c = size; -- memcpy(&buf[rp], &c, sizeof(uint32_t)); -- rp += sizeof(uint32_t); -- -- memcpy(&buf[rp], str, size); -- rp += size; -- -- return rp; --} -- - static void overwrite_and_free_authtoks(struct pam_items *pi) - { - if (pi->pam_authtok != NULL) { -@@ -256,83 +158,6 @@ static void overwrite_and_free_pam_items(struct pam_items *pi) - pi->otp_challenge = NULL; - } - --static int pack_message_v3(struct pam_items *pi, size_t *size, -- uint8_t **buffer) { -- int len; -- uint8_t *buf; -- size_t rp; -- -- len = sizeof(uint32_t) + -- 2*sizeof(uint32_t) + pi->pam_user_size + -- sizeof(uint32_t); -- len += *pi->pam_service != '\0' ? -- 2*sizeof(uint32_t) + pi->pam_service_size : 0; -- len += *pi->pam_tty != '\0' ? -- 2*sizeof(uint32_t) + pi->pam_tty_size : 0; -- len += *pi->pam_ruser != '\0' ? -- 2*sizeof(uint32_t) + pi->pam_ruser_size : 0; -- len += *pi->pam_rhost != '\0' ? -- 2*sizeof(uint32_t) + pi->pam_rhost_size : 0; -- len += pi->pam_authtok != NULL ? -- 3*sizeof(uint32_t) + pi->pam_authtok_size : 0; -- len += pi->pam_newauthtok != NULL ? -- 3*sizeof(uint32_t) + pi->pam_newauthtok_size : 0; -- len += 3*sizeof(uint32_t); /* cli_pid */ -- len += *pi->requested_domains != '\0' ? 
-- 2*sizeof(uint32_t) + pi->requested_domains_size : 0; -- -- -- buf = malloc(len); -- if (buf == NULL) { -- D(("malloc failed.")); -- return PAM_BUF_ERR; -- } -- -- rp = 0; -- SAFEALIGN_SETMEM_UINT32(buf, SSS_START_OF_PAM_REQUEST, &rp); -- -- rp += add_string_item(SSS_PAM_ITEM_USER, pi->pam_user, pi->pam_user_size, -- &buf[rp]); -- -- rp += add_string_item(SSS_PAM_ITEM_SERVICE, pi->pam_service, -- pi->pam_service_size, &buf[rp]); -- -- rp += add_string_item(SSS_PAM_ITEM_TTY, pi->pam_tty, pi->pam_tty_size, -- &buf[rp]); -- -- rp += add_string_item(SSS_PAM_ITEM_RUSER, pi->pam_ruser, pi->pam_ruser_size, -- &buf[rp]); -- -- rp += add_string_item(SSS_PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size, -- &buf[rp]); -- -- rp += add_string_item(SSS_PAM_ITEM_REQUESTED_DOMAINS, pi->requested_domains, pi->requested_domains_size, -- &buf[rp]); -- -- rp += add_uint32_t_item(SSS_PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid, -- &buf[rp]); -- -- rp += add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type, -- pi->pam_authtok, pi->pam_authtok_size, &buf[rp]); -- -- rp += add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type, -- pi->pam_newauthtok, pi->pam_newauthtok_size, -- &buf[rp]); -- -- SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp); -- -- if (rp != len) { -- D(("error during packet creation.")); -- free(buf); -- return PAM_BUF_ERR; -- } -- -- *size = len; -- *buffer = buf; -- -- return 0; --} -- - static int null_strcmp(const char *s1, const char *s2) { - if (s1 == NULL && s2 == NULL) return 0; - if (s1 == NULL && s2 != NULL) return -1; --- -2.4.3 - diff --git a/0030-PAM-add-PAM-responder-unit-test.patch b/0030-PAM-add-PAM-responder-unit-test.patch deleted file mode 100644 index 8c79a7b..0000000 --- a/0030-PAM-add-PAM-responder-unit-test.patch +++ /dev/null 
@@ -1,1060 +0,0 @@ -From 21cd0d4ed996f67d51020f573947a6b2cd794771 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 19 Mar 2015 13:12:11 +0100 -Subject: [PATCH 30/30] PAM: add PAM responder unit test -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit ea422c7061072c125eb53b40d7f3ca444d886913) ---- - Makefile.am | 32 ++ - src/sss_client/sss_cli.h | 4 +- - src/tests/cmocka/test_pam_srv.c | 965 ++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 999 insertions(+), 2 deletions(-) - create mode 100644 src/tests/cmocka/test_pam_srv.c - -diff --git a/Makefile.am b/Makefile.am -index e8bd8b3237a9b533a3a102059ab9ca083714abe0..251a3ae5846d5e906fb55477cd06bed1706f866a 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -220,6 +220,7 @@ if HAVE_CMOCKA - test_copy_keytab \ - test_child_common \ - test_fo_srv \ -+ pam-srv-tests \ - $(NULL) - - if HAVE_LIBRESOLV -@@ -1781,6 +1782,37 @@ nss_srv_tests_LDADD = \ - libsss_test_common.la \ - libsss_idmap.la - -+EXTRA_pam_srv_tests_DEPENDENCIES = \ -+ $(ldblib_LTLIBRARIES) \ -+ $(NULL) -+pam_srv_tests_SOURCES = \ -+ $(TEST_MOCK_RESP_OBJ) \ -+ src/tests/cmocka/test_pam_srv.c \ -+ src/sss_client/pam_message.c \ -+ src/responder/pam/pamsrv_cmd.c \ -+ src/responder/pam/pam_helpers.c \ -+ src/responder/pam/pamsrv_dp.c \ -+ src/responder/pam/pam_LOCAL_domain.c \ -+ $(NULL) -+pam_srv_tests_CFLAGS = \ -+ $(AM_CFLAGS) \ -+ $(NULL) -+pam_srv_tests_LDFLAGS = \ -+ -Wl,-wrap,sss_packet_get_body \ -+ -Wl,-wrap,sss_packet_get_cmd \ -+ -Wl,-wrap,sss_cmd_send_empty \ -+ -Wl,-wrap,sss_cmd_done \ -+ -Wl,-wrap,pam_dp_send_req \ -+ $(NULL) -+pam_srv_tests_LDADD = \ -+ $(CMOCKA_LIBS) \ -+ $(PAM_LIBS) \ -+ $(SSSD_LIBS) \ -+ $(SSSD_INTERNAL_LTLIBS) \ -+ libsss_test_common.la \ -+ libsss_idmap.la \ -+ $(NULL) -+ - EXTRA_responder_get_domains_tests_DEPENDENCIES = \ - $(ldblib_LTLIBRARIES) - responder_get_domains_tests_SOURCES = \ -diff --git 
a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h -index 317700ef8cfcbb1b58e2a7d1ffcc7f00658fe815..6902d711e30ef327f1c7bcf8348ff419d3f63092 100644 ---- a/src/sss_client/sss_cli.h -+++ b/src/sss_client/sss_cli.h -@@ -430,12 +430,12 @@ enum response_type { - * - #SSS_PAM_USER_INFO_OFFLINE_CHPASS - * uint32_t | uint32_t | uint32_t - * ----------|----------|---------- -- * 0x06 | 0x01 | 0x03 -+ * 0x06 | 0x04 | 0x03 - * - * - #SSS_PAM_USER_INFO_CHPASS_ERROR - * uint32_t | uint32_t | uint32_t | uint32_t | uint8_t[3] - * ----------|----------|----------|----------|------------ -- * 0x06 | 0x05 | 0x04 | 0x03 | abc -+ * 0x06 | 0x0B | 0x04 | 0x03 | abc - * @{ - */ - -diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c -new file mode 100644 -index 0000000000000000000000000000000000000000..03faea249a31359d721e82cfd5bc2f9f375d0592 ---- /dev/null -+++ b/src/tests/cmocka/test_pam_srv.c -@@ -0,0 +1,965 @@ -+/* -+ Authors: -+ Sumit Bose -+ -+ Copyright (C) 2015 Red Hat -+ -+ SSSD tests: PAM responder tests -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . 
-+*/ -+ -+#include -+#include -+ -+#include "tests/cmocka/common_mock.h" -+#include "tests/cmocka/common_mock_resp.h" -+#include "responder/common/responder_packet.h" -+#include "responder/common/negcache.h" -+#include "responder/pam/pamsrv.h" -+#include "responder/pam/pam_helpers.h" -+#include "sss_client/pam_message.h" -+#include "sss_client/sss_cli.h" -+ -+#include "util/crypto/nss/nss_util.h" -+ -+#define TESTS_PATH "tests_pam" -+#define TEST_CONF_DB "test_pam_conf.ldb" -+#define TEST_DOM_NAME "pam_test" -+#define TEST_SUBDOM_NAME "test.subdomain" -+#define TEST_ID_PROVIDER "ldap" -+ -+struct pam_test_ctx { -+ struct sss_test_ctx *tctx; -+ struct sss_domain_info *subdom; -+ -+ struct resp_ctx *rctx; -+ struct cli_ctx *cctx; -+ struct sss_cmd_table *pam_cmds; -+ struct pam_ctx *pctx; -+ -+ int ncache_hits; -+ int exp_pam_status; -+}; -+ -+/* Must be global because it is needed in some wrappers */ -+struct pam_test_ctx *pam_test_ctx; -+ -+struct pam_ctx *mock_pctx(TALLOC_CTX *mem_ctx) -+{ -+ struct pam_ctx *pctx; -+ errno_t ret; -+ -+ pctx = talloc_zero(mem_ctx, struct pam_ctx); -+ assert_non_null(pctx); -+ -+ ret = sss_ncache_init(pctx, &pctx->ncache); -+ assert_int_equal(ret, EOK); -+ -+ pctx->neg_timeout = 10; -+ -+ ret = sss_hash_create(pctx, 10, &pctx->id_table); -+ assert_int_equal(ret, EOK); -+ -+ return pctx; -+} -+ -+void test_pam_setup(struct sss_test_conf_param params[], -+ void **state) -+{ -+ errno_t ret; -+ -+ pam_test_ctx = talloc_zero(NULL, struct pam_test_ctx); -+ assert_non_null(pam_test_ctx); -+ -+ pam_test_ctx->tctx = create_dom_test_ctx(pam_test_ctx, TESTS_PATH, -+ TEST_CONF_DB, TEST_DOM_NAME, -+ TEST_ID_PROVIDER, params); -+ assert_non_null(pam_test_ctx->tctx); -+ -+ pam_test_ctx->pam_cmds = get_pam_cmds(); -+ assert_non_null(pam_test_ctx->pam_cmds); -+ -+ /* FIXME - perhaps this should be folded into sssd_domain_init or stricty -+ * used together -+ */ -+ ret = sss_names_init(pam_test_ctx, pam_test_ctx->tctx->confdb, -+ TEST_DOM_NAME, 
&pam_test_ctx->tctx->dom->names); -+ assert_int_equal(ret, EOK); -+ -+ /* Initialize the PAM responder */ -+ pam_test_ctx->pctx = mock_pctx(pam_test_ctx); -+ assert_non_null(pam_test_ctx->pctx); -+ -+ pam_test_ctx->rctx = mock_rctx(pam_test_ctx, pam_test_ctx->tctx->ev, -+ pam_test_ctx->tctx->dom, pam_test_ctx->pctx); -+ assert_non_null(pam_test_ctx->rctx); -+ pam_test_ctx->rctx->cdb = pam_test_ctx->tctx->confdb; -+ pam_test_ctx->pctx->rctx = pam_test_ctx->rctx; -+ -+ /* Create client context */ -+ pam_test_ctx->cctx = mock_cctx(pam_test_ctx, pam_test_ctx->rctx); -+ assert_non_null(pam_test_ctx->cctx); -+ -+ pam_test_ctx->cctx->cli_protocol_version = register_cli_protocol_version(); -+} -+ -+static int pam_test_setup(void **state) -+{ -+ int ret; -+ -+ struct sss_test_conf_param params[] = { -+ { "enumerate", "false" }, -+ { "cache_credentials", "true" }, -+ { NULL, NULL }, /* Sentinel */ -+ }; -+ -+ test_pam_setup(params, state); -+ -+ /* Prime the cache with a valid user */ -+ ret = sysdb_add_user(pam_test_ctx->tctx->dom, -+ "pamuser", 123, 456, "pam user", -+ "/home/pamuser", "/bin/sh", NULL, -+ NULL, 300, 0); -+ assert_int_equal(ret, EOK); -+ -+ /* Add entry to the initgr cache to make sure no initgr request is sent to -+ * the backend */ -+ ret = pam_initgr_cache_set(pam_test_ctx->pctx->rctx->ev, -+ pam_test_ctx->pctx->id_table, -+ discard_const("pamuser"), -+ pam_test_ctx->pctx->id_timeout); -+ assert_int_equal(ret, EOK); -+ return 0; -+} -+ -+static int pam_test_teardown(void **state) -+{ -+ int ret; -+ -+ ret = sysdb_delete_user(pam_test_ctx->tctx->dom, "pamuser", 0); -+ assert_int_equal(ret, EOK); -+ -+ talloc_free(pam_test_ctx); -+ return 0; -+} -+ -+typedef int (*cmd_cb_fn_t)(uint32_t, uint8_t *, size_t); -+ -+void __real_sss_packet_get_body(struct sss_packet *packet, -+ uint8_t **body, size_t *blen); -+ -+void __wrap_sss_packet_get_body(struct sss_packet *packet, -+ uint8_t **body, size_t *blen) -+{ -+ enum sss_test_wrapper_call wtype = 
sss_mock_type(enum sss_test_wrapper_call); -+ size_t len; -+ -+ if (wtype == WRAP_CALL_REAL) { -+ return __real_sss_packet_get_body(packet, body, blen); -+ } -+ -+ *body = sss_mock_ptr_type(uint8_t *); -+ len = sss_mock_type(size_t); -+ if (len == 0) { -+ len = strlen((const char *) *body) + 1; -+ } -+ *blen = len; -+ return; -+} -+ -+void __real_sss_packet_get_body(struct sss_packet *packet, -+ uint8_t **body, size_t *blen); -+ -+void __wrap_sss_cmd_done(struct cli_ctx *cctx, void *freectx) -+{ -+ struct sss_packet *packet = cctx->creq->out; -+ uint8_t *body; -+ size_t blen; -+ cmd_cb_fn_t check_cb; -+ -+ assert_non_null(packet); -+ -+ check_cb = sss_mock_ptr_type(cmd_cb_fn_t); -+ -+ __real_sss_packet_get_body(packet, &body, &blen); -+ -+ pam_test_ctx->tctx->error = check_cb(sss_packet_get_status(packet), -+ body, blen); -+ pam_test_ctx->tctx->done = true; -+} -+ -+enum sss_cli_command __wrap_sss_packet_get_cmd(struct sss_packet *packet) -+{ -+ return sss_mock_type(enum sss_cli_command); -+} -+ -+int __wrap_sss_cmd_send_empty(struct cli_ctx *cctx, TALLOC_CTX *freectx) -+{ -+ pam_test_ctx->tctx->done = true; -+ pam_test_ctx->tctx->error = ENOENT; -+ return EOK; -+} -+ -+static void set_cmd_cb(cmd_cb_fn_t fn) -+{ -+ will_return(__wrap_sss_cmd_done, fn); -+} -+ -+int __wrap_pam_dp_send_req(struct pam_auth_req *preq, int timeout) -+{ -+ -+ /* Set expected status */ -+ preq->pd->pam_status = pam_test_ctx->exp_pam_status; -+ -+ preq->callback(preq); -+ -+ return EOK; -+} -+ -+static void mock_input_pam(TALLOC_CTX *mem_ctx, const char *name, -+ const char *pwd, const char *fa2) -+{ -+ size_t buf_size; -+ uint8_t *m_buf; -+ uint8_t *buf; -+ struct pam_items pi = { 0 }; -+ int ret; -+ size_t needed_size; -+ uint8_t *authtok; -+ -+ pi.pam_user = name; -+ pi.pam_user_size = strlen(pi.pam_user) + 1; -+ -+ if (pwd != NULL) { -+ if (fa2 != NULL) { -+ ret = sss_auth_pack_2fa_blob(pwd, 0, fa2, 0, NULL, 0, &needed_size); -+ assert_int_equal(ret, EAGAIN); -+ -+ authtok = 
talloc_size(mem_ctx, needed_size);
-+ assert_non_null(authtok);
-+
-+ ret = sss_auth_pack_2fa_blob(pwd, 0, fa2, 0, authtok,
-+ needed_size, &needed_size);
-+ assert_int_equal(ret, EOK);
-+
-+ pi.pam_authtok = (char *) authtok;
-+ pi.pam_authtok_size = needed_size;
-+ pi.pam_authtok_type = SSS_AUTHTOK_TYPE_2FA;
-+ } else {
-+ pi.pam_authtok = discard_const(pwd);
-+ pi.pam_authtok_size = strlen(pi.pam_authtok) + 1;
-+ pi.pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
-+ }
-+ }
-+
-+ pi.pam_service = "ssh";
-+ pi.pam_service_size = strlen(pi.pam_service) + 1;
-+ pi.pam_tty = "/dev/tty";
-+ pi.pam_tty_size = strlen(pi.pam_tty) + 1;
-+ pi.pam_ruser = "remuser";
-+ pi.pam_ruser_size = strlen(pi.pam_ruser) + 1;
-+ pi.pam_rhost = "remhost";
-+ pi.pam_rhost_size = strlen(pi.pam_rhost) + 1;
-+ pi.requested_domains = "";
-+ pi.cli_pid = 12345;
-+
-+ ret = pack_message_v3(&pi, &buf_size, &m_buf);
-+ assert_int_equal(ret, 0);
-+
-+ buf = talloc_memdup(mem_ctx, m_buf, buf_size);
-+ free(m_buf);
-+ assert_non_null(buf);
-+
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
-+ will_return(__wrap_sss_packet_get_body, buf);
-+ will_return(__wrap_sss_packet_get_body, buf_size);
-+}
-+
-+static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen)
-+{
-+ size_t rp = 0;
-+ uint32_t val;
-+
-+ assert_int_equal(status, 0);
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, 1);
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, 9);
-+
-+ assert_int_equal(*(body + rp + val - 1), 0);
-+ assert_string_equal(body + rp, TEST_DOM_NAME);
-+
-+ return EOK;
-+}
-+
-+static int test_pam_offline_chauthtok_check(uint32_t status,
-+ uint8_t *body, size_t blen)
-+{
-+ size_t rp = 0;
-+ uint32_t val;
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHTOK_ERR;
-+
-+ assert_int_equal(status, 0);
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, 2);
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, 9);
-+
-+ assert_int_equal(*(body + rp + val - 1), 0);
-+ assert_string_equal(body + rp, TEST_DOM_NAME);
-+ rp += val;
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, SSS_PAM_USER_INFO);
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, 4);
-+
-+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-+ assert_int_equal(val, SSS_PAM_USER_INFO_OFFLINE_CHPASS);
-+
-+ return EOK;
-+}
-+
-+
-+static int test_pam_failed_offline_auth_check(uint32_t status, uint8_t *body,
-+ size_t blen)
-+{
-+ pam_test_ctx->exp_pam_status = PAM_PERM_DENIED;
-+ return test_pam_simple_check(status, body, blen);
-+}
-+
-+static int test_pam_successful_offline_auth_check(uint32_t status,
-+ uint8_t *body, size_t blen)
-+{
-+ pam_test_ctx->exp_pam_status = PAM_SUCCESS;
-+ return test_pam_simple_check(status, body, blen);
-+}
-+
-+static int test_pam_wrong_pw_offline_auth_check(uint32_t status,
-+ uint8_t *body, size_t blen)
-+{
-+ pam_test_ctx->exp_pam_status = PAM_AUTH_ERR;
-+ return test_pam_simple_check(status, body, blen);
-+}
-+
-+void test_pam_authenticate(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ set_cmd_cb(test_pam_simple_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_setcreds(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_SETCRED);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ set_cmd_cb(test_pam_simple_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_SETCRED,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_acct_mgmt(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_ACCT_MGMT);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ set_cmd_cb(test_pam_simple_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_ACCT_MGMT,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_open_session(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_OPEN_SESSION);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_NO_MODULE_DATA;
-+ set_cmd_cb(test_pam_simple_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_OPEN_SESSION,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_close_session(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CLOSE_SESSION);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ set_cmd_cb(test_pam_simple_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CLOSE_SESSION,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_chauthtok(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ set_cmd_cb(test_pam_simple_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_chauthtok_prelim(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK_PRELIM);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ set_cmd_cb(test_pam_simple_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK_PRELIM,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_preauth(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ set_cmd_cb(test_pam_simple_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_no_hash(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "12345", NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_failed_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_success(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom, "pamuser", "12345");
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "12345", NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_successful_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_wrong_pw(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom, "pamuser", "12345");
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "11111", NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_success_2fa(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom, "pamuser", "12345");
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "12345", "abcde");
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_successful_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_failed_2fa(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom, "pamuser", "12345");
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "11111", "abcde");
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_success_2fa_with_cached_2fa(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom, "pamuser", "12345",
-+ SSS_AUTHTOK_TYPE_2FA, 5);
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "12345", "abcde");
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_successful_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_failed_2fa_with_cached_2fa(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom, "pamuser", "12345",
-+ SSS_AUTHTOK_TYPE_2FA, 5);
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "11111", "abcde");
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_success_pw_with_cached_2fa(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom, "pamuser", "12345",
-+ SSS_AUTHTOK_TYPE_2FA, 5);
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "12345", NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_successful_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_failed_pw_with_cached_2fa(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom, "pamuser", "12345",
-+ SSS_AUTHTOK_TYPE_2FA, 5);
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "11111", NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_success_combined_pw_with_cached_2fa(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom, "pamuser",
-+ "12345678", SSS_AUTHTOK_TYPE_2FA, 5);
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "12345678abcde", NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_successful_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_failed_combined_pw_with_cached_2fa(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom, "pamuser",
-+ "12345678", SSS_AUTHTOK_TYPE_2FA, 5);
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "11111111abcde", NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_auth_failed_wrong_2fa_size_with_cached_2fa(void **state)
-+{
-+ int ret;
-+
-+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom, "pamuser",
-+ "12345678", SSS_AUTHTOK_TYPE_2FA, 5);
-+ assert_int_equal(ret, EOK);
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", "12345678abcd", NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_chauthtok_prelim(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK_PRELIM);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_offline_chauthtok_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK_PRELIM,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+void test_pam_offline_chauthtok(void **state)
-+{
-+ int ret;
-+
-+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
-+
-+ set_cmd_cb(test_pam_offline_chauthtok_check);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+
-+int main(int argc, const char *argv[])
-+{
-+ int rv;
-+ int no_cleanup = 0;
-+ poptContext pc;
-+ int opt;
-+ struct poptOption long_options[] = {
-+ POPT_AUTOHELP
-+ SSSD_DEBUG_OPTS
-+ { "no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
-+ _("Do not delete the test database after a test run"), NULL },
-+ POPT_TABLEEND
-+ };
-+
-+ const struct CMUnitTest tests[] = {
-+ cmocka_unit_test_setup_teardown(test_pam_authenticate,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_setcreds,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_acct_mgmt,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_open_session,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_close_session,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_chauthtok,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_chauthtok_prelim,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_preauth,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_offline_auth_no_hash,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_offline_auth_success,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_offline_auth_wrong_pw,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_offline_auth_success_2fa,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_offline_auth_failed_2fa,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_pam_offline_auth_success_2fa_with_cached_2fa,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_pam_offline_auth_failed_2fa_with_cached_2fa,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_pam_offline_auth_success_pw_with_cached_2fa,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_pam_offline_auth_failed_pw_with_cached_2fa,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_pam_offline_auth_success_combined_pw_with_cached_2fa,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_pam_offline_auth_failed_combined_pw_with_cached_2fa,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_pam_offline_auth_failed_wrong_2fa_size_with_cached_2fa,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok_prelim,
-+ pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok,
-+ pam_test_setup, pam_test_teardown),
-+ };
-+
-+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
-+ debug_level = SSSDBG_INVALID;
-+
-+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
-+ while ((opt = poptGetNextOpt(pc)) != -1) {
-+ switch (opt) {
-+ default:
-+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
-+ poptBadOption(pc, 0), poptStrerror(opt));
-+ poptPrintUsage(pc, stderr, 0);
-+ return 1;
-+ }
-+ }
-+ poptFreeContext(pc);
-+
-+ DEBUG_CLI_INIT(debug_level);
-+
-+ /* Even though normally the tests should clean up after themselves
-+ * they might not after a failed run. Remove the old db to be sure */
-+ tests_set_cwd();
-+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
-+ test_dom_suite_setup(TESTS_PATH);
-+
-+ rv = cmocka_run_group_tests(tests, NULL, NULL);
-+ if (rv == 0 && !no_cleanup) {
-+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
-+ }
-+
-+#ifdef HAVE_NSS
-+ /* Cleanup NSS and NSPR to make valgrund happy. */
-+ nspr_nss_cleanup();
-+#endif
-+
-+ return rv;
-+}
--- 
-2.4.3
-
diff --git a/sources b/sources
index 0165a02..63df876 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-4439852e76e221c9bcd60a8586c136e2 sssd-1.12.5.tar.gz
+0ffa8d3b8d7d22acb9200e11b1f641dd sssd-1.13.0alpha.tar.gz
diff --git a/sssd.spec b/sssd.spec
index d622a5b..25643e9 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -28,46 +28,16 @@ %endif Name: sssd -Version: 1.12.5 -Release: 4%{?dist} +Version: 1.13.0 +Release: 1%{?dist}.alpha Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ URL: http://fedorahosted.org/sssd/ -Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz +Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}alpha.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### -Patch0001: 0001-BUILD-Remove-unused-libraries-for-pysss.so.patch -Patch0002: 0002-BUILD-Remove-unused-variables.patch -Patch0003: 0003-BUILD-Remove-detection-of-type-Py_ssize_t.patch -Patch0004: 0004-UTIL-Remove-python-wrapper-sss_python_set_new.patch -Patch0005: 0005-UTIL-Remove-python-wrapper-sss_python_set_add.patch -Patch0006: 0006-UTIL-Remove-python-wrapper-sss_python_set_check.patch -Patch0007: 0007-UTIL-Remove-compatibility-macro-PyModule_AddIntMacro.patch -Patch0008: 0008-UTIL-Remove-python-wrapper-sss_python_unicode_from_s.patch -Patch0009: 0009-BUILD-Use-python-config-for-detection-FLAGS.patch -Patch0010: 0010-SPEC-Use-new-convention-for-python-packages.patch -Patch0011: 0011-SPEC-Move-python-bindings-to-separate-packages.patch -Patch0012: 0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch -Patch0013: 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch -Patch0014: 0014-SPEC-Replace-python_-macros-with-python2_.patch -Patch0015: 0015-SPEC-Build-python3-bindings-on-available-platforms.patch -Patch0016: 0016-ad_opts-Use-different-default-attribute-for-group-na.patch -Patch0017: 0017-Add-leak-check-and-command-line-option-to-test_autht.patch -Patch0018: 0018-utils-add-sss_authtok_-gs-et_2fa.patch -Patch0019: 0019-pam-handle-2FA-authentication-token-in-the-responder.patch -Patch0020: 0020-Add-pre-auth-request.patch -Patch0021: 0021-krb5-child-add-preauth-and-split-2fa-token-support.patch -Patch0022: 0022-IPA-create-preauth-indicator-file-at-startup.patch 
-Patch0023: 0023-pam_sss-add-pre-auth-and-2fa-support.patch -Patch0024: 0024-Add-cache_credentials_minimal_first_factor_length-co.patch -Patch0025: 0025-sysdb-add-sysdb_cache_password_ex.patch -Patch0026: 0026-krb5-save-hash-of-the-first-authentication-factor-to.patch -Patch0027: 0027-krb5-try-delayed-online-authentication-only-for-sing.patch -Patch0028: 0028-2FA-offline-auth.patch -Patch0029: 0029-pam_sss-move-message-encoding-into-separate-file.patch -Patch0030: 0030-PAM-add-PAM-responder-unit-test.patch ### Dependencies ### Requires: sssd-common = %{version}-%{release} @@ -82,6 +52,7 @@ Requires: python3-sssdconfig = %{version}-%{release} %global servicename sssd %global sssdstatedir %{_localstatedir}/lib/sss %global dbpath %{sssdstatedir}/db +%global keytabdir %{sssdstatedir}/keytabs %global pipepath %{sssdstatedir}/pipes %global mcpath %{sssdstatedir}/mc %global pubconfpath %{sssdstatedir}/pubconf @@ -107,6 +78,7 @@ BuildRequires: dbus-libs BuildRequires: openldap-devel BuildRequires: pam-devel BuildRequires: nss-devel +BuildRequires: openssl-devel BuildRequires: nspr-devel BuildRequires: pcre-devel BuildRequires: libxslt @@ -407,14 +379,16 @@ Requires: libipa_hbac = %{version}-%{release} %description -n libipa_hbac-devel Utility library to validate FreeIPA HBAC rules for authorization requests -%package -n libipa_hbac-python +%package -n python-libipa_hbac Summary: Python2 bindings for the FreeIPA HBAC Evaluator library Group: Development/Libraries License: LGPLv3+ Requires: libipa_hbac = %{version}-%{release} +Provides: libipa_hbac-python = %{version}-%{release} +Obsoletes: libipa_hbac-python < 1.13.0 -%description -n libipa_hbac-python -The libipa_hbac-python contains the bindings so that libipa_hbac can be +%description -n python-libipa_hbac +The python-libipa_hbac contains the bindings so that libipa_hbac can be used by Python applications. %package -n python3-libipa_hbac 
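Review bot: `+Release: 1%{?dist}.alpha` places the pre-release tag after the dist tag, so the eventual final build `1.13.0-1%{?dist}` will compare lower than this alpha under rpm's release ordering (when the leading segments are equal, the release string with extra trailing segments is treated as newer), and the GA package would not be offered as an upgrade over the alpha. The Fedora pre-release convention keeps Release below 1 with the dist tag last, `Release: 0.1.alpha%{?dist}`, and the new changelog entry in the `@@ -1038,6 +1010,10 @@` hunk should carry the matching `1.13.0-0.1.alpha` string. Since `Source0` also spells out a literal `alpha` suffix, a single `%global prerelease alpha` macro referenced from Release, Source0 and the changelog would keep the three in step at the next bump; I am inferring the Release field's prior layout from the removed `-Release: 4%{?dist}` line only.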
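Review bot: The compatibility `Provides: libipa_hbac-python = %{version}-%{release}` added for the rename covers only the plain package name; because this subpackage ships arch-specific shared objects (`%{python2_sitearch}/pyhbac.so` in the `@@ -939,7 +911,7 @@` hunk), a dependency expressed as `libipa_hbac-python%{?_isa}` will no longer be satisfied. Fedora's renaming guidelines ask for the arch-qualified provide alongside, `Provides: libipa_hbac-python%{?_isa} = %{version}-%{release}`. The same applies to the `python-libsss_nss_idmap` rename in the `@@ -446,14 +420,16 @@` hunk, whose `%files` list the `%{python2_sitearch}/pysss_nss_idmap.so` objects.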
@@ -446,14 +420,16 @@ Requires: libsss_nss_idmap = %{version}-%{release} %description -n libsss_nss_idmap-devel Utility library for SID based lookups -%package -n libsss_nss_idmap-python +%package -n python-libsss_nss_idmap Summary: Python2 bindings for libsss_nss_idmap Group: Development/Libraries License: LGPLv3+ Requires: libsss_nss_idmap = %{version}-%{release} +Provides: libsss_nss_idmap-python = %{version}-%{release} +Obsoletes: libsss_nss_idmap-python < 1.13.0 -%description -n libsss_nss_idmap-python -The libsss_nss_idmap-python contains the bindings so that libsss_nss_idmap can +%description -n python-libsss_nss_idmap +The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can be used by Python applications. %package -n python3-libsss_nss_idmap @@ -534,7 +510,7 @@ UpdateTimestamps() { done } -%setup -q +%setup -q -n %{name}-1.12.90 for p in %patches ; do %__patch -p1 -i $p @@ -566,12 +542,6 @@ autoreconf -ivf make %{?_smp_mflags} all docs %check - -# the utility patch did not apply changes in file permissions -chmod 755 src/config/SSSDConfigTest.py*.sh \ - src/tests/pyhbac-test.py*.sh \ - src/tests/pysss_murmur-test.py*.sh - export CK_TIMEOUT_MULTIPLIER=10 make %{?_smp_mflags} check VERBOSE=yes unset CK_TIMEOUT_MULTIPLIER @@ -708,6 +678,7 @@ rm -rf $RPM_BUILD_ROOT #Internal shared libraries %{_libdir}/%{name}/libsss_child.so %{_libdir}/%{name}/libsss_crypt.so +%{_libdir}/%{name}/libsss_cert.so %{_libdir}/%{name}/libsss_debug.so %{_libdir}/%{name}/libsss_krb5_common.so %{_libdir}/%{name}/libsss_ldap_common.so @@ -781,6 +752,7 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root,-) %doc COPYING %attr(755,root,root) %dir %{pubconfpath}/krb5.include.d +%attr(700,root,root) %dir %{keytabdir} %{_libdir}/%{name}/libsss_ipa.so %{_libexecdir}/%{servicename}/selinux_child %{_mandir}/man5/sssd-ipa.5* 
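Review bot: `+%setup -q -n %{name}-1.12.90` hard-codes the unpacked directory as `sssd-1.12.90` while `Version` is `1.13.0` and `Source0` is named `%{name}-%{version}alpha.tar.gz`, so the directory name is now the only place where the tarball's internal version string appears and it will go stale silently at the next alpha/beta bump. If the upstream tarball indeed unpacks to `sssd-1.12.90` (I cannot verify the tarball contents from the diff), a comment on the line, `# the 1.13.0alpha tarball unpacks as sssd-1.12.90`, or a `%global` holding the directory name next to the other `%global` definitions in the `@@ -82,6 +52,7 @@` hunk would make the coupling visible to the next maintainer.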
@@ -929,7 +901,7 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libsss_nss_idmap.so %{_libdir}/pkgconfig/sss_nss_idmap.pc -%files -n libsss_nss_idmap-python +%files -n python-libsss_nss_idmap %defattr(-,root,root,-) %{python2_sitearch}/pysss_nss_idmap.so %{python2_sitearch}/_py2sss_nss_idmap.so @@ -939,7 +911,7 @@ rm -rf $RPM_BUILD_ROOT %{python3_sitearch}/pysss_nss_idmap.so %{python3_sitearch}/_py3sss_nss_idmap.so -%files -n libipa_hbac-python +%files -n python-libipa_hbac %defattr(-,root,root,-) %{python2_sitearch}/pyhbac.so %{python2_sitearch}/_py2hbac.so @@ -1038,6 +1010,10 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Mon Jun 22 2015 Lukas Slebodnik - 1.13.0-1.alpha +- New upstream release 1.13 alpha +- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.0alpha + * Fri Jun 19 2015 Fedora Release Engineering - 1.12.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild