Compare commits


22 Commits
rawhide ... f30

Author SHA1 Message Date
Michal Židek b62cbca7ed Resolves: upstream#4159 - p11_child should have an option to skip C_WaitForSlotEvent if the PKCS#11 module does not implement it properly 2020-02-27 06:13:20 +01:00
Michal Židek 69547de9a4 Resolves: upstream#4135 - util/sss_ptr_hash.c: potential double free in `sss_ptr_hash_delete_cb()` 2020-02-27 06:13:20 +01:00
Michal Židek 379f80d2ca Resolves: upstream#4118 sssd requires timed sudoers ldap entries to be specified up to the seconds 2020-02-27 06:13:20 +01:00
Michal Židek 8915b3954f Add sssd-dbus package as a dependency of sssd-tools 2020-02-27 06:13:20 +01:00
Michal Židek ff7c4a21d0 Resolves: upstream#4142 - sssd_be frequent crash 2020-02-27 06:13:20 +01:00
Michal Židek 9af45e39cd Resolves: upstream#4131 Force LDAPS over 636 with AD Provider 2020-02-27 06:13:20 +01:00
Michal Židek f4f3a2dcca Resolves: upstream#3630 - Randomize ldap_connection_expire_timeout either by default or w/ a configure option 2020-02-27 06:13:20 +01:00
Michal Židek ed1f57da00 Resolves: upstream#4135 - util/sss_ptr_hash.c: potential double free in `sss_ptr_hash_delete_cb()` 2020-02-27 06:13:20 +01:00
Michal Židek 5fb22adfc9 Resolves: upstream#4088 - server/be: SIGTERM handling is incorrect 2020-02-27 06:13:20 +01:00
Michal Židek 57935c4a32 Resolves: upstream#4089 Watchdog implementation or usage is incorrect 2020-02-27 06:13:20 +01:00
Michal Židek a574fcb984 Resolves: upstream#4126 pcscd rejecting sssd ldap_child as unauthorized 2020-02-27 06:13:20 +01:00
Michal Židek ee8fde703d Resolves: upstream#4127 - [Doc]Provide explanation on escape character for match rules sss-certmap 2020-02-27 06:13:20 +01:00
Michal Židek eb491b5232 Resolves: upstream#4129 - sssctl config-check command does not give proper error messages with line numbers 2020-02-27 06:13:20 +01:00
Michal Židek 3f232d02e9 Update to latest released upstream version 2.2.3 2020-02-27 06:13:20 +01:00
Adam Williamson 7e00e587f6 Backport PR #900 to fix RHBZ #1755643 2019-10-22 11:31:57 -07:00
Adam Williamson 374a7c5781 Backport PR #904 to fix RHBZ #1757224 2019-10-22 10:33:21 -07:00
Michal Židek 252666a315 Update to latest released upstream version 2.2.2 2019-09-17 14:36:40 +02:00
Jakub Hrozek 9fb549e162 Resolves: rhbz#1721636 - sssd-kcm calls sssd-genconf which triggers nscd warning (cherry picked from commit 7f0d43352a) 2019-07-05 17:39:42 +02:00
Jakub Hrozek 7d2f8acb2e Resolves: rhbz#1724717 - sssd-proxy crashes resolving groups with no members (cherry picked from commit d757370f98) 2019-07-05 17:39:42 +02:00
Michal Židek 80b558654c Update to latest released upstream version 2.2.0 2019-06-17 14:50:50 +02:00
Michal Židek 125adf7606 Resolves: upstream#3867 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers unreadable by SSSD. - CVE-2018-16838 (cherry picked from commit 1d0af0b97b) 2019-03-28 10:40:12 +01:00
Michal Židek 6625bffdcb Update to latest released upstream version 2.1.0 (cherry picked from commit 27d612fd39) 2019-03-28 10:39:12 +01:00
105 changed files with 2770 additions and 10754 deletions

.gitignore

@ -81,3 +81,8 @@ sssd-1.2.91.tar.gz
/sssd-1.16.1.tar.gz
/sssd-1.16.2.tar.gz
/sssd-2.0.0.tar.gz
/sssd-2.1.0.tar.gz
/sssd-2.2.0.tar.gz
/sssd-2.2.1.tar.gz
/sssd-2.2.2.tar.gz
/sssd-2.2.3.tar.gz


@ -1,27 +0,0 @@
From 53e6fdfd881f051898e85448832eafdd2ea09454 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 22 Nov 2018 11:33:20 +0100
Subject: [PATCH] BUILD: Accept krb5 1.17 for building the PAC plugin
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/external/pac_responder.m4 | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
index e0685f0ce..dc986a1b8 100644
--- a/src/external/pac_responder.m4
+++ b/src/external/pac_responder.m4
@@ -18,7 +18,8 @@ then
Kerberos\ 5\ release\ 1.13* | \
Kerberos\ 5\ release\ 1.14* | \
Kerberos\ 5\ release\ 1.15* | \
- Kerberos\ 5\ release\ 1.16*)
+ Kerberos\ 5\ release\ 1.16* | \
+ Kerberos\ 5\ release\ 1.17*)
krb5_version_ok=yes
AC_MSG_RESULT([yes])
;;
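Review bot: dropping this downstream patch is consistent with the krb5 1.18 patch added further down this page, whose context lines (index dc986a1b8..114d8470f) already carry `Kerberos\ 5\ release\ 1.17* | \` in upstream's pac_responder.m4, so the 1.17 case no longer needs to be carried in the package.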
--
2.20.0


@ -1,109 +0,0 @@
From 101934f29e6b76931b1499adc19ae7f7a976789d Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 14 Aug 2018 08:20:57 +0000
Subject: [PATCH 1/4] BUILD: Fix issue with installation of libsss_secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
libsss_secret.so is linked with libsss_util.so therefore it shoudl be
added into pkglib_LTLIBRARIES after libsss_util.so.
Otherwise there can failure in linking phase.
libtool: warning: relinking 'libsss_secrets.la'
libtool: install: (cd /home/build/sssd/ci-build-debug/intg/bld; /bin/sh
"/home/build/sssd/ci-build-debug/intg/bld/libtool" --tag CC
--mode=relink gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith
-Wcast-qual -Wcast-align -Wwrite-strings -Wundef
-Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs
-fno-strict-aliasing -std=gnu99 -O2 -g -g3 -O2 -Werror
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-avoid-version -o libsss_secrets.la -rpath
/tmp/sssd-intg.l7nl5pgb/lib/sssd
src/util/secrets/libsss_secrets_la-secrets.lo
src/util/secrets/libsss_secrets_la-config.lo -ltalloc -lldb
libsss_crypt.la libsss_debug.la libsss_util.la )
libtool: relink: gcc -shared -fPIC -DPIC
src/util/secrets/.libs/libsss_secrets_la-secrets.o
src/util/secrets/.libs/libsss_secrets_la-config.o -Wl,-rpath
-Wl,/tmp/sssd-intg.l7nl5pgb/lib/sssd -ltalloc -lldb
-L/tmp/sssd-intg.l7nl5pgb/lib/sssd -lsss_crypt -lsss_debug -lsss_util
-O2 -g -g3 -O2 -Wl,-soname -Wl,libsss_secrets.so -o
.libs/libsss_secrets.so
/usr/bin/ld: cannot find -lsss_util
collect2: error: ld returned 1 exit status
libtool: error: error: relink 'libsss_secrets.la' with the above
command before installing it
Merges: https://pagure.io/SSSD/sssd/pull-request/3808
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 43 +++++++++++++++++++++----------------------
1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index d313957..a2d8ea4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1209,28 +1209,6 @@ libsss_iface_sync_la_LDFLAGS = \
-avoid-version \
$(NULL)
-if BUILD_WITH_LIBSECRET
-pkglib_LTLIBRARIES += libsss_secrets.la
-
-libsss_secrets_la_SOURCES = \
- src/util/secrets/secrets.c \
- src/util/secrets/config.c \
- $(NULL)
-libsss_secrets_la_CFLAGS = \
- $(AM_CFLAGS) \
- $(NULL)
-libsss_secrets_la_LIBADD = \
- $(TALLOC_LIBS) \
- $(LDB_LIBS) \
- libsss_crypt.la \
- libsss_debug.la \
- libsss_util.la \
- $(NULL)
-libsss_secrets_la_LDFLAGS = \
- -avoid-version \
- $(NULL)
-endif
-
pkglib_LTLIBRARIES += libsss_util.la
libsss_util_la_SOURCES = \
src/confdb/confdb.c \
@@ -1314,6 +1292,27 @@ libsss_util_la_LIBADD += stap_generated_probes.lo
endif
libsss_util_la_LDFLAGS = -avoid-version
+if BUILD_WITH_LIBSECRET
+pkglib_LTLIBRARIES += libsss_secrets.la
+libsss_secrets_la_SOURCES = \
+ src/util/secrets/secrets.c \
+ src/util/secrets/config.c \
+ $(NULL)
+libsss_secrets_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+libsss_secrets_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ $(LDB_LIBS) \
+ libsss_crypt.la \
+ libsss_debug.la \
+ libsss_util.la \
+ $(NULL)
+libsss_secrets_la_LDFLAGS = \
+ -avoid-version \
+ $(NULL)
+endif
+
pkglib_LTLIBRARIES += libsss_semanage.la
libsss_semanage_la_CFLAGS = \
$(AM_CFLAGS) \
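Review bot: the fix depends purely on the order of the `pkglib_LTLIBRARIES +=` lines (libsss_secrets.la must now come after libsss_util.la so that `-lsss_util` resolves when libtool relinks at install time); a one-line comment next to `+if BUILD_WITH_LIBSECRET` stating that ordering requirement would keep a future cleanup from moving the block back above libsss_util.la and reintroducing the relink failure quoted in the message.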
--
2.9.5


@ -0,0 +1,53 @@
From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 24 Jan 2020 15:17:39 +0100
Subject: [PATCH] Fix build failure against samba 4.12.0rc1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The ndr_pull_get_switch() function was dropped, but it was just a wrapper
around the ndr_token_peek() function, so we can use this approach on both
old and new versions of libndr.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_gpo_ndr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
index d57303349..8f405aa62 100644
--- a/src/providers/ad/ad_gpo_ndr.c
+++ b/src/providers/ad/ad_gpo_ndr.c
@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
union security_ace_object_type *r)
{
uint32_t level;
- level = ndr_pull_get_switch_value(ndr, r);
+ level = ndr_token_peek(&ndr->switch_list, r);
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_union_align(ndr, 4));
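Review bot: the commit message says `ndr_pull_get_switch()` was dropped, but the function this hunk replaces is `ndr_pull_get_switch_value()`; align the message with the symbol actually removed so that a later reader searching for the old name finds the right patch.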
@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
union security_ace_object_inherited_type *r)
{
uint32_t level;
- level = ndr_pull_get_switch_value(ndr, r);
+ level = ndr_token_peek(&ndr->switch_list, r);
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_union_align(ndr, 4));
@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
union security_ace_object_ctr *r)
{
uint32_t level;
- level = ndr_pull_get_switch_value(ndr, r);
+ level = ndr_token_peek(&ndr->switch_list, r);
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_pull_union_align(ndr, 4));
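Review bot: the same one-line replacement appears in all three `ndr_pull_security_ace_object_*` functions, and each now passes `&ndr->switch_list`, which only type-checks if `switch_list` is an embedded `struct ndr_token_list` rather than a pointer in every libndr version the package builds against; the message asserts the approach works on both old and new libndr, so a build against the oldest samba-devel the package still supports is the check to run before carrying this. A small local helper for the three call sites would also keep the next libndr change to a single edit.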
--
2.20.1


@ -1,459 +0,0 @@
From 194438830cdd729e317c1e1baf93da7201dfd39b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 4 Feb 2019 12:00:01 +0100
Subject: [PATCH 1/3] sbus: avoid using invalid stack point in SBUS_INTERFACE
SBUS_INTERFACE macros expanded as:
struct sbus_interface bus =
({ sbus_interface(
"org.freedesktop.DBus",
((void *)0),
(((const struct sbus_method[])
{
({
/* ... compile time check of function signature omitted */ ;
sbus_method_sync(/* ... full list of params omitted */);
}),
...
This however includes an issue that methods/properties/signals are returned
by value, however stored in sbus_interface as pointers. Once we return out
of the top-level block and assign resulting sbus_interface into 'bus' variable
those objects allocated on stack becomes invalid and can be overwritten by other
allocations on stack.
This patch overcomes this issue by changing declaration of SBUS_INTERFACE and
avoiding using this top-level block. This still keeps the declarative structure
and simplifies the code as it does not require any memory handling and
tests for successful allocations.
const struct sbus_method __ ## varname ## _m[] = methods; \
const struct sbus_signal __ ## varname ## _s[] = signals; \
const struct sbus_property __ ## varname ## _p[] = properties; \
struct sbus_interface varname = SBUS_IFACE_ ## iface( \
(__ ## varname ## _m), \
(__ ## varname ## _s), \
(__ ## varname ## _p) \
)
Resolves:
https://pagure.io/SSSD/sssd/issue/3924
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/monitor/monitor.c | 2 +-
src/providers/data_provider/dp.c | 10 +++++-----
src/providers/data_provider_be.c | 2 +-
src/providers/proxy/proxy_child.c | 2 +-
src/providers/proxy/proxy_client.c | 2 +-
src/responder/autofs/autofssrv.c | 2 +-
src/responder/common/responder_iface.c | 6 +++---
src/responder/ifp/ifp_iface/ifp_iface.c | 24 ++++++++++++------------
src/responder/ifp/ifpsrv.c | 2 +-
src/responder/nss/nss_iface.c | 2 +-
src/responder/nss/nsssrv.c | 2 +-
src/sbus/interface/sbus_introspection.c | 2 +-
src/sbus/interface/sbus_properties.c | 2 +-
src/sbus/sbus_interface.h | 22 +++++++++++++++++-----
src/sbus/server/sbus_server_interface.c | 2 +-
15 files changed, 48 insertions(+), 36 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 136cf8f27..8d12f8133 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2018,7 +2018,7 @@ static void monitor_sbus_connected(struct tevent_req *req)
goto done;
}
- struct sbus_interface iface = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface,
sssd_monitor,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_monitor, RegisterService, monitor_sbus_RegisterService, ctx)
diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
index bd003c8b3..e79d6f294 100644
--- a/src/providers/data_provider/dp.c
+++ b/src/providers/data_provider/dp.c
@@ -33,7 +33,7 @@ dp_init_interface(struct data_provider *provider)
{
errno_t ret;
- struct sbus_interface iface_dp_client = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_dp_client,
sssd_DataProvider_Client,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_DataProvider_Client, Register, dp_client_register, provider)
@@ -42,7 +42,7 @@ dp_init_interface(struct data_provider *provider)
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_dp_backend = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_dp_backend,
sssd_DataProvider_Backend,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_DataProvider_Backend, IsOnline, dp_backend_is_online, provider->be_ctx)
@@ -51,7 +51,7 @@ dp_init_interface(struct data_provider *provider)
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_dp_failover = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_dp_failover,
sssd_DataProvider_Failover,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_DataProvider_Failover, ListServices, dp_failover_list_services, provider->be_ctx),
@@ -62,7 +62,7 @@ dp_init_interface(struct data_provider *provider)
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_dp_access = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_dp_access,
sssd_DataProvider_AccessControl,
SBUS_METHODS(
SBUS_ASYNC(METHOD, sssd_DataProvider_AccessControl, RefreshRules, dp_access_control_refresh_rules_send, dp_access_control_refresh_rules_recv, provider)
@@ -71,7 +71,7 @@ dp_init_interface(struct data_provider *provider)
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_dp = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_dp,
sssd_dataprovider,
SBUS_METHODS(
SBUS_ASYNC(METHOD, sssd_dataprovider, pamHandler, dp_pam_handler_send, dp_pam_handler_recv, provider),
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 7043e7a5f..942952b24 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -382,7 +382,7 @@ static void signal_be_reset_offline(struct tevent_context *ev,
static errno_t
be_register_monitor_iface(struct sbus_connection *conn, struct be_ctx *be_ctx)
{
- struct sbus_interface iface_service = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_service,
sssd_service,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_service, resInit, data_provider_res_init, be_ctx),
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
index 134f96f82..4f06d42aa 100644
--- a/src/providers/proxy/proxy_child.c
+++ b/src/providers/proxy/proxy_child.c
@@ -348,7 +348,7 @@ proxy_cli_init(struct pc_ctx *ctx)
return ENOMEM;
}
- struct sbus_interface iface = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface,
sssd_ProxyChild_Auth,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_ProxyChild_Auth, PAM, pc_pam_handler, ctx)
diff --git a/src/providers/proxy/proxy_client.c b/src/providers/proxy/proxy_client.c
index 1c325eee5..09ebf3bda 100644
--- a/src/providers/proxy/proxy_client.c
+++ b/src/providers/proxy/proxy_client.c
@@ -100,7 +100,7 @@ proxy_client_init(struct sbus_connection *conn,
{
errno_t ret;
- struct sbus_interface iface = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface,
sssd_ProxyChild_Client,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_ProxyChild_Client, Register, proxy_client_register, auth_ctx)
diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
index 614e901e7..230bd2aac 100644
--- a/src/responder/autofs/autofssrv.c
+++ b/src/responder/autofs/autofssrv.c
@@ -62,7 +62,7 @@ autofs_register_service_iface(struct autofs_ctx *autofs_ctx,
{
errno_t ret;
- struct sbus_interface iface_svc = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_svc,
sssd_service,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL),
diff --git a/src/responder/common/responder_iface.c b/src/responder/common/responder_iface.c
index 79b632c05..911cd6cc0 100644
--- a/src/responder/common/responder_iface.c
+++ b/src/responder/common/responder_iface.c
@@ -99,7 +99,7 @@ sss_resp_register_sbus_iface(struct sbus_connection *conn,
{
errno_t ret;
- struct sbus_interface iface_resp_domain = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_resp_domain,
sssd_Responder_Domain,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_Responder_Domain, SetActive, sss_resp_domain_active, rctx),
@@ -109,7 +109,7 @@ sss_resp_register_sbus_iface(struct sbus_connection *conn,
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_resp_negcache = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_resp_negcache,
sssd_Responder_NegativeCache,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_Responder_NegativeCache, ResetUsers, sss_resp_reset_ncache_users, rctx),
@@ -139,7 +139,7 @@ sss_resp_register_service_iface(struct resp_ctx *rctx)
{
errno_t ret;
- struct sbus_interface iface_svc = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_svc,
sssd_service,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL),
diff --git a/src/responder/ifp/ifp_iface/ifp_iface.c b/src/responder/ifp/ifp_iface/ifp_iface.c
index fa9f9ba53..a3385091b 100644
--- a/src/responder/ifp/ifp_iface/ifp_iface.c
+++ b/src/responder/ifp/ifp_iface/ifp_iface.c
@@ -77,7 +77,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
{
errno_t ret;
- struct sbus_interface iface_ifp = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp,
org_freedesktop_sssd_infopipe,
SBUS_METHODS(
SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe, Ping, ifp_ping, ctx),
@@ -96,7 +96,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_ifp_components = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_components,
org_freedesktop_sssd_infopipe_Components,
SBUS_METHODS(SBUS_NO_METHODS),
SBUS_SIGNALS(SBUS_NO_SIGNALS),
@@ -109,7 +109,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
)
);
- struct sbus_interface iface_ifp_domains = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_domains,
org_freedesktop_sssd_infopipe_Domains,
SBUS_METHODS(SBUS_NO_METHODS),
SBUS_SIGNALS(SBUS_NO_SIGNALS),
@@ -131,7 +131,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
)
);
- struct sbus_interface iface_ifp_domains_domain = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_domains_domain,
org_freedesktop_sssd_infopipe_Domains_Domain,
SBUS_METHODS(
SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Domains_Domain, IsOnline, ifp_domains_domain_is_online_send, ifp_domains_domain_is_online_recv, ctx),
@@ -144,7 +144,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_ifp_users = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_users,
org_freedesktop_sssd_infopipe_Users,
SBUS_METHODS(
SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Users, FindByName, ifp_users_find_by_name_send, ifp_users_find_by_name_recv, ctx),
@@ -159,7 +159,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_ifp_users_user = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_users_user,
org_freedesktop_sssd_infopipe_Users_User,
SBUS_METHODS(SBUS_NO_METHODS),
SBUS_SIGNALS(SBUS_NO_SIGNALS),
@@ -178,7 +178,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
)
);
- struct sbus_interface iface_ifp_cache_user = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_cache_user,
org_freedesktop_sssd_infopipe_Cache,
SBUS_METHODS(
SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache, List, ifp_cache_list_user, ctx),
@@ -188,7 +188,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_ifp_cache_object_user = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_cache_object_user,
org_freedesktop_sssd_infopipe_Cache_Object,
SBUS_METHODS(
SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache_Object, Store, ifp_cache_object_store_user, ctx),
@@ -198,7 +198,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_ifp_groups = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_groups,
org_freedesktop_sssd_infopipe_Groups,
SBUS_METHODS(
SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Groups, FindByName, ifp_groups_find_by_name_send, ifp_groups_find_by_name_recv, ctx),
@@ -210,7 +210,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_ifp_groups_group = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_groups_group,
org_freedesktop_sssd_infopipe_Groups_Group,
SBUS_METHODS(
SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Groups_Group, UpdateMemberList, ifp_groups_group_update_member_list_send, ifp_groups_group_update_member_list_recv, ctx)
@@ -225,7 +225,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
)
);
- struct sbus_interface iface_ifp_cache_group = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_cache_group,
org_freedesktop_sssd_infopipe_Cache,
SBUS_METHODS(
SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache, List, ifp_cache_list_group, ctx),
@@ -235,7 +235,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
);
- struct sbus_interface iface_ifp_cache_object_group = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_ifp_cache_object_group,
org_freedesktop_sssd_infopipe_Cache_Object,
SBUS_METHODS(
SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache_Object, Store, ifp_cache_object_store_group, ctx),
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
index 61072aad1..0c53534e4 100644
--- a/src/responder/ifp/ifpsrv.c
+++ b/src/responder/ifp/ifpsrv.c
@@ -135,7 +135,7 @@ ifp_register_service_iface(struct ifp_ctx *ifp_ctx,
{
errno_t ret;
- struct sbus_interface iface_svc = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_svc,
sssd_service,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL),
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
index f39c3d370..a47b35fca 100644
--- a/src/responder/nss/nss_iface.c
+++ b/src/responder/nss/nss_iface.c
@@ -219,7 +219,7 @@ nss_register_backend_iface(struct sbus_connection *conn,
{
errno_t ret;
- struct sbus_interface iface = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface,
sssd_nss_MemoryCache,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_nss_MemoryCache, UpdateInitgroups, nss_memorycache_update_initgroups, nss_ctx),
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index daaf3c06c..9cc9c5d35 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -276,7 +276,7 @@ nss_register_service_iface(struct nss_ctx *nss_ctx,
{
errno_t ret;
- struct sbus_interface iface_svc = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface_svc,
sssd_service,
SBUS_METHODS(
SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL),
diff --git a/src/sbus/interface/sbus_introspection.c b/src/sbus/interface/sbus_introspection.c
index b2de9a9ac..863383719 100644
--- a/src/sbus/interface/sbus_introspection.c
+++ b/src/sbus/interface/sbus_introspection.c
@@ -658,7 +658,7 @@ errno_t
sbus_register_introspection(struct sbus_router *router)
{
- struct sbus_interface iface = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface,
org_freedesktop_DBus_Introspectable,
SBUS_METHODS(
SBUS_ASYNC(METHOD, org_freedesktop_DBus_Introspectable, Introspect,
diff --git a/src/sbus/interface/sbus_properties.c b/src/sbus/interface/sbus_properties.c
index 9df4c6bd6..8be933caa 100644
--- a/src/sbus/interface/sbus_properties.c
+++ b/src/sbus/interface/sbus_properties.c
@@ -867,7 +867,7 @@ errno_t
sbus_register_properties(struct sbus_router *router)
{
- struct sbus_interface iface = SBUS_INTERFACE(
+ SBUS_INTERFACE(iface,
org_freedesktop_DBus_Properties,
SBUS_METHODS(
SBUS_ASYNC(METHOD, org_freedesktop_DBus_Properties, Get,
diff --git a/src/sbus/sbus_interface.h b/src/sbus/sbus_interface.h
index eb1462dd2..45ab4b5ad 100644
--- a/src/sbus/sbus_interface.h
+++ b/src/sbus/sbus_interface.h
@@ -80,7 +80,7 @@ struct sbus_node;
* };
*/
#define SBUS_METHODS(...) \
- (const struct sbus_method[]) { \
+ { \
__VA_ARGS__, \
SBUS_INTERFACE_SENTINEL \
}
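Review bot: with the compound-literal cast removed, `SBUS_METHODS(...)` (and `SBUS_SIGNALS`/`SBUS_PROPERTIES` in the next two hunks) expands to a bare brace list that is only valid as an initializer, so any use of these macros outside the new `SBUS_INTERFACE` form stops compiling; every call site in this diff is converted, which is the right outcome, but the doc examples in this same header still show the old `struct sbus_interface iface = { .name = ..., SBUS_METHODS(...) }` form and are only corrected in PATCH 2/3 further down, so the two patches should land together.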
@@ -117,7 +117,7 @@ struct sbus_node;
* };
*/
#define SBUS_SIGNALS(...) \
- (const struct sbus_signal[]) { \
+ { \
__VA_ARGS__, \
SBUS_INTERFACE_SENTINEL \
}
@@ -159,7 +159,7 @@ struct sbus_node;
* };
*/
#define SBUS_PROPERTIES(...) \
- (const struct sbus_property[]) { \
+ { \
__VA_ARGS__, \
SBUS_INTERFACE_SENTINEL \
}
@@ -228,6 +228,11 @@ struct sbus_node;
/**
* Create and sbus interface.
*
+ * @param varname Name of the variable that will hold the interface
+ * description. It is created as:
+ * struct sbus_interface varname;
+ * You can refer to it later when creating 'sbus_path'
+ * structure as &varname.
* @param iface Name of the interface with dots replaced
* with underscore. (token, not a string)
* @param methods Methods on the interface.
@@ -239,8 +244,15 @@ struct sbus_node;
*
* @see SBUS_METHODS, SBUS_SIGNALS, SBUS_PROPERTIES to create those arguments.
*/
-#define SBUS_INTERFACE(iface, methods, signals, properties) \
- SBUS_IFACE_ ## iface((methods), (signals), (properties))
+#define SBUS_INTERFACE(varname, iface, methods, signals, properties) \
+ const struct sbus_method __ ## varname ## _m[] = methods; \
+ const struct sbus_signal __ ## varname ## _s[] = signals; \
+ const struct sbus_property __ ## varname ## _p[] = properties; \
+ struct sbus_interface varname = SBUS_IFACE_ ## iface( \
+ (__ ## varname ## _m), \
+ (__ ## varname ## _s), \
+ (__ ## varname ## _p) \
+ )
/**
* Create a new sbus synchronous handler.
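Review bot: the generated array names `__ ## varname ## _m`, `_s` and `_p` begin with two underscores, which C reserves for the implementation; a prefix such as `sbus_ ## varname ## _m` avoids that. Separately, because the macro now expands to four declarations, it can only appear where declarations are allowed and `varname` is no longer the result of a statement expression, which is precisely what fixes the dangling-pointer problem in the message: the method, signal and property arrays now live as const automatic arrays in the enclosing function scope for as long as `varname` does. The @param text added in the previous hunk could state that lifetime rule explicitly.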
diff --git a/src/sbus/server/sbus_server_interface.c b/src/sbus/server/sbus_server_interface.c
index 695d4d09b..9c0ba0abb 100644
--- a/src/sbus/server/sbus_server_interface.c
+++ b/src/sbus/server/sbus_server_interface.c
@@ -387,7 +387,7 @@ sbus_server_setup_interface(struct sbus_server *server)
{
errno_t ret;
- struct sbus_interface bus = SBUS_INTERFACE(
+ SBUS_INTERFACE(bus,
org_freedesktop_DBus,
SBUS_METHODS(
SBUS_SYNC(METHOD, org_freedesktop_DBus, Hello, sbus_server_bus_hello, server),
--
2.20.1


@ -1,42 +0,0 @@
From 04c1909a0c1c13eee10141f08eff2048decc2e49 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Wed, 12 Dec 2018 22:28:15 -0800
Subject: [PATCH] sbus: use 120 second default timeout
As discussed in #1654537, first login to a system as a FreeIPA
domain user now usually causes an expensive SELinux operation
to happen; this can take longer than the default bus message
timeout of 25 seconds. To deal with this for now, let's use a
120 second default timeout; this is a big hammer, but unless we
can refactor things to use a longer timeout just for that one
call, or make the actual operation take less time, there's not
much else we can do.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1654537
Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
src/sbus/sbus_message.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
index e7b8fe594..7ae634ece 100644
--- a/src/sbus/sbus_message.h
+++ b/src/sbus/sbus_message.h
@@ -27,8 +27,10 @@
#include "util/util.h"
#include "sbus/sbus_errors.h"
-/* Use reasonable default timeout which is computed in libdbus */
-#define SBUS_MESSAGE_TIMEOUT -1
+/* Use longer default timeout than libdbus default due to expensive
+ * selinux operation: see https://bugzilla.redhat.com/show_bug.cgi?id=1654537
+ */
+#define SBUS_MESSAGE_TIMEOUT 120000
/**
* Bound message with a talloc context.
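Review bot: the new constant is a libdbus timeout and therefore in milliseconds (`-1` meant the library default, which the message quotes as 25 seconds), but neither the comment nor the name says so; `120000 /* ms */` or a sentence in the comment would stop a later reader from treating it as seconds. Note too that this applies to every sbus message, not only the FreeIPA first-login path, so a stalled responder now holds its callers for up to two minutes; the message already acknowledges this is a blunt instrument.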
--
2.20.0


@ -1,33 +0,0 @@
From 08bba3a6e3e4e21f2e20b71cca463d50420aa9ee Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 22 Nov 2018 11:36:57 +0100
Subject: [PATCH] tests: fix mocking krb5_creds in test_copy_ccache
To just test some ccache related functionality without talking to an
actual KDC to get the tickets some needed libkrb5 structs were mocked
based on tests from the MIT Kerberos source code. One struct member
(is_skey) was so far not regarded by libkrb5 for out test case. But a
recent fix for http://krbdev.mit.edu/rt/Ticket/Display.html?id=8718
changed this and we have to change the mocking.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/cmocka/test_copy_ccache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/cmocka/test_copy_ccache.c b/src/tests/cmocka/test_copy_ccache.c
index 84225b6bf..7c76c00e8 100644
--- a/src/tests/cmocka/test_copy_ccache.c
+++ b/src/tests/cmocka/test_copy_ccache.c
@@ -88,7 +88,7 @@ static int setup_ccache(void **state)
test_creds.times.starttime = 2222;
test_creds.times.endtime = 3333;
test_creds.times.renew_till = 4444;
- test_creds.is_skey = 1;
+ test_creds.is_skey = 0;
test_creds.ticket_flags = 5555;
test_creds.addresses = addrs;
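Review bot: the one-line flip of `test_creds.is_skey` from 1 to 0 carries no explanation in the code; a short comment pointing at the MIT ticket named in the message (krbdev.mit.edu/rt ticket 8718) would tell the next person why the mocked credential must not look like a session-key credential, so the value does not get "fixed" back.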
--
2.20.0


@ -0,0 +1,29 @@
From 399ee9d1af9cca4026ce50c58ce25c45a30c85c2 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat, 1 Feb 2020 17:39:07 +0000
Subject: [PATCH] BUILD: Accept krb5 1.18 for building the PAC plugin
Merges: https://pagure.io/SSSD/sssd/pull-request/4152
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/external/pac_responder.m4 | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
index dc986a1b8..114d8470f 100644
--- a/src/external/pac_responder.m4
+++ b/src/external/pac_responder.m4
@@ -19,7 +19,8 @@ then
Kerberos\ 5\ release\ 1.14* | \
Kerberos\ 5\ release\ 1.15* | \
Kerberos\ 5\ release\ 1.16* | \
- Kerberos\ 5\ release\ 1.17*)
+ Kerberos\ 5\ release\ 1.17* | \
+ Kerberos\ 5\ release\ 1.18*)
krb5_version_ok=yes
AC_MSG_RESULT([yes])
;;
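Review bot: each new krb5 release adds another alternative to this case pattern (across the patches on this page the list now runs from 1.13 to 1.18); a range pattern such as `Kerberos\ 5\ release\ 1.1[3-9]*)` would cover them in one line and spare the package a new patch per release, at the cost of accepting a future 1.19 automatically, which may or may not be wanted given that this list exists precisely to gate which krb5 versions the PAC plugin is known to build against.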
--
2.20.1


@ -1,49 +0,0 @@
From 677a93372e4b7359d19d7e55467fa5ccea4a80a3 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 15 Aug 2018 22:07:40 +0200
Subject: [PATCH 2/4] BUILD: Add missing deps to libsss_sbus*.so
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It indirectly caused failures when linking unit test.
CCLD test_sbus_opath
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_validate'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_free'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_malloc'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_casefold'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_collate'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_strlen'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_strdown'
Merges: https://pagure.io/SSSD/sssd/pull-request/3808
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index a2d8ea4..1b4f044 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1105,6 +1105,7 @@ libsss_sbus_la_LIBADD = \
$(TALLOC_LIBS) \
$(TEVENT_LIBS) \
$(DBUS_LIBS) \
+ $(UNICODE_LIBS) \
$(NULL)
libsss_sbus_la_CFLAGS = \
$(AM_CFLAGS) \
@@ -1146,6 +1147,7 @@ libsss_sbus_sync_la_CFLAGS = \
$(AM_CFLAGS) \
$(TALLOC_CFLAGS) \
$(DBUS_CFLAGS) \
+ $(UNICODE_LIBS) \
$(NULL)
libsss_sbus_sync_la_LDFLAGS = \
-avoid-version \
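Review bot: in this hunk `$(UNICODE_LIBS)` is added to `libsss_sbus_sync_la_CFLAGS`, alongside `$(TALLOC_CFLAGS)` and `$(DBUS_CFLAGS)`; a `-l` flag in a CFLAGS variable does nothing for the undefined `g_utf8_*` references quoted in the message, which are resolved at link time. It almost certainly belongs in `libsss_sbus_sync_la_LIBADD`, mirroring the first hunk's addition to `libsss_sbus_la_LIBADD`, with the corresponding CFLAGS variable (whatever the configure script names it; `$(UNICODE_CFLAGS)` is an assumption) here if include paths are needed.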
--
2.9.5


@ -1,267 +0,0 @@
From e185b039468ec27bbc905c61c57dffc5496af521 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 5 Feb 2019 10:36:13 +0100
Subject: [PATCH 2/3] sbus: improve documentation of SBUS_INTERFACE
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sbus/sbus_interface.h | 195 +++++++++++++++++++++++++++-----------
1 file changed, 138 insertions(+), 57 deletions(-)
diff --git a/src/sbus/sbus_interface.h b/src/sbus/sbus_interface.h
index 45ab4b5ad..2312fde68 100644
--- a/src/sbus/sbus_interface.h
+++ b/src/sbus/sbus_interface.h
@@ -49,35 +49,47 @@ struct sbus_node;
*
* @see SBUS_SYNC, SBUS_ASYNC, SBUS_NO_METHODS, SBUS_WITHOUT_METHODS
*
+ * The following examples demonstrate the intended usage of this macro.
+ * Do not use it in any other way.
+ *
* @example Interface with two methods, one with synchronous handler,
* one with asynchronous handler.
*
- * struct sbus_interface iface = {
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
- * SBUS_METHODS(
- * SBUS_SYNC (METHOD, org_freedekstop_sssd, UpdateMembers,
- * update_members_sync, pvt_data),
- * SBUS_ASYNC(METHOD, org_freedekstop_sssd, UpdateMembersAsync,
- * update_members_send, update_members_recv,
- * pvt_data)
- * )
- * };
+ * SBUS_INTERFACE(
+ * iface_variable,
+ * org_freedesktop_sssd,
+ * SBUS_METHODS(
+ * SBUS_SYNC (METHOD, org_freedekstop_sssd, UpdateMembers,
+ * update_members_sync, pvt_data),
+ * SBUS_ASYNC(METHOD, org_freedekstop_sssd, UpdateMembersAsync,
+ * update_members_send, update_members_recv,
+ * pvt_data)
+ * ),
+ * @signals,
+ * @properties
+ * );
*
* @example Interface with no methods.
*
- * struct sbus_interface empty_iface = {
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
- * SBUS_METHODS(
- * SBUS_NO_METHODS
- * )
- * };
+ * SBUS_INTERFACE(
+ * iface_variable,
+ * org_freedesktop_sssd,
+ * SBUS_METHODS(
+ * SBUS_NO_METHODS
+ * ),
+ * @signals,
+ * @properties
+ * );
*
* or
*
- * struct sbus_interface empty_iface = {
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
- * SBUS_WITHOUT_METHODS
- * };
+ * SBUS_INTERFACE(
+ * iface_variable,
+ * org_freedesktop_sssd,
+ * SBUS_WITHOUT_METHODS,
+ * @signals,
+ * @properties
+ * );
*/
#define SBUS_METHODS(...) \
{ \
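Review bot: the rewritten example keeps the pre-existing typo `org_freedekstop_sssd` in the `SBUS_SYNC`/`SBUS_ASYNC` arguments while the interface argument two lines above is spelled `org_freedesktop_sssd`; since both must name the same generated interface symbol, fix the spelling in the added lines so the example compiles as written.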
@@ -91,30 +103,42 @@ struct sbus_node;
*
* @see SBUS_EMIT, SBUS_NO_SIGNALS, SBUS_WITHOUT_SIGNALS
*
+ * The following examples demonstrate the intended usage of this macro.
+ * Do not use it in any other way.
+ *
* @example Interface that can emit a PropertyChanged signal.
*
- * struct sbus_interface iface = {
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
- * SBUS_SIGNALS(
- * SBUS_EMIT(org_freedekstop_sssd, PropertyChanged)
- * )
- * };
+ * SBUS_INTERFACE(
+ * iface_variable,
+ * org_freedesktop_sssd,
+ * @methods,
+ * SBUS_SIGNALS(
+ * SBUS_EMIT(org_freedekstop_sssd, PropertyChanged)
+ * ),
+ * @properties
+ * );
*
* @example Interface with no signals.
*
- * struct sbus_interface empty_iface = {
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
- * SBUS_SIGNALS(
- * SBUS_NO_SIGNALS
- * )
- * };
+ * SBUS_INTERFACE(
+ * iface_variable,
+ * org_freedesktop_sssd,
+ * @methods,
+ * SBUS_SIGNALS(
+ * SBUS_NO_SIGNALS
+ * ),
+ * @properties
+ * );
*
* or
*
- * struct sbus_interface empty_iface = {
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
- * SBUS_WITHOUT_SIGNALS
- * };
+ * SBUS_INTERFACE(
+ * iface_variable,
+ * org_freedesktop_sssd,
+ * @methods,
+ * SBUS_WITHOUT_SIGNALS,
+ * @properties
+ * );
*/
#define SBUS_SIGNALS(...) \
{ \
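Review bot: same spelling problem as in the SBUS_METHODS example: `SBUS_EMIT(org_freedekstop_sssd, PropertyChanged)` disagrees with the `org_freedesktop_sssd` interface name passed to `SBUS_INTERFACE` in the same example, so the documented usage would not build.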
@@ -128,35 +152,47 @@ struct sbus_node;
*
* @see SBUS_SYNC, SBUS_ASYNC, SBUS_NO_PROPERTIES, SBUS_WITHOUT_PROPERTIES
*
+ * The following examples demonstrate the intended usage of this macro.
+ * Do not use it in any other way.
+ *
* @example Interface with one property with asynchronous getter and
* synchronous setter.
*
- * struct sbus_interface iface = {
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
- * SBUS_PROPERTIES(
- * SBUS_SYNC (GETTER, org_freedekstop_sssd, domain_name,
- * set_domain_name, pvt_data),
- * SBUS_ASYNC(GETTER, org_freedekstop_sssd, domain_name,
- * get_domain_name_send, get_domain_name_recv,
- * pvt_data)
- * )
- * };
+ * SBUS_INTERFACE(
+ * iface_variable,
+ * org_freedesktop_sssd,
+ * @methods,
+ * @signals,
+ * SBUS_PROPERTIES(
+ * SBUS_SYNC (GETTER, org_freedekstop_sssd, domain_name,
+ * set_domain_name, pvt_data),
+ * SBUS_ASYNC(GETTER, org_freedekstop_sssd, domain_name,
+ * get_domain_name_send, get_domain_name_recv,
+ * pvt_data)
+ * )
+ * );
*
* @example Interface with no properties.
*
- * struct sbus_interface empty_iface = {
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
- * SBUS_PROPERTIES(
- * SBUS_NO_PROPERTIES
- * )
- * };
+ * SBUS_INTERFACE(
+ * iface_variable,
+ * org_freedesktop_sssd,
+ * @methods,
+ * @signals,
+ * SBUS_PROPERTIES(
+ * SBUS_NO_PROPERTIES
+ * )
+ * );
*
* or
*
- * struct sbus_interface empty_iface = {
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
- * SBUS_WITHOUT_PROPERTIES
- * };
+ * SBUS_INTERFACE(
+ * iface_variable,
+ * org_freedesktop_sssd,
+ * @methods,
+ * @signals,
+ * SBUS_WITHOUT_PROPERTIES
+ * );
*/
#define SBUS_PROPERTIES(...) \
{ \
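Review bot: the example text says "asynchronous getter and synchronous setter", but the new lines define two `GETTER` entries: `SBUS_SYNC (GETTER, org_freedekstop_sssd, domain_name, set_domain_name, pvt_data)` pairs a GETTER with a handler named `set_domain_name`. It should read `SBUS_SYNC (SETTER, ...)`, and the `freedekstop` typo is carried into these lines as well.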
@@ -239,8 +275,53 @@ struct sbus_node;
* @param signals Signals on the interface.
* @param properties Properties on the interface.
*
+ * Please note that the following macro introduced to the scope these variables:
+ * - __varname_m
+ * - __varname_s
+ * - __varname_p
+ *
+ * These variables are intended for internal purpose only and should not be
+ * used outside this macro. They are allocated on stack and will be destroyed
+ * with it.
+ *
+ * Additionally, it creates 'struct sbus_interface varname'. This variable
+ * holds the information about the interfaces you created. The structure and
+ * all its data are allocated on stack and will be destroyed with it.
+ *
+ * The only intended usage of this variable is to assign it to an sbus path
+ * and then register this path inside the same function where the interface
+ * is defined. It should not be used in any other way.
+ *
+ * The following example demonstrates the intended usage of this macro.
+ * Do not use it in any other way.
+ *
* @example
- * SBUS_INTERFACE(org_freedesktop_sssd, @methods, @signals, @properties)
+ * SBUS_INTERFACE(
+ * iface_bus,
+ * org_freedesktop_DBus,
+ * SBUS_METHODS(
+ * SBUS_SYNC(METHOD, org_freedesktop_DBus, Hello, sbus_server_bus_hello, server),
+ * SBUS_SYNC(METHOD, org_freedesktop_DBus, RequestName, sbus_server_bus_request_name, server),
+ * ),
+ * SBUS_SIGNALS(
+ * SBUS_EMITS(org_freedesktop_DBus, NameOwnerChanged),
+ * SBUS_EMITS(org_freedesktop_DBus, NameAcquired),
+ * SBUS_EMITS(org_freedesktop_DBus, NameLost)
+ * ),
+ * SBUS_WITHOUT_PROPERTIES
+ * );
+ *
+ * struct sbus_path paths[] = {
+ * {"/org/freedesktop/dbus", &iface_bus},
+ * {NULL, NULL}
+ * };
+ *
+ * ret = sbus_router_add_path_map(server->router, paths);
+ * if (ret != EOK) {
+ * DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n",
+ * ret, sss_strerror(ret));
+ * return ret;
+ * }
*
* @see SBUS_METHODS, SBUS_SIGNALS, SBUS_PROPERTIES to create those arguments.
*/
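Review bot: the new full example is inconsistent with the rest of this header: it uses `SBUS_EMITS(org_freedesktop_DBus, ...)` while the SBUS_SIGNALS documentation and its `@see` list use `SBUS_EMIT`, so one of the two is not the real macro name; and the second `SBUS_SYNC(METHOD, org_freedesktop_DBus, RequestName, ...)` line carries a trailing comma before the closing `),` of `SBUS_METHODS`. The added sentence "the following macro introduced to the scope these variables" should also read "the following macro introduces these variables into the scope".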
--
2.20.1


@ -1,118 +0,0 @@
From 53ed60b878d3737d4c174644b69df960595479da Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 15 Aug 2018 22:23:42 +0200
Subject: [PATCH 3/4] BUILD: Reduce compilation of unnecessary files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We save compilation of 52 files 2 times by linking to existing
internal libraries.
It also fixes an issue with multiple definitions of the same symbol
CCLD responder_common-tests
/usr/bin/ld: .libs/libsss_debug.so and ../../../src/util/responder_common_tests-debug.o:
warning: multiple common of `sss_logger'
collect2: error: ld returned 1 exit status
Merges: https://pagure.io/SSSD/sssd/pull-request/3808
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/tests/cwrap/Makefile.am | 64 +++------------------------------------------
1 file changed, 4 insertions(+), 60 deletions(-)
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index d5778d1..b63c695 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -66,67 +66,7 @@ SSSD_CACHE_REQ_OBJ = \
../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
$(NULL)
-SSSD_SBUS_OBJ = \
- ../../../src/util/check_and_open.c \
- ../../../src/util/debug.c \
- ../../../src/util/sss_ptr_hash.c \
- ../../../src/util/sss_ptr_list.c \
- ../../../src/util/sss_utf8.c \
- ../../../src/util/util.c \
- ../../../src/util/util_errors.c \
- ../../../src/util/util_ext.c \
- ../../../src/util/strtonum.c \
- ../../../src/sbus/sbus_errors.c \
- ../../../src/sbus/sbus_opath.c \
- ../../../src/sbus/connection/sbus_connection.c \
- ../../../src/sbus/connection/sbus_connection_connect.c \
- ../../../src/sbus/connection/sbus_dbus.c \
- ../../../src/sbus/connection/sbus_dispatcher.c \
- ../../../src/sbus/connection/sbus_reconnect.c \
- ../../../src/sbus/connection/sbus_send.c \
- ../../../src/sbus/connection/sbus_watch.c \
- ../../../src/sbus/interface_dbus/sbus_dbus_arguments.c \
- ../../../src/sbus/interface_dbus/sbus_dbus_client_async.c \
- ../../../src/sbus/interface_dbus/sbus_dbus_invokers.c \
- ../../../src/sbus/interface_dbus/sbus_dbus_keygens.c \
- ../../../src/sbus/interface_dbus/sbus_dbus_symbols.c \
- ../../../src/sbus/interface/sbus_interface.c \
- ../../../src/sbus/interface/sbus_introspection.c \
- ../../../src/sbus/interface/sbus_iterator_readers.c \
- ../../../src/sbus/interface/sbus_iterator_writers.c \
- ../../../src/sbus/interface/sbus_properties.c \
- ../../../src/sbus/interface/sbus_properties_parser.c \
- ../../../src/sbus/interface/sbus_std_signals.c \
- ../../../src/sbus/request/sbus_message.c \
- ../../../src/sbus/request/sbus_request.c \
- ../../../src/sbus/request/sbus_request_call.c \
- ../../../src/sbus/request/sbus_request_hash.c \
- ../../../src/sbus/request/sbus_request_sender.c \
- ../../../src/sbus/request/sbus_request_util.c \
- ../../../src/sbus/router/sbus_router.c \
- ../../../src/sbus/router/sbus_router_handler.c \
- ../../../src/sbus/router/sbus_router_hash.c \
- ../../../src/sbus/server/sbus_server_handler.c \
- ../../../src/sbus/server/sbus_server_interface.c \
- ../../../src/sbus/server/sbus_server_match.c \
- ../../../src/sbus/server/sbus_server.c \
- $(NULL)
-
-SSSD_IFACE_OBJ = \
- ../../../src/sss_iface/sbus_sss_arguments.c \
- ../../../src/sss_iface/sbus_sss_client_async.c \
- ../../../src/sss_iface/sbus_sss_invokers.c \
- ../../../src/sss_iface/sbus_sss_keygens.c \
- ../../../src/sss_iface/sbus_sss_symbols.c \
- ../../../src/sss_iface/sss_iface_types.c \
- ../../../src/sss_iface/sss_iface.c \
- ../../../src/util/domain_info_utils.c \
- ../../../src/util/sss_pam_data.c \
- $(NULL)
-
SSSD_RESPONDER_IFACE_OBJ = \
- $(SSSD_SBUS_OBJ) \
- $(SSSD_IFACE_OBJ) \
../../../src/responder/common/responder_iface.c \
$(NULL)
@@ -244,6 +184,8 @@ responder_common_tests_LDADD = \
$(abs_top_builddir)/libsss_util.la \
$(abs_top_builddir)/libsss_debug.la \
$(abs_top_builddir)/libsss_test_common.la \
+ $(abs_top_builddir)/libsss_iface.la \
+ $(abs_top_builddir)/libsss_sbus.la \
$(NULL)
negcache_tests_SOURCES =\
@@ -262,6 +204,8 @@ negcache_tests_LDADD = \
$(abs_top_builddir)/libsss_util.la \
$(abs_top_builddir)/libsss_debug.la \
$(abs_top_builddir)/libsss_test_common.la \
+ $(abs_top_builddir)/libsss_iface.la \
+ $(abs_top_builddir)/libsss_sbus.la \
$(NULL)
tests: $(check_PROGRAMS)
--
2.9.5


@ -0,0 +1,35 @@
From b626651847e188e89a332b8ac4bfaaa5047e1b3d Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Tue, 10 Dec 2019 16:30:32 +0100
Subject: [PATCH] INI: sssctl config-check command error messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case of a parsing error the sssctl config-check command does not give
proper error messages with line numbers. With this patch the error
message is printed again.
Resolves:
https://pagure.io/SSSD/sssd/issue/4129
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/util/sss_ini.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index e3699805d..5d91602cd 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -865,6 +865,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_parse(self);
if (ret != EOK) {
+ sss_ini_config_print_errors(self->error_list);
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
return ERR_INI_PARSE_FAILED;
}
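Review bot: `sss_ini_config_print_errors(self->error_list)` is now called unconditionally inside `sss_ini_read_sssd_conf()`, which is shared library code rather than something specific to sssctl; confirm that the other callers of this function are fine with errors being printed at this point, and that `sss_ini_config_print_errors()` tolerates a NULL or empty `error_list` when `sss_ini_parse()` fails before populating it. If either is a concern, the print belongs in the sssctl config-check caller on the `ERR_INI_PARSE_FAILED` path instead.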
--
2.20.1


@ -1,58 +0,0 @@
From 38ebae7e0ea889fa9022670a3e08e7352b624677 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 4 Feb 2019 18:13:14 +0100
Subject: [PATCH 3/3] sbus/interface: fixed interface copy helpers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In `sbus_method_copy()` and other copy helpers there was code like:
```
copy = talloc_zero_array(mem_ctx, struct sbus_method, count + 1);
memcpy(copy, input, sizeof(struct sbus_method) * count + 1);
```
Copying one byte of the "sentinel" doesn't make sense.
We can either rely on the fact that the sentinel is a zero-initialized struct
*and* `talloc_zero_array()` zero-initializes memory (so copying of the
sentinel may be omitted altogether) or just copy the sentinel as a whole.
Opted for the second option as the clearer variant.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sbus/interface/sbus_interface.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/sbus/interface/sbus_interface.c b/src/sbus/interface/sbus_interface.c
index ed1b5fd79..afd54dd81 100644
--- a/src/sbus/interface/sbus_interface.c
+++ b/src/sbus/interface/sbus_interface.c
@@ -109,7 +109,7 @@ sbus_method_copy(TALLOC_CTX *mem_ctx,
/* All data is either pointer to a static data or it is not a pointer.
* We can just copy it. */
- memcpy(copy, input, sizeof(struct sbus_method) * count + 1);
+ memcpy(copy, input, sizeof(struct sbus_method) * (count + 1));
return copy;
}
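Review bot: the fix is correct: `sizeof(struct sbus_method) * count + 1` copied `count` full structs plus a single byte, so the sentinel entry in `copy` was only partially written and silently relied on `talloc_zero_array()` having zeroed it; `sizeof(struct sbus_method) * (count + 1)` copies all `count + 1` entries including the sentinel. Consider `sizeof(*copy)` so the element size cannot drift from the array's type in later edits; the same applies to the `sbus_signal_copy()` and `sbus_property_copy()` hunks below.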
@@ -144,7 +144,7 @@ sbus_signal_copy(TALLOC_CTX *mem_ctx,
/* All data is either pointer to a static data or it is not a pointer.
* We can just copy it. */
- memcpy(copy, input, sizeof(struct sbus_signal) * count + 1);
+ memcpy(copy, input, sizeof(struct sbus_signal) * (count + 1));
return copy;
}
@@ -208,7 +208,7 @@ sbus_property_copy(TALLOC_CTX *mem_ctx,
/* All data is either pointer to a static data or it is not a pointer.
* We can just copy it. */
- memcpy(copy, input, sizeof(struct sbus_property) * count + 1);
+ memcpy(copy, input, sizeof(struct sbus_property) * (count + 1));
return copy;
}
--
2.20.1


@ -1,39 +0,0 @@
From 81dce19792cf300950411722d16b72f8816aecb0 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 28 Aug 2018 14:47:44 +0200
Subject: [PATCH] KCM: Don't error out if creating a new ID as the first step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We need to handle the case where the nextID operation is run, but the
secdb is totally empty, otherwise logins with sssd's krb5_child would
fail.
Resolves:
https://pagure.io/SSSD/sssd/issue/3815
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/responder/kcm/kcmsrv_ccache_secdb.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
index 0f1c037..a61d7b1 100644
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
@@ -595,7 +595,10 @@ static struct tevent_req *ccdb_secdb_nextid_send(TALLOC_CTX *mem_ctx,
}
ret = sss_sec_list(state, sreq, &keys, &nkeys);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ keys = NULL;
+ nkeys = 0;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot list keys [%d]: %s\n",
ret, sss_strerror(ret));
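Review bot: treating `ENOENT` from `sss_sec_list()` as an empty key list is the right fix for a fresh secdb, but the hunk ends before the code that consumes `keys`/`nkeys`; make sure the logic that follows (iteration over `nkeys` entries and any free of `keys`) handles `keys == NULL, nkeys == 0` and yields a first ID, since that is exactly the path this patch exists for. A unit test for the empty-secdb case would pin this down.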
--
2.9.5


@ -0,0 +1,42 @@
From 21cb9fb28db1f2eb4ee770eb029bfe20233e4392 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 12 Dec 2019 13:10:16 +0100
Subject: [PATCH] certmap: mention special regex characters in man page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since some of the matching rules use regular expressions, some characters
must be escaped so that they can be used as ordinary characters in the
rules.
Related to https://pagure.io/SSSD/sssd/issue/4127
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/man/sss-certmap.5.xml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
index db258d14a..10343625e 100644
--- a/src/man/sss-certmap.5.xml
+++ b/src/man/sss-certmap.5.xml
@@ -92,6 +92,15 @@
<para>
Example: &lt;SUBJECT&gt;.*,DC=MY,DC=DOMAIN
</para>
+ <para>
+ Please note that the characters "^.[$()|*+?{\" have a
+ special meaning in regular expressions and must be
+ escaped with the help of the '\' character so that they
+ are matched as ordinary characters.
+ </para>
+ <para>
+ Example: &lt;SUBJECT&gt;^CN=.* \(Admin\),DC=MY,DC=DOMAIN$
+ </para>
</listitem>
</varlistentry>
<varlistentry>
--
2.20.1


@ -0,0 +1,98 @@
From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Dec 2019 12:29:49 +0100
Subject: [PATCH] ldap_child: do not try PKINIT
If the PKINIT plugin is installed and pkinit_identities is set in
/etc/krb5.conf, libkrb5 will try to do PKINIT although ldap_child only
wants to authenticate with a keytab. As a result ldap_child might try to
access a Smartcard, which is either not allowed at all or might cause
unexpected delays.
To avoid this the current patch sets pkinit_identities for LDAP child
explicitly to make the PKINIT plugin fail, because if installed libkrb5
will always use it.
It turned out that setting pre-authentication options requires some
internal flags to be set and krb5_get_init_creds_opt_alloc() must be
used to initialize the options struct.
Related to https://pagure.io/SSSD/sssd/issue/4126
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 408d64db4..b081df90f 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krb5_ccache ccache = NULL;
krb5_principal kprinc;
krb5_creds my_creds;
- krb5_get_init_creds_opt options;
+ krb5_get_init_creds_opt *options = NULL;
krb5_error_code krberr;
krb5_timestamp kdc_time_offset;
int canonicalize = 0;
@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
}
memset(&my_creds, 0, sizeof(my_creds));
- memset(&options, 0, sizeof(options));
- krb5_get_init_creds_opt_set_address_list(&options, NULL);
- krb5_get_init_creds_opt_set_forwardable(&options, 0);
- krb5_get_init_creds_opt_set_proxiable(&options, 0);
- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
+ krberr = krb5_get_init_creds_opt_alloc(context, &options);
+ if (krberr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n");
+ goto done;
+ }
+
+ krb5_get_init_creds_opt_set_address_list(options, NULL);
+ krb5_get_init_creds_opt_set_forwardable(options, 0);
+ krb5_get_init_creds_opt_set_proxiable(options, 0);
+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
+ krberr = krb5_get_init_creds_opt_set_pa(context, options,
+ "X509_user_identity", "");
+ if (krberr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n",
+ krberr);
+ }
+
tmp_str = getenv("KRB5_CANONICALIZE");
if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
canonicalize = 1;
}
- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
+ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize);
ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
DB_PATH, realm_name);
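Review bot: `krberr` is left non-zero after a failed `krb5_get_init_creds_opt_set_pa()` that is only logged as "ignored"; any `goto done` between this point and the `krb5_get_init_creds_keytab()` assignment that does not set `krberr` itself would then report the ignored error as the failure. Either reset `krberr = 0` after the DEBUG line or confirm no such path exists. Setting `X509_user_identity` to an empty string as the way to make the PKINIT plugin bail out is otherwise clear from the commit message and worth a short comment at the call site.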
@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
}
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
- keytab, 0, NULL, &options);
+ keytab, 0, NULL, options);
if (krberr != 0) {
DEBUG(SSSDBG_OP_FAILURE,
"krb5_get_init_creds_keytab() failed: %d\n", krberr);
@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
done:
+ krb5_get_init_creds_opt_free(context, options);
if (krberr != 0) {
if (*_krb5_msg == NULL) {
/* no custom error message provided hence get one from libkrb5 */
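Review bot: `krb5_get_init_creds_opt_free(context, options)` at `done:` now runs on every exit path, including the early `goto done` taken when `krb5_get_init_creds_opt_alloc()` fails; with `options` initialised to NULL in the declaration hunk this is safe only if `krb5_get_init_creds_opt_free()` accepts a NULL pointer (MIT libkrb5 does) and `context` is valid on every path that reaches `done:`. A one-line comment stating that reliance would help the next reader.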
--
2.20.1


@ -1,48 +0,0 @@
From 55d5b43543b5ef62322fe635fe8108410cb4ea77 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Wed, 5 Sep 2018 15:08:52 +0200
Subject: [PATCH 08/83] sbus: register filter on new connection
The filter is not registered again on a new connection when the old connection
was lost. This caused a segfault when the router is destroyed during shutdown.
It also would not allow receiving and processing any messages as the filter
function is needed for that. However, this was not very visible with the
current sssd architecture.
Steps to reproduce:
1. Run SSSD
2. pkill sssd_be
3. Wait for responders to reconnect to backend
4. Shutdown SSSD
5. It will crash without this patch
Resolves:
https://pagure.io/SSSD/sssd/issue/3821
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/router/sbus_router.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/sbus/router/sbus_router.c b/src/sbus/router/sbus_router.c
index 24c2c76..d31cef1 100644
--- a/src/sbus/router/sbus_router.c
+++ b/src/sbus/router/sbus_router.c
@@ -364,6 +364,13 @@ errno_t
sbus_router_reset(struct sbus_connection *conn)
{
errno_t ret;
+ bool bret;
+
+ bret = sbus_router_filter_add(conn->router);
+ if (!bret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register message filter!\n");
+ return EFAULT;
+ }
ret = sbus_router_reset_listeners(conn);
if (ret != EOK) {
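Review bot: `sbus_router_filter_add()` returning `false` is mapped to `EFAULT`, which conventionally means a bad address; a resource or I/O error such as `ENOMEM` or `EIO` would be a more natural errno for a failed D-Bus filter registration. Also confirm that `sbus_router_reset()` is only reached for a freshly created connection, otherwise the filter would be registered twice on the same `DBusConnection`.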
--
2.9.5


@ -1,26 +0,0 @@
From 8c8f74b0dfa29643279d31b12300ced47d5c2ab5 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Thu, 16 Aug 2018 11:42:44 +0200
Subject: [PATCH 09/83] sbus: fix typo
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/sbus_message.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
index 99dd930..92d5cea 100644
--- a/src/sbus/sbus_message.h
+++ b/src/sbus/sbus_message.h
@@ -49,7 +49,7 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
*
* DO NOT USE dbus_message_unref() on such message anymore since it would not
* release internal data about the bound. The message will be automatically
- * unreferenced whent the talloc context is freed.
+ * unreferenced when the talloc context is freed.
*
* @param mem_ctx Memory context to bound the message with. It can not be NULL.
* @param msg Message to be bound with memory context.
--
2.9.5


@ -0,0 +1,52 @@
From 2c13d8bd00f1e8ff30e9fc81f183f6450303ac30 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 11 Dec 2019 18:42:49 +0100
Subject: [PATCH] util/watchdog: fixed watchdog implementation
In case the watchdog detected a locked process and this process was the parent
process, it just sent SIGTERM to the whole group of processes, including
itself.
This handling was wrong: the generic `server_setup()` installs a custom
libtevent handler for the SIGTERM signal so this signal is only processed
in the context of the tevent mainloop. But if the tevent mainloop is stuck
(exactly the case that triggers the WD) then the event is not processed
and this made the watchdog useless.
`watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do
an unconditional `_exit()` after optionally sending a signal to the group.
Resolves: https://pagure.io/SSSD/sssd/issue/4089
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/util/util_watchdog.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index a07275b19..38c248271 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -54,9 +54,8 @@ static void watchdog_detect_timeshift(void)
if (write(watchdog_ctx.pipefd[1], "1", 1) != 1) {
if (getpid() == getpgrp()) {
kill(-getpgrp(), SIGTERM);
- } else {
- _exit(1);
}
+ _exit(1);
}
}
}
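Review bot: making `_exit(1)` unconditional fixes the case described in the commit message: a group leader whose tevent loop is stuck never ran its own SIGTERM handler after `kill(-getpgrp(), SIGTERM)`, so it lived on. Note that the leader now exits without waiting for the rest of the group, which is acceptable for a stuck process, but exit status 1 is indistinguishable from ordinary failures; a distinct exit status for watchdog termination would let the monitor and log analysis tell the two apart. The `watchdog_handler()` hunk below makes the identical change and the same remark applies.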
@@ -75,9 +74,8 @@ static void watchdog_handler(int sig)
if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
if (getpid() == getpgrp()) {
kill(-getpgrp(), SIGTERM);
- } else {
- _exit(1);
}
+ _exit(1);
}
}
--
2.20.1


@ -0,0 +1,56 @@
From 1d4a7ffdcf8b303a40058db49d5e1be4bfb8271a Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 9 Dec 2019 17:20:28 +0100
Subject: [PATCH 7/9] providers/krb5: got rid of unused code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/providers/krb5/krb5_common.c | 10 ----------
src/providers/krb5/krb5_common.h | 7 -------
2 files changed, 17 deletions(-)
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index bfda561c1..5c11c347b 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -1133,16 +1133,6 @@ void remove_krb5_info_files_callback(void *pvt)
talloc_free(ctx);
}
-void krb5_finalize(struct tevent_context *ev,
- struct tevent_signal *se,
- int signum,
- int count,
- void *siginfo,
- void *private_data)
-{
- orderly_shutdown(0);
-}
-
errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
struct sss_domain_info *dom, const char *username,
const char *user_dom, char **_upn)
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index cc9313115..493d12e5f 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -196,13 +196,6 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
void remove_krb5_info_files_callback(void *pvt);
-void krb5_finalize(struct tevent_context *ev,
- struct tevent_signal *se,
- int signum,
- int count,
- void *siginfo,
- void *private_data);
-
errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm);
errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
--
2.20.1


@ -1,41 +0,0 @@
From 30f4adf874aff174734ad77902a79fc5727ab495 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Thu, 16 Aug 2018 12:57:47 +0200
Subject: [PATCH 10/83] sbus: check for null message in sbus_message_bound
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/request/sbus_message.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/sbus/request/sbus_message.c b/src/sbus/request/sbus_message.c
index 950be91..7314fd7 100644
--- a/src/sbus/request/sbus_message.c
+++ b/src/sbus/request/sbus_message.c
@@ -83,6 +83,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
return EINVAL;
}
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
+ return EINVAL;
+ }
+
/* Create a talloc context that will unreference this message when
* the parent context is freed. */
talloc_msg = talloc(mem_ctx, struct sbus_talloc_msg);
@@ -122,6 +127,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
errno_t
sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg)
{
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
+ return EINVAL;
+ }
+
dbus_message_ref(msg);
return sbus_message_bound(mem_ctx, msg);
}
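Review bot: the check in `sbus_message_bound_ref()` is the one that matters: without it `dbus_message_ref(msg)` would be reached with a NULL pointer before `sbus_message_bound()` could reject it. Keeping the duplicate check in `sbus_message_bound()` is fine as defence in depth since that function is a public entry point of its own.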
--
2.9.5


@ -0,0 +1,84 @@
From e41e9b37e4d3fcd8544fb6c591dafbaef0954438 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 9 Dec 2019 17:48:14 +0100
Subject: [PATCH 8/9] data_provider_be: got rid of duplicating SIGTERM handler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It was wrong to install two libtevent SIGTERM handlers, both of which did
orderly_shutdown()->exit(). Naturally only one of the handlers was executed
(as the process was terminated with exit()) and the libtevent docs don't say
anything about the order of execution. But chances are, be_process_finalize()
was executed first, so default_quit() was not executed and main_ctx was not
freed.
Moreover there is just no reason to have a separate be_process_finalize()
at all: the default server handler default_quit() frees main_ctx. And be_ctx
is linked to main_ctx so it will be freed by the default handler as well.
Resolves: https://pagure.io/SSSD/sssd/issue/4088
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/providers/data_provider_be.c | 37 --------------------------------
1 file changed, 37 deletions(-)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index cfcf0268d..ce00231ff 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -445,36 +445,6 @@ be_register_monitor_iface(struct sbus_connection *conn, struct be_ctx *be_ctx)
return sbus_connection_add_path_map(be_ctx->mon_conn, paths);
}
-static void be_process_finalize(struct tevent_context *ev,
- struct tevent_signal *se,
- int signum,
- int count,
- void *siginfo,
- void *private_data)
-{
- struct be_ctx *be_ctx;
-
- be_ctx = talloc_get_type(private_data, struct be_ctx);
- talloc_free(be_ctx);
- orderly_shutdown(0);
-}
-
-static errno_t be_process_install_sigterm_handler(struct be_ctx *be_ctx)
-{
- struct tevent_signal *sige;
-
- BlockSignals(false, SIGTERM);
-
- sige = tevent_add_signal(be_ctx->ev, be_ctx, SIGTERM, SA_SIGINFO,
- be_process_finalize, be_ctx);
- if (sige == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n");
- return ENOMEM;
- }
-
- return EOK;
-}
-
static void dp_initialized(struct tevent_req *req);
errno_t be_process_init(TALLOC_CTX *mem_ctx,
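Review bot: besides the duplicate handler, this hunk removes `BlockSignals(false, SIGTERM)` from the backend; confirm that `server_setup()` already unblocks SIGTERM before installing its own handler, otherwise the backend would stop receiving SIGTERM at all. It is also worth checking that nothing hanging off `be_ctx` needs an explicit `talloc_free(be_ctx)` ahead of `default_quit()` freeing `main_ctx`, since that explicit free is gone with `be_process_finalize()`.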
@@ -566,13 +536,6 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
goto done;
}
- /* Install signal handler */
- ret = be_process_install_sigterm_handler(be_ctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "be_install_sigterm_handler failed.\n");
- goto done;
- }
-
req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid);
if (req == NULL) {
ret = ENOMEM;
--
2.20.1


@ -1,336 +0,0 @@
From ca50c40511f08c0f7c786598e5793a06789c6cce Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Thu, 16 Aug 2018 13:17:13 +0200
Subject: [PATCH 11/83] sbus: replace sbus_message_bound_ref with
sbus_message_bound_steal
The memory context used for the new message reference accidentally overwrote
the one used by the initial sbus_message_bound call. This caused a memory
leak of the message as its reference counter got increased but the number of
talloc contexts bound to this message decreased at the same time.
Fixing this is non-trivial and it would require a separate data slot for
each reference. Because we do not have any existing use case for this
and we use it only as an equivalent of talloc_steal it is better to
provide a real equivalent for this talloc function.
Resolves:
https://pagure.io/SSSD/sssd/issue/3810
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c | 4 +-
src/sbus/codegen/templates/client_async.c.tpl | 4 +-
src/sbus/codegen/templates/client_sync.c.tpl | 4 +-
src/sbus/interface_dbus/sbus_dbus_client_async.c | 8 ++--
src/sbus/interface_dbus/sbus_dbus_client_sync.c | 8 ++--
src/sbus/request/sbus_message.c | 51 +++++++++++++++++-----
src/sbus/request/sbus_request.c | 10 ++---
src/sbus/request/sbus_request_call.c | 5 +--
src/sbus/sbus_message.h | 8 +---
src/sbus/sync/sbus_sync_call.c | 5 +--
10 files changed, 65 insertions(+), 42 deletions(-)
diff --git a/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c b/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
index 4859b93..1f0a8e3 100644
--- a/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
+++ b/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
@@ -526,9 +526,9 @@ sbus_method_in_sas_out_raw
goto done;
}
- ret = sbus_message_bound_ref(mem_ctx, reply);
+ ret = sbus_message_bound_steal(mem_ctx, reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
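Review bot: swapping `sbus_message_bound_ref()` for `sbus_message_bound_steal()` changes ownership semantics: the reply's reference count is no longer bumped, so a caller must not also `dbus_message_unref(reply)` on its own cleanup path once this call has succeeded, or the message is released twice. Check each converted site (this file and the four below) for an unconditional unref at `done:` that was previously balanced by the extra reference.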
diff --git a/src/sbus/codegen/templates/client_async.c.tpl b/src/sbus/codegen/templates/client_async.c.tpl
index 6ffb4f8..e16ce42 100644
--- a/src/sbus/codegen/templates/client_async.c.tpl
+++ b/src/sbus/codegen/templates/client_async.c.tpl
@@ -193,9 +193,9 @@
return EINVAL;
}
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
diff --git a/src/sbus/codegen/templates/client_sync.c.tpl b/src/sbus/codegen/templates/client_sync.c.tpl
index 30fa009..fe9a3a4 100644
--- a/src/sbus/codegen/templates/client_sync.c.tpl
+++ b/src/sbus/codegen/templates/client_sync.c.tpl
@@ -110,9 +110,9 @@
goto done;
}
- ret = sbus_message_bound_ref(mem_ctx, reply);
+ ret = sbus_message_bound_steal(mem_ctx, reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
diff --git a/src/sbus/interface_dbus/sbus_dbus_client_async.c b/src/sbus/interface_dbus/sbus_dbus_client_async.c
index 9dbd72c..0060e8b 100644
--- a/src/sbus/interface_dbus/sbus_dbus_client_async.c
+++ b/src/sbus/interface_dbus/sbus_dbus_client_async.c
@@ -301,9 +301,9 @@ sbus_method_in_s_out_raw_recv
return EINVAL;
}
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
@@ -513,9 +513,9 @@ sbus_method_in_ss_out_raw_recv
return EINVAL;
}
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
diff --git a/src/sbus/interface_dbus/sbus_dbus_client_sync.c b/src/sbus/interface_dbus/sbus_dbus_client_sync.c
index a0473cd..3ab0aab 100644
--- a/src/sbus/interface_dbus/sbus_dbus_client_sync.c
+++ b/src/sbus/interface_dbus/sbus_dbus_client_sync.c
@@ -101,9 +101,9 @@ sbus_method_in_s_out_raw
goto done;
}
- ret = sbus_message_bound_ref(mem_ctx, reply);
+ ret = sbus_message_bound_steal(mem_ctx, reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
@@ -159,9 +159,9 @@ sbus_method_in_ss_out_raw
goto done;
}
- ret = sbus_message_bound_ref(mem_ctx, reply);
+ ret = sbus_message_bound_steal(mem_ctx, reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
diff --git a/src/sbus/request/sbus_message.c b/src/sbus/request/sbus_message.c
index 7314fd7..90c6df4 100644
--- a/src/sbus/request/sbus_message.c
+++ b/src/sbus/request/sbus_message.c
@@ -29,8 +29,9 @@
#include "sbus/interface/sbus_iterator_writers.h"
/* Data slot that is used for message data. The slot is shared for all
- * messages. */
-dbus_int32_t data_slot = -1;
+ * messages, i.e. when a data slot is allocated all messages have the
+ * slot available. */
+dbus_int32_t global_data_slot = -1;
struct sbus_talloc_msg {
DBusMessage *msg;
@@ -48,7 +49,7 @@ static int sbus_talloc_msg_destructor(struct sbus_talloc_msg *talloc_msg)
/* There may exist more references to this message but this talloc
* context is no longer valid. We remove dbus message data to invoke
* dbus destructor now. */
- dbus_message_set_data(talloc_msg->msg, data_slot, NULL, NULL);
+ dbus_message_set_data(talloc_msg->msg, global_data_slot, NULL, NULL);
dbus_message_unref(talloc_msg->msg);
return 0;
}
@@ -60,7 +61,7 @@ static void sbus_msg_data_destructor(void *ctx)
talloc_msg = talloc_get_type(ctx, struct sbus_talloc_msg);
/* Decrement ref counter on data slot. */
- dbus_message_free_data_slot(&data_slot);
+ dbus_message_free_data_slot(&global_data_slot);
if (!talloc_msg->in_talloc_destructor) {
/* References to this message dropped to zero but through
@@ -100,7 +101,8 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
/* Allocate a dbus message data slot that will contain pointer to the
* talloc context so we can pick up cases when the dbus message is
* freed through dbus api. */
- bret = dbus_message_allocate_data_slot(&data_slot);
+
+ bret = dbus_message_allocate_data_slot(&global_data_slot);
if (!bret) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to allocate data slot!\n");
talloc_free(talloc_msg);
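Review bot: the added empty line separates the comment explaining the data slot allocation from the `bret = dbus_message_allocate_data_slot(&global_data_slot);` call it documents, which is an unrelated whitespace change in what is otherwise a rename hunk; drop the blank line so the comment stays attached to the call it describes.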
@@ -108,11 +110,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
}
free_fn = sbus_msg_data_destructor;
- bret = dbus_message_set_data(msg, data_slot, talloc_msg, free_fn);
+ bret = dbus_message_set_data(msg, global_data_slot, talloc_msg, free_fn);
if (!bret) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set message data!\n");
talloc_free(talloc_msg);
- dbus_message_free_data_slot(&data_slot);
+ dbus_message_free_data_slot(&global_data_slot);
return ENOMEM;
}
@@ -125,15 +127,44 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
}
errno_t
-sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg)
+sbus_message_bound_steal(TALLOC_CTX *mem_ctx, DBusMessage *msg)
{
+ struct sbus_talloc_msg *talloc_msg;
+ void *data;
+
+ if (mem_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Warning: bounding to NULL context!\n");
+ return EINVAL;
+ }
+
if (msg == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
return EINVAL;
}
- dbus_message_ref(msg);
- return sbus_message_bound(mem_ctx, msg);
+ if (global_data_slot < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
+ "(data slot < 0)\n");
+ return ERR_INTERNAL;
+ }
+
+ data = dbus_message_get_data(msg, global_data_slot);
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
+ "(returned data is NULL)\n");
+ return ERR_INTERNAL;
+ }
+
+ talloc_msg = talloc_get_type(data, struct sbus_talloc_msg);
+ if (talloc_msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
+ "(invalid data)\n");
+ return ERR_INTERNAL;
+ }
+
+ talloc_steal(mem_ctx, talloc_msg);
+
+ return EOK;
}
DBusMessage *
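Review bot: the NULL mem_ctx check in sbus_message_bound_steal() logs "Warning: bounding to NULL context!" at SSSDBG_CRIT_FAILURE and then returns EINVAL, so it is a hard error, not a warning, and the verb should be "binding"; suggest `DEBUG(SSSDBG_CRIT_FAILURE, "Cannot steal message to a NULL context!\n");` so the log reads as the failure it is. The three ERR_INTERNAL paths (slot never allocated, no data on the message, data of the wrong talloc type) are a good guard against stealing a message that never went through sbus_message_bound(); it would help a reader to say in the header comment that this is the contract.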
diff --git a/src/sbus/request/sbus_request.c b/src/sbus/request/sbus_request.c
index 3d0e2f9..1ccd01e 100644
--- a/src/sbus/request/sbus_request.c
+++ b/src/sbus/request/sbus_request.c
@@ -564,10 +564,9 @@ sbus_incoming_request_recv(TALLOC_CTX *mem_ctx,
return EOK;
}
- /* Create new reference to the reply and bound it with caller mem_ctx. */
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
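Review bot: the removed comment "Create new reference to the reply and bound it with caller mem_ctx." is not replaced, yet the ownership change is the part a reader needs here: after sbus_message_bound_steal() the reply belongs to the caller's mem_ctx and state->reply is a borrowed pointer that dangles once the caller frees mem_ctx. Suggest a one-line comment such as `/* Move the reply to the caller's mem_ctx; state->reply no longer owns it. */` here and in the sibling recv hunks below.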
@@ -709,10 +708,9 @@ sbus_outgoing_request_recv(TALLOC_CTX *mem_ctx,
TEVENT_REQ_RETURN_ON_ERROR(req);
- /* Create new reference to the reply and bound it with caller mem_ctx. */
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
diff --git a/src/sbus/request/sbus_request_call.c b/src/sbus/request/sbus_request_call.c
index 1cf58bd..cf2a6e5 100644
--- a/src/sbus/request/sbus_request_call.c
+++ b/src/sbus/request/sbus_request_call.c
@@ -126,10 +126,9 @@ sbus_call_method_recv(TALLOC_CTX *mem_ctx,
TEVENT_REQ_RETURN_ON_ERROR(req);
- /* Create new reference to the reply and bound it with caller mem_ctx. */
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
return ret;
}
diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
index 92d5cea..e7b8fe5 100644
--- a/src/sbus/sbus_message.h
+++ b/src/sbus/sbus_message.h
@@ -45,11 +45,7 @@ errno_t
sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
/**
- * Reference the message and bound it with talloc context.
- *
- * DO NOT USE dbus_message_unref() on such message anymore since it would not
- * release internal data about the bound. The message will be automatically
- * unreferenced when the talloc context is freed.
+ * Steal previously bound D-Bus message to a new talloc parent.
*
* @param mem_ctx Memory context to bound the message with. It can not be NULL.
* @param msg Message to be bound with memory context.
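Review bot: the new summary "Steal previously bound D-Bus message to a new talloc parent." is accurate, but the @param lines below it still read "Memory context to bound the message with" and "Message to be bound with memory context", which describe sbus_message_bound() rather than the steal; update them to "New talloc parent for the message" and "Message previously bound with sbus_message_bound()", and document that ERR_INTERNAL is returned when the message was never bound, as the implementation in sbus_message.c now does.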
@@ -57,7 +53,7 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
* @return EOK on success, other errno code on error.
*/
errno_t
-sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg);
+sbus_message_bound_steal(TALLOC_CTX *mem_ctx, DBusMessage *msg);
/**
* Create an empty D-Bus method call.
diff --git a/src/sbus/sync/sbus_sync_call.c b/src/sbus/sync/sbus_sync_call.c
index 8549e58..a4f8a5c 100644
--- a/src/sbus/sync/sbus_sync_call.c
+++ b/src/sbus/sync/sbus_sync_call.c
@@ -63,10 +63,9 @@ sbus_sync_call_method(TALLOC_CTX *mem_ctx,
goto done;
}
- /* Create new reference to the reply and bound it with caller mem_ctx. */
- ret = sbus_message_bound_ref(mem_ctx, reply);
+ ret = sbus_message_bound_steal(mem_ctx, reply);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
--
2.9.5


@ -1,663 +0,0 @@
From c895fa2449900f4abd1dce6bb62a45c52bbb12cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 16 Aug 2018 13:20:55 +0200
Subject: [PATCH 12/83] sbus: add unit tests for public sbus_message module
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
Makefile.am | 14 +
src/tests/cmocka/sbus/test_sbus_message.c | 610 ++++++++++++++++++++++++++++++
2 files changed, 624 insertions(+)
create mode 100644 src/tests/cmocka/sbus/test_sbus_message.c
diff --git a/Makefile.am b/Makefile.am
index 1b4f044..11d0405 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -270,6 +270,7 @@ if HAVE_CMOCKA
test_copy_keytab \
test_child_common \
responder_cache_req-tests \
+ test_sbus_message \
test_sbus_opath \
test_fo_srv \
pam-srv-tests \
@@ -2594,6 +2595,19 @@ test_ssh_client_LDADD = \
$(SSSD_LIBS) \
$(NULL)
+test_sbus_message_SOURCES = \
+ src/tests/cmocka/sbus/test_sbus_message.c \
+ $(NULL)
+test_sbus_message_CFLAGS = \
+ $(AM_CFLAGS)
+test_sbus_message_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ libsss_debug.la \
+ libsss_test_common.la \
+ libsss_sbus.la \
+ $(NULL)
+
test_sbus_opath_SOURCES = \
src/tests/cmocka/sbus/test_sbus_opath.c \
$(NULL)
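Review bot: `test_sbus_message_CFLAGS = \` ends its continuation on `$(AM_CFLAGS)` without the `$(NULL)` terminator that the neighbouring test_sbus_message_SOURCES, test_sbus_message_LDADD and test_sbus_opath_SOURCES blocks use; add `\` after `$(AM_CFLAGS)` and a `$(NULL)` line for consistency, so a later addition does not have to touch the last line.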
diff --git a/src/tests/cmocka/sbus/test_sbus_message.c b/src/tests/cmocka/sbus/test_sbus_message.c
new file mode 100644
index 0000000..c01e168
--- /dev/null
+++ b/src/tests/cmocka/sbus/test_sbus_message.c
@@ -0,0 +1,610 @@
+/*
+ Authors:
+ Jakub Hrozek <jhrozek@redhat.com>
+ Pavel Březina <pbrezina@redhat.com>
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "config.h"
+
+#include <talloc.h>
+#include <errno.h>
+#include <popt.h>
+
+#include "util/util.h"
+#include "sbus/sbus_message.h"
+#include "tests/cmocka/common_mock.h"
+#include "tests/common.h"
+
+#define BASE_PATH "/some/path"
+
+struct test_ctx {
+ bool msg_removed;
+};
+
+static void helper_msg_removed(void *state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(state, struct test_ctx);
+
+ test_ctx->msg_removed = true;
+}
+
+static void helper_msg_watch(struct test_ctx *test_ctx, DBusMessage *msg)
+{
+ DBusFreeFunction free_fn;
+ dbus_int32_t data_slot = -1;
+ dbus_bool_t bret;
+
+ assert_non_null(msg);
+
+ bret = dbus_message_allocate_data_slot(&data_slot);
+ assert_true(bret);
+
+ free_fn = helper_msg_removed;
+ bret = dbus_message_set_data(msg, data_slot, test_ctx, free_fn);
+ assert_true(bret);
+}
+
+static int test_setup(void **state)
+{
+ struct test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_ctx);
+ assert_non_null(test_ctx);
+ *state = test_ctx;
+
+ check_leaks_push(test_ctx);
+
+ return 0;
+}
+
+int test_teardown(void **state)
+{
+ struct test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_zfree(test_ctx);
+ assert_true(leak_check_teardown());
+
+ return 0;
+}
+
+void test_sbus_message_bound__null(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+
+ ret = sbus_message_bound(NULL, msg);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sbus_message_bound(test_ctx, NULL);
+ assert_int_equal(ret, EINVAL);
+
+ dbus_message_unref(msg);
+}
+
+void test_sbus_message_bound__unref(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ ret = sbus_message_bound(test_ctx, msg);
+ assert_int_equal(ret, EOK);
+
+ /* no memory leak should be detected in teardown */
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_message_bound__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ DBusMessage *msg;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ ret = sbus_message_bound(tmp_ctx, msg);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(tmp_ctx);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_message_bound_steal__null(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ ret = sbus_message_bound_steal(NULL, msg);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sbus_message_bound_steal(test_ctx, NULL);
+ assert_int_equal(ret, EINVAL);
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_message_bound_steal__invalid(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ ret = sbus_message_bound_steal(test_ctx, msg);
+ assert_int_equal(ret, ERR_INTERNAL);
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_message_bound_steal__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ TALLOC_CTX *tmp_ctx_steal;
+ DBusMessage *msg;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ tmp_ctx_steal = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx_steal);
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ ret = sbus_message_bound(tmp_ctx, msg);
+ assert_int_equal(ret, EOK);
+
+ /* this will increase ref counter of message and add new talloc bound */
+ ret = sbus_message_bound_steal(tmp_ctx_steal, msg);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(tmp_ctx);
+ assert_false(test_ctx->msg_removed);
+ talloc_free(tmp_ctx_steal);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_method_create_empty__unref(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+
+ msg = sbus_method_create_empty(NULL, "bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_method_create_empty__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ DBusMessage *msg;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ msg = sbus_method_create_empty(tmp_ctx, "bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ talloc_free(tmp_ctx);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_method_create__unref(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ dbus_bool_t dbret;
+ uint32_t in_value = 32;
+ uint32_t out_value;
+
+ msg = sbus_method_create(NULL, "bus.test", "/", "iface.test", "method",
+ DBUS_TYPE_UINT32, &in_value);
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ dbret = dbus_message_get_args(msg, NULL,
+ DBUS_TYPE_UINT32, &out_value,
+ DBUS_TYPE_INVALID);
+ assert_true(dbret);
+ assert_int_equal(out_value, 32);
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_method_create__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ DBusMessage *msg;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ msg = sbus_method_create_empty(tmp_ctx, "bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ talloc_free(tmp_ctx);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_signal_create_empty__unref(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+
+ msg = sbus_signal_create_empty(NULL, "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
+ assert_null(dbus_message_get_destination(msg));
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_signal_create_empty__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ DBusMessage *msg;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ msg = sbus_signal_create_empty(tmp_ctx, "/", "iface.test", "method");
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
+ assert_null(dbus_message_get_destination(msg));
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ talloc_free(tmp_ctx);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_signal_create__unref(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ DBusMessage *msg;
+ dbus_bool_t dbret;
+ uint32_t in_value = 32;
+ uint32_t out_value;
+
+ msg = sbus_signal_create(NULL, "/", "iface.test", "method",
+ DBUS_TYPE_UINT32, &in_value);
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
+ assert_null(dbus_message_get_destination(msg));
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ dbret = dbus_message_get_args(msg, NULL,
+ DBUS_TYPE_UINT32, &out_value,
+ DBUS_TYPE_INVALID);
+ assert_true(dbret);
+ assert_int_equal(out_value, 32);
+
+ dbus_message_unref(msg);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_signal_create__free(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ TALLOC_CTX *tmp_ctx;
+ DBusMessage *msg;
+ dbus_bool_t dbret;
+ uint32_t in_value = 32;
+ uint32_t out_value;
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ msg = sbus_signal_create(tmp_ctx, "/", "iface.test", "method",
+ DBUS_TYPE_UINT32, &in_value);
+ assert_non_null(msg);
+ helper_msg_watch(test_ctx, msg);
+
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
+ assert_null(dbus_message_get_destination(msg));
+ assert_string_equal(dbus_message_get_path(msg), "/");
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
+ assert_string_equal(dbus_message_get_member(msg), "method");
+
+ dbret = dbus_message_get_args(msg, NULL,
+ DBUS_TYPE_UINT32, &out_value,
+ DBUS_TYPE_INVALID);
+ assert_true(dbret);
+ assert_int_equal(out_value, 32);
+
+ talloc_free(tmp_ctx);
+ assert_true(test_ctx->msg_removed);
+}
+
+void test_sbus_reply_parse__ok(void **state)
+{
+ DBusMessage *msg;
+ DBusMessage *reply;
+ dbus_bool_t dbret;
+ uint32_t in_value1 = 32;
+ uint32_t in_value2 = 64;
+ uint32_t out_value1;
+ uint32_t out_value2;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ reply = dbus_message_new_method_return(msg);
+ assert_non_null(reply);
+
+ dbret = dbus_message_append_args(reply, DBUS_TYPE_UINT32, &in_value1,
+ DBUS_TYPE_UINT32, &in_value2,
+ DBUS_TYPE_INVALID);
+ assert_true(dbret);
+
+ ret = sbus_reply_parse(reply, DBUS_TYPE_UINT32, &out_value1,
+ DBUS_TYPE_UINT32, &out_value2);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(out_value1, in_value1);
+ assert_int_equal(out_value2, in_value2);
+
+ dbus_message_unref(msg);
+ dbus_message_unref(reply);
+}
+
+void test_sbus_reply_parse__error(void **state)
+{
+ DBusMessage *msg;
+ DBusMessage *reply;
+ uint32_t out_value1;
+ uint32_t out_value2;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ reply = dbus_message_new_error(msg, SBUS_ERROR_KILLED, "Test error!");
+ assert_non_null(reply);
+
+ ret = sbus_reply_parse(reply, DBUS_TYPE_UINT32, &out_value1,
+ DBUS_TYPE_UINT32, &out_value2);
+ assert_int_equal(ret, ERR_SBUS_KILL_CONNECTION);
+
+ dbus_message_unref(msg);
+ dbus_message_unref(reply);
+}
+
+void test_sbus_reply_parse__wrong_type(void **state)
+{
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ ret = sbus_reply_parse(msg);
+ assert_int_not_equal(ret, EOK);
+
+ dbus_message_unref(msg);
+}
+
+void test_sbus_reply_check__ok(void **state)
+{
+ DBusMessage *msg;
+ DBusMessage *reply;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ reply = dbus_message_new_method_return(msg);
+ assert_non_null(reply);
+
+ ret = sbus_reply_check(reply);
+ assert_int_equal(ret, EOK);
+
+ dbus_message_unref(msg);
+ dbus_message_unref(reply);
+}
+
+void test_sbus_reply_check__error(void **state)
+{
+ DBusMessage *msg;
+ DBusMessage *reply;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ reply = dbus_message_new_error(msg, SBUS_ERROR_KILLED, "Test error!");
+ assert_non_null(reply);
+
+ ret = sbus_reply_check(reply);
+ assert_int_equal(ret, ERR_SBUS_KILL_CONNECTION);
+
+ dbus_message_unref(msg);
+ dbus_message_unref(reply);
+}
+
+void test_sbus_reply_check__wrong_type(void **state)
+{
+ DBusMessage *msg;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
+ assert_non_null(msg);
+ dbus_message_set_serial(msg, 1);
+
+ ret = sbus_reply_check(msg);
+ assert_int_not_equal(ret, EOK);
+
+ dbus_message_unref(msg);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__null,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__unref,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__null,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__invalid,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_method_create_empty__unref,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_method_create_empty__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_method_create__unref,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_method_create__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create_empty__unref,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create_empty__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create__unref,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create__free,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__ok,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__error,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__wrong_type,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__ok,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__error,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__wrong_type,
+ test_setup, test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
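Review bot: helper_msg_watch() allocates a fresh D-Bus data slot on every call (the local `dbus_int32_t data_slot = -1;` is re-initialised each time) and never releases it with dbus_message_free_data_slot(), so each test leaks one slot for the lifetime of the process; keep the slot in a file-static variable and free it in test_teardown(), or free it from helper_msg_removed(). Three smaller points: the comment in test_sbus_message_bound_steal__free() ("this will increase ref counter of message and add new talloc bound") describes the old sbus_message_bound_ref() behaviour, whereas the steal only reparents the existing talloc bound, so the comment should say that; test_sbus_method_create__free() calls sbus_method_create_empty() instead of sbus_method_create(), so the talloc-free path of the argument-taking variant is never exercised; and test_teardown() lacks the `static` that test_setup() has.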
--
2.9.5


@ -0,0 +1,32 @@
From 3f52de891cba55230730602d41c3811cf1b17d96 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 9 Dec 2019 18:26:56 +0100
Subject: [PATCH 9/9] util/server: improved debug at shutdown
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Relates: https://pagure.io/SSSD/sssd/issue/4088
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/util/server.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/util/server.c b/src/util/server.c
index ee57ac128..33524066e 100644
--- a/src/util/server.c
+++ b/src/util/server.c
@@ -242,7 +242,8 @@ void orderly_shutdown(int status)
kill(-getpgrp(), SIGTERM);
}
#endif
- if (status == 0) sss_log(SSS_LOG_INFO, "Shutting down");
+ DEBUG(SSSDBG_IMPORTANT_INFO, "Shutting down (status = %d)", status);
+ sss_log(SSS_LOG_INFO, "Shutting down (status = %d)", status);
exit(status);
}
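Review bot: the new DEBUG() format string "Shutting down (status = %d)" has no trailing "\n", unlike the other DEBUG() calls in this tree (for example "Unable to allocate data slot!\n" elsewhere on this page), so the next debug line will be glued onto it; suggest `DEBUG(SSSDBG_IMPORTANT_INFO, "Shutting down (status = %d)\n", status);`. The sss_log() call is now made for non-zero status as well, which is the intent of the patch but worth stating explicitly in the commit message.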
--
2.20.1


@ -1,145 +0,0 @@
From 945865ae16120ffade267227ca48cefd58822fd2 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 23 Aug 2018 13:55:51 +0200
Subject: [PATCH 13/83] SELINUX: Always add SELinux user to the semanage
database if it doesn't exist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously, we tried to optimize too much and only set the SELinux user
to Linux user mapping in case the SELinux user was different from the
system default. But this doesn't work for the case where the Linux user
has a non-standard home directory, because then SELinux would not have
any idea that this user's home directory should be labeled as a home
directory.
This patch relaxes the optimization in the sense that on the first
login, the SELinux context is saved regardless of whether it is the same
as the default or different.
Resolves:
https://pagure.io/SSSD/sssd/issue/3819
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/providers/ipa/selinux_child.c | 10 ++++++++--
src/util/sss_semanage.c | 30 ++++++++++++++++++++++++++++++
src/util/util.h | 1 +
src/util/util_errors.c | 1 +
src/util/util_errors.h | 1 +
5 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index d061417..925591e 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,
ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
DEBUG(SSSDBG_TRACE_INTERNAL,
- "getseuserbyname: ret: %d seuser: %s mls: %s\n",
+ "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
ret, db_seuser ? db_seuser : "unknown",
db_mls_range ? db_mls_range : "unknown");
if (ret == EOK && db_seuser && db_mls_range &&
strcmp(db_seuser, seuser) == 0 &&
strcmp(db_mls_range, mls_range) == 0) {
- needs_update = false;
+ ret = sss_seuser_exists(username);
+ if (ret == EOK) {
+ needs_update = false;
+ }
}
/* OR */
if (ret == ERR_SELINUX_NOT_MANAGED) {
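Review bot: reusing `ret` for the `sss_seuser_exists()` result clobbers the `sss_get_seuser()` return value that the `if (ret == ERR_SELINUX_NOT_MANAGED)` check right below was written against; the branch is only entered when that value was EOK, so behaviour is correct today, but the second check now silently depends on `sss_seuser_exists()` propagating ERR_SELINUX_NOT_MANAGED from `sss_semanage_init()` the same way. Give the exists call its own variable, e.g. `int exists_ret = sss_seuser_exists(username);`, so the two checks stay independent of each other.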
@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,
free(db_seuser);
free(db_mls_range);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "The SELinux user does %sneed an update\n",
+ needs_update ? "" : "not ");
return needs_update;
}
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index bcce57b..aea0385 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -248,6 +248,36 @@ done:
return ret;
}
+int sss_seuser_exists(const char *linuxuser)
+{
+ int ret;
+ int exists;
+ semanage_seuser_key_t *sm_key = NULL;
+ semanage_handle_t *sm_handle = NULL;
+
+ ret = sss_semanage_init(&sm_handle);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);
+ if (ret < 0) {
+ sss_semanage_close(sm_handle);
+ return EIO;
+ }
+
+ ret = semanage_seuser_exists(sm_handle, sm_key, &exists);
+ semanage_seuser_key_free(sm_key);
+ sss_semanage_close(sm_handle);
+ if (ret < 0) {
+ return EIO;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");
+
+ return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;
+}
+
int sss_get_seuser(const char *linuxuser,
char **selinuxuser,
char **level)
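Review bot: returning the distinct ERR_SELINUX_USER_NOT_FOUND instead of folding "not found" into EIO is the right interface, since the caller in this patch only clears `needs_update` on EOK and would otherwise be unable to tell a missing mapping from a broken semanage store; keep it that way. Two smaller points: `sss_seuser_exists()` opens and closes a fresh semanage handle immediately after `sss_get_seuser()` did the same on the login path, so a combined lookup would halve the policy store opens per login, and the `DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", ...)` line should include `linuxuser` so the trace can be tied to a specific login.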
diff --git a/src/util/util.h b/src/util/util.h
index 867acf2..59e7a96 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -663,6 +663,7 @@ int sss_del_seuser(const char *login_name);
int sss_get_seuser(const char *linuxuser,
char **selinuxuser,
char **level);
+int sss_seuser_exists(const char *linuxuser);
/* convert time from generalized form to unix time */
errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 920a178..5f8a2a2 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
{ "LDAP search returned a referral" }, /* ERR_REFERRAL */
{ "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
{ "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
+ { "SELinux user does not exist" }, /* ERR_SELINUX_USER_NOT_FOUND */
{ "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
{ "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
{ "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 5a50936..c6731d4 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -97,6 +97,7 @@ enum sssd_errors {
ERR_REFERRAL,
ERR_SELINUX_CONTEXT,
ERR_SELINUX_NOT_MANAGED,
+ ERR_SELINUX_USER_NOT_FOUND,
ERR_REGEX_NOMATCH,
ERR_TIMESPEC_NOT_SUPPORTED,
ERR_INVALID_CONFIG,
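Review bot: ERR_SELINUX_USER_NOT_FOUND is inserted directly after ERR_SELINUX_NOT_MANAGED here and the string table in util_errors.c gains its entry at the same position, so the index-based `error_to_str` lookup stays aligned; keeping both hunks in one commit, as done, is what prevents off-by-one error messages.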
--
2.9.5


@ -0,0 +1,52 @@
From 26e33b1984cce3549df170f58f8221201ad54cfd Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 7 Jan 2020 16:29:05 +0100
Subject: [PATCH] util/sss_ptr_hash: fixed double free in
sss_ptr_hash_delete_cb()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Calling data->callback(value->ptr) in sss_ptr_hash_delete_cb() could lead
to freeing of value->ptr and thus to destruction of value->spy that is
attached to value->ptr.
In turn sss_ptr_hash_spy_destructor() calls sss_ptr_hash_delete() ->
hash_delete() -> sss_ptr_hash_delete_cb() again and in this recursive
execution hash entry was actually deleted and value was freed.
When stack was unwound back to "first" sss_ptr_hash_delete_cb() it tried
to free value again => double free.
To prevent this bug value and hence spy are now freed before execution of
data->callback(value->ptr).
Resolves: https://pagure.io/SSSD/sssd/issue/4135
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/util/sss_ptr_hash.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
index c7403ffa6..8f9762cb9 100644
--- a/src/util/sss_ptr_hash.c
+++ b/src/util/sss_ptr_hash.c
@@ -154,13 +154,13 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
callback_entry.value.type = HASH_VALUE_PTR;
callback_entry.value.ptr = value->ptr;
+ /* Free value, this also will disable spy */
+ talloc_free(value);
+
/* Switch to the input value and call custom callback. */
if (data->callback != NULL) {
data->callback(&callback_entry, deltype, data->pvt);
}
-
- /* Free value. */
- talloc_free(value);
}
hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
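Review bot: the reorder is correct for the recursion described in the commit message because `callback_entry.value.ptr` is the caller-owned pointer, not memory owned by `value`, so it stays valid after `talloc_free(value)`; do confirm that the key fields of `callback_entry` populated above this hunk are copies as well, since any field still pointing into `value` (or a talloc child of it) becomes a use-after-free the moment the callback dereferences it. A one-line comment above `talloc_free(value)` stating that `value` must not be touched after this point would keep the next edit from reintroducing the bug.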
--
2.20.1


@ -1,44 +0,0 @@
From 1e2398870e8aa512ead3012d46cbe6252429467a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 10 Sep 2018 15:35:45 +0200
Subject: [PATCH 16/83] intg: flush the SSSD caches to sync with files
To make sure that SSSD has synced with the latest data added to the
passwd file sss_cache is called in two places where the current sync
scheme was not reliable. This was mainly observed when running the
integration tests on Debian.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/test_files_provider.py | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 9f30d2b..ead1cc4 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -644,6 +644,10 @@ def test_enum_users(setup_pw_with_canary, files_domain_only):
user = user_generator(i)
setup_pw_with_canary.useradd(**user)
+ # syncing with the help of the canary is not reliable after adding
+ # multiple users because the canary might still be in some caches so that
+ # the data is not refreshed properly.
+ subprocess.call(["sss_cache", "-E"])
sssd_getpwnam_sync(CANARY["name"])
user_list = call_sssd_enumeration()
# +1 because the canary is added
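Review bot: `subprocess.call(["sss_cache", "-E"])` discards the exit status, so a missing or failing sss_cache (for example not on PATH in the Debian run the commit message mentions) leaves the test exactly as racy as before while looking fixed; use `subprocess.check_call(["sss_cache", "-E"])` so the test fails loudly when the flush did not happen.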
@@ -1043,6 +1047,10 @@ def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
# Add this user and verify it's been added as a member
pwd_ops.useradd(**USER2)
+ # The negative cache might still have user2 from the previous request,
+ # flushing the caches might help to prevent a failed lookup after adding
+ # the user.
+ subprocess.call(["sss_cache", "-E"])
res, groups = sssd_id_sync('user2')
assert res == sssd_id.NssReturnCode.SUCCESS
assert len(groups) == 2
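Review bot: the comment "flushing the caches might help" hedges where a test fix should be deterministic; if the negative cache entry for user2 is the cause, state that as the invariant the flush establishes (no negative entry survives `sss_cache -E`), otherwise the next failure gets written off as flakiness again. The same `check_call` point as in the previous hunk applies here.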
--
2.9.5


@ -0,0 +1,195 @@
From bd201746f8cf0e95615b3e98868555451b5e66b8 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Mon, 2 Dec 2019 11:11:52 +0100
Subject: [PATCH] sdap: Add randomness to ldap connection timeout
In case of mass deployment, mass registration of IPA clients roughly on
the same time leads to regular CPU load spikes on IPA servers, the load
spikes are caused by all/most clients refreshing their LDAP connections
(ldap_connection_expire_timeout) every 15 minutes.
This patch introduces new random value (from 0 up to
ldap_connection_expire_offset) that is added to the timeout.
Resolves:
https://pagure.io/SSSD/sssd/issue/3630
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++
src/providers/ad/ad_opts.c | 1 +
src/providers/ipa/ipa_opts.c | 1 +
src/providers/ldap/ldap_opts.c | 1 +
src/providers/ldap/sdap.h | 1 +
src/providers/ldap/sdap_async_connection.c | 12 ++++++++++++
10 files changed, 39 insertions(+)
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 8c73c89ac..c56d5a668 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -600,6 +600,7 @@ option = ldap_chpass_dns_service_name
option = ldap_chpass_update_last_change
option = ldap_chpass_uri
option = ldap_connection_expire_timeout
+option = ldap_connection_expire_offset
option = ldap_default_authtok
option = ldap_default_authtok_type
option = ldap_default_bind_dn
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 80e329b3b..aaa0b2345 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -58,6 +58,7 @@ ldap_deref = str, None, false
ldap_page_size = int, None, false
ldap_deref_threshold = int, None, false
ldap_connection_expire_timeout = int, None, false
+ldap_connection_expire_offset = int, None, false
ldap_disable_paging = bool, None, false
krb5_confd_path = str, None, false
wildcard_limit = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index e2d46db75..7ed153d36 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -52,6 +52,7 @@ ldap_deref = str, None, false
ldap_page_size = int, None, false
ldap_deref_threshold = int, None, false
ldap_connection_expire_timeout = int, None, false
+ldap_connection_expire_offset = int, None, false
ldap_disable_paging = bool, None, false
krb5_confd_path = str, None, false
wildcard_limit = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 01c1d7f12..4f73e901e 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -36,6 +36,7 @@ ldap_deref_threshold = int, None, false
ldap_sasl_canonicalize = bool, None, false
ldap_sasl_minssf = int, None, false
ldap_connection_expire_timeout = int, None, false
+ldap_connection_expire_offset = int, None, false
ldap_disable_paging = bool, None, false
ldap_disable_range_retrieval = bool, None, false
wildcard_limit = int, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 6d1ae23ec..f8bb973c7 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -509,12 +509,31 @@
the two values (this value vs. the TGT lifetime)
will be used.
</para>
+ <para>
+ This timeout can be extended of a random
+ value specified by
+ <emphasis>ldap_connection_expire_offset</emphasis>
+ </para>
<para>
Default: 900 (15 minutes)
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ldap_connection_expire_offset (integer)</term>
+ <listitem>
+ <para>
+ Random offset between 0 and configured value
+ is added to
+ <emphasis>ldap_connection_expire_timeout</emphasis>.
+ </para>
+ <para>
+ Default: 0
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>ldap_page_size (integer)</term>
<listitem>
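Review bot: "This timeout can be extended of a random value" should read "extended by a random value", and neither paragraph says what the option is for or its unit; state that the offset is in seconds, that the random value is drawn once per connection, and that its purpose is to spread the reconnects of many clients sharing the same `ldap_connection_expire_timeout` so they do not hit the server in lockstep, which is the motivation given in the commit message.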
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index cd568e466..1293219ee 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -137,6 +137,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
index 7974cb8ea..4fafa073d 100644
--- a/src/providers/ipa/ipa_opts.c
+++ b/src/providers/ipa/ipa_opts.c
@@ -147,6 +147,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
index a20ec0d86..ffd0c6baa 100644
--- a/src/providers/ldap/ldap_opts.c
+++ b/src/providers/ldap/ldap_opts.c
@@ -107,6 +107,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index d0a19a660..f27b3c480 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -221,6 +221,7 @@ enum sdap_basic_opt {
SDAP_DEREF_THRESHOLD,
SDAP_SASL_CANONICALIZE,
SDAP_EXPIRE_TIMEOUT,
+ SDAP_EXPIRE_OFFSET,
SDAP_DISABLE_PAGING,
SDAP_IDMAP_LOWER,
SDAP_IDMAP_UPPER,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 0260cba6f..7438d14a7 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1803,6 +1803,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
struct tevent_req *subreq;
time_t now;
int expire_timeout;
+ int expire_offset;
+
const char *sasl_mech = dp_opt_get_string(state->opts->basic,
SDAP_SASL_MECH);
const char *user_dn = dp_opt_get_string(state->opts->basic,
@@ -1832,6 +1834,16 @@ static void sdap_cli_auth_step(struct tevent_req *req)
*/
now = time(NULL);
expire_timeout = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_TIMEOUT);
+ expire_offset = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_OFFSET);
+ if (expire_offset > 0) {
+ expire_timeout += sss_rand() % (expire_offset + 1);
+ } else if (expire_offset < 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Negative value [%d] of ldap_connection_expire_offset "
+ "is not allowed.\n",
+ expire_offset);
+ }
+
DEBUG(SSSDBG_CONF_SETTINGS, "expire timeout is %d\n", expire_timeout);
if (!state->sh->expire_time
|| (state->sh->expire_time > (now + expire_timeout))) {
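Review bot: a negative `ldap_connection_expire_offset` is logged at SSSDBG_MINOR_FAILURE and then silently treated as 0, which is easy to miss on a fleet; rejecting it at option load (or in `sssctl config-check`) would surface the misconfiguration once instead of on every bind. Also guard the addition: with a large offset `expire_timeout += sss_rand() % (expire_offset + 1)` can overflow `int` (and `expire_offset + 1` itself overflows at INT_MAX), so clamp the offset, for instance to the timeout value. The modulo bias of `sss_rand() % n` is irrelevant here, as this is scheduling jitter rather than a security-sensitive random value.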
--
2.20.1


@ -0,0 +1,55 @@
From 090cf77a0fd5f300a753667658af3ed763a88e83 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 26 Sep 2019 20:24:34 +0200
Subject: [PATCH 12/15] ad: allow booleans for ad_inherit_opts_if_needed()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently ad_inherit_opts_if_needed() can only handle strings. With this
patch it can handle boolean options as well.
Related to https://pagure.io/SSSD/sssd/issue/4131
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_common.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 5540066d4..600e3ceb2 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1479,9 +1479,26 @@ errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
const char *parent_val = NULL;
char *dummy = NULL;
char *option_list[2] = { NULL, NULL };
-
- parent_val = dp_opt_get_cstring(parent_opts, opt_id);
- if (parent_val != NULL) {
+ bool is_default = true;
+
+ switch (parent_opts[opt_id].type) {
+ case DP_OPT_STRING:
+ parent_val = dp_opt_get_cstring(parent_opts, opt_id);
+ break;
+ case DP_OPT_BOOL:
+ /* For booleans it is hard to say if the option is set or not since
+ * both possible values are valid ones. So we check if the value is
+ * different from the default and skip if it is the default. In this
+ * case the sub-domain option would either be the default as well or
+ * manully set and in both cases we do not have to change it. */
+ is_default = (parent_opts[opt_id].val.boolean
+ == parent_opts[opt_id].def_val.boolean);
+ break;
+ default:
+ DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n");
+ }
+
+ if (parent_val != NULL || !is_default) {
ret = confdb_get_string(cdb, NULL, subdom_conf_path,
parent_opts[opt_id].opt_name, NULL, &dummy);
if (ret != EOK) {
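Review bot: the `default:` arm logs an unsupported option type at SSSDBG_TRACE_FUNC and then takes the skip path, which hides a programming error (a caller passing a DP_OPT_NUMBER) behind the lowest debug level; log it at SSSDBG_MINOR_FAILURE or higher and add a `break;` for consistency with the other arms. Also check the copy step after `confdb_get_string()` below this hunk: in the DP_OPT_BOOL branch `parent_val` is still NULL, so the value has to be carried over with `dp_opt_set_bool()` rather than through the string path, or a non-default parent setting is inherited as nothing.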
--
2.20.1


@ -1,87 +0,0 @@
From b03179ead11db7dbfd6a00d3eeef3dac0990f826 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 10 Sep 2018 15:40:14 +0200
Subject: [PATCH 17/83] sbus: detect python binary for sbus_generate.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We already detect python2 and python3 binaries during configure. With
this patch PYTHON_EXEC is set to the python3 binary if python3 bindings
are generated and to the python2 binary otherwise. With the help of an
environment variable sbus_generate.sh is made aware of it.
Related to https://pagure.io/SSSD/sssd/issue/3807
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 4 ++--
configure.ac | 8 ++++++++
sbus_generate.sh => sbus_generate.sh.in | 2 +-
3 files changed, 11 insertions(+), 3 deletions(-)
rename sbus_generate.sh => sbus_generate.sh.in (93%)
diff --git a/Makefile.am b/Makefile.am
index 11d0405..deb9ce3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1020,14 +1020,14 @@ libsss_cert_la_LDFLAGS = \
$(NULL)
generate-sbus-code:
- $(srcdir)/sbus_generate.sh $(abs_srcdir)
+ $(builddir)/sbus_generate.sh $(abs_srcdir)
.PHONY: generate-sbus-code
BUILT_SOURCES += generate-sbus-code
EXTRA_DIST += \
- sbus_generate.sh \
+ sbus_generate.sh.in \
src/sbus/codegen/dbus.xml \
src/sbus/codegen/sbus_CodeGen.py \
src/sbus/codegen/sbus_DataType.py \
diff --git a/configure.ac b/configure.ac
index 1aac65f..bb18ad4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -373,6 +373,13 @@ them please use argument --without-python3-bindings when running configure.])])
SSS_CLEAN_PYTHON_VARIABLES
fi
+if test x$HAVE_PYTHON3_BINDINGS = x1; then
+ PYTHON_EXEC=$PYTHON3
+else
+ PYTHON_EXEC=$PYTHON2
+fi
+AC_SUBST(PYTHON_EXEC)
+
AM_CONDITIONAL([BUILD_PYTHON_BINDINGS],
[test x"$with_python2_bindings" = xyes \
-o x"$with_python3_bindings" = xyes])
@@ -524,4 +531,5 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
src/config/setup.py
src/systemtap/sssd.stp
src/config/SSSDConfig/__init__.py])
+AC_CONFIG_FILES([sbus_generate.sh], [chmod +x sbus_generate.sh])
AC_OUTPUT
diff --git a/sbus_generate.sh b/sbus_generate.sh.in
similarity index 93%
rename from sbus_generate.sh
rename to sbus_generate.sh.in
index 338fd9d..b2c695e 100755
--- a/sbus_generate.sh
+++ b/sbus_generate.sh.in
@@ -13,7 +13,7 @@ generate() {
echo "Generating sbus code for: $XML"
- python $CODEGEN --sbus sbus --util util \
+ @PYTHON_EXEC@ $CODEGEN --sbus sbus --util util \
--headers "$HEADERS" \
--dest "$SRCDIR/src/$DEST" \
--fileprefix "sbus_${PREFIX}_" \
--
2.9.5


@ -0,0 +1,438 @@
From da0be382d95f0bdbc6ad5ccb68503456c2ee858b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 26 Sep 2019 20:27:09 +0200
Subject: [PATCH 11/13] ad: add ad_use_ldaps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With this new boolean option the AD provider should only use the LDAPS
port 636 and the Global Catalog port 3629 which is TLS protected as
well.
Related to https://pagure.io/SSSD/sssd/issue/4131
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/man/sssd-ad.5.xml | 20 +++++++++++++++++++
src/providers/ad/ad_common.c | 24 +++++++++++++++++++----
src/providers/ad/ad_common.h | 8 +++++++-
src/providers/ad/ad_init.c | 8 +++++++-
src/providers/ad/ad_opts.c | 1 +
src/providers/ad/ad_srv.c | 16 ++++++++++++---
src/providers/ad/ad_srv.h | 3 ++-
src/providers/ad/ad_subdomains.c | 21 ++++++++++++++++++--
src/providers/ipa/ipa_subdomains_server.c | 4 ++--
12 files changed, 94 insertions(+), 14 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index eba89b461..84631862a 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -252,6 +252,7 @@ option_strings = {
'ad_site' : _('a particular site to be used by the client'),
'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
+ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index c56d5a668..1034a1fd6 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -464,6 +464,7 @@ option = ad_machine_account_password_renewal_opts
option = ad_maximum_machine_account_password_age
option = ad_server
option = ad_site
+option = ad_use_ldaps
# IPA provider specific options
option = ipa_anchor_uuid
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index aaa0b2345..a2af72603 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false
ad_site = str, None, false
ad_maximum_machine_account_password_age = int, None, false
ad_machine_account_password_renewal_opts = str, None, false
+ad_use_ldaps = bool, None, false
ldap_uri = str, None, false
ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index fdcb4e4b9..ade56cd6d 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -1015,6 +1015,26 @@ ad_gpo_map_deny = +my_pam_service
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ad_use_ldaps (bool)</term>
+ <listitem>
+ <para>
+ By default SSSD uses the plain LDAP port 389 and the
+ Global Catalog port 3628. If this option is set to
+ True SSSD will use the LDAPS port 636 and Global
+ Catalog port 3629 with LDAPS protection. Since AD
+ does not allow to have multiple encryption layers on
+ a single connection and we still want to use
+ SASL/GSSAPI or SASL/GSS-SPNEGO for authentication
+ the SASL security property maxssf is set to 0 (zero)
+ for those connections.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>dyndns_update (boolean)</term>
<listitem>
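Review bot: the port numbers are wrong: the Global Catalog listens on 3268 and its TLS variant on 3269, as this same patch defines in ad_common.h (`#define AD_GC_PORT 3268`, `#define AD_GC_LDAPS_PORT 3269`), whereas the text says 3628 and 3629 (the commit message repeats 3629). Also spell out what `maxssf` set to 0 implies: integrity and confidentiality then come solely from TLS, so the LDAPS server certificate must be verifiable on the client or the session is no longer protected against a man-in-the-middle; a pointer to the `ldap_tls_cacert` and `ldap_tls_reqcert` options in sssd-ldap(5) belongs in this entry.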
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 600e3ceb2..a2369166a 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -729,6 +729,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
const char *ad_gc_service,
const char *ad_domain,
bool use_kdcinfo,
+ bool ad_use_ldaps,
size_t n_lookahead_primary,
size_t n_lookahead_backup,
struct ad_service **_service)
@@ -746,6 +747,16 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
goto done;
}
+ if (ad_use_ldaps) {
+ service->ldap_scheme = "ldaps";
+ service->port = LDAPS_PORT;
+ service->gc_port = AD_GC_LDAPS_PORT;
+ } else {
+ service->ldap_scheme = "ldap";
+ service->port = LDAP_PORT;
+ service->gc_port = AD_GC_PORT;
+ }
+
service->sdap = talloc_zero(service, struct sdap_service);
service->gc = talloc_zero(service, struct sdap_service);
if (!service->sdap || !service->gc) {
@@ -927,7 +938,8 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
goto done;
}
- new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
+ new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme,
+ srv_name);
if (!new_uri) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
ret = ENOMEM;
@@ -935,7 +947,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
}
DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);
- sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
+ sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port);
if (sockaddr == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
ret = EIO;
@@ -951,8 +963,12 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
talloc_zfree(service->gc->uri);
talloc_zfree(service->gc->sockaddr);
if (sdata && sdata->gc) {
- new_port = fo_get_server_port(server);
- new_port = (new_port == 0) ? AD_GC_PORT : new_port;
+ if (service->gc_port == AD_GC_LDAPS_PORT) {
+ new_port = service->gc_port;
+ } else {
+ new_port = fo_get_server_port(server);
+ new_port = (new_port == 0) ? service->gc_port : new_port;
+ }
service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
new_uri, new_port);
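Review bot: with `ad_use_ldaps` set, the GC port is forced to AD_GC_LDAPS_PORT and the port returned by `fo_get_server_port(server)` is ignored, so an `ad_server` entry or SRV record that carries a non-standard GC port stops working silently. Honour an explicitly configured port and fall back to `service->gc_port` only when it is 0, as the `else` branch already does, or document that LDAPS mode disregards per-server ports.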
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 75f11de2e..820e06124 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -29,7 +29,8 @@
#define AD_SERVICE_NAME "AD"
#define AD_GC_SERVICE_NAME "AD_GC"
/* The port the Global Catalog runs on */
-#define AD_GC_PORT 3268
+#define AD_GC_PORT 3268
+#define AD_GC_LDAPS_PORT 3269
#define AD_AT_OBJECT_SID "objectSID"
#define AD_AT_DNS_DOMAIN "DnsDomain"
@@ -67,6 +68,7 @@ enum ad_basic_opt {
AD_KRB5_CONFD_PATH,
AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
+ AD_USE_LDAPS,
AD_OPTS_BASIC /* opts counter */
};
@@ -82,6 +84,9 @@ struct ad_service {
struct sdap_service *sdap;
struct sdap_service *gc;
struct krb5_service *krb5_service;
+ const char *ldap_scheme;
+ int port;
+ int gc_port;
};
struct ad_options {
@@ -147,6 +152,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,
const char *ad_gc_service,
const char *ad_domain,
bool use_kdcinfo,
+ bool ad_use_ldaps,
size_t n_lookahead_primary,
size_t n_lookahead_backup,
struct ad_service **_service);
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 290d5b5c1..2b4b9e2e7 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -138,6 +138,7 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
char *ad_servers = NULL;
char *ad_backup_servers = NULL;
char *ad_realm;
+ bool ad_use_ldaps = false;
errno_t ret;
ad_sasl_initialize();
@@ -154,12 +155,14 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
/* Set up the failover service */
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
dp_opt_get_string(ad_options->basic, AD_DOMAIN),
false, /* will be set in ad_get_auth_options() */
+ ad_use_ldaps,
(size_t) -1,
(size_t) -1,
&ad_options->service);
@@ -184,11 +187,13 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
const char *ad_site_override;
bool sites_enabled;
errno_t ret;
+ bool ad_use_ldaps;
hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
if (!sites_enabled) {
@@ -205,7 +210,8 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
default_host_dbs, ad_options->id,
hostname, ad_domain,
- ad_site_override);
+ ad_site_override,
+ ad_use_ldaps);
if (srv_ctx == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
return ENOMEM;
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 1293219ee..30f9b62fd 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -54,6 +54,7 @@ struct dp_option ad_basic_opts[] = {
{ "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
{ "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
{ "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
+ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
index 5fd25f60e..ca15d3715 100644
--- a/src/providers/ad/ad_srv.c
+++ b/src/providers/ad/ad_srv.c
@@ -244,6 +244,7 @@ struct ad_get_client_site_state {
enum host_database *host_db;
struct sdap_options *opts;
const char *ad_domain;
+ bool ad_use_ldaps;
struct fo_server_info *dcs;
size_t num_dcs;
size_t dc_index;
@@ -264,6 +265,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
enum host_database *host_db,
struct sdap_options *opts,
const char *ad_domain,
+ bool ad_use_ldaps,
struct fo_server_info *dcs,
size_t num_dcs)
{
@@ -288,6 +290,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
state->host_db = host_db;
state->opts = opts;
state->ad_domain = ad_domain;
+ state->ad_use_ldaps = ad_use_ldaps;
state->dcs = dcs;
state->num_dcs = num_dcs;
@@ -331,8 +334,11 @@ static errno_t ad_get_client_site_next_dc(struct tevent_req *req)
subreq = sdap_connect_host_send(state, state->ev, state->opts,
state->be_res->resolv,
state->be_res->family_order,
- state->host_db, "ldap", state->dc.host,
- state->dc.port, false);
+ state->host_db,
+ state->ad_use_ldaps ? "ldaps" : "ldap",
+ state->dc.host,
+ state->ad_use_ldaps ? 636 : state->dc.port,
+ false);
if (subreq == NULL) {
ret = ENOMEM;
goto done;
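Review bot: `state->ad_use_ldaps ? 636 : state->dc.port` hard-codes the port while ad_common.c in this same patch uses the `LDAPS_PORT` macro; use the macro here as well. The LDAPS branch also discards `state->dc.port`, which is defensible because the `_ldap._tcp` SRV records carry the plain LDAP port, but that reasoning should sit in a comment next to the literal so nobody "fixes" it back.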
@@ -491,6 +497,7 @@ struct ad_srv_plugin_ctx {
const char *ad_domain;
const char *ad_site_override;
const char *current_site;
+ bool ad_use_ldaps;
};
struct ad_srv_plugin_ctx *
@@ -501,7 +508,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
struct sdap_options *opts,
const char *hostname,
const char *ad_domain,
- const char *ad_site_override)
+ const char *ad_site_override,
+ bool ad_use_ldaps)
{
struct ad_srv_plugin_ctx *ctx = NULL;
errno_t ret;
@@ -515,6 +523,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
ctx->be_res = be_res;
ctx->host_dbs = host_dbs;
ctx->opts = opts;
+ ctx->ad_use_ldaps = ad_use_ldaps;
ctx->hostname = talloc_strdup(ctx, hostname);
if (ctx->hostname == NULL) {
@@ -714,6 +723,7 @@ static void ad_srv_plugin_dcs_done(struct tevent_req *subreq)
state->ctx->host_dbs,
state->ctx->opts,
state->discovery_domain,
+ state->ctx->ad_use_ldaps,
dcs, num_dcs);
if (subreq == NULL) {
ret = ENOMEM;
diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h
index e553d594d..8e410ec26 100644
--- a/src/providers/ad/ad_srv.h
+++ b/src/providers/ad/ad_srv.h
@@ -31,7 +31,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
struct sdap_options *opts,
const char *hostname,
const char *ad_domain,
- const char *ad_site_override);
+ const char *ad_site_override,
+ bool ad_use_ldaps);
struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 2ce34489f..d8c201437 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -282,6 +282,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
bool use_kdcinfo = false;
size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT;
size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT;
+ bool ad_use_ldaps = false;
realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
@@ -312,6 +313,21 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
return ENOMEM;
}
+ ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic,
+ ad_options->basic,
+ be_ctx->cdb, subdom_conf_path,
+ AD_USE_LDAPS);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to inherit option [%s] to sub-domain [%s]. "
+ "This error is ignored but might cause issues or unexpected "
+ "behavior later on.\n",
+ id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name,
+ subdom->name);
+
+ return ret;
+ }
+
ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
ad_options->id->basic,
be_ctx->cdb, subdom_conf_path,
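Review bot: the DEBUG text in this hunk says the inherit failure "is ignored", but the very next statement is `return ret;`, so a failure to inherit ad_use_ldaps actually aborts sub-domain setup. Pick one behaviour: either drop the "This error is ignored but might cause issues" wording and keep the early return, or make the code match the message and fall through (in which case the sibling ad_inherit_opts_if_needed() call that follows should get the same treatment). The lone `+` blank line between the DEBUG call and the return is a stray.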
@@ -344,6 +360,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
if (id_ctx->ad_options->auth_ctx != NULL
&& id_ctx->ad_options->auth_ctx->opts != NULL) {
@@ -362,7 +379,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,
subdom->realm, service_name, gc_service_name,
- subdom->name, use_kdcinfo,
+ subdom->name, use_kdcinfo, ad_use_ldaps,
n_lookahead_primary,
n_lookahead_backup,
&ad_options->service);
@@ -386,7 +403,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
ad_id_ctx->ad_options->id,
hostname,
ad_domain,
- ad_site_override);
+ ad_site_override, ad_use_ldaps);
if (srv_ctx == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
return ENOMEM;
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index fd998877b..9aebf72a5 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -319,7 +319,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
subdom->realm,
service_name, gc_service_name,
- subdom->name, use_kdcinfo,
+ subdom->name, use_kdcinfo, false,
n_lookahead_primary, n_lookahead_backup,
&ad_options->service);
if (ret != EOK) {
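Review bot: a bare `false` literal is passed as ad_use_ldaps here and again in the ad_srv_plugin_ctx_init() call in the next hunk, so the trust-side AD connection in IPA server mode is hard-wired to plain LDAP with SASL protection and never uses LDAPS. If that is intentional, say so in a comment at the call site or in the sssd-ipa man page so the limitation is discoverable, and prefer a named constant over an unexplained boolean literal in the argument list.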
@@ -344,7 +344,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
ad_id_ctx->ad_options->id,
id_ctx->server_mode->hostname,
ad_domain,
- ad_site_override);
+ ad_site_override, false);
if (srv_ctx == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
return ENOMEM;
--
2.20.1


@ -1,68 +0,0 @@
From d7f0b58e2896ed2ef9ed5a390815c1e4df6caaee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 6 Sep 2018 13:38:56 +0200
Subject: [PATCH 18/83] sudo: respect case sensitivity in sudo responder
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the domain is not case sensitive and the case of the original user
or group name differs from the name in the rule, we failed to find the
rule.
Now we filter the rule only with lower cased values in such domain.
Steps to reproduce:
1. Add user/group with upper case, e.g. USER-1
2. Add sudo rule with lower cased name, e.g. sudoUser: user-1
3. Login to system with lower case, e.g. user-1
4. Run sudo -l
Without the patch, rule is not found.
Resolves:
https://pagure.io/SSSD/sssd/issue/3820
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/db/sysdb_sudo.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 3ad462d..19ed97b 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -418,7 +418,17 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
ret = EINVAL;
goto done;
}
- DEBUG(SSSDBG_TRACE_FUNC, "original name: %s\n", orig_name);
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Original name: %s\n", orig_name);
+
+ orig_name = sss_get_cased_name(tmp_ctx, orig_name, domain->case_sensitive);
+ if (orig_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Cased name: %s\n", orig_name);
if (_uid != NULL) {
uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
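Review bot: orig_name is overwritten with the result of sss_get_cased_name(); the lifetime is fine because the copy lives on tmp_ctx, but please confirm that the function returns an unchanged copy when domain->case_sensitive is true, so case-sensitive domains keep the previous lookup behaviour. The four-step reproducer in the commit message would make a good responder test for this change.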
@@ -450,8 +460,9 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
continue;
}
- sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames,
- groupname);
+ sysdb_groupnames[num_groups] = \
+ sss_get_cased_name(sysdb_groupnames, groupname,
+ domain->case_sensitive);
if (sysdb_groupnames[num_groups] == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname);
continue;
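Review bot: the failure message "Cannot strdup %s" is now misleading, since sss_get_cased_name() can also fail while lower-casing; change it to something like "Cannot get cased name for %s". The backslash line continuation after the `=` is unnecessary in C and an unusual style; break the line after the `=` instead.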
--
2.9.5


@ -1,130 +0,0 @@
From 3bd67c772c951f33422261ef658a104ccecc9561 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 3 Jul 2018 20:03:39 +0200
Subject: [PATCH 19/83] GPO: Add gpo_implicit_deny option
This option (when set to True) can be used to deny access to
users even if there is no applicable GPO. Normally users are
allowed access in this situation.
Resolves:
https://pagure.io/SSSD/sssd/issue/3701
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/config/cfg_rules.ini | 1 +
src/man/sssd-ad.5.xml | 21 +++++++++++++++++++++
src/providers/ad/ad_common.h | 1 +
src/providers/ad/ad_gpo.c | 13 ++++++++++++-
src/providers/ad/ad_opts.c | 1 +
5 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 36e83a9..78f215e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -437,6 +437,7 @@ option = ad_enable_dns_sites
option = ad_enabled_domains
option = ad_enable_gc
option = ad_gpo_access_control
+option = ad_gpo_implicit_deny
option = ad_gpo_cache_timeout
option = ad_gpo_default_right
option = ad_gpo_map_batch
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index f43c7fc..0eac382 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -418,6 +418,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
</varlistentry>
<varlistentry>
+ <term>ad_gpo_implicit_deny (boolean)</term>
+ <listitem>
+ <para>
+ Normally when no applicable GPOs are found the
+ users are allowed access. When this option is set
+ to True users will be allowed access only when
+ explicitly allowed by a GPO rule. Otherwise users
+ will be denied access. This can be used to harden
+ security but be careful when using this option
+ because it can deny access even to users in the
+ built-in Administrators group if no GPO rules
+ apply to them.
+ </para>
+ <para>
+ Default: False (seconds)
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
<term>ad_gpo_cache_timeout (integer)</term>
<listitem>
<para>
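Review bot: "Default: False (seconds)" is wrong for a boolean; the "(seconds)" was carried over from the ad_gpo_cache_timeout entry below and should be removed. There are also two blank `+` lines before the next varlistentry where one is enough. The warning that this can lock out members of the built-in Administrators group is the right thing to say; keep it.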
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index dd440da..2c52c99 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -52,6 +52,7 @@ enum ad_basic_opt {
AD_ACCESS_FILTER,
AD_ENABLE_GC,
AD_GPO_ACCESS_CONTROL,
+ AD_GPO_IMPLICIT_DENY,
AD_GPO_CACHE_TIMEOUT,
AD_GPO_MAP_INTERACTIVE,
AD_GPO_MAP_REMOTE_INTERACTIVE,
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index d568643..f3be723 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1586,6 +1586,7 @@ struct ad_gpo_access_state {
struct ldb_context *ldb_ctx;
struct ad_access_ctx *access_ctx;
enum gpo_access_control_mode gpo_mode;
+ bool gpo_implicit_deny;
enum gpo_map_type gpo_map_type;
struct sdap_id_conn_ctx *conn;
struct sdap_id_op *sdap_op;
@@ -1712,6 +1713,8 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
state->gpo_mode = ctx->gpo_access_control_mode;
state->gpo_timeout_option = ctx->gpo_cache_timeout;
state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
+ state->gpo_implicit_deny = dp_opt_get_bool(ctx->ad_options,
+ AD_GPO_IMPLICIT_DENY);
state->access_ctx = ctx;
state->opts = ctx->sdap_access_ctx->id_ctx->opts;
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
@@ -2171,7 +2174,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
}
}
- ret = EOK;
+ if (state->gpo_implicit_deny == true) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
+ " is set to 'true'. The user will be denied access.\n");
+ ret = ERR_ACCESS_DENIED;
+ } else {
+ ret = EOK;
+ }
+
goto done;
}
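Review bot: the denial is logged at SSSDBG_TRACE_FUNC, which is not shown at the default debug level, so an administrator who enables ad_gpo_implicit_deny and locks a user out gets no hint in the logs; log the denial at a level that is visible by default, matching the level used by the other access-denied paths in this file. Please also confirm that the ERR_ACCESS_DENIED returned here goes through the same permissive/enforcing handling (state->gpo_mode) as a denial from an applicable GPO, so that permissive mode still only warns. Style nit: `if (state->gpo_implicit_deny == true)` can simply be `if (state->gpo_implicit_deny)`.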
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index ac93327..c1d9cd7 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {
{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
+ { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
--
2.9.5


@ -0,0 +1,199 @@
From 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 27 Sep 2019 11:49:59 +0200
Subject: [PATCH 14/15] ldap: add new option ldap_sasl_maxssf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There is already the ldap_sasl_minssf option. To be able to control the
maximal security strength factor (ssf), e.g. when using SASL together
with TLS, the option ldap_sasl_maxssf is added as well.
Related to https://pagure.io/SSSD/sssd/issue/4131
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
src/man/sssd-ldap.5.xml | 16 ++++++++++++++++
src/providers/ad/ad_opts.c | 1 +
src/providers/ipa/ipa_opts.c | 1 +
src/providers/ldap/ldap_opts.c | 1 +
src/providers/ldap/sdap.h | 1 +
src/providers/ldap/sdap_async_connection.c | 14 ++++++++++++++
11 files changed, 39 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 6c2a1ce44..b3035fcff 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -306,6 +306,7 @@ option_strings = {
'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'),
'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'),
+ 'ldap_sasl_maxssf' : _('Specify the maximal SSF for LDAP sasl authorization'),
'ldap_krb5_keytab' : _('Kerberos service keytab'),
'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
'ldap_referrals' : _('Follow LDAP referrals'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 478ca9eb4..286443be4 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -665,6 +665,7 @@ option = ldap_sasl_authid
option = ldap_sasl_canonicalize
option = ldap_sasl_mech
option = ldap_sasl_minssf
+option = ldap_sasl_maxssf
option = ldap_schema
option = ldap_pwmodify_mode
option = ldap_search_base
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 51cdad536..4d10e69d7 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -42,6 +42,7 @@ ldap_tls_reqcert = str, None, false
ldap_sasl_mech = str, None, false
ldap_sasl_authid = str, None, false
ldap_sasl_minssf = int, None, false
+ldap_sasl_maxssf = int, None, false
krb5_kdcip = str, None, false
krb5_server = str, None, false
krb5_backup_server = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 7ed153d36..839f9f471 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -32,6 +32,7 @@ ldap_tls_reqcert = str, None, false
ldap_sasl_mech = str, None, false
ldap_sasl_authid = str, None, false
ldap_sasl_minssf = int, None, false
+ldap_sasl_maxssf = int, None, false
krb5_kdcip = str, None, false
krb5_server = str, None, false
krb5_backup_server = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 4f73e901e..6db9828b9 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -35,6 +35,7 @@ ldap_page_size = int, None, false
ldap_deref_threshold = int, None, false
ldap_sasl_canonicalize = bool, None, false
ldap_sasl_minssf = int, None, false
+ldap_sasl_maxssf = int, None, false
ldap_connection_expire_timeout = int, None, false
ldap_connection_expire_offset = int, None, false
ldap_disable_paging = bool, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index f8bb973c7..0dc675410 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -612,6 +612,22 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ldap_sasl_maxssf (integer)</term>
+ <listitem>
+ <para>
+ When communicating with an LDAP server using SASL,
+ specify the maximal security level necessary to
+ establish the connection. The values of this
+ option are defined by OpenLDAP.
+ </para>
+ <para>
+ Default: Use the system default (usually specified
+ by ldap.conf)
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>ldap_deref_threshold (integer)</term>
<listitem>
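Review bot: "the maximal security level necessary to establish the connection" was copied from the ldap_sasl_minssf text and does not describe a maximum; reword to something like "the maximal security strength factor (SSF) the SASL layer is allowed to negotiate". It would also help to give the use case from the commit message, setting it to 0 to disable SASL-layer encryption when TLS already protects the connection, and to state that the value is passed to OpenLDAP as LDAP_OPT_X_SASL_SSF_MAX (the equivalent of maxssf= in SASL_SECPROPS in ldap.conf).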
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 26420d655..e9a3dd6ef 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -106,6 +106,7 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
index 4fafa073d..55de6e600 100644
--- a/src/providers/ipa/ipa_opts.c
+++ b/src/providers/ipa/ipa_opts.c
@@ -114,6 +114,7 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER },
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
index ffd0c6baa..d1b4e98ad 100644
--- a/src/providers/ldap/ldap_opts.c
+++ b/src/providers/ldap/ldap_opts.c
@@ -74,6 +74,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
/* use the same parm name as the krb5 module so we set it only once */
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index f27b3c480..808a2c400 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -192,6 +192,7 @@ enum sdap_basic_opt {
SDAP_SASL_AUTHID,
SDAP_SASL_REALM,
SDAP_SASL_MINSSF,
+ SDAP_SASL_MAXSSF,
SDAP_KRB5_KEYTAB,
SDAP_KRB5_KINIT,
SDAP_KRB5_KDC,
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 7438d14a7..5f69cedcc 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -148,6 +148,8 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
const char *sasl_mech;
int sasl_minssf;
ber_len_t ber_sasl_minssf;
+ int sasl_maxssf;
+ ber_len_t ber_sasl_maxssf;
ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd);
talloc_zfree(subreq);
@@ -291,6 +293,18 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
goto fail;
}
}
+
+ sasl_maxssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MAXSSF);
+ if (sasl_maxssf >= 0) {
+ ber_sasl_maxssf = (ber_len_t)sasl_maxssf;
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MAX,
+ &ber_sasl_maxssf);
+ if (lret != LDAP_OPT_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MAX SSF option "
+ "to %d\n", sasl_maxssf);
+ goto fail;
+ }
+ }
}
/* if we do not use start_tls the connection is not really connected yet
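Review bot: there is no check that sasl_maxssf >= sasl_minssf when both are configured; a pair where the maximum is below the minimum cannot be satisfied, and the SASL bind will fail later with a much less obvious error, so validate the pair here and log a clear message naming both options. The failure message should also include ldap_err2string(lret) so the reason for the ldap_set_option() failure is visible, not just the value that was being set.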
--
2.20.1


@ -1,41 +0,0 @@
From 10fa27eddb9bbe135277d587c6a2de4b311da6df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 18 Sep 2018 15:23:54 +0200
Subject: [PATCH 20/83] CONFDB: Skip 'local' domain if not supported
When SSSD is built without the support for local
domain, we should gracefully skip local domains
and let other domains start.
Resolves:
https://pagure.io/SSSD/sssd/issue/3828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 22068ca..621647e 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -945,8 +945,14 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
goto done;
}
- if (local_provider_is_built()
- && strcasecmp(domain->provider, "local") == 0) {
+ if (strcasecmp(domain->provider, "local") == 0) {
+ if (!local_provider_is_built()) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "ID provider 'local' no longer supported, disabling\n");
+ ret = EINVAL;
+ goto done;
+ }
+
/* If this is the local provider, we need to ensure that
* no other provider was specified for other types, since
* the local provider cannot load them.
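Review bot: the commit message says an unsupported 'local' domain should be skipped so that the other domains start, but the hunk returns EINVAL from confdb_get_domain_internal() with a SSSDBG_FATAL_FAILURE message that says "disabling"; whether that is a skip or a startup failure depends entirely on how the callers treat EINVAL. Either return a dedicated error code that the caller explicitly continues on, or adjust the message and log level so they describe what actually happens.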
--
2.9.5


@ -0,0 +1,91 @@
From 24387e19f065e6a585b1120d5568cb4df271d102 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 27 Sep 2019 13:45:13 +0200
Subject: [PATCH 15/15] ad: set min and max ssf for ldaps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AD does not allow using encryption in the TLS and SASL layers at the
same time. To be able to use ldaps this patch sets min and max ssf to 0
if ldaps should be used.
Related to https://pagure.io/SSSD/sssd/issue/4131
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_common.c | 21 +++++++++++++++++++++
src/providers/ad/ad_common.h | 2 ++
src/providers/ad/ad_subdomains.c | 4 ++++
3 files changed, 27 insertions(+)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index a2369166a..51300f5b2 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1021,6 +1021,23 @@ done:
return;
}
+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts)
+{
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n");
+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to set SASL minssf for ldaps usage, ignored.\n");
+ }
+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to set SASL maxssf for ldaps usage, ignored.\n");
+ }
+}
+
static errno_t
ad_set_sdap_options(struct ad_options *ad_opts,
struct sdap_options *id_opts)
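Review bot: ad_set_ssf_for_ldaps() silently overrides whatever ldap_sasl_minssf / ldap_sasl_maxssf the administrator configured, so with ad_use_ldaps = true the SASL layer provides no confidentiality or integrity and the protection of the channel rests entirely on the TLS settings (ldap_tls_reqcert, ldap_tls_cacert and friends). Document that next to ad_use_ldaps in sssd-ad.5, and log at a level visible by default (not SSSDBG_TRACE_ALL) when a non-zero minssf is being forced to 0, so the override is not invisible to whoever set it.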
@@ -1079,6 +1096,10 @@ ad_set_sdap_options(struct ad_options *ad_opts,
goto done;
}
+ if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) {
+ ad_set_ssf_for_ldaps(id_opts);
+ }
+
/* Warn if the user is doing something silly like overriding the schema
* with the AD provider
*/
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 44da58fa0..8b7a86102 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -182,6 +182,8 @@ errno_t
ad_get_dyndns_options(struct be_ctx *be_ctx,
struct ad_options *ad_opts);
+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts);
+
struct ad_id_ctx *
ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx);
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index d8c201437..a9c6b9f28 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -328,6 +328,10 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
return ret;
}
+ if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) {
+ ad_set_ssf_for_ldaps(ad_options->id);
+ }
+
ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
ad_options->id->basic,
be_ctx->cdb, subdom_conf_path,
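Review bot: ad_set_ssf_for_ldaps() runs on ad_options->id before the ad_inherit_opts_if_needed() call that follows copies a parent-domain SDAP option into ad_options->id->basic; confirm that the option inherited there (and by any further inherit call after this hunk) is not SDAP_SASL_MINSSF or SDAP_SASL_MAXSSF, otherwise the parent's value would overwrite the 0 just set for the sub-domain.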
--
2.20.1


@ -0,0 +1,36 @@
From 007d5b79b7aef67dd843ed9a3b65095faaeb580f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 22 Jan 2020 09:43:21 +0000
Subject: [PATCH] BE_REFRESH: Do not try to refresh domains from other backends
We cannot refresh domains from different sssd_be processes.
We can refresh just subdomains.
Resolves:
https://pagure.io/SSSD/sssd/issue/4142
Merges: https://pagure.io/SSSD/sssd/pull-request/4139
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/be_refresh.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
index 6cce38390..5e43571ce 100644
--- a/src/providers/be_refresh.c
+++ b/src/providers/be_refresh.c
@@ -385,6 +385,10 @@ static errno_t be_refresh_step(struct tevent_req *req)
if (state->index == BE_REFRESH_TYPE_SENTINEL) {
state->domain = get_next_domain(state->domain,
SSS_GND_DESCEND);
+ /* we can update just subdomains */
+ if (state->domain != NULL && !IS_SUBDOMAIN(state->domain)) {
+ break;
+ }
state->index = 0;
continue;
}
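Review bot: the `break` leaves state->domain pointing at the first domain that is not a subdomain, i.e. one served by another sssd_be, and state->index is not reset; make sure the code after the loop treats that as the end of the iteration and does not schedule a refresh for it. A comment saying that get_next_domain() with SSS_GND_DESCEND can walk into domains owned by other backends would explain the intent better than "we can update just subdomains".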
--
2.20.1


@ -1,259 +0,0 @@
From 7c619ae08f05a7595d15cf11b64461a7d19cfaa7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Jun 2018 17:49:50 +0200
Subject: [PATCH 21/83] sysdb: extract sysdb_ldb_msg_attr_to_certmap_info()
call
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb.h | 4 ++
src/db/sysdb_certmap.c | 191 ++++++++++++++++++++++++++++---------------------
2 files changed, 112 insertions(+), 83 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index d72af5a..cb04e1b 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -702,6 +702,10 @@ errno_t sysdb_update_certmap(struct sysdb_ctx *sysdb,
struct certmap_info **certmaps,
bool user_name_hint);
+errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg,
+ struct certmap_info **certmap);
+
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
struct certmap_info ***certmaps,
bool *user_name_hint);
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
index 6d83ba0..e61cc05 100644
--- a/src/db/sysdb_certmap.c
+++ b/src/db/sysdb_certmap.c
@@ -262,19 +262,119 @@ done:
return ret;
}
+errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg,
+ struct certmap_info **certmap)
+{
+ int ret;
+ size_t d;
+ size_t num_values;
+ struct certmap_info *map = NULL;
+ const char *tmp_str;
+ uint64_t tmp_uint;
+ struct ldb_message_element *tmp_el;
+
+
+ map = talloc_zero(mem_ctx, struct certmap_info);
+ if (map == NULL) {
+ return ENOMEM;
+ }
+
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (tmp_str == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
+ ldb_dn_get_linearized(msg->dn));
+ ret = EINVAL;
+ goto done;
+ }
+
+ map->name = talloc_strdup(map, tmp_str);
+ if (map->name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MAPPING_RULE,
+ NULL);
+ if (tmp_str != NULL) {
+ map->map_rule = talloc_strdup(map, tmp_str);
+ if (map->map_rule == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MATCHING_RULE,
+ NULL);
+ if (tmp_str != NULL) {
+ map->match_rule = talloc_strdup(map, tmp_str);
+ if (map->match_rule == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp_uint = ldb_msg_find_attr_as_uint64(msg, SYSDB_CERTMAP_PRIORITY,
+ (uint64_t) -1);
+ if (tmp_uint != (uint64_t) -1) {
+ if (tmp_uint > UINT32_MAX) {
+ DEBUG(SSSDBG_OP_FAILURE, "Priority value [%lu] too large.\n",
+ (unsigned long) tmp_uint);
+ ret = EINVAL;
+ goto done;
+ }
+
+ map->priority = (uint32_t) tmp_uint;
+ }
+
+ tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
+ if (tmp_el != NULL) {
+ num_values = tmp_el->num_values;
+ } else {
+ num_values = 0;
+ }
+
+ map->domains = talloc_zero_array(map, const char *, num_values + 1);
+ if (map->domains == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (d = 0; d < num_values; d++) {
+ map->domains[d] = talloc_strndup(map->domains,
+ (char *) tmp_el->values[d].data,
+ tmp_el->values[d].length);
+ if (map->domains[d] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ *certmap = map;
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(map);
+ }
+
+ return ret;
+}
+
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
struct certmap_info ***certmaps, bool *user_name_hint)
{
size_t c;
- size_t d;
struct ldb_dn *container_dn = NULL;
int ret;
struct certmap_info **maps = NULL;
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_result *res;
- const char *tmp_str;
- uint64_t tmp_uint;
- struct ldb_message_element *tmp_el;
const char *attrs[] = {SYSDB_NAME,
SYSDB_CERTMAP_PRIORITY,
SYSDB_CERTMAP_MATCHING_RULE,
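Review bot: when SYSDB_CERTMAP_PRIORITY is absent, the new function leaves map->priority at 0 from talloc_zero(), which is the highest possible priority and probably not what an unprioritised rule should get; set an explicit default in an else branch of the priority check. The double blank line after the local declarations is a style nit. Otherwise the extraction preserves the original logic, and allocating name and the rule strings on map instead of on the maps array gives a tidier talloc hierarchy than before.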
@@ -283,7 +383,6 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
NULL};
const char *config_attrs[] = {SYSDB_CERTMAP_USER_NAME_HINT,
NULL};
- size_t num_values;
bool hint = false;
tmp_ctx = talloc_new(NULL);
@@ -332,86 +431,12 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
}
for (c = 0; c < res->count; c++) {
- maps[c] = talloc_zero(maps, struct certmap_info);
- if (maps[c] == NULL) {
- ret = ENOMEM;
- goto done;
- }
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c], SYSDB_NAME, NULL);
- if (tmp_str == NULL) {
- DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
- ldb_dn_get_linearized(res->msgs[c]->dn));
- ret = EINVAL;
- goto done;
- }
-
- maps[c]->name = talloc_strdup(maps, tmp_str);
- if (maps[c]->name == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c],
- SYSDB_CERTMAP_MAPPING_RULE, NULL);
- if (tmp_str != NULL) {
- maps[c]->map_rule = talloc_strdup(maps, tmp_str);
- if (maps[c]->map_rule == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
- goto done;
- }
- }
-
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c],
- SYSDB_CERTMAP_MATCHING_RULE, NULL);
- if (tmp_str != NULL) {
- maps[c]->match_rule = talloc_strdup(maps, tmp_str);
- if (maps[c]->match_rule == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
- goto done;
- }
- }
-
- tmp_uint = ldb_msg_find_attr_as_uint64(res->msgs[c],
- SYSDB_CERTMAP_PRIORITY,
- (uint64_t) -1);
- if (tmp_uint != (uint64_t) -1) {
- if (tmp_uint > UINT32_MAX) {
- DEBUG(SSSDBG_OP_FAILURE, "Priority value [%lu] too large.\n",
- (unsigned long) tmp_uint);
- ret = EINVAL;
- goto done;
- }
-
- maps[c]->priority = (uint32_t) tmp_uint;
- }
-
- tmp_el = ldb_msg_find_element(res->msgs[c], SYSDB_CERTMAP_DOMAINS);
- if (tmp_el != NULL) {
- num_values = tmp_el->num_values;
- } else {
- num_values = 0;
- }
-
- maps[c]->domains = talloc_zero_array(maps[c], const char *,
- num_values + 1);
- if (maps[c]->domains == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
- ret = ENOMEM;
+ ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], &maps[c]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n");
goto done;
}
-
- for (d = 0; d < num_values; d++) {
- maps[c]->domains[d] = talloc_strndup(maps[c]->domains,
- (char *) tmp_el->values[d].data,
- tmp_el->values[d].length);
- if (maps[c]->domains[d] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
- ret = ENOMEM;
- goto done;
- }
- }
}
ret = EOK;
--
2.9.5


@ -1,39 +0,0 @@
From d1dd7f7703b4f40d2fbb830e28969b31b8a1673e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Jul 2018 11:30:07 +0200
Subject: [PATCH 22/83] sysdb_ldb_msg_attr_to_certmap_info: set
SSS_CERTMAP_MIN_PRIO
Make sure that priority is always set.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb_certmap.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
index e61cc05..0bb7ebc 100644
--- a/src/db/sysdb_certmap.c
+++ b/src/db/sysdb_certmap.c
@@ -22,6 +22,7 @@
#include "util/util.h"
#include "db/sysdb_private.h"
+#include "lib/certmap/sss_certmap.h"
static errno_t sysdb_create_certmap_container(struct sysdb_ctx *sysdb,
bool user_name_hint)
@@ -327,6 +328,8 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
}
map->priority = (uint32_t) tmp_uint;
+ } else {
+ map->priority = SSS_CERTMAP_MIN_PRIO;
}
tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
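Review bot: this closes the default gap left by the previous patch; please confirm that SSS_CERTMAP_MIN_PRIO is the lowest precedence (the largest numeric value, consistent with the uint32 range checked just above), so rules without a priority sort after every explicitly prioritised rule, and mention that default in the sss-certmap man page if it is not documented yet.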
--
2.9.5


@ -0,0 +1,52 @@
From 58a67cd38b8be9bef45ce70588763d851840dd65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
Date: Tue, 3 Dec 2019 04:13:53 +0100
Subject: [PATCH] sysdb_sudo: Enable LDAP time format compatibility
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The LDAP specification allows omitting seconds and minutes
in a time border definition. In that case they default to zero.
The current sssd.sudo implementation requires precision up to
seconds in the time definition. This commit allows lowering
the precision to hours.
Resolves:
https://pagure.io/SSSD/sssd/issue/4118
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb_sudo.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 59d6824c0..18088b017 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -55,6 +55,22 @@ static errno_t sysdb_sudo_convert_time(const char *str, time_t *unix_time)
"%Y%m%d%H%M%S.0%z",
"%Y%m%d%H%M%S,0Z",
"%Y%m%d%H%M%S,0%z",
+ /* LDAP specification says that minutes and seconds
+ might be omitted and in that case these are meant
+ to be treated as zeros [1].
+ */
+ "%Y%m%d%H%MZ", /* Discard seconds */
+ "%Y%m%d%H%M%z",
+ "%Y%m%d%H%M.0Z",
+ "%Y%m%d%H%M.0%z",
+ "%Y%m%d%H%M,0Z",
+ "%Y%m%d%H%M,0%z",
+ "%Y%m%d%HZ", /* Discard minutes and seconds*/
+ "%Y%m%d%H%z",
+ "%Y%m%d%H.0Z",
+ "%Y%m%d%H.0%z",
+ "%Y%m%d%H,0Z",
+ "%Y%m%d%H,0%z",
NULL};
for (format = formats; *format != NULL; format++) {
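Review bot: the comment cites "[1]" but no footnote or URL is given in the hunk; add the reference (RFC 4517, section 3.3.13, GeneralizedTime, which makes minute and second optional). Under that syntax a fraction following an omitted minute or second is a fraction of the hour or minute, so accepting only the ".0" / ",0" forms as zero is correct. A unit test with values such as 2020010112Z and 202001011230Z alongside the existing full-precision inputs would pin this behaviour down.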
--
2.20.1


@ -0,0 +1,43 @@
From faa5dbf6f716bd4ac0a3020a28a1ee6fbf74654a Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 23 Jan 2020 17:22:28 +0100
Subject: [PATCH 18/24] sbus_server: stylistic rename
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Renamed sbus_server_name_remove_from_table() to
sbus_server_name_remove_from_table_cb() to keep naming consistent
with other functions used as `hash_delete_callback` argument of
sss_ptr_hash_create()
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sbus/server/sbus_server.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sbus/server/sbus_server.c b/src/sbus/server/sbus_server.c
index 5405dae56..2b9327051 100644
--- a/src/sbus/server/sbus_server.c
+++ b/src/sbus/server/sbus_server.c
@@ -584,7 +584,7 @@ sbus_server_name_lost(struct sbus_server *server,
}
static void
-sbus_server_name_remove_from_table(hash_entry_t *item,
+sbus_server_name_remove_from_table_cb(hash_entry_t *item,
hash_destroy_enum type,
void *pvt)
{
@@ -676,7 +676,7 @@ sbus_server_create(TALLOC_CTX *mem_ctx,
}
sbus_server->names = sss_ptr_hash_create(sbus_server,
- sbus_server_name_remove_from_table, sbus_server);
+ sbus_server_name_remove_from_table_cb, sbus_server);
if (sbus_server->names == NULL) {
ret = ENOMEM;
goto done;
--
2.20.1


@ -1,140 +0,0 @@
From 0bf709ad348ca115443bd21e4e369abd5d7698c4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 29 Jun 2018 18:13:59 +0200
Subject: [PATCH 23/83] sysdb: add attr_map attribute to
sysdb_ldb_msg_attr_to_certmap_info()
Allow more flexible attribute mapping in
sysdb_ldb_msg_attr_to_certmap_info()
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb.h | 1 +
src/db/sysdb_certmap.c | 39 +++++++++++++++++++++++++++++++--------
2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index cb04e1b..2187947 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -704,6 +704,7 @@ errno_t sysdb_update_certmap(struct sysdb_ctx *sysdb,
errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
+ const char **attr_map,
struct certmap_info **certmap);
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
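Review bot: the new `attr_map` parameter carries an undocumented contract: callers must pass exactly five attribute names in a fixed order (name, mapping rule, matching rule, priority, domains) followed by NULL, and the enum that defines that order (`certmap_info_member`) is added as a private definition in sysdb_certmap.c rather than here. Either move the enum into sysdb.h so callers can index their arrays with it, or add a comment on the prototype stating the required order.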
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
index 0bb7ebc..e37f1ba 100644
--- a/src/db/sysdb_certmap.c
+++ b/src/db/sysdb_certmap.c
@@ -263,8 +263,19 @@ done:
return ret;
}
+enum certmap_info_member {
+ SSS_CMIM_NAME = 0,
+ SSS_CMIM_MAPPING_RULE,
+ SSS_CMIM_MATCHING_RULE,
+ SSS_CMIM_PRIORITY,
+ SSS_CMIM_DOMAINS,
+
+ SSS_CMIM_SENTINEL
+};
+
errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
+ const char **attr_map,
struct certmap_info **certmap)
{
int ret;
@@ -275,13 +286,24 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
uint64_t tmp_uint;
struct ldb_message_element *tmp_el;
+ if (msg == NULL || attr_map == NULL || certmap == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid input.\n");
+ return EINVAL;
+ }
+
+ for (d = 0; d < SSS_CMIM_SENTINEL; d++) {
+ if (attr_map[d] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid attribute map");
+ return EINVAL;
+ }
+ }
map = talloc_zero(mem_ctx, struct certmap_info);
if (map == NULL) {
return ENOMEM;
}
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_NAME], NULL);
if (tmp_str == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
ldb_dn_get_linearized(msg->dn));
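Review bot: the attribute-map validation loop checks entries 0..SSS_CMIM_SENTINEL-1 for NULL but never verifies that `attr_map[SSS_CMIM_SENTINEL]` is NULL, so a caller passing an unterminated or over-long array is not caught; add that check while you are here. Also, the new debug string `"Invalid attribute map"` lacks the trailing `\n` that the `"Invalid input.\n"` message just above it has, so it will run into the next log line.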
@@ -295,7 +317,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
goto done;
}
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MAPPING_RULE,
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_MAPPING_RULE],
NULL);
if (tmp_str != NULL) {
map->map_rule = talloc_strdup(map, tmp_str);
@@ -306,7 +328,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
}
}
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MATCHING_RULE,
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_MATCHING_RULE],
NULL);
if (tmp_str != NULL) {
map->match_rule = talloc_strdup(map, tmp_str);
@@ -317,7 +339,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
}
}
- tmp_uint = ldb_msg_find_attr_as_uint64(msg, SYSDB_CERTMAP_PRIORITY,
+ tmp_uint = ldb_msg_find_attr_as_uint64(msg, attr_map[SSS_CMIM_PRIORITY],
(uint64_t) -1);
if (tmp_uint != (uint64_t) -1) {
if (tmp_uint > UINT32_MAX) {
@@ -332,7 +354,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
map->priority = SSS_CERTMAP_MIN_PRIO;
}
- tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
+ tmp_el = ldb_msg_find_element(msg, attr_map[SSS_CMIM_DOMAINS]);
if (tmp_el != NULL) {
num_values = tmp_el->num_values;
} else {
@@ -379,9 +401,9 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_result *res;
const char *attrs[] = {SYSDB_NAME,
- SYSDB_CERTMAP_PRIORITY,
- SYSDB_CERTMAP_MATCHING_RULE,
SYSDB_CERTMAP_MAPPING_RULE,
+ SYSDB_CERTMAP_MATCHING_RULE,
+ SYSDB_CERTMAP_PRIORITY,
SYSDB_CERTMAP_DOMAINS,
NULL};
const char *config_attrs[] = {SYSDB_CERTMAP_USER_NAME_HINT,
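Review bot: reordering `attrs[]` so that it lines up with `enum certmap_info_member` creates a silent coupling with no comment; confdb_get_all_certmaps in the following confdb patch carries a comment saying the order is significant and must match the enum, and the same comment belongs on this array. Any future insertion that does not respect the order will read the wrong attribute without any error.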
@@ -434,7 +456,8 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
}
for (c = 0; c < res->count; c++) {
- ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], &maps[c]);
+ ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], attrs,
+ &maps[c]);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sysdb_ldb_msg_attr_to_certmap_info failed.\n");
--
2.9.5


@ -1,167 +0,0 @@
From d9cc38008a51a8a5189904f175e4d10cbde4a974 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 2 Jul 2018 10:38:54 +0200
Subject: [PATCH 24/83] confdb: add confdb_certmap_to_sysdb()
Add a function to write certificate mapping and matching rules from the
config database to the cache of a domain.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++
src/confdb/confdb.h | 23 +++++++++++++
2 files changed, 122 insertions(+)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 621647e..26415ca 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -2202,3 +2202,102 @@ done:
talloc_free(tmp_ctx);
return ret;
}
+
+static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *cdb,
+ struct sss_domain_info *dom,
+ struct certmap_info ***_certmap_list)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_dn *dn = NULL;
+ struct ldb_result *res = NULL;
+ /* The attributte order is important, because it is used in
+ * sysdb_ldb_msg_attr_to_certmap_info and must match
+ * enum certmap_info_member. */
+ static const char *attrs[] = { CONFDB_CERTMAP_NAME,
+ CONFDB_CERTMAP_MAPRULE,
+ CONFDB_CERTMAP_MATCHRULE,
+ CONFDB_CERTMAP_PRIORITY,
+ CONFDB_CERTMAP_DOMAINS,
+ NULL};
+ struct certmap_info **certmap_list = NULL;
+ size_t c;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ dn = ldb_dn_new_fmt(tmp_ctx, cdb->ldb, "cn=%s,%s", dom->name,
+ CONFDB_CERTMAP_BASEDN);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
+ attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ certmap_list = talloc_zero_array(tmp_ctx, struct certmap_info *,
+ res->count + 1);
+ if (certmap_list == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (c = 0; c < res->count; c++) {
+ ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
+ attrs, &certmap_list[c]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n");
+ goto done;
+ }
+ }
+
+ *_certmap_list = talloc_steal(mem_ctx, certmap_list);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
+ struct sss_domain_info *dom)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ struct certmap_info **certmap_list;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = confdb_get_all_certmaps(tmp_ctx, cdb, dom, &certmap_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_all_certmaps failed.\n");
+ goto done;
+ }
+
+ ret = sysdb_update_certmap(dom->sysdb, certmap_list, false /* TODO */);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_certmap failed.\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
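Review bot: `sysdb_update_certmap(dom->sysdb, certmap_list, false /* TODO */)` leaves a TODO in place of a real decision for the third argument; state what the flag controls and why `false` is right, or resolve it before merging. In confdb_get_all_certmaps, an `ldb_search` failure is collapsed to `EIO` with no DEBUG message, so a malformed `cn=certmap,cn=config` subtree fails without any trace in the log; log `ldb_errstring(cdb->ldb)` there, as the sysdb_ldb_msg_attr_to_certmap_info failure path below already does with DEBUG.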
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2266501..2aae93a 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -265,6 +265,15 @@
#define CONFDB_KCM_SOCKET "socket_path"
#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */
+/* Certificate mapping rules */
+#define CONFDB_CERTMAP_BASEDN "cn=certmap,cn=config"
+#define CONFDB_CERTMAP_NAME "cn"
+#define CONFDB_CERTMAP_MAPRULE "maprule"
+#define CONFDB_CERTMAP_MATCHRULE "matchrule"
+#define CONFDB_CERTMAP_DOMAINS "domains"
+#define CONFDB_CERTMAP_PRIORITY "priority"
+
+
struct confdb_ctx;
struct config_file_ctx;
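Review bot: two consecutive blank lines are added after the new `CONFDB_CERTMAP_*` block; one is enough. The defines also fix the user-facing config keys (`maprule`, `matchrule`, `domains`, `priority` under `cn=certmap,cn=config`), so make sure the corresponding sssd.conf(5) certmap section is updated in the same series.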
@@ -662,6 +671,20 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
const char *section,
char ***sections,
int *num_sections);
+
+/**
+ * @brief Convenience function to write the certificate mapping and matching
+ * rules from the configuration database to the cache of a domain
+ *
+ * @param[in] cdb The connection object to the confdb
+ * @param[in] dom Target domain where to rules should be written to
+ *
+ * @return 0 - Successfully retrieved the entry (or used the default)
+ * @return ENOMEM - There was insufficient memory to complete the operation
+ * @return EINVAL - Typically internal processing error
+ */
+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
+ struct sss_domain_info *dom);
/**
* @}
*/
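Review bot: the doxygen block reads like it was copied from a getter: `@return 0 - Successfully retrieved the entry (or used the default)` does not describe a function that writes rules into the domain cache, and the implementation in confdb.c returns `EIO` on an ldb_search failure, which is not listed. Reword the 0 case and add EIO (or map the ldb failure to EINVAL if that is what the comment intends).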
--
2.9.5


@ -0,0 +1,91 @@
From adc7730a4e1b9721c93863a1b283457e9c02a3c5 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 23 Jan 2020 17:55:24 +0100
Subject: [PATCH 19/24] sss_ptr_hash: don't keep empty sss_ptr_hash_delete_data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There is no need to allocate memory for `sss_ptr_hash_delete_data`
if the table user doesn't provide a custom delete callback.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/util/sss_ptr_hash.c | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
index 8f9762cb9..f8addec1e 100644
--- a/src/util/sss_ptr_hash.c
+++ b/src/util/sss_ptr_hash.c
@@ -138,12 +138,6 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
struct sss_ptr_hash_value *value;
struct hash_entry_t callback_entry;
- data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
- if (data == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
- return;
- }
-
value = talloc_get_type(item->value.ptr, struct sss_ptr_hash_value);
if (value == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value!\n");
@@ -157,8 +151,14 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
/* Free value, this also will disable spy */
talloc_free(value);
- /* Switch to the input value and call custom callback. */
- if (data->callback != NULL) {
+ if (pvt != NULL) {
+ /* Switch to the input value and call custom callback. */
+ data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
+ return;
+ }
+
data->callback(&callback_entry, deltype, data->pvt);
}
}
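Review bot: moving the `talloc_get_type(pvt, ...)` check below `talloc_free(value)` changes behaviour on a type mismatch: previously the function returned before freeing the value, now the value is freed and only the custom callback is skipped. That is the better outcome (no leaked value), but it is a behaviour change the commit message does not mention; a sentence there would help anyone bisecting later.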
@@ -167,17 +167,19 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
hash_delete_callback *del_cb,
void *del_cb_pvt)
{
- struct sss_ptr_hash_delete_data *data;
+ struct sss_ptr_hash_delete_data *data = NULL;
hash_table_t *table;
errno_t ret;
- data = talloc_zero(NULL, struct sss_ptr_hash_delete_data);
- if (data == NULL) {
- return NULL;
- }
+ if (del_cb != NULL) {
+ data = talloc_zero(NULL, struct sss_ptr_hash_delete_data);
+ if (data == NULL) {
+ return NULL;
+ }
- data->callback = del_cb;
- data->pvt = del_cb_pvt;
+ data->callback = del_cb;
+ data->pvt = del_cb_pvt;
+ }
ret = sss_hash_create_ex(mem_ctx, 10, &table, 0, 0, 0, 0,
sss_ptr_hash_delete_cb, data);
@@ -188,7 +190,9 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
return NULL;
}
- talloc_steal(table, data);
+ if (data != NULL) {
+ talloc_steal(table, data);
+ }
return table;
}
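Review bot: `data` is allocated on the NULL context and only stolen onto `table` after sss_hash_create_ex succeeds; the `return NULL;` at the top of this hunk appears to be that function's failure path, and it does not free `data`, so every failed table creation with a delete callback leaks the struct. This predates the patch, but since the allocation is being touched anyway, add `talloc_free(data);` before that return (it is a no-op when `data` is NULL).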
--
2.20.1


@ -1,71 +0,0 @@
From 15301db1dc1e5e2aafc1805a30e3b28756218c9b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 2 Jul 2018 12:20:53 +0200
Subject: [PATCH 25/83] AD/LDAP: read certificate mapping rules from config
file
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ad/ad_init.c | 16 ++++++++++++++++
src/providers/ldap/ldap_init.c | 16 ++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 637efb7..a908571 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -419,6 +419,22 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx,
return ret;
}
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize certificate mapping rules. "
+ "Authentication with certificates/Smartcards might not work "
+ "as expected.\n");
+ /* not fatal, ignored */
+ }
+
+ ret = sdap_init_certmap(sdap_id_ctx, sdap_id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialized certificate mapping.\n");
+ return ret;
+ }
+
return EOK;
}
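Review bot: the failure string `"Failed to initialized certificate mapping.\n"` should read `initialize`. More substantively, a confdb_certmap_to_sysdb failure is logged and ignored while the immediately following sdap_init_certmap failure is fatal; when the first call fails, sdap_init_certmap presumably builds its rules from whatever is already in the cache, so the provider starts with stale or partial mapping rules. If that is the intended degradation, say so in the comment instead of the bare `/* not fatal, ignored */`.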
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 44b3e9a..95e6561 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -438,6 +438,22 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx,
"[%d]: %s\n", ret, sss_strerror(ret));
}
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize certificate mapping rules. "
+ "Authentication with certificates/Smartcards might not work "
+ "as expected.\n");
+ /* not fatal, ignored */
+ }
+
+ ret = sdap_init_certmap(id_ctx, id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialized certificate mapping.\n");
+ return ret;
+ }
+
return EOK;
}
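Review bot: same typo as in ad_init.c, `Failed to initialized` should be `Failed to initialize`; fix both strings together so log searches match.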
--
2.9.5


@ -0,0 +1,62 @@
From d0eb88089b059bfe2da3bd1a3797b89d69119c29 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 23 Jan 2020 19:00:27 +0100
Subject: [PATCH 20/24] sss_ptr_hash: sss_ptr_hash_delete fix/optimization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- no reason to skip hash_delete() just because sss_ptr_hash_lookup_internal()
failed
- avoid an excessive lookup if it is not required to free the payload
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/util/sss_ptr_hash.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
index f8addec1e..7326244e6 100644
--- a/src/util/sss_ptr_hash.c
+++ b/src/util/sss_ptr_hash.c
@@ -331,20 +331,21 @@ void sss_ptr_hash_delete(hash_table_t *table,
struct sss_ptr_hash_value *value;
hash_key_t table_key;
int hret;
- void *ptr;
+ void *payload;
if (table == NULL || key == NULL) {
return;
}
- value = sss_ptr_hash_lookup_internal(table, key);
- if (value == NULL) {
- /* Value not found. */
- return;
+ if (free_value) {
+ value = sss_ptr_hash_lookup_internal(table, key);
+ if (value == NULL) {
+ free_value = false;
+ } else {
+ payload = value->ptr;
+ }
}
- ptr = value->ptr;
-
table_key.type = HASH_KEY_STRING;
table_key.str = discard_const_p(char, key);
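Review bot: `payload` is only assigned on the `value != NULL` branch and is otherwise never written, so compilers will raise -Wmaybe-uninitialized on the `talloc_free(payload)` in the next hunk even though the `free_value` guard makes the path safe; initialise it as `void *payload = NULL;` to keep the build warning-clean. The logic itself is right: a lookup miss now downgrades to a plain hash_delete instead of returning early, which is what the commit message says.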
@@ -357,7 +358,7 @@ void sss_ptr_hash_delete(hash_table_t *table,
/* Also free the original value if requested. */
if (free_value) {
- talloc_free(ptr);
+ talloc_free(payload);
}
return;
--
2.20.1


@ -0,0 +1,35 @@
From 8cc2ce4e9060a71d441a377008fb2f567baa5d92 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 23 Jan 2020 20:07:41 +0100
Subject: [PATCH 21/24] sss_ptr_hash: removed redundant check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
`sss_ptr_hash_check_type()` call would take care of this case.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/util/sss_ptr_hash.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
index 7326244e6..bf111a613 100644
--- a/src/util/sss_ptr_hash.c
+++ b/src/util/sss_ptr_hash.c
@@ -268,12 +268,6 @@ sss_ptr_hash_lookup_internal(hash_table_t *table,
return NULL;
}
- /* This may happen if we are in delete callback
- * and we try to search the hash table. */
- if (table_value.ptr == NULL) {
- return NULL;
- }
-
if (!sss_ptr_hash_check_type(table_value.ptr, "struct sss_ptr_hash_value")) {
return NULL;
}
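Review bot: the removed comment was the only place documenting that a NULL `table_value.ptr` is expected when a lookup happens from inside a delete callback; `sss_ptr_hash_check_type` may well handle NULL, as the commit message says, but the explanation of why NULL shows up is worth keeping as a one-line comment next to that call.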
--
2.20.1


@ -1,32 +0,0 @@
From 06f7005d38d164879b727708feff80004b422f91 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 3 Jul 2018 11:31:12 +0200
Subject: [PATCH 26/83] sysdb: sysdb_certmap_add() handle domains more flexibly
sysdb_ldb_msg_attr_to_certmap_info() creates an empty list if there are
no domains defined, sysdb_certmap_add() should be able to handle both a
missing or an empty domains list.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb_certmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
index e37f1ba..0bcc54c 100644
--- a/src/db/sysdb_certmap.c
+++ b/src/db/sysdb_certmap.c
@@ -131,7 +131,7 @@ static errno_t sysdb_certmap_add(struct sysdb_ctx *sysdb,
}
}
- if (certmap->domains != NULL) {
+ if (certmap->domains != NULL && certmap->domains[0] != NULL) {
for (c = 0; certmap->domains[c] != NULL; c++);
el = talloc_zero(tmp_ctx, struct ldb_message_element);
if (el == NULL) {
--
2.9.5


@ -1,131 +0,0 @@
From 9386ef605ffbc03abe2bc273efddbc099441fe3b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Jul 2018 15:17:10 +0200
Subject: [PATCH 27/83] confdb: add special handling for rules for the files
provider
To make the configuration simpler there are some special assumptions
for local users, i.e. users managed by the files provider.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.c | 59 ++++++++++++++++++++++++++++++++++++++++
src/confdb/confdb.h | 1 +
src/providers/files/files_init.c | 10 +++++++
3 files changed, 70 insertions(+)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 26415ca..954c3ba 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -2203,6 +2203,56 @@ done:
return ret;
}
+static errno_t certmap_local_check(struct ldb_message *msg)
+{
+ const char *rule_name;
+ const char *tmp_str;
+ int ret;
+
+ rule_name = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_NAME, NULL);
+ if (rule_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certficate mapping rule [%s] has no name.",
+ ldb_dn_get_linearized(msg->dn));
+ return EINVAL;
+ }
+
+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_DOMAINS, NULL);
+ if (tmp_str != NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Option [%s] is ignored for local certmap rules.\n",
+ CONFDB_CERTMAP_DOMAINS);
+ }
+
+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_MAPRULE, NULL);
+ if (tmp_str != NULL) {
+ if (tmp_str[0] != '(' || tmp_str[strlen(tmp_str) - 1] != ')') {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Mapping rule must be in braces (...).\n");
+ return EINVAL;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] mapping rule of [%s].\n",
+ tmp_str, ldb_dn_get_linearized(msg->dn));
+ return EOK;
+ }
+
+ tmp_str = talloc_asprintf(msg, "(%s)", rule_name);
+ if (tmp_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ return ENOMEM;
+ }
+ ret = ldb_msg_add_string(msg, CONFDB_CERTMAP_MAPRULE, tmp_str);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(discard_const(tmp_str));
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n");
+ return EIO;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] as mapping rule for [%s].\n",
+ tmp_str, ldb_dn_get_linearized(msg->dn));
+
+ return EOK;
+}
+
static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
struct sss_domain_info *dom,
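Review bot: the fallback at the end of certmap_local_check turns a rule's own name into its mapping rule, so a certmap rule section named after a local user maps every certificate that passes its match rule to that user; that convention is the whole point of the special handling and needs to be spelled out in the sssd.conf(5) certmap documentation, because a mis-named rule silently maps to the wrong account. Smaller points: `"Certficate mapping rule [%s] has no name."` has a typo and is missing the trailing `\n`, and the `talloc_free(discard_const(tmp_str))` cast goes away if the asprintf result is held in a separate `char *` rather than reusing the `const char *` lookup variable.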
@@ -2251,6 +2301,15 @@ static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
}
for (c = 0; c < res->count; c++) {
+ if (is_files_provider(dom)) {
+ ret = certmap_local_check(res->msgs[c]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Invalid certificate mapping [%s] for local user, "
+ "ignored.\n", ldb_dn_get_linearized(res->msgs[c]->dn));
+ continue;
+ }
+ }
ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
attrs, &certmap_list[c]);
if (ret != EOK) {
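Review bot: skipping an invalid local rule with `continue` leaves `certmap_list[c]` at NULL (the array comes from talloc_zero_array) while later rules are still written at their original index, so the NULL-terminated list now has a hole, and every consumer that walks it with `for (c = 0; certmap_list[c] != NULL; c++)`, such as files_init_certmap in the Smartcard patch, stops at the first skipped rule and silently drops every rule after it. Write into a separate output index that is only advanced on success.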
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2aae93a..625d156 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -685,6 +685,7 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
*/
int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
struct sss_domain_info *dom);
+
/**
* @}
*/
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
index 746c04a..c793bed 100644
--- a/src/providers/files/files_init.c
+++ b/src/providers/files/files_init.c
@@ -189,6 +189,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
goto done;
}
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize certificate mapping rules. "
+ "Authentication with certificates/Smartcards might not work "
+ "as expected.\n");
+ /* not fatal, ignored */
+ }
+
+
*_module_data = ctx;
ret = EOK;
done:
--
2.9.5


@ -0,0 +1,53 @@
From 4bc0c2c7833dd643fc1137daf6519670c05c3736 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 23 Jan 2020 21:11:16 +0100
Subject: [PATCH 22/24] sss_ptr_hash: fixed memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case the `override` check failed in _sss_ptr_hash_add(),
`value` was leaking.
Fixed to do the `override` check before value allocation.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/util/sss_ptr_hash.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
index bf111a613..114b6edeb 100644
--- a/src/util/sss_ptr_hash.c
+++ b/src/util/sss_ptr_hash.c
@@ -217,21 +217,21 @@ errno_t _sss_ptr_hash_add(hash_table_t *table,
return ERR_INVALID_DATA_TYPE;
}
+ table_key.type = HASH_KEY_STRING;
+ table_key.str = discard_const_p(char, key);
+
+ if (override == false && hash_has_key(table, &table_key)) {
+ return EEXIST;
+ }
+
value = sss_ptr_hash_value_create(table, key, talloc_ptr);
if (value == NULL) {
return ENOMEM;
}
- table_key.type = HASH_KEY_STRING;
- table_key.str = discard_const_p(char, key);
-
table_value.type = HASH_VALUE_PTR;
table_value.ptr = value;
- if (override == false && hash_has_key(table, &table_key)) {
- return EEXIST;
- }
-
hret = hash_enter(table, &table_key, &table_value);
if (hret != HASH_SUCCESS) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add key %s!\n", key);
--
2.20.1


@ -1,414 +0,0 @@
From 275eeed24adc31f3df51cf278f509a4be76a3a3c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:37:46 +0200
Subject: [PATCH 28/83] files: add support for Smartcard authentication
To support certificate based authentication the files provider must be
able to map a certificate to a user during a BE_REQ_BY_CERT request.
Additionally the authentication request should be handled by the PAM
responder code which is responsible for the local Smartcard
authentication. To be consistent with the other backends an authentication
handler is added to the files provider which unconditionally returns the
offline error code telling the PAM responder to handle the
authentication if it has access to the needed credentials.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
Makefile.am | 2 +
src/providers/files/files_auth.c | 69 +++++++++++++
src/providers/files/files_certmap.c | 186 ++++++++++++++++++++++++++++++++++++
src/providers/files/files_id.c | 20 ++++
src/providers/files/files_init.c | 21 +++-
src/providers/files/files_private.h | 17 ++++
6 files changed, 314 insertions(+), 1 deletion(-)
create mode 100644 src/providers/files/files_auth.c
create mode 100644 src/providers/files/files_certmap.c
diff --git a/Makefile.am b/Makefile.am
index deb9ce3..3667856 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4285,6 +4285,8 @@ libsss_proxy_la_LDFLAGS = \
libsss_files_la_SOURCES = \
src/providers/files/files_init.c \
src/providers/files/files_id.c \
+ src/providers/files/files_auth.c \
+ src/providers/files/files_certmap.c \
src/providers/files/files_ops.c \
src/util/inotify.c \
$(NULL)
diff --git a/src/providers/files/files_auth.c b/src/providers/files/files_auth.c
new file mode 100644
index 0000000..b71de69
--- /dev/null
+++ b/src/providers/files/files_auth.c
@@ -0,0 +1,69 @@
+/*
+ SSSD
+
+ files_auth.c - PAM operations on the files provider
+
+ Copyright (C) 2018 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <security/pam_modules.h>
+
+#include "providers/data_provider/dp.h"
+#include "providers/data_provider.h"
+#include "providers/files/files_private.h"
+#include "util/cert.h"
+
+struct files_auth_ctx {
+ struct pam_data *pd;
+};
+
+struct tevent_req *
+files_auth_handler_send(TALLOC_CTX *mem_ctx,
+ void *unused,
+ struct pam_data *pd,
+ struct dp_req_params *params)
+{
+ struct files_auth_ctx *state;
+ struct tevent_req *req;
+
+ req = tevent_req_create(mem_ctx, &state, struct files_auth_ctx);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->pd = pd;
+ state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ tevent_req_done(req);
+ tevent_req_post(req, params->ev);
+ return req;
+}
+
+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data)
+{
+ struct files_auth_ctx *state = NULL;
+
+ state = tevent_req_data(req, struct files_auth_ctx);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *_data = talloc_steal(mem_ctx, state->pd);
+
+ return EOK;
+}
diff --git a/src/providers/files/files_certmap.c b/src/providers/files/files_certmap.c
new file mode 100644
index 0000000..7d90a1f
--- /dev/null
+++ b/src/providers/files/files_certmap.c
@@ -0,0 +1,186 @@
+/*
+ SSSD
+
+ files_init.c - Initialization of the files provider
+
+ Copyright (C) 2018 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "providers/files/files_private.h"
+#include "util/util.h"
+#include "util/cert.h"
+#include "lib/certmap/sss_certmap.h"
+
+struct priv_sss_debug {
+ int level;
+};
+
+static void ext_debug(void *private, const char *file, long line,
+ const char *function, const char *format, ...)
+{
+ va_list ap;
+ struct priv_sss_debug *data = private;
+ int level = SSSDBG_OP_FAILURE;
+
+ if (data != NULL) {
+ level = data->level;
+ }
+
+ if (DEBUG_IS_SET(level)) {
+ va_start(ap, format);
+ sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED,
+ format, ap);
+ va_end(ap);
+ }
+}
+
+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx)
+{
+ int ret;
+ bool hint;
+ struct certmap_info **certmap_list = NULL;
+ size_t c;
+
+ ret = sysdb_get_certmap(mem_ctx, id_ctx->be->domain->sysdb,
+ &certmap_list, &hint);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
+ goto done;
+ }
+
+ if (certmap_list == NULL || *certmap_list == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "No certmap data, nothing to do.\n");
+ ret = EOK;
+ goto done;
+ }
+
+ ret = sss_certmap_init(mem_ctx, ext_debug, NULL, &id_ctx->sss_certmap_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n");
+ goto done;
+ }
+
+ for (c = 0; certmap_list[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n",
+ certmap_list[c]->name,
+ certmap_list[c]->priority,
+ certmap_list[c]->match_rule,
+ certmap_list[c]->map_rule);
+
+ ret = sss_certmap_add_rule(id_ctx->sss_certmap_ctx,
+ certmap_list[c]->priority,
+ certmap_list[c]->match_rule,
+ certmap_list[c]->map_rule,
+ certmap_list[c]->domains);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_certmap_add_rule failed for rule [%s] "
+ "with error [%d][%s], skipping. "
+ "Please check for typos and if rule syntax is supported.\n",
+ certmap_list[c]->name, ret, sss_strerror(ret));
+ continue;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(certmap_list);
+
+ return ret;
+}
+
+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx,
+ struct dp_id_data *data)
+{
+ errno_t ret;
+ char *filter;
+ char *user;
+ struct ldb_message *msg = NULL;
+ struct sysdb_attrs *attrs = NULL;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sss_cert_derb64_to_ldap_filter(tmp_ctx, data->filter_value, "",
+ id_ctx->sss_certmap_ctx,
+ id_ctx->domain, &filter);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_cert_derb64_to_ldap_filter failed.\n");
+ goto done;
+ }
+ if (filter == NULL || filter[0] != '('
+ || filter[strlen(filter) - 1] != ')') {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_cert_derb64_to_ldap_filter returned bad filter [%s].\n",
+ filter);
+ ret = EINVAL;
+ goto done;
+ }
+
+ filter[strlen(filter) - 1] = '\0';
+ user = sss_create_internal_fqname(tmp_ctx, &filter[1],
+ id_ctx->domain->name);
+ if (user == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapped to user: [%s].\n", user);
+
+ ret = sysdb_search_user_by_name(tmp_ctx, id_ctx->domain, user, NULL, &msg);
+ if (ret == EOK) {
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_MAPPED_CERT,
+ data->filter_value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
+ goto done;
+ }
+
+ ret = sysdb_set_entry_attr(id_ctx->domain->sysdb, msg->dn, attrs,
+ SYSDB_MOD_ADD);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
+ goto done;
+ }
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_ALL, "Mapped user [%s] not found.\n", user);
+ ret = EOK;
+ goto done;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
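Review bot: files_map_cert_to_user derives the user name by stripping the outer parentheses from the string sss_cert_derb64_to_ldap_filter returns and treating the remainder as a bare login name; certmap_local_check only verifies that a configured mapping rule is wrapped in `(...)`, so a rule such as `(uid={subject_rfc822_name})`, which is valid for the LDAP provider, passes that check and yields the literal `uid=...` as the user name here, which never matches. Either validate at config time that a local mapping rule expands to a plain name, or document that the files provider accepts only the `(name)` form. Also, the file header still says `files_init.c - Initialization of the files provider`, and `sysdb_set_entry_attr(..., SYSDB_MOD_ADD)` will either add the same certificate value a second time or fail with attribute-or-value-exists on a repeat lookup of the same card; confirm which and handle it (a replace may be the safer choice).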
diff --git a/src/providers/files/files_id.c b/src/providers/files/files_id.c
index 41314c6..f6f8c73 100644
--- a/src/providers/files/files_id.c
+++ b/src/providers/files/files_id.c
@@ -87,6 +87,26 @@ files_account_info_handler_send(TALLOC_CTX *mem_ctx,
? true \
: false;
break;
+ case BE_REQ_BY_CERT:
+ if (data->filter_type != BE_FILTER_CERT) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected filter type for lookup by cert: %d\n",
+ data->filter_type);
+ ret = EINVAL;
+ goto immediate;
+ }
+ if (id_ctx->sss_certmap_ctx == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapping not configured.\n");
+ ret = EOK;
+ goto immediate;
+ }
+
+ ret = files_map_cert_to_user(id_ctx, data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "files_map_cert_to_user failed");
+ }
+ goto immediate;
+ break;
default:
DEBUG(SSSDBG_CRIT_FAILURE,
"Unexpected entry type: %d\n", data->entry_type & BE_REQ_TYPE_MASK);
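Review bot: the `break;` after `goto immediate;` in the BE_REQ_BY_CERT case is unreachable and can be dropped, and the message `"files_map_cert_to_user failed"` is missing the trailing `\n` that every other DEBUG string in this switch has. The asymmetry that a missing `id_ctx->sss_certmap_ctx` returns EOK while a failing `files_map_cert_to_user()` propagates its error as the request result looks intentional (mapping not configured is not an error), but a one-line comment saying so would help the next reader.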
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
index c793bed..1ce4bcf 100644
--- a/src/providers/files/files_init.c
+++ b/src/providers/files/files_init.c
@@ -196,9 +196,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
"Authentication with certificates/Smartcards might not work "
"as expected.\n");
/* not fatal, ignored */
+ } else {
+ ret = files_init_certmap(ctx, ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "files_init_certmap failed. "
+ "Authentication with certificates/Smartcards might not work "
+ "as expected.\n");
+ /* not fatal, ignored */
+ }
}
-
*_module_data = ctx;
ret = EOK;
done:
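Review bot: the removed blank line before `*_module_data = ctx;` is an unrelated whitespace change and could be left out of this patch. The rest is fine: `ret` is reset to EOK before the function returns, so the "not fatal, ignored" failure of `files_init_certmap()` does not leak out as the init result.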
@@ -234,3 +241,15 @@ int sssm_files_id_init(TALLOC_CTX *mem_ctx,
return EOK;
}
+
+int sssm_files_auth_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+ dp_set_method(dp_methods, DPM_AUTH_HANDLER,
+ files_auth_handler_send, files_auth_handler_recv, NULL, void,
+ struct pam_data, struct pam_data *);
+
+ return EOK;
+}
diff --git a/src/providers/files/files_private.h b/src/providers/files/files_private.h
index f44e6d4..fd17819 100644
--- a/src/providers/files/files_private.h
+++ b/src/providers/files/files_private.h
@@ -38,6 +38,7 @@ struct files_id_ctx {
struct be_ctx *be;
struct sss_domain_info *domain;
struct files_ctx *fctx;
+ struct sss_certmap_ctx *sss_certmap_ctx;
const char **passwd_files;
const char **group_files;
@@ -71,4 +72,20 @@ errno_t files_account_info_handler_recv(TALLOC_CTX *mem_ctx,
void files_account_info_finished(struct files_id_ctx *id_ctx,
int req_type,
errno_t ret);
+
+/* files_auth.c */
+struct tevent_req *files_auth_handler_send(TALLOC_CTX *mem_ctx,
+ void *unused,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+/* files_certmap.c */
+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx);
+
+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx,
+ struct dp_id_data *data);
#endif /* __FILES_PRIVATE_H_ */
--
2.9.5


@ -0,0 +1,366 @@
From 0bb1289252eec972ea26721a92adc7db47383f76 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 24 Jan 2020 23:57:39 +0100
Subject: [PATCH 23/24] sss_ptr_hash: internal refactoring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sss_ptr_hash code was refactored:
- got rid of a "spy" to make logic cleaner
- table got destructor to wipe its content
- described some usage limitation in the documentation
And resolves: https://pagure.io/SSSD/sssd/issue/4135
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/util/sss_ptr_hash.c | 183 +++++++++++++++++-----------------------
src/util/sss_ptr_hash.h | 17 +++-
2 files changed, 91 insertions(+), 109 deletions(-)
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
index 114b6edeb..6409236c7 100644
--- a/src/util/sss_ptr_hash.c
+++ b/src/util/sss_ptr_hash.c
@@ -39,67 +39,35 @@ static bool sss_ptr_hash_check_type(void *ptr, const char *type)
return true;
}
+static int sss_ptr_hash_table_destructor(hash_table_t *table)
+{
+ sss_ptr_hash_delete_all(table, false);
+ return 0;
+}
+
struct sss_ptr_hash_delete_data {
hash_delete_callback *callback;
void *pvt;
};
struct sss_ptr_hash_value {
- struct sss_ptr_hash_spy *spy;
- void *ptr;
-};
-
-struct sss_ptr_hash_spy {
- struct sss_ptr_hash_value *value;
hash_table_t *table;
const char *key;
+ void *payload;
};
-static int
-sss_ptr_hash_spy_destructor(struct sss_ptr_hash_spy *spy)
-{
- spy->value->spy = NULL;
-
- /* This results in removing entry from hash table and freeing the value. */
- sss_ptr_hash_delete(spy->table, spy->key, false);
-
- return 0;
-}
-
-static struct sss_ptr_hash_spy *
-sss_ptr_hash_spy_create(TALLOC_CTX *mem_ctx,
- hash_table_t *table,
- const char *key,
- struct sss_ptr_hash_value *value)
-{
- struct sss_ptr_hash_spy *spy;
-
- spy = talloc_zero(mem_ctx, struct sss_ptr_hash_spy);
- if (spy == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
- return NULL;
- }
-
- spy->key = talloc_strdup(spy, key);
- if (spy->key == NULL) {
- talloc_free(spy);
- return NULL;
- }
-
- spy->table = table;
- spy->value = value;
- talloc_set_destructor(spy, sss_ptr_hash_spy_destructor);
-
- return spy;
-}
-
static int
sss_ptr_hash_value_destructor(struct sss_ptr_hash_value *value)
{
- if (value->spy != NULL) {
- /* Disable spy destructor and free it. */
- talloc_set_destructor(value->spy, NULL);
- talloc_zfree(value->spy);
+ hash_key_t table_key;
+
+ if (value->table && value->key) {
+ table_key.type = HASH_KEY_STRING;
+ table_key.str = discard_const_p(char, value->key);
+ if (hash_delete(value->table, &table_key) != HASH_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "failed to delete entry with key '%s'\n", value->key);
+ }
}
return 0;
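Review bot: the new ordering is sound on table teardown, since `sss_ptr_hash_table_destructor()` runs before the table's talloc children are released and frees every value while the table is still valid, but `sss_ptr_hash_value_destructor()` now logs any `hash_delete()` failure at SSSDBG_CRIT_FAILURE, including HASH_ERROR_KEY_NOT_FOUND, which the old `sss_ptr_hash_delete()` deliberately tolerated. If an entry can legitimately be gone by the time the value is freed, consider treating that return code as non-critical here.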
@@ -112,18 +80,19 @@ sss_ptr_hash_value_create(hash_table_t *table,
{
struct sss_ptr_hash_value *value;
- value = talloc_zero(table, struct sss_ptr_hash_value);
+ value = talloc_zero(talloc_ptr, struct sss_ptr_hash_value);
if (value == NULL) {
return NULL;
}
- value->spy = sss_ptr_hash_spy_create(talloc_ptr, table, key, value);
- if (value->spy == NULL) {
+ value->key = talloc_strdup(value, key);
+ if (value->key == NULL) {
talloc_free(value);
return NULL;
}
- value->ptr = talloc_ptr;
+ value->table = table;
+ value->payload = talloc_ptr;
talloc_set_destructor(value, sss_ptr_hash_value_destructor);
return value;
@@ -138,29 +107,31 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
struct sss_ptr_hash_value *value;
struct hash_entry_t callback_entry;
+ if (pvt == NULL) {
+ return;
+ }
+
value = talloc_get_type(item->value.ptr, struct sss_ptr_hash_value);
if (value == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value!\n");
return;
}
+ /* Switch to the input value and call custom callback. */
+ data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
+ return;
+ }
+
callback_entry.key = item->key;
callback_entry.value.type = HASH_VALUE_PTR;
- callback_entry.value.ptr = value->ptr;
-
- /* Free value, this also will disable spy */
- talloc_free(value);
-
- if (pvt != NULL) {
- /* Switch to the input value and call custom callback. */
- data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
- if (data == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
- return;
- }
-
- data->callback(&callback_entry, deltype, data->pvt);
- }
+ callback_entry.value.ptr = value->payload;
+ /* Even if execution is already in the context of
+ * talloc_free(payload) -> talloc_free(value) -> ...
+ * there still might be legitimate reasons to execute callback.
+ */
+ data->callback(&callback_entry, deltype, data->pvt);
}
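Review bot: `callback_entry.value.ptr = value->payload` can now hand del_cb a pointer to an object whose talloc_free() is already in progress (the value is a talloc child of the payload, as the comment `/* Even if execution is already in the context of talloc_free(payload) -> talloc_free(value) -> ... */` acknowledges). That contract should be spelled out in sss_ptr_hash.h: in that case the callback must neither keep nor free the payload, and it should be said explicitly that the explicit-delete path is the only one where del_cb sees a live payload.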
hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
@@ -194,6 +165,8 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
talloc_steal(table, data);
}
+ talloc_set_destructor(table, sss_ptr_hash_table_destructor);
+
return table;
}
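Review bot: talloc keeps a single destructor per context, so `talloc_set_destructor(table, sss_ptr_hash_table_destructor)` replaces any destructor the underlying table creation installed; please confirm the table creator does not depend on its own destructor for cleanup, since the header now also says hash_destroy() must never be called on these tables.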
@@ -282,15 +255,15 @@ void *_sss_ptr_hash_lookup(hash_table_t *table,
struct sss_ptr_hash_value *value;
value = sss_ptr_hash_lookup_internal(table, key);
- if (value == NULL || value->ptr == NULL) {
+ if (value == NULL || value->payload == NULL) {
return NULL;
}
- if (!sss_ptr_hash_check_type(value->ptr, type)) {
+ if (!sss_ptr_hash_check_type(value->payload, type)) {
return NULL;
}
- return value->ptr;
+ return value->payload;
}
void *_sss_ptr_get_value(hash_value_t *table_value,
@@ -311,11 +284,11 @@ void *_sss_ptr_get_value(hash_value_t *table_value,
value = table_value->ptr;
- if (!sss_ptr_hash_check_type(value->ptr, type)) {
+ if (!sss_ptr_hash_check_type(value->payload, type)) {
return NULL;
}
- return value->ptr;
+ return value->payload;
}
void sss_ptr_hash_delete(hash_table_t *table,
@@ -323,74 +296,70 @@ void sss_ptr_hash_delete(hash_table_t *table,
bool free_value)
{
struct sss_ptr_hash_value *value;
- hash_key_t table_key;
- int hret;
- void *payload;
+ void *payload = NULL;
if (table == NULL || key == NULL) {
return;
}
- if (free_value) {
- value = sss_ptr_hash_lookup_internal(table, key);
- if (value == NULL) {
- free_value = false;
- } else {
- payload = value->ptr;
- }
- }
-
- table_key.type = HASH_KEY_STRING;
- table_key.str = discard_const_p(char, key);
-
- /* Delete table entry. This will free value and spy in delete callback. */
- hret = hash_delete(table, &table_key);
- if (hret != HASH_SUCCESS && hret != HASH_ERROR_KEY_NOT_FOUND) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to remove key from table [%d]\n",
- hret);
+ value = sss_ptr_hash_lookup_internal(table, key);
+ if (value == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to remove key '%s' from table\n", key);
+ return;
}
- /* Also free the original value if requested. */
if (free_value) {
- talloc_free(payload);
+ payload = value->payload;
}
+ talloc_free(value); /* this will call hash_delete() in value d-tor */
+
+ talloc_free(payload); /* it is safe to call talloc_free(NULL) */
+
return;
}
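Review bot: a delete of a missing key is now reported with `DEBUG(SSSDBG_CRIT_FAILURE, "Unable to remove key '%s' from table\n", key)`, whereas the removed code explicitly tolerated HASH_ERROR_KEY_NOT_FOUND; the new unit test removes the non-existent key "q" on purpose, so this path is expected and should probably log at a lower level. The order `talloc_free(value); ... talloc_free(payload);` is right, since del_cb runs from the value destructor and therefore sees a still-live payload in this explicit path; worth stating that guarantee in the header.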
void sss_ptr_hash_delete_all(hash_table_t *table,
bool free_values)
{
+ hash_value_t *content;
struct sss_ptr_hash_value *value;
- hash_value_t *values;
+ void *payload = NULL;
unsigned long count;
unsigned long i;
int hret;
- void *ptr;
if (table == NULL) {
return;
}
- hret = hash_values(table, &count, &values);
+ hret = hash_values(table, &count, &content);
if (hret != HASH_SUCCESS) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get values [%d]\n", hret);
return;
}
- for (i = 0; i < count; i++) {
- value = values[i].ptr;
- ptr = value->ptr;
-
- /* This will remove the entry from hash table and free value. */
- talloc_free(value->spy);
-
- if (free_values) {
- /* Also free the original value. */
- talloc_free(ptr);
+ for (i = 0; i < count; ++i) {
+ if ((content[i].type == HASH_VALUE_PTR) &&
+ sss_ptr_hash_check_type(content[i].ptr,
+ "struct sss_ptr_hash_value")) {
+ value = content[i].ptr;
+ if (free_values) {
+ payload = value->payload;
+ }
+ talloc_free(value);
+ if (free_values) {
+ talloc_free(payload); /* it's safe to call talloc_free(NULL) */
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected type of table content, skipping");
}
}
+ talloc_free(content);
+
return;
}
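Review bot: `"Unexpected type of table content, skipping"` is missing the trailing `\n`. Note also that an entry skipped for an unexpected type stays in the table, so `hash_count()` may be non-zero after `sss_ptr_hash_delete_all()`; callers relying on an empty table afterwards (the table destructor included) should be aware of that. Iterating the `hash_values()` snapshot while del_cb runs is only safe because the header forbids del_cb from adding or deleting entries, which is good to keep in mind if that rule is ever relaxed.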
diff --git a/src/util/sss_ptr_hash.h b/src/util/sss_ptr_hash.h
index 56bb19a65..0889b171a 100644
--- a/src/util/sss_ptr_hash.h
+++ b/src/util/sss_ptr_hash.h
@@ -28,7 +28,19 @@
/**
* Create a new hash table with string key and talloc pointer value with
- * possible delete callback.
+ * possible custom delete callback @del_cb.
+ * Table will have destructor setup to wipe content.
+ * Never call hash_destroy(table) and hash_delete() explicitly but rather
+ * use talloc_free(table) and sss_ptr_hash_delete().
+ *
+ * A notes about @del_cb:
+ * - this callback must never modify hash table (i.e. add/del entries);
+ * - this callback is triggered when value is either explicitly removed
+ * from the table or simply freed (latter leads to removal of an entry
+ * from the table);
+ * - this callback is also triggered for every entry when table is freed
+ * entirely. In this case (deltype == HASH_TABLE_DESTROY) any table
+ * lookups / iteration are forbidden as table might be already invalidated.
*/
hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
hash_delete_callback *del_cb,
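Review bot: "A notes about @del_cb" should read "Notes about @del_cb". More importantly, the claim that del_cb sees `deltype == HASH_TABLE_DESTROY` when the table is freed looks inconsistent with the new table destructor, which removes entries one at a time through `talloc_free(value)` and thus `hash_delete()`, the path that reports HASH_ENTRY_DESTROY; please verify which deltype actually reaches del_cb on `talloc_free(table)` and align the comment (and the `type == HASH_TABLE_DESTROY` check in the new test's lookup_cb) with it.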
@@ -41,7 +53,8 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
* the value is overridden. Otherwise EEXIST error is returned.
*
* If talloc_ptr is freed the key and value are automatically
- * removed from the hash table.
+ * removed from the hash table (del_cb that was set up during
+ * table creation is executed as a first step of this removal).
*
* @return EOK If the <@key, @talloc_ptr> pair was inserted.
* @return EEXIST If @key already exists and @override is false.
--
2.20.1

@ -0,0 +1,266 @@
From 88b23bf50dd1c12413f3314639de2c3909bd9098 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 28 Jan 2020 19:26:08 +0100
Subject: [PATCH 24/24] TESTS: added sss_ptr_hash unit test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 1 +
src/tests/cmocka/test_sss_ptr_hash.c | 193 +++++++++++++++++++++++++++
src/tests/cmocka/test_utils.c | 9 ++
src/tests/cmocka/test_utils.h | 6 +
4 files changed, 209 insertions(+)
create mode 100644 src/tests/cmocka/test_sss_ptr_hash.c
diff --git a/Makefile.am b/Makefile.am
index 57ba51356..c991f2aa0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3054,6 +3054,7 @@ test_ipa_idmap_LDADD = \
test_utils_SOURCES = \
src/tests/cmocka/test_utils.c \
src/tests/cmocka/test_string_utils.c \
+ src/tests/cmocka/test_sss_ptr_hash.c \
src/p11_child/p11_child_common_utils.c \
$(NULL)
if BUILD_SSH
diff --git a/src/tests/cmocka/test_sss_ptr_hash.c b/src/tests/cmocka/test_sss_ptr_hash.c
new file mode 100644
index 000000000..1458238f5
--- /dev/null
+++ b/src/tests/cmocka/test_sss_ptr_hash.c
@@ -0,0 +1,193 @@
+/*
+ Copyright (C) 2020 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "tests/cmocka/common_mock.h"
+#include "util/sss_ptr_hash.h"
+
+static const int MAX_ENTRIES_AMOUNT = 5;
+
+static void populate_table(hash_table_t *table, int **payloads)
+{
+ char key[2] = {'z', 0};
+
+ for (int i = 0; i < MAX_ENTRIES_AMOUNT; ++i) {
+ payloads[i] = talloc_zero(global_talloc_context, int);
+ assert_non_null(payloads[i]);
+ *payloads[i] = i;
+ key[0] = '0'+(char)i;
+ assert_int_equal(sss_ptr_hash_add(table, key, payloads[i], int), 0);
+ }
+
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT);
+}
+
+static void free_payload_cb(hash_entry_t *item, hash_destroy_enum type, void *pvt)
+{
+ int *counter;
+
+ assert_non_null(item);
+ assert_non_null(item->value.ptr);
+ talloc_zfree(item->value.ptr);
+
+ assert_non_null(pvt);
+ counter = (int *)pvt;
+ (*counter)++;
+}
+
+void test_sss_ptr_hash_with_free_cb(void **state)
+{
+ hash_table_t *table;
+ int free_counter = 0;
+ int *payloads[MAX_ENTRIES_AMOUNT];
+
+ table = sss_ptr_hash_create(global_talloc_context,
+ free_payload_cb,
+ &free_counter);
+ assert_non_null(table);
+
+ populate_table(table, payloads);
+
+ /* check explicit removal from the hash */
+ sss_ptr_hash_delete(table, "1", false);
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
+ assert_int_equal(free_counter, 1);
+
+ /* check implicit removal triggered by payload deletion */
+ talloc_free(payloads[3]);
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
+ assert_int_equal(free_counter, 2);
+
+ /* try to remove non existent entry */
+ sss_ptr_hash_delete(table, "q", false);
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
+ assert_int_equal(free_counter, 2);
+
+ /* clear all */
+ sss_ptr_hash_delete_all(table, false);
+ assert_int_equal((int)hash_count(table), 0);
+ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT);
+
+ /* check that table is still operable */
+ populate_table(table, payloads);
+ sss_ptr_hash_delete(table, "2", false);
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
+ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT+1);
+
+ talloc_free(table);
+ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT*2);
+}
+
+struct table_wrapper
+{
+ hash_table_t **table;
+};
+
+static void lookup_cb(hash_entry_t *item, hash_destroy_enum type, void *pvt)
+{
+ hash_table_t *table;
+ hash_key_t *keys;
+ unsigned long count;
+ int *value = NULL;
+ int sum = 0;
+
+ assert_non_null(pvt);
+ table = *((struct table_wrapper *)pvt)->table;
+ assert_non_null(table);
+
+ if (type == HASH_TABLE_DESTROY) {
+ /* table is being destroyed */
+ return;
+ }
+
+ assert_int_equal(hash_keys(table, &count, &keys), HASH_SUCCESS);
+ for (unsigned int i = 0; i < count; ++i) {
+ assert_int_equal(keys[i].type, HASH_KEY_STRING);
+ value = sss_ptr_hash_lookup(table, keys[i].c_str, int);
+ assert_non_null(value);
+ sum += *value;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "sum of all values = %d\n", sum);
+ talloc_free(keys);
+}
+
+/* main difference with `test_sss_ptr_hash_with_free_cb()`
+ * is that table cb here doesn't delete payload so
+ * this is requested via `free_value(s)` arg
+ */
+void test_sss_ptr_hash_with_lookup_cb(void **state)
+{
+ hash_table_t *table;
+ struct table_wrapper wrapper;
+ int *payloads[MAX_ENTRIES_AMOUNT];
+
+ wrapper.table = &table;
+ table = sss_ptr_hash_create(global_talloc_context,
+ lookup_cb,
+ &wrapper);
+ assert_non_null(table);
+
+ populate_table(table, payloads);
+
+ /* check explicit removal from the hash */
+ sss_ptr_hash_delete(table, "2", true);
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
+
+ /* check implicit removal triggered by payload deletion */
+ talloc_free(payloads[0]);
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
+
+ /* clear all */
+ sss_ptr_hash_delete_all(table, true);
+ assert_int_equal((int)hash_count(table), 0);
+ /* teardown function shall verify there are no leaks
+ * on global_talloc_context and so that payloads[] were freed
+ */
+
+ /* check that table is still operable */
+ populate_table(table, payloads);
+
+ talloc_free(table);
+ /* d-tor triggers hash_destroy() but since cb here doesn free payload
+ * this should be done manually
+ */
+ for (int i = 0; i < MAX_ENTRIES_AMOUNT; ++i) {
+ talloc_free(payloads[i]);
+ }
+}
+
+/* Just smoke test to verify that absence of cb doesn't break anything */
+void test_sss_ptr_hash_without_cb(void **state)
+{
+ hash_table_t *table;
+ int *payloads[MAX_ENTRIES_AMOUNT];
+
+ table = sss_ptr_hash_create(global_talloc_context, NULL, NULL);
+ assert_non_null(table);
+
+ populate_table(table, payloads);
+
+ sss_ptr_hash_delete(table, "4", true);
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
+
+ talloc_free(payloads[1]);
+ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
+
+ sss_ptr_hash_delete_all(table, true);
+ assert_int_equal((int)hash_count(table), 0);
+
+ talloc_free(table);
+}
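Review bot: `static const int MAX_ENTRIES_AMOUNT = 5;` is not an integer constant expression in C, so `int *payloads[MAX_ENTRIES_AMOUNT]` declares a variable-length array in each test; an enum or `#define` would make these ordinary fixed arrays. Two comment typos: "cb here doesn free payload" should be "doesn't free", and "non existent" should be "non-existent". Also worth a comment in free_payload_cb: on the implicit-removal path (`talloc_free(payloads[3])`) it frees a payload whose free is already in progress, so the test relies on talloc ignoring that second free rather than on the hash table contract.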
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index 666f32903..c5eda4dd2 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -2055,6 +2055,15 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_sss_get_domain_mappings_content,
setup_dom_list_with_subdomains,
teardown_dom_list),
+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_free_cb,
+ setup_leak_tests,
+ teardown_leak_tests),
+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_lookup_cb,
+ setup_leak_tests,
+ teardown_leak_tests),
+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_without_cb,
+ setup_leak_tests,
+ teardown_leak_tests),
};
/* Set debug level to invalid value so we can decide if -d 0 was used. */
diff --git a/src/tests/cmocka/test_utils.h b/src/tests/cmocka/test_utils.h
index e93e0da25..44b9479f9 100644
--- a/src/tests/cmocka/test_utils.h
+++ b/src/tests/cmocka/test_utils.h
@@ -33,4 +33,10 @@ void test_guid_blob_to_string_buf(void **state);
void test_get_last_x_chars(void **state);
void test_concatenate_string_array(void **state);
+/* from src/tests/cmocka/test_sss_ptr_hash.c */
+void test_sss_ptr_hash_with_free_cb(void **state);
+void test_sss_ptr_hash_with_lookup_cb(void **state);
+void test_sss_ptr_hash_without_cb(void **state);
+
+
#endif /* __TESTS__CMOCKA__TEST_UTILS_H__ */
--
2.20.1

@ -1,68 +0,0 @@
From 9fdc5f1d87a133885e6a22810a7eb980c60dcb55 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:45:21 +0200
Subject: [PATCH 29/83] responder: make sure SSS_DP_CERT is passed to files
provider
Currently the files provider is only contacted once in a while to update
the full cache with fresh data from the passwd file. To allow rule based
certificate mapping the lookup by certificate request must always be
sent to the files provider so that it can evaluate the rules and add the
certificate to the cached entry of the matching user.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/common/responder_dp.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index 878aa1d..39f0f20 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -34,15 +34,17 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
enum sss_dp_acct_type *_type_out,
const char **_opt_name_out)
{
- if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
+ if (type_in != SSS_DP_CERT) {
+ if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "The entries in the files domain are up-to-date\n");
+ return EOK;
+ }
+
DEBUG(SSSDBG_TRACE_INTERNAL,
- "The entries in the files domain are up-to-date\n");
- return EOK;
+ "Domain files is not consistent, issuing update\n");
}
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Domain files is not consistent, issuing update\n");
-
switch(type_in) {
case SSS_DP_USER:
case SSS_DP_GROUP:
@@ -56,12 +58,16 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
*_type_out = type_in;
*_opt_name_out = DP_REQ_OPT_FILES_INITGR;
return EAGAIN;
+ case SSS_DP_CERT:
+ /* Let the backend handle certificate mapping for local users */
+ *_type_out = type_in;
+ *_opt_name_out = opt_name_in;
+ return EAGAIN;
/* These are not handled by the files provider, just fall back */
case SSS_DP_NETGR:
case SSS_DP_SERVICES:
case SSS_DP_SECID:
case SSS_DP_USER_AND_GROUP:
- case SSS_DP_CERT:
case SSS_DP_WILDCARD_USER:
case SSS_DP_WILDCARD_GROUP:
return EOK;
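Review bot: returning EAGAIN for SSS_DP_CERT means every lookup by certificate now reaches the files provider even when the domain is consistent, so the "entries are up-to-date" shortcut no longer applies to this request type; that is what the commit message asks for, but it is worth a comment here, since the only thing keeping the request cheap when no mapping rules exist is the backend's early `id_ctx->sss_certmap_ctx == NULL` return.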
--
2.9.5

@ -1,166 +0,0 @@
From d42f44d54453d3ddb54875374c1b61dc1e7cd821 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 9 Jul 2018 18:56:26 +0200
Subject: [PATCH 30/83] PAM: add certificate matching rules from all domains
Currently the PAM responder only reads the certificate mapping and
matching rules from the first domain. To support Smartcard
authentication for local and remote users all configured domains must be
taken into account.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/pam/pamsrv.h | 2 +-
src/responder/pam/pamsrv_cmd.c | 2 +-
src/responder/pam/pamsrv_p11.c | 77 +++++++++++++++++++++++++++---------------
3 files changed, 51 insertions(+), 30 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index d189ccc..5d87756 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -114,7 +114,7 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
- struct certmap_info **certmap_list);
+ struct sss_domain_info *domains);
errno_t
pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a6bb289..ed9ad57 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1737,7 +1737,7 @@ static void pam_forwarder_cb(struct tevent_req *req)
goto done;
}
- ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains->certmaps);
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"p11_refresh_certmap_ctx failed, "
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index bf72207..ffa6787 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -142,11 +142,14 @@ static void ext_debug(void *private, const char *file, long line,
}
errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
- struct certmap_info **certmap_list)
+ struct sss_domain_info *domains)
{
int ret;
struct sss_certmap_ctx *sss_certmap_ctx = NULL;
size_t c;
+ struct sss_domain_info *dom;
+ bool certmap_found = false;
+ struct certmap_info **certmap_list;
ret = sss_certmap_init(pctx, ext_debug, NULL, &sss_certmap_ctx);
if (ret != EOK) {
@@ -154,7 +157,15 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
goto done;
}
- if (certmap_list == NULL || *certmap_list == NULL) {
+ DLIST_FOR_EACH(dom, domains) {
+ certmap_list = dom->certmaps;
+ if (certmap_list != NULL && *certmap_list != NULL) {
+ certmap_found = true;
+ break;
+ }
+ }
+
+ if (!certmap_found) {
/* Try to add default matching rule */
ret = sss_certmap_add_rule(sss_certmap_ctx, SSS_CERTMAP_MIN_PRIO,
CERT_AUTH_DEFAULT_MATCHING_RULE, NULL, NULL);
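Review bot: the default matching rule is added only when no domain has any certmap rules at all, so with several domains where only one defines rules, users of the rule-less domains get neither their own rules nor the default one; please confirm this is intended now that rules are collected across domains, and document it if so.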
@@ -166,24 +177,32 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
goto done;
}
- for (c = 0; certmap_list[c] != NULL; c++) {
- DEBUG(SSSDBG_TRACE_ALL,
- "Trying to add rule [%s][%d][%s][%s].\n",
- certmap_list[c]->name, certmap_list[c]->priority,
- certmap_list[c]->match_rule, certmap_list[c]->map_rule);
-
- ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority,
- certmap_list[c]->match_rule,
- certmap_list[c]->map_rule,
- certmap_list[c]->domains);
- if (ret != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sss_certmap_add_rule failed for rule [%s] "
- "with error [%d][%s], skipping. "
- "Please check for typos and if rule syntax is supported.\n",
- certmap_list[c]->name, ret, sss_strerror(ret));
+ DLIST_FOR_EACH(dom, domains) {
+ certmap_list = dom->certmaps;
+ if (certmap_list == NULL || *certmap_list == NULL) {
continue;
}
+
+ for (c = 0; certmap_list[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Trying to add rule [%s][%d][%s][%s].\n",
+ certmap_list[c]->name, certmap_list[c]->priority,
+ certmap_list[c]->match_rule, certmap_list[c]->map_rule);
+
+ ret = sss_certmap_add_rule(sss_certmap_ctx,
+ certmap_list[c]->priority,
+ certmap_list[c]->match_rule,
+ certmap_list[c]->map_rule,
+ certmap_list[c]->domains);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_certmap_add_rule failed for rule [%s] "
+ "with error [%d][%s], skipping. "
+ "Please check for typos and if rule syntax is supported.\n",
+ certmap_list[c]->name, ret, sss_strerror(ret));
+ continue;
+ }
+ }
}
ret = EOK;
@@ -204,19 +223,21 @@ errno_t p11_child_init(struct pam_ctx *pctx)
int ret;
struct certmap_info **certmaps;
bool user_name_hint;
- struct sss_domain_info *dom = pctx->rctx->domains;
+ struct sss_domain_info *dom;
- ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
- return ret;
- }
+ DLIST_FOR_EACH(dom, pctx->rctx->domains) {
+ ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
+ return ret;
+ }
- dom->user_name_hint = user_name_hint;
- talloc_free(dom->certmaps);
- dom->certmaps = certmaps;
+ dom->user_name_hint = user_name_hint;
+ talloc_free(dom->certmaps);
+ dom->certmaps = certmaps;
+ }
- ret = p11_refresh_certmap_ctx(pctx, dom->certmaps);
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
return ret;
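Review bot: returning from inside `DLIST_FOR_EACH(dom, pctx->rctx->domains)` on the first `sysdb_get_certmap()` failure leaves the domains processed so far refreshed and the remaining ones untouched, and skips `p11_refresh_certmap_ctx()` entirely, so one domain with unreadable certmap data disables certificate matching for all domains. Consider logging and continuing with the other domains instead.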
--
2.9.5

@ -0,0 +1,86 @@
From 7b647338a40d701c6a5bb51c48c10a31a6b72699 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 30 Jan 2020 13:14:14 +0100
Subject: [PATCH 25/26] p11_child: check if card is present in wait_for_card()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some implementations of C_WaitForSlotEvent() might return even if no
card was inserted. So it has to be checked if a card is really present.
Resolves: https://pagure.io/SSSD/sssd/issue/4159
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/p11_child/p11_child_openssl.c | 47 ++++++++++++++++---------------
1 file changed, 25 insertions(+), 22 deletions(-)
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 56601b117..295715612 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -1546,35 +1546,38 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
CK_RV rv;
CK_SLOT_INFO info;
- rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
- if (rv != CKR_OK) {
- if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
+ do {
+ rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
+ if (rv != CKR_OK && rv != CKR_FUNCTION_NOT_SUPPORTED) {
DEBUG(SSSDBG_OP_FAILURE,
"C_WaitForSlotEvent failed [%lu][%s].\n",
rv, p11_kit_strerror(rv));
return EIO;
}
- /* Poor man's wait */
- do {
+ if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
+ /* Poor man's wait */
sleep(10);
- rv = module->C_GetSlotInfo(*slot_id, &info);
- if (rv != CKR_OK) {
- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
- return EIO;
- }
- DEBUG(SSSDBG_TRACE_ALL,
- "Description [%s] Manufacturer [%s] flags [%lu] "
- "removable [%s] token present [%s].\n",
- info.slotDescription, info.manufacturerID, info.flags,
- (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
- (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
- if ((info.flags & CKF_REMOVABLE_DEVICE)
- && (info.flags & CKF_TOKEN_PRESENT)) {
- break;
- }
- } while (true);
- }
+ }
+
+ rv = module->C_GetSlotInfo(*slot_id, &info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
+ return EIO;
+ }
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Description [%s] Manufacturer [%s] flags [%lu] "
+ "removable [%s] token present [%s].\n",
+ info.slotDescription, info.manufacturerID, info.flags,
+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+
+ /* Check if really a token is present */
+ if ((info.flags & CKF_REMOVABLE_DEVICE)
+ && (info.flags & CKF_TOKEN_PRESENT)) {
+ break;
+ }
+ } while (true);
return EOK;
}
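Review bot: when `C_WaitForSlotEvent()` returns CKR_OK without a token being present (the case the commit message describes), the loop goes straight back to `C_WaitForSlotEvent()` with no delay; a module that returns immediately every time will therefore spin on `C_GetSlotInfo()` at full speed. A short sleep in the CKR_OK-but-no-token case, and ideally an overall bound on the wait, would keep a misbehaving module from burning CPU in p11_child.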
--
2.20.1

@ -0,0 +1,37 @@
From 37780b895199bab991edae6b1eeb91b7b3966bcf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 6 Feb 2020 14:50:23 +0100
Subject: [PATCH 26/26] PAM client: only require UID 0 for private socket
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Some privileged services like e.g. gdm might only call with UID 0 but
with a different GID. This patch removes the GID 0 requirement to access
the private PAM socket so that e.g. gdm can use the wait-for-card option.
Resolves: https://pagure.io/SSSD/sssd/issue/4159
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sss_client/common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 270ca8b54..902438c86 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -910,8 +910,8 @@ int sss_pam_make_request(enum sss_cli_command cmd,
goto out;
}
- /* only root shall use the privileged pipe */
- if (getuid() == 0 && getgid() == 0) {
+ /* only UID 0 shall use the privileged pipe */
+ if (getuid() == 0) {
socket_name = SSS_PAM_PRIV_SOCKET_NAME;
errno = 0;
statret = stat(socket_name, &stat_buf);
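Review bot: this condition only chooses which socket name the client tries; access to SSS_PAM_PRIV_SOCKET_NAME is still decided by the socket's own permissions and by the responder, so please confirm that a UID 0 caller with a non-zero GID is accepted there as well, otherwise such callers will now pick the private socket and fail at the `stat()`/connect stage instead of silently using the public one. The "only root" comment in the docs for the private socket should be updated to match the new UID-only rule.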
--
2.20.1

@ -1,182 +0,0 @@
From 0c739e969a617bdb4c06cdfd63772bf6d283c518 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 3 Sep 2018 18:38:42 +0200
Subject: [PATCH 31/83] doc: add certificate mapping section to man page
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/sssd.conf.5.xml | 149 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 149 insertions(+)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 881ffc6..04143f1 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -3299,6 +3299,135 @@ ldap_user_extra_attrs = phone:telephoneNumber
</para>
</refsect1>
+ <refsect1 id='certmap'>
+ <title>CERTIFICATE MAPPING SECTION</title>
+ <para>
+ To allow authentication with Smartcards and certificates SSSD must
+ be able to map certificates to users. This can be done by adding the
+ full certificate to the LDAP object of the user or to a local
+ override. While using the full certificate is required to use the
+ Smartcard authentication feature of SSH (see
+ <citerefentry>
+ <refentrytitle>sss_ssh_authorizedkeys</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ for details) it might be cumbersome or not even possible to do this
+ for the general case where local services use PAM for
+ authentication.
+ </para>
+ <para>
+ To make the mapping more flexible mapping and matching rules were
+ added to SSSD (see
+ <citerefentry>
+ <refentrytitle>sss-certmap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ for details).
+ </para>
+ <para>
+ A mapping and matching rule can be added to the SSSD configuration
+ in a section on its own with a name like
+ <quote>[certmap/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</replaceable>]</quote>.
+ In this section the following options are allowed:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>matchrule (string)</term>
+ <listitem>
+ <para>
+ Only certificates from the Smartcard which matches this
+ rule will be processed, all others are ignored.
+ </para>
+ <para>
+ Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only
+ certificates which have the Extended Key Usage
+ <quote>clientAuth</quote>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>maprule (string)</term>
+ <listitem>
+ <para>
+ Defines how the user is found for a given certificate.
+ </para>
+ <para>
+ Default:
+ <itemizedlist>
+ <listitem>
+ <para>LDAP:(userCertificate;binary={cert!bin})
+ for LDAP based providers like
+ <quote>ldap</quote>, <quote>AD</quote> or
+ <quote>ipa</quote>.</para>
+ </listitem>
+ <listitem>
+ <para>The RULE_NAME for the <quote>files</quote>
+ provider which tries to find a user with the
+ same name.</para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>domains (string)</term>
+ <listitem>
+ <para>
+ Comma separated list of domain names the rule should be
+ applied. By default a rule is only valid in the domain
+ configured in sssd.conf. If the provider supports
+ subdomains this option can be used to add the rule to
+ subdomains as well.
+ </para>
+ <para>
+ Default: the configured domain in sssd.conf
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>priority (integer)</term>
+ <listitem>
+ <para>
+ Unsigned integer value defining the priority of the
+ rule. The higher the number the lower the priority.
+ <quote>0</quote> stands for the highest priority while
+ <quote>4294967295</quote> is the lowest.
+ </para>
+ <para>
+ Default: the lowest priority
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <para>
+ To make the configuration simple and reduce the amount of
+ configuration options the <quote>files</quote> provider has some
+ special properties:
+ <itemizedlist>
+ <listitem>
+ <para>
+ if maprule is not set the RULE_NAME name is assumed to
+ be the name of the matching user
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ if a maprule is used both a single user name or a
+ template like
+ <quote>{subject_rfc822_name.short_name}</quote> must
+ be in braces like e.g. <quote>(username)</quote> or
+ <quote>({subject_rfc822_name.short_name})</quote>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ the <quote>domains</quote> option is ignored
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </refsect1>
+
<refsect1 id='example'>
<title>EXAMPLES</title>
<para>
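Review bot: a few wording slips in the new `CERTIFICATE MAPPING SECTION`: under `matchrule`, 'Only certificates from the Smartcard which matches this rule will be processed, all others are ignored.' should read 'which match this rule are processed; all others are ignored'; under `domains`, 'Comma separated list of domain names the rule should be applied.' is missing its preposition ('should be applied to'); and in the files-provider list, 'both a single user name or a template' should be 'either a single user name or a template'. The `maprule` default is given as `LDAP:(userCertificate;binary={cert!bin})` while the example added further down writes `maprule = (userCertificate;binary={cert!bin})` without the `LDAP:` prefix; either align the two or mention that the prefix is optional.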
@@ -3343,6 +3472,26 @@ enumerate = False
use_fully_qualified_names = false
</programlisting>
</para>
+ <para>
+ 3. The following example shows the configuration for two certificate
+ mapping rules. The first is valid for the configured domain
+ <quote>my.domain</quote> and additionally for the subdomains
+ <quote>your.domain</quote> and uses the full certificate in the
+ search filter. The second example is valid for the domain
+ <quote>files</quote> where it is assumed the files provider is used
+ for this domain and contains a matching rule for the local user
+ <quote>myname</quote>.
+<programlisting>
+[certmap/my.domain/rule_name]
+matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$
+maprule = (userCertificate;binary={cert!bin})
+domains = my.domain, your.domain
+priority = 10
+
+[certmap/files/myname]
+matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;^CN=User.Name,DC=MY,DC=DOMAIN$
+</programlisting>
+ </para>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
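Review bot: the description of the second rule in example 3 ('contains a matching rule for the local user myname') should state that `[certmap/files/myname]` deliberately has no `maprule` and relies on the files-provider behaviour documented in the new section, where `RULE_NAME` is taken as the user name; without that sentence the reader has to infer why `myname` appears only in the section header.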
--
2.9.5

@ -1,30 +0,0 @@
From 16941c47a6f0fc2f1679725d55cde221f3c3a6ef Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:12:02 +0200
Subject: [PATCH 32/83] intg: use default locale
Some checks depend on English error messages so checks should always be
run with the default locale.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 65da9ca..6f7605b 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -126,6 +126,7 @@ intgcheck-installed: config.py passwd group
PATH="$$(dirname -- $(SLAPD)):$$PATH" \
PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \
PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \
+ LANG=C \
PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \
LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
NON_WRAPPED_UID=$$(id -u) \
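Review bot: `LANG=C` is the weakest of the locale variables; an `LC_ALL` or `LC_MESSAGES` set in the caller's environment still overrides it, so the English-message assumption the commit message describes is not guaranteed. Setting `LC_ALL=C` (or `LC_ALL=C.UTF-8` where non-ASCII test data is involved) in the same place is the reliable fix.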
--
2.9.5

@ -1,34 +0,0 @@
From 442ae7b1d0704cdd667d4f1ba4c165ce3f3ffed4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:16:50 +0200
Subject: [PATCH 33/83] PAM: use better PAM error code for failed Smartcard
authentication
If the user enters a wrong PIN the PAM responder currently returns
PAM_USER_UNKNOWN; PAM_AUTH_ERR is better.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/pam/pamsrv_cmd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index ed9ad57..817f3c5 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1436,7 +1436,9 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
DEBUG(SSSDBG_CRIT_FAILURE,
"No certificate returned, authentication failed.\n");
- ret = ENOENT;
+ preq->pd->pam_status = PAM_AUTH_ERR;
+ pam_reply(preq);
+ return;
} else {
ret = pam_check_user_search(preq);
}
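Review bot: the new early `return;` after `pam_reply(preq);` in the `SSS_PAM_AUTHENTICATE` branch bypasses whatever follows the `if`/`else` that previously consumed `ret = ENOENT`; confirm that `req` has already been freed at this point in `pam_forwarder_cert_cb()` and that no other cleanup lived on the old error path, otherwise the wrong-PIN case now leaks the request. A one-line comment that `pam_reply()` takes ownership of `preq` would make the asymmetry with the `pam_check_user_search(preq)` branch obvious.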
--
2.9.5

@ -1,31 +0,0 @@
From 91aea762d02731193eb66a00b930ff1fe8bc5ab8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 10 Sep 2018 22:03:55 +0200
Subject: [PATCH 34/83] test_ca: test library only for readable
On Debian libraries typically do not have the execute-bit set so it is
better to only check for readability.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/external/test_ca.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
index 2cdb3c7..bb48726 100644
--- a/src/external/test_ca.m4
+++ b/src/external/test_ca.m4
@@ -58,7 +58,7 @@ AC_DEFUN([AM_CHECK_TEST_CA],
AC_MSG_NOTICE([Could not find p11tool])
fi
- AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"])
+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -r "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"])
fi
AM_COND_IF([BUILD_TEST_CA],
--
2.9.5

@ -1,57 +0,0 @@
From a45a410dc7fa7cf84bcac541e693ee8781e25431 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:17:47 +0200
Subject: [PATCH 35/83] test_ca: set a password/PIN to nss databases
To make sure the PIN is properly checked during tests the NSS databases
need a password.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/test_CA/Makefile.am | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
index 0c70993..1bce2c3 100644
--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -33,7 +33,7 @@ endif
ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(extra)
$(pwdfile):
- @echo "12345678" > $@
+ @echo "123456" > $@
SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
$(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
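Review bot: the PIN written to `$(pwdfile)` changes from `12345678` to `123456` without the commit message saying why, and the same literal is hard-coded again in `test_pam_responder.py` (`input="123456"` in `test_sc_auth`); keeping it in one place, for example by having the test read the pwdfile this Makefile generates, avoids the two drifting apart.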
@@ -65,18 +65,18 @@ SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub
# - src/tests/cmocka/test_pam_srv.c
p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile)
mkdir $@
- $(CERTUTIL) -d sql:./$@ -N --empty-password
- $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
- $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile)
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -f $(pwdfile)
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile)
# This nss db is used in
# - src/tests/cmocka/test_pam_srv.c
p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile)
mkdir $@
- $(CERTUTIL) -d sql:./$@ -N --empty-password
- $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
- $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
- $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile)
+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile)
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -f $(pwdfile)
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile)
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile) -k $(pwdfile)
# The softhsm2 PKCS#11 setups are used in
# - src/tests/cmocka/test_pam_srv.c
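Review bot: besides adding `-f $(pwdfile)` and `-k $(pwdfile)`, the two `$(PK12UTIL)` invocations for `p11_nssdb_2certs` also drop a stray `p11_nssdb` positional argument that was present in the old lines; that is a separate bug fix and should be called out in the commit message so it is not lost if the PIN change is ever reverted.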
--
2.9.5

@ -1,78 +0,0 @@
From d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:19:26 +0200
Subject: [PATCH 36/83] getsockopt_wrapper: add support for PAM clients
PAM clients expect that the private socket of the PAM responder is
handled by root. With this patch getsockopt_wrapper can return the
expected UID and GID to PAM clients.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
index 5109123..2f50889 100644
--- a/src/tests/intg/getsockopt_wrapper.c
+++ b/src/tests/intg/getsockopt_wrapper.c
@@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd)
return NULL != strstr(unix_socket->sun_path, "secrets.socket");
}
+static bool peer_is_private_pam(int fd)
+{
+ int ret;
+ struct sockaddr_storage addr = { 0 };
+ socklen_t addrlen = sizeof(addr);
+ struct sockaddr_un *unix_socket;
+
+ ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
+ if (ret != 0) return false;
+
+ if (addr.ss_family != AF_UNIX) return false;
+
+ unix_socket = (struct sockaddr_un *)&addr;
+
+ return NULL != strstr(unix_socket->sun_path, "private/pam");
+}
+
static uid_t fake_secret_peer(uid_t orig_id)
{
char *val;
@@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id)
return atoi(val);
}
+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
+{
+ char *val;
+
+ val = getenv("SSSD_INTG_PEER_UID");
+ if (val != NULL) {
+ *uid = atoi(val);
+ }
+
+ val = getenv("SSSD_INTG_PEER_GID");
+ if (val != NULL) {
+ *gid = atoi(val);
+ }
+}
+
typedef typeof(getsockopt) getsockopt_fn_t;
static getsockopt_fn_t *orig_getsockopt = NULL;
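Review bot: `fake_peer_uid_gid()` converts `SSSD_INTG_PEER_UID` and `SSSD_INTG_PEER_GID` with `atoi()`, which returns 0 for any empty or non-numeric value; in a wrapper whose job is to fake peer credentials, that silently turns a typo into UID 0/GID 0, the most privileged answer. Parse with `strtoul()` and check the end pointer (the same applies to the existing `fake_secret_peer()` above), and leave the values untouched or abort the test when parsing fails.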
@@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname,
cr->uid = 0;
} else if (is_secrets_socket(sockfd)) {
cr->uid = fake_secret_peer(cr->uid);
+ } else if (peer_is_private_pam(sockfd)) {
+ fake_peer_uid_gid(&cr->uid, &cr->gid);
}
}
--
2.9.5

@ -1,330 +0,0 @@
From 657f3b89bca9adfb13f0867c91f1d76845d2d6dd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:26:21 +0200
Subject: [PATCH 37/83] intg: add Smartcard authentication tests
Two tests for Smartcard authentication of a local user, i.e. a user
managed by the files provider, are added. One for a successful
authentication, the other for a failed authentication with a wrong PIN.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
configure.ac | 1 +
contrib/ci/deps.sh | 2 +
contrib/sssd.spec.in | 1 +
src/external/cwrap.m4 | 5 ++
src/external/intgcheck.m4 | 1 +
src/tests/intg/Makefile.am | 24 ++++++-
src/tests/intg/test_pam_responder.py | 131 ++++++++++++++++++++++++++++++++---
7 files changed, 155 insertions(+), 10 deletions(-)
diff --git a/configure.ac b/configure.ac
index bb18ad4..5816b04 100644
--- a/configure.ac
+++ b/configure.ac
@@ -495,6 +495,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])
AM_CHECK_CMOCKA
AM_CHECK_UID_WRAPPER
AM_CHECK_NSS_WRAPPER
+AM_CHECK_PAM_WRAPPER
AM_CHECK_TEST_CA
# Check if the user wants SSSD to be compiled with systemtap probes
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
index 5906e53..c04c7aa 100644
--- a/contrib/ci/deps.sh
+++ b/contrib/ci/deps.sh
@@ -46,6 +46,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
pyldb
rpm-build
uid_wrapper
+ pam_wrapper
python-requests
curl-devel
krb5-server
@@ -117,6 +118,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
fakeroot
libnss-wrapper
libuid-wrapper
+ libpam-wrapper
python-pytest
python-ldap
python-ldb
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5ebd51f..26fae6d 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -237,6 +237,7 @@ BuildRequires: selinux-policy-targeted
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: uid_wrapper
BuildRequires: nss_wrapper
+BuildRequires: pam_wrapper
# Test CA requires openssl independent if SSSD is build with NSS or openssl,
# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
diff --git a/src/external/cwrap.m4 b/src/external/cwrap.m4
index b8489cc..6e3487c 100644
--- a/src/external/cwrap.m4
+++ b/src/external/cwrap.m4
@@ -28,3 +28,8 @@ AC_DEFUN([AM_CHECK_NSS_WRAPPER],
[
AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
])
+
+AC_DEFUN([AM_CHECK_PAM_WRAPPER],
+[
+ AM_CHECK_WRAPPER(pam_wrapper, HAVE_PAM_WRAPPER)
+])
diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4
index 60a7bf3..c14f669 100644
--- a/src/external/intgcheck.m4
+++ b/src/external/intgcheck.m4
@@ -22,6 +22,7 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [
if test x"$enable_intgcheck_reqs" = xyes; then
SSS_INTGCHECK_REQ([HAVE_UID_WRAPPER], [uid_wrapper])
SSS_INTGCHECK_REQ([HAVE_NSS_WRAPPER], [nss_wrapper])
+ SSS_INTGCHECK_REQ([HAVE_PAM_WRAPPER], [pam_wrapper])
SSS_INTGCHECK_REQ([HAVE_SLAPD], [slapd])
SSS_INTGCHECK_REQ([HAVE_LDAPMODIFY], [ldapmodify])
SSS_INTGCHECK_REQ([HAVE_FAKEROOT], [fakeroot])
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 6f7605b..bb3a7f0 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -105,13 +105,29 @@ passwd: root
group:
echo "root:x:0:" > $@
+PAM_SERVICE_DIR=pam_service_dir
+pam_sss_service:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
CLEANFILES=config.py config.pyc passwd group
clean-local:
rm -Rf root
rm -f $(builddir)/cwrap-dbus-system.conf
-intgcheck-installed: config.py passwd group
+if HAVE_NSS
+PAM_CERT_DB_PATH="sql:$(DESTDIR)$(sysconfdir)/pki/nssdb"
+SOFTHSM2_CONF=""
+else
+PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
+SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
+endif
+
+intgcheck-installed: config.py passwd group pam_sss_service
pipepath="$(DESTDIR)$(pipepath)"; \
if test $${#pipepath} -gt 80; then \
echo "error: Pipe directory path too long," \
@@ -131,12 +147,18 @@ intgcheck-installed: config.py passwd group
LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
NON_WRAPPED_UID=$$(id -u) \
LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \
+ LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)" \
NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \
NSS_WRAPPER_GROUP="$(abs_builddir)/group" \
NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \
NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
UID_WRAPPER=1 \
UID_WRAPPER_ROOT=1 \
+ PAM_WRAPPER=0 \
+ PAM_WRAPPER_SERVICE_DIR="$(abs_builddir)/$(PAM_SERVICE_DIR)" \
+ PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper) \
+ PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
+ SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \
DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index cf6fff2..c6d048c 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -27,31 +27,44 @@ import signal
import errno
import subprocess
import time
-import pytest
+import shutil
import config
-from util import unindent
+import pytest
+
+from intg.util import unindent
+from intg.files_ops import passwd_ops_setup
+USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
+ gecos='User for tests',
+ dir='/home/user1',
+ shell='/bin/bash')
-def format_pam_cert_auth_conf():
+
+def format_pam_cert_auth_conf(config):
"""Format a basic SSSD configuration"""
return unindent("""\
[sssd]
+ debug_level = 10
domains = auth_only
- services = pam
+ services = pam, nss
[nss]
+ debug_level = 10
[pam]
pam_cert_auth = True
+ pam_p11_allowed_services = +pam_sss_service
+ pam_cert_db_path = {config.PAM_CERT_DB_PATH}
debug_level = 10
[domain/auth_only]
- id_provider = ldap
- auth_provider = ldap
- chpass_provider = ldap
- access_provider = ldap
+ debug_level = 10
+ id_provider = files
+
+ [certmap/auth_only/user1]
+ matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
""").format(**locals())
@@ -79,6 +92,8 @@ def create_conf_fixture(request, contents):
def create_sssd_process():
"""Start the SSSD process"""
+ os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"]
+ os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"]
if subprocess.call(["sssd", "-D", "-f"]) != 0:
raise Exception("sssd start failed")
@@ -116,12 +131,41 @@ def create_sssd_fixture(request):
request.addfinalizer(cleanup_sssd_process)
+def create_nssdb():
+ os.mkdir(config.SYSCONFDIR + "/pki")
+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb")
+ if subprocess.call(["certutil", "-N", "-d",
+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/",
+ "--empty-password"]) != 0:
+ raise Exception("certutil failed")
+
+ pkcs11_txt = open(config.SYSCONFDIR + "/pki/nssdb/pkcs11.txt", "w")
+ pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
+ "parameters=configdir='sql:" + config.ABS_BUILDDIR +
+ "/../test_CA/p11_nssdb' " +
+ "dbSlotDescription='SSSD Test Slot' " +
+ "dbTokenDescription='SSSD Test Token' " +
+ "secmod='secmod.db' flags=readOnly)\n\n")
+ pkcs11_txt.close()
+
+
+def cleanup_nssdb():
+ shutil.rmtree(config.SYSCONFDIR + "/pki")
+
+
+def create_nssdb_fixture(request):
+ create_nssdb()
+ request.addfinalizer(cleanup_nssdb)
+
+
@pytest.fixture
def simple_pam_cert_auth(request):
"""Setup SSSD with pam_cert_auth=True"""
- conf = format_pam_cert_auth_conf()
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+ conf = format_pam_cert_auth_conf(config)
create_conf_fixture(request, conf)
create_sssd_fixture(request)
+ create_nssdb_fixture(request)
return None
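Review bot: in `create_nssdb()` the `pkcs11.txt` file is opened without a `with` block, so a failure while writing leaves the handle open and skips `close()`; the written `parameters=` value also ends with `flags=readOnly)` although no opening parenthesis appears anywhere in it, which looks like a stray character and should be checked against the format NSS expects. Fixture ordering deserves a comment too: `create_nssdb_fixture(request)` runs after `create_sssd_fixture(request)`, so the system NSS database is created after sssd has started, and `cleanup_nssdb()` removes `SYSCONFDIR/pki` unconditionally, which is only correct because `create_nssdb()` creates that directory itself.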
@@ -129,3 +173,72 @@ def test_preauth_indicator(simple_pam_cert_auth):
"""Check if preauth indicator file is created"""
statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available")
assert stat.S_ISREG(statinfo.st_mode)
+
+
+@pytest.fixture
+def pam_wrapper_setup(request):
+ pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
+ if pwrap_runtimedir is None:
+ raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
+
+
+def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
+ passwd_ops_setup):
+
+ passwd_ops_setup.useradd(**USER1)
+ current_env = os.environ.copy()
+ current_env['PAM_WRAPPER'] = "1"
+ current_env['SSSD_INTG_PEER_UID'] = "0"
+ current_env['SSSD_INTG_PEER_GID'] = "0"
+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth", "--service=pam_sss_service"],
+ universal_newlines=True,
+ env=current_env, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="111")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: " +
+ "Authentication failure") != -1
+
+
+def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):
+
+ passwd_ops_setup.useradd(**USER1)
+ current_env = os.environ.copy()
+ current_env['PAM_WRAPPER'] = "1"
+ current_env['SSSD_INTG_PEER_UID'] = "0"
+ current_env['SSSD_INTG_PEER_GID'] = "0"
+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth", "--service=pam_sss_service"],
+ universal_newlines=True,
+ env=current_env, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
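Review bot: both `test_sc_auth_wrong_pin` and `test_sc_auth` wrap `communicate()` in a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit`; catch `Exception` (or the specific timeout error) instead. The two tests are otherwise identical apart from the PIN and the expected `pam_authenticate` message, so a helper taking those two values would remove the duplicated `Popen` setup; the `sssctl.stdin.close()` / `sssctl.stdout.close()` calls after `communicate()` are redundant (harmless) since `communicate()` already closes the pipes. Finally, the wrong-PIN test raises if `sssctl.wait() != 0`, so it depends on `sssctl user-checks` exiting 0 even when authentication fails; a comment saying that this is intentional would save the next reader a surprise.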
--
2.9.5

@ -1,49 +0,0 @@
From 4ffe3ab9023ff858410256bc5c38a03d9cd88cf9 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Wed, 5 Sep 2018 13:35:54 +0200
Subject: [PATCH 39/83] proxy: access provider directly not through be_ctx
Modules are initialized as part of dp_init_send() but be_ctx->provider is set
only after this request is finished; therefore it is not available here.
Resolves:
https://pagure.io/SSSD/sssd/issue/3812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/proxy/proxy_init.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index cf4f82e..98c6dd1 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -192,6 +192,7 @@ static errno_t proxy_auth_conf(TALLOC_CTX *mem_ctx,
static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
+ struct data_provider *provider,
struct proxy_auth_ctx **_auth_ctx)
{
struct proxy_auth_ctx *auth_ctx;
@@ -213,7 +214,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = proxy_client_init(dp_sbus_conn(be_ctx->provider), auth_ctx);
+ ret = proxy_client_init(dp_sbus_conn(provider), auth_ctx);
if (ret != EOK) {
goto done;
}
@@ -273,7 +274,7 @@ errno_t sssm_proxy_init(TALLOC_CTX *mem_ctx,
/* Initialize auth_ctx since one of the access, auth or chpass is set. */
- ret = proxy_init_auth_ctx(mem_ctx, be_ctx, &auth_ctx);
+ ret = proxy_init_auth_ctx(mem_ctx, be_ctx, provider, &auth_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context [%d]: %s\n",
ret, sss_strerror(ret));
--
2.9.5

@ -1,144 +0,0 @@
From 4c5a1afa0df41aac05d34455c6e54a6f52a8dd28 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Wed, 5 Sep 2018 13:51:55 +0200
Subject: [PATCH 40/83] dp: set be_ctx->provider as part of dp_init request
Backend context is overused inside sssd code even during its initialization.
Some parts of the initialization code require access to be_ctx->provider so we
must make it available as soon as possible.
A better solution would be to always use 'provider' directly in initialization
but this makes it safer for any future changes as one does not have to keep
in mind when it is safe to use be_ctx->provider and when not. Now it is
always safe.
Resolves:
https://pagure.io/SSSD/sssd/issue/3812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/data_provider/dp.c | 21 +++++++++++++--------
src/providers/data_provider/dp.h | 1 -
src/providers/data_provider_be.c | 2 +-
src/providers/proxy/proxy_init.c | 2 +-
4 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
index fd19d28..bd003c8 100644
--- a/src/providers/data_provider/dp.c
+++ b/src/providers/data_provider/dp.c
@@ -120,6 +120,7 @@ static int dp_destructor(struct data_provider *provider)
}
struct dp_init_state {
+ struct be_ctx *be_ctx;
struct data_provider *provider;
char *sbus_name;
};
@@ -158,6 +159,7 @@ dp_init_send(TALLOC_CTX *mem_ctx,
goto done;
}
+ state->be_ctx = be_ctx;
state->provider->ev = ev;
state->provider->uid = uid;
state->provider->gid = gid;
@@ -224,12 +226,14 @@ static void dp_init_done(struct tevent_req *subreq)
sbus_server_set_on_connection(state->provider->sbus_server,
dp_client_init, state->provider);
+ /* be_ctx->provider must be accessible from modules and targets */
+ state->be_ctx->provider = talloc_steal(state->be_ctx, state->provider);
+
ret = dp_init_modules(state->provider, &state->provider->modules);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP modules "
"[%d]: %s\n", ret, sss_strerror(ret));
- tevent_req_error(req, ret);
- return;
+ goto done;
}
ret = dp_init_targets(state->provider, state->provider->be_ctx,
@@ -237,25 +241,27 @@ static void dp_init_done(struct tevent_req *subreq)
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP targets "
"[%d]: %s\n", ret, sss_strerror(ret));
- tevent_req_error(req, ret);
- return;
+ goto done;
}
ret = dp_init_interface(state->provider);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP interface "
"[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ talloc_zfree(state->be_ctx->provider);
tevent_req_error(req, ret);
- return;
}
tevent_req_done(req);
- return;
}
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
- struct data_provider **_provider,
const char **_sbus_name)
{
struct dp_init_state *state;
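Review bot: in the new `done:` block both `return;` statements are removed, so on the error path `tevent_req_error(req, ret);` is immediately followed by `tevent_req_done(req);` on the same request; completing a tevent request twice fires its callback twice, and since `dp_initialized()` does `talloc_zfree(req)` in that callback, the second completion runs on freed memory. Keep a `return;` after `tevent_req_error()` or move `tevent_req_done()` into an `else`. After `talloc_zfree(state->be_ctx->provider)` the `state->provider` pointer also still refers to the freed object; clear it too, or leave a comment that `state` is discarded together with `req`.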
@@ -263,7 +269,6 @@ errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
TEVENT_REQ_RETURN_ON_ERROR(req);
- *_provider = talloc_steal(mem_ctx, state->provider);
*_sbus_name = talloc_steal(mem_ctx, state->sbus_name);
return EOK;
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
index 33e6e65..0028eb1 100644
--- a/src/providers/data_provider/dp.h
+++ b/src/providers/data_provider/dp.h
@@ -117,7 +117,6 @@ dp_init_send(TALLOC_CTX *mem_ctx,
errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req,
- struct data_provider **_provider,
const char **_sbus_name);
bool _dp_target_enabled(struct data_provider *provider,
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 670ddb4..6d2477e 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -541,7 +541,7 @@ static void dp_initialized(struct tevent_req *req)
be_ctx = tevent_req_callback_data(req, struct be_ctx);
- ret = dp_init_recv(be_ctx, req, &be_ctx->provider, &be_ctx->sbus_name);
+ ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name);
talloc_zfree(req);
if (ret != EOK) {
goto done;
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index 98c6dd1..32343a3 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -214,7 +214,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = proxy_client_init(dp_sbus_conn(provider), auth_ctx);
+ ret = proxy_client_init(dp_sbus_conn(be_ctx->provider), auth_ctx);
if (ret != EOK) {
goto done;
}
--
2.9.5

@ -1,42 +0,0 @@
From 9245bf1afe6767a0412212bc0040e606ee850e7d Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Wed, 12 Sep 2018 13:21:11 +0200
Subject: [PATCH 41/83] sbus: read destination after sender is set
dbus_message_set_sender may reallocate internal fields which will render pointers
obtained by dbus_message_get_* invalid.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/server/sbus_server_handler.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/sbus/server/sbus_server_handler.c b/src/sbus/server/sbus_server_handler.c
index c300d81..d4e4547 100644
--- a/src/sbus/server/sbus_server_handler.c
+++ b/src/sbus/server/sbus_server_handler.c
@@ -148,9 +148,6 @@ sbus_server_filter(DBusConnection *dbus_conn,
return DBUS_HANDLER_RESULT_HANDLED;
}
- destination = dbus_message_get_destination(message);
- type = dbus_message_get_type(message);
-
conn = dbus_connection_get_data(dbus_conn, server->data_slot);
if (conn == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unknown connection!\n");
@@ -173,6 +170,11 @@ sbus_server_filter(DBusConnection *dbus_conn,
return DBUS_HANDLER_RESULT_HANDLED;
}
+ /* Set sender may reallocate internal fields so this needs to be read
+ * after we call dbus_message_set_sender(). */
+ destination = dbus_message_get_destination(message);
+ type = dbus_message_get_type(message);
+
if (type == DBUS_MESSAGE_TYPE_SIGNAL) {
return sbus_server_route_signal(server, conn, message, destination);
}
--
2.9.5

@ -1,34 +0,0 @@
From b821ee3ca93beb94a7a9b22b6f7a205e4900212e Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Wed, 12 Sep 2018 13:22:34 +0200
Subject: [PATCH 42/83] sbus: do not try to remove signal listeners when
disconnecting
This may cause some trouble if the dbus connection was dropped
as dbus will try to actually send the messages. Also when the
connection is being freed, tevent integration is already disabled
so there is no point in doing this.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/router/sbus_router_hash.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/sbus/router/sbus_router_hash.c b/src/sbus/router/sbus_router_hash.c
index 186dc61..2d407b2 100644
--- a/src/sbus/router/sbus_router_hash.c
+++ b/src/sbus/router/sbus_router_hash.c
@@ -384,6 +384,10 @@ sbus_router_listeners_delete_cb(hash_entry_t *item,
return;
}
+ if (conn->disconnecting) {
+ return;
+ }
+
/* If we still have the D-Bus connection available, we try to unregister
* the previously registered listener when its removed from table. */
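Review bot: the early `return` on `conn->disconnecting` skips the unregister call that the comment immediately below describes, but that comment still states the listener is unregistered whenever the D-Bus connection is available; update it to mention the disconnecting shortcut so the code and comment agree. Also worth confirming that `conn` is guaranteed non-NULL here: the `return;` just above this hunk looks like that check, but its condition is outside the visible lines.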
--
2.9.5


@ -1,29 +0,0 @@
From f1f9af528f71f42ac41bb7a272f4f7d940fd3a0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 12 Sep 2018 13:24:27 +0200
Subject: [PATCH 43/83] sbus: free watch_fd->fdevent explicitly
We never reproduced this with gdb but valgrind shows an invalid read in sbus_watch_handler
after the watch_fd was freed. This should not be needed since watch_fd is the memory parent
of fdevent but it seems to help.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/connection/sbus_watch.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/sbus/connection/sbus_watch.c b/src/sbus/connection/sbus_watch.c
index 3898311..0e4bd01 100644
--- a/src/sbus/connection/sbus_watch.c
+++ b/src/sbus/connection/sbus_watch.c
@@ -280,6 +280,7 @@ sbus_watch_remove(DBusWatch *dbus_watch, void *data)
if (watch_fd->dbus_watch.read == NULL
&& watch_fd->dbus_watch.write == NULL) {
+ talloc_free(watch_fd->fdevent);
talloc_free(watch_fd);
}
}
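Review bot: freeing `watch_fd->fdevent` explicitly only changes the teardown order if `watch_fd` has a destructor that runs before its children are released, or if `fdevent` was reparented; as the commit message admits ("it seems to help"), the root cause of the invalid read is not understood. Suggest setting `watch_fd->fdevent = NULL` after the `talloc_free()` so a destructor on `watch_fd` cannot touch it again, and adding a comment stating why the order matters so the line does not get "cleaned up" later.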
--
2.9.5


@ -1,139 +0,0 @@
From de8c9caf61e7b971cda9563cc5851ea222db5830 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Thu, 27 Sep 2018 16:03:40 +0200
Subject: [PATCH 44/83] doc: remove local provider reference from manpages
Introduce a new condition for the documentation build. The related part of the
documentation is excluded if the build is done without the local provider.
Resolves https://pagure.io/SSSD/sssd/issue/3826
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/Makefile.am | 6 +++++-
src/man/include/seealso.xml | 44 +++++++++++++++++++++++---------------------
src/man/sssd.conf.5.xml | 15 +++++++++------
3 files changed, 37 insertions(+), 28 deletions(-)
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index b4c20d8..54a30d1 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -51,7 +51,11 @@ CRYPTO_CONDS = ;with_nss
else
CRYPTO_CONDS = ;with_openssl
endif
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS)
+if BUILD_LOCAL_PROVIDER
+LOCAL_PROVIDER_CONDS = ;enable_local_provider
+endif
+
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS)$(LOCAL_PROVIDER_CONDS)
#Special Rules:
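Review bot: `LOCAL_PROVIDER_CONDS` is assigned only inside `if BUILD_LOCAL_PROVIDER`; automake expands an unassigned variable to empty, so the new `CONDS` line still works, but the neighbouring `CRYPTO_CONDS` block uses an explicit `else` branch, so for consistency add `else` / `LOCAL_PROVIDER_CONDS =` / `endif`.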
diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
index 52798e4..f324b66 100644
--- a/src/man/include/seealso.xml
+++ b/src/man/include/seealso.xml
@@ -44,27 +44,29 @@
<citerefentry>
<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
- <citerefentry>
- <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
+ <phrase condition="enable_local_provider">
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ </phrase>
<citerefentry>
<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 04143f1..c1e3895 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2179,7 +2179,7 @@ pam_p11_allowed_services = +my_pam_service, -login
<para>
<quote>proxy</quote>: Support a legacy NSS provider.
</para>
- <para>
+ <para condition="enable_local_provider">
<quote>local</quote>: SSSD internal provider for
local users (DEPRECATED).
</para>
@@ -2324,7 +2324,7 @@ pam_p11_allowed_services = +my_pam_service, -login
<para>
<quote>proxy</quote> for relaying authentication to some other PAM target.
</para>
- <para>
+ <para condition="enable_local_provider">
<quote>local</quote>: SSSD internal provider for
local users
</para>
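Review bot: the two `<para condition="enable_local_provider">` entries describe the same provider inconsistently: the id_provider entry in the previous hunk says `local users (DEPRECATED)` while this auth_provider entry says only `local users`. Both are now gated on the same condition, so mark both as deprecated (or neither).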
@@ -2836,9 +2836,12 @@ pam_p11_allowed_services = +my_pam_service, -login
<term>case_sensitive (string)</term>
<listitem>
<para>
- Treat user and group names as case sensitive. At
- the moment, this option is not supported in
- the local provider. Possible option values are:
+ Treat user and group names as case sensitive.
+ <phrase condition="enable_local_provider">
+ At the moment, this option is not supported in
+ the local provider.
+ </phrase>
+ Possible option values are:
<variablelist>
<varlistentry>
<term>True</term>
@@ -3148,7 +3151,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
</programlisting>
</refsect2>
- <refsect2 id='local_domain'>
+ <refsect2 id='local_domain' condition="enable_local_provider">
<title>The local domain section</title>
<para>
This section contains settings for domain that stores users and
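Review bot: gating `<refsect2 id='local_domain'>` on the condition removes the `local_domain` id from builds without the local provider, so any `<xref linkend='local_domain'/>` or `<link>` elsewhere in the manpages that is not under the same condition will break the DocBook build. Grep the manpages for that linkend and wrap those references in the same condition.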
--
2.9.5


@ -1,47 +0,0 @@
From 081b18e75c746f9a2ad1fb412c825293090311f8 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Mon, 1 Oct 2018 15:49:06 +0200
Subject: [PATCH 54/83] confdb: log an error when domain is misconfigured
We need to inform the user that there is a misconfiguration
and the particular domain will not be started.
Resolves:
https://pagure.io/SSSD/sssd/issue/3827
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 954c3ba..2f3d900 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -39,6 +39,9 @@
#define SAME_DOMAINS_ERROR_MSG "Domain '%s' is the same as or differs only "\
"in case from domain '%s'.\n"
+#define RETRIEVE_DOMAIN_ERROR_MSG "Error (%d [%s]) retrieving domain [%s], "\
+ "skipping!\n"
+
static char *prepend_cn(char *str, int *slen, const char *comp, int clen)
{
char *ret;
@@ -1522,8 +1525,12 @@ int confdb_get_domains(struct confdb_ctx *cdb,
ret = confdb_get_domain_internal(cdb, cdb, domlist[i], &domain);
if (ret) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Error (%d [%s]) retrieving domain [%s], skipping!\n",
+ RETRIEVE_DOMAIN_ERROR_MSG,
ret, sss_strerror(ret), domlist[i]);
+ sss_log(SSS_LOG_CRIT,
+ RETRIEVE_DOMAIN_ERROR_MSG,
+ ret, sss_strerror(ret), domlist[i]);
+
continue;
}
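Review bot: `RETRIEVE_DOMAIN_ERROR_MSG` ends in `\n`, which the DEBUG macro expects but which `sss_log()` does not need (syslog and journal entries are single records); consider keeping the newline out of the macro and appending it only at the DEBUG call site. The argument list (`ret, sss_strerror(ret), domlist[i]`) is otherwise consistent between the two calls, and moving the format into a macro keeps the compiler's format checking intact.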
--
2.9.5


@ -1,57 +0,0 @@
From dfa7bf1133f002a9fbbd3495a70909913db25b16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 14 Sep 2018 12:30:57 +0200
Subject: [PATCH 55/83] be: use be_is_offline for the main domain when asking
for domain status
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The DOM_ACTIVE/INACTIVE flag is not used with the main domain as it
is used only for subdomains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3830
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/providers/data_provider/dp_iface_backend.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/src/providers/data_provider/dp_iface_backend.c b/src/providers/data_provider/dp_iface_backend.c
index 25a00f3..85159a7 100644
--- a/src/providers/data_provider/dp_iface_backend.c
+++ b/src/providers/data_provider/dp_iface_backend.c
@@ -37,15 +37,23 @@ dp_backend_is_online(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain;
if (SBUS_REQ_STRING_IS_EMPTY(domname)) {
- *_is_online = be_is_offline(be_ctx);
- return EOK;
+ domain = be_ctx->domain;
+ } else {
+ domain = find_domain_by_name(be_ctx->domain, domname, false);
+ if (domain == NULL) {
+ return ERR_DOMAIN_NOT_FOUND;
+ }
}
- domain = find_domain_by_name(be_ctx->domain, domname, false);
- if (domain == NULL) {
- return ERR_DOMAIN_NOT_FOUND;
+ /**
+ * FIXME: https://pagure.io/SSSD/sssd/issue/3831
+ * domain->state is set only for subdomains not for the main domain
+ */
+ if (be_ctx->domain == domain) {
+ *_is_online = be_is_offline(be_ctx) == false;
+ } else {
+ *_is_online = domain->state == DOM_ACTIVE;
}
- *_is_online = domain->state == DOM_ACTIVE;
return EOK;
}
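Review bot: `*_is_online = be_is_offline(be_ctx) == false;` compares a bool against a literal; `!be_is_offline(be_ctx)` is the usual spelling. The FIXME pointing at issue 3831 is useful, but the comment could also state the behavioural consequence: for the main domain the reported status now comes from the backend's offline flag whether the caller passes an empty name or the domain's name, and `domain->state` is consulted only for subdomains.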
--
2.9.5


@ -1,146 +0,0 @@
From e29b82077a78157a1e4d90e2308c1272d7612f3d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 2 Oct 2018 12:13:29 +0200
Subject: [PATCH 56/83] p11: handle multiple certs during auth with OpenSSL
This patch adds missing code already available in the NSS version to
select a certificate for authentication if multiple certificates are
available on the Smartcard. A unit test to check this feature is added
as well.
Related to https://pagure.io/SSSD/sssd/issue/3489
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/p11_child/p11_child_openssl.c | 46 ++++++++++++++++++++++++++++++++++++++-
src/tests/cmocka/test_pam_srv.c | 36 ++++++++++++++++++++++++++++++
2 files changed, 81 insertions(+), 1 deletion(-)
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index be58726..bf4418f 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -572,8 +572,10 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
char *slot_name = NULL;
char *token_name = NULL;
CK_SESSION_HANDLE session = 0;
+ struct cert_list *all_cert_list = NULL;
struct cert_list *cert_list = NULL;
struct cert_list *item = NULL;
+ struct cert_list *tmp_cert = NULL;
char *multi = NULL;
bool pkcs11_session = false;
bool pkcs11_login = false;
@@ -691,12 +693,54 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
DEBUG(SSSDBG_TRACE_ALL, "Login NOT required.\n");
}
- ret = read_certs(mem_ctx, module, session, p11_ctx, &cert_list);
+ ret = read_certs(mem_ctx, module, session, p11_ctx, &all_cert_list);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "read_certs failed.\n");
goto done;
}
+ DLIST_FOR_EACH(item, all_cert_list) {
+ /* Check if we found the certificates we needed for authentication or
+ * the requested ones for pre-auth. For authentication all attributes
+ * must be given and match, for pre-auth only the given ones must
+ * match. */
+ DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s.\n",
+ module_name_in, module_file_name, token_name_in, token_name,
+ key_id_in, item->id);
+
+ if ((mode == OP_AUTH
+ && module_name_in != NULL
+ && token_name_in != NULL
+ && key_id_in != NULL
+ && item->id != NULL
+ && strcmp(key_id_in, item->id) == 0
+ && strcmp(token_name_in, token_name) == 0
+ && strcmp(module_name_in, module_file_name) == 0)
+ || (mode == OP_PREAUTH
+ && (module_name_in == NULL
+ || (module_name_in != NULL
+ && strcmp(module_name_in, module_file_name) == 0))
+ && (token_name_in == NULL
+ || (token_name_in != NULL
+ && strcmp(token_name_in, token_name) == 0))
+ && (key_id_in == NULL
+ || (key_id_in != NULL && item->id != NULL
+ && strcmp(key_id_in, item->id) == 0)))) {
+
+ tmp_cert = talloc_memdup(mem_ctx, item, sizeof(struct cert_list));
+ if (tmp_cert == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_memdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ tmp_cert->prev = NULL;
+ tmp_cert->next = NULL;
+
+ DLIST_ADD(cert_list, tmp_cert);
+
+ }
+ }
+
/* TODO: check module_name_in, token_name_in, key_id_in */
if (cert_list == NULL) {
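Review bot: the DEBUG at the top of the loop prints `module_name_in`, `token_name_in`, `key_id_in` and `item->id` with `%s`, yet the condition right below explicitly allows each of them to be NULL in OP_PREAUTH mode; passing NULL for `%s` is undefined behaviour (glibc happens to print `(null)`), so guard each argument, e.g. `key_id_in ? key_id_in : "-"`. Two smaller points: `talloc_memdup()` copies the struct shallowly, so the entries in `cert_list` still reference strings and certificate handles owned by `all_cert_list` and must not outlive it; and the `/* TODO: check module_name_in, token_name_in, key_id_in */` comment at the end of the hunk now describes exactly what the loop above does, so it should be removed.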
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 446985d..2b02ac2 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -2443,6 +2443,40 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state)
assert_int_equal(ret, EOK);
}
+void test_pam_cert_auth_2certs_one_mapping(void **state)
+{
+ int ret;
+
+#ifdef HAVE_NSS
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
+#else
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_two.conf"));
+#endif
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
+ true);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+
void test_filter_response(void **state)
{
int ret;
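Review bot: the test expects `PAM_BAD_ITEM` (the mocked backend cannot handle smartcard credentials) but registers `test_pam_simple_check_success` as the command callback, so what is actually asserted is that the responder selects the certificate matching the given key id and reaches the backend, not that authentication succeeds; a one-line comment saying so would help the next reader. Style: there are two blank lines before `test_filter_response` where the file otherwise uses one.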
@@ -2875,6 +2909,8 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_two_mappings,
pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping,
+ pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
--
2.9.5


@ -1,74 +0,0 @@
From 0be037bbedd0aed6a7eccead6aabe0d07258242a Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Mon, 1 Oct 2018 13:45:52 +0200
Subject: [PATCH 57/83] doc: Add nsswitch.conf note to manpage
We want to add a note about nsswitch.conf configuration
to the sssd-files manpage.
Resolves:
https://pagure.io/SSSD/sssd/issue/3750
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/man/sssd-files.5.xml | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
index 59e1b65..067e219 100644
--- a/src/man/sssd-files.5.xml
+++ b/src/man/sssd-files.5.xml
@@ -51,6 +51,27 @@
<manvolnum>5</manvolnum>
</citerefentry>.
</para>
+ <para>
+ Another reason is to provide efficient caching of local users and groups.
+ </para>
+ <para>
+ Please note that some distributions enable the files domain automatically,
+ prepending the domain before any explicitly configured domains.
+ See enable_files_domain in
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>.
+ </para>
+ <para>
+ SSSD never handles resolution of user/group "root". Also resolution of
+ UID/GID 0 is not handled by SSSD. Such requests are passed to next
+ NSS module (usually files).
+ </para>
+ <para>
+ When SSSD is not running or responding, nss_sss returns the UNAVAIL code
+ which causes the request to be passed to the next module.
+ </para>
</refsect1>
<refsect1 id='configuration-options'>
@@ -112,9 +133,20 @@
id_provider = files
</programlisting>
</para>
+ <para>
+ To leverage caching of local users and groups by SSSD
+ nss_sss module must be listed before nss_files module
+ in /etc/nsswitch.conf.
+ </para>
+ <para>
+<programlisting>
+passwd: sss files
+group: sss files
+</programlisting>
+ </para>
</refsect1>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
</refentry>
</reference>
--
2.9.5


@ -1,31 +0,0 @@
From e5dc30e0092b240a32f2004966eeecdc57d50fb8 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 8 Oct 2018 07:45:45 +0000
Subject: [PATCH 58/83] MAN: Fix typo in ad_gpo_implicit_deny default value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Merges: https://pagure.io/SSSD/sssd/pull-request/3846
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/man/sssd-ad.5.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 0eac382..ea0adf7 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -432,7 +432,7 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
apply to them.
</para>
<para>
- Default: False (seconds)
+ Default: False
</para>
</listitem>
</varlistentry>
--
2.9.5


@ -1,470 +0,0 @@
From 42f69e26e5b858dd03492cc2a148d02c2ccc2161 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 14 Sep 2018 12:47:00 +0200
Subject: [PATCH 59/83] p11_child: add --wait_for_card option
The --wait_for_card option will let the p11_child wait until a
Smartcard/token is available in a slot with the removable flag.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/p11_child/p11_child.h | 5 +-
src/p11_child/p11_child_common.c | 12 +++-
src/p11_child/p11_child_nss.c | 105 ++++++++++++++++++++---------
src/p11_child/p11_child_openssl.c | 136 ++++++++++++++++++++++++++++++--------
4 files changed, 196 insertions(+), 62 deletions(-)
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
index 1e9fc3d..dd8fdea 100644
--- a/src/p11_child/p11_child.h
+++ b/src/p11_child/p11_child.h
@@ -25,6 +25,9 @@
#ifndef __P11_CHILD_H__
#define __P11_CHILD_H__
+/* Time to wait during a C_Finalize C_Initialize cycle to discover
+ * new slots. */
+#define PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME 3
struct p11_ctx;
enum op_mode {
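Review bot: the new macro name is misspelled (`PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME`; should be `FINALIZE`); it is already used from both the NSS and the OpenSSL backend in this patch, so rename it now before more code picks it up.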
@@ -41,7 +44,7 @@ enum pin_mode {
};
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db,
- struct p11_ctx **p11_ctx);
+ bool wait_for_card, struct p11_ctx **p11_ctx);
errno_t init_verification(struct p11_ctx *p11_ctx,
struct cert_verify_opts *cert_verify_opts);
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
index 125430d..bc5f6b0 100644
--- a/src/p11_child/p11_child_common.c
+++ b/src/p11_child/p11_child_common.c
@@ -57,6 +57,7 @@ static const char *op_mode_str(enum op_mode mode)
static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
struct cert_verify_opts *cert_verify_opts,
+ bool wait_for_card,
const char *cert_b64, const char *pin,
const char *module_name, const char *token_name,
const char *key_id, char **multi)
@@ -64,7 +65,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
int ret;
struct p11_ctx *p11_ctx;
- ret = init_p11_ctx(mem_ctx, ca_db, &p11_ctx);
+ ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, &p11_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "init_p11_ctx failed.\n");
return ret;
@@ -157,6 +158,7 @@ int main(int argc, const char *argv[])
char *token_name = NULL;
char *key_id = NULL;
char *cert_b64 = NULL;
+ bool wait_for_card = false;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -174,6 +176,7 @@ int main(int argc, const char *argv[])
SSSD_LOGGER_OPTS
{"auth", 0, POPT_ARG_NONE, NULL, 'a', _("Run in auth mode"), NULL},
{"pre", 0, POPT_ARG_NONE, NULL, 'p', _("Run in pre-auth mode"), NULL},
+ {"wait_for_card", 0, POPT_ARG_NONE, NULL, 'w', _("Wait until card is available"), NULL},
{"verification", 0, POPT_ARG_NONE, NULL, 'v', _("Run in verification mode"),
NULL},
{"pin", 0, POPT_ARG_NONE, NULL, 'i', _("Expect PIN on stdin"), NULL},
@@ -258,6 +261,9 @@ int main(int argc, const char *argv[])
}
pin_mode = PIN_KEYPAD;
break;
+ case 'w':
+ wait_for_card = true;
+ break;
default:
fprintf(stderr, "\nInvalid option %s: %s\n\n",
poptBadOption(pc, 0), poptStrerror(opt));
@@ -360,8 +366,8 @@ int main(int argc, const char *argv[])
}
}
- ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, cert_b64,
- pin, module_name, token_name, key_id, &multi);
+ ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card,
+ cert_b64, pin, module_name, token_name, key_id, &multi);
if (ret != 0) {
DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
goto fail;
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index d6a0b80..b2777d1 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -51,6 +51,7 @@ struct p11_ctx {
CERTCertDBHandle *handle;
struct cert_verify_opts *cert_verify_opts;
const char *nss_db;
+ bool wait_for_card;
};
#define EXP_USAGES ( certificateUsageSSLClient \
@@ -141,6 +142,19 @@ static int talloc_free_handle(struct p11_ctx *p11_ctx)
return 0;
}
+static NSSInitContext *get_nss_ctx(const char *nss_db)
+{
+ uint32_t flags = NSS_INIT_READONLY
+ | NSS_INIT_FORCEOPEN
+ | NSS_INIT_NOROOTINIT
+ | NSS_INIT_OPTIMIZESPACE
+ | NSS_INIT_PK11RELOAD;
+ NSSInitParameters parameters = { 0 };
+ parameters.length = sizeof (parameters);
+
+ return NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters, flags);
+}
+
errno_t init_verification(struct p11_ctx *p11_ctx,
struct cert_verify_opts *cert_verify_opts)
{
@@ -256,14 +270,15 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
SECItem signed_random_value = {0};
SECKEYPublicKey *pub_key;
CERTCertificate *found_cert = NULL;
- PK11SlotList *list = NULL;
- PK11SlotListElement *le;
const char *label;
char *key_id_str = NULL;
CERTCertList *valid_certs = NULL;
char *cert_b64 = NULL;
char *multi = NULL;
PRCList *node;
+ CK_SLOT_INFO slInfo;
+ PK11TokenStatus token_status;
+ size_t s;
PK11_SetPasswordFunc(password_passthrough);
@@ -297,28 +312,50 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
mod_list_item->module->dllName);
}
- list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE,
- NULL);
- if (list == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "PK11_GetAllTokens failed.\n");
- ret = EIO;
- goto done;
- }
+ for (;;) {
+ mod_list = SECMOD_GetDefaultModuleList();
+ for (mod_list_item = mod_list; mod_list_item != NULL;
+ mod_list_item = mod_list_item->next) {
+ for (s = 0; s < mod_list_item->module->slotCount; s++) {
+ slInfo.flags = 0;
+ rv = PK11_GetSlotInfo(mod_list_item->module->slots[s], &slInfo);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Description [%s] Manufacturer [%s] flags [%lu] "
+ "removable [%s] token present [%s].\n",
+ slInfo.slotDescription, slInfo.manufacturerID,
+ slInfo.flags,
+ (slInfo.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
+ (slInfo.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+
+ if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) {
+ slot = PK11_ReferenceSlot(mod_list_item->module->slots[s]);
+ break;
+ }
+ }
+ }
- for (le = list->head; le; le = le->next) {
- CK_SLOT_INFO slInfo;
+ /* When e.g. using Yubikeys the slot isn't present until the device is
+ * inserted, so we should wait for a slot as well. */
+ if (p11_ctx->wait_for_card && slot == NULL) {
+ rv = NSS_ShutdownContext(p11_ctx->nss_ctx);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
+ }
- slInfo.flags = 0;
- rv = PK11_GetSlotInfo(le->slot, &slInfo);
- DEBUG(SSSDBG_TRACE_ALL,
- "Description [%s] Manufacturer [%s] flags [%lu].\n",
- slInfo.slotDescription, slInfo.manufacturerID, slInfo.flags);
- if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) {
- slot = PK11_ReferenceSlot(le->slot);
+ sleep(PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME);
+
+ p11_ctx->nss_ctx = get_nss_ctx(p11_ctx->nss_db);
+ if (p11_ctx->nss_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
+ return EIO;
+ }
+ } else {
break;
}
}
- PK11_FreeSlotList(list);
+
if (slot == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "No removable slots found.\n");
ret = EIO;
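Review bot: the `break` after `slot = PK11_ReferenceSlot(...)` only leaves the inner `for (s ...)` loop; the enclosing `for (mod_list_item ...)` loop keeps going, so if a later module also has a removable slot, `slot` is overwritten (leaking the reference taken by `PK11_ReferenceSlot()`) and `slInfo`, which is checked for `CKF_TOKEN_PRESENT` after the loop, ends up describing the last slot examined rather than the chosen one. Add `if (slot != NULL) break;` after the inner loop. Two more points: the `return EIO;` after the failed `get_nss_ctx()` skips the `done:` cleanup that every other error path in `do_card()` goes through, so use `ret = EIO; goto done;`; and the `for (;;)` re-initializes NSS every `PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME` seconds with no upper bound, so p11_child only terminates via the parent's timeout, which deserves a comment.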
@@ -332,6 +369,22 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
module = PK11_GetModule(slot);
module_name = module->dllName == NULL ? "NSS-Internal" : module->dllName;
+ if (!(slInfo.flags & CKF_TOKEN_PRESENT)) {
+ DEBUG(SSSDBG_TRACE_ALL, "Token not present.\n");
+ if (p11_ctx->wait_for_card) {
+ token_status = PK11_WaitForTokenEvent(slot, PK11TokenPresentEvent,
+ PR_INTERVAL_NO_TIMEOUT, 0, 0);
+ if (token_status != PK11TokenPresent) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_WaitForTokenEvent failed.\n");
+ ret = EIO;
+ goto done;
+ }
+ } else {
+ ret = EIO;
+ goto done;
+ }
+ }
+
DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d][%s].\n",
token_name, slot_name, (int) slot_id, (int) module_id, module_name);
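Review bot: on the non-waiting path (`else { ret = EIO; goto done; }`) the only message is the `Token not present` line at SSSDBG_TRACE_ALL, so at the default debug level the failure is silent; log at SSSDBG_OP_FAILURE there. The waiting path uses `PR_INTERVAL_NO_TIMEOUT`, so `PK11_WaitForTokenEvent()` can block indefinitely and the only bound is the parent's timeout; state that dependency in a comment next to the call.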
@@ -651,26 +704,18 @@ static int talloc_nss_shutdown(struct p11_ctx *p11_ctx)
}
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db,
- struct p11_ctx **p11_ctx)
+ bool wait_for_card, struct p11_ctx **p11_ctx)
{
struct p11_ctx *ctx;
- uint32_t flags = NSS_INIT_READONLY
- | NSS_INIT_FORCEOPEN
- | NSS_INIT_NOROOTINIT
- | NSS_INIT_OPTIMIZESPACE
- | NSS_INIT_PK11RELOAD;
- NSSInitParameters parameters = { 0 };
- parameters.length = sizeof (parameters);
-
ctx = talloc_zero(mem_ctx, struct p11_ctx);
if (ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
return ENOMEM;
}
ctx->nss_db = nss_db;
+ ctx->wait_for_card = wait_for_card;
- ctx->nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, &parameters,
- flags);
+ ctx->nss_ctx = get_nss_ctx(nss_db);
if (ctx->nss_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
PR_GetError(), PORT_ErrorToString(PR_GetError()));
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index bf4418f..d4572d9 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -40,6 +40,7 @@
struct p11_ctx {
X509_STORE *x509_store;
const char *ca_db;
+ bool wait_for_card;
};
static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
@@ -48,8 +49,9 @@ static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
return 0;
}
+
errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
- struct p11_ctx **p11_ctx)
+ bool wait_for_card, struct p11_ctx **p11_ctx)
{
int ret;
struct p11_ctx *ctx;
@@ -73,6 +75,7 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
}
ctx->ca_db = ca_db;
+ ctx->wait_for_card = wait_for_card;
talloc_set_destructor(ctx, talloc_cleanup_openssl);
*p11_ctx = ctx;
@@ -547,6 +550,45 @@ done:
return ret;
}
+static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
+{
+ CK_FLAGS wait_flags = 0;
+ CK_RV rv;
+ CK_SLOT_INFO info;
+
+ rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
+ if (rv != CKR_OK) {
+ if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "C_WaitForSlotEvent failed [%lu][%s].\n",
+ rv, p11_kit_strerror(rv));
+ return EIO;
+ }
+
+ /* Poor man's wait */
+ do {
+ sleep(10);
+ rv = module->C_GetSlotInfo(*slot_id, &info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
+ return EIO;
+ }
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Description [%s] Manufacturer [%s] flags [%lu] "
+ "removable [%s] token present [%s].\n",
+ info.slotDescription, info.manufacturerID, info.flags,
+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+ if ((info.flags & CKF_REMOVABLE_DEVICE)
+ && (info.flags & CKF_TOKEN_PRESENT)) {
+ break;
+ }
+ } while (true);
+ }
+
+ return EOK;
+}
+
#define MAX_SLOTS 64
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
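Review bot: when `C_WaitForSlotEvent()` returns CKR_OK the function returns EOK without checking that the slot written to `*slot_id` is the one selected earlier or that `CKF_TOKEN_PRESENT` is now set; a removal event, or an event on a different slot, satisfies the call just as well, so call `C_GetSlotInfo()` and check the flags on that path too (the polling fallback already does). Smaller points: the fallback polls every 10 s with no upper bound, and the static function shares its name with the `wait_for_card` struct field and the `init_p11_ctx()` parameter, which makes the code harder to grep; `wait_for_token()` would be clearer.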
@@ -588,39 +630,62 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
return EIO;
}
- DEBUG(SSSDBG_TRACE_ALL, "Module List:\n");
- for (c = 0; modules[c] != NULL; c++) {
- mod_name = p11_kit_module_get_name(modules[c]);
- mod_file_name = p11_kit_module_get_filename(modules[c]);
- DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name);
- DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name);
- free(mod_name);
- free(mod_file_name);
+ for (;;) {
+ DEBUG(SSSDBG_TRACE_ALL, "Module List:\n");
+ for (c = 0; modules[c] != NULL; c++) {
+ mod_name = p11_kit_module_get_name(modules[c]);
+ mod_file_name = p11_kit_module_get_filename(modules[c]);
+ DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name);
+ DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name);
+ free(mod_name);
+ free(mod_file_name);
- num_slots = MAX_SLOTS;
- rv = modules[c]->C_GetSlotList(CK_TRUE, slots, &num_slots);
- if (rv != CKR_OK) {
- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n");
- ret = EIO;
- goto done;
- }
-
- for (s = 0; s < num_slots; s++) {
- rv = modules[c]->C_GetSlotInfo(slots[s], &info);
+ num_slots = MAX_SLOTS;
+ rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots);
if (rv != CKR_OK) {
- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n");
ret = EIO;
goto done;
}
- DEBUG(SSSDBG_TRACE_ALL,
- "Description [%s] Manufacturer [%s] flags [%lu] removable [%s].\n",
- info.slotDescription, info.manufacturerID, info.flags,
- (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false");
- if ((info.flags & CKF_REMOVABLE_DEVICE)) {
+
+ for (s = 0; s < num_slots; s++) {
+ rv = modules[c]->C_GetSlotInfo(slots[s], &info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
+ ret = EIO;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Description [%s] Manufacturer [%s] flags [%lu] "
+ "removable [%s] token present [%s].\n",
+ info.slotDescription, info.manufacturerID, info.flags,
+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+ if ((info.flags & CKF_REMOVABLE_DEVICE)) {
+ break;
+ }
+ }
+ if (s != num_slots) {
break;
}
}
- if (s != num_slots) {
+
+ /* When e.g. using Yubikeys the slot isn't present until the device is
+ * inserted, so we should wait for a slot as well. */
+ if (p11_ctx->wait_for_card && modules[c] == NULL) {
+ p11_kit_modules_finalize_and_release(modules);
+
+ sleep(PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME);
+
+ modules = p11_kit_modules_load_and_initialize(0);
+ if (modules == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "p11_kit_modules_load_and_initialize failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ } else {
break;
}
}
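Review bot: when `p11_ctx->wait_for_card` is set and no removable slot is found, this loop finalizes and reloads every p11-kit module each `PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME` seconds with no upper bound, so p11_child terminates only through the parent's timeout; a bounded retry count, or at least a comment documenting that reliance, would help. If `p11_kit_modules_load_and_initialize()` fails, `modules` is NULL when jumping to `done:`, so the cleanup there must tolerate a NULL module list. The switch from `C_GetSlotList(CK_TRUE, ...)` to `CK_FALSE` is what makes empty removable slots visible and is the intended behaviour change; a comment on that line would make it less likely to be reverted by accident.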
@@ -631,14 +696,29 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
goto done;
}
- rv = modules[c]->C_GetTokenInfo(slots[s], &token_info);
+ slot_id = slots[s];
+
+ if (!(info.flags & CKF_TOKEN_PRESENT)) {
+ DEBUG(SSSDBG_TRACE_ALL, "Token not present.\n");
+ if (p11_ctx->wait_for_card) {
+ ret = wait_for_card(modules[c], &slot_id);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "wait_for_card failed.\n");
+ goto done;
+ }
+ } else {
+ ret = EIO;
+ goto done;
+ }
+ }
+
+ rv = modules[c]->C_GetTokenInfo(slot_id, &token_info);
if (rv != CKR_OK) {
DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n");
ret = EIO;
goto done;
}
- slot_id = slots[s];
module_id = c;
slot_name = p11_kit_space_strdup(info.slotDescription,
sizeof(info.slotDescription));
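Review bot: after `wait_for_card()` returns through the `C_WaitForSlotEvent()` path, `slot_id` may have been overwritten with whatever slot raised the event, but `info` (and therefore `slot_name`, computed from `info.slotDescription` just below) and `s` still describe `slots[s]`; refresh `info` with `C_GetSlotInfo(slot_id, &info)` after the wait, or reject a `slot_id` that differs from `slots[s]`. The non-waiting branch (`ret = EIO; goto done;`) again has no message above SSSDBG_TRACE_ALL.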
--
2.9.5


@ -1,143 +0,0 @@
From 2e4ecf5a866b212bef44e262fd90c67a88dc616a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 18:15:02 +0200
Subject: [PATCH 60/83] PAM: add p11_wait_for_card_timeout option
If --wait_for_card is used to call p11_child, the PAM responder
should be prepared to wait longer until p11_child can return
successfully.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 14 ++++++++++++++
src/responder/pam/pamsrv_cmd.c | 15 +++++++++++++++
src/util/util.h | 1 +
7 files changed, 34 insertions(+)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 625d156..87904c2 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -130,6 +130,7 @@
#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
+#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 81a03ad..4d1dba2 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -104,6 +104,7 @@ option_strings = {
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
+ 'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 78f215e..50a8f1d 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -127,6 +127,7 @@ option = pam_cert_db_path
option = p11_child_timeout
option = pam_app_services
option = pam_p11_allowed_services
+option = p11_wait_for_card_timeout
[rule/allowed_sudo_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 52494c0..bb686c3 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -76,6 +76,7 @@ pam_cert_db_path = str, None, false
p11_child_timeout = int, None, false
pam_app_services = str, None, false
pam_p11_allowed_services = str, None, false
+p11_wait_for_card_timeout = int, None, false
[sudo]
# sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index c1e3895..4df0163 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1464,6 +1464,20 @@ pam_p11_allowed_services = +my_pam_service, -login
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>p11_wait_for_card_timeout (integer)</term>
+ <listitem>
+ <para>
+ If Smartcard authentication is required how many
+ extra seconds in addition to p11_child_timeout
+ should the PAM responder wait until a Smartcard is
+ inserted.
+ </para>
+ <para>
+ Default: 60
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
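Review bot: the description of p11_wait_for_card_timeout omits a condition that the pamsrv_cmd.c hunk in this same patch makes explicit: the extra seconds are only added when the client asked for require_cert_auth and is privileged (`pd->priv == 1`). Suggest stating that in the <para>, and adding the missing comma: "If Smartcard authentication is required, how many extra seconds in addition to p11_child_timeout should the PAM responder wait ...".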
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 817f3c5..c8df32d 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1297,6 +1297,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
struct pam_data *pd)
{
int p11_child_timeout;
+ int wait_for_card_timeout;
char *cert_verification_opts;
errno_t ret;
struct tevent_req *req;
@@ -1311,6 +1312,20 @@ static errno_t check_cert(TALLOC_CTX *mctx,
ret, sss_strerror(ret));
return ret;
}
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT,
+ P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT,
+ &wait_for_card_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read wait_for_card_timeout from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ p11_child_timeout += wait_for_card_timeout;
+ }
ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY,
CONFDB_MONITOR_CERT_VERIFICATION, NULL,
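Review bot: `wait_for_card_timeout` is added to `p11_child_timeout` without a range check, so a negative value in sssd.conf shortens the p11_child timeout instead of extending it, possibly down to zero. Suggest rejecting or clamping values below 0 right after `confdb_get_int()`, e.g. `if (wait_for_card_timeout < 0) wait_for_card_timeout = P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT;` together with a DEBUG line saying the configured value was ignored.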
diff --git a/src/util/util.h b/src/util/util.h
index 59e7a96..e3e9100 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -724,6 +724,7 @@ errno_t create_preauth_indicator(void);
#define P11_CHILD_LOG_FILE "p11_child"
#define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child"
#define P11_CHILD_TIMEOUT_DEFAULT 10
+#define P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT 60
#endif /* SSSD_LIBEXEC_PATH */
#endif /* __SSSD_UTIL_H__ */
--
2.9.5


@ -1,244 +0,0 @@
From d33a8bed5aad9135426c9ebdf101cf600685ab81 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 10:11:02 +0200
Subject: [PATCH 61/83] pam_sss: make flags public
To allow the PAM responder to act on the config flags set for pam_sss
the flags have to be made public first.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sss_client/pam_sss.c | 71 +++++++++++++++++++++---------------------------
src/sss_client/sss_cli.h | 9 ++++++
2 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 59081cc..b336d1f 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -52,15 +52,6 @@
#include <libintl.h>
#define _(STRING) dgettext (PACKAGE, STRING)
-#define FLAGS_USE_FIRST_PASS (1 << 0)
-#define FLAGS_FORWARD_PASS (1 << 1)
-#define FLAGS_USE_AUTHTOK (1 << 2)
-#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
-#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
-#define FLAGS_USE_2FA (1 << 5)
-#define FLAGS_ALLOW_MISSING_NAME (1 << 6)
-#define FLAGS_PROMPT_ALWAYS (1 << 7)
-
#define PWEXP_FLAG "pam_sss:password_expired_flag"
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
#define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type"
@@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
pi->pam_service_size=strlen(pi->pam_service)+1;
ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user));
- if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) {
+ if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) {
pi->pam_user = "";
ret = PAM_SUCCESS;
}
if (ret != PAM_SUCCESS) return ret;
if (pi->pam_user == NULL) {
- if (flags & FLAGS_ALLOW_MISSING_NAME) {
+ if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
pi->pam_user = "";
} else {
D(("No user found, aborting."));
@@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
for (; argc-- > 0; ++argv) {
if (strcmp(*argv, "forward_pass") == 0) {
- *flags |= FLAGS_FORWARD_PASS;
+ *flags |= PAM_CLI_FLAGS_FORWARD_PASS;
} else if (strcmp(*argv, "use_first_pass") == 0) {
- *flags |= FLAGS_USE_FIRST_PASS;
+ *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS;
} else if (strcmp(*argv, "use_authtok") == 0) {
- *flags |= FLAGS_USE_AUTHTOK;
+ *flags |= PAM_CLI_FLAGS_USE_AUTHTOK;
} else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
logger(pamh, LOG_ERR, "Missing argument to option domains.");
@@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
} else if (strcmp(*argv, "quiet") == 0) {
*quiet_mode = true;
} else if (strcmp(*argv, "ignore_unknown_user") == 0) {
- *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+ *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
} else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
- *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
+ *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL;
} else if (strcmp(*argv, "use_2fa") == 0) {
- *flags |= FLAGS_USE_2FA;
+ *flags |= PAM_CLI_FLAGS_USE_2FA;
} else if (strcmp(*argv, "allow_missing_name") == 0) {
- *flags |= FLAGS_ALLOW_MISSING_NAME;
+ *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
} else if (strcmp(*argv, "prompt_always") == 0) {
- *flags |= FLAGS_PROMPT_ALWAYS;
+ *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
{
int ret;
- if ((flags & FLAGS_USE_FIRST_PASS)
+ if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|| ( pi->pamstack_authtok != NULL
&& *(pi->pamstack_authtok) != '\0'
- && !(flags & FLAGS_PROMPT_ALWAYS))) {
+ && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) {
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
pi->pam_authtok = strdup(pi->pamstack_authtok);
if (pi->pam_authtok == NULL) {
@@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
}
pi->pam_authtok_size = strlen(pi->pam_authtok);
} else {
- if (flags & FLAGS_USE_2FA
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
@@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
return ret;
}
- if (flags & FLAGS_FORWARD_PASS) {
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
} else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
@@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
/* we query for the old password during PAM_PRELIM_CHECK to make
* pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
- if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
- if (flags & FLAGS_USE_2FA
+ if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
@@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
}
}
- if (flags & FLAGS_USE_AUTHTOK) {
+ if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) {
pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
pi->pam_newauthtok = strdup(pi->pamstack_authtok);
if (pi->pam_newauthtok == NULL) {
@@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
return ret;
}
- if (flags & FLAGS_FORWARD_PASS) {
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
if (ret != PAM_SUCCESS) {
D(("Failed to set PAM_AUTHTOK [%s], "
@@ -2376,10 +2367,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
ret = get_pam_items(pamh, flags, &pi);
if (ret != PAM_SUCCESS) {
D(("get items returned error: %s", pam_strerror(pamh,ret)));
- if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
ret = PAM_IGNORE;
}
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
&& ret == PAM_AUTHINFO_UNAVAIL) {
ret = PAM_IGNORE;
}
@@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
case SSS_PAM_AUTHENTICATE:
/*
* Only do preauth if
- * - FLAGS_USE_FIRST_PASS is not set
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
* - preauth indicator file exists.
*/
- if ( !(flags & FLAGS_USE_FIRST_PASS)
+ if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
&& (pi.pam_authtok == NULL
- || (flags & FLAGS_PROMPT_ALWAYS))
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
@@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
* The means the preauth step has to be done here as well but
* only if
* - PAM_PRELIM_CHECK is set
- * - FLAGS_USE_FIRST_PASS is not set
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
* - preauth indicator file exists.
*/
if ( (pam_flags & PAM_PRELIM_CHECK)
- && !(flags & FLAGS_USE_FIRST_PASS)
+ && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
&& (pi.pam_authtok == NULL
- || (flags & FLAGS_PROMPT_ALWAYS))
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
@@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
- if (flags & FLAGS_IGNORE_UNKNOWN_USER
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER
&& pam_status == PAM_USER_UNKNOWN) {
pam_status = PAM_IGNORE;
}
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
&& pam_status == PAM_AUTHINFO_UNAVAIL) {
pam_status = PAM_IGNORE;
}
@@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
retry = true;
retries--;
- flags &= ~FLAGS_USE_FIRST_PASS;
+ flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS;
ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
if (ret != PAM_SUCCESS) {
D(("Failed to unset PAM_AUTHTOK [%s]",
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 24d28ed..3404715 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -365,6 +365,15 @@ enum pam_item_type {
SSS_PAM_ITEM_REQUESTED_DOMAINS,
};
+#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
+#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1)
+#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2)
+#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
+#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
+#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
+#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
+#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
+
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
struct sss_cli_req_data {
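Review bot: now that the PAM_CLI_FLAGS_* values are exported from sss_cli.h, a short comment above the block would help: they mirror the pam_sss.so module options (forward_pass, use_first_pass, use_authtok, ...) and, once the responder starts receiving them, the bit positions become part of the client/responder protocol and can no longer be renumbered freely.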
--
2.9.5


@ -1,100 +0,0 @@
From d3a18f06162b9585d2db936472b75fdbff37162d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 17 Sep 2018 17:54:26 +0200
Subject: [PATCH 62/83] pam_sss: add try_cert_auth option
With this new option pam_sss can be configured to only do Smartcard
authentication or return an error if this is not possible.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/pam_sss.8.xml | 23 +++++++++++++++++++++++
src/sss_client/pam_sss.c | 9 +++++++++
src/sss_client/sss_cli.h | 1 +
3 files changed, 33 insertions(+)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index d8e6a20..ca2e8e2 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -50,6 +50,9 @@
<arg choice='opt'>
<replaceable>prompt_always</replaceable>
</arg>
+ <arg choice='opt'>
+ <replaceable>try_cert_auth</replaceable>
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>try_cert_auth</option>
+ </term>
+ <listitem>
+ <para>
+ Try to use certificate based authentication, i.e.
+ authentication with a Smartcard or similar devices. If a
+ Smartcard is available and the service is allowed for
+ Smartcard authentication the use will be prompted for a
+ PIN and the certificate based authentication will
+ continue
+ </para>
+ <para>
+ If no Smartcard is available or certificate based
+ authentication is not allowed for the current service
+ PAM_AUTHINFO_UNAVAIL is returned.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
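Review bot: two documentation slips in the new try_cert_auth entry: "the use will be prompted for a PIN" should read "the user will be prompted for a PIN", and the first <para> ends without a full stop after "continue".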
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b336d1f..96ff15a 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
*flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
} else if (strcmp(*argv, "prompt_always") == 0) {
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
+ } else if (strcmp(*argv, "try_cert_auth") == 0) {
+ *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
}
}
+ if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH
+ && pi.cert_list == NULL) {
+ D(("No certificates for authentication available."));
+ overwrite_and_free_pam_items(&pi);
+ return PAM_AUTHINFO_UNAVAIL;
+ }
+
if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
ret = check_login_token_name(pamh, &pi, quiet_mode);
if (ret != PAM_SUCCESS) {
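Review bot: the `PAM_CLI_FLAGS_TRY_CERT_AUTH` check sits after the pre-auth `if` block, so whenever pre-auth is skipped (use_first_pass set, a password already on the stack without prompt_always, or no PAM_PREAUTH_INDICATOR file) `pi.cert_list` is still NULL and the module returns PAM_AUTHINFO_UNAVAIL without contacting the responder at all. Failing closed there is reasonable, but the man page entry should say so. Also consider writing `(flags & PAM_CLI_FLAGS_TRY_CERT_AUTH) && pi.cert_list == NULL` so the precedence is explicit.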
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 3404715..38e3f99 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -373,6 +373,7 @@ enum pam_item_type {
#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
+#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
--
2.9.5


@ -1,370 +0,0 @@
From 49be8974b490c368d349752f3196af0c9ed28dd5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 09:53:37 +0200
Subject: [PATCH 63/83] pam_sss: add option require_cert_auth
With this new option pam_sss will wait until a Smartcard is available
and then try to authenticate with the help of the Smartcard.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/pam_sss.8.xml | 25 ++++++++++++
src/responder/pam/pamsrv_cmd.c | 12 ++++++
src/responder/pam/pamsrv_p11.c | 5 ++-
src/sss_client/pam_message.c | 4 ++
src/sss_client/pam_message.h | 1 +
src/sss_client/pam_sss.c | 90 ++++++++++++++++++++++++++----------------
src/sss_client/sss_cli.h | 2 +
src/util/sss_pam_data.c | 1 +
src/util/sss_pam_data.h | 1 +
9 files changed, 106 insertions(+), 35 deletions(-)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index ca2e8e2..9998519 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -53,6 +53,9 @@
<arg choice='opt'>
<replaceable>try_cert_auth</replaceable>
</arg>
+ <arg choice='opt'>
+ <replaceable>require_cert_auth</replaceable>
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -223,6 +226,28 @@ auth sufficient pam_sss.so allow_missing_name
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>require_cert_auth</option>
+ </term>
+ <listitem>
+ <para>
+ Do certificate based authentication, i.e.
+ authentication with a Smartcard or similar devices. If a
+ Smartcard is not available the user will be prompted to
+ insert one. SSSD will wait for a Smartcard until the
+ timeout defined by p11_wait_for_card_timeout passed,
+ please see
+ <citerefentry><refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> for details.
+ </para>
+ <para>
+ If no Smartcard is available after the timeout or
+ certificate based authentication is not allowed for the
+ current service PAM_AUTHINFO_UNAVAIL is returned.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
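Review bot: grammar in the require_cert_auth entry: "until the timeout defined by p11_wait_for_card_timeout passed, please see" should read "until the timeout defined by p11_wait_for_card_timeout has passed; see". It would also be worth saying here that the wait inside p11_child only happens for privileged callers, since the pamsrv_p11.c hunk in this patch adds --wait_for_card only when `pd->priv == 1`.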
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c8df32d..6e37f83 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -317,6 +317,11 @@ static int pam_parse_in_data_v2(struct pam_data *pd,
size, body, blen, &c);
if (ret != EOK) return ret;
break;
+ case SSS_PAM_ITEM_FLAGS:
+ ret = extract_uint32_t(&pd->cli_flags, size,
+ body, blen, &c);
+ if (ret != EOK) return ret;
+ break;
default:
DEBUG(SSSDBG_CRIT_FAILURE,
"Ignoring unknown data type [%d].\n", type);
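Review bot: `SSS_PAM_ITEM_FLAGS` is filled in by the client library running in the calling process, so `pd->cli_flags` must be treated as untrusted input on the responder side. The later hunks do gate the expensive effect (`--wait_for_card`) on `pd->priv == 1`, which is the right call; a comment at this extraction point saying that cli_flags is client-controlled and may only drive fail-closed or privilege-checked decisions would keep future code from trusting it.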
@@ -1447,6 +1452,13 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
"No certificate found and no logon name given, " \
"authentication not possible.\n");
ret = ENOENT;
+ } else if (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "try_cert_auth flag set but no certificate available, "
+ "request finished.\n");
+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+ pam_reply(preq);
+ return;
} else {
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
DEBUG(SSSDBG_CRIT_FAILURE,
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index ffa6787..8b8859d 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -721,7 +721,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
struct timeval tv;
int pipefd_to_child[2] = PIPE_INIT;
int pipefd_from_child[2] = PIPE_INIT;
- const char *extra_args[13] = { NULL };
+ const char *extra_args[14] = { NULL };
uint8_t *write_buf = NULL;
size_t write_buf_len = 0;
size_t arg_c;
@@ -748,6 +748,9 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
/* extra_args are added in revers order */
arg_c = 0;
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
+ extra_args[arg_c++] = "--wait_for_card";
+ }
extra_args[arg_c++] = nss_db;
extra_args[arg_c++] = "--nssdb";
if (verify_opts != NULL) {
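Review bot: the `pd->priv == 1` guard is the security-relevant part of this hunk and deserves a comment: `--wait_for_card` makes p11_child block for up to the extended timeout, and restricting that to privileged PAM clients keeps an unprivileged local process from holding a p11_child and its PKCS#11 module busy on request. Separately, "revers order" in the existing comment should read "reverse order".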
diff --git a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c
index b239f6f..036ae2a 100644
--- a/src/sss_client/pam_message.c
+++ b/src/sss_client/pam_message.c
@@ -126,6 +126,7 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
len += 3*sizeof(uint32_t); /* cli_pid */
len += *pi->requested_domains != '\0' ?
2*sizeof(uint32_t) + pi->requested_domains_size : 0;
+ len += 3*sizeof(uint32_t); /* flags */
buf = malloc(len);
if (buf == NULL) {
@@ -164,6 +165,9 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
pi->pam_newauthtok, pi->pam_newauthtok_size,
&buf[rp]);
+ rp += add_uint32_t_item(SSS_PAM_ITEM_FLAGS, (uint32_t) pi->flags,
+ &buf[rp]);
+
SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
if (rp != len) {
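Review bot: the new `SSS_PAM_ITEM_FLAGS` item is appended to the v3 message without a version bump, so an older responder will only log "Ignoring unknown data type" for it (the `default:` branch shown in the pamsrv_cmd.c hunk) and try_cert_auth/require_cert_auth silently have no effect against such a responder. That mix is acceptable, but it should be stated in a comment next to the `len += 3*sizeof(uint32_t); /* flags */` line and in the commit message.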
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
index 11526a8..50fedcd 100644
--- a/src/sss_client/pam_message.h
+++ b/src/sss_client/pam_message.h
@@ -51,6 +51,7 @@ struct pam_items {
enum sss_authtok_type pam_newauthtok_type;
size_t pam_newauthtok_size;
pid_t cli_pid;
+ uint32_t flags;
const char *login_name;
char *domain_name;
const char *requested_domains;
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 96ff15a..b4c1036 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -134,6 +134,7 @@ static void free_cai(struct cert_auth_info *cai)
free(cai->cert_user);
free(cai->cert);
free(cai->token_name);
+ free(cai->module_name);
free(cai->key_id);
free(cai->prompt_str);
free(cai);
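Review bot: `free(cai->module_name)` fixes a leak in free_cai() that has nothing to do with require_cert_auth; it would be easier to track and backport as its own commit, or at least should be mentioned in the commit message.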
@@ -1247,6 +1248,8 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
pi->cert_list = NULL;
pi->selected_cert = NULL;
+ pi->flags = flags;
+
return PAM_SUCCESS;
}
@@ -1267,6 +1270,7 @@ static void print_pam_items(struct pam_items *pi)
D(("Newauthtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_newauthtok)));
D(("Cli_PID: %d", pi->cli_pid));
D(("Requested domains: %s", pi->requested_domains));
+ D(("Flags: %d", pi->flags));
}
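Review bot: `pi->flags` is a `uint32_t`, so `%d` in `D(("Flags: %d", pi->flags))` has the wrong signedness; use `%u` (or `PRIu32`), and printing the value in hex would make the individual PAM_CLI_FLAGS_* bits readable in the log.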
static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
@@ -1999,6 +2003,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
} else if (strcmp(*argv, "try_cert_auth") == 0) {
*flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
+ } else if (strcmp(*argv, "require_cert_auth") == 0) {
+ *flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -2274,55 +2280,51 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
return PAM_SUCCESS;
}
-#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter"
+#define SC_ENTER_LABEL_FMT "Please enter smart card labeled\n %s"
+#define SC_ENTER_FMT "Please enter smart card"
static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
- bool quiet_mode)
+ int retries, bool quiet_mode)
{
int ret;
int pam_status;
char *login_token_name;
char *prompt = NULL;
- size_t size;
- char *answer = NULL;
- /* TODO: check multiple cert case */
- struct cert_auth_info *cai = pi->cert_list;
+ uint32_t orig_flags = pi->flags;
- if (cai == NULL) {
- D(("No certificate information available"));
- return EINVAL;
+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
+ if (login_token_name == NULL
+ && !(pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
+ return PAM_SUCCESS;
}
- login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
if (login_token_name == NULL) {
- return PAM_SUCCESS;
+ ret = asprintf(&prompt, SC_ENTER_FMT);
+ } else {
+ ret = asprintf(&prompt, SC_ENTER_LABEL_FMT, login_token_name);
+ }
+ if (ret == -1) {
+ return ENOMEM;
}
- while (cai->token_name == NULL
- || strcmp(login_token_name, cai->token_name) != 0) {
- size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
- prompt = malloc(size);
- if (prompt == NULL) {
- D(("malloc failed."));
- return ENOMEM;
- }
+ pi->flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
- ret = snprintf(prompt, size, SC_ENTER_FMT,
- login_token_name);
- if (ret < 0 || ret >= size) {
- D(("snprintf failed."));
- free(prompt);
- return EFAULT;
+ /* TODO: check multiple cert case */
+ while (pi->cert_list == NULL || pi->cert_list->token_name == NULL
+ || (login_token_name != NULL
+ && strcmp(login_token_name,
+ pi->cert_list->token_name) != 0)) {
+
+ if (retries < 0) {
+ ret = PAM_AUTHINFO_UNAVAIL;
+ goto done;
}
+ retries--;
- ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
- NULL, &answer);
- free(prompt);
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL);
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
- return ret;
- } else {
- free(answer);
+ goto done;
}
pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
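Review bot: check_login_token_name() mixes errno and PAM status codes: the `asprintf` failure path still does `return ENOMEM` while every other exit now produces a PAM_* value, and pam_sss() passes the result straight back to the PAM stack. Suggest `ret = PAM_BUF_ERR; goto done;` (which also keeps the `pi->flags = orig_flags` restore on that path); the old code had the same issue with EINVAL/ENOMEM, so this rewrite is the moment to fix it. Also note the loop tests `retries < 0` before decrementing, so retry=N yields N+1 prompts; if that is the intended "initial try plus N retries" semantics, a one-line comment would save the next reader the arithmetic.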
@@ -2335,7 +2337,14 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
}
}
- return PAM_SUCCESS;
+ ret = PAM_SUCCESS;
+
+done:
+
+ pi->flags = orig_flags;
+ free(prompt);
+
+ return ret;
}
static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
@@ -2394,8 +2403,19 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
&& (pi.pam_authtok == NULL
|| (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
+
+ if (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) {
+ /* Do not use PAM_CLI_FLAGS_REQUIRE_CERT_AUTH in the first
+ * SSS_PAM_PREAUTH run. In case a card is already inserted
+ * we do not have to prompt to insert a card. */
+ pi.flags &= ~PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
+ pi.flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
+ }
+
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
+
+ pi.flags = flags;
if (pam_status != PAM_SUCCESS) {
D(("send_and_receive returned [%d] during pre-auth",
pam_status));
@@ -2414,8 +2434,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
return PAM_AUTHINFO_UNAVAIL;
}
- if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
- ret = check_login_token_name(pamh, &pi, quiet_mode);
+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0
+ || (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
+ ret = check_login_token_name(pamh, &pi, retries,
+ quiet_mode);
if (ret != PAM_SUCCESS) {
D(("check_login_token_name failed.\n"));
return ret;
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 38e3f99..af8a439 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -363,6 +363,7 @@ enum pam_item_type {
SSS_PAM_ITEM_CLI_LOCALE,
SSS_PAM_ITEM_CLI_PID,
SSS_PAM_ITEM_REQUESTED_DOMAINS,
+ SSS_PAM_ITEM_FLAGS,
};
#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
@@ -374,6 +375,7 @@ enum pam_item_type {
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
+#define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
diff --git a/src/util/sss_pam_data.c b/src/util/sss_pam_data.c
index 5e41349..cb8779c 100644
--- a/src/util/sss_pam_data.c
+++ b/src/util/sss_pam_data.c
@@ -176,6 +176,7 @@ void pam_print_data(int l, struct pam_data *pd)
DEBUG(l, "priv: %d\n", pd->priv);
DEBUG(l, "cli_pid: %d\n", pd->cli_pid);
DEBUG(l, "logon name: %s\n", PAM_SAFE_ITEM(pd->logon_name));
+ DEBUG(l, "flags: %d\n", pd->cli_flags);
}
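Review bot: same signedness issue as in print_pam_items(): `pd->cli_flags` is a `uint32_t`, so `DEBUG(l, "flags: %d\n", pd->cli_flags)` should use `%u` or `PRIu32`.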
int pam_add_response(struct pam_data *pd, enum response_type type,
diff --git a/src/util/sss_pam_data.h b/src/util/sss_pam_data.h
index 7d74fa6..c989810 100644
--- a/src/util/sss_pam_data.h
+++ b/src/util/sss_pam_data.h
@@ -58,6 +58,7 @@ struct pam_data {
struct sss_auth_token *newauthtok;
uint32_t cli_pid;
char *logon_name;
+ uint32_t cli_flags;
int pam_status;
int response_delay;
--
2.9.5


@ -1,309 +0,0 @@
From 5cdb6968f407c7bcaba69f4892f51fd6426dddb2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 26 Sep 2018 11:48:37 +0200
Subject: [PATCH 64/83] intg: require SC tests
Integration tests for the new try_cert_auth and require_cert_auth options
for pam_sss.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/Makefile.am | 16 ++-
src/tests/intg/test_pam_responder.py | 188 +++++++++++++++++++++++++++++++----
2 files changed, 182 insertions(+), 22 deletions(-)
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index bb3a7f0..44fb635 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -113,6 +113,20 @@ pam_sss_service:
echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+pam_sss_sc_required:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so require_cert_auth retry=1" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
+pam_sss_try_sc:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so try_cert_auth" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
CLEANFILES=config.py config.pyc passwd group
clean-local:
@@ -127,7 +141,7 @@ PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
endif
-intgcheck-installed: config.py passwd group pam_sss_service
+intgcheck-installed: config.py passwd group pam_sss_service pam_sss_sc_required pam_sss_try_sc
pipepath="$(DESTDIR)$(pipepath)"; \
if test $${#pipepath} -gt 80; then \
echo "error: Pipe directory path too long," \
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index c6d048c..06f69a3 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -41,6 +41,11 @@ USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
dir='/home/user1',
shell='/bin/bash')
+USER2 = dict(name='user2', passwd='x', uid=10002, gid=20002,
+ gecos='User with no Smartcard mapping',
+ dir='/home/user2',
+ shell='/bin/bash')
+
def format_pam_cert_auth_conf(config):
"""Format a basic SSSD configuration"""
@@ -55,8 +60,11 @@ def format_pam_cert_auth_conf(config):
[pam]
pam_cert_auth = True
- pam_p11_allowed_services = +pam_sss_service
+ pam_p11_allowed_services = +pam_sss_service, +pam_sss_sc_required, \
+ +pam_sss_try_sc
pam_cert_db_path = {config.PAM_CERT_DB_PATH}
+ p11_child_timeout = 5
+ p11_wait_for_card_timeout = 5
debug_level = 10
[domain/auth_only]
@@ -149,6 +157,15 @@ def create_nssdb():
pkcs11_txt.close()
+def create_nssdb_no_cert():
+ os.mkdir(config.SYSCONFDIR + "/pki")
+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb")
+ if subprocess.call(["certutil", "-N", "-d",
+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/",
+ "--empty-password"]) != 0:
+ raise Exception("certutil failed")
+
+
def cleanup_nssdb():
shutil.rmtree(config.SYSCONFDIR + "/pki")
@@ -158,14 +175,42 @@ def create_nssdb_fixture(request):
request.addfinalizer(cleanup_nssdb)
+def create_nssdb_no_cert_fixture(request):
+ create_nssdb_no_cert()
+ request.addfinalizer(cleanup_nssdb)
+
+
@pytest.fixture
-def simple_pam_cert_auth(request):
+def simple_pam_cert_auth(request, passwd_ops_setup):
"""Setup SSSD with pam_cert_auth=True"""
config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
conf = format_pam_cert_auth_conf(config)
create_conf_fixture(request, conf)
create_sssd_fixture(request)
create_nssdb_fixture(request)
+ passwd_ops_setup.useradd(**USER1)
+ passwd_ops_setup.useradd(**USER2)
+ return None
+
+
+@pytest.fixture
+def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
+ """Setup SSSD with pam_cert_auth=True"""
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
+ del os.environ['SOFTHSM2_CONF']
+
+ conf = format_pam_cert_auth_conf(config)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ create_nssdb_no_cert_fixture(request)
+
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
+
+ passwd_ops_setup.useradd(**USER1)
+ passwd_ops_setup.useradd(**USER2)
+
return None
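Review bot: in simple_pam_cert_auth_no_cert, SOFTHSM2_CONF is deleted from os.environ and only restored after create_nssdb_no_cert_fixture returns; if any of the three setup calls in between raises, the variable stays unset for every later test in the process. Restore it from a `request.addfinalizer` callback (or a try/finally). The docstring is also copied from simple_pam_cert_auth and should say that this fixture runs without a SoftHSM token.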
@@ -176,26 +221,26 @@ def test_preauth_indicator(simple_pam_cert_auth):
@pytest.fixture
-def pam_wrapper_setup(request):
+def env_for_sssctl(request):
pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
if pwrap_runtimedir is None:
raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
+ env_for_sssctl = os.environ.copy()
+ env_for_sssctl['PAM_WRAPPER'] = "1"
+ env_for_sssctl['SSSD_INTG_PEER_UID'] = "0"
+ env_for_sssctl['SSSD_INTG_PEER_GID'] = "0"
+ env_for_sssctl['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
-def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
- passwd_ops_setup):
+ return env_for_sssctl
- passwd_ops_setup.useradd(**USER1)
- current_env = os.environ.copy()
- current_env['PAM_WRAPPER'] = "1"
- current_env['SSSD_INTG_PEER_UID'] = "0"
- current_env['SSSD_INTG_PEER_GID'] = "0"
- current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+def test_sc_auth_wrong_pin(simple_pam_cert_auth, env_for_sssctl):
sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
"--action=auth", "--service=pam_sss_service"],
universal_newlines=True,
- env=current_env, stdin=subprocess.PIPE,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
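Review bot: in env_for_sssctl, pwrap_runtimedir is checked for None and then discarded, and `env_for_sssctl['LD_PRELOAD'] += ...` raises a bare KeyError instead of a useful message when LD_PRELOAD is not set. Keep the check but drop the unused variable, and build LD_PRELOAD from `os.environ.get('LD_PRELOAD', '')`, adding the ':' separator only when the existing value is non-empty.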
@@ -214,19 +259,120 @@ def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
"Authentication failure") != -1
-def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):
-
- passwd_ops_setup.useradd(**USER1)
- current_env = os.environ.copy()
- current_env['PAM_WRAPPER'] = "1"
- current_env['SSSD_INTG_PEER_UID'] = "0"
- current_env['SSSD_INTG_PEER_GID'] = "0"
- current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
"--action=auth", "--service=pam_sss_service"],
universal_newlines=True,
- env=current_env, stdin=subprocess.PIPE,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
+def test_require_sc_auth(simple_pam_cert_auth, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_sc_required"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
+def test_require_sc_auth_no_cert(simple_pam_cert_auth_no_cert, env_for_sssctl):
+
+ # We have to wait about 20s before the command returns because there will
+ # be 2 run since retry=1 in the PAM configuration and both
+ # p11_child_timeout and p11_wait_for_card_timeout are 5s in sssd.conf,
+ # so 2*(5+5)=20. */
+ start_time = time.time()
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_sc_required"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ end_time = time.time()
+ assert end_time > start_time and \
+ (end_time - start_time) >= 20 and \
+ (end_time - start_time) < 40
+ assert out.find("Please enter smart card\nPlease enter smart card") != -1
+ assert err.find("pam_authenticate for user [user1]: Authentication " +
+ "service cannot retrieve authentication info") != -1
+
+
+def test_try_sc_auth_no_map(simple_pam_cert_auth, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user2",
+ "--action=auth",
+ "--service=pam_sss_try_sc"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user2]: Authentication " +
+ "service cannot retrieve authentication info") != -1
+
+
+def test_try_sc_auth(simple_pam_cert_auth, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_try_sc"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
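Review bot: the five tests in this hunk repeat the same Popen/communicate/close/wait block verbatim, including a bare `except:` that also swallows KeyboardInterrupt; a helper such as run_sssctl(user, service, env) returning (out, err) and using `except Exception:` would shrink the hunk and keep the stdin/stdout handling in one place. The wall-clock assertion in test_require_sc_auth_no_cert (20 <= elapsed < 40) hard-codes the two 5s timeouts from the fixture configuration and the retry count from the PAM service file; computing the bound from those values makes the dependency explicit, and `end_time > start_time` is implied by the `>= 20` check and can go.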
--
2.9.5

From 46fd681a73ffef062cd027e7018e1a02d7a0a9df Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 8 Oct 2018 10:45:28 +0200
Subject: [PATCH 65/83] p11_child: show PKCS#11 URI in debug output
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/p11_child/p11_child_nss.c | 240 ++++++++++++++++++++++++++++++++++++++
src/p11_child/p11_child_openssl.c | 80 +++++++++++++
2 files changed, 320 insertions(+)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index b2777d1..fff1f25 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -39,6 +39,7 @@
#include <pk11pub.h>
#include <prerror.h>
#include <ocsp.h>
+#include <pkcs11uri.h>
#include "util/child_common.h"
#include "providers/backend.h"
@@ -63,6 +64,239 @@ struct p11_ctx {
| certificateUsageStatusResponder \
| certificateUsageSSLCA )
+
+static char *get_pkcs11_string(TALLOC_CTX *mem_ctx, const char *in, size_t len)
+{
+ size_t c = len;
+
+ if (in == NULL || len == 0) {
+ return NULL;
+ }
+
+ while(c > 0 && in[c - 1] == ' ') {
+ c--;
+ }
+
+ return talloc_strndup(mem_ctx, in, c);
+}
+
+static char *pct_encode(TALLOC_CTX *mem_ctx, SECItem *data)
+{
+ char *pct;
+ size_t c;
+ int ret;
+
+ pct = talloc_zero_size(mem_ctx, sizeof(char) * (3*data->len + 1));
+ if (pct == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
+ return NULL;
+ }
+
+ for (c = 0; c < data->len; c++) {
+ ret = snprintf(pct + 3*c, 4, "%%%02X", data->data[c]);
+ if (ret != 3) {
+ DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n");
+ talloc_free(pct);
+ return NULL;
+ }
+ }
+
+ return pct;
+}
+
+static char *get_key_id_pct(TALLOC_CTX *mem_ctx, PK11SlotInfo *slot,
+ CERTCertificate *cert)
+{
+ SECItem *key_id = NULL;
+ char *key_id_str = NULL;
+
+ key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL);
+ if (key_id == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
+ return NULL;
+ }
+
+ key_id_str = pct_encode(mem_ctx, key_id);
+ SECITEM_FreeItem(key_id, PR_TRUE);
+ if (key_id_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "pct_encode failed.\n");
+ return NULL;
+ }
+
+ return key_id_str;
+}
+
+static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, SECMODModule *mod,
+ PK11SlotInfo *slot,
+ const char *label, CERTCertificate *cert)
+{
+ CK_INFO module_info;
+ CK_SLOT_INFO slot_info;
+ CK_TOKEN_INFO token_info;
+ char *values[13];
+ PK11URIAttribute attrs[13];
+ size_t nattrs = 0;
+ SECStatus rv;
+ char *tmp_str;
+ char *uri_str;
+ PK11URI *uri;
+ CK_SLOT_ID slot_id;
+ char *id_pct;
+
+ rv = PK11_GetModInfo(mod, &module_info);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetModInfo failed.\n");
+ return NULL;
+ }
+
+ rv = PK11_GetSlotInfo(slot, &slot_info);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetSlotInfo failed.\n");
+ return NULL;
+ }
+
+ rv = PK11_GetTokenInfo(slot, &token_info);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetTokenInfo failed.\n");
+ return NULL;
+ }
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)module_info.libraryDescription,
+ sizeof(module_info.libraryDescription));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_DESCRIPTION;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)module_info.manufacturerID,
+ sizeof(module_info.manufacturerID));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_MANUFACTURER;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = talloc_asprintf(mem_ctx, "%d.%d",
+ module_info.libraryVersion.major,
+ module_info.libraryVersion.minor);
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_VERSION;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)slot_info.slotDescription,
+ sizeof(slot_info.slotDescription));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_DESCRIPTION;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)slot_info.manufacturerID,
+ sizeof(slot_info.manufacturerID));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_MANUFACTURER;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ slot_id = PK11_GetSlotID(slot);
+ values[nattrs] = talloc_asprintf(mem_ctx, "%d", (int) slot_id);
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_ID;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx, (char *)token_info.model,
+ sizeof(token_info.model));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_MODEL;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)token_info.manufacturerID,
+ sizeof(token_info.manufacturerID));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_MANUFACTURER;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)token_info.serialNumber,
+ sizeof(token_info.serialNumber));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SERIAL;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx, (char *)token_info.label,
+ sizeof(token_info.label));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_TOKEN;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ if (label != NULL && *label != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_OBJECT;
+ attrs[nattrs].value = label;
+ nattrs++;
+ }
+
+ attrs[nattrs].name = PK11URI_PATTR_TYPE;
+ attrs[nattrs].value = "cert";
+ nattrs++;
+
+ uri = PK11URI_CreateURI(attrs, nattrs, NULL, 0);
+ if (uri == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11URI_CreateURI failed.\n");
+ return NULL;
+ }
+
+ tmp_str = PK11URI_FormatURI(NULL, uri);
+ PK11URI_DestroyURI(uri);
+ if (tmp_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11URI_FormatURI failed.\n");
+ return NULL;
+ }
+
+ /* Currently I have no idea how to get the ID properly formatted with the
+ * NSS PK11 calls. Since all attribute values are treated as strings zeros
+ * in the IDs cannot be handled. And the IDs cannot be set percent-encoded
+ * since all attribute values will be escaped which means the '%' sign
+ * will be escaped to '%25'. Hence for the time being the ID is added
+ * manually to the end of the URI. */
+ id_pct = get_key_id_pct(mem_ctx, slot, cert);
+ if (id_pct == NULL || *id_pct == '\0') {
+ DEBUG(SSSDBG_OP_FAILURE, "get_key_id_pct failed.\n");
+ PORT_Free(tmp_str);
+ return NULL;
+ }
+
+ uri_str = talloc_asprintf(mem_ctx, "%s;%s=%s", tmp_str,
+ PK11URI_PATTR_ID, id_pct);
+ talloc_free(id_pct);
+ if (uri_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ return NULL;
+ }
+
+ return uri_str;
+
+}
+
static char *password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg)
{
/* give up if 1) no password was supplied, or 2) the password has already
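Review bot: get_pkcs11_uri leaks the string returned by PK11URI_FormatURI on the success path: tmp_str is released with PORT_Free only when get_key_id_pct fails, not after the talloc_asprintf that builds uri_str. Add `PORT_Free(tmp_str);` right after that asprintf, before the NULL check. The per-attribute values[] strings are likewise allocated on the caller's mem_ctx and never released when an attribute is empty or when the function bails out; a local talloc context freed on return, with only uri_str stolen to mem_ctx, bounds their lifetime. Minor: `(int) slot_id` truncates CK_SLOT_ID, which is an unsigned long; use `"%lu"` with `(unsigned long) slot_id`.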
@@ -465,6 +699,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
cert_list_node->cert->nickname,
cert_list_node->cert->subjectName);
+ DEBUG(SSSDBG_TRACE_ALL, "module uri: %s.\n", PK11_GetModuleURI(module));
+ DEBUG(SSSDBG_TRACE_ALL, "token uri: %s.\n", PK11_GetTokenURI(slot));
+
if (p11_ctx->handle != NULL) {
if (!do_verification(p11_ctx, cert_list_node->cert)) {
DEBUG(SSSDBG_OP_FAILURE,
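Review bot: PK11_GetModuleURI and PK11_GetTokenURI return newly allocated strings that the caller must release with PORT_Free, so these two DEBUG calls leak once per certificate in the list, and a NULL return from either is passed straight to "%s". Store the results, log them only when non-NULL, and free them afterwards.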
@@ -651,6 +888,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
DEBUG(SSSDBG_TRACE_ALL, "Found certificate has key id [%s].\n",
key_id_str);
+ DEBUG(SSSDBG_TRACE_ALL, "uri: %s.\n", get_pkcs11_uri(mem_ctx, module,
+ slot, label,
+ found_cert));
multi = talloc_asprintf_append(multi, "%s\n%s\n%s\n%s\n%s\n",
token_name, module_name, key_id_str,
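Review bot: get_pkcs11_uri returns NULL on every failure path, and the result is handed directly to the "%s" in this DEBUG; capture it in a variable and check it before logging. The string is also allocated on mem_ctx and then dropped, so if it is only wanted for debugging, build it on a temporary context or talloc_free it after the DEBUG.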
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index d4572d9..09edeef 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -29,6 +29,7 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include <p11-kit/p11-kit.h>
+#include <p11-kit/uri.h>
#include <popt.h>
@@ -43,6 +44,72 @@ struct p11_ctx {
bool wait_for_card;
};
+
+static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
+ CK_SLOT_INFO *slot_info, CK_SLOT_ID slot_id,
+ CK_TOKEN_INFO *token_info, CK_ATTRIBUTE *label,
+ CK_ATTRIBUTE *id)
+{
+ P11KitUri *uri;
+ char *uri_str = NULL;
+ char *tmp_str = NULL;
+ int ret;
+ CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
+ CK_ATTRIBUTE class_attr = {CKA_CLASS, &cert_class, sizeof(CK_OBJECT_CLASS)};
+
+ uri = p11_kit_uri_new();
+ if (uri == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_new failed.\n");
+ return NULL;
+ }
+
+ ret = p11_kit_uri_set_attribute(uri, label);
+ if (ret != P11_KIT_URI_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
+ goto done;
+ }
+
+ ret = p11_kit_uri_set_attribute(uri, id);
+ if (ret != P11_KIT_URI_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
+ goto done;
+ }
+
+ ret = p11_kit_uri_set_attribute(uri, &class_attr);
+ if (ret != P11_KIT_URI_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
+ goto done;
+ }
+
+
+ memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO));
+
+ memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
+ ret = p11_kit_uri_set_slot_id(uri, slot_id);
+
+ memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO));
+
+ ret = p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &tmp_str);
+ if (ret != P11_KIT_URI_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_format failed [%s].\n",
+ p11_kit_uri_message(ret));
+ goto done;
+ }
+
+ if (tmp_str != NULL) {
+ uri_str = talloc_strdup(mem_ctx, tmp_str);
+ free(tmp_str);
+ if (uri_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ }
+ }
+
+done:
+ p11_kit_uri_free(uri);
+
+ return uri_str;
+}
+
static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
{
CRYPTO_cleanup_all_ex_data();
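Review bot: `ret = p11_kit_uri_set_slot_id(uri, slot_id);` assigns the result of a function that returns void and will not compile; the next patch in this series removes the assignment, so squash that fix into this commit so every intermediate state builds. The function also requires label and id to be non-NULL attributes, which the only caller guarantees by indexing item->attributes[1] and [0]; stating that contract in a comment at the prototype would help the next reader.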
@@ -234,6 +301,7 @@ struct cert_list {
X509 *cert;
char *subject_dn;
char *cert_b64;
+ char *uri;
CK_KEY_TYPE key_type;
CK_OBJECT_HANDLE private_key;
};
@@ -608,6 +676,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
CK_SLOT_ID slot_id;
CK_SLOT_INFO info;
CK_TOKEN_INFO token_info;
+ CK_INFO module_info;
CK_RV rv;
size_t module_id;
char *module_file_name = NULL;
@@ -821,6 +890,17 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
}
}
+ memset(&module_info, 0, sizeof(CK_INFO));
+ module->C_GetInfo(&module_info);
+
+ DLIST_FOR_EACH(item, cert_list) {
+ item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id,
+ &token_info,
+ &item->attributes[1] /* label */,
+ &item->attributes[0] /* id */);
+ DEBUG(SSSDBG_TRACE_ALL, "uri: %s.\n", item->uri);
+ }
+
/* TODO: check module_name_in, token_name_in, key_id_in */
if (cert_list == NULL) {
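Review bot: the return value of `module->C_GetInfo(&module_info)` is ignored here, so a failing module leaves module_info zeroed and the URI is silently built from empty library fields; the later patch in this series adds the CKR_OK check, so move it into this commit. get_pkcs11_uri can also return NULL, which then reaches the "%s" in the DEBUG on item->uri; guard it.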
--
2.9.5

From f7b2152a4c3c816a5bc4226a0e01791313accef3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 8 Oct 2018 12:47:25 +0200
Subject: [PATCH 66/83] p11_child: add PKCS#11 uri to restrict selection
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/p11_child/p11_child.h | 2 +-
src/p11_child/p11_child_common.c | 9 +++--
src/p11_child/p11_child_nss.c | 2 +-
src/p11_child/p11_child_openssl.c | 81 +++++++++++++++++++++++++++++++++++++--
4 files changed, 86 insertions(+), 8 deletions(-)
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
index dd8fdea..92ecf74 100644
--- a/src/p11_child/p11_child.h
+++ b/src/p11_child/p11_child.h
@@ -54,5 +54,5 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64);
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
enum op_mode mode, const char *pin,
const char *module_name_in, const char *token_name_in,
- const char *key_id_in, char **_multi);
+ const char *key_id_in, const char *uri, char **_multi);
#endif /* __P11_CHILD_H__ */
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
index bc5f6b0..097e7fa 100644
--- a/src/p11_child/p11_child_common.c
+++ b/src/p11_child/p11_child_common.c
@@ -60,7 +60,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
bool wait_for_card,
const char *cert_b64, const char *pin,
const char *module_name, const char *token_name,
- const char *key_id, char **multi)
+ const char *key_id, const char *uri, char **multi)
{
int ret;
struct p11_ctx *p11_ctx;
@@ -90,7 +90,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
}
} else {
ret = do_card(mem_ctx, p11_ctx, mode, pin,
- module_name, token_name, key_id, multi);
+ module_name, token_name, key_id, uri, multi);
}
done:
@@ -159,6 +159,7 @@ int main(int argc, const char *argv[])
char *key_id = NULL;
char *cert_b64 = NULL;
bool wait_for_card = false;
+ char *uri = NULL;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -194,6 +195,8 @@ int main(int argc, const char *argv[])
_("Key ID for authentication"), NULL},
{"certificate", 0, POPT_ARG_STRING, &cert_b64, 0,
_("certificate to verify, base64 encoded"), NULL},
+ {"uri", 0, POPT_ARG_STRING, &uri, 0,
+ _("PKCS#11 URI to restrict selection"), NULL},
POPT_TABLEEND
};
@@ -367,7 +370,7 @@ int main(int argc, const char *argv[])
}
ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card,
- cert_b64, pin, module_name, token_name, key_id, &multi);
+ cert_b64, pin, module_name, token_name, key_id, uri, &multi);
if (ret != 0) {
DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
goto fail;
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index fff1f25..f9cbf3f 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -480,7 +480,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64)
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
enum op_mode mode, const char *pin,
const char *module_name_in, const char *token_name_in,
- const char *key_id_in, char **_multi)
+ const char *key_id_in, const char *uri, char **_multi)
{
int ret;
SECStatus rv;
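Review bot: the NSS variant of do_card gains the `uri` parameter but never reads it, so with the NSS backend a configured p11_uri is accepted and has no effect on which reader or token is selected. Either implement the matching for NSS too, or at least log at SSSDBG_CRIT_FAILURE (or fail with EINVAL) when uri != NULL, so an administrator is not left believing a restriction is in force that is not.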
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 09edeef..000e1c9 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -85,7 +85,7 @@ static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO));
memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
- ret = p11_kit_uri_set_slot_id(uri, slot_id);
+ p11_kit_uri_set_slot_id(uri, slot_id);
memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO));
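Review bot: dropping `ret =` here repairs the compile error introduced by the preceding commit in this series (p11_kit_uri_set_slot_id returns void); it belongs in that commit, so squash it rather than leaving a non-building intermediate state.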
@@ -662,7 +662,7 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
enum op_mode mode, const char *pin,
const char *module_name_in, const char *token_name_in,
- const char *key_id_in, char **_multi)
+ const char *key_id_in, const char *uri_str, char **_multi)
{
int ret;
size_t c;
@@ -674,6 +674,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
CK_ULONG num_slots;
CK_SLOT_ID slots[MAX_SLOTS];
CK_SLOT_ID slot_id;
+ CK_SLOT_ID uri_slot_id;
CK_SLOT_INFO info;
CK_TOKEN_INFO token_info;
CK_INFO module_info;
@@ -690,6 +691,19 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
char *multi = NULL;
bool pkcs11_session = false;
bool pkcs11_login = false;
+ P11KitUri *uri = NULL;
+
+ if (uri_str != NULL) {
+ uri = p11_kit_uri_new();
+ ret = p11_kit_uri_parse(uri_str, P11_KIT_URI_FOR_ANY, uri);
+ if (ret != P11_KIT_URI_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_parse failed [%d][%s].\n",
+ ret, p11_kit_uri_message(ret));
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
/* Maybe use P11_KIT_MODULE_TRUSTED ? */
modules = p11_kit_modules_load_and_initialize(0);
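Review bot: `uri = p11_kit_uri_new();` is not checked for NULL before p11_kit_uri_parse dereferences it, although get_pkcs11_uri in the same file does perform that check. Add `if (uri == NULL) { ret = ENOMEM; goto done; }` before the parse.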
@@ -709,6 +723,23 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
free(mod_name);
free(mod_file_name);
+ if (uri != NULL) {
+ memset(&module_info, 0, sizeof(CK_INFO));
+ rv = modules[c]->C_GetInfo(&module_info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ /* Skip modules which do not match the PKCS#11 URI */
+ if (p11_kit_uri_match_module_info(uri, &module_info) != 1) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Not matching URI [%s], skipping.\n", uri_str);
+ continue;
+ }
+ }
+
num_slots = MAX_SLOTS;
rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots);
if (rv != CKR_OK) {
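Review bot: when a URI is given and C_GetInfo fails for one module, do_card aborts with EIO instead of skipping that module as it does on a URI mismatch a few lines later, so a single misbehaving PKCS#11 module blocks authentication through all the others even though it could never match the URI. Logging the failure and `continue`-ing is more consistent with the skip-on-mismatch behaviour in the same block.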
@@ -730,6 +761,37 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
info.slotDescription, info.manufacturerID, info.flags,
(info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
(info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+
+ /* Skip slots which do not match the PKCS#11 URI */
+ if (uri != NULL) {
+ uri_slot_id = p11_kit_uri_get_slot_id(uri);
+ if ((uri_slot_id != (CK_SLOT_ID)-1
+ && uri_slot_id != slots[s])
+ || p11_kit_uri_match_slot_info(uri, &info) != 1) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Not matching URI [%s], skipping.\n", uri_str);
+ continue;
+ }
+ }
+
+ if ((info.flags & CKF_TOKEN_PRESENT) && uri != NULL) {
+ rv = modules[c]->C_GetTokenInfo(slots[s], &token_info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n");
+ ret = EIO;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Token label [%s].\n",
+ token_info.label);
+
+ if (p11_kit_uri_match_token_info(uri, &token_info) != 1) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "No matching uri [%s], skipping.\n", uri_str);
+ continue;
+ }
+
+ }
+
if ((info.flags & CKF_REMOVABLE_DEVICE)) {
break;
}
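Review bot: `DEBUG(SSSDBG_TRACE_ALL, "Token label [%s].\n", token_info.label)` prints CK_TOKEN_INFO.label with "%s", but that field is a fixed 32-byte, space-padded array with no NUL terminator, so the format reads past it into the following fields. Use p11_kit_space_strdup(token_info.label, sizeof(token_info.label)) as this function already does for info.slotDescription further down, or limit the width with "%.32s". The token-match check inside the loop is also repeated after the loop (the ENOENT check in the next hunk), so one of the two can go.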
@@ -788,6 +850,13 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
goto done;
}
+ if (uri != NULL && p11_kit_uri_match_token_info(uri, &token_info) != 1) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "No token matching uri [%s] found.",
+ uri_str);
+ ret = ENOENT;
+ goto done;
+ }
+
module_id = c;
slot_name = p11_kit_space_strdup(info.slotDescription,
sizeof(info.slotDescription));
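Review bot: the message `"No token matching uri [%s] found."` is missing the trailing "\n" that every other DEBUG string in this file carries, so it runs into the next log line.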
@@ -891,7 +960,12 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
}
memset(&module_info, 0, sizeof(CK_INFO));
- module->C_GetInfo(&module_info);
+ rv = module->C_GetInfo(&module_info);
+ if (rv != CKR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n");
+ ret = EIO;
+ goto done;
+ }
DLIST_FOR_EACH(item, cert_list) {
item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id,
@@ -970,6 +1044,7 @@ done:
free(token_name);
free(module_file_name);
p11_kit_modules_finalize_and_release(modules);
+ p11_kit_uri_free(uri);
return ret;
}
--
2.9.5

From 725b65081d19da658b16338686c53dcf16d49de0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 10:47:04 +0200
Subject: [PATCH 67/83] PAM: add p11_uri option
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 33 +++++++++++++++++++++++++++++++++
src/responder/pam/pamsrv.h | 1 +
src/responder/pam/pamsrv_cmd.c | 12 +++++++++++-
src/responder/pam/pamsrv_p11.c | 9 ++++++++-
8 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 87904c2..741d4bc 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -133,6 +133,7 @@
#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
+#define CONFDB_PAM_P11_URI "p11_uri"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 4d1dba2..a20157c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -105,6 +105,7 @@ option_strings = {
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
+ 'p11_uri' : _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 50a8f1d..09a52df 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -128,6 +128,7 @@ option = p11_child_timeout
option = pam_app_services
option = pam_p11_allowed_services
option = p11_wait_for_card_timeout
+option = p11_uri
[rule/allowed_sudo_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index bb686c3..c6d6690 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -77,6 +77,7 @@ p11_child_timeout = int, None, false
pam_app_services = str, None, false
pam_p11_allowed_services = str, None, false
p11_wait_for_card_timeout = int, None, false
+p11_uri = str, None, false
[sudo]
# sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 4df0163..c8d53f0 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1478,6 +1478,39 @@ pam_p11_allowed_services = +my_pam_service, -login
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>p11_uri (string)</term>
+ <listitem>
+ <para>
+ PKCS#11 URI (see RFC-7512 for details) which can be
+ used to restrict the selection of devices used for
+ Smartcard authentication. By default SSSD's
+ p11_child will search for a PKCS#11 slot (reader)
+ where the 'removable' flags is set and read the
+ certificates from the inserted token from the first
+ slot found. If multiple readers are connected
+ p11_uri can be use to tell p11_child to use a
+ specific reader.
+ </para>
+ <para>
+ Example:
+ <programlisting>
+p11_uri = slot-description=My%20Smartcar%20Reader
+ </programlisting>
+ or
+ <programlisting>
+p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
+ </programlisting>
+ To find suitable URI please check the debug output
+ of p11_child. As an alternative the GnuTLS utility
+ 'p11tool' with e.g. the '--list-all' will show
+ PKCS#11 URIs as well.
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
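Review bot: several wording slips in the new p11_uri entry: "Smartcar%20Reader" in the first example presumably means "Smartcard", "where the 'removable' flags is set" should read "flag is set", "p11_uri can be use" should be "can be used", "To find suitable URI" should be "To find a suitable URI", and "'p11tool' with e.g. the '--list-all'" reads better as "'p11tool' with e.g. '--list-all'". It would also help administrators to state what the URI is matched against (module, slot and token information) and that the NSS build of p11_child, which receives the option but does not evaluate it in this series, ignores it.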
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 5d87756..60aa979 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -103,6 +103,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
time_t timeout,
const char *verify_opts,
struct sss_certmap_ctx *sss_certmap_ctx,
+ const char *uri,
struct pam_data *pd);
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
struct cert_auth_info **cert_list);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 6e37f83..a22afd2 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1306,6 +1306,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
char *cert_verification_opts;
errno_t ret;
struct tevent_req *req;
+ char *uri = NULL;
ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
CONFDB_PAM_P11_CHILD_TIMEOUT,
@@ -1342,10 +1343,19 @@ static errno_t check_cert(TALLOC_CTX *mctx,
return ret;
}
+ ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_P11_URI, NULL, &uri);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read certificate_verification from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
pctx->nss_db, p11_child_timeout,
cert_verification_opts, pctx->sss_certmap_ctx,
- pd);
+ uri, pd);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
return ENOMEM;
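Review bot: the error message for the new confdb_get_string call says "Failed to read certificate_verification from confdb", but the option being read is p11_uri (CONFDB_PAM_P11_URI); the copied text will mislead anyone debugging a configuration problem. Name the option that actually failed.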
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 8b8859d..491bd2b 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -711,6 +711,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
time_t timeout,
const char *verify_opts,
struct sss_certmap_ctx *sss_certmap_ctx,
+ const char *uri,
struct pam_data *pd)
{
errno_t ret;
@@ -721,7 +722,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
struct timeval tv;
int pipefd_to_child[2] = PIPE_INIT;
int pipefd_from_child[2] = PIPE_INIT;
- const char *extra_args[14] = { NULL };
+ const char *extra_args[16] = { NULL };
uint8_t *write_buf = NULL;
size_t write_buf_len = 0;
size_t arg_c;
@@ -748,6 +749,12 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
/* extra_args are added in revers order */
arg_c = 0;
+ if (uri != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Adding PKCS#11 URI [%s].\n", uri);
+ extra_args[arg_c++] = uri;
+ extra_args[arg_c++] = "--uri";
+ }
+
if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
extra_args[arg_c++] = "--wait_for_card";
}
--
2.9.5

From 4a22fb6bba6662ad628f6e17203e8ccf20eb9666 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 10:46:43 +0200
Subject: [PATCH 68/83] tests: add PKCS#11 URI tests
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/cmocka/test_pam_srv.c | 120 ++++++++++++++++++++++++++++++++++++++++
src/tests/test_CA/Makefile.am | 16 +++++-
2 files changed, 135 insertions(+), 1 deletion(-)
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 2b02ac2..7fc9224 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -65,6 +65,7 @@
#endif
#define TEST_TOKEN_NAME "SSSD Test Token"
+#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
#ifdef HAVE_NSS
#define TEST_MODULE_NAME "NSS-Internal"
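Review bot: this hunk defines TEST_TOKEN2_NAME, but the new check function below also uses TEST2_KEY_ID and TEST2_PROMPT, which this patch does not define; confirm they already exist in test_pam_srv.c at this point in the series, otherwise a cherry-pick of this patch alone will not compile.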
@@ -961,6 +962,54 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
return EOK;
}
+static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
+ size_t blen, enum response_type type,
+ const char *name)
+{
+ size_t rp = 0;
+ uint32_t val;
+ size_t check2_len = 0;
+ char const *check2_strings[] = { NULL,
+ TEST_TOKEN2_NAME,
+ TEST_MODULE_NAME,
+ TEST2_KEY_ID,
+ TEST2_PROMPT,
+ NULL };
+
+ assert_int_equal(status, 0);
+
+ check2_strings[0] = name;
+ check2_len = check_string_array_len(check2_strings);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 2);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 9);
+
+ assert_int_equal(*(body + rp + val - 1), 0);
+ assert_string_equal(body + rp, TEST_DOM_NAME);
+ rp += val;
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, type);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, check2_len);
+
+ check_string_array(check2_strings, body, &rp);
+
+ assert_int_equal(rp, blen);
+
+ return EOK;
+}
+
static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
{
return test_pam_cert_check_ex(status, body, blen,
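Review bot: `assert_int_equal(val, 9);` in test_pam_cert2_token2_check_ex hardcodes the length of TEST_DOM_NAME including the terminating NUL; use `strlen(TEST_DOM_NAME) + 1` so a renamed test domain fails loudly at the right assertion instead of at the string compare that follows. Beyond that, the function is a near-verbatim copy of test_pam_cert_check_ex differing only in the token name, key id and prompt constants; a version that takes those three strings as parameters would avoid two copies of the packet-walking logic that must be kept in sync whenever the SSS_PAM_CERT_INFO layout changes.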
@@ -968,6 +1017,12 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
NULL);
}
+static int test_pam_cert2_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ return test_pam_cert2_token2_check_ex(status, body, blen, SSS_PAM_CERT_INFO,
+ "pamuser@"TEST_DOM_NAME);
+}
+
static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body,
size_t blen)
{
@@ -2476,6 +2531,65 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
assert_int_equal(ret, EOK);
}
+void test_pam_cert_preauth_uri_token1(void **state)
+{
+ int ret;
+
+ struct sss_test_conf_param pam_params[] = {
+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_preauth_uri_token2(void **state)
+{
+ int ret;
+
+ struct sss_test_conf_param pam_params[] = {
+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token%20Number%202" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0002, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert2_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
void test_filter_response(void **state)
{
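Review bot: both new tests call `putenv("SOFTHSM2_CONF=.../softhsm2_2tokens.conf")` and never restore the previous value, so every test that runs after them in the same process sees the two-token SoftHSM configuration instead of whatever the earlier tests set; save and restore the variable in the test or in pam_test_teardown. The two tests are also identical except for the URI, the certificate and the check callback, so a small helper taking those three would halve the body. Style: a blank line is missing between the closing brace of test_pam_cert_preauth_uri_token2 and `void test_filter_response(void **state)`.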
@@ -2915,6 +3029,12 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
pam_test_setup, pam_test_teardown),
+#ifndef HAVE_NSS
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token1,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token2,
+ pam_test_setup, pam_test_teardown),
+#endif /* ! HAVE_NSS */
#endif /* HAVE_TEST_CA */
cmocka_unit_test_setup_teardown(test_filter_response,
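Review bot: the two URI tests are compiled out under HAVE_NSS, so the `--uri` plumbing in the PAM responder gets no coverage at all in NSS builds. If the reason is that the softhsm2 fixtures only exist in the OpenSSL build (see the Makefile.am hunk below), say so in a comment next to the `#ifndef HAVE_NSS`; otherwise a responder-level test that only checks the argument passed to the child would cover both builds.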
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
index 1bce2c3..b574c76 100644
--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -24,7 +24,7 @@ pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
if HAVE_NSS
extra = p11_nssdb p11_nssdb_2certs
else
-extra = softhsm2_none softhsm2_one softhsm2_two
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens
endif
# If openssl is run in parallel there might be conflicts with the serial
@@ -114,6 +114,20 @@ softhsm2_two.conf:
@echo "objectstore.backend = file" >> $@
@echo "slots.removable = true" >> $@
+softhsm2_2tokens: softhsm2_2tokens.conf
+ mkdir $@
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token Number 2" --pin 654321 --so-pin 654321 --free
+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
+
+softhsm2_2tokens.conf:
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2tokens" > $@
+ @echo "objectstore.backend = file" >> $@
+ @echo "slots.removable = true" >> $@
+
CLEANFILES = \
index.txt index.txt.attr \
index.txt.attr.old index.txt.old \
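Review bot: the new softhsm2_2tokens directory and softhsm2_2tokens.conf are not added to the CLEANFILES list that starts right below this hunk; unless a clean-local rule already removes the other softhsm2_* targets, `make clean` will leave them behind and `mkdir $@` (without -p) will then fail on the next build after a partial run. Also, the token PINs 123456 and 654321 are fine for a test fixture, but since the two tokens differ only in PIN and label it would be worth a comment that the second PIN is deliberately different so that a PIN accepted by the wrong token is caught.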
--
2.9.5


@ -1,53 +0,0 @@
From 7a2e56d061085c155a51253bd612255a4d24cb57 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Mon, 8 Oct 2018 12:47:40 +0200
Subject: [PATCH 69/83] test_config: Test for invalid character in domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There was a bug allowing forbidden characters in the config file section name.
The bug has been fixed in the meantime but we decided to write the test to avoid
regression.
Resolves:
https://pagure.io/SSSD/sssd/issue/3334
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/tests/cmocka/test_config_check.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/tests/cmocka/test_config_check.c b/src/tests/cmocka/test_config_check.c
index a2958de..61c7886 100644
--- a/src/tests/cmocka/test_config_check.c
+++ b/src/tests/cmocka/test_config_check.c
@@ -106,6 +106,17 @@ void config_check_test_bad_section_name(void **state)
config_check_test_common(cfg_str, 1, expected_errors);
}
+void config_check_test_bad_chars_in_section_name(void **state)
+{
+ char cfg_str[] = "[domain/LD@P]";
+ const char *expected_errors[] = {
+ "[rule/allowed_sections]: Section [domain/LD@P] is not allowed. "
+ "Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
void config_check_test_too_many_subdomains(void **state)
{
char cfg_str[] = "[domain/ad.test/b.test/c.test]";
@@ -264,6 +275,7 @@ int main(int argc, const char *argv[])
const struct CMUnitTest tests[] = {
cmocka_unit_test(config_check_test_bad_section_name),
+ cmocka_unit_test(config_check_test_bad_chars_in_section_name),
cmocka_unit_test(config_check_test_too_many_subdomains),
cmocka_unit_test(config_check_test_bad_sssd_option_name),
cmocka_unit_test(config_check_test_bad_pam_option_name),
--
2.9.5


@ -1,147 +0,0 @@
From dbd717fe5b7d8dd640b6ade435b49edb3db5280a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 13:25:35 +0200
Subject: [PATCH 70/83] PAM: return short name for files provider users
If the 'allow_missing_name' option is used with pam_sss and the user
name is determined based on the certificate content and the mapping
rules, the PAM responder will by default return the fully-qualified name
of the user, which is then later used by other PAM modules as well.
For local users which are configured to use SSSD for Smartcard
authentication this might cause issues in other PAM modules because they
are not aware of the fully-qualified name and will treat the user as
unknown.
With this patch the PAM responder will return the short name for all
users handled by the files provider.
Related to https://pagure.io/SSSD/sssd/issue/3848
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/pam/pamsrv.h | 3 ++-
src/responder/pam/pamsrv_cmd.c | 13 +++++++++----
src/responder/pam/pamsrv_p11.c | 32 +++++++++++++++++++++++++++++---
3 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 60aa979..3a927bb 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -108,7 +108,8 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
struct cert_auth_info **cert_list);
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
+ const char *sysdb_username,
struct cert_auth_info *cert_info,
enum response_type type);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a22afd2..553bf8f 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1645,7 +1645,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
preq->current_cert != NULL;
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
- ret = add_pam_cert_response(preq->pd, "",
+ ret = add_pam_cert_response(preq->pd,
+ preq->cctx->rctx->domains, "",
preq->current_cert,
preq->cctx->rctx->domains->user_name_hint
? SSS_PAM_CERT_INFO_WITH_HINT
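Review bot: `preq->cctx->rctx->domains` passed here (and in the three hunks below) is the head of the responder's domain list, not the domain of the user being authenticated; the callee has to search the list by the domain parsed from the name. Name the parameter `domains` rather than `dom` in add_pam_cert_response to make that contract clear, since the same expression is already used on the next line only to read the first domain's `user_name_hint`.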
@@ -1699,7 +1700,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
if (preq->cctx->rctx->domains->user_name_hint
&& preq->pd->cmd == SSS_PAM_PREAUTH) {
- ret = add_pam_cert_response(preq->pd, cert_user,
+ ret = add_pam_cert_response(preq->pd,
+ preq->cctx->rctx->domains, cert_user,
preq->cert_list,
SSS_PAM_CERT_INFO_WITH_HINT);
preq->pd->pam_status = PAM_SUCCESS;
@@ -1725,7 +1727,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
* SSS_PAM_CERT_INFO message to send the name to the caller. */
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
&& preq->pd->logon_name == NULL) {
- ret = add_pam_cert_response(preq->pd, cert_user,
+ ret = add_pam_cert_response(preq->pd,
+ preq->cctx->rctx->domains, cert_user,
preq->cert_list,
SSS_PAM_CERT_INFO);
if (ret != EOK) {
@@ -2117,7 +2120,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
"the backend.\n");
}
- ret = add_pam_cert_response(preq->pd, cert_user,
+ ret = add_pam_cert_response(preq->pd,
+ preq->cctx->rctx->domains,
+ cert_user,
preq->current_cert,
SSS_PAM_CERT_INFO);
if (ret != EOK) {
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 491bd2b..785b29c 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -1145,7 +1145,8 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
* used when running gdm-password. */
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
+ const char *sysdb_username,
struct cert_auth_info *cert_info,
enum response_type type)
{
@@ -1153,6 +1154,10 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
char *env = NULL;
size_t msg_len;
int ret;
+ char *short_name = NULL;
+ char *domain_name = NULL;
+ const char *cert_info_name = sysdb_username;
+
if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type);
@@ -1174,9 +1179,30 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
* Smartcard. If this type of name is irritating at the PIN prompt or the
* re_expression config option was set in a way that user@domain cannot be
* handled anymore some more logic has to be added here. But for the time
- * being I think using sysdb_username is fine. */
+ * being I think using sysdb_username is fine.
+ * As special case is the files provider which handles local users which
+ * by definition only have a short name. To avoid confusion by other
+ * modules on the PAM stack the short name is returned in this case. */
+
+ if (sysdb_username != NULL) {
+ ret = sss_parse_internal_fqname(pd, sysdb_username,
+ &short_name, &domain_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s, "
+ "using full name.\n",
+ sysdb_username, ret, sss_strerror(ret));
+ } else {
+ if (domain_name != NULL
+ && is_files_provider(find_domain_by_name(dom, domain_name,
+ false))) {
+ cert_info_name = short_name;
+ }
+ }
+ }
- ret = pack_cert_data(pd, sysdb_username, cert_info, &msg, &msg_len);
+ ret = pack_cert_data(pd, cert_info_name, cert_info, &msg, &msg_len);
+ talloc_free(short_name);
+ talloc_free(domain_name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "pack_cert_data failed.\n");
return ret;
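Review bot: `find_domain_by_name(dom, domain_name, false)` returns NULL when the parsed domain is not in the list, and its result is passed straight into is_files_provider(); confirm that is_files_provider() tolerates a NULL domain, or add an explicit NULL check before the call so an unknown domain falls through to the full name instead of dereferencing NULL. The security reasoning behind the change should also be spelled out in the comment: dropping the domain qualifier is safe only because files-provider users are local accounts whose short name is unambiguous on the host, whereas for any other provider a short name could collide with a user in another domain, so the fully-qualified name must be kept. Minor: the comment reads "As special case is the files provider", which should be "A special case is the files provider".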
--
2.9.5


@ -1,181 +0,0 @@
From 941e67b0bbb780aadb6461b60b4e3554dfb893db Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 16 May 2018 10:23:49 +0200
Subject: [PATCH 71/83] TESTS: Add a test for whitespace trimming in netgroup
entries
This is a unit test for commit dbb1abae6eaa9df24f61e3a9f855e2461a66a197
Reviewed-by: Tomas Halman <thalman@redhat.com>
---
src/tests/sysdb-tests.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 130 insertions(+), 2 deletions(-)
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 933a07e..d3117cd 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -4388,6 +4388,125 @@ START_TEST (test_netgroup_base_dn)
}
END_TEST
+static errno_t netgr_triple_to_attrs(struct sysdb_attrs *attrs,
+ struct sysdb_netgroup_ctx *netgrent)
+{
+ int ret;
+ char *dummy;
+
+ dummy = talloc_asprintf(attrs, "(%s,%s,%s)",
+ netgrent->value.triple.hostname,
+ netgrent->value.triple.username,
+ netgrent->value.triple.domainname);
+ if (dummy == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_NETGROUP_TRIPLE, dummy);
+ talloc_zfree(dummy);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_add_string failed.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t store_netgr(struct sysdb_test_ctx *test_ctx,
+ const char *name,
+ struct sysdb_netgroup_ctx *netgrent)
+{
+ struct sysdb_attrs *attrs;
+ errno_t ret;
+
+ attrs = sysdb_new_attrs(test_ctx);
+ if (attrs == NULL) {
+ return ENOMEM;
+ }
+
+ ret = netgr_triple_to_attrs(attrs, netgrent);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n");
+ return ret;
+ }
+
+ ret = sysdb_add_netgroup(test_ctx->domain, name, NULL, attrs, NULL,
+ 0, 0);
+ talloc_zfree(attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static bool sysdb_netgr_ctx_cmp(struct sysdb_netgroup_ctx *a,
+ struct sysdb_netgroup_ctx *b)
+{
+ return a->type == b->type &&
+ strcmp(a->value.triple.username, b->value.triple.username) == 0 &&
+ strcmp(a->value.triple.hostname, b->value.triple.hostname) == 0 &&
+ strcmp(a->value.triple.domainname, b->value.triple.domainname) == 0;
+}
+
+START_TEST (test_sysdb_netgr_to_entries)
+{
+ errno_t ret;
+ bool bret;
+ struct sysdb_test_ctx *test_ctx;
+ struct sysdb_netgroup_ctx simple_netgroup = {
+ .type = SYSDB_NETGROUP_TRIPLE_VAL,
+ .value.triple.hostname = discard_const("host"),
+ .value.triple.username = discard_const("user"),
+ .value.triple.domainname = discard_const("domain"),
+ };
+ struct sysdb_netgroup_ctx ws_netgroup = {
+ .type = SYSDB_NETGROUP_TRIPLE_VAL,
+ .value.triple.hostname = discard_const(" host "),
+ .value.triple.username = discard_const(" user "),
+ .value.triple.domainname = discard_const(" domain "),
+ };
+ struct ldb_result *res;
+ struct sysdb_netgroup_ctx **entries;
+ size_t netgroup_count;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ ret = store_netgr(test_ctx, "simple_netgroup", &simple_netgroup);
+ fail_if(ret != EOK, "Could not store the netgr");
+
+ ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "simple_netgroup", &res);
+ fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]",
+ ret, strerror(ret));
+ fail_unless(res->count == 1, "Received [%d] responses",
+ res->count);
+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
+ ret, strerror(ret));
+ fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count);
+ bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup);
+ fail_unless(bret == true, "Netgroup triples do not match");
+
+ ret = store_netgr(test_ctx, "ws_netgroup", &ws_netgroup);
+ fail_if(ret != EOK, "Could not store the netgr");
+
+ ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "ws_netgroup", &res);
+ fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]",
+ ret, strerror(ret));
+ fail_unless(res->count == 1, "Received [%d] responses",
+ res->count);
+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
+ ret, strerror(ret));
+ fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count);
+ bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup);
+ fail_unless(bret == true, "Netgroup triples do not match");
+}
+END_TEST
+
START_TEST(test_odd_characters)
{
errno_t ret;
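Review bot: in store_netgr the failure message after `netgr_triple_to_attrs()` says "sysdb_add_netgroup failed.", a copy-paste from the block below; name netgr_triple_to_attrs so a failing test points at the right call. The second half of test_sysdb_netgr_to_entries intentionally compares the entry read back for `ws_netgroup` against `simple_netgroup`, because the point of the test is that the surrounding whitespace was trimmed; that deserves a one-line comment, since at first glance it looks like the wrong expected value. The `entries` array from the first lookup is also not freed before the second lookup reuses the variable; harmless in a test context, but a talloc_zfree keeps the intent clear.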
@@ -4404,6 +4523,8 @@ START_TEST(test_odd_characters)
const char *received_group;
static const char *user_attrs[] = SYSDB_PW_ATTRS;
static const char *netgr_attrs[] = SYSDB_NETGR_ATTRS;
+ struct sysdb_netgroup_ctx **entries;
+ size_t netgroup_count;
/* Setup */
ret = setup_sysdb_tests(&test_ctx);
@@ -4546,9 +4667,13 @@ START_TEST(test_odd_characters)
ret, strerror(ret));
fail_unless(res->count == 1, "Received [%d] responses",
res->count);
- talloc_zfree(res);
- /* ===== Arbitrary Entries ===== */
+ /* Parse */
+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
+ ret, strerror(ret));
+
+ talloc_zfree(res);
talloc_free(test_ctx);
}
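Review bot: the added sysdb_netgr_to_entries call in test_odd_characters only checks the return code; `entries` and `netgroup_count` are populated but never asserted on, so assert `netgroup_count == 1` and that the triple fields match the odd-character values stored earlier in this test, otherwise the call does not test the parsing it was added for.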
@@ -7418,6 +7543,9 @@ Suite *create_sysdb_suite(void)
tcase_add_test(tc_sysdb, test_netgroup_base_dn);
+ /* Test splitting the netgroup triple */
+ tcase_add_test(tc_sysdb, test_sysdb_netgr_to_entries);
+
/* ===== SERVICE TESTS ===== */
/* Create a new service */
--
2.9.5


@ -1,57 +0,0 @@
From 7b3794fbe5e4f0888d4faeba12e6c5268f8cca42 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 9 Oct 2018 12:12:44 +0200
Subject: [PATCH 73/83] FILES: The files provider should not enumerate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3849
For a reason I cannot explain now, the files provider always enumerates.
There is commit a60e6ec which implements this, but it's clearly wrong,
because then the plain getent passwd output contains duplicates from
nss_files and nss_sss:
$ getent passwd | sort
adm:x:3:4:adm:/var/adm:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
certuser:x:10329:10330::/home/certuser:/bin/bash
certuser:x:10329:10330::/home/certuser:/bin/bash
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/confdb/confdb.c | 5 +----
1 files changed, 1 insertions(+), 4 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 2f3d900..fdc6122 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -875,7 +875,6 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
char *default_domain;
bool fqnames_default = false;
int memcache_timeout;
- bool enum_default;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) return ENOMEM;
@@ -1009,10 +1008,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
"Interpreting as true\n", domain->name);
domain->enumerate = true;
} else { /* assume the new format */
- enum_default = is_files_provider(domain);
-
ret = get_entry_as_bool(res->msgs[0], &domain->enumerate,
- CONFDB_DOMAIN_ENUMERATE, enum_default);
+ CONFDB_DOMAIN_ENUMERATE, 0);
if(ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Invalid value for %s\n", CONFDB_DOMAIN_ENUMERATE);


@ -1,489 +0,0 @@
From 91c608d0eb48435b5b5d2f3631a4bb2a40b8d519 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 10 Oct 2018 15:37:16 +0200
Subject: [PATCH 74/83] p11_child: add OCSP check to the OpenSSL version
Related to https://pagure.io/SSSD/sssd/issue/3489
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/sssd.conf.5.xml | 26 ++-
src/p11_child/p11_child_openssl.c | 346 ++++++++++++++++++++++++++++++++++++++
src/tests/cmocka/test_utils.c | 3 +
src/util/util.c | 2 +
4 files changed, 370 insertions(+), 7 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index c8d53f0..5e3ae48 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -479,8 +479,8 @@
be replaced with the URL of the OCSP
default responder e.g.
http://example.com:80/ocsp.</para>
- <para>This option must be used together
- with
+ <para>(NSS Version) This option must be
+ used together with
ocsp_default_responder_signing_cert.
</para>
</listitem>
@@ -489,17 +489,29 @@
<term>
ocsp_default_responder_signing_cert=NAME</term>
<listitem>
- <para>The nickname of the cert to trust
- (expected) to sign the OCSP responses.
- The certificate with the given nickname
- must be available in the systems NSS
- database.</para>
+ <para>(NSS Version) The nickname of the
+ cert to trust (expected) to sign the
+ OCSP responses. The certificate with
+ the given nickname must be available in
+ the systems NSS database.</para>
<para>This option must be used together
with ocsp_default_responder.</para>
+ <para>(OpenSSL version) This option is
+ currently ignored. All needed
+ certificates must be available in the
+ PEM file given by
+ pam_cert_db_path.</para>
</listitem>
</varlistentry>
</variablelist>
</para>
+ <para condition="with_nss">
+ This man page was generated for the NSS version.
+ </para>
+ <para condition="with_openssl">
+ This man page was generated for the OpenSSL
+ version.
+ </para>
<para>
Unknown options are reported but ignored.
</para>
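Review bot: the ocsp_default_responder_signing_cert entry still says, unqualified, "This option must be used together with ocsp_default_responder." and immediately afterwards says "(OpenSSL version) This option is currently ignored."; the two statements contradict each other for OpenSSL builds. Prefix the "must be used together" sentence with "(NSS Version)" like the other NSS-only paragraphs in this hunk, and in the OpenSSL paragraph state what the OpenSSL code does instead: the OCSP response signer is verified against the CA chain in pam_cert_db_path, which is what the new do_ocsp() relies on.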
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 000e1c9..d66a2f8 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -28,6 +28,7 @@
#include <openssl/x509.h>
#include <openssl/err.h>
#include <openssl/rand.h>
+#include <openssl/ocsp.h>
#include <p11-kit/p11-kit.h>
#include <p11-kit/uri.h>
@@ -42,8 +43,344 @@ struct p11_ctx {
X509_STORE *x509_store;
const char *ca_db;
bool wait_for_card;
+ struct cert_verify_opts *cert_verify_opts;
};
+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
+ const char *path,
+ OCSP_REQUEST *req, int req_timeout)
+{
+ int fd;
+ int rv;
+ OCSP_REQ_CTX *ctx = NULL;
+ OCSP_RESPONSE *rsp = NULL;
+ fd_set confds;
+ struct timeval tv;
+
+ if (req_timeout != -1) {
+ BIO_set_nbio(cbio, 1);
+ }
+
+ rv = BIO_do_connect(cbio);
+
+ if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error connecting BIO\n");
+ return NULL;
+ }
+
+ if (BIO_get_fd(cbio, &fd) < 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "Can't get connection fd\n");
+ goto err;
+ }
+
+ if (req_timeout != -1 && rv <= 0) {
+ FD_ZERO(&confds);
+ FD_SET(fd, &confds);
+ tv.tv_usec = 0;
+ tv.tv_sec = req_timeout;
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
+ if (rv == 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on connect\n");
+ return NULL;
+ }
+ }
+
+ ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ if (OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0) {
+ goto err;
+ }
+
+ if (!OCSP_REQ_CTX_set1_req(ctx, req)) {
+ goto err;
+ }
+
+ for (;;) {
+ rv = OCSP_sendreq_nbio(&rsp, ctx);
+ if (rv != -1)
+ break;
+ if (req_timeout == -1)
+ continue;
+ FD_ZERO(&confds);
+ FD_SET(fd, &confds);
+ tv.tv_usec = 0;
+ tv.tv_sec = req_timeout;
+ if (BIO_should_read(cbio)) {
+ rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
+ } else if (BIO_should_write(cbio)) {
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected retry condition\n");
+ goto err;
+ }
+ if (rv == 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on request\n");
+ break;
+ }
+ if (rv == -1) {
+ DEBUG(SSSDBG_OP_FAILURE, "Select error\n");
+ break;
+ }
+
+ }
+ err:
+ OCSP_REQ_CTX_free(ctx);
+
+ return rsp;
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define TLS_client_method SSLv23_client_method
+#define X509_STORE_get0_objects(store) (store->objs)
+#define X509_OBJECT_get_type(object) (object->type)
+#define X509_OBJECT_get0_X509(object) (object->data.x509)
+#endif
+
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
+ const char *host, const char *path,
+ const char *port, int use_ssl,
+ int req_timeout)
+{
+ BIO *cbio = NULL;
+ SSL_CTX *ctx = NULL;
+ OCSP_RESPONSE *resp = NULL;
+
+ cbio = BIO_new_connect(host);
+ if (cbio == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error creating connect BIO\n");
+ goto end;
+ }
+ if (port != NULL)
+ BIO_set_conn_port(cbio, port);
+ if (use_ssl == 1) {
+ BIO *sbio;
+ ctx = SSL_CTX_new(TLS_client_method());
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error creating SSL context.\n");
+ goto end;
+ }
+ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+ sbio = BIO_new_ssl(ctx, 1);
+ cbio = BIO_push(sbio, cbio);
+ }
+
+ resp = query_responder(cbio, host, path, req, req_timeout);
+ if (resp == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error querying OCSP responder\n");
+ }
+
+ end:
+ BIO_free_all(cbio);
+ SSL_CTX_free(ctx);
+ return resp;
+}
+
+static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
+{
+ OCSP_REQUEST *ocsp_req = NULL;
+ OCSP_RESPONSE *ocsp_resp = NULL;
+ OCSP_BASICRESP *ocsp_basic = NULL;
+ OCSP_CERTID *cid = NULL;
+ STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
+ char *url_str;
+ X509 *issuer = NULL;
+ int req_timeout = -1;
+ int status;
+ int ret = EIO;
+ int reason;
+ ASN1_GENERALIZEDTIME *revtime;
+ ASN1_GENERALIZEDTIME *thisupd;
+ ASN1_GENERALIZEDTIME *nextupd;
+ long grace_time = (5 * 60); /* Allow 5 minutes time difference when
+ * checking the validity of the OCSP response */
+ char *host = NULL;
+ char *path = NULL;
+ char *port = NULL;
+ int use_ssl;
+ X509_NAME *issuer_name = NULL;
+ X509_OBJECT *x509_obj;
+ STACK_OF(X509_OBJECT) *store_objects;
+
+ ocsp_urls = X509_get1_ocsp(cert);
+ if (ocsp_urls == NULL
+ && p11_ctx->cert_verify_opts->ocsp_default_responder == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No OCSP URL in certificate and no default responder defined, "
+ "skipping OCSP check.\n");
+ return EOK;
+ }
+
+ if (p11_ctx->cert_verify_opts->ocsp_default_responder != NULL) {
+ url_str = p11_ctx->cert_verify_opts->ocsp_default_responder;
+ } else {
+ if (sk_OPENSSL_STRING_num(ocsp_urls) > 1) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Found more than 1 OCSP URLs, just using the first.\n");
+ }
+
+ url_str = sk_OPENSSL_STRING_value(ocsp_urls, 0);
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Using OCSP URL [%s].\n", url_str);
+
+ ret = OCSP_parse_url(url_str, &host, &port, &path, &use_ssl);
+ if (ret != 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_parse_url failed to parse [%s].\n",
+ url_str);
+ ret = EIO;
+ goto done;
+ }
+
+ issuer_name = X509_get_issuer_name(cert);
+ if (issuer_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate has no issuer, "
+ "cannot run OCSP check.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ store_objects = X509_STORE_get0_objects(p11_ctx->x509_store);
+ if (store_objects == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No objects found in certificate store, OCSP failed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ x509_obj = X509_OBJECT_retrieve_by_subject(store_objects, X509_LU_X509,
+ issuer_name);
+ if (x509_obj == NULL || X509_OBJECT_get_type(x509_obj) != X509_LU_X509) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Issuer not found.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ issuer = X509_OBJECT_get0_X509(x509_obj);
+
+ ocsp_req = OCSP_REQUEST_new();
+ if (ocsp_req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_REQUEST_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
+ if (cid == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_cert_to_id failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ if (OCSP_request_add0_id(ocsp_req, cid) == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_request_add0_id failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ OCSP_request_add1_nonce(ocsp_req, NULL, -1);
+
+ ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl,
+ req_timeout);
+ if (ocsp_resp == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "process_responder failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ status = OCSP_response_status(ocsp_resp);
+ if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response error: [%d][%s].\n",
+ status, OCSP_response_status_str(status));
+ ret = EIO;
+ goto done;
+ }
+
+ ocsp_basic = OCSP_response_get1_basic(ocsp_resp);
+ if (ocsp_resp == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_response_get1_basic failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ switch (OCSP_check_nonce(ocsp_req, ocsp_basic)) {
+ case -1:
+ DEBUG(SSSDBG_CRIT_FAILURE, "No nonce in OCSP response. This might "
+ "indicate a replay attack or an OCSP responder which does not "
+ "support nonces. Accepting response.\n");
+ break;
+ case 0:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Nonce in OCSP response does not match the "
+ "one used in the request.\n");
+ ret = EIO;
+ goto done;
+ break;
+ case 1:
+ DEBUG(SSSDBG_TRACE_ALL, "Nonce in OCSP response is the same as the one "
+ "used in the request.\n");
+ break;
+ case 2:
+ case 3:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing nonce in OCSP request, this should"
+ "never happen.\n");
+ ret = EIO;
+ goto done;
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected result of OCSP_check_nonce.\n");
+ }
+
+ status = OCSP_basic_verify(ocsp_basic, NULL, p11_ctx->x509_store, 0);
+ if (status != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP_base_verify failed to verify OCSP "
+ "response.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = OCSP_resp_find_status(ocsp_basic, cid, &status, &reason,
+ &revtime, &thisupd, &nextupd);
+ if (ret != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response does not contain status of "
+ "our certificate.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ if (status != V_OCSP_CERTSTATUS_GOOD) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP check failed with [%d][%s].\n",
+ status, OCSP_cert_status_str(status));
+ if (status == V_OCSP_CERTSTATUS_REVOKED) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate is revoked [%d][%s].\n",
+ reason, OCSP_crl_reason_str(reason));
+ }
+ ret = EIO;
+ goto done;
+ }
+
+ if (OCSP_check_validity(thisupd, nextupd, grace_time, -1) != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response is not valid anymore.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "OCSP check was successful.\n");
+ ret = EOK;
+
+done:
+ OCSP_BASICRESP_free(ocsp_basic);
+ OCSP_RESPONSE_free(ocsp_resp);
+ OCSP_REQUEST_free(ocsp_req);
+
+ OPENSSL_free(host);
+ OPENSSL_free(port);
+ OPENSSL_free(path);
+ X509_email_free(ocsp_urls);
+
+ return ret;
+}
static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
CK_SLOT_INFO *slot_info, CK_SLOT_ID slot_id,
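Review bot: the NULL check after OCSP_response_get1_basic tests the wrong variable: `ocsp_basic = OCSP_response_get1_basic(ocsp_resp);` is followed by `if (ocsp_resp == NULL)`, which cannot be true at that point, so a response without a basic part reaches OCSP_check_nonce with ocsp_basic == NULL; the condition should be `if (ocsp_basic == NULL)`. Two smaller things in the same hunk: the adjacent string literals "Missing nonce in OCSP request, this should" "never happen.\n" are missing a space at the join, and the message "OCSP_base_verify failed" should name OCSP_basic_verify. Finally, the -1 branch of OCSP_check_nonce accepts a response that carries no nonce, so freshness of such responses rests only on the later OCSP_check_validity call with grace_time; that is a defensible policy for responders that pre-produce responses, but logging an accepted response at SSSDBG_CRIT_FAILURE is misleading, so either lower the level or document the decision in a comment.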
@@ -191,6 +528,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
}
p11_ctx->x509_store = store;
+ p11_ctx->cert_verify_opts = cert_verify_opts;
talloc_set_destructor(p11_ctx, talloc_free_x509_store);
ret = EOK;
@@ -262,6 +600,14 @@ bool do_verification(struct p11_ctx *p11_ctx, X509 *cert)
goto done;
}
+ if (p11_ctx->cert_verify_opts->do_ocsp) {
+ ret = do_ocsp(p11_ctx, cert);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "do_ocsp failed.\n");
+ goto done;
+ }
+ }
+
res = true;
done:
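Review bot: with this hunk any do_ocsp failure, including process_responder returning NULL because the responder is unreachable, makes do_verification fail closed (res stays false). That is the safe default, but it means a responder outage blocks every smartcard login until no_ocsp is configured, so the option documentation should state explicitly that OCSP errors are treated as verification failures rather than being skipped.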
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index 1a8699a..c86e526 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1612,6 +1612,8 @@ static void test_parse_cert_verify_opts(void **state)
&cv_opts);
assert_int_equal(ret, EINVAL);
+/* Only NSS requires that both are set */
+#ifdef HAVE_NSS
ret = parse_cert_verify_opts(global_talloc_context,
"ocsp_default_responder=abc", &cv_opts);
assert_int_equal(ret, EINVAL);
@@ -1620,6 +1622,7 @@ static void test_parse_cert_verify_opts(void **state)
"ocsp_default_responder_signing_cert=def",
&cv_opts);
assert_int_equal(ret, EINVAL);
+#endif
ret = parse_cert_verify_opts(global_talloc_context,
"ocsp_default_responder=abc,"
diff --git a/src/util/util.c b/src/util/util.c
index 53dd9a1..7f475fa 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -1123,6 +1123,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
}
}
+#ifdef HAVE_NSS
if ((cert_verify_opts->ocsp_default_responder == NULL
&& cert_verify_opts->ocsp_default_responder_signing_cert != NULL)
|| (cert_verify_opts->ocsp_default_responder != NULL
@@ -1135,6 +1136,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
ret = EINVAL;
goto done;
}
+#endif
ret = EOK;
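Review bot: the `#ifdef HAVE_NSS` guard opens in one hunk and its `#endif` sits in the next, and nothing in the implementation says why the "both or neither" rule for ocsp_default_responder and ocsp_default_responder_signing_cert applies only to NSS. The test file carries the explanation ("Only NSS requires that both are set"); put the same comment above the `#ifdef` here so the reason is visible where the check lives.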
--
2.9.5


@ -1,279 +0,0 @@
From 3c096c9ad6dad911d035cfdd802b5dda4710fc68 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 11 Oct 2018 17:35:24 +0200
Subject: [PATCH 75/83] p11_child: add crl_file option for the OpenSSL build
In the NSS build a Certificate Revocation List (CRL) can just be added
to the NSS database. For OpenSSL a separate file is needed.
Related to https://pagure.io/SSSD/sssd/issue/3489
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/man/sssd.conf.5.xml | 24 ++++++++++++++++++++++++
src/p11_child/p11_child_common.c | 12 ++++++------
src/p11_child/p11_child_openssl.c | 26 +++++++++++++++++++++++++-
src/tests/cmocka/test_utils.c | 16 ++++++++++++++++
src/util/util.c | 13 +++++++++++++
src/util/util.h | 1 +
6 files changed, 85 insertions(+), 7 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 5e3ae48..bea25c6 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -503,6 +503,30 @@
pam_cert_db_path.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>crl_file=/PATH/TO/CRL/FILE</term>
+ <listitem>
+ <para>(NSS Version) This option is
+ ignored, please see
+ <citerefentry>
+ <refentrytitle>crlutil</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </citerefentry>
+ how to import a Certificate Revocation
+ List (CRL) into a NSS database.</para>
+
+ <para>(OpenSSL Version) Use the
+ Certificate Revocation List (CRL) from
+ the given file during the verification
+ of the certificate. The CRL must be
+ given in PEM format, see
+ <citerefentry>
+ <refentrytitle>crl</refentrytitle>
+ <manvolnum>1ssl</manvolnum>
+ </citerefentry>
+ for details.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
<para condition="with_nss">
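Review bot: wording in the NSS paragraph: "please see crlutil(1) how to import a Certificate Revocation List (CRL) into a NSS database" should read "see crlutil(1) for how to import a Certificate Revocation List (CRL) into an NSS database". The OpenSSL paragraph should also say that the file may contain more than one PEM CRL and that, with the flags set in p11_child_openssl.c, a CRL is required for every CA in the chain, not only for the issuer of the user certificate.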
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
index 097e7fa..b992aeb 100644
--- a/src/p11_child/p11_child_common.c
+++ b/src/p11_child/p11_child_common.c
@@ -48,7 +48,7 @@ static const char *op_mode_str(enum op_mode mode)
return "pre-auth";
break;
case OP_VERIFIY:
- return "verifiy";
+ return "verify";
break;
default:
return "unknown";
@@ -219,7 +219,7 @@ int main(int argc, const char *argv[])
case 'a':
if (mode != OP_NONE) {
fprintf(stderr,
- "\n--verifiy, --auth and --pre are mutually " \
+ "\n--verify, --auth and --pre are mutually " \
"exclusive and should be only used once.\n\n");
poptPrintUsage(pc, stderr, 0);
_exit(-1);
@@ -229,7 +229,7 @@ int main(int argc, const char *argv[])
case 'p':
if (mode != OP_NONE) {
fprintf(stderr,
- "\n--verifiy, --auth and --pre are mutually " \
+ "\n--verify, --auth and --pre are mutually " \
"exclusive and should be only used once.\n\n");
poptPrintUsage(pc, stderr, 0);
_exit(-1);
@@ -239,7 +239,7 @@ int main(int argc, const char *argv[])
case 'v':
if (mode != OP_NONE) {
fprintf(stderr,
- "\n--verifiy, --auth and --pre are mutually " \
+ "\n--verify, --auth and --pre are mutually " \
"exclusive and should be only used once.\n\n");
poptPrintUsage(pc, stderr, 0);
_exit(-1);
@@ -283,7 +283,7 @@ int main(int argc, const char *argv[])
if (mode == OP_NONE) {
fprintf(stderr, "\nMissing operation mode, either " \
- "--verifiy, --auth or --pre must be specified.\n\n");
+ "--verify, --auth or --pre must be specified.\n\n");
poptPrintUsage(pc, stderr, 0);
_exit(-1);
} else if (mode == OP_AUTH && pin_mode == PIN_NONE) {
@@ -350,7 +350,7 @@ int main(int argc, const char *argv[])
ret = parse_cert_verify_opts(main_ctx, verify_opts, &cert_verify_opts);
if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verifiy option.\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verify option.\n");
goto fail;
}
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index d66a2f8..9defdfc 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -501,6 +501,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
X509_STORE *store = NULL;
unsigned long err;
X509_LOOKUP *lookup = NULL;
+ X509_VERIFY_PARAM *verify_param = NULL;
store = X509_STORE_new();
if (store == NULL) {
@@ -527,6 +528,30 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
goto done;
}
+ if (cert_verify_opts->crl_file != NULL) {
+ verify_param = X509_VERIFY_PARAM_new();
+ if (verify_param == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "X509_VERIFY_PARAM_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ X509_VERIFY_PARAM_set_flags(verify_param, (X509_V_FLAG_CRL_CHECK
+ | X509_V_FLAG_CRL_CHECK_ALL));
+
+ X509_STORE_set1_param(store, verify_param);
+
+ ret = X509_load_crl_file(lookup, cert_verify_opts->crl_file,
+ X509_FILETYPE_PEM);
+ if (ret == 0) {
+ err = ERR_get_error();
+ DEBUG(SSSDBG_OP_FAILURE, "X509_load_crl_file failed [%lu][%s].\n",
+ err, ERR_error_string(err, NULL));
+ ret = EIO;
+ goto done;
+ }
+ }
+
p11_ctx->x509_store = store;
p11_ctx->cert_verify_opts = cert_verify_opts;
talloc_set_destructor(p11_ctx, talloc_free_x509_store);
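Review bot: verify_param is never released. X509_STORE_set1_param copies the parameters into the store, so the object returned by X509_VERIFY_PARAM_new leaks on both the success path and the error path; add `X509_VERIFY_PARAM_free(verify_param);` at done (it is NULL-safe). Also note that X509_V_FLAG_CRL_CHECK_ALL makes OpenSSL demand a CRL for every CA in the chain: if crl_file carries only the leaf issuer's CRL and the chain has an intermediate, verification fails with "unable to get certificate CRL". X509_load_crl_file with X509_FILETYPE_PEM loads all CRLs found in the file, so administrators can concatenate them, but the man page needs to say so.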
@@ -536,7 +561,6 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
done:
if (ret != EOK) {
X509_STORE_free(store);
- X509_LOOKUP_free(lookup);
}
return ret;
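Review bot: dropping `X509_LOOKUP_free(lookup)` from the error path is unrelated to crl_file and deserves a sentence in the commit message. If lookup was obtained from X509_STORE_add_lookup it is owned by the store and released by X509_STORE_free, so the separate free that follows it was a double free on failure; saying that explicitly saves the next reader from re-adding it.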
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index c86e526..cf1c2ae 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1567,6 +1567,7 @@ static void test_parse_cert_verify_opts(void **state)
assert_true(cv_opts->do_ocsp);
assert_null(cv_opts->ocsp_default_responder);
assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_null(cv_opts->crl_file);
talloc_free(cv_opts);
ret = parse_cert_verify_opts(global_talloc_context, "wedfkwefjk", &cv_opts);
@@ -1575,6 +1576,7 @@ static void test_parse_cert_verify_opts(void **state)
assert_true(cv_opts->do_ocsp);
assert_null(cv_opts->ocsp_default_responder);
assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_null(cv_opts->crl_file);
talloc_free(cv_opts);
ret = parse_cert_verify_opts(global_talloc_context, "no_ocsp", &cv_opts);
@@ -1583,6 +1585,7 @@ static void test_parse_cert_verify_opts(void **state)
assert_false(cv_opts->do_ocsp);
assert_null(cv_opts->ocsp_default_responder);
assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_null(cv_opts->crl_file);
talloc_free(cv_opts);
ret = parse_cert_verify_opts(global_talloc_context, "no_verification",
@@ -1592,6 +1595,7 @@ static void test_parse_cert_verify_opts(void **state)
assert_true(cv_opts->do_ocsp);
assert_null(cv_opts->ocsp_default_responder);
assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_null(cv_opts->crl_file);
talloc_free(cv_opts);
ret = parse_cert_verify_opts(global_talloc_context,
@@ -1601,6 +1605,7 @@ static void test_parse_cert_verify_opts(void **state)
assert_false(cv_opts->do_ocsp);
assert_null(cv_opts->ocsp_default_responder);
assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_null(cv_opts->crl_file);
talloc_free(cv_opts);
ret = parse_cert_verify_opts(global_talloc_context,
@@ -1633,6 +1638,17 @@ static void test_parse_cert_verify_opts(void **state)
assert_true(cv_opts->do_ocsp);
assert_string_equal(cv_opts->ocsp_default_responder, "abc");
assert_string_equal(cv_opts->ocsp_default_responder_signing_cert, "def");
+ assert_null(cv_opts->crl_file);
+ talloc_free(cv_opts);
+
+ ret = parse_cert_verify_opts(global_talloc_context, "crl_file=hij",
+ &cv_opts);
+ assert_int_equal(ret, EOK);
+ assert_true(cv_opts->do_verification);
+ assert_true(cv_opts->do_ocsp);
+ assert_null(cv_opts->ocsp_default_responder);
+ assert_null(cv_opts->ocsp_default_responder_signing_cert);
+ assert_string_equal(cv_opts->crl_file, "hij");
talloc_free(cv_opts);
}
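Review bot: the new case covers "crl_file=hij" only. The parser in util.c also rejects an empty value (`crl_file=` returns EINVAL), and that branch has no test; add a case next to the existing negative tests that asserts EINVAL for "crl_file=".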
diff --git a/src/util/util.c b/src/util/util.c
index 7f475fa..cbe6a28 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -1024,6 +1024,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
cert_verify_opts->do_verification = true;
cert_verify_opts->ocsp_default_responder = NULL;
cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
+ cert_verify_opts->crl_file = NULL;
return cert_verify_opts;
}
@@ -1035,6 +1036,8 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
"ocsp_default_responder_signing_cert="
#define OCSP_DEFAUL_RESPONDER_SIGNING_CERT_LEN \
(sizeof(OCSP_DEFAUL_RESPONDER_SIGNING_CERT) - 1)
+#define CRL_FILE "crl_file="
+#define CRL_FILE_LEN (sizeof(CRL_FILE) -1)
errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
struct cert_verify_opts **_cert_verify_opts)
@@ -1116,6 +1119,16 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
DEBUG(SSSDBG_TRACE_ALL,
"Using OCSP default responder signing cert nickname [%s]\n",
cert_verify_opts->ocsp_default_responder_signing_cert);
+ } else if (strncasecmp(opts[c], CRL_FILE, CRL_FILE_LEN) == 0) {
+ cert_verify_opts->crl_file = talloc_strdup(cert_verify_opts,
+ &opts[c][CRL_FILE_LEN]);
+ if (cert_verify_opts->crl_file == NULL
+ || *cert_verify_opts->crl_file == '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse crl_file option [%s].\n", opts[c]);
+ ret = EINVAL;
+ goto done;
+ }
} else {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unsupported certificate verification option [%s], " \
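Review bot: the error branch folds two different failures into one. talloc_strdup returning NULL is an allocation failure and should surface as ENOMEM, whereas an empty value is a configuration mistake and EINVAL is right; as written both log "Failed to parse crl_file option" and return EINVAL. Split the two checks so an out-of-memory condition is not reported to the administrator as a typo in sssd.conf.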
diff --git a/src/util/util.h b/src/util/util.h
index e3e9100..7e9b3d6 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -371,6 +371,7 @@ struct cert_verify_opts {
bool do_verification;
char *ocsp_default_responder;
char *ocsp_default_responder_signing_cert;
+ char *crl_file;
};
errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
--
2.9.5


@ -1,37 +0,0 @@
From 7794caec36e7142423491d90aaade7e49b9df1c1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 12 Oct 2018 09:32:11 +0200
Subject: [PATCH 76/83] p11: Fix two instances of -Wmaybe-uninitialized in
p11_child_openssl.c
If uri_str was passed to the p11_child and parsing the URI failed, then
modules would be uninitialized, but freed in the done handler with
p11_kit_modules_finalize_and_release()
Also, another warning is suppressed by setting the 's' variable to zero.
While it cannot happen that the variable will be uninitialized, we
should help the compiler by setting a value explicitly.
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/p11_child/p11_child_openssl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 9defdfc..adfe272 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -1036,8 +1036,8 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
{
int ret;
size_t c;
- size_t s;
- CK_FUNCTION_LIST **modules;
+ size_t s = 0;
+ CK_FUNCTION_LIST **modules = NULL;
CK_FUNCTION_LIST *module = NULL;
char *mod_name;
char *mod_file_name;
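Review bot: initialising modules to NULL only fixes the failed-URI-parse path described in the commit message if the done handler, or p11_kit_modules_finalize_and_release() itself, tolerates a NULL argument; the diff does not show that call. Please confirm that the handler guards the call with a NULL check (or that the library does) rather than relying on the initialisation alone.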
--
2.9.5


@ -1,31 +0,0 @@
From 250e82252b53991e2902b292cfa6029ab28a10fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 15 Oct 2018 12:46:35 +0200
Subject: [PATCH 77/83] sudo: use correct sbus interface
Internal dbus interfaces were renamed to shorter names in sbus2.
Resolves:
https://pagure.io/SSSD/sssd/issue/3854
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/sudo/sudosrv_dp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/sudo/sudosrv_dp.c b/src/responder/sudo/sudosrv_dp.c
index 2c6b26e..78dd296 100644
--- a/src/responder/sudo/sudosrv_dp.c
+++ b/src/responder/sudo/sudosrv_dp.c
@@ -66,7 +66,7 @@ sss_dp_get_sudoers_msg(TALLOC_CTX *mem_ctx,
msg = dbus_message_new_method_call(bus_name,
SSS_BUS_PATH,
- "org.freedesktop.sssd.dataprovider",
+ "sssd.dataprovider",
"sudoHandler");
if (msg == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
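Review bot: the interface name is still a string literal, which is exactly why this call broke when sbus2 renamed the interfaces. Use the name constant the sbus2 interface code provides for the data provider interface instead of "sssd.dataprovider", so the next rename is caught at compile time rather than at runtime with a failed method call.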
--
2.9.5


@ -1,40 +0,0 @@
From 8fbaf224193b9ca8b82a290bd52265c2f9b40315 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 15 Oct 2018 13:01:34 +0200
Subject: [PATCH 78/83] sudo: fix error handling in sudosrv_refresh_rules_done
If sbus returns non-zero code then the output variables are not set and
therefore we access uninitialized memory.
Resolves:
https://pagure.io/SSSD/sssd/issue/3854
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/sudo/sudosrv_get_sudorules.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index 14bd824..76faef0 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -576,10 +576,15 @@ static void sudosrv_refresh_rules_done(struct tevent_req *subreq)
ret = sss_dp_get_sudoers_recv(state, subreq, &err_maj, &err_min, &err_msg);
talloc_zfree(subreq);
if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to refresh rules [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ } else if (err_maj != 0 || err_min != 0) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unable to get information from Data Provider, "
"Error: %u, %u, %s\n",
- (unsigned int)err_maj, (unsigned int)err_min, err_msg);
+ (unsigned int)err_maj, (unsigned int)err_min,
+ (err_msg == NULL ? "(null)" : err_msg));
goto done;
}
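Review bot: in the new `else if (err_maj != 0 || err_min != 0)` branch ret is still EOK when control reaches `goto done`, since the preceding `if (ret != EOK)` was false. Check that the done label turns this case into an error for the request (for instance by setting ret to ERR_INTERNAL or deriving it from err_min before the jump); otherwise a data-provider error is logged but the request completes as if the refresh succeeded.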
--
2.9.5


@ -1,64 +0,0 @@
From c74b430ba95d99b245b6347328024e4b4815b35e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 15 Oct 2018 12:48:41 +0200
Subject: [PATCH 79/83] sbus: remove leftovers from previous implementation
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/data_provider/dp_iface.h | 8 +--
src/providers/data_provider_be.c | 2 +-
5 files changed, 5 insertions(+), 26 deletions(-)
diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
index 0b0855d..d1382cd 100644
--- a/src/providers/data_provider/dp_iface.h
+++ b/src/providers/data_provider/dp_iface.h
@@ -141,21 +141,21 @@ dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
uint32_t *_error,
const char **_err_msg);
-/* org.freedesktop.sssd.DataProvider.Client */
+/* sssd.DataProvider.Client */
errno_t
dp_client_register(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct data_provider *provider,
const char *name);
-/* org.freedesktop.sssd.DataProvider.Backend */
+/* sssd.DataProvider.Backend */
errno_t dp_backend_is_online(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct be_ctx *be_ctx,
const char *domname,
bool *_is_online);
-/* org.freedesktop.sssd.DataProvider.Failover */
+/* sssd.DataProvider.Failover */
errno_t
dp_failover_list_services(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
@@ -177,7 +177,7 @@ dp_failover_list_servers(TALLOC_CTX *mem_ctx,
const char *service_name,
const char ***_servers);
-/* org.freedesktop.sssd.DataProvider.AccessControl */
+/* sssd.DataProvider.AccessControl */
struct tevent_req *
dp_access_control_refresh_rules_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 6d2477e..7043e7a 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -48,7 +48,7 @@
#include "resolv/async_resolv.h"
#include "sss_iface/sss_iface_async.h"
-/* org.freedesktop.sssd.service */
+/* sssd.service */
static errno_t
data_provider_res_init(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
2.9.5


@ -1,44 +0,0 @@
From 05ba237af582c1ca3780e5fe06ab3320494efe52 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat, 13 Oct 2018 16:22:13 +0000
Subject: [PATCH 80/83] CONFIGURE: Add minimal required version for p11-kit
There are a few functions which were added in upstream p11-kit 0.23.3.
And there are compilation failures with older versions.
src/p11_child/p11_child_openssl.c: In function 'get_pkcs11_uri':
src/p11_child/p11_child_openssl.c:87:12: error: implicit declaration of function 'p11_kit_uri_get_slot_info' [-Werror=implicit-function-declaration]
memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
^
src/p11_child/p11_child_openssl.c:88:5: error: implicit declaration of function 'p11_kit_uri_set_slot_id' [-Werror=implicit-function-declaration]
p11_kit_uri_set_slot_id(uri, slot_id);
^
src/p11_child/p11_child_openssl.c: In function 'do_card':
src/p11_child/p11_child_openssl.c:767:35: error: implicit declaration of function 'p11_kit_uri_get_slot_id' [-Werror=implicit-function-declaration]
uri_slot_id = p11_kit_uri_get_slot_id(uri);
^
src/p11_child/p11_child_openssl.c:770:32: error: implicit declaration of function 'p11_kit_uri_match_slot_info' [-Werror=implicit-function-declaration]
|| p11_kit_uri_match_slot_info(uri, &info) != 1) {
^
Merges: https://pagure.io/SSSD/sssd/pull-request/3852
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/external/p11-kit.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/external/p11-kit.m4 b/src/external/p11-kit.m4
index a959f43..eb0474f 100644
--- a/src/external/p11-kit.m4
+++ b/src/external/p11-kit.m4
@@ -1,4 +1,4 @@
AC_SUBST(P11_KIT_CFLAGS)
AC_SUBST(P11_KIT_LIBS)
-PKG_CHECK_MODULES([P11_KIT], [p11-kit-1])
+PKG_CHECK_MODULES([P11_KIT], [p11-kit-1 >= 0.23.3])
--
2.9.5


@ -1,46 +0,0 @@
From d143319bce8fc778df93fe7cd7ef4d03b7a3fc92 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat, 13 Oct 2018 16:24:56 +0000
Subject: [PATCH 81/83] SBUS: Silence warning maybe-uninitialized
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It should not happen because function sbus_interface_find_property
should return NULL for access different than SBUS_PROPERTY_READABLE
or SBUS_PROPERTY_WRITABLE. And thus we would return ERR_SBUS_UNKNOWN_PROPERTY
from the function sbus_request_property.
src/sbus/interface/sbus_properties.c: In function 'sbus_request_property.isra.0':
src/sbus/interface/sbus_properties.c:360:14:
error: 'type' may be used uninitialized in this function
[-Werror=maybe-uninitialized]
sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface_name, property_name, path);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Merges: https://pagure.io/SSSD/sssd/pull-request/3851
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sbus/interface/sbus_properties.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/sbus/interface/sbus_properties.c b/src/sbus/interface/sbus_properties.c
index bd15807..906e6db 100644
--- a/src/sbus/interface/sbus_properties.c
+++ b/src/sbus/interface/sbus_properties.c
@@ -355,6 +355,8 @@ sbus_request_property(TALLOC_CTX *mem_ctx,
case SBUS_PROPERTY_WRITABLE:
type = SBUS_REQUEST_PROPERTY_SET;
break;
+ default:
+ return EINVAL;
}
sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
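Review bot: the new default branch returns EINVAL silently. The commit message says the unreachable case corresponds to an unknown property, for which sbus_request_property already returns ERR_SBUS_UNKNOWN_PROPERTY; returning the same code here, with a DEBUG line naming the unexpected access value, keeps callers' error handling consistent and makes the "cannot happen" path diagnosable if it ever does.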
--
2.9.5


@ -1,136 +0,0 @@
From 46c483c09b85cecf8d1cc72618da993d8948c894 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 15 Oct 2018 20:05:09 +0200
Subject: [PATCH 82/83] files: add session recording flag
If session recording is configured for a group the NSS and PAM
responder rely on an attribute in the cache set by the backend to
determine if session recording is configured for the user or not. This
flag is typically set during the initgroups request.
Since the files provider does not have a dedicated initgroups request
the attribute must be set otherwise. This patch sets it for all users
after the files are reloaded.
Related to https://pagure.io/SSSD/sssd/issue/3855
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/data_provider/dp_iface.h | 3 ++
src/providers/data_provider/dp_target_id.c | 62 ++++++++++++++++++++++++++++++
src/providers/files/files_ops.c | 7 ++++
3 files changed, 72 insertions(+)
diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
index d1382cd..8635ae0 100644
--- a/src/providers/data_provider/dp_iface.h
+++ b/src/providers/data_provider/dp_iface.h
@@ -188,4 +188,7 @@ errno_t
dp_access_control_refresh_rules_recv(TALLOC_CTX *mem_ctx,
struct tevent_req *req);
+
+errno_t
+dp_add_sr_attribute(struct be_ctx *be_ctx);
#endif /* DP_IFACE_H_ */
diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
index 265788b..748d886 100644
--- a/src/providers/data_provider/dp_target_id.c
+++ b/src/providers/data_provider/dp_target_id.c
@@ -328,6 +328,68 @@ done:
talloc_free(tmp_ctx);
}
+errno_t dp_add_sr_attribute(struct be_ctx *be_ctx)
+{
+ int ret;
+ struct dp_initgr_ctx *dp_initgr_ctx = NULL;
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct dp_id_data *data;
+ size_t msgs_count;
+ struct ldb_message **msgs = NULL;
+ const char *attrs[] = {SYSDB_NAME, NULL};
+ size_t c;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_users(tmp_ctx, be_ctx->domain, "("SYSDB_NAME "=*)", attrs,
+ &msgs_count, &msgs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_users failed.\n");
+ goto done;
+ }
+
+ data = talloc_zero(tmp_ctx, struct dp_id_data);
+ if (data == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ data->entry_type = BE_REQ_INITGROUPS;
+ data->filter_type = BE_FILTER_NAME;
+ data->filter_value = NULL;
+ data->extra_value = NULL;
+ data->domain = be_ctx->domain->name;
+
+ for (c = 0; c < msgs_count; c++) {
+ data->filter_value = ldb_msg_find_attr_as_string(msgs[c], SYSDB_NAME,
+ NULL);
+ if (data->filter_value == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cache object [%s] does not have a name, skipping.\n",
+ ldb_dn_get_linearized(msgs[c]->dn));
+ continue;
+ }
+
+ talloc_free(dp_initgr_ctx);
+ ret = dp_create_initgroups_ctx(tmp_ctx, be_ctx, data, &dp_initgr_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "dp_create_initgroups_ctx failed.\n");
+ goto done;
+ }
+
+ dp_req_initgr_pp_sr_overlay(be_ctx->provider, dp_initgr_ctx);
+ }
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain,
const char *name)
{
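Review bot: the empty-cache case needs checking: if sysdb_search_users reports no matching entries as ENOENT rather than EOK with msgs_count == 0, a domain with no users yet makes this function return an error and the caller logs "Failed to add session recording attribute" on every reload; treat ENOENT as success. Two smaller points: the return value of dp_req_initgr_pp_sr_overlay is discarded, so a failure to set the attribute for one user is invisible in the logs, and the `(name=*)` search touches every cached user on each reload, which is fine for /etc/passwd-sized data but should be mentioned in a comment since this runs inside the sysdb transaction.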
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
index f5a4029..74f77b5 100644
--- a/src/providers/files/files_ops.c
+++ b/src/providers/files/files_ops.c
@@ -26,6 +26,7 @@
#include "db/sysdb.h"
#include "util/inotify.h"
#include "util/util.h"
+#include "providers/data_provider/dp_iface.h"
/* When changing this constant, make sure to also adjust the files integration
* test for reallocation branch
@@ -771,6 +772,12 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
}
}
+ ret = dp_add_sr_attribute(id_ctx->be);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to add session recording attribute, ignored.\n");
+ }
+
ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
if (ret != EOK) {
goto done;
--
2.9.5


@ -1,43 +0,0 @@
From fc29c3eb9750c5e7def4e1ab6eb18f4f5024f567 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 16 Oct 2018 10:42:43 +0200
Subject: [PATCH 83/83] UTIL: Suppress Coverity warning
We recently added this code:
if (domain_name != NULL
&& is_files_provider(find_domain_by_name(dom,
domain_name,
false)))
find_domain_by_name returns NULL if the domain_name can't be found. This
of course makes mostly sense for trusted domains that can appear and
disappear. And is_files_provider() didn't handle the situation where the
domain pointer was NULL and would directly dereference it.
This commit just adds a NULL check for the domain pointer so that
is_files_provider() returns 'false' if the domain pointer was NULL.
Another alternative might be to check the return value of
find_domain_by_name(), but I don't think it's worth the trouble.
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/util/domain_info_utils.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 8bef6c9..ffb8cdf 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -931,6 +931,7 @@ bool sss_domain_info_get_output_fqnames(struct sss_domain_info *domain)
bool is_files_provider(struct sss_domain_info *domain)
{
- return domain->provider != NULL &&
+ return domain != NULL &&
+ domain->provider != NULL &&
strcasecmp(domain->provider, "files") == 0;
}
--
2.9.5
