Compare commits
22 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
b62cbca7ed | ||
|
69547de9a4 | ||
|
379f80d2ca | ||
|
8915b3954f | ||
|
ff7c4a21d0 | ||
|
9af45e39cd | ||
|
f4f3a2dcca | ||
|
ed1f57da00 | ||
|
5fb22adfc9 | ||
|
57935c4a32 | ||
|
a574fcb984 | ||
|
ee8fde703d | ||
|
eb491b5232 | ||
|
3f232d02e9 | ||
|
7e00e587f6 | ||
|
374a7c5781 | ||
|
252666a315 | ||
|
9fb549e162 | ||
|
7d2f8acb2e | ||
|
80b558654c | ||
|
125adf7606 | ||
|
6625bffdcb |
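--- a/.gitignore
+++ b/.gitignore
@@ -81,3 +81,8 @@ sssd-1.2.91.tar.gz
 /sssd-1.16.1.tar.gz
 /sssd-1.16.2.tar.gz
 /sssd-2.0.0.tar.gz
+/sssd-2.1.0.tar.gz
+/sssd-2.2.0.tar.gz
+/sssd-2.2.1.tar.gz
+/sssd-2.2.2.tar.gz
+/sssd-2.2.3.tar.gz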
@ -1,27 +0,0 @@
|
|||||||
From 53e6fdfd881f051898e85448832eafdd2ea09454 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Thu, 22 Nov 2018 11:33:20 +0100
|
|
||||||
Subject: [PATCH] BUILD: Accept krb5 1.17 for building the PAC plugin
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/external/pac_responder.m4 | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
|
|
||||||
index e0685f0ce..dc986a1b8 100644
|
|
||||||
--- a/src/external/pac_responder.m4
|
|
||||||
+++ b/src/external/pac_responder.m4
|
|
||||||
@@ -18,7 +18,8 @@ then
|
|
||||||
Kerberos\ 5\ release\ 1.13* | \
|
|
||||||
Kerberos\ 5\ release\ 1.14* | \
|
|
||||||
Kerberos\ 5\ release\ 1.15* | \
|
|
||||||
- Kerberos\ 5\ release\ 1.16*)
|
|
||||||
+ Kerberos\ 5\ release\ 1.16* | \
|
|
||||||
+ Kerberos\ 5\ release\ 1.17*)
|
|
||||||
krb5_version_ok=yes
|
|
||||||
AC_MSG_RESULT([yes])
|
|
||||||
;;
|
|
||||||
--
|
|
||||||
2.20.0
|
|
||||||
|
|
@ -1,109 +0,0 @@
|
|||||||
From 101934f29e6b76931b1499adc19ae7f7a976789d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Tue, 14 Aug 2018 08:20:57 +0000
|
|
||||||
Subject: [PATCH 1/4] BUILD: Fix issue with installation of libsss_secrets
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
libsss_secret.so is linked with libsss_util.so therefore it shoudl be
|
|
||||||
added into pkglib_LTLIBRARIES after libsss_util.so.
|
|
||||||
Otherwise there can failure in linking phase.
|
|
||||||
|
|
||||||
libtool: warning: relinking 'libsss_secrets.la'
|
|
||||||
libtool: install: (cd /home/build/sssd/ci-build-debug/intg/bld; /bin/sh
|
|
||||||
"/home/build/sssd/ci-build-debug/intg/bld/libtool" --tag CC
|
|
||||||
--mode=relink gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith
|
|
||||||
-Wcast-qual -Wcast-align -Wwrite-strings -Wundef
|
|
||||||
-Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs
|
|
||||||
-fno-strict-aliasing -std=gnu99 -O2 -g -g3 -O2 -Werror
|
|
||||||
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
|
|
||||||
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
|
|
||||||
-avoid-version -o libsss_secrets.la -rpath
|
|
||||||
/tmp/sssd-intg.l7nl5pgb/lib/sssd
|
|
||||||
src/util/secrets/libsss_secrets_la-secrets.lo
|
|
||||||
src/util/secrets/libsss_secrets_la-config.lo -ltalloc -lldb
|
|
||||||
libsss_crypt.la libsss_debug.la libsss_util.la )
|
|
||||||
libtool: relink: gcc -shared -fPIC -DPIC
|
|
||||||
src/util/secrets/.libs/libsss_secrets_la-secrets.o
|
|
||||||
src/util/secrets/.libs/libsss_secrets_la-config.o -Wl,-rpath
|
|
||||||
-Wl,/tmp/sssd-intg.l7nl5pgb/lib/sssd -ltalloc -lldb
|
|
||||||
-L/tmp/sssd-intg.l7nl5pgb/lib/sssd -lsss_crypt -lsss_debug -lsss_util
|
|
||||||
-O2 -g -g3 -O2 -Wl,-soname -Wl,libsss_secrets.so -o
|
|
||||||
.libs/libsss_secrets.so
|
|
||||||
/usr/bin/ld: cannot find -lsss_util
|
|
||||||
collect2: error: ld returned 1 exit status
|
|
||||||
libtool: error: error: relink 'libsss_secrets.la' with the above
|
|
||||||
command before installing it
|
|
||||||
|
|
||||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3808
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
Makefile.am | 43 +++++++++++++++++++++----------------------
|
|
||||||
1 file changed, 21 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index d313957..a2d8ea4 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -1209,28 +1209,6 @@ libsss_iface_sync_la_LDFLAGS = \
|
|
||||||
-avoid-version \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
-if BUILD_WITH_LIBSECRET
|
|
||||||
-pkglib_LTLIBRARIES += libsss_secrets.la
|
|
||||||
-
|
|
||||||
-libsss_secrets_la_SOURCES = \
|
|
||||||
- src/util/secrets/secrets.c \
|
|
||||||
- src/util/secrets/config.c \
|
|
||||||
- $(NULL)
|
|
||||||
-libsss_secrets_la_CFLAGS = \
|
|
||||||
- $(AM_CFLAGS) \
|
|
||||||
- $(NULL)
|
|
||||||
-libsss_secrets_la_LIBADD = \
|
|
||||||
- $(TALLOC_LIBS) \
|
|
||||||
- $(LDB_LIBS) \
|
|
||||||
- libsss_crypt.la \
|
|
||||||
- libsss_debug.la \
|
|
||||||
- libsss_util.la \
|
|
||||||
- $(NULL)
|
|
||||||
-libsss_secrets_la_LDFLAGS = \
|
|
||||||
- -avoid-version \
|
|
||||||
- $(NULL)
|
|
||||||
-endif
|
|
||||||
-
|
|
||||||
pkglib_LTLIBRARIES += libsss_util.la
|
|
||||||
libsss_util_la_SOURCES = \
|
|
||||||
src/confdb/confdb.c \
|
|
||||||
@@ -1314,6 +1292,27 @@ libsss_util_la_LIBADD += stap_generated_probes.lo
|
|
||||||
endif
|
|
||||||
libsss_util_la_LDFLAGS = -avoid-version
|
|
||||||
|
|
||||||
+if BUILD_WITH_LIBSECRET
|
|
||||||
+pkglib_LTLIBRARIES += libsss_secrets.la
|
|
||||||
+libsss_secrets_la_SOURCES = \
|
|
||||||
+ src/util/secrets/secrets.c \
|
|
||||||
+ src/util/secrets/config.c \
|
|
||||||
+ $(NULL)
|
|
||||||
+libsss_secrets_la_CFLAGS = \
|
|
||||||
+ $(AM_CFLAGS) \
|
|
||||||
+ $(NULL)
|
|
||||||
+libsss_secrets_la_LIBADD = \
|
|
||||||
+ $(TALLOC_LIBS) \
|
|
||||||
+ $(LDB_LIBS) \
|
|
||||||
+ libsss_crypt.la \
|
|
||||||
+ libsss_debug.la \
|
|
||||||
+ libsss_util.la \
|
|
||||||
+ $(NULL)
|
|
||||||
+libsss_secrets_la_LDFLAGS = \
|
|
||||||
+ -avoid-version \
|
|
||||||
+ $(NULL)
|
|
||||||
+endif
|
|
||||||
+
|
|
||||||
pkglib_LTLIBRARIES += libsss_semanage.la
|
|
||||||
libsss_semanage_la_CFLAGS = \
|
|
||||||
$(AM_CFLAGS) \
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
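--- /dev/null
+++ b/0001-Fix-build-failure-against-samba-4.12.0rc1.patch
@@ -0,0 +1,53 @@
+From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Fri, 24 Jan 2020 15:17:39 +0100
+Subject: [PATCH] Fix build failure against samba 4.12.0rc1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The ndr_pull_get_switch() function was dropped, but it was just a wrapper
+around the ndr_token_peek() function, so we can use this approach on both
+old and new versions of libndr.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+src/providers/ad/ad_gpo_ndr.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
+index d57303349..8f405aa62 100644
+--- a/src/providers/ad/ad_gpo_ndr.c
++++ b/src/providers/ad/ad_gpo_ndr.c
+@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
+union security_ace_object_type *r)
+{
+uint32_t level;
+- level = ndr_pull_get_switch_value(ndr, r);
++ level = ndr_token_peek(&ndr->switch_list, r);
+NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+if (ndr_flags & NDR_SCALARS) {
+NDR_CHECK(ndr_pull_union_align(ndr, 4));
+@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
+union security_ace_object_inherited_type *r)
+{
+uint32_t level;
+- level = ndr_pull_get_switch_value(ndr, r);
++ level = ndr_token_peek(&ndr->switch_list, r);
+NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+if (ndr_flags & NDR_SCALARS) {
+NDR_CHECK(ndr_pull_union_align(ndr, 4));
+@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
+union security_ace_object_ctr *r)
+{
+uint32_t level;
+- level = ndr_pull_get_switch_value(ndr, r);
++ level = ndr_token_peek(&ndr->switch_list, r);
+NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+if (ndr_flags & NDR_SCALARS) {
+NDR_CHECK(ndr_pull_union_align(ndr, 4));
+--
+2.20.1
+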
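Review bot: The replacement line `level = ndr_token_peek(&ndr->switch_list, r);` is pasted verbatim into all three hunks of ad_gpo_ndr.c (at 105, 135 and 198), so three call sites now depend on the layout of libndr's `struct ndr_pull` where previously only the library wrapper did. A file-local shim, `static uint32_t gpo_ndr_switch_value(struct ndr_pull *ndr, const void *key) { return ndr_token_peek(&ndr->switch_list, key); }`, called from the three sites would keep the compatibility workaround in one place, with a comment noting that `ndr_pull_get_switch_value()` is gone from samba 4.12. The value is then used unchecked as the union discriminator on the lines that follow; as far as I recall `ndr_token_peek()` yields 0 when no token was pushed for `r`, which matches the removed wrapper, but that assumption belongs in a comment at the shim rather than being implicit at each site. The patch description names `ndr_pull_get_switch()` while the code replaces `ndr_pull_get_switch_value()`; the description should use the real name so the change is searchable later. Each of the three pull functions continues past the end of its hunk.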
@ -1,459 +0,0 @@
|
|||||||
From 194438830cdd729e317c1e1baf93da7201dfd39b Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Mon, 4 Feb 2019 12:00:01 +0100
|
|
||||||
Subject: [PATCH 1/3] sbus: avoid using invalid stack point in SBUS_INTERFACE
|
|
||||||
|
|
||||||
SBUS_INTERFACE macros expanded as:
|
|
||||||
struct sbus_interface bus =
|
|
||||||
({ sbus_interface(
|
|
||||||
"org.freedesktop.DBus",
|
|
||||||
((void *)0),
|
|
||||||
(((const struct sbus_method[])
|
|
||||||
{
|
|
||||||
({
|
|
||||||
/* ... compile time check of function signature omitted */ ;
|
|
||||||
sbus_method_sync(/* ... full list of params omitted */);
|
|
||||||
}),
|
|
||||||
...
|
|
||||||
|
|
||||||
This however includes an issue that methods/properties/signals are returned
|
|
||||||
by value, however stored in sbus_interface as pointers. Once we return out
|
|
||||||
of the top-level block and assign resulting sbus_interface into 'bus' variable
|
|
||||||
those objects allocated on stack becomes invalid and can be overwritten by other
|
|
||||||
allocations on stack.
|
|
||||||
|
|
||||||
This patch overcomes this issue by changing declaration of SBUS_INTERFACE and
|
|
||||||
avoiding using this top-level block. This still keeps the declarative structure
|
|
||||||
and simplifies the code as it does not require any memory handling and
|
|
||||||
tests for successful allocations.
|
|
||||||
|
|
||||||
const struct sbus_method __ ## varname ## _m[] = methods; \
|
|
||||||
const struct sbus_signal __ ## varname ## _s[] = signals; \
|
|
||||||
const struct sbus_property __ ## varname ## _p[] = properties; \
|
|
||||||
struct sbus_interface varname = SBUS_IFACE_ ## iface( \
|
|
||||||
(__ ## varname ## _m), \
|
|
||||||
(__ ## varname ## _s), \
|
|
||||||
(__ ## varname ## _p) \
|
|
||||||
)
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://pagure.io/SSSD/sssd/issue/3924
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/monitor/monitor.c | 2 +-
|
|
||||||
src/providers/data_provider/dp.c | 10 +++++-----
|
|
||||||
src/providers/data_provider_be.c | 2 +-
|
|
||||||
src/providers/proxy/proxy_child.c | 2 +-
|
|
||||||
src/providers/proxy/proxy_client.c | 2 +-
|
|
||||||
src/responder/autofs/autofssrv.c | 2 +-
|
|
||||||
src/responder/common/responder_iface.c | 6 +++---
|
|
||||||
src/responder/ifp/ifp_iface/ifp_iface.c | 24 ++++++++++++------------
|
|
||||||
src/responder/ifp/ifpsrv.c | 2 +-
|
|
||||||
src/responder/nss/nss_iface.c | 2 +-
|
|
||||||
src/responder/nss/nsssrv.c | 2 +-
|
|
||||||
src/sbus/interface/sbus_introspection.c | 2 +-
|
|
||||||
src/sbus/interface/sbus_properties.c | 2 +-
|
|
||||||
src/sbus/sbus_interface.h | 22 +++++++++++++++++-----
|
|
||||||
src/sbus/server/sbus_server_interface.c | 2 +-
|
|
||||||
15 files changed, 48 insertions(+), 36 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
|
||||||
index 136cf8f27..8d12f8133 100644
|
|
||||||
--- a/src/monitor/monitor.c
|
|
||||||
+++ b/src/monitor/monitor.c
|
|
||||||
@@ -2018,7 +2018,7 @@ static void monitor_sbus_connected(struct tevent_req *req)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- struct sbus_interface iface = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface,
|
|
||||||
sssd_monitor,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_monitor, RegisterService, monitor_sbus_RegisterService, ctx)
|
|
||||||
diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
|
|
||||||
index bd003c8b3..e79d6f294 100644
|
|
||||||
--- a/src/providers/data_provider/dp.c
|
|
||||||
+++ b/src/providers/data_provider/dp.c
|
|
||||||
@@ -33,7 +33,7 @@ dp_init_interface(struct data_provider *provider)
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- struct sbus_interface iface_dp_client = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_dp_client,
|
|
||||||
sssd_DataProvider_Client,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_DataProvider_Client, Register, dp_client_register, provider)
|
|
||||||
@@ -42,7 +42,7 @@ dp_init_interface(struct data_provider *provider)
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_dp_backend = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_dp_backend,
|
|
||||||
sssd_DataProvider_Backend,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_DataProvider_Backend, IsOnline, dp_backend_is_online, provider->be_ctx)
|
|
||||||
@@ -51,7 +51,7 @@ dp_init_interface(struct data_provider *provider)
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_dp_failover = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_dp_failover,
|
|
||||||
sssd_DataProvider_Failover,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_DataProvider_Failover, ListServices, dp_failover_list_services, provider->be_ctx),
|
|
||||||
@@ -62,7 +62,7 @@ dp_init_interface(struct data_provider *provider)
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_dp_access = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_dp_access,
|
|
||||||
sssd_DataProvider_AccessControl,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_ASYNC(METHOD, sssd_DataProvider_AccessControl, RefreshRules, dp_access_control_refresh_rules_send, dp_access_control_refresh_rules_recv, provider)
|
|
||||||
@@ -71,7 +71,7 @@ dp_init_interface(struct data_provider *provider)
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_dp = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_dp,
|
|
||||||
sssd_dataprovider,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_ASYNC(METHOD, sssd_dataprovider, pamHandler, dp_pam_handler_send, dp_pam_handler_recv, provider),
|
|
||||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
|
||||||
index 7043e7a5f..942952b24 100644
|
|
||||||
--- a/src/providers/data_provider_be.c
|
|
||||||
+++ b/src/providers/data_provider_be.c
|
|
||||||
@@ -382,7 +382,7 @@ static void signal_be_reset_offline(struct tevent_context *ev,
|
|
||||||
static errno_t
|
|
||||||
be_register_monitor_iface(struct sbus_connection *conn, struct be_ctx *be_ctx)
|
|
||||||
{
|
|
||||||
- struct sbus_interface iface_service = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_service,
|
|
||||||
sssd_service,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_service, resInit, data_provider_res_init, be_ctx),
|
|
||||||
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
|
|
||||||
index 134f96f82..4f06d42aa 100644
|
|
||||||
--- a/src/providers/proxy/proxy_child.c
|
|
||||||
+++ b/src/providers/proxy/proxy_child.c
|
|
||||||
@@ -348,7 +348,7 @@ proxy_cli_init(struct pc_ctx *ctx)
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
- struct sbus_interface iface = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface,
|
|
||||||
sssd_ProxyChild_Auth,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_ProxyChild_Auth, PAM, pc_pam_handler, ctx)
|
|
||||||
diff --git a/src/providers/proxy/proxy_client.c b/src/providers/proxy/proxy_client.c
|
|
||||||
index 1c325eee5..09ebf3bda 100644
|
|
||||||
--- a/src/providers/proxy/proxy_client.c
|
|
||||||
+++ b/src/providers/proxy/proxy_client.c
|
|
||||||
@@ -100,7 +100,7 @@ proxy_client_init(struct sbus_connection *conn,
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- struct sbus_interface iface = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface,
|
|
||||||
sssd_ProxyChild_Client,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_ProxyChild_Client, Register, proxy_client_register, auth_ctx)
|
|
||||||
diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c
|
|
||||||
index 614e901e7..230bd2aac 100644
|
|
||||||
--- a/src/responder/autofs/autofssrv.c
|
|
||||||
+++ b/src/responder/autofs/autofssrv.c
|
|
||||||
@@ -62,7 +62,7 @@ autofs_register_service_iface(struct autofs_ctx *autofs_ctx,
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- struct sbus_interface iface_svc = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_svc,
|
|
||||||
sssd_service,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL),
|
|
||||||
diff --git a/src/responder/common/responder_iface.c b/src/responder/common/responder_iface.c
|
|
||||||
index 79b632c05..911cd6cc0 100644
|
|
||||||
--- a/src/responder/common/responder_iface.c
|
|
||||||
+++ b/src/responder/common/responder_iface.c
|
|
||||||
@@ -99,7 +99,7 @@ sss_resp_register_sbus_iface(struct sbus_connection *conn,
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- struct sbus_interface iface_resp_domain = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_resp_domain,
|
|
||||||
sssd_Responder_Domain,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_Responder_Domain, SetActive, sss_resp_domain_active, rctx),
|
|
||||||
@@ -109,7 +109,7 @@ sss_resp_register_sbus_iface(struct sbus_connection *conn,
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_resp_negcache = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_resp_negcache,
|
|
||||||
sssd_Responder_NegativeCache,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_Responder_NegativeCache, ResetUsers, sss_resp_reset_ncache_users, rctx),
|
|
||||||
@@ -139,7 +139,7 @@ sss_resp_register_service_iface(struct resp_ctx *rctx)
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- struct sbus_interface iface_svc = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_svc,
|
|
||||||
sssd_service,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL),
|
|
||||||
diff --git a/src/responder/ifp/ifp_iface/ifp_iface.c b/src/responder/ifp/ifp_iface/ifp_iface.c
|
|
||||||
index fa9f9ba53..a3385091b 100644
|
|
||||||
--- a/src/responder/ifp/ifp_iface/ifp_iface.c
|
|
||||||
+++ b/src/responder/ifp/ifp_iface/ifp_iface.c
|
|
||||||
@@ -77,7 +77,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp,
|
|
||||||
org_freedesktop_sssd_infopipe,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe, Ping, ifp_ping, ctx),
|
|
||||||
@@ -96,7 +96,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_components = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_components,
|
|
||||||
org_freedesktop_sssd_infopipe_Components,
|
|
||||||
SBUS_METHODS(SBUS_NO_METHODS),
|
|
||||||
SBUS_SIGNALS(SBUS_NO_SIGNALS),
|
|
||||||
@@ -109,7 +109,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_domains = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_domains,
|
|
||||||
org_freedesktop_sssd_infopipe_Domains,
|
|
||||||
SBUS_METHODS(SBUS_NO_METHODS),
|
|
||||||
SBUS_SIGNALS(SBUS_NO_SIGNALS),
|
|
||||||
@@ -131,7 +131,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_domains_domain = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_domains_domain,
|
|
||||||
org_freedesktop_sssd_infopipe_Domains_Domain,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Domains_Domain, IsOnline, ifp_domains_domain_is_online_send, ifp_domains_domain_is_online_recv, ctx),
|
|
||||||
@@ -144,7 +144,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_users = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_users,
|
|
||||||
org_freedesktop_sssd_infopipe_Users,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Users, FindByName, ifp_users_find_by_name_send, ifp_users_find_by_name_recv, ctx),
|
|
||||||
@@ -159,7 +159,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_users_user = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_users_user,
|
|
||||||
org_freedesktop_sssd_infopipe_Users_User,
|
|
||||||
SBUS_METHODS(SBUS_NO_METHODS),
|
|
||||||
SBUS_SIGNALS(SBUS_NO_SIGNALS),
|
|
||||||
@@ -178,7 +178,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_cache_user = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_cache_user,
|
|
||||||
org_freedesktop_sssd_infopipe_Cache,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache, List, ifp_cache_list_user, ctx),
|
|
||||||
@@ -188,7 +188,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_cache_object_user = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_cache_object_user,
|
|
||||||
org_freedesktop_sssd_infopipe_Cache_Object,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache_Object, Store, ifp_cache_object_store_user, ctx),
|
|
||||||
@@ -198,7 +198,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_groups = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_groups,
|
|
||||||
org_freedesktop_sssd_infopipe_Groups,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Groups, FindByName, ifp_groups_find_by_name_send, ifp_groups_find_by_name_recv, ctx),
|
|
||||||
@@ -210,7 +210,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_groups_group = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_groups_group,
|
|
||||||
org_freedesktop_sssd_infopipe_Groups_Group,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_ASYNC(METHOD, org_freedesktop_sssd_infopipe_Groups_Group, UpdateMemberList, ifp_groups_group_update_member_list_send, ifp_groups_group_update_member_list_recv, ctx)
|
|
||||||
@@ -225,7 +225,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_cache_group = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_cache_group,
|
|
||||||
org_freedesktop_sssd_infopipe_Cache,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache, List, ifp_cache_list_group, ctx),
|
|
||||||
@@ -235,7 +235,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn,
|
|
||||||
SBUS_PROPERTIES(SBUS_NO_PROPERTIES)
|
|
||||||
);
|
|
||||||
|
|
||||||
- struct sbus_interface iface_ifp_cache_object_group = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_ifp_cache_object_group,
|
|
||||||
org_freedesktop_sssd_infopipe_Cache_Object,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, org_freedesktop_sssd_infopipe_Cache_Object, Store, ifp_cache_object_store_group, ctx),
|
|
||||||
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
|
|
||||||
index 61072aad1..0c53534e4 100644
|
|
||||||
--- a/src/responder/ifp/ifpsrv.c
|
|
||||||
+++ b/src/responder/ifp/ifpsrv.c
|
|
||||||
@@ -135,7 +135,7 @@ ifp_register_service_iface(struct ifp_ctx *ifp_ctx,
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- struct sbus_interface iface_svc = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_svc,
|
|
||||||
sssd_service,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL),
|
|
||||||
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
|
|
||||||
index f39c3d370..a47b35fca 100644
|
|
||||||
--- a/src/responder/nss/nss_iface.c
|
|
||||||
+++ b/src/responder/nss/nss_iface.c
|
|
||||||
@@ -219,7 +219,7 @@ nss_register_backend_iface(struct sbus_connection *conn,
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- struct sbus_interface iface = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface,
|
|
||||||
sssd_nss_MemoryCache,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_nss_MemoryCache, UpdateInitgroups, nss_memorycache_update_initgroups, nss_ctx),
|
|
||||||
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
|
|
||||||
index daaf3c06c..9cc9c5d35 100644
|
|
||||||
--- a/src/responder/nss/nsssrv.c
|
|
||||||
+++ b/src/responder/nss/nsssrv.c
|
|
||||||
@@ -276,7 +276,7 @@ nss_register_service_iface(struct nss_ctx *nss_ctx,
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- struct sbus_interface iface_svc = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface_svc,
|
|
||||||
sssd_service,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, sssd_service, resInit, monitor_common_res_init, NULL),
|
|
||||||
diff --git a/src/sbus/interface/sbus_introspection.c b/src/sbus/interface/sbus_introspection.c
|
|
||||||
index b2de9a9ac..863383719 100644
|
|
||||||
--- a/src/sbus/interface/sbus_introspection.c
|
|
||||||
+++ b/src/sbus/interface/sbus_introspection.c
|
|
||||||
@@ -658,7 +658,7 @@ errno_t
|
|
||||||
sbus_register_introspection(struct sbus_router *router)
|
|
||||||
{
|
|
||||||
|
|
||||||
- struct sbus_interface iface = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface,
|
|
||||||
org_freedesktop_DBus_Introspectable,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_ASYNC(METHOD, org_freedesktop_DBus_Introspectable, Introspect,
|
|
||||||
diff --git a/src/sbus/interface/sbus_properties.c b/src/sbus/interface/sbus_properties.c
|
|
||||||
index 9df4c6bd6..8be933caa 100644
|
|
||||||
--- a/src/sbus/interface/sbus_properties.c
|
|
||||||
+++ b/src/sbus/interface/sbus_properties.c
|
|
||||||
@@ -867,7 +867,7 @@ errno_t
|
|
||||||
sbus_register_properties(struct sbus_router *router)
|
|
||||||
{
|
|
||||||
|
|
||||||
- struct sbus_interface iface = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(iface,
|
|
||||||
org_freedesktop_DBus_Properties,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_ASYNC(METHOD, org_freedesktop_DBus_Properties, Get,
|
|
||||||
diff --git a/src/sbus/sbus_interface.h b/src/sbus/sbus_interface.h
|
|
||||||
index eb1462dd2..45ab4b5ad 100644
|
|
||||||
--- a/src/sbus/sbus_interface.h
|
|
||||||
+++ b/src/sbus/sbus_interface.h
|
|
||||||
@@ -80,7 +80,7 @@ struct sbus_node;
|
|
||||||
* };
|
|
||||||
*/
|
|
||||||
#define SBUS_METHODS(...) \
|
|
||||||
- (const struct sbus_method[]) { \
|
|
||||||
+ { \
|
|
||||||
__VA_ARGS__, \
|
|
||||||
SBUS_INTERFACE_SENTINEL \
|
|
||||||
}
|
|
||||||
@@ -117,7 +117,7 @@ struct sbus_node;
|
|
||||||
* };
|
|
||||||
*/
|
|
||||||
#define SBUS_SIGNALS(...) \
|
|
||||||
- (const struct sbus_signal[]) { \
|
|
||||||
+ { \
|
|
||||||
__VA_ARGS__, \
|
|
||||||
SBUS_INTERFACE_SENTINEL \
|
|
||||||
}
|
|
||||||
@@ -159,7 +159,7 @@ struct sbus_node;
|
|
||||||
* };
|
|
||||||
*/
|
|
||||||
#define SBUS_PROPERTIES(...) \
|
|
||||||
- (const struct sbus_property[]) { \
|
|
||||||
+ { \
|
|
||||||
__VA_ARGS__, \
|
|
||||||
SBUS_INTERFACE_SENTINEL \
|
|
||||||
}
|
|
||||||
@@ -228,6 +228,11 @@ struct sbus_node;
|
|
||||||
/**
|
|
||||||
* Create and sbus interface.
|
|
||||||
*
|
|
||||||
+ * @param varname Name of the variable that will hold the interface
|
|
||||||
+ * description. It is created as:
|
|
||||||
+ * struct sbus_interface varname;
|
|
||||||
+ * You can refer to it later when creating 'sbus_path'
|
|
||||||
+ * structure as &varname.
|
|
||||||
* @param iface Name of the interface with dots replaced
|
|
||||||
* with underscore. (token, not a string)
|
|
||||||
* @param methods Methods on the interface.
|
|
||||||
@@ -239,8 +244,15 @@ struct sbus_node;
|
|
||||||
*
|
|
||||||
* @see SBUS_METHODS, SBUS_SIGNALS, SBUS_PROPERTIES to create those arguments.
|
|
||||||
*/
|
|
||||||
-#define SBUS_INTERFACE(iface, methods, signals, properties) \
|
|
||||||
- SBUS_IFACE_ ## iface((methods), (signals), (properties))
|
|
||||||
+#define SBUS_INTERFACE(varname, iface, methods, signals, properties) \
|
|
||||||
+ const struct sbus_method __ ## varname ## _m[] = methods; \
|
|
||||||
+ const struct sbus_signal __ ## varname ## _s[] = signals; \
|
|
||||||
+ const struct sbus_property __ ## varname ## _p[] = properties; \
|
|
||||||
+ struct sbus_interface varname = SBUS_IFACE_ ## iface( \
|
|
||||||
+ (__ ## varname ## _m), \
|
|
||||||
+ (__ ## varname ## _s), \
|
|
||||||
+ (__ ## varname ## _p) \
|
|
||||||
+ )
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Create a new sbus synchronous handler.
|
|
||||||
diff --git a/src/sbus/server/sbus_server_interface.c b/src/sbus/server/sbus_server_interface.c
|
|
||||||
index 695d4d09b..9c0ba0abb 100644
|
|
||||||
--- a/src/sbus/server/sbus_server_interface.c
|
|
||||||
+++ b/src/sbus/server/sbus_server_interface.c
|
|
||||||
@@ -387,7 +387,7 @@ sbus_server_setup_interface(struct sbus_server *server)
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- struct sbus_interface bus = SBUS_INTERFACE(
|
|
||||||
+ SBUS_INTERFACE(bus,
|
|
||||||
org_freedesktop_DBus,
|
|
||||||
SBUS_METHODS(
|
|
||||||
SBUS_SYNC(METHOD, org_freedesktop_DBus, Hello, sbus_server_bus_hello, server),
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From 04c1909a0c1c13eee10141f08eff2048decc2e49 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Adam Williamson <awilliam@redhat.com>
|
|
||||||
Date: Wed, 12 Dec 2018 22:28:15 -0800
|
|
||||||
Subject: [PATCH] sbus: use 120 second default timeout
|
|
||||||
|
|
||||||
As discussed in #1654537, first login to a system as a FreeIPA
|
|
||||||
domain user now usually causes an expensive SELinux operation
|
|
||||||
to happen; this can take longer than the default bus message
|
|
||||||
timeout of 25 seconds. To deal with this for now, let's use a
|
|
||||||
120 second default timeout; this is a big hammer, but unless we
|
|
||||||
can refactor things to use a longer timeout just for that one
|
|
||||||
call, or make the actual operation take less time, there's not
|
|
||||||
much else we can do.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1654537
|
|
||||||
|
|
||||||
Signed-off-by: Adam Williamson <awilliam@redhat.com>
|
|
||||||
---
|
|
||||||
src/sbus/sbus_message.h | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
|
|
||||||
index e7b8fe594..7ae634ece 100644
|
|
||||||
--- a/src/sbus/sbus_message.h
|
|
||||||
+++ b/src/sbus/sbus_message.h
|
|
||||||
@@ -27,8 +27,10 @@
|
|
||||||
#include "util/util.h"
|
|
||||||
#include "sbus/sbus_errors.h"
|
|
||||||
|
|
||||||
-/* Use reasonable default timeout which is computed in libdbus */
|
|
||||||
-#define SBUS_MESSAGE_TIMEOUT -1
|
|
||||||
+/* Use longer default timeout than libdbus default due to expensive
|
|
||||||
+ * selinux operation: see https://bugzilla.redhat.com/show_bug.cgi?id=1654537
|
|
||||||
+ */
|
|
||||||
+#define SBUS_MESSAGE_TIMEOUT 120000
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Bound message with a talloc context.
|
|
||||||
--
|
|
||||||
2.20.0
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
From 08bba3a6e3e4e21f2e20b71cca463d50420aa9ee Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Thu, 22 Nov 2018 11:36:57 +0100
|
|
||||||
Subject: [PATCH] tests: fix mocking krb5_creds in test_copy_ccache
|
|
||||||
|
|
||||||
To just test some ccache related functionality without talking to an
|
|
||||||
actual KDC to get the tickets some needed libkrb5 structs were mocked
|
|
||||||
based on tests from the MIT Kerberos source code. One struct member
|
|
||||||
(is_skey) was so far not regarded by libkrb5 for out test case. But a
|
|
||||||
recent fix for http://krbdev.mit.edu/rt/Ticket/Display.html?id=8718
|
|
||||||
changed this and we have to change the mocking.
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/tests/cmocka/test_copy_ccache.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/tests/cmocka/test_copy_ccache.c b/src/tests/cmocka/test_copy_ccache.c
|
|
||||||
index 84225b6bf..7c76c00e8 100644
|
|
||||||
--- a/src/tests/cmocka/test_copy_ccache.c
|
|
||||||
+++ b/src/tests/cmocka/test_copy_ccache.c
|
|
||||||
@@ -88,7 +88,7 @@ static int setup_ccache(void **state)
|
|
||||||
test_creds.times.starttime = 2222;
|
|
||||||
test_creds.times.endtime = 3333;
|
|
||||||
test_creds.times.renew_till = 4444;
|
|
||||||
- test_creds.is_skey = 1;
|
|
||||||
+ test_creds.is_skey = 0;
|
|
||||||
test_creds.ticket_flags = 5555;
|
|
||||||
test_creds.addresses = addrs;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.20.0
|
|
||||||
|
|
@ -0,0 +1,29 @@
|
|||||||
|
From 399ee9d1af9cca4026ce50c58ce25c45a30c85c2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Sat, 1 Feb 2020 17:39:07 +0000
|
||||||
|
Subject: [PATCH] BUILD: Accept krb5 1.18 for building the PAC plugin
|
||||||
|
|
||||||
|
Merges: https://pagure.io/SSSD/sssd/pull-request/4152
|
||||||
|
|
||||||
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||||
|
---
|
||||||
|
src/external/pac_responder.m4 | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
|
||||||
|
index dc986a1b8..114d8470f 100644
|
||||||
|
--- a/src/external/pac_responder.m4
|
||||||
|
+++ b/src/external/pac_responder.m4
|
||||||
|
@@ -19,7 +19,8 @@ then
|
||||||
|
Kerberos\ 5\ release\ 1.14* | \
|
||||||
|
Kerberos\ 5\ release\ 1.15* | \
|
||||||
|
Kerberos\ 5\ release\ 1.16* | \
|
||||||
|
- Kerberos\ 5\ release\ 1.17*)
|
||||||
|
+ Kerberos\ 5\ release\ 1.17* | \
|
||||||
|
+ Kerberos\ 5\ release\ 1.18*)
|
||||||
|
krb5_version_ok=yes
|
||||||
|
AC_MSG_RESULT([yes])
|
||||||
|
;;
|
||||||
|
--
|
||||||
|
2.20.1
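Review bot: The accepted versions are an explicit whitelist of `Kerberos\ 5\ release\ 1.NN*` patterns, so every new MIT krb5 release (1.19, 1.20, …) will again break the PAC plugin build until another one-line patch like this is carried; a minimum-version comparison on the parsed version string would remove that churn. The enclosing `case` statement and its non-matching branch begin and end outside the hunk, so I cannot see what happens when the version is rejected; if that branch only disables the PAC responder, a `>= 1.13` style check would be the natural replacement. The change itself is consistent with the 1.17 entry it extends, so this is a maintainability point rather than a defect.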
|
||||||
|
|
@ -1,49 +0,0 @@
|
|||||||
From 677a93372e4b7359d19d7e55467fa5ccea4a80a3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Wed, 15 Aug 2018 22:07:40 +0200
|
|
||||||
Subject: [PATCH 2/4] BUILD: Add missing deps to libsss_sbus*.so
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
It indirectly caused failures when linking unit test.
|
|
||||||
|
|
||||||
CCLD test_sbus_opath
|
|
||||||
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_validate'
|
|
||||||
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_free'
|
|
||||||
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_malloc'
|
|
||||||
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_casefold'
|
|
||||||
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_collate'
|
|
||||||
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_strlen'
|
|
||||||
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_strdown'
|
|
||||||
|
|
||||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3808
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
Makefile.am | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index a2d8ea4..1b4f044 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -1105,6 +1105,7 @@ libsss_sbus_la_LIBADD = \
|
|
||||||
$(TALLOC_LIBS) \
|
|
||||||
$(TEVENT_LIBS) \
|
|
||||||
$(DBUS_LIBS) \
|
|
||||||
+ $(UNICODE_LIBS) \
|
|
||||||
$(NULL)
|
|
||||||
libsss_sbus_la_CFLAGS = \
|
|
||||||
$(AM_CFLAGS) \
|
|
||||||
@@ -1146,6 +1147,7 @@ libsss_sbus_sync_la_CFLAGS = \
|
|
||||||
$(AM_CFLAGS) \
|
|
||||||
$(TALLOC_CFLAGS) \
|
|
||||||
$(DBUS_CFLAGS) \
|
|
||||||
+ $(UNICODE_LIBS) \
|
|
||||||
$(NULL)
|
|
||||||
libsss_sbus_sync_la_LDFLAGS = \
|
|
||||||
-avoid-version \
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,267 +0,0 @@
|
|||||||
From e185b039468ec27bbc905c61c57dffc5496af521 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Tue, 5 Feb 2019 10:36:13 +0100
|
|
||||||
Subject: [PATCH 2/3] sbus: improve documentation of SBUS_INTERFACE
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/sbus/sbus_interface.h | 195 +++++++++++++++++++++++++++-----------
|
|
||||||
1 file changed, 138 insertions(+), 57 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sbus/sbus_interface.h b/src/sbus/sbus_interface.h
|
|
||||||
index 45ab4b5ad..2312fde68 100644
|
|
||||||
--- a/src/sbus/sbus_interface.h
|
|
||||||
+++ b/src/sbus/sbus_interface.h
|
|
||||||
@@ -49,35 +49,47 @@ struct sbus_node;
|
|
||||||
*
|
|
||||||
* @see SBUS_SYNC, SBUS_ASYNC, SBUS_NO_METHODS, SBUS_WITHOUT_METHODS
|
|
||||||
*
|
|
||||||
+ * The following examples demonstrate the intended usage of this macro.
|
|
||||||
+ * Do not use it in any other way.
|
|
||||||
+ *
|
|
||||||
* @example Interface with two methods, one with synchronous handler,
|
|
||||||
* one with asynchronous handler.
|
|
||||||
*
|
|
||||||
- * struct sbus_interface iface = {
|
|
||||||
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
|
|
||||||
- * SBUS_METHODS(
|
|
||||||
- * SBUS_SYNC (METHOD, org_freedekstop_sssd, UpdateMembers,
|
|
||||||
- * update_members_sync, pvt_data),
|
|
||||||
- * SBUS_ASYNC(METHOD, org_freedekstop_sssd, UpdateMembersAsync,
|
|
||||||
- * update_members_send, update_members_recv,
|
|
||||||
- * pvt_data)
|
|
||||||
- * )
|
|
||||||
- * };
|
|
||||||
+ * SBUS_INTERFACE(
|
|
||||||
+ * iface_variable,
|
|
||||||
+ * org_freedesktop_sssd,
|
|
||||||
+ * SBUS_METHODS(
|
|
||||||
+ * SBUS_SYNC (METHOD, org_freedekstop_sssd, UpdateMembers,
|
|
||||||
+ * update_members_sync, pvt_data),
|
|
||||||
+ * SBUS_ASYNC(METHOD, org_freedekstop_sssd, UpdateMembersAsync,
|
|
||||||
+ * update_members_send, update_members_recv,
|
|
||||||
+ * pvt_data)
|
|
||||||
+ * ),
|
|
||||||
+ * @signals,
|
|
||||||
+ * @properties
|
|
||||||
+ * );
|
|
||||||
*
|
|
||||||
* @example Interface with no methods.
|
|
||||||
*
|
|
||||||
- * struct sbus_interface empty_iface = {
|
|
||||||
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
|
|
||||||
- * SBUS_METHODS(
|
|
||||||
- * SBUS_NO_METHODS
|
|
||||||
- * )
|
|
||||||
- * };
|
|
||||||
+ * SBUS_INTERFACE(
|
|
||||||
+ * iface_variable,
|
|
||||||
+ * org_freedesktop_sssd,
|
|
||||||
+ * SBUS_METHODS(
|
|
||||||
+ * SBUS_NO_METHODS
|
|
||||||
+ * ),
|
|
||||||
+ * @signals,
|
|
||||||
+ * @properties
|
|
||||||
+ * );
|
|
||||||
*
|
|
||||||
* or
|
|
||||||
*
|
|
||||||
- * struct sbus_interface empty_iface = {
|
|
||||||
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
|
|
||||||
- * SBUS_WITHOUT_METHODS
|
|
||||||
- * };
|
|
||||||
+ * SBUS_INTERFACE(
|
|
||||||
+ * iface_variable,
|
|
||||||
+ * org_freedesktop_sssd,
|
|
||||||
+ * SBUS_WITHOUT_METHODS,
|
|
||||||
+ * @signals,
|
|
||||||
+ * @properties
|
|
||||||
+ * );
|
|
||||||
*/
|
|
||||||
#define SBUS_METHODS(...) \
|
|
||||||
{ \
|
|
||||||
@@ -91,30 +103,42 @@ struct sbus_node;
|
|
||||||
*
|
|
||||||
* @see SBUS_EMIT, SBUS_NO_SIGNALS, SBUS_WITHOUT_SIGNALS
|
|
||||||
*
|
|
||||||
+ * The following examples demonstrate the intended usage of this macro.
|
|
||||||
+ * Do not use it in any other way.
|
|
||||||
+ *
|
|
||||||
* @example Interface that can emit a PropertyChanged signal.
|
|
||||||
*
|
|
||||||
- * struct sbus_interface iface = {
|
|
||||||
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
|
|
||||||
- * SBUS_SIGNALS(
|
|
||||||
- * SBUS_EMIT(org_freedekstop_sssd, PropertyChanged)
|
|
||||||
- * )
|
|
||||||
- * };
|
|
||||||
+ * SBUS_INTERFACE(
|
|
||||||
+ * iface_variable,
|
|
||||||
+ * org_freedesktop_sssd,
|
|
||||||
+ * @methods,
|
|
||||||
+ * SBUS_SIGNALS(
|
|
||||||
+ * SBUS_EMIT(org_freedekstop_sssd, PropertyChanged)
|
|
||||||
+ * ),
|
|
||||||
+ * @properties
|
|
||||||
+ * );
|
|
||||||
*
|
|
||||||
* @example Interface with no signals.
|
|
||||||
*
|
|
||||||
- * struct sbus_interface empty_iface = {
|
|
||||||
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
|
|
||||||
- * SBUS_SIGNALS(
|
|
||||||
- * SBUS_NO_SIGNALS
|
|
||||||
- * )
|
|
||||||
- * };
|
|
||||||
+ * SBUS_INTERFACE(
|
|
||||||
+ * iface_variable,
|
|
||||||
+ * org_freedesktop_sssd,
|
|
||||||
+ * @methods,
|
|
||||||
+ * SBUS_SIGNALS(
|
|
||||||
+ * SBUS_NO_SIGNALS
|
|
||||||
+ * ),
|
|
||||||
+ * @properties
|
|
||||||
+ * );
|
|
||||||
*
|
|
||||||
* or
|
|
||||||
*
|
|
||||||
- * struct sbus_interface empty_iface = {
|
|
||||||
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
|
|
||||||
- * SBUS_WITHOUT_SIGNALS
|
|
||||||
- * };
|
|
||||||
+ * SBUS_INTERFACE(
|
|
||||||
+ * iface_variable,
|
|
||||||
+ * org_freedesktop_sssd,
|
|
||||||
+ * @methods,
|
|
||||||
+ * SBUS_WITHOUT_SIGNALS,
|
|
||||||
+ * @properties
|
|
||||||
+ * );
|
|
||||||
*/
|
|
||||||
#define SBUS_SIGNALS(...) \
|
|
||||||
{ \
|
|
||||||
@@ -128,35 +152,47 @@ struct sbus_node;
|
|
||||||
*
|
|
||||||
* @see SBUS_SYNC, SBUS_ASYNC, SBUS_NO_PROPERTIES, SBUS_WITHOUT_PROPERTIES
|
|
||||||
*
|
|
||||||
+ * The following examples demonstrate the intended usage of this macro.
|
|
||||||
+ * Do not use it in any other way.
|
|
||||||
+ *
|
|
||||||
* @example Interface with one property with asynchronous getter and
|
|
||||||
* synchronous setter.
|
|
||||||
*
|
|
||||||
- * struct sbus_interface iface = {
|
|
||||||
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
|
|
||||||
- * SBUS_PROPERTIES(
|
|
||||||
- * SBUS_SYNC (GETTER, org_freedekstop_sssd, domain_name,
|
|
||||||
- * set_domain_name, pvt_data),
|
|
||||||
- * SBUS_ASYNC(GETTER, org_freedekstop_sssd, domain_name,
|
|
||||||
- * get_domain_name_send, get_domain_name_recv,
|
|
||||||
- * pvt_data)
|
|
||||||
- * )
|
|
||||||
- * };
|
|
||||||
+ * SBUS_INTERFACE(
|
|
||||||
+ * iface_variable,
|
|
||||||
+ * org_freedesktop_sssd,
|
|
||||||
+ * @methods,
|
|
||||||
+ * @signals,
|
|
||||||
+ * SBUS_PROPERTIES(
|
|
||||||
+ * SBUS_SYNC (GETTER, org_freedekstop_sssd, domain_name,
|
|
||||||
+ * set_domain_name, pvt_data),
|
|
||||||
+ * SBUS_ASYNC(GETTER, org_freedekstop_sssd, domain_name,
|
|
||||||
+ * get_domain_name_send, get_domain_name_recv,
|
|
||||||
+ * pvt_data)
|
|
||||||
+ * )
|
|
||||||
+ * );
|
|
||||||
*
|
|
||||||
* @example Interface with no properties.
|
|
||||||
*
|
|
||||||
- * struct sbus_interface empty_iface = {
|
|
||||||
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
|
|
||||||
- * SBUS_PROPERTIES(
|
|
||||||
- * SBUS_NO_PROPERTIES
|
|
||||||
- * )
|
|
||||||
- * };
|
|
||||||
+ * SBUS_INTERFACE(
|
|
||||||
+ * iface_variable,
|
|
||||||
+ * org_freedesktop_sssd,
|
|
||||||
+ * @methods,
|
|
||||||
+ * @signals,
|
|
||||||
+ * SBUS_PROPERTIES(
|
|
||||||
+ * SBUS_NO_PROPERTIES
|
|
||||||
+ * )
|
|
||||||
+ * );
|
|
||||||
*
|
|
||||||
* or
|
|
||||||
*
|
|
||||||
- * struct sbus_interface empty_iface = {
|
|
||||||
- * .name = SBUS_IFACE_ORG_FREEDESKTOP_SSSD,
|
|
||||||
- * SBUS_WITHOUT_PROPERTIES
|
|
||||||
- * };
|
|
||||||
+ * SBUS_INTERFACE(
|
|
||||||
+ * iface_variable,
|
|
||||||
+ * org_freedesktop_sssd,
|
|
||||||
+ * @methods,
|
|
||||||
+ * @signals,
|
|
||||||
+ * SBUS_WITHOUT_PROPERTIES
|
|
||||||
+ * );
|
|
||||||
*/
|
|
||||||
#define SBUS_PROPERTIES(...) \
|
|
||||||
{ \
|
|
||||||
@@ -239,8 +275,53 @@ struct sbus_node;
|
|
||||||
* @param signals Signals on the interface.
|
|
||||||
* @param properties Properties on the interface.
|
|
||||||
*
|
|
||||||
+ * Please note that the following macro introduced to the scope these variables:
|
|
||||||
+ * - __varname_m
|
|
||||||
+ * - __varname_s
|
|
||||||
+ * - __varname_p
|
|
||||||
+ *
|
|
||||||
+ * These variables are intended for internal purpose only and should not be
|
|
||||||
+ * used outside this macro. They are allocated on stack and will be destroyed
|
|
||||||
+ * with it.
|
|
||||||
+ *
|
|
||||||
+ * Additionally, it creates 'struct sbus_interface varname'. This variable
|
|
||||||
+ * holds the information about the interfaces you created. The structure and
|
|
||||||
+ * all its data are allocated on stack and will be destroyed with it.
|
|
||||||
+ *
|
|
||||||
+ * The only intended usage of this variable is to assign it to an sbus path
|
|
||||||
+ * and then register this path inside the same function where the interface
|
|
||||||
+ * is defined. It should not be used in any other way.
|
|
||||||
+ *
|
|
||||||
+ * The following example demonstrates the intended usage of this macro.
|
|
||||||
+ * Do not use it in any other way.
|
|
||||||
+ *
|
|
||||||
* @example
|
|
||||||
- * SBUS_INTERFACE(org_freedesktop_sssd, @methods, @signals, @properties)
|
|
||||||
+ * SBUS_INTERFACE(
|
|
||||||
+ * iface_bus,
|
|
||||||
+ * org_freedesktop_DBus,
|
|
||||||
+ * SBUS_METHODS(
|
|
||||||
+ * SBUS_SYNC(METHOD, org_freedesktop_DBus, Hello, sbus_server_bus_hello, server),
|
|
||||||
+ * SBUS_SYNC(METHOD, org_freedesktop_DBus, RequestName, sbus_server_bus_request_name, server),
|
|
||||||
+ * ),
|
|
||||||
+ * SBUS_SIGNALS(
|
|
||||||
+ * SBUS_EMITS(org_freedesktop_DBus, NameOwnerChanged),
|
|
||||||
+ * SBUS_EMITS(org_freedesktop_DBus, NameAcquired),
|
|
||||||
+ * SBUS_EMITS(org_freedesktop_DBus, NameLost)
|
|
||||||
+ * ),
|
|
||||||
+ * SBUS_WITHOUT_PROPERTIES
|
|
||||||
+ * );
|
|
||||||
+ *
|
|
||||||
+ * struct sbus_path paths[] = {
|
|
||||||
+ * {"/org/freedesktop/dbus", &iface_bus},
|
|
||||||
+ * {NULL, NULL}
|
|
||||||
+ * };
|
|
||||||
+ *
|
|
||||||
+ * ret = sbus_router_add_path_map(server->router, paths);
|
|
||||||
+ * if (ret != EOK) {
|
|
||||||
+ * DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n",
|
|
||||||
+ * ret, sss_strerror(ret));
|
|
||||||
+ * return ret;
|
|
||||||
+ * }
|
|
||||||
*
|
|
||||||
* @see SBUS_METHODS, SBUS_SIGNALS, SBUS_PROPERTIES to create those arguments.
|
|
||||||
*/
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,118 +0,0 @@
|
|||||||
From 53ed60b878d3737d4c174644b69df960595479da Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Wed, 15 Aug 2018 22:23:42 +0200
|
|
||||||
Subject: [PATCH 3/4] BUILD: Reduce compilation of unnecessary files
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
We safe compilation of 52 files 2 times with linking to existing
|
|
||||||
internal libraries.
|
|
||||||
|
|
||||||
It also fixes issue with multiple definition of the same symbol
|
|
||||||
|
|
||||||
CCLD responder_common-tests
|
|
||||||
/usr/bin/ld: .libs/libsss_debug.so and ../../../src/util/responder_common_tests-debug.o:
|
|
||||||
warning: multiple common of `sss_logger'
|
|
||||||
collect2: error: ld returned 1 exit status
|
|
||||||
|
|
||||||
Merges: https://pagure.io/SSSD/sssd/pull-request/3808
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/tests/cwrap/Makefile.am | 64 +++------------------------------------------
|
|
||||||
1 file changed, 4 insertions(+), 60 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
|
|
||||||
index d5778d1..b63c695 100644
|
|
||||||
--- a/src/tests/cwrap/Makefile.am
|
|
||||||
+++ b/src/tests/cwrap/Makefile.am
|
|
||||||
@@ -66,67 +66,7 @@ SSSD_CACHE_REQ_OBJ = \
|
|
||||||
../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
-SSSD_SBUS_OBJ = \
|
|
||||||
- ../../../src/util/check_and_open.c \
|
|
||||||
- ../../../src/util/debug.c \
|
|
||||||
- ../../../src/util/sss_ptr_hash.c \
|
|
||||||
- ../../../src/util/sss_ptr_list.c \
|
|
||||||
- ../../../src/util/sss_utf8.c \
|
|
||||||
- ../../../src/util/util.c \
|
|
||||||
- ../../../src/util/util_errors.c \
|
|
||||||
- ../../../src/util/util_ext.c \
|
|
||||||
- ../../../src/util/strtonum.c \
|
|
||||||
- ../../../src/sbus/sbus_errors.c \
|
|
||||||
- ../../../src/sbus/sbus_opath.c \
|
|
||||||
- ../../../src/sbus/connection/sbus_connection.c \
|
|
||||||
- ../../../src/sbus/connection/sbus_connection_connect.c \
|
|
||||||
- ../../../src/sbus/connection/sbus_dbus.c \
|
|
||||||
- ../../../src/sbus/connection/sbus_dispatcher.c \
|
|
||||||
- ../../../src/sbus/connection/sbus_reconnect.c \
|
|
||||||
- ../../../src/sbus/connection/sbus_send.c \
|
|
||||||
- ../../../src/sbus/connection/sbus_watch.c \
|
|
||||||
- ../../../src/sbus/interface_dbus/sbus_dbus_arguments.c \
|
|
||||||
- ../../../src/sbus/interface_dbus/sbus_dbus_client_async.c \
|
|
||||||
- ../../../src/sbus/interface_dbus/sbus_dbus_invokers.c \
|
|
||||||
- ../../../src/sbus/interface_dbus/sbus_dbus_keygens.c \
|
|
||||||
- ../../../src/sbus/interface_dbus/sbus_dbus_symbols.c \
|
|
||||||
- ../../../src/sbus/interface/sbus_interface.c \
|
|
||||||
- ../../../src/sbus/interface/sbus_introspection.c \
|
|
||||||
- ../../../src/sbus/interface/sbus_iterator_readers.c \
|
|
||||||
- ../../../src/sbus/interface/sbus_iterator_writers.c \
|
|
||||||
- ../../../src/sbus/interface/sbus_properties.c \
|
|
||||||
- ../../../src/sbus/interface/sbus_properties_parser.c \
|
|
||||||
- ../../../src/sbus/interface/sbus_std_signals.c \
|
|
||||||
- ../../../src/sbus/request/sbus_message.c \
|
|
||||||
- ../../../src/sbus/request/sbus_request.c \
|
|
||||||
- ../../../src/sbus/request/sbus_request_call.c \
|
|
||||||
- ../../../src/sbus/request/sbus_request_hash.c \
|
|
||||||
- ../../../src/sbus/request/sbus_request_sender.c \
|
|
||||||
- ../../../src/sbus/request/sbus_request_util.c \
|
|
||||||
- ../../../src/sbus/router/sbus_router.c \
|
|
||||||
- ../../../src/sbus/router/sbus_router_handler.c \
|
|
||||||
- ../../../src/sbus/router/sbus_router_hash.c \
|
|
||||||
- ../../../src/sbus/server/sbus_server_handler.c \
|
|
||||||
- ../../../src/sbus/server/sbus_server_interface.c \
|
|
||||||
- ../../../src/sbus/server/sbus_server_match.c \
|
|
||||||
- ../../../src/sbus/server/sbus_server.c \
|
|
||||||
- $(NULL)
|
|
||||||
-
|
|
||||||
-SSSD_IFACE_OBJ = \
|
|
||||||
- ../../../src/sss_iface/sbus_sss_arguments.c \
|
|
||||||
- ../../../src/sss_iface/sbus_sss_client_async.c \
|
|
||||||
- ../../../src/sss_iface/sbus_sss_invokers.c \
|
|
||||||
- ../../../src/sss_iface/sbus_sss_keygens.c \
|
|
||||||
- ../../../src/sss_iface/sbus_sss_symbols.c \
|
|
||||||
- ../../../src/sss_iface/sss_iface_types.c \
|
|
||||||
- ../../../src/sss_iface/sss_iface.c \
|
|
||||||
- ../../../src/util/domain_info_utils.c \
|
|
||||||
- ../../../src/util/sss_pam_data.c \
|
|
||||||
- $(NULL)
|
|
||||||
-
|
|
||||||
SSSD_RESPONDER_IFACE_OBJ = \
|
|
||||||
- $(SSSD_SBUS_OBJ) \
|
|
||||||
- $(SSSD_IFACE_OBJ) \
|
|
||||||
../../../src/responder/common/responder_iface.c \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
@@ -244,6 +184,8 @@ responder_common_tests_LDADD = \
|
|
||||||
$(abs_top_builddir)/libsss_util.la \
|
|
||||||
$(abs_top_builddir)/libsss_debug.la \
|
|
||||||
$(abs_top_builddir)/libsss_test_common.la \
|
|
||||||
+ $(abs_top_builddir)/libsss_iface.la \
|
|
||||||
+ $(abs_top_builddir)/libsss_sbus.la \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
negcache_tests_SOURCES =\
|
|
||||||
@@ -262,6 +204,8 @@ negcache_tests_LDADD = \
|
|
||||||
$(abs_top_builddir)/libsss_util.la \
|
|
||||||
$(abs_top_builddir)/libsss_debug.la \
|
|
||||||
$(abs_top_builddir)/libsss_test_common.la \
|
|
||||||
+ $(abs_top_builddir)/libsss_iface.la \
|
|
||||||
+ $(abs_top_builddir)/libsss_sbus.la \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
tests: $(check_PROGRAMS)
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
35
0003-INI-sssctl-config-check-command-error-messages.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
From b626651847e188e89a332b8ac4bfaaa5047e1b3d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Halman <thalman@redhat.com>
|
||||||
|
Date: Tue, 10 Dec 2019 16:30:32 +0100
|
||||||
|
Subject: [PATCH] INI: sssctl config-check command error messages
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
In case of parsing error sssctl config-check command does not give
|
||||||
|
proper error messages with line number. With this patch the error
|
||||||
|
message is printed again.
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://pagure.io/SSSD/sssd/issue/4129
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
---
|
||||||
|
src/util/sss_ini.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
|
||||||
|
index e3699805d..5d91602cd 100644
|
||||||
|
--- a/src/util/sss_ini.c
|
||||||
|
+++ b/src/util/sss_ini.c
|
||||||
|
@@ -865,6 +865,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
|
||||||
|
|
||||||
|
ret = sss_ini_parse(self);
|
||||||
|
if (ret != EOK) {
|
||||||
|
+ sss_ini_config_print_errors(self->error_list);
|
||||||
|
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
|
||||||
|
return ERR_INI_PARSE_FAILED;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
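Review bot: The added `sss_ini_config_print_errors(self->error_list)` call lives in `sss_ini_read_sssd_conf` in the shared src/util/sss_ini.c, while the commit message motivates it only for `sssctl config-check`; if that helper writes to stdout/stderr (its body is not visible here), the daemon's own configuration load will now also print to the console on a parse failure, which may be unwanted when started from systemd. If `self->error_list` can still be NULL when `sss_ini_parse()` fails early, the helper must tolerate that, or the call should be guarded as `if (self->error_list != NULL) sss_ini_config_print_errors(self->error_list);`. A one-line comment such as `/* Print parser errors with line numbers before bailing out (sssctl config-check) */` would record why the print precedes the DEBUG message. `sss_ini_read_sssd_conf` starts and ends outside the hunk.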
|
||||||
|
|
@ -1,58 +0,0 @@
|
|||||||
From 38ebae7e0ea889fa9022670a3e08e7352b624677 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
Date: Mon, 4 Feb 2019 18:13:14 +0100
|
|
||||||
Subject: [PATCH 3/3] sbus/interface: fixed interface copy helpers
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
In `sbus_method_copy()` and other copy helpers there was code like:
|
|
||||||
```
|
|
||||||
copy = talloc_zero_array(mem_ctx, struct sbus_method, count + 1);
|
|
||||||
memcpy(copy, input, sizeof(struct sbus_method) * count + 1);
|
|
||||||
```
|
|
||||||
Copy of one byte of "sentinel" doesn't make a sense.
|
|
||||||
We can either rely on the fact that sentinel is zero-initialized struct
|
|
||||||
*and* `talloc_zero_array()` zero-initializes memory (so copying of
|
|
||||||
sentinel may be omitted at all) or just copy sentinel in a whole.
|
|
||||||
Opted for second option as more clear variant.
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/sbus/interface/sbus_interface.c | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sbus/interface/sbus_interface.c b/src/sbus/interface/sbus_interface.c
|
|
||||||
index ed1b5fd79..afd54dd81 100644
|
|
||||||
--- a/src/sbus/interface/sbus_interface.c
|
|
||||||
+++ b/src/sbus/interface/sbus_interface.c
|
|
||||||
@@ -109,7 +109,7 @@ sbus_method_copy(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
/* All data is either pointer to a static data or it is not a pointer.
|
|
||||||
* We can just copy it. */
|
|
||||||
- memcpy(copy, input, sizeof(struct sbus_method) * count + 1);
|
|
||||||
+ memcpy(copy, input, sizeof(struct sbus_method) * (count + 1));
|
|
||||||
|
|
||||||
return copy;
|
|
||||||
}
|
|
||||||
@@ -144,7 +144,7 @@ sbus_signal_copy(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
/* All data is either pointer to a static data or it is not a pointer.
|
|
||||||
* We can just copy it. */
|
|
||||||
- memcpy(copy, input, sizeof(struct sbus_signal) * count + 1);
|
|
||||||
+ memcpy(copy, input, sizeof(struct sbus_signal) * (count + 1));
|
|
||||||
|
|
||||||
return copy;
|
|
||||||
}
|
|
||||||
@@ -208,7 +208,7 @@ sbus_property_copy(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
/* All data is either pointer to a static data or it is not a pointer.
|
|
||||||
* We can just copy it. */
|
|
||||||
- memcpy(copy, input, sizeof(struct sbus_property) * count + 1);
|
|
||||||
+ memcpy(copy, input, sizeof(struct sbus_property) * (count + 1));
|
|
||||||
|
|
||||||
return copy;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,39 +0,0 @@
|
|||||||
From 81dce19792cf300950411722d16b72f8816aecb0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Tue, 28 Aug 2018 14:47:44 +0200
|
|
||||||
Subject: [PATCH] KCM: Don't error out if creating a new ID as the first step
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
We need to handle the case where the nextID operation is ran, but the
|
|
||||||
secdb is totally empty, otherwise logins with sssd's krb5_child would
|
|
||||||
fail.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://pagure.io/SSSD/sssd/issue/3815
|
|
||||||
|
|
||||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/kcm/kcmsrv_ccache_secdb.c | 5 ++++-
|
|
||||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
|
|
||||||
index 0f1c037..a61d7b1 100644
|
|
||||||
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
|
|
||||||
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
|
|
||||||
@@ -595,7 +595,10 @@ static struct tevent_req *ccdb_secdb_nextid_send(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = sss_sec_list(state, sreq, &keys, &nkeys);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
+ if (ret == ENOENT) {
|
|
||||||
+ keys = NULL;
|
|
||||||
+ nkeys = 0;
|
|
||||||
+ } else if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"Cannot list keys [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -0,0 +1,42 @@
|
|||||||
|
From 21cb9fb28db1f2eb4ee770eb029bfe20233e4392 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Thu, 12 Dec 2019 13:10:16 +0100
|
||||||
|
Subject: [PATCH] certmap: mention special regex characters in man page
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Since some of the matching rules use regular expressions some characters
|
||||||
|
must be escaped so that they can be used a ordinary characters in the
|
||||||
|
rules.
|
||||||
|
|
||||||
|
Related to https://pagure.io/SSSD/sssd/issue/4127
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
---
|
||||||
|
src/man/sss-certmap.5.xml | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
|
||||||
|
index db258d14a..10343625e 100644
|
||||||
|
--- a/src/man/sss-certmap.5.xml
|
||||||
|
+++ b/src/man/sss-certmap.5.xml
|
||||||
|
@@ -92,6 +92,15 @@
|
||||||
|
<para>
|
||||||
|
Example: <SUBJECT>.*,DC=MY,DC=DOMAIN
|
||||||
|
</para>
|
||||||
|
+ <para>
|
||||||
|
+ Please note that the characters "^.[$()|*+?{\" have a
|
||||||
|
+ special meaning in regular expressions and must be
|
||||||
|
+ escaped with the help of the '\' character so that they
|
||||||
|
+ are matched as ordinary characters.
|
||||||
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
+ Example: <SUBJECT>^CN=.* \(Admin\),DC=MY,DC=DOMAIN$
|
||||||
|
+ </para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
98
0005-ldap_child-do-not-try-PKINIT.patch
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 6 Dec 2019 12:29:49 +0100
|
||||||
|
Subject: [PATCH] ldap_child: do not try PKINIT
|
||||||
|
|
||||||
|
if the PKINIT plugin is installed and pkinit_identities is set in
|
||||||
|
/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
|
||||||
|
wants to authenticate with a keytab. As a result ldap_child might try to
|
||||||
|
access a Smartcard which is either not allowed at all or might cause
|
||||||
|
unexpected delays.
|
||||||
|
|
||||||
|
To avoid this the current patch sets pkinit_identities for LDAP child
|
||||||
|
explicitly to make the PKINIT plugin fail because if installed libkrb5
|
||||||
|
will always use it.
|
||||||
|
|
||||||
|
It turned out the setting pre-authentication options requires some
|
||||||
|
internal flags to be set and krb5_get_init_creds_opt_alloc() must be
|
||||||
|
used to initialize the options struct.
|
||||||
|
|
||||||
|
Related to https://pagure.io/SSSD/sssd/issue/4126
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
---
|
||||||
|
src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++--------
|
||||||
|
1 file changed, 22 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
|
||||||
|
index 408d64db4..b081df90f 100644
|
||||||
|
--- a/src/providers/ldap/ldap_child.c
|
||||||
|
+++ b/src/providers/ldap/ldap_child.c
|
||||||
|
@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||||
|
krb5_ccache ccache = NULL;
|
||||||
|
krb5_principal kprinc;
|
||||||
|
krb5_creds my_creds;
|
||||||
|
- krb5_get_init_creds_opt options;
|
||||||
|
+ krb5_get_init_creds_opt *options = NULL;
|
||||||
|
krb5_error_code krberr;
|
||||||
|
krb5_timestamp kdc_time_offset;
|
||||||
|
int canonicalize = 0;
|
||||||
|
@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
memset(&my_creds, 0, sizeof(my_creds));
|
||||||
|
- memset(&options, 0, sizeof(options));
|
||||||
|
|
||||||
|
- krb5_get_init_creds_opt_set_address_list(&options, NULL);
|
||||||
|
- krb5_get_init_creds_opt_set_forwardable(&options, 0);
|
||||||
|
- krb5_get_init_creds_opt_set_proxiable(&options, 0);
|
||||||
|
- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
|
||||||
|
+ krberr = krb5_get_init_creds_opt_alloc(context, &options);
|
||||||
|
+ if (krberr != 0) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n");
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ krb5_get_init_creds_opt_set_address_list(options, NULL);
|
||||||
|
+ krb5_get_init_creds_opt_set_forwardable(options, 0);
|
||||||
|
+ krb5_get_init_creds_opt_set_proxiable(options, 0);
|
||||||
|
+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
|
||||||
|
+ krberr = krb5_get_init_creds_opt_set_pa(context, options,
|
||||||
|
+ "X509_user_identity", "");
|
||||||
|
+ if (krberr != 0) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n",
|
||||||
|
+ krberr);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
|
||||||
|
tmp_str = getenv("KRB5_CANONICALIZE");
|
||||||
|
if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
|
||||||
|
DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
|
||||||
|
canonicalize = 1;
|
||||||
|
}
|
||||||
|
- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
|
||||||
|
+ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize);
|
||||||
|
|
||||||
|
ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
|
||||||
|
DB_PATH, realm_name);
|
||||||
|
@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
|
||||||
|
- keytab, 0, NULL, &options);
|
||||||
|
+ keytab, 0, NULL, options);
|
||||||
|
if (krberr != 0) {
|
||||||
|
DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
"krb5_get_init_creds_keytab() failed: %d\n", krberr);
|
||||||
|
@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||||
|
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
|
||||||
|
|
||||||
|
done:
|
||||||
|
+ krb5_get_init_creds_opt_free(context, options);
|
||||||
|
if (krberr != 0) {
|
||||||
|
if (*_krb5_msg == NULL) {
|
||||||
|
/* no custom error message provided hence get one from libkrb5 */
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -1,48 +0,0 @@
|
|||||||
From 55d5b43543b5ef62322fe635fe8108410cb4ea77 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Wed, 5 Sep 2018 15:08:52 +0200
|
|
||||||
Subject: [PATCH 08/83] sbus: register filter on new connection
|
|
||||||
|
|
||||||
The filter is not again registered on new connection when the old connection
|
|
||||||
was lost. This caused a segfault when the router is destroyed during shutdown.
|
|
||||||
|
|
||||||
It also would not allow to recieve and process any messages as the filter
|
|
||||||
function is needed for that. However, this was not very visible with
|
|
||||||
current sssd architecture.
|
|
||||||
|
|
||||||
Steps to reproduce:
|
|
||||||
1. Run SSSD
|
|
||||||
2. pkill sssd_be
|
|
||||||
3. Wait for responders to reconnect to backend
|
|
||||||
4. Shutdown SSSD
|
|
||||||
5. It will crash without this patch
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://pagure.io/SSSD/sssd/issue/3821
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/sbus/router/sbus_router.c | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/sbus/router/sbus_router.c b/src/sbus/router/sbus_router.c
|
|
||||||
index 24c2c76..d31cef1 100644
|
|
||||||
--- a/src/sbus/router/sbus_router.c
|
|
||||||
+++ b/src/sbus/router/sbus_router.c
|
|
||||||
@@ -364,6 +364,13 @@ errno_t
|
|
||||||
sbus_router_reset(struct sbus_connection *conn)
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
+ bool bret;
|
|
||||||
+
|
|
||||||
+ bret = sbus_router_filter_add(conn->router);
|
|
||||||
+ if (!bret) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register message filter!\n");
|
|
||||||
+ return EFAULT;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
ret = sbus_router_reset_listeners(conn);
|
|
||||||
if (ret != EOK) {
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
From 8c8f74b0dfa29643279d31b12300ced47d5c2ab5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 16 Aug 2018 11:42:44 +0200
|
|
||||||
Subject: [PATCH 09/83] sbus: fix typo
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/sbus/sbus_message.h | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
|
|
||||||
index 99dd930..92d5cea 100644
|
|
||||||
--- a/src/sbus/sbus_message.h
|
|
||||||
+++ b/src/sbus/sbus_message.h
|
|
||||||
@@ -49,7 +49,7 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
|
||||||
*
|
|
||||||
* DO NOT USE dbus_message_unref() on such message anymore since it would not
|
|
||||||
* release internal data about the bound. The message will be automatically
|
|
||||||
- * unreferenced whent the talloc context is freed.
|
|
||||||
+ * unreferenced when the talloc context is freed.
|
|
||||||
*
|
|
||||||
* @param mem_ctx Memory context to bound the message with. It can not be NULL.
|
|
||||||
* @param msg Message to be bound with memory context.
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
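--- /dev/null
+++ b/0006-util-watchdog-fixed-watchdog-implementation.patch
@@ -0,0 +1,52 @@
+From 2c13d8bd00f1e8ff30e9fc81f183f6450303ac30 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 11 Dec 2019 18:42:49 +0100
+Subject: [PATCH] util/watchdog: fixed watchdog implementation
+
+In case watchdog detected locked process and this process was parent
+process it just sent SIGTERM to the whole group of processes, including
+itself.
+This handling was wrong: generic `server_setup()` installs custom
+libtevent handler for SIGTERM signal so this signal is only processed
+in the context of tevent mainloop. But if tevent mainloop is stuck
+(exactly the case that triggers WD) then event is not processed
+and this made watchdog useless.
+`watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do
+unconditional `_exit()` after optionally sending a signal to the group.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4089
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+src/util/util_watchdog.c | 6 ++----
+1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
+index a07275b19..38c248271 100644
+--- a/src/util/util_watchdog.c
++++ b/src/util/util_watchdog.c
+@@ -54,9 +54,8 @@ static void watchdog_detect_timeshift(void)
+if (write(watchdog_ctx.pipefd[1], "1", 1) != 1) {
+if (getpid() == getpgrp()) {
+kill(-getpgrp(), SIGTERM);
+- } else {
+- _exit(1);
+}
++ _exit(1);
+}
+}
+}
+@@ -75,9 +74,8 @@ static void watchdog_handler(int sig)
+if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
+if (getpid() == getpgrp()) {
+kill(-getpgrp(), SIGTERM);
+- } else {
+- _exit(1);
+}
++ _exit(1);
+}
+}
+
+--
+2.20.1
+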
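Review bot: The reason the `_exit(1)` must now be unconditional is recorded only in the commit message; a reader of `watchdog_handler()` sees a process that signals its whole group and then exits without waiting for the tevent SIGTERM handler, and may be tempted to restore the old `else` branch. Suggest a comment above the added `_exit(1)` in both hunks, e.g. `/* SIGTERM is delivered to the tevent loop, which is exactly what is stuck; exit directly so the watchdog cannot be ignored. */`. `watchdog_handler(int sig)` is, by its signature, a signal handler, and `watchdog_detect_timeshift()` appears to run on the same path, so `kill()` and `_exit()` are the correct async-signal-safe primitives here; anything added to these paths later (logging, cleanup) should stay on that list. Both enclosing functions start and end outside the hunks.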
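--- /dev/null
+++ b/0007-providers-krb5-got-rid-of-unused-code.patch
@@ -0,0 +1,56 @@
+From 1d4a7ffdcf8b303a40058db49d5e1be4bfb8271a Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Mon, 9 Dec 2019 17:20:28 +0100
+Subject: [PATCH 7/9] providers/krb5: got rid of unused code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+src/providers/krb5/krb5_common.c | 10 ----------
+src/providers/krb5/krb5_common.h | 7 -------
+2 files changed, 17 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
+index bfda561c1..5c11c347b 100644
+--- a/src/providers/krb5/krb5_common.c
++++ b/src/providers/krb5/krb5_common.c
+@@ -1133,16 +1133,6 @@ void remove_krb5_info_files_callback(void *pvt)
+talloc_free(ctx);
+}
+
+-void krb5_finalize(struct tevent_context *ev,
+- struct tevent_signal *se,
+- int signum,
+- int count,
+- void *siginfo,
+- void *private_data)
+-{
+- orderly_shutdown(0);
+-}
+-
+errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
+struct sss_domain_info *dom, const char *username,
+const char *user_dom, char **_upn)
+diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
+index cc9313115..493d12e5f 100644
+--- a/src/providers/krb5/krb5_common.h
++++ b/src/providers/krb5/krb5_common.h
+@@ -196,13 +196,6 @@ int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
+
+void remove_krb5_info_files_callback(void *pvt);
+
+-void krb5_finalize(struct tevent_context *ev,
+- struct tevent_signal *se,
+- int signum,
+- int count,
+- void *siginfo,
+- void *private_data);
+-
+errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm);
+
+errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
+--
+2.20.1
+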
@ -1,41 +0,0 @@
|
|||||||
From 30f4adf874aff174734ad77902a79fc5727ab495 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 16 Aug 2018 12:57:47 +0200
|
|
||||||
Subject: [PATCH 10/83] sbus: check for null message in sbus_message_bound
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/sbus/request/sbus_message.c | 10 ++++++++++
|
|
||||||
1 file changed, 10 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/sbus/request/sbus_message.c b/src/sbus/request/sbus_message.c
|
|
||||||
index 950be91..7314fd7 100644
|
|
||||||
--- a/src/sbus/request/sbus_message.c
|
|
||||||
+++ b/src/sbus/request/sbus_message.c
|
|
||||||
@@ -83,6 +83,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
|
||||||
return EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (msg == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Create a talloc context that will unreference this message when
|
|
||||||
* the parent context is freed. */
|
|
||||||
talloc_msg = talloc(mem_ctx, struct sbus_talloc_msg);
|
|
||||||
@@ -122,6 +127,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
|
||||||
errno_t
|
|
||||||
sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
|
||||||
{
|
|
||||||
+ if (msg == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
dbus_message_ref(msg);
|
|
||||||
return sbus_message_bound(mem_ctx, msg);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -0,0 +1,84 @@
|
|||||||
|
From e41e9b37e4d3fcd8544fb6c591dafbaef0954438 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Date: Mon, 9 Dec 2019 17:48:14 +0100
|
||||||
|
Subject: [PATCH 8/9] data_provider_be: got rid of duplicating SIGTERM handler
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
It was wrong to install two libtevent SIGTERM handlers both of which did
|
||||||
|
orderly_shutdown()->exit(). Naturally only one of the handlers was executed
|
||||||
|
(as process was terminated with exit()) and libtevent docs doesn't say
|
||||||
|
anything about order of execution. But chances are, be_process_finalize()
|
||||||
|
was executed first so default_quit() was not executed and main_ctx was not
|
||||||
|
freed.
|
||||||
|
|
||||||
|
Moreover there is just no reason to have separate be_process_finalize()
|
||||||
|
at all: default server handler default_quit() frees main_ctx. And be_ctx
|
||||||
|
is linked to main_ctx so will be freed by default handler as well.
|
||||||
|
|
||||||
|
Resolves: https://pagure.io/SSSD/sssd/issue/4088
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
---
|
||||||
|
src/providers/data_provider_be.c | 37 --------------------------------
|
||||||
|
1 file changed, 37 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||||
|
index cfcf0268d..ce00231ff 100644
|
||||||
|
--- a/src/providers/data_provider_be.c
|
||||||
|
+++ b/src/providers/data_provider_be.c
|
||||||
|
@@ -445,36 +445,6 @@ be_register_monitor_iface(struct sbus_connection *conn, struct be_ctx *be_ctx)
|
||||||
|
return sbus_connection_add_path_map(be_ctx->mon_conn, paths);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void be_process_finalize(struct tevent_context *ev,
|
||||||
|
- struct tevent_signal *se,
|
||||||
|
- int signum,
|
||||||
|
- int count,
|
||||||
|
- void *siginfo,
|
||||||
|
- void *private_data)
|
||||||
|
-{
|
||||||
|
- struct be_ctx *be_ctx;
|
||||||
|
-
|
||||||
|
- be_ctx = talloc_get_type(private_data, struct be_ctx);
|
||||||
|
- talloc_free(be_ctx);
|
||||||
|
- orderly_shutdown(0);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static errno_t be_process_install_sigterm_handler(struct be_ctx *be_ctx)
|
||||||
|
-{
|
||||||
|
- struct tevent_signal *sige;
|
||||||
|
-
|
||||||
|
- BlockSignals(false, SIGTERM);
|
||||||
|
-
|
||||||
|
- sige = tevent_add_signal(be_ctx->ev, be_ctx, SIGTERM, SA_SIGINFO,
|
||||||
|
- be_process_finalize, be_ctx);
|
||||||
|
- if (sige == NULL) {
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n");
|
||||||
|
- return ENOMEM;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return EOK;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
static void dp_initialized(struct tevent_req *req);
|
||||||
|
|
||||||
|
errno_t be_process_init(TALLOC_CTX *mem_ctx,
|
||||||
|
@@ -566,13 +536,6 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Install signal handler */
|
||||||
|
- ret = be_process_install_sigterm_handler(be_ctx);
|
||||||
|
- if (ret != EOK) {
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE, "be_install_sigterm_handler failed.\n");
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid);
|
||||||
|
if (req == NULL) {
|
||||||
|
ret = ENOMEM;
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -1,336 +0,0 @@
|
|||||||
From ca50c40511f08c0f7c786598e5793a06789c6cce Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 16 Aug 2018 13:17:13 +0200
|
|
||||||
Subject: [PATCH 11/83] sbus: replace sbus_message_bound_ref with
|
|
||||||
sbus_message_bound_steal
|
|
||||||
|
|
||||||
The memory context used to new message reference accidentally overwrote
|
|
||||||
the one use by the initial sbus_message_bound call. This caused a memory
|
|
||||||
leak of message as its reference counter got increased but number of
|
|
||||||
talloc contexts bound this this message decreased at the same time.
|
|
||||||
|
|
||||||
Fixing this is non-trival and it would require separate data slot for
|
|
||||||
each reference. Because we do not have any existing use case for this
|
|
||||||
and we use it only as an equivalent of talloc_steal it is better to
|
|
||||||
provide a real equivalent for this talloc function.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://pagure.io/SSSD/sssd/issue/3810
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c | 4 +-
|
|
||||||
src/sbus/codegen/templates/client_async.c.tpl | 4 +-
|
|
||||||
src/sbus/codegen/templates/client_sync.c.tpl | 4 +-
|
|
||||||
src/sbus/interface_dbus/sbus_dbus_client_async.c | 8 ++--
|
|
||||||
src/sbus/interface_dbus/sbus_dbus_client_sync.c | 8 ++--
|
|
||||||
src/sbus/request/sbus_message.c | 51 +++++++++++++++++-----
|
|
||||||
src/sbus/request/sbus_request.c | 10 ++---
|
|
||||||
src/sbus/request/sbus_request_call.c | 5 +--
|
|
||||||
src/sbus/sbus_message.h | 8 +---
|
|
||||||
src/sbus/sync/sbus_sync_call.c | 5 +--
|
|
||||||
10 files changed, 65 insertions(+), 42 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c b/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
|
|
||||||
index 4859b93..1f0a8e3 100644
|
|
||||||
--- a/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
|
|
||||||
+++ b/src/responder/ifp/ifp_iface/sbus_ifp_client_sync.c
|
|
||||||
@@ -526,9 +526,9 @@ sbus_method_in_sas_out_raw
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
diff --git a/src/sbus/codegen/templates/client_async.c.tpl b/src/sbus/codegen/templates/client_async.c.tpl
|
|
||||||
index 6ffb4f8..e16ce42 100644
|
|
||||||
--- a/src/sbus/codegen/templates/client_async.c.tpl
|
|
||||||
+++ b/src/sbus/codegen/templates/client_async.c.tpl
|
|
||||||
@@ -193,9 +193,9 @@
|
|
||||||
return EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
diff --git a/src/sbus/codegen/templates/client_sync.c.tpl b/src/sbus/codegen/templates/client_sync.c.tpl
|
|
||||||
index 30fa009..fe9a3a4 100644
|
|
||||||
--- a/src/sbus/codegen/templates/client_sync.c.tpl
|
|
||||||
+++ b/src/sbus/codegen/templates/client_sync.c.tpl
|
|
||||||
@@ -110,9 +110,9 @@
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
diff --git a/src/sbus/interface_dbus/sbus_dbus_client_async.c b/src/sbus/interface_dbus/sbus_dbus_client_async.c
|
|
||||||
index 9dbd72c..0060e8b 100644
|
|
||||||
--- a/src/sbus/interface_dbus/sbus_dbus_client_async.c
|
|
||||||
+++ b/src/sbus/interface_dbus/sbus_dbus_client_async.c
|
|
||||||
@@ -301,9 +301,9 @@ sbus_method_in_s_out_raw_recv
|
|
||||||
return EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
@@ -513,9 +513,9 @@ sbus_method_in_ss_out_raw_recv
|
|
||||||
return EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
diff --git a/src/sbus/interface_dbus/sbus_dbus_client_sync.c b/src/sbus/interface_dbus/sbus_dbus_client_sync.c
|
|
||||||
index a0473cd..3ab0aab 100644
|
|
||||||
--- a/src/sbus/interface_dbus/sbus_dbus_client_sync.c
|
|
||||||
+++ b/src/sbus/interface_dbus/sbus_dbus_client_sync.c
|
|
||||||
@@ -101,9 +101,9 @@ sbus_method_in_s_out_raw
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
@@ -159,9 +159,9 @@ sbus_method_in_ss_out_raw
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
diff --git a/src/sbus/request/sbus_message.c b/src/sbus/request/sbus_message.c
|
|
||||||
index 7314fd7..90c6df4 100644
|
|
||||||
--- a/src/sbus/request/sbus_message.c
|
|
||||||
+++ b/src/sbus/request/sbus_message.c
|
|
||||||
@@ -29,8 +29,9 @@
|
|
||||||
#include "sbus/interface/sbus_iterator_writers.h"
|
|
||||||
|
|
||||||
/* Data slot that is used for message data. The slot is shared for all
|
|
||||||
- * messages. */
|
|
||||||
-dbus_int32_t data_slot = -1;
|
|
||||||
+ * messages, i.e. when a data slot is allocated all messages have the
|
|
||||||
+ * slot available. */
|
|
||||||
+dbus_int32_t global_data_slot = -1;
|
|
||||||
|
|
||||||
struct sbus_talloc_msg {
|
|
||||||
DBusMessage *msg;
|
|
||||||
@@ -48,7 +49,7 @@ static int sbus_talloc_msg_destructor(struct sbus_talloc_msg *talloc_msg)
|
|
||||||
/* There may exist more references to this message but this talloc
|
|
||||||
* context is no longer valid. We remove dbus message data to invoke
|
|
||||||
* dbus destructor now. */
|
|
||||||
- dbus_message_set_data(talloc_msg->msg, data_slot, NULL, NULL);
|
|
||||||
+ dbus_message_set_data(talloc_msg->msg, global_data_slot, NULL, NULL);
|
|
||||||
dbus_message_unref(talloc_msg->msg);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -60,7 +61,7 @@ static void sbus_msg_data_destructor(void *ctx)
|
|
||||||
talloc_msg = talloc_get_type(ctx, struct sbus_talloc_msg);
|
|
||||||
|
|
||||||
/* Decrement ref counter on data slot. */
|
|
||||||
- dbus_message_free_data_slot(&data_slot);
|
|
||||||
+ dbus_message_free_data_slot(&global_data_slot);
|
|
||||||
|
|
||||||
if (!talloc_msg->in_talloc_destructor) {
|
|
||||||
/* References to this message dropped to zero but through
|
|
||||||
@@ -100,7 +101,8 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
|
||||||
/* Allocate a dbus message data slot that will contain pointer to the
|
|
||||||
* talloc context so we can pick up cases when the dbus message is
|
|
||||||
* freed through dbus api. */
|
|
||||||
- bret = dbus_message_allocate_data_slot(&data_slot);
|
|
||||||
+
|
|
||||||
+ bret = dbus_message_allocate_data_slot(&global_data_slot);
|
|
||||||
if (!bret) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to allocate data slot!\n");
|
|
||||||
talloc_free(talloc_msg);
|
|
||||||
@@ -108,11 +110,11 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
|
||||||
}
|
|
||||||
|
|
||||||
free_fn = sbus_msg_data_destructor;
|
|
||||||
- bret = dbus_message_set_data(msg, data_slot, talloc_msg, free_fn);
|
|
||||||
+ bret = dbus_message_set_data(msg, global_data_slot, talloc_msg, free_fn);
|
|
||||||
if (!bret) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set message data!\n");
|
|
||||||
talloc_free(talloc_msg);
|
|
||||||
- dbus_message_free_data_slot(&data_slot);
|
|
||||||
+ dbus_message_free_data_slot(&global_data_slot);
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -125,15 +127,44 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
|
||||||
}
|
|
||||||
|
|
||||||
errno_t
|
|
||||||
-sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
|
||||||
+sbus_message_bound_steal(TALLOC_CTX *mem_ctx, DBusMessage *msg)
|
|
||||||
{
|
|
||||||
+ struct sbus_talloc_msg *talloc_msg;
|
|
||||||
+ void *data;
|
|
||||||
+
|
|
||||||
+ if (mem_ctx == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Warning: bounding to NULL context!\n");
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (msg == NULL) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "Message can not be NULL!\n");
|
|
||||||
return EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- dbus_message_ref(msg);
|
|
||||||
- return sbus_message_bound(mem_ctx, msg);
|
|
||||||
+ if (global_data_slot < 0) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
|
|
||||||
+ "(data slot < 0)\n");
|
|
||||||
+ return ERR_INTERNAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ data = dbus_message_get_data(msg, global_data_slot);
|
|
||||||
+ if (data == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
|
|
||||||
+ "(returned data is NULL)\n");
|
|
||||||
+ return ERR_INTERNAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ talloc_msg = talloc_get_type(data, struct sbus_talloc_msg);
|
|
||||||
+ if (talloc_msg == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "This message is not talloc-bound! "
|
|
||||||
+ "(invalid data)\n");
|
|
||||||
+ return ERR_INTERNAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ talloc_steal(mem_ctx, talloc_msg);
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
DBusMessage *
|
|
||||||
diff --git a/src/sbus/request/sbus_request.c b/src/sbus/request/sbus_request.c
|
|
||||||
index 3d0e2f9..1ccd01e 100644
|
|
||||||
--- a/src/sbus/request/sbus_request.c
|
|
||||||
+++ b/src/sbus/request/sbus_request.c
|
|
||||||
@@ -564,10 +564,9 @@ sbus_incoming_request_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Create new reference to the reply and bound it with caller mem_ctx. */
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
@@ -709,10 +708,9 @@ sbus_outgoing_request_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
TEVENT_REQ_RETURN_ON_ERROR(req);
|
|
||||||
|
|
||||||
- /* Create new reference to the reply and bound it with caller mem_ctx. */
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
diff --git a/src/sbus/request/sbus_request_call.c b/src/sbus/request/sbus_request_call.c
|
|
||||||
index 1cf58bd..cf2a6e5 100644
|
|
||||||
--- a/src/sbus/request/sbus_request_call.c
|
|
||||||
+++ b/src/sbus/request/sbus_request_call.c
|
|
||||||
@@ -126,10 +126,9 @@ sbus_call_method_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
TEVENT_REQ_RETURN_ON_ERROR(req);
|
|
||||||
|
|
||||||
- /* Create new reference to the reply and bound it with caller mem_ctx. */
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, state->reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, state->reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
diff --git a/src/sbus/sbus_message.h b/src/sbus/sbus_message.h
|
|
||||||
index 92d5cea..e7b8fe5 100644
|
|
||||||
--- a/src/sbus/sbus_message.h
|
|
||||||
+++ b/src/sbus/sbus_message.h
|
|
||||||
@@ -45,11 +45,7 @@ errno_t
|
|
||||||
sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
|
||||||
|
|
||||||
/**
|
|
||||||
- * Reference the message and bound it with talloc context.
|
|
||||||
- *
|
|
||||||
- * DO NOT USE dbus_message_unref() on such message anymore since it would not
|
|
||||||
- * release internal data about the bound. The message will be automatically
|
|
||||||
- * unreferenced when the talloc context is freed.
|
|
||||||
+ * Steal previously bound D-Bus message to a new talloc parent.
|
|
||||||
*
|
|
||||||
* @param mem_ctx Memory context to bound the message with. It can not be NULL.
|
|
||||||
* @param msg Message to be bound with memory context.
|
|
||||||
@@ -57,7 +53,7 @@ sbus_message_bound(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
|
||||||
* @return EOK on success, other errno code on error.
|
|
||||||
*/
|
|
||||||
errno_t
|
|
||||||
-sbus_message_bound_ref(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
|
||||||
+sbus_message_bound_steal(TALLOC_CTX *mem_ctx, DBusMessage *msg);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Create an empty D-Bus method call.
|
|
||||||
diff --git a/src/sbus/sync/sbus_sync_call.c b/src/sbus/sync/sbus_sync_call.c
|
|
||||||
index 8549e58..a4f8a5c 100644
|
|
||||||
--- a/src/sbus/sync/sbus_sync_call.c
|
|
||||||
+++ b/src/sbus/sync/sbus_sync_call.c
|
|
||||||
@@ -63,10 +63,9 @@ sbus_sync_call_method(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Create new reference to the reply and bound it with caller mem_ctx. */
|
|
||||||
- ret = sbus_message_bound_ref(mem_ctx, reply);
|
|
||||||
+ ret = sbus_message_bound_steal(mem_ctx, reply);
|
|
||||||
if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to bound message [%d]: %s\n",
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to steal message [%d]: %s\n",
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,663 +0,0 @@
|
|||||||
From c895fa2449900f4abd1dce6bb62a45c52bbb12cf Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 16 Aug 2018 13:20:55 +0200
|
|
||||||
Subject: [PATCH 12/83] sbus: add unit tests for public sbus_message module
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
Makefile.am | 14 +
|
|
||||||
src/tests/cmocka/sbus/test_sbus_message.c | 610 ++++++++++++++++++++++++++++++
|
|
||||||
2 files changed, 624 insertions(+)
|
|
||||||
create mode 100644 src/tests/cmocka/sbus/test_sbus_message.c
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index 1b4f044..11d0405 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -270,6 +270,7 @@ if HAVE_CMOCKA
|
|
||||||
test_copy_keytab \
|
|
||||||
test_child_common \
|
|
||||||
responder_cache_req-tests \
|
|
||||||
+ test_sbus_message \
|
|
||||||
test_sbus_opath \
|
|
||||||
test_fo_srv \
|
|
||||||
pam-srv-tests \
|
|
||||||
@@ -2594,6 +2595,19 @@ test_ssh_client_LDADD = \
|
|
||||||
$(SSSD_LIBS) \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
+test_sbus_message_SOURCES = \
|
|
||||||
+ src/tests/cmocka/sbus/test_sbus_message.c \
|
|
||||||
+ $(NULL)
|
|
||||||
+test_sbus_message_CFLAGS = \
|
|
||||||
+ $(AM_CFLAGS)
|
|
||||||
+test_sbus_message_LDADD = \
|
|
||||||
+ $(CMOCKA_LIBS) \
|
|
||||||
+ $(POPT_LIBS) \
|
|
||||||
+ libsss_debug.la \
|
|
||||||
+ libsss_test_common.la \
|
|
||||||
+ libsss_sbus.la \
|
|
||||||
+ $(NULL)
|
|
||||||
+
|
|
||||||
test_sbus_opath_SOURCES = \
|
|
||||||
src/tests/cmocka/sbus/test_sbus_opath.c \
|
|
||||||
$(NULL)
|
|
||||||
diff --git a/src/tests/cmocka/sbus/test_sbus_message.c b/src/tests/cmocka/sbus/test_sbus_message.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..c01e168
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/tests/cmocka/sbus/test_sbus_message.c
|
|
||||||
@@ -0,0 +1,610 @@
|
|
||||||
+/*
|
|
||||||
+ Authors:
|
|
||||||
+ Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
+ Pavel Březina <pbrezina@redhat.com>
|
|
||||||
+
|
|
||||||
+ Copyright (C) 2014 Red Hat
|
|
||||||
+
|
|
||||||
+ This program is free software; you can redistribute it and/or modify
|
|
||||||
+ it under the terms of the GNU General Public License as published by
|
|
||||||
+ the Free Software Foundation; either version 3 of the License, or
|
|
||||||
+ (at your option) any later version.
|
|
||||||
+
|
|
||||||
+ This program is distributed in the hope that it will be useful,
|
|
||||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+ GNU General Public License for more details.
|
|
||||||
+
|
|
||||||
+ You should have received a copy of the GNU General Public License
|
|
||||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+*/
|
|
||||||
+
|
|
||||||
+#include "config.h"
|
|
||||||
+
|
|
||||||
+#include <talloc.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <popt.h>
|
|
||||||
+
|
|
||||||
+#include "util/util.h"
|
|
||||||
+#include "sbus/sbus_message.h"
|
|
||||||
+#include "tests/cmocka/common_mock.h"
|
|
||||||
+#include "tests/common.h"
|
|
||||||
+
|
|
||||||
+#define BASE_PATH "/some/path"
|
|
||||||
+
|
|
||||||
+struct test_ctx {
|
|
||||||
+ bool msg_removed;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static void helper_msg_removed(void *state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(state, struct test_ctx);
|
|
||||||
+
|
|
||||||
+ test_ctx->msg_removed = true;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void helper_msg_watch(struct test_ctx *test_ctx, DBusMessage *msg)
|
|
||||||
+{
|
|
||||||
+ DBusFreeFunction free_fn;
|
|
||||||
+ dbus_int32_t data_slot = -1;
|
|
||||||
+ dbus_bool_t bret;
|
|
||||||
+
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+
|
|
||||||
+ bret = dbus_message_allocate_data_slot(&data_slot);
|
|
||||||
+ assert_true(bret);
|
|
||||||
+
|
|
||||||
+ free_fn = helper_msg_removed;
|
|
||||||
+ bret = dbus_message_set_data(msg, data_slot, test_ctx, free_fn);
|
|
||||||
+ assert_true(bret);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int test_setup(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx;
|
|
||||||
+
|
|
||||||
+ assert_true(leak_check_setup());
|
|
||||||
+
|
|
||||||
+ test_ctx = talloc_zero(global_talloc_context, struct test_ctx);
|
|
||||||
+ assert_non_null(test_ctx);
|
|
||||||
+ *state = test_ctx;
|
|
||||||
+
|
|
||||||
+ check_leaks_push(test_ctx);
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int test_teardown(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx;
|
|
||||||
+
|
|
||||||
+ test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+
|
|
||||||
+ assert_true(check_leaks_pop(test_ctx));
|
|
||||||
+ talloc_zfree(test_ctx);
|
|
||||||
+ assert_true(leak_check_teardown());
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_message_bound__null(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+
|
|
||||||
+ ret = sbus_message_bound(NULL, msg);
|
|
||||||
+ assert_int_equal(ret, EINVAL);
|
|
||||||
+
|
|
||||||
+ ret = sbus_message_bound(test_ctx, NULL);
|
|
||||||
+ assert_int_equal(ret, EINVAL);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_message_bound__unref(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ ret = sbus_message_bound(test_ctx, msg);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ /* no memory leak should be detected in teardown */
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_message_bound__free(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(test_ctx);
|
|
||||||
+ assert_non_null(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ ret = sbus_message_bound(tmp_ctx, msg);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_message_bound_steal__null(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ ret = sbus_message_bound_steal(NULL, msg);
|
|
||||||
+ assert_int_equal(ret, EINVAL);
|
|
||||||
+
|
|
||||||
+ ret = sbus_message_bound_steal(test_ctx, NULL);
|
|
||||||
+ assert_int_equal(ret, EINVAL);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_message_bound_steal__invalid(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ ret = sbus_message_bound_steal(test_ctx, msg);
|
|
||||||
+ assert_int_equal(ret, ERR_INTERNAL);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_message_bound_steal__free(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ TALLOC_CTX *tmp_ctx_steal;
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(test_ctx);
|
|
||||||
+ assert_non_null(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ tmp_ctx_steal = talloc_new(test_ctx);
|
|
||||||
+ assert_non_null(tmp_ctx_steal);
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ ret = sbus_message_bound(tmp_ctx, msg);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ /* this will increase ref counter of message and add new talloc bound */
|
|
||||||
+ ret = sbus_message_bound_steal(tmp_ctx_steal, msg);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ assert_false(test_ctx->msg_removed);
|
|
||||||
+ talloc_free(tmp_ctx_steal);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_method_create_empty__unref(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+
|
|
||||||
+ msg = sbus_method_create_empty(NULL, "bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
|
|
||||||
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
|
||||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_method_create_empty__free(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(test_ctx);
|
|
||||||
+ assert_non_null(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ msg = sbus_method_create_empty(tmp_ctx, "bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
|
|
||||||
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
|
||||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
|
||||||
+
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_method_create__unref(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ dbus_bool_t dbret;
|
|
||||||
+ uint32_t in_value = 32;
|
|
||||||
+ uint32_t out_value;
|
|
||||||
+
|
|
||||||
+ msg = sbus_method_create(NULL, "bus.test", "/", "iface.test", "method",
|
|
||||||
+ DBUS_TYPE_UINT32, &in_value);
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
|
|
||||||
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
|
||||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
|
||||||
+
|
|
||||||
+ dbret = dbus_message_get_args(msg, NULL,
|
|
||||||
+ DBUS_TYPE_UINT32, &out_value,
|
|
||||||
+ DBUS_TYPE_INVALID);
|
|
||||||
+ assert_true(dbret);
|
|
||||||
+ assert_int_equal(out_value, 32);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_method_create__free(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(test_ctx);
|
|
||||||
+ assert_non_null(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ msg = sbus_method_create_empty(tmp_ctx, "bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_METHOD_CALL);
|
|
||||||
+ assert_string_equal(dbus_message_get_destination(msg), "bus.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
|
||||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
|
||||||
+
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_signal_create_empty__unref(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+
|
|
||||||
+ msg = sbus_signal_create_empty(NULL, "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
|
|
||||||
+ assert_null(dbus_message_get_destination(msg));
|
|
||||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
|
||||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_signal_create_empty__free(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(test_ctx);
|
|
||||||
+ assert_non_null(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ msg = sbus_signal_create_empty(tmp_ctx, "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
|
|
||||||
+ assert_null(dbus_message_get_destination(msg));
|
|
||||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
|
||||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
|
||||||
+
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_signal_create__unref(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ dbus_bool_t dbret;
|
|
||||||
+ uint32_t in_value = 32;
|
|
||||||
+ uint32_t out_value;
|
|
||||||
+
|
|
||||||
+ msg = sbus_signal_create(NULL, "/", "iface.test", "method",
|
|
||||||
+ DBUS_TYPE_UINT32, &in_value);
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
|
|
||||||
+ assert_null(dbus_message_get_destination(msg));
|
|
||||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
|
||||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
|
||||||
+
|
|
||||||
+ dbret = dbus_message_get_args(msg, NULL,
|
|
||||||
+ DBUS_TYPE_UINT32, &out_value,
|
|
||||||
+ DBUS_TYPE_INVALID);
|
|
||||||
+ assert_true(dbret);
|
|
||||||
+ assert_int_equal(out_value, 32);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_signal_create__free(void **state)
|
|
||||||
+{
|
|
||||||
+ struct test_ctx *test_ctx = talloc_get_type_abort(*state, struct test_ctx);
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ dbus_bool_t dbret;
|
|
||||||
+ uint32_t in_value = 32;
|
|
||||||
+ uint32_t out_value;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(test_ctx);
|
|
||||||
+ assert_non_null(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ msg = sbus_signal_create(tmp_ctx, "/", "iface.test", "method",
|
|
||||||
+ DBUS_TYPE_UINT32, &in_value);
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ helper_msg_watch(test_ctx, msg);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(dbus_message_get_type(msg), DBUS_MESSAGE_TYPE_SIGNAL);
|
|
||||||
+ assert_null(dbus_message_get_destination(msg));
|
|
||||||
+ assert_string_equal(dbus_message_get_path(msg), "/");
|
|
||||||
+ assert_string_equal(dbus_message_get_interface(msg), "iface.test");
|
|
||||||
+ assert_string_equal(dbus_message_get_member(msg), "method");
|
|
||||||
+
|
|
||||||
+ dbret = dbus_message_get_args(msg, NULL,
|
|
||||||
+ DBUS_TYPE_UINT32, &out_value,
|
|
||||||
+ DBUS_TYPE_INVALID);
|
|
||||||
+ assert_true(dbret);
|
|
||||||
+ assert_int_equal(out_value, 32);
|
|
||||||
+
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ assert_true(test_ctx->msg_removed);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_reply_parse__ok(void **state)
|
|
||||||
+{
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ DBusMessage *reply;
|
|
||||||
+ dbus_bool_t dbret;
|
|
||||||
+ uint32_t in_value1 = 32;
|
|
||||||
+ uint32_t in_value2 = 64;
|
|
||||||
+ uint32_t out_value1;
|
|
||||||
+ uint32_t out_value2;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ dbus_message_set_serial(msg, 1);
|
|
||||||
+
|
|
||||||
+ reply = dbus_message_new_method_return(msg);
|
|
||||||
+ assert_non_null(reply);
|
|
||||||
+
|
|
||||||
+ dbret = dbus_message_append_args(reply, DBUS_TYPE_UINT32, &in_value1,
|
|
||||||
+ DBUS_TYPE_UINT32, &in_value2,
|
|
||||||
+ DBUS_TYPE_INVALID);
|
|
||||||
+ assert_true(dbret);
|
|
||||||
+
|
|
||||||
+ ret = sbus_reply_parse(reply, DBUS_TYPE_UINT32, &out_value1,
|
|
||||||
+ DBUS_TYPE_UINT32, &out_value2);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+ assert_int_equal(out_value1, in_value1);
|
|
||||||
+ assert_int_equal(out_value2, in_value2);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ dbus_message_unref(reply);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_reply_parse__error(void **state)
|
|
||||||
+{
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ DBusMessage *reply;
|
|
||||||
+ uint32_t out_value1;
|
|
||||||
+ uint32_t out_value2;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ dbus_message_set_serial(msg, 1);
|
|
||||||
+
|
|
||||||
+ reply = dbus_message_new_error(msg, SBUS_ERROR_KILLED, "Test error!");
|
|
||||||
+ assert_non_null(reply);
|
|
||||||
+
|
|
||||||
+ ret = sbus_reply_parse(reply, DBUS_TYPE_UINT32, &out_value1,
|
|
||||||
+ DBUS_TYPE_UINT32, &out_value2);
|
|
||||||
+ assert_int_equal(ret, ERR_SBUS_KILL_CONNECTION);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ dbus_message_unref(reply);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_reply_parse__wrong_type(void **state)
|
|
||||||
+{
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ dbus_message_set_serial(msg, 1);
|
|
||||||
+
|
|
||||||
+ ret = sbus_reply_parse(msg);
|
|
||||||
+ assert_int_not_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_reply_check__ok(void **state)
|
|
||||||
+{
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ DBusMessage *reply;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ dbus_message_set_serial(msg, 1);
|
|
||||||
+
|
|
||||||
+ reply = dbus_message_new_method_return(msg);
|
|
||||||
+ assert_non_null(reply);
|
|
||||||
+
|
|
||||||
+ ret = sbus_reply_check(reply);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ dbus_message_unref(reply);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_reply_check__error(void **state)
|
|
||||||
+{
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ DBusMessage *reply;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ dbus_message_set_serial(msg, 1);
|
|
||||||
+
|
|
||||||
+ reply = dbus_message_new_error(msg, SBUS_ERROR_KILLED, "Test error!");
|
|
||||||
+ assert_non_null(reply);
|
|
||||||
+
|
|
||||||
+ ret = sbus_reply_check(reply);
|
|
||||||
+ assert_int_equal(ret, ERR_SBUS_KILL_CONNECTION);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+ dbus_message_unref(reply);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_sbus_reply_check__wrong_type(void **state)
|
|
||||||
+{
|
|
||||||
+ DBusMessage *msg;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ msg = dbus_message_new_method_call("bus.test", "/", "iface.test", "method");
|
|
||||||
+ assert_non_null(msg);
|
|
||||||
+ dbus_message_set_serial(msg, 1);
|
|
||||||
+
|
|
||||||
+ ret = sbus_reply_check(msg);
|
|
||||||
+ assert_int_not_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ dbus_message_unref(msg);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int main(int argc, const char *argv[])
|
|
||||||
+{
|
|
||||||
+ poptContext pc;
|
|
||||||
+ int opt;
|
|
||||||
+ struct poptOption long_options[] = {
|
|
||||||
+ POPT_AUTOHELP
|
|
||||||
+ SSSD_DEBUG_OPTS
|
|
||||||
+ POPT_TABLEEND
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ const struct CMUnitTest tests[] = {
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__null,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__unref,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound__free,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__null,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__invalid,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_message_bound_steal__free,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_method_create_empty__unref,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_method_create_empty__free,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_method_create__unref,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_method_create__free,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create_empty__unref,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create_empty__free,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create__unref,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_signal_create__free,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__ok,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__error,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_parse__wrong_type,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__ok,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__error,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_sbus_reply_check__wrong_type,
|
|
||||||
+ test_setup, test_teardown),
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
|
|
||||||
+ debug_level = SSSDBG_INVALID;
|
|
||||||
+
|
|
||||||
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
|
|
||||||
+ while((opt = poptGetNextOpt(pc)) != -1) {
|
|
||||||
+ switch(opt) {
|
|
||||||
+ default:
|
|
||||||
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
|
|
||||||
+ poptBadOption(pc, 0), poptStrerror(opt));
|
|
||||||
+ poptPrintUsage(pc, stderr, 0);
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ poptFreeContext(pc);
|
|
||||||
+
|
|
||||||
+ DEBUG_CLI_INIT(debug_level);
|
|
||||||
+
|
|
||||||
+ return cmocka_run_group_tests(tests, NULL, NULL);
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
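--- /dev/null
+++ b/0009-util-server-improved-debug-at-shutdown.patch
@@ -0,0 +1,32 @@
+From 3f52de891cba55230730602d41c3811cf1b17d96 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Mon, 9 Dec 2019 18:26:56 +0100
+Subject: [PATCH 9/9] util/server: improved debug at shutdown
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Relates: https://pagure.io/SSSD/sssd/issue/4088
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+src/util/server.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/server.c b/src/util/server.c
+index ee57ac128..33524066e 100644
+--- a/src/util/server.c
++++ b/src/util/server.c
+@@ -242,7 +242,8 @@ void orderly_shutdown(int status)
+kill(-getpgrp(), SIGTERM);
+}
+#endif
+- if (status == 0) sss_log(SSS_LOG_INFO, "Shutting down");
++ DEBUG(SSSDBG_IMPORTANT_INFO, "Shutting down (status = %d)", status);
++ sss_log(SSS_LOG_INFO, "Shutting down (status = %d)", status);
+exit(status);
+}
+
+--
+2.20.1
+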
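Review bot: The new DEBUG() call in the server.c hunk, `DEBUG(SSSDBG_IMPORTANT_INFO, "Shutting down (status = %d)", status);`, has no trailing "\n", whereas every other DEBUG() format on this page (the selinux_child.c and sss_semanage.c hunks further down) ends with one; unless the DEBUG macro appends a line feed itself, the following log record will run on from this message, so I would write `DEBUG(SSSDBG_IMPORTANT_INFO, "Shutting down (status = %d)\n", status);`. The sss_log() call now fires for every exit status at SSS_LOG_INFO, where the removed line only logged a clean shutdown; an abnormal (non-zero) status is the case operators actually want to notice, so logging it at a higher priority (for example SSS_LOG_ERR when status != 0) would keep it from being filtered out with routine informational records. orderly_shutdown() begins before this hunk, so whether status can carry anything other than an exit code is not visible here.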
@ -1,145 +0,0 @@
|
|||||||
From 945865ae16120ffade267227ca48cefd58822fd2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Thu, 23 Aug 2018 13:55:51 +0200
|
|
||||||
Subject: [PATCH 13/83] SELINUX: Always add SELinux user to the semanage
|
|
||||||
database if it doesn't exist
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Previously, we tried to optimize too much and only set the SELinux user
|
|
||||||
to Linux user mapping in case the SELinux user was different from the
|
|
||||||
system default. But this doesn't work for the case where the Linux user
|
|
||||||
has a non-standard home directory, because then SELinux would not have
|
|
||||||
any idea that this user's home directory should be labeled as a home
|
|
||||||
directory.
|
|
||||||
|
|
||||||
This patch relaxes the optimization in the sense that on the first
|
|
||||||
login, the SELinux context is saved regardless of whether it is the same
|
|
||||||
as the default or different.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://pagure.io/SSSD/sssd/issue/3819
|
|
||||||
|
|
||||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/ipa/selinux_child.c | 10 ++++++++--
|
|
||||||
src/util/sss_semanage.c | 30 ++++++++++++++++++++++++++++++
|
|
||||||
src/util/util.h | 1 +
|
|
||||||
src/util/util_errors.c | 1 +
|
|
||||||
src/util/util_errors.h | 1 +
|
|
||||||
5 files changed, 41 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
|
|
||||||
index d061417..925591e 100644
|
|
||||||
--- a/src/providers/ipa/selinux_child.c
|
|
||||||
+++ b/src/providers/ipa/selinux_child.c
|
|
||||||
@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,
|
|
||||||
|
|
||||||
ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
|
|
||||||
DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
||||||
- "getseuserbyname: ret: %d seuser: %s mls: %s\n",
|
|
||||||
+ "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
|
|
||||||
ret, db_seuser ? db_seuser : "unknown",
|
|
||||||
db_mls_range ? db_mls_range : "unknown");
|
|
||||||
if (ret == EOK && db_seuser && db_mls_range &&
|
|
||||||
strcmp(db_seuser, seuser) == 0 &&
|
|
||||||
strcmp(db_mls_range, mls_range) == 0) {
|
|
||||||
- needs_update = false;
|
|
||||||
+ ret = sss_seuser_exists(username);
|
|
||||||
+ if (ret == EOK) {
|
|
||||||
+ needs_update = false;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
/* OR */
|
|
||||||
if (ret == ERR_SELINUX_NOT_MANAGED) {
|
|
||||||
@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,
|
|
||||||
|
|
||||||
free(db_seuser);
|
|
||||||
free(db_mls_range);
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
||||||
+ "The SELinux user does %sneed an update\n",
|
|
||||||
+ needs_update ? "" : "not ");
|
|
||||||
return needs_update;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
|
|
||||||
index bcce57b..aea0385 100644
|
|
||||||
--- a/src/util/sss_semanage.c
|
|
||||||
+++ b/src/util/sss_semanage.c
|
|
||||||
@@ -248,6 +248,36 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int sss_seuser_exists(const char *linuxuser)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+ int exists;
|
|
||||||
+ semanage_seuser_key_t *sm_key = NULL;
|
|
||||||
+ semanage_handle_t *sm_handle = NULL;
|
|
||||||
+
|
|
||||||
+ ret = sss_semanage_init(&sm_handle);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ sss_semanage_close(sm_handle);
|
|
||||||
+ return EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = semanage_seuser_exists(sm_handle, sm_key, &exists);
|
|
||||||
+ semanage_seuser_key_free(sm_key);
|
|
||||||
+ sss_semanage_close(sm_handle);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ return EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");
|
|
||||||
+
|
|
||||||
+ return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int sss_get_seuser(const char *linuxuser,
|
|
||||||
char **selinuxuser,
|
|
||||||
char **level)
|
|
||||||
diff --git a/src/util/util.h b/src/util/util.h
|
|
||||||
index 867acf2..59e7a96 100644
|
|
||||||
--- a/src/util/util.h
|
|
||||||
+++ b/src/util/util.h
|
|
||||||
@@ -663,6 +663,7 @@ int sss_del_seuser(const char *login_name);
|
|
||||||
int sss_get_seuser(const char *linuxuser,
|
|
||||||
char **selinuxuser,
|
|
||||||
char **level);
|
|
||||||
+int sss_seuser_exists(const char *linuxuser);
|
|
||||||
|
|
||||||
/* convert time from generalized form to unix time */
|
|
||||||
errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
|
|
||||||
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
|
|
||||||
index 920a178..5f8a2a2 100644
|
|
||||||
--- a/src/util/util_errors.c
|
|
||||||
+++ b/src/util/util_errors.c
|
|
||||||
@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
|
|
||||||
{ "LDAP search returned a referral" }, /* ERR_REFERRAL */
|
|
||||||
{ "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
|
|
||||||
{ "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
|
|
||||||
+ { "SELinux user does not exist" }, /* ERR_SELINUX_USER_NOT_FOUND */
|
|
||||||
{ "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
|
|
||||||
{ "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
|
|
||||||
{ "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
|
|
||||||
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
|
|
||||||
index 5a50936..c6731d4 100644
|
|
||||||
--- a/src/util/util_errors.h
|
|
||||||
+++ b/src/util/util_errors.h
|
|
||||||
@@ -97,6 +97,7 @@ enum sssd_errors {
|
|
||||||
ERR_REFERRAL,
|
|
||||||
ERR_SELINUX_CONTEXT,
|
|
||||||
ERR_SELINUX_NOT_MANAGED,
|
|
||||||
+ ERR_SELINUX_USER_NOT_FOUND,
|
|
||||||
ERR_REGEX_NOMATCH,
|
|
||||||
ERR_TIMESPEC_NOT_SUPPORTED,
|
|
||||||
ERR_INVALID_CONFIG,
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -0,0 +1,52 @@
|
|||||||
|
From 26e33b1984cce3549df170f58f8221201ad54cfd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Date: Tue, 7 Jan 2020 16:29:05 +0100
|
||||||
|
Subject: [PATCH] util/sss_ptr_hash: fixed double free in
|
||||||
|
sss_ptr_hash_delete_cb()
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Calling data->callback(value->ptr) in sss_ptr_hash_delete_cb() could lead
|
||||||
|
to freeing of value->ptr and thus to destruction of value->spy that is
|
||||||
|
attached to value->ptr.
|
||||||
|
In turn sss_ptr_hash_spy_destructor() calls sss_ptr_hash_delete() ->
|
||||||
|
hash_delete() -> sss_ptr_hash_delete_cb() again and in this recursive
|
||||||
|
execution hash entry was actually deleted and value was freed.
|
||||||
|
When stack was unwound back to "first" sss_ptr_hash_delete_cb() it tried
|
||||||
|
to free value again => double free.
|
||||||
|
|
||||||
|
To prevent this bug value and hence spy are now freed before execution of
|
||||||
|
data->callback(value->ptr).
|
||||||
|
|
||||||
|
Resolves: https://pagure.io/SSSD/sssd/issue/4135
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/util/sss_ptr_hash.c | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
|
||||||
|
index c7403ffa6..8f9762cb9 100644
|
||||||
|
--- a/src/util/sss_ptr_hash.c
|
||||||
|
+++ b/src/util/sss_ptr_hash.c
|
||||||
|
@@ -154,13 +154,13 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
|
||||||
|
callback_entry.value.type = HASH_VALUE_PTR;
|
||||||
|
callback_entry.value.ptr = value->ptr;
|
||||||
|
|
||||||
|
+ /* Free value, this also will disable spy */
|
||||||
|
+ talloc_free(value);
|
||||||
|
+
|
||||||
|
/* Switch to the input value and call custom callback. */
|
||||||
|
if (data->callback != NULL) {
|
||||||
|
data->callback(&callback_entry, deltype, data->pvt);
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- /* Free value. */
|
||||||
|
- talloc_free(value);
|
||||||
|
}
|
||||||
|
|
||||||
|
hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
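Review bot: After the new `talloc_free(value);` the local `value` is a dangling pointer while sss_ptr_hash_delete_cb() goes on to run the custom callback; nothing in the hunk touches it afterwards, but that is now a load-bearing invariant and the one-line comment does not say so. Extend it to `/* Free value first: this disables the spy, so a callback that frees value->ptr cannot re-enter the delete path for this entry. value must not be used below this point. */`, and consider `value = NULL;` right after the free so a later edit that reads it fails loudly instead of reading freed memory. The `callback_entry.value.ptr` copy taken before the free means the callback still receives the original pointer, which is what the reordering relies on. The enclosing function starts before the hunk, so earlier uses of `value` are not visible here.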
@ -1,44 +0,0 @@
|
|||||||
From 1e2398870e8aa512ead3012d46cbe6252429467a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Mon, 10 Sep 2018 15:35:45 +0200
|
|
||||||
Subject: [PATCH 16/83] intg: flush the SSSD caches to sync with files
|
|
||||||
|
|
||||||
To make sure that SSSD has synced with the latest data added to the
|
|
||||||
passwd file sss_cache is called in two places where the current sync
|
|
||||||
scheme was not reliable. This was mainly observed when running the
|
|
||||||
integration tests on Debian.
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/tests/intg/test_files_provider.py | 8 ++++++++
|
|
||||||
1 file changed, 8 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
|
|
||||||
index 9f30d2b..ead1cc4 100644
|
|
||||||
--- a/src/tests/intg/test_files_provider.py
|
|
||||||
+++ b/src/tests/intg/test_files_provider.py
|
|
||||||
@@ -644,6 +644,10 @@ def test_enum_users(setup_pw_with_canary, files_domain_only):
|
|
||||||
user = user_generator(i)
|
|
||||||
setup_pw_with_canary.useradd(**user)
|
|
||||||
|
|
||||||
+ # syncing with the help of the canary is not reliable after adding
|
|
||||||
+ # multiple users because the canary might still be in some caches so that
|
|
||||||
+ # the data is not refreshed properly.
|
|
||||||
+ subprocess.call(["sss_cache", "-E"])
|
|
||||||
sssd_getpwnam_sync(CANARY["name"])
|
|
||||||
user_list = call_sssd_enumeration()
|
|
||||||
# +1 because the canary is added
|
|
||||||
@@ -1043,6 +1047,10 @@ def test_getgrnam_add_remove_ghosts(setup_pw_with_canary,
|
|
||||||
|
|
||||||
# Add this user and verify it's been added as a member
|
|
||||||
pwd_ops.useradd(**USER2)
|
|
||||||
+ # The negative cache might still have user2 from the previous request,
|
|
||||||
+ # flushing the caches might help to prevent a failed lookup after adding
|
|
||||||
+ # the user.
|
|
||||||
+ subprocess.call(["sss_cache", "-E"])
|
|
||||||
res, groups = sssd_id_sync('user2')
|
|
||||||
assert res == sssd_id.NssReturnCode.SUCCESS
|
|
||||||
assert len(groups) == 2
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
195
0011-sdap-Add-randomness-to-ldap-connection-timeout.patch
Normal file
@ -0,0 +1,195 @@
|
|||||||
|
From bd201746f8cf0e95615b3e98868555451b5e66b8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Halman <thalman@redhat.com>
|
||||||
|
Date: Mon, 2 Dec 2019 11:11:52 +0100
|
||||||
|
Subject: [PATCH] sdap: Add randomness to ldap connection timeout
|
||||||
|
|
||||||
|
In case of mass deployment, mass registration of IPA clients roughly on
|
||||||
|
the same time leads to regular CPU load spikes on IPA servers, the load
|
||||||
|
spikes are caused by all/most clients refreshing their LDAP connections
|
||||||
|
(ldap_connection_expire_timeout) every 15 minutes.
|
||||||
|
|
||||||
|
This patch introduces new random value (from 0 up to
|
||||||
|
ldap_connection_expire_offset) that is added to the timeout.
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://pagure.io/SSSD/sssd/issue/3630
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
---
|
||||||
|
src/config/cfg_rules.ini | 1 +
|
||||||
|
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
|
||||||
|
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
|
||||||
|
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
|
||||||
|
src/man/sssd-ldap.5.xml | 19 +++++++++++++++++++
|
||||||
|
src/providers/ad/ad_opts.c | 1 +
|
||||||
|
src/providers/ipa/ipa_opts.c | 1 +
|
||||||
|
src/providers/ldap/ldap_opts.c | 1 +
|
||||||
|
src/providers/ldap/sdap.h | 1 +
|
||||||
|
src/providers/ldap/sdap_async_connection.c | 12 ++++++++++++
|
||||||
|
10 files changed, 39 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||||
|
index 8c73c89ac..c56d5a668 100644
|
||||||
|
--- a/src/config/cfg_rules.ini
|
||||||
|
+++ b/src/config/cfg_rules.ini
|
||||||
|
@@ -600,6 +600,7 @@ option = ldap_chpass_dns_service_name
|
||||||
|
option = ldap_chpass_update_last_change
|
||||||
|
option = ldap_chpass_uri
|
||||||
|
option = ldap_connection_expire_timeout
|
||||||
|
+option = ldap_connection_expire_offset
|
||||||
|
option = ldap_default_authtok
|
||||||
|
option = ldap_default_authtok_type
|
||||||
|
option = ldap_default_bind_dn
|
||||||
|
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||||
|
index 80e329b3b..aaa0b2345 100644
|
||||||
|
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||||
|
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||||
|
@@ -58,6 +58,7 @@ ldap_deref = str, None, false
|
||||||
|
ldap_page_size = int, None, false
|
||||||
|
ldap_deref_threshold = int, None, false
|
||||||
|
ldap_connection_expire_timeout = int, None, false
|
||||||
|
+ldap_connection_expire_offset = int, None, false
|
||||||
|
ldap_disable_paging = bool, None, false
|
||||||
|
krb5_confd_path = str, None, false
|
||||||
|
wildcard_limit = int, None, false
|
||||||
|
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||||
|
index e2d46db75..7ed153d36 100644
|
||||||
|
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||||
|
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||||
|
@@ -52,6 +52,7 @@ ldap_deref = str, None, false
|
||||||
|
ldap_page_size = int, None, false
|
||||||
|
ldap_deref_threshold = int, None, false
|
||||||
|
ldap_connection_expire_timeout = int, None, false
|
||||||
|
+ldap_connection_expire_offset = int, None, false
|
||||||
|
ldap_disable_paging = bool, None, false
|
||||||
|
krb5_confd_path = str, None, false
|
||||||
|
wildcard_limit = int, None, false
|
||||||
|
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||||
|
index 01c1d7f12..4f73e901e 100644
|
||||||
|
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||||
|
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||||
|
@@ -36,6 +36,7 @@ ldap_deref_threshold = int, None, false
|
||||||
|
ldap_sasl_canonicalize = bool, None, false
|
||||||
|
ldap_sasl_minssf = int, None, false
|
||||||
|
ldap_connection_expire_timeout = int, None, false
|
||||||
|
+ldap_connection_expire_offset = int, None, false
|
||||||
|
ldap_disable_paging = bool, None, false
|
||||||
|
ldap_disable_range_retrieval = bool, None, false
|
||||||
|
wildcard_limit = int, None, false
|
||||||
|
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
||||||
|
index 6d1ae23ec..f8bb973c7 100644
|
||||||
|
--- a/src/man/sssd-ldap.5.xml
|
||||||
|
+++ b/src/man/sssd-ldap.5.xml
|
||||||
|
@@ -509,12 +509,31 @@
|
||||||
|
the two values (this value vs. the TGT lifetime)
|
||||||
|
will be used.
|
||||||
|
</para>
|
||||||
|
+ <para>
|
||||||
|
+ This timeout can be extended of a random
|
||||||
|
+ value specified by
|
||||||
|
+ <emphasis>ldap_connection_expire_offset</emphasis>
|
||||||
|
+ </para>
|
||||||
|
<para>
|
||||||
|
Default: 900 (15 minutes)
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
+ <varlistentry>
|
||||||
|
+ <term>ldap_connection_expire_offset (integer)</term>
|
||||||
|
+ <listitem>
|
||||||
|
+ <para>
|
||||||
|
+ Random offset between 0 and configured value
|
||||||
|
+ is added to
|
||||||
|
+ <emphasis>ldap_connection_expire_timeout</emphasis>.
|
||||||
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
+ Default: 0
|
||||||
|
+ </para>
|
||||||
|
+ </listitem>
|
||||||
|
+ </varlistentry>
|
||||||
|
+
|
||||||
|
<varlistentry>
|
||||||
|
<term>ldap_page_size (integer)</term>
|
||||||
|
<listitem>
|
||||||
|
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
|
||||||
|
index cd568e466..1293219ee 100644
|
||||||
|
--- a/src/providers/ad/ad_opts.c
|
||||||
|
+++ b/src/providers/ad/ad_opts.c
|
||||||
|
@@ -137,6 +137,7 @@ struct dp_option ad_def_ldap_opts[] = {
|
||||||
|
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
|
||||||
|
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||||
|
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
|
||||||
|
+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
|
||||||
|
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||||
|
{ "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
|
||||||
|
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
|
||||||
|
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
|
||||||
|
index 7974cb8ea..4fafa073d 100644
|
||||||
|
--- a/src/providers/ipa/ipa_opts.c
|
||||||
|
+++ b/src/providers/ipa/ipa_opts.c
|
||||||
|
@@ -147,6 +147,7 @@ struct dp_option ipa_def_ldap_opts[] = {
|
||||||
|
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
|
||||||
|
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||||
|
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
|
||||||
|
+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
|
||||||
|
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||||
|
{ "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
|
||||||
|
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
|
||||||
|
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
|
||||||
|
index a20ec0d86..ffd0c6baa 100644
|
||||||
|
--- a/src/providers/ldap/ldap_opts.c
|
||||||
|
+++ b/src/providers/ldap/ldap_opts.c
|
||||||
|
@@ -107,6 +107,7 @@ struct dp_option default_basic_opts[] = {
|
||||||
|
{ "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
|
||||||
|
{ "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||||
|
{ "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
|
||||||
|
+ { "ldap_connection_expire_offset", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
|
||||||
|
{ "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||||
|
{ "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
|
||||||
|
{ "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
|
||||||
|
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||||
|
index d0a19a660..f27b3c480 100644
|
||||||
|
--- a/src/providers/ldap/sdap.h
|
||||||
|
+++ b/src/providers/ldap/sdap.h
|
||||||
|
@@ -221,6 +221,7 @@ enum sdap_basic_opt {
|
||||||
|
SDAP_DEREF_THRESHOLD,
|
||||||
|
SDAP_SASL_CANONICALIZE,
|
||||||
|
SDAP_EXPIRE_TIMEOUT,
|
||||||
|
+ SDAP_EXPIRE_OFFSET,
|
||||||
|
SDAP_DISABLE_PAGING,
|
||||||
|
SDAP_IDMAP_LOWER,
|
||||||
|
SDAP_IDMAP_UPPER,
|
||||||
|
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
|
||||||
|
index 0260cba6f..7438d14a7 100644
|
||||||
|
--- a/src/providers/ldap/sdap_async_connection.c
|
||||||
|
+++ b/src/providers/ldap/sdap_async_connection.c
|
||||||
|
@@ -1803,6 +1803,8 @@ static void sdap_cli_auth_step(struct tevent_req *req)
|
||||||
|
struct tevent_req *subreq;
|
||||||
|
time_t now;
|
||||||
|
int expire_timeout;
|
||||||
|
+ int expire_offset;
|
||||||
|
+
|
||||||
|
const char *sasl_mech = dp_opt_get_string(state->opts->basic,
|
||||||
|
SDAP_SASL_MECH);
|
||||||
|
const char *user_dn = dp_opt_get_string(state->opts->basic,
|
||||||
|
@@ -1832,6 +1834,16 @@ static void sdap_cli_auth_step(struct tevent_req *req)
|
||||||
|
*/
|
||||||
|
now = time(NULL);
|
||||||
|
expire_timeout = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_TIMEOUT);
|
||||||
|
+ expire_offset = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_OFFSET);
|
||||||
|
+ if (expire_offset > 0) {
|
||||||
|
+ expire_timeout += sss_rand() % (expire_offset + 1);
|
||||||
|
+ } else if (expire_offset < 0) {
|
||||||
|
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||||
|
+ "Negative value [%d] of ldap_connection_expire_offset "
|
||||||
|
+ "is not allowed.\n",
|
||||||
|
+ expire_offset);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
DEBUG(SSSDBG_CONF_SETTINGS, "expire timeout is %d\n", expire_timeout);
|
||||||
|
if (!state->sh->expire_time
|
||||||
|
|| (state->sh->expire_time > (now + expire_timeout))) {
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
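Review bot: `expire_offset + 1` in the new `sss_rand() % (expire_offset + 1)` line of sdap_cli_auth_step() is plain int arithmetic and overflows (undefined behaviour) when ldap_connection_expire_offset is configured as INT_MAX; the value arrives via dp_opt_get_int with no upper bound, and only negative values are rejected. Widen the arithmetic, `expire_timeout += (int)(sss_rand() % ((long long)expire_offset + 1));`, or reject offsets at or above INT_MAX in the same branch that already logs negative ones. The following `expire_timeout += …` can likewise exceed INT_MAX for a large timeout plus offset, so a cap on the sum (or doing the sum in time_t before the `now + expire_timeout` comparison) is worth considering. The modulo bias of `% (n + 1)` is irrelevant for load-spreading jitter and needs no fix. The rest of sdap_cli_auth_step() lies outside the hunk.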
55
0012-ad-allow-booleans-for-ad_inherit_opts_if_needed.patch
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
From 090cf77a0fd5f300a753667658af3ed763a88e83 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Thu, 26 Sep 2019 20:24:34 +0200
|
||||||
|
Subject: [PATCH 12/15] ad: allow booleans for ad_inherit_opts_if_needed()
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Currently ad_inherit_opts_if_needed() can only handle strings. With this
|
||||||
|
patch it can handle boolean options as well.
|
||||||
|
|
||||||
|
Related to https://pagure.io/SSSD/sssd/issue/4131
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/providers/ad/ad_common.c | 23 ++++++++++++++++++++---
|
||||||
|
1 file changed, 20 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||||
|
index 5540066d4..600e3ceb2 100644
|
||||||
|
--- a/src/providers/ad/ad_common.c
|
||||||
|
+++ b/src/providers/ad/ad_common.c
|
||||||
|
@@ -1479,9 +1479,26 @@ errno_t ad_inherit_opts_if_needed(struct dp_option *parent_opts,
|
||||||
|
const char *parent_val = NULL;
|
||||||
|
char *dummy = NULL;
|
||||||
|
char *option_list[2] = { NULL, NULL };
|
||||||
|
-
|
||||||
|
- parent_val = dp_opt_get_cstring(parent_opts, opt_id);
|
||||||
|
- if (parent_val != NULL) {
|
||||||
|
+ bool is_default = true;
|
||||||
|
+
|
||||||
|
+ switch (parent_opts[opt_id].type) {
|
||||||
|
+ case DP_OPT_STRING:
|
||||||
|
+ parent_val = dp_opt_get_cstring(parent_opts, opt_id);
|
||||||
|
+ break;
|
||||||
|
+ case DP_OPT_BOOL:
|
||||||
|
+ /* For booleans it is hard to say if the option is set or not since
|
||||||
|
+ * both possible values are valid ones. So we check if the value is
|
||||||
|
+ * different from the default and skip if it is the default. In this
|
||||||
|
+ * case the sub-domain option would either be the default as well or
|
||||||
|
+ * manully set and in both cases we do not have to change it. */
|
||||||
|
+ is_default = (parent_opts[opt_id].val.boolean
|
||||||
|
+ == parent_opts[opt_id].def_val.boolean);
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type, skipping.\n");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (parent_val != NULL || !is_default) {
|
||||||
|
ret = confdb_get_string(cdb, NULL, subdom_conf_path,
|
||||||
|
parent_opts[opt_id].opt_name, NULL, &dummy);
|
||||||
|
if (ret != EOK) {
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
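Review bot: The `default:` arm of the new switch in ad_inherit_opts_if_needed() logs `"Unsupported type, skipping.\n"` without naming the option, which makes the trace useless when several options are inherited in a loop; log it as `DEBUG(SSSDBG_TRACE_FUNC, "Unsupported type of option [%s], skipping.\n", parent_opts[opt_id].opt_name);` and end the arm with `break;` like the other cases. The comment in the DP_OPT_BOOL arm has a typo, `manully` → `manually`. The step that actually copies the parent value into the sub-domain options is outside the hunk (the function continues past it), so I cannot confirm from here that it handles DP_OPT_BOOL rather than assuming a string `parent_val`; since the condition now admits boolean options, that path is worth checking.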
@ -1,87 +0,0 @@
|
|||||||
From b03179ead11db7dbfd6a00d3eeef3dac0990f826 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Mon, 10 Sep 2018 15:40:14 +0200
|
|
||||||
Subject: [PATCH 17/83] sbus: dectect python binary for sbus_generate.sh
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
We already detect python2 and python3 binaries during configure. With
|
|
||||||
this patch PYTHON_EXEC is set to the python3 binary if python3 bindings
|
|
||||||
are generated and to the python2 binary otherwise. With the help of an
|
|
||||||
environment variable sbus_generate.sh is made aware of it.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3807
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
Makefile.am | 4 ++--
|
|
||||||
configure.ac | 8 ++++++++
|
|
||||||
sbus_generate.sh => sbus_generate.sh.in | 2 +-
|
|
||||||
3 files changed, 11 insertions(+), 3 deletions(-)
|
|
||||||
rename sbus_generate.sh => sbus_generate.sh.in (93%)
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index 11d0405..deb9ce3 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -1020,14 +1020,14 @@ libsss_cert_la_LDFLAGS = \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
generate-sbus-code:
|
|
||||||
- $(srcdir)/sbus_generate.sh $(abs_srcdir)
|
|
||||||
+ $(builddir)/sbus_generate.sh $(abs_srcdir)
|
|
||||||
|
|
||||||
.PHONY: generate-sbus-code
|
|
||||||
|
|
||||||
BUILT_SOURCES += generate-sbus-code
|
|
||||||
|
|
||||||
EXTRA_DIST += \
|
|
||||||
- sbus_generate.sh \
|
|
||||||
+ sbus_generate.sh.in \
|
|
||||||
src/sbus/codegen/dbus.xml \
|
|
||||||
src/sbus/codegen/sbus_CodeGen.py \
|
|
||||||
src/sbus/codegen/sbus_DataType.py \
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index 1aac65f..bb18ad4 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -373,6 +373,13 @@ them please use argument --without-python3-bindings when running configure.])])
|
|
||||||
SSS_CLEAN_PYTHON_VARIABLES
|
|
||||||
fi
|
|
||||||
|
|
||||||
+if test x$HAVE_PYTHON3_BINDINGS = x1; then
|
|
||||||
+ PYTHON_EXEC=$PYTHON3
|
|
||||||
+else
|
|
||||||
+ PYTHON_EXEC=$PYTHON2
|
|
||||||
+fi
|
|
||||||
+AC_SUBST(PYTHON_EXEC)
|
|
||||||
+
|
|
||||||
AM_CONDITIONAL([BUILD_PYTHON_BINDINGS],
|
|
||||||
[test x"$with_python2_bindings" = xyes \
|
|
||||||
-o x"$with_python3_bindings" = xyes])
|
|
||||||
@@ -524,4 +531,5 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
|
|
||||||
src/config/setup.py
|
|
||||||
src/systemtap/sssd.stp
|
|
||||||
src/config/SSSDConfig/__init__.py])
|
|
||||||
+AC_CONFIG_FILES([sbus_generate.sh], [chmod +x sbus_generate.sh])
|
|
||||||
AC_OUTPUT
|
|
||||||
diff --git a/sbus_generate.sh b/sbus_generate.sh.in
|
|
||||||
similarity index 93%
|
|
||||||
rename from sbus_generate.sh
|
|
||||||
rename to sbus_generate.sh.in
|
|
||||||
index 338fd9d..b2c695e 100755
|
|
||||||
--- a/sbus_generate.sh
|
|
||||||
+++ b/sbus_generate.sh.in
|
|
||||||
@@ -13,7 +13,7 @@ generate() {
|
|
||||||
|
|
||||||
echo "Generating sbus code for: $XML"
|
|
||||||
|
|
||||||
- python $CODEGEN --sbus sbus --util util \
|
|
||||||
+ @PYTHON_EXEC@ $CODEGEN --sbus sbus --util util \
|
|
||||||
--headers "$HEADERS" \
|
|
||||||
--dest "$SRCDIR/src/$DEST" \
|
|
||||||
--fileprefix "sbus_${PREFIX}_" \
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
438
0013-ad-add-ad_use_ldaps.patch
Normal file
@ -0,0 +1,438 @@
|
|||||||
|
From da0be382d95f0bdbc6ad5ccb68503456c2ee858b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Thu, 26 Sep 2019 20:27:09 +0200
|
||||||
|
Subject: [PATCH 11/13] ad: add ad_use_ldaps
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
With this new boolean option the AD provider should only use the LDAPS
|
||||||
|
port 636 and the Global Catalog port 3629 which is TLS protected as
|
||||||
|
well.
|
||||||
|
|
||||||
|
Related to https://pagure.io/SSSD/sssd/issue/4131
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/config/SSSDConfig/__init__.py.in | 1 +
|
||||||
|
src/config/cfg_rules.ini | 1 +
|
||||||
|
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
|
||||||
|
src/man/sssd-ad.5.xml | 20 +++++++++++++++++++
|
||||||
|
src/providers/ad/ad_common.c | 24 +++++++++++++++++++----
|
||||||
|
src/providers/ad/ad_common.h | 8 +++++++-
|
||||||
|
src/providers/ad/ad_init.c | 8 +++++++-
|
||||||
|
src/providers/ad/ad_opts.c | 1 +
|
||||||
|
src/providers/ad/ad_srv.c | 16 ++++++++++++---
|
||||||
|
src/providers/ad/ad_srv.h | 3 ++-
|
||||||
|
src/providers/ad/ad_subdomains.c | 21 ++++++++++++++++++--
|
||||||
|
src/providers/ipa/ipa_subdomains_server.c | 4 ++--
|
||||||
|
12 files changed, 94 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||||
|
index eba89b461..84631862a 100644
|
||||||
|
--- a/src/config/SSSDConfig/__init__.py.in
|
||||||
|
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||||
|
@@ -252,6 +252,7 @@ option_strings = {
|
||||||
|
'ad_site' : _('a particular site to be used by the client'),
|
||||||
|
'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
|
||||||
|
'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
|
||||||
|
+ 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
|
||||||
|
|
||||||
|
# [provider/krb5]
|
||||||
|
'krb5_kdcip' : _('Kerberos server address'),
|
||||||
|
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||||
|
index c56d5a668..1034a1fd6 100644
|
||||||
|
--- a/src/config/cfg_rules.ini
|
||||||
|
+++ b/src/config/cfg_rules.ini
|
||||||
|
@@ -464,6 +464,7 @@ option = ad_machine_account_password_renewal_opts
|
||||||
|
option = ad_maximum_machine_account_password_age
|
||||||
|
option = ad_server
|
||||||
|
option = ad_site
|
||||||
|
+option = ad_use_ldaps
|
||||||
|
|
||||||
|
# IPA provider specific options
|
||||||
|
option = ipa_anchor_uuid
|
||||||
|
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||||
|
index aaa0b2345..a2af72603 100644
|
||||||
|
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||||
|
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||||
|
@@ -20,6 +20,7 @@ ad_gpo_default_right = str, None, false
|
||||||
|
ad_site = str, None, false
|
||||||
|
ad_maximum_machine_account_password_age = int, None, false
|
||||||
|
ad_machine_account_password_renewal_opts = str, None, false
|
||||||
|
+ad_use_ldaps = bool, None, false
|
||||||
|
ldap_uri = str, None, false
|
||||||
|
ldap_backup_uri = str, None, false
|
||||||
|
ldap_search_base = str, None, false
|
||||||
|
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
||||||
|
index fdcb4e4b9..ade56cd6d 100644
|
||||||
|
--- a/src/man/sssd-ad.5.xml
|
||||||
|
+++ b/src/man/sssd-ad.5.xml
|
||||||
|
@@ -1015,6 +1015,26 @@ ad_gpo_map_deny = +my_pam_service
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
+ <varlistentry>
|
||||||
|
+ <term>ad_use_ldaps (bool)</term>
|
||||||
|
+ <listitem>
|
||||||
|
+ <para>
|
||||||
|
+ By default SSSD uses the plain LDAP port 389 and the
|
||||||
|
+ Global Catalog port 3628. If this option is set to
|
||||||
|
+ True SSSD will use the LDAPS port 636 and Global
|
||||||
|
+ Catalog port 3629 with LDAPS protection. Since AD
|
||||||
|
+ does not allow to have multiple encryption layers on
|
||||||
|
+ a single connection and we still want to use
|
||||||
|
+ SASL/GSSAPI or SASL/GSS-SPNEGO for authentication
|
||||||
|
+ the SASL security property maxssf is set to 0 (zero)
|
||||||
|
+ for those connections.
|
||||||
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
+ Default: False
|
||||||
|
+ </para>
|
||||||
|
+ </listitem>
|
||||||
|
+ </varlistentry>
|
||||||
|
+
|
||||||
|
<varlistentry>
|
||||||
|
<term>dyndns_update (boolean)</term>
|
||||||
|
<listitem>
|
||||||
|
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||||
|
index 600e3ceb2..a2369166a 100644
|
||||||
|
--- a/src/providers/ad/ad_common.c
|
||||||
|
+++ b/src/providers/ad/ad_common.c
|
||||||
|
@@ -729,6 +729,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
|
||||||
|
const char *ad_gc_service,
|
||||||
|
const char *ad_domain,
|
||||||
|
bool use_kdcinfo,
|
||||||
|
+ bool ad_use_ldaps,
|
||||||
|
size_t n_lookahead_primary,
|
||||||
|
size_t n_lookahead_backup,
|
||||||
|
struct ad_service **_service)
|
||||||
|
@@ -746,6 +747,16 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (ad_use_ldaps) {
|
||||||
|
+ service->ldap_scheme = "ldaps";
|
||||||
|
+ service->port = LDAPS_PORT;
|
||||||
|
+ service->gc_port = AD_GC_LDAPS_PORT;
|
||||||
|
+ } else {
|
||||||
|
+ service->ldap_scheme = "ldap";
|
||||||
|
+ service->port = LDAP_PORT;
|
||||||
|
+ service->gc_port = AD_GC_PORT;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
service->sdap = talloc_zero(service, struct sdap_service);
|
||||||
|
service->gc = talloc_zero(service, struct sdap_service);
|
||||||
|
if (!service->sdap || !service->gc) {
|
||||||
|
@@ -927,7 +938,8 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name);
|
||||||
|
+ new_uri = talloc_asprintf(service->sdap, "%s://%s", service->ldap_scheme,
|
||||||
|
+ srv_name);
|
||||||
|
if (!new_uri) {
|
||||||
|
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n");
|
||||||
|
ret = ENOMEM;
|
||||||
|
@@ -935,7 +947,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||||
|
}
|
||||||
|
DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri);
|
||||||
|
|
||||||
|
- sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT);
|
||||||
|
+ sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, service->port);
|
||||||
|
if (sockaddr == NULL) {
|
||||||
|
DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n");
|
||||||
|
ret = EIO;
|
||||||
|
@@ -951,8 +963,12 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||||
|
talloc_zfree(service->gc->uri);
|
||||||
|
talloc_zfree(service->gc->sockaddr);
|
||||||
|
if (sdata && sdata->gc) {
|
||||||
|
- new_port = fo_get_server_port(server);
|
||||||
|
- new_port = (new_port == 0) ? AD_GC_PORT : new_port;
|
||||||
|
+ if (service->gc_port == AD_GC_LDAPS_PORT) {
|
||||||
|
+ new_port = service->gc_port;
|
||||||
|
+ } else {
|
||||||
|
+ new_port = fo_get_server_port(server);
|
||||||
|
+ new_port = (new_port == 0) ? service->gc_port : new_port;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
service->gc->uri = talloc_asprintf(service->gc, "%s:%d",
|
||||||
|
new_uri, new_port);
|
||||||
|
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
||||||
|
index 75f11de2e..820e06124 100644
|
||||||
|
--- a/src/providers/ad/ad_common.h
|
||||||
|
+++ b/src/providers/ad/ad_common.h
|
||||||
|
@@ -29,7 +29,8 @@
|
||||||
|
#define AD_SERVICE_NAME "AD"
|
||||||
|
#define AD_GC_SERVICE_NAME "AD_GC"
|
||||||
|
/* The port the Global Catalog runs on */
|
||||||
|
-#define AD_GC_PORT 3268
|
||||||
|
+#define AD_GC_PORT 3268
|
||||||
|
+#define AD_GC_LDAPS_PORT 3269
|
||||||
|
|
||||||
|
#define AD_AT_OBJECT_SID "objectSID"
|
||||||
|
#define AD_AT_DNS_DOMAIN "DnsDomain"
|
||||||
|
@@ -67,6 +68,7 @@ enum ad_basic_opt {
|
||||||
|
AD_KRB5_CONFD_PATH,
|
||||||
|
AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
|
||||||
|
AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
|
||||||
|
+ AD_USE_LDAPS,
|
||||||
|
|
||||||
|
AD_OPTS_BASIC /* opts counter */
|
||||||
|
};
|
||||||
|
@@ -82,6 +84,9 @@ struct ad_service {
|
||||||
|
struct sdap_service *sdap;
|
||||||
|
struct sdap_service *gc;
|
||||||
|
struct krb5_service *krb5_service;
|
||||||
|
+ const char *ldap_scheme;
|
||||||
|
+ int port;
|
||||||
|
+ int gc_port;
|
||||||
|
};
|
||||||
|
|
||||||
|
struct ad_options {
|
||||||
|
@@ -147,6 +152,7 @@ ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,
|
||||||
|
const char *ad_gc_service,
|
||||||
|
const char *ad_domain,
|
||||||
|
bool use_kdcinfo,
|
||||||
|
+ bool ad_use_ldaps,
|
||||||
|
size_t n_lookahead_primary,
|
||||||
|
size_t n_lookahead_backup,
|
||||||
|
struct ad_service **_service);
|
||||||
|
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
|
||||||
|
index 290d5b5c1..2b4b9e2e7 100644
|
||||||
|
--- a/src/providers/ad/ad_init.c
|
||||||
|
+++ b/src/providers/ad/ad_init.c
|
||||||
|
@@ -138,6 +138,7 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
|
||||||
|
char *ad_servers = NULL;
|
||||||
|
char *ad_backup_servers = NULL;
|
||||||
|
char *ad_realm;
|
||||||
|
+ bool ad_use_ldaps = false;
|
||||||
|
errno_t ret;
|
||||||
|
|
||||||
|
ad_sasl_initialize();
|
||||||
|
@@ -154,12 +155,14 @@ static errno_t ad_init_options(TALLOC_CTX *mem_ctx,
|
||||||
|
ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
|
||||||
|
ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
|
||||||
|
ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM);
|
||||||
|
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
|
||||||
|
|
||||||
|
/* Set up the failover service */
|
||||||
|
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
|
||||||
|
ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME,
|
||||||
|
dp_opt_get_string(ad_options->basic, AD_DOMAIN),
|
||||||
|
false, /* will be set in ad_get_auth_options() */
|
||||||
|
+ ad_use_ldaps,
|
||||||
|
(size_t) -1,
|
||||||
|
(size_t) -1,
|
||||||
|
&ad_options->service);
|
||||||
|
@@ -184,11 +187,13 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
|
||||||
|
const char *ad_site_override;
|
||||||
|
bool sites_enabled;
|
||||||
|
errno_t ret;
|
||||||
|
+ bool ad_use_ldaps;
|
||||||
|
|
||||||
|
hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME);
|
||||||
|
ad_domain = dp_opt_get_string(ad_options->basic, AD_DOMAIN);
|
||||||
|
ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE);
|
||||||
|
sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES);
|
||||||
|
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
|
||||||
|
|
||||||
|
|
||||||
|
if (!sites_enabled) {
|
||||||
|
@@ -205,7 +210,8 @@ static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx,
|
||||||
|
srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res,
|
||||||
|
default_host_dbs, ad_options->id,
|
||||||
|
hostname, ad_domain,
|
||||||
|
- ad_site_override);
|
||||||
|
+ ad_site_override,
|
||||||
|
+ ad_use_ldaps);
|
||||||
|
if (srv_ctx == NULL) {
|
||||||
|
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
|
||||||
|
return ENOMEM;
|
||||||
|
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
|
||||||
|
index 1293219ee..30f9b62fd 100644
|
||||||
|
--- a/src/providers/ad/ad_opts.c
|
||||||
|
+++ b/src/providers/ad/ad_opts.c
|
||||||
|
@@ -54,6 +54,7 @@ struct dp_option ad_basic_opts[] = {
|
||||||
|
{ "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
|
||||||
|
{ "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
|
||||||
|
{ "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
|
||||||
|
+ { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||||
|
DP_OPTION_TERMINATOR
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
|
||||||
|
index 5fd25f60e..ca15d3715 100644
|
||||||
|
--- a/src/providers/ad/ad_srv.c
|
||||||
|
+++ b/src/providers/ad/ad_srv.c
|
||||||
|
@@ -244,6 +244,7 @@ struct ad_get_client_site_state {
|
||||||
|
enum host_database *host_db;
|
||||||
|
struct sdap_options *opts;
|
||||||
|
const char *ad_domain;
|
||||||
|
+ bool ad_use_ldaps;
|
||||||
|
struct fo_server_info *dcs;
|
||||||
|
size_t num_dcs;
|
||||||
|
size_t dc_index;
|
||||||
|
@@ -264,6 +265,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
|
||||||
|
enum host_database *host_db,
|
||||||
|
struct sdap_options *opts,
|
||||||
|
const char *ad_domain,
|
||||||
|
+ bool ad_use_ldaps,
|
||||||
|
struct fo_server_info *dcs,
|
||||||
|
size_t num_dcs)
|
||||||
|
{
|
||||||
|
@@ -288,6 +290,7 @@ struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx,
|
||||||
|
state->host_db = host_db;
|
||||||
|
state->opts = opts;
|
||||||
|
state->ad_domain = ad_domain;
|
||||||
|
+ state->ad_use_ldaps = ad_use_ldaps;
|
||||||
|
state->dcs = dcs;
|
||||||
|
state->num_dcs = num_dcs;
|
||||||
|
|
||||||
|
@@ -331,8 +334,11 @@ static errno_t ad_get_client_site_next_dc(struct tevent_req *req)
|
||||||
|
subreq = sdap_connect_host_send(state, state->ev, state->opts,
|
||||||
|
state->be_res->resolv,
|
||||||
|
state->be_res->family_order,
|
||||||
|
- state->host_db, "ldap", state->dc.host,
|
||||||
|
- state->dc.port, false);
|
||||||
|
+ state->host_db,
|
||||||
|
+ state->ad_use_ldaps ? "ldaps" : "ldap",
|
||||||
|
+ state->dc.host,
|
||||||
|
+ state->ad_use_ldaps ? 636 : state->dc.port,
|
||||||
|
+ false);
|
||||||
|
if (subreq == NULL) {
|
||||||
|
ret = ENOMEM;
|
||||||
|
goto done;
|
||||||
|
@@ -491,6 +497,7 @@ struct ad_srv_plugin_ctx {
|
||||||
|
const char *ad_domain;
|
||||||
|
const char *ad_site_override;
|
||||||
|
const char *current_site;
|
||||||
|
+ bool ad_use_ldaps;
|
||||||
|
};
|
||||||
|
|
||||||
|
struct ad_srv_plugin_ctx *
|
||||||
|
@@ -501,7 +508,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sdap_options *opts,
|
||||||
|
const char *hostname,
|
||||||
|
const char *ad_domain,
|
||||||
|
- const char *ad_site_override)
|
||||||
|
+ const char *ad_site_override,
|
||||||
|
+ bool ad_use_ldaps)
|
||||||
|
{
|
||||||
|
struct ad_srv_plugin_ctx *ctx = NULL;
|
||||||
|
errno_t ret;
|
||||||
|
@@ -515,6 +523,7 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
|
||||||
|
ctx->be_res = be_res;
|
||||||
|
ctx->host_dbs = host_dbs;
|
||||||
|
ctx->opts = opts;
|
||||||
|
+ ctx->ad_use_ldaps = ad_use_ldaps;
|
||||||
|
|
||||||
|
ctx->hostname = talloc_strdup(ctx, hostname);
|
||||||
|
if (ctx->hostname == NULL) {
|
||||||
|
@@ -714,6 +723,7 @@ static void ad_srv_plugin_dcs_done(struct tevent_req *subreq)
|
||||||
|
state->ctx->host_dbs,
|
||||||
|
state->ctx->opts,
|
||||||
|
state->discovery_domain,
|
||||||
|
+ state->ctx->ad_use_ldaps,
|
||||||
|
dcs, num_dcs);
|
||||||
|
if (subreq == NULL) {
|
||||||
|
ret = ENOMEM;
|
||||||
|
diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h
|
||||||
|
index e553d594d..8e410ec26 100644
|
||||||
|
--- a/src/providers/ad/ad_srv.h
|
||||||
|
+++ b/src/providers/ad/ad_srv.h
|
||||||
|
@@ -31,7 +31,8 @@ ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sdap_options *opts,
|
||||||
|
const char *hostname,
|
||||||
|
const char *ad_domain,
|
||||||
|
- const char *ad_site_override);
|
||||||
|
+ const char *ad_site_override,
|
||||||
|
+ bool ad_use_ldaps);
|
||||||
|
|
||||||
|
struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx,
|
||||||
|
struct tevent_context *ev,
|
||||||
|
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||||
|
index 2ce34489f..d8c201437 100644
|
||||||
|
--- a/src/providers/ad/ad_subdomains.c
|
||||||
|
+++ b/src/providers/ad/ad_subdomains.c
|
||||||
|
@@ -282,6 +282,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||||
|
bool use_kdcinfo = false;
|
||||||
|
size_t n_lookahead_primary = SSS_KRB5_LOOKAHEAD_PRIMARY_DEFAULT;
|
||||||
|
size_t n_lookahead_backup = SSS_KRB5_LOOKAHEAD_BACKUP_DEFAULT;
|
||||||
|
+ bool ad_use_ldaps = false;
|
||||||
|
|
||||||
|
realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM);
|
||||||
|
hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME);
|
||||||
|
@@ -312,6 +313,21 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||||
|
return ENOMEM;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ ret = ad_inherit_opts_if_needed(id_ctx->ad_options->basic,
|
||||||
|
+ ad_options->basic,
|
||||||
|
+ be_ctx->cdb, subdom_conf_path,
|
||||||
|
+ AD_USE_LDAPS);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ "Failed to inherit option [%s] to sub-domain [%s]. "
|
||||||
|
+ "This error is ignored but might cause issues or unexpected "
|
||||||
|
+ "behavior later on.\n",
|
||||||
|
+ id_ctx->ad_options->basic[AD_USE_LDAPS].opt_name,
|
||||||
|
+ subdom->name);
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
|
||||||
|
ad_options->id->basic,
|
||||||
|
be_ctx->cdb, subdom_conf_path,
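Review bot: The new error path in ad_subdom_ad_ctx_new contradicts its own log message: the DEBUG text says "This error is ignored but might cause issues or unexpected behavior later on", yet the code immediately does `return ret;`, which aborts sub-domain setup. Either the sentence goes or the return does; since a failure to inherit ad_use_ldaps would otherwise leave a sub-domain silently on plain LDAP while the parent is configured for ldaps, failing closed by keeping `return ret;` is the safer choice. I would change the message to `"Failed to inherit option [%s] to sub-domain [%s], aborting sub-domain setup.\n"` so operators are not told an error was ignored when it was fatal. ad_subdom_ad_ctx_new starts and ends outside this hunk.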
|
||||||
|
@@ -344,6 +360,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||||
|
|
||||||
|
servers = dp_opt_get_string(ad_options->basic, AD_SERVER);
|
||||||
|
backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER);
|
||||||
|
+ ad_use_ldaps = dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS);
|
||||||
|
|
||||||
|
if (id_ctx->ad_options->auth_ctx != NULL
|
||||||
|
&& id_ctx->ad_options->auth_ctx->opts != NULL) {
|
||||||
|
@@ -362,7 +379,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||||
|
|
||||||
|
ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers,
|
||||||
|
subdom->realm, service_name, gc_service_name,
|
||||||
|
- subdom->name, use_kdcinfo,
|
||||||
|
+ subdom->name, use_kdcinfo, ad_use_ldaps,
|
||||||
|
n_lookahead_primary,
|
||||||
|
n_lookahead_backup,
|
||||||
|
&ad_options->service);
|
||||||
|
@@ -386,7 +403,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||||
|
ad_id_ctx->ad_options->id,
|
||||||
|
hostname,
|
||||||
|
ad_domain,
|
||||||
|
- ad_site_override);
|
||||||
|
+ ad_site_override, ad_use_ldaps);
|
||||||
|
if (srv_ctx == NULL) {
|
||||||
|
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
|
||||||
|
return ENOMEM;
|
||||||
|
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
|
||||||
|
index fd998877b..9aebf72a5 100644
|
||||||
|
--- a/src/providers/ipa/ipa_subdomains_server.c
|
||||||
|
+++ b/src/providers/ipa/ipa_subdomains_server.c
|
||||||
|
@@ -319,7 +319,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
|
||||||
|
ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers,
|
||||||
|
subdom->realm,
|
||||||
|
service_name, gc_service_name,
|
||||||
|
- subdom->name, use_kdcinfo,
|
||||||
|
+ subdom->name, use_kdcinfo, false,
|
||||||
|
n_lookahead_primary, n_lookahead_backup,
|
||||||
|
&ad_options->service);
|
||||||
|
if (ret != EOK) {
|
||||||
|
@@ -344,7 +344,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
|
||||||
|
ad_id_ctx->ad_options->id,
|
||||||
|
id_ctx->server_mode->hostname,
|
||||||
|
ad_domain,
|
||||||
|
- ad_site_override);
|
||||||
|
+ ad_site_override, false);
|
||||||
|
if (srv_ctx == NULL) {
|
||||||
|
DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n");
|
||||||
|
return ENOMEM;
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -1,68 +0,0 @@
|
|||||||
From d7f0b58e2896ed2ef9ed5a390815c1e4df6caaee Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 6 Sep 2018 13:38:56 +0200
|
|
||||||
Subject: [PATCH 18/83] sudo: respect case sensitivity in sudo responder
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
If the domain is not case sensitive and the case of the original user
|
|
||||||
or group name differs from the name in the rule we failed to find the
|
|
||||||
rule.
|
|
||||||
|
|
||||||
Now we filter the rule only with lower cased values in such domain.
|
|
||||||
|
|
||||||
Steps to reproduce:
|
|
||||||
1. Add user/group with upper case, e.g. USER-1
|
|
||||||
2. Add sudo rule with lower cased name, e.g. sudoUser: user-1
|
|
||||||
3. Login to system with lower case, e.g. user-1
|
|
||||||
4. Run sudo -l
|
|
||||||
|
|
||||||
Without the patch, rule is not found.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://pagure.io/SSSD/sssd/issue/3820
|
|
||||||
|
|
||||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
||||||
---
|
|
||||||
src/db/sysdb_sudo.c | 17 ++++++++++++++---
|
|
||||||
1 file changed, 14 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
|
|
||||||
index 3ad462d..19ed97b 100644
|
|
||||||
--- a/src/db/sysdb_sudo.c
|
|
||||||
+++ b/src/db/sysdb_sudo.c
|
|
||||||
@@ -418,7 +418,17 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
|
|
||||||
ret = EINVAL;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- DEBUG(SSSDBG_TRACE_FUNC, "original name: %s\n", orig_name);
|
|
||||||
+
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Original name: %s\n", orig_name);
|
|
||||||
+
|
|
||||||
+ orig_name = sss_get_cased_name(tmp_ctx, orig_name, domain->case_sensitive);
|
|
||||||
+ if (orig_name == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Cased name: %s\n", orig_name);
|
|
||||||
|
|
||||||
if (_uid != NULL) {
|
|
||||||
uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
|
|
||||||
@@ -450,8 +460,9 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
- sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames,
|
|
||||||
- groupname);
|
|
||||||
+ sysdb_groupnames[num_groups] = \
|
|
||||||
+ sss_get_cased_name(sysdb_groupnames, groupname,
|
|
||||||
+ domain->case_sensitive);
|
|
||||||
if (sysdb_groupnames[num_groups] == NULL) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname);
|
|
||||||
continue;
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,130 +0,0 @@
|
|||||||
From 3bd67c772c951f33422261ef658a104ccecc9561 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Tue, 3 Jul 2018 20:03:39 +0200
|
|
||||||
Subject: [PATCH 19/83] GPO: Add gpo_implicit_deny option
|
|
||||||
|
|
||||||
This option (when set to True) can be used to deny access to
|
|
||||||
users even if there is not applicable GPO. Normally users are
|
|
||||||
allowed access in this situation.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://pagure.io/SSSD/sssd/issue/3701
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/config/cfg_rules.ini | 1 +
|
|
||||||
src/man/sssd-ad.5.xml | 21 +++++++++++++++++++++
|
|
||||||
src/providers/ad/ad_common.h | 1 +
|
|
||||||
src/providers/ad/ad_gpo.c | 13 ++++++++++++-
|
|
||||||
src/providers/ad/ad_opts.c | 1 +
|
|
||||||
5 files changed, 36 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index 36e83a9..78f215e 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -437,6 +437,7 @@ option = ad_enable_dns_sites
|
|
||||||
option = ad_enabled_domains
|
|
||||||
option = ad_enable_gc
|
|
||||||
option = ad_gpo_access_control
|
|
||||||
+option = ad_gpo_implicit_deny
|
|
||||||
option = ad_gpo_cache_timeout
|
|
||||||
option = ad_gpo_default_right
|
|
||||||
option = ad_gpo_map_batch
|
|
||||||
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
|
||||||
index f43c7fc..0eac382 100644
|
|
||||||
--- a/src/man/sssd-ad.5.xml
|
|
||||||
+++ b/src/man/sssd-ad.5.xml
|
|
||||||
@@ -418,6 +418,27 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
+ <term>ad_gpo_implicit_deny (boolean)</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Normally when no applicable GPOs are found the
|
|
||||||
+ users are allowed access. When this option is set
|
|
||||||
+ to True users will be allowed access only when
|
|
||||||
+ explicitly allowed by a GPO rule. Otherwise users
|
|
||||||
+ will be denied access. This can be used to harden
|
|
||||||
+ security but be careful when using this option
|
|
||||||
+ because it can deny access even to users in the
|
|
||||||
+ built-in Administrators group if no GPO rules
|
|
||||||
+ apply to them.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Default: False (seconds)
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ <varlistentry>
|
|
||||||
<term>ad_gpo_cache_timeout (integer)</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
|
||||||
index dd440da..2c52c99 100644
|
|
||||||
--- a/src/providers/ad/ad_common.h
|
|
||||||
+++ b/src/providers/ad/ad_common.h
|
|
||||||
@@ -52,6 +52,7 @@ enum ad_basic_opt {
|
|
||||||
AD_ACCESS_FILTER,
|
|
||||||
AD_ENABLE_GC,
|
|
||||||
AD_GPO_ACCESS_CONTROL,
|
|
||||||
+ AD_GPO_IMPLICIT_DENY,
|
|
||||||
AD_GPO_CACHE_TIMEOUT,
|
|
||||||
AD_GPO_MAP_INTERACTIVE,
|
|
||||||
AD_GPO_MAP_REMOTE_INTERACTIVE,
|
|
||||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
|
||||||
index d568643..f3be723 100644
|
|
||||||
--- a/src/providers/ad/ad_gpo.c
|
|
||||||
+++ b/src/providers/ad/ad_gpo.c
|
|
||||||
@@ -1586,6 +1586,7 @@ struct ad_gpo_access_state {
|
|
||||||
struct ldb_context *ldb_ctx;
|
|
||||||
struct ad_access_ctx *access_ctx;
|
|
||||||
enum gpo_access_control_mode gpo_mode;
|
|
||||||
+ bool gpo_implicit_deny;
|
|
||||||
enum gpo_map_type gpo_map_type;
|
|
||||||
struct sdap_id_conn_ctx *conn;
|
|
||||||
struct sdap_id_op *sdap_op;
|
|
||||||
@@ -1712,6 +1713,8 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
|
|
||||||
state->gpo_mode = ctx->gpo_access_control_mode;
|
|
||||||
state->gpo_timeout_option = ctx->gpo_cache_timeout;
|
|
||||||
state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
|
|
||||||
+ state->gpo_implicit_deny = dp_opt_get_bool(ctx->ad_options,
|
|
||||||
+ AD_GPO_IMPLICIT_DENY);
|
|
||||||
state->access_ctx = ctx;
|
|
||||||
state->opts = ctx->sdap_access_ctx->id_ctx->opts;
|
|
||||||
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
|
|
||||||
@@ -2171,7 +2174,15 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = EOK;
|
|
||||||
+ if (state->gpo_implicit_deny == true) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
||||||
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
|
|
||||||
+ " is set to 'true'. The user will be denied access.\n");
|
|
||||||
+ ret = ERR_ACCESS_DENIED;
|
|
||||||
+ } else {
|
|
||||||
+ ret = EOK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
|
|
||||||
index ac93327..c1d9cd7 100644
|
|
||||||
--- a/src/providers/ad/ad_opts.c
|
|
||||||
+++ b/src/providers/ad/ad_opts.c
|
|
||||||
@@ -38,6 +38,7 @@ struct dp_option ad_basic_opts[] = {
|
|
||||||
{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
|
|
||||||
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
|
||||||
{ "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
|
|
||||||
+ { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
|
||||||
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
|
|
||||||
{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
||||||
{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
199
0014-ldap-add-new-option-ldap_sasl_maxssf.patch
@ -0,0 +1,199 @@
From 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 27 Sep 2019 11:49:59 +0200
|
||||||
|
Subject: [PATCH 14/15] ldap: add new option ldap_sasl_maxssf
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
There is already the ldap_sasl_minssf option. To be able to control the
|
||||||
|
maximal security strength factor (ssf) e.g. when using SASL together
|
||||||
|
with TLS the option ldap_sasl_maxssf is added as well.
|
||||||
|
|
||||||
|
Related to https://pagure.io/SSSD/sssd/issue/4131
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/config/SSSDConfig/__init__.py.in | 1 +
|
||||||
|
src/config/cfg_rules.ini | 1 +
|
||||||
|
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
|
||||||
|
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
|
||||||
|
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
|
||||||
|
src/man/sssd-ldap.5.xml | 16 ++++++++++++++++
|
||||||
|
src/providers/ad/ad_opts.c | 1 +
|
||||||
|
src/providers/ipa/ipa_opts.c | 1 +
|
||||||
|
src/providers/ldap/ldap_opts.c | 1 +
|
||||||
|
src/providers/ldap/sdap.h | 1 +
|
||||||
|
src/providers/ldap/sdap_async_connection.c | 14 ++++++++++++++
|
||||||
|
11 files changed, 39 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||||
|
index 6c2a1ce44..b3035fcff 100644
|
||||||
|
--- a/src/config/SSSDConfig/__init__.py.in
|
||||||
|
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||||
|
@@ -306,6 +306,7 @@ option_strings = {
|
||||||
|
'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
|
||||||
|
'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'),
|
||||||
|
'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'),
|
||||||
|
+ 'ldap_sasl_maxssf' : _('Specify the maximal SSF for LDAP sasl authorization'),
|
||||||
|
'ldap_krb5_keytab' : _('Kerberos service keytab'),
|
||||||
|
'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
|
||||||
|
'ldap_referrals' : _('Follow LDAP referrals'),
|
||||||
|
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
||||||
|
index 478ca9eb4..286443be4 100644
|
||||||
|
--- a/src/config/cfg_rules.ini
|
||||||
|
+++ b/src/config/cfg_rules.ini
|
||||||
|
@@ -665,6 +665,7 @@ option = ldap_sasl_authid
|
||||||
|
option = ldap_sasl_canonicalize
|
||||||
|
option = ldap_sasl_mech
|
||||||
|
option = ldap_sasl_minssf
|
||||||
|
+option = ldap_sasl_maxssf
|
||||||
|
option = ldap_schema
|
||||||
|
option = ldap_pwmodify_mode
|
||||||
|
option = ldap_search_base
|
||||||
|
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||||
|
index 51cdad536..4d10e69d7 100644
|
||||||
|
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||||
|
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
|
||||||
|
@@ -42,6 +42,7 @@ ldap_tls_reqcert = str, None, false
|
||||||
|
ldap_sasl_mech = str, None, false
|
||||||
|
ldap_sasl_authid = str, None, false
|
||||||
|
ldap_sasl_minssf = int, None, false
|
||||||
|
+ldap_sasl_maxssf = int, None, false
|
||||||
|
krb5_kdcip = str, None, false
|
||||||
|
krb5_server = str, None, false
|
||||||
|
krb5_backup_server = str, None, false
|
||||||
|
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||||
|
index 7ed153d36..839f9f471 100644
|
||||||
|
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||||
|
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
|
||||||
|
@@ -32,6 +32,7 @@ ldap_tls_reqcert = str, None, false
|
||||||
|
ldap_sasl_mech = str, None, false
|
||||||
|
ldap_sasl_authid = str, None, false
|
||||||
|
ldap_sasl_minssf = int, None, false
|
||||||
|
+ldap_sasl_maxssf = int, None, false
|
||||||
|
krb5_kdcip = str, None, false
|
||||||
|
krb5_server = str, None, false
|
||||||
|
krb5_backup_server = str, None, false
|
||||||
|
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||||
|
index 4f73e901e..6db9828b9 100644
|
||||||
|
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||||
|
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
|
||||||
|
@@ -35,6 +35,7 @@ ldap_page_size = int, None, false
|
||||||
|
ldap_deref_threshold = int, None, false
|
||||||
|
ldap_sasl_canonicalize = bool, None, false
|
||||||
|
ldap_sasl_minssf = int, None, false
|
||||||
|
+ldap_sasl_maxssf = int, None, false
|
||||||
|
ldap_connection_expire_timeout = int, None, false
|
||||||
|
ldap_connection_expire_offset = int, None, false
|
||||||
|
ldap_disable_paging = bool, None, false
|
||||||
|
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
||||||
|
index f8bb973c7..0dc675410 100644
|
||||||
|
--- a/src/man/sssd-ldap.5.xml
|
||||||
|
+++ b/src/man/sssd-ldap.5.xml
|
||||||
|
@@ -612,6 +612,22 @@
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
+ <varlistentry>
|
||||||
|
+ <term>ldap_sasl_maxssf (integer)</term>
|
||||||
|
+ <listitem>
|
||||||
|
+ <para>
|
||||||
|
+ When communicating with an LDAP server using SASL,
|
||||||
|
+ specify the maximal security level necessary to
|
||||||
|
+ establish the connection. The values of this
|
||||||
|
+ option are defined by OpenLDAP.
|
||||||
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
+ Default: Use the system default (usually specified
|
||||||
|
+ by ldap.conf)
|
||||||
|
+ </para>
|
||||||
|
+ </listitem>
|
||||||
|
+ </varlistentry>
|
||||||
|
+
|
||||||
|
<varlistentry>
|
||||||
|
<term>ldap_deref_threshold (integer)</term>
|
||||||
|
<listitem>
|
||||||
|
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
|
||||||
|
index 26420d655..e9a3dd6ef 100644
|
||||||
|
--- a/src/providers/ad/ad_opts.c
|
||||||
|
+++ b/src/providers/ad/ad_opts.c
|
||||||
|
@@ -106,6 +106,7 @@ struct dp_option ad_def_ldap_opts[] = {
|
||||||
|
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||||
|
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||||
|
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
|
||||||
|
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
|
||||||
|
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||||
|
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
||||||
|
/* use the same parm name as the krb5 module so we set it only once */
|
||||||
|
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
|
||||||
|
index 4fafa073d..55de6e600 100644
|
||||||
|
--- a/src/providers/ipa/ipa_opts.c
|
||||||
|
+++ b/src/providers/ipa/ipa_opts.c
|
||||||
|
@@ -114,6 +114,7 @@ struct dp_option ipa_def_ldap_opts[] = {
|
||||||
|
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||||
|
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||||
|
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER },
|
||||||
|
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
|
||||||
|
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||||
|
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
||||||
|
/* use the same parm name as the krb5 module so we set it only once */
|
||||||
|
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
|
||||||
|
index ffd0c6baa..d1b4e98ad 100644
|
||||||
|
--- a/src/providers/ldap/ldap_opts.c
|
||||||
|
+++ b/src/providers/ldap/ldap_opts.c
|
||||||
|
@@ -74,6 +74,7 @@ struct dp_option default_basic_opts[] = {
|
||||||
|
{ "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||||
|
{ "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||||
|
{ "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
|
||||||
|
+ { "ldap_sasl_maxssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
|
||||||
|
{ "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||||
|
{ "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
||||||
|
/* use the same parm name as the krb5 module so we set it only once */
|
||||||
|
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||||
|
index f27b3c480..808a2c400 100644
|
||||||
|
--- a/src/providers/ldap/sdap.h
|
||||||
|
+++ b/src/providers/ldap/sdap.h
|
||||||
|
@@ -192,6 +192,7 @@ enum sdap_basic_opt {
|
||||||
|
SDAP_SASL_AUTHID,
|
||||||
|
SDAP_SASL_REALM,
|
||||||
|
SDAP_SASL_MINSSF,
|
||||||
|
+ SDAP_SASL_MAXSSF,
|
||||||
|
SDAP_KRB5_KEYTAB,
|
||||||
|
SDAP_KRB5_KINIT,
|
||||||
|
SDAP_KRB5_KDC,
|
||||||
|
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
|
||||||
|
index 7438d14a7..5f69cedcc 100644
|
||||||
|
--- a/src/providers/ldap/sdap_async_connection.c
|
||||||
|
+++ b/src/providers/ldap/sdap_async_connection.c
|
||||||
|
@@ -148,6 +148,8 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
|
||||||
|
const char *sasl_mech;
|
||||||
|
int sasl_minssf;
|
||||||
|
ber_len_t ber_sasl_minssf;
|
||||||
|
+ int sasl_maxssf;
|
||||||
|
+ ber_len_t ber_sasl_maxssf;
|
||||||
|
|
||||||
|
ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd);
|
||||||
|
talloc_zfree(subreq);
|
||||||
|
@@ -291,6 +293,18 @@ static void sdap_sys_connect_done(struct tevent_req *subreq)
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ sasl_maxssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MAXSSF);
|
||||||
|
+ if (sasl_maxssf >= 0) {
|
||||||
|
+ ber_sasl_maxssf = (ber_len_t)sasl_maxssf;
|
||||||
|
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MAX,
|
||||||
|
+ &ber_sasl_maxssf);
|
||||||
|
+ if (lret != LDAP_OPT_SUCCESS) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MAX SSF option "
|
||||||
|
+ "to %d\n", sasl_maxssf);
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/* if we do not use start_tls the connection is not really connected yet
|
||||||
|
--
|
||||||
|
2.20.1
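Review bot: The ldap_sasl_maxssf handling added to sdap_sys_connect_done sets LDAP_OPT_X_SASL_SSF_MAX without comparing it to the minimum configured just above it, so a configuration with ldap_sasl_minssf greater than ldap_sasl_maxssf can never negotiate a SASL security layer and only fails later with an opaque SASL error. A guard before the ldap_set_option call, `if (sasl_minssf >= 0 && sasl_maxssf < sasl_minssf) { DEBUG(SSSDBG_CRIT_FAILURE, "ldap_sasl_maxssf must not be lower than ldap_sasl_minssf\n"); goto fail; }`, would surface the misconfiguration at connect time (sasl_minssf is declared in this function but assigned outside the hunk, so confirm it still holds the configured value there). The sssd-ldap.5.xml wording "specify the maximal security level necessary to establish the connection" is also misleading: maxssf is an upper bound on the SASL security layer, not a requirement, and a maximum of 0 means no SASL integrity or confidentiality layer is negotiated at all, so it should only be lowered when the transport is already protected by TLS; I would add that sentence to the man-page paragraph. sdap_sys_connect_done begins and ends outside the hunk.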
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From 10fa27eddb9bbe135277d587c6a2de4b311da6df Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Tue, 18 Sep 2018 15:23:54 +0200
|
|
||||||
Subject: [PATCH 20/83] CONFDB: Skip 'local' domain if not supported
|
|
||||||
|
|
||||||
When SSSD is built without the support for local
|
|
||||||
domain, we should gracegully skip local domains
|
|
||||||
and let other domains start.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://pagure.io/SSSD/sssd/issue/3828
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/confdb/confdb.c | 10 ++++++++--
|
|
||||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
||||||
index 22068ca..621647e 100644
|
|
||||||
--- a/src/confdb/confdb.c
|
|
||||||
+++ b/src/confdb/confdb.c
|
|
||||||
@@ -945,8 +945,14 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (local_provider_is_built()
|
|
||||||
- && strcasecmp(domain->provider, "local") == 0) {
|
|
||||||
+ if (strcasecmp(domain->provider, "local") == 0) {
|
|
||||||
+ if (!local_provider_is_built()) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
+ "ID provider 'local' no longer supported, disabling\n");
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* If this is the local provider, we need to ensure that
|
|
||||||
* no other provider was specified for other types, since
|
|
||||||
* the local provider cannot load them.
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
91
0015-ad-set-min-and-max-ssf-for-ldaps.patch
@ -0,0 +1,91 @@
From 24387e19f065e6a585b1120d5568cb4df271d102 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Fri, 27 Sep 2019 13:45:13 +0200
|
||||||
|
Subject: [PATCH 15/15] ad: set min and max ssf for ldaps
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
AD does not allow to use encryption in the TLS and SASL layer at the
|
||||||
|
same time. To be able to use ldaps this patch sets min and max ssf to 0
|
||||||
|
if ldaps should be used.
|
||||||
|
|
||||||
|
Related to https://pagure.io/SSSD/sssd/issue/4131
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/providers/ad/ad_common.c | 21 +++++++++++++++++++++
|
||||||
|
src/providers/ad/ad_common.h | 2 ++
|
||||||
|
src/providers/ad/ad_subdomains.c | 4 ++++
|
||||||
|
3 files changed, 27 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||||
|
index a2369166a..51300f5b2 100644
|
||||||
|
--- a/src/providers/ad/ad_common.c
|
||||||
|
+++ b/src/providers/ad/ad_common.c
|
||||||
|
@@ -1021,6 +1021,23 @@ done:
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+
|
||||||
|
+ DEBUG(SSSDBG_TRACE_ALL, "Setting ssf for ldaps usage.\n");
|
||||||
|
+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MINSSF, 0);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ "Failed to set SASL minssf for ldaps usage, ignored.\n");
|
||||||
|
+ }
|
||||||
|
+ ret = dp_opt_set_int(id_opts->basic, SDAP_SASL_MAXSSF, 0);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ "Failed to set SASL maxssf for ldaps usage, ignored.\n");
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static errno_t
|
||||||
|
ad_set_sdap_options(struct ad_options *ad_opts,
|
||||||
|
struct sdap_options *id_opts)
|
||||||
|
@@ -1079,6 +1096,10 @@ ad_set_sdap_options(struct ad_options *ad_opts,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (dp_opt_get_bool(ad_opts->basic, AD_USE_LDAPS)) {
|
||||||
|
+ ad_set_ssf_for_ldaps(id_opts);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Warn if the user is doing something silly like overriding the schema
|
||||||
|
* with the AD provider
|
||||||
|
*/
|
||||||
|
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
||||||
|
index 44da58fa0..8b7a86102 100644
|
||||||
|
--- a/src/providers/ad/ad_common.h
|
||||||
|
+++ b/src/providers/ad/ad_common.h
|
||||||
|
@@ -182,6 +182,8 @@ errno_t
|
||||||
|
ad_get_dyndns_options(struct be_ctx *be_ctx,
|
||||||
|
struct ad_options *ad_opts);
|
||||||
|
|
||||||
|
+void ad_set_ssf_for_ldaps(struct sdap_options *id_opts);
|
||||||
|
+
|
||||||
|
struct ad_id_ctx *
|
||||||
|
ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx);
|
||||||
|
|
||||||
|
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||||
|
index d8c201437..a9c6b9f28 100644
|
||||||
|
--- a/src/providers/ad/ad_subdomains.c
|
||||||
|
+++ b/src/providers/ad/ad_subdomains.c
|
||||||
|
@@ -328,6 +328,10 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (dp_opt_get_bool(ad_options->basic, AD_USE_LDAPS)) {
|
||||||
|
+ ad_set_ssf_for_ldaps(ad_options->id);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ret = ad_inherit_opts_if_needed(id_ctx->sdap_id_ctx->opts->basic,
|
||||||
|
ad_options->id->basic,
|
||||||
|
be_ctx->cdb, subdom_conf_path,
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
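Review bot: ad_set_ssf_for_ldaps() in the ad_common.c hunk silently replaces whatever `ldap_sasl_minssf`/`ldap_sasl_maxssf` the administrator configured with 0, and the only trace is a SSSDBG_TRACE_ALL message, so a deployment that set a non-zero minssf to demand SASL integrity/confidentiality will not notice that the requirement disappears as soon as ad_use_ldaps is enabled. Before the two dp_opt_set_int() calls I would read the current value and log the override at a level visible in a normal debug log, e.g. `if (dp_opt_get_int(id_opts->basic, SDAP_SASL_MINSSF) != 0) { DEBUG(SSSDBG_CONF_SETTINGS, "ad_use_ldaps is set, overriding ldap_sasl_minssf/maxssf with 0.\n"); }` (the dp_opt_get_int() accessor is assumed from the dp_opt_set_int()/dp_opt_get_bool() calls visible here). The same caveat belongs in the ad_use_ldaps option documentation: with the SASL SSF forced to 0, confidentiality and server authentication of the channel rest entirely on the TLS layer, so ldap_tls_reqcert/ldap_tls_cacert must be set correctly for this mode to be safe. The ad_set_sdap_options() and ad_subdom_ad_ctx_new() callers patched by the other two hunks start and end outside them.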
@ -0,0 +1,36 @@
|
|||||||
|
From 007d5b79b7aef67dd843ed9a3b65095faaeb580f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Wed, 22 Jan 2020 09:43:21 +0000
|
||||||
|
Subject: [PATCH] BE_REFRESH: Do not try to refresh domains from other backends
|
||||||
|
|
||||||
|
We cannot refresh domains from different sssd_be processes.
|
||||||
|
We can refresh just subdomains
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://pagure.io/SSSD/sssd/issue/4142
|
||||||
|
|
||||||
|
Merges: https://pagure.io/SSSD/sssd/pull-request/4139
|
||||||
|
|
||||||
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||||
|
---
|
||||||
|
src/providers/be_refresh.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
|
||||||
|
index 6cce38390..5e43571ce 100644
|
||||||
|
--- a/src/providers/be_refresh.c
|
||||||
|
+++ b/src/providers/be_refresh.c
|
||||||
|
@@ -385,6 +385,10 @@ static errno_t be_refresh_step(struct tevent_req *req)
|
||||||
|
if (state->index == BE_REFRESH_TYPE_SENTINEL) {
|
||||||
|
state->domain = get_next_domain(state->domain,
|
||||||
|
SSS_GND_DESCEND);
|
||||||
|
+ /* we can update just subdomains */
|
||||||
|
+ if (state->domain != NULL && !IS_SUBDOMAIN(state->domain)) {
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
state->index = 0;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
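Review bot: The new early exit in be_refresh_step() breaks out of the loop with state->domain still pointing at a top-level domain that belongs to another sssd_be process, whereas the exhausted-iteration case presumably leaves it NULL; if the code after the loop (outside this hunk) consults state->domain to decide whether the refresh finished, the two cases now look different. Unless that post-loop code is verified to ignore the pointer, I would clear it in the same place, `state->domain = NULL;` immediately before the `break;`. The one-line comment should also say why, matching the commit message, e.g. `/* Only subdomains can be refreshed here: the next top-level domain is served by a different sssd_be process. */`. be_refresh_step() starts and ends outside the hunk.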
@ -1,259 +0,0 @@
|
|||||||
From 7c619ae08f05a7595d15cf11b64461a7d19cfaa7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 29 Jun 2018 17:49:50 +0200
|
|
||||||
Subject: [PATCH 21/83] sysdb: extract sysdb_ldb_msg_attr_to_certmap_info()
|
|
||||||
call
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/db/sysdb.h | 4 ++
|
|
||||||
src/db/sysdb_certmap.c | 191 ++++++++++++++++++++++++++++---------------------
|
|
||||||
2 files changed, 112 insertions(+), 83 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
|
||||||
index d72af5a..cb04e1b 100644
|
|
||||||
--- a/src/db/sysdb.h
|
|
||||||
+++ b/src/db/sysdb.h
|
|
||||||
@@ -702,6 +702,10 @@ errno_t sysdb_update_certmap(struct sysdb_ctx *sysdb,
|
|
||||||
struct certmap_info **certmaps,
|
|
||||||
bool user_name_hint);
|
|
||||||
|
|
||||||
+errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct ldb_message *msg,
|
|
||||||
+ struct certmap_info **certmap);
|
|
||||||
+
|
|
||||||
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
|
||||||
struct certmap_info ***certmaps,
|
|
||||||
bool *user_name_hint);
|
|
||||||
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
|
|
||||||
index 6d83ba0..e61cc05 100644
|
|
||||||
--- a/src/db/sysdb_certmap.c
|
|
||||||
+++ b/src/db/sysdb_certmap.c
|
|
||||||
@@ -262,19 +262,119 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct ldb_message *msg,
|
|
||||||
+ struct certmap_info **certmap)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+ size_t d;
|
|
||||||
+ size_t num_values;
|
|
||||||
+ struct certmap_info *map = NULL;
|
|
||||||
+ const char *tmp_str;
|
|
||||||
+ uint64_t tmp_uint;
|
|
||||||
+ struct ldb_message_element *tmp_el;
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ map = talloc_zero(mem_ctx, struct certmap_info);
|
|
||||||
+ if (map == NULL) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
|
|
||||||
+ if (tmp_str == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
|
|
||||||
+ ldb_dn_get_linearized(msg->dn));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ map->name = talloc_strdup(map, tmp_str);
|
|
||||||
+ if (map->name == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MAPPING_RULE,
|
|
||||||
+ NULL);
|
|
||||||
+ if (tmp_str != NULL) {
|
|
||||||
+ map->map_rule = talloc_strdup(map, tmp_str);
|
|
||||||
+ if (map->map_rule == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MATCHING_RULE,
|
|
||||||
+ NULL);
|
|
||||||
+ if (tmp_str != NULL) {
|
|
||||||
+ map->match_rule = talloc_strdup(map, tmp_str);
|
|
||||||
+ if (map->match_rule == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tmp_uint = ldb_msg_find_attr_as_uint64(msg, SYSDB_CERTMAP_PRIORITY,
|
|
||||||
+ (uint64_t) -1);
|
|
||||||
+ if (tmp_uint != (uint64_t) -1) {
|
|
||||||
+ if (tmp_uint > UINT32_MAX) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Priority value [%lu] too large.\n",
|
|
||||||
+ (unsigned long) tmp_uint);
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ map->priority = (uint32_t) tmp_uint;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
|
|
||||||
+ if (tmp_el != NULL) {
|
|
||||||
+ num_values = tmp_el->num_values;
|
|
||||||
+ } else {
|
|
||||||
+ num_values = 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ map->domains = talloc_zero_array(map, const char *, num_values + 1);
|
|
||||||
+ if (map->domains == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (d = 0; d < num_values; d++) {
|
|
||||||
+ map->domains[d] = talloc_strndup(map->domains,
|
|
||||||
+ (char *) tmp_el->values[d].data,
|
|
||||||
+ tmp_el->values[d].length);
|
|
||||||
+ if (map->domains[d] == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *certmap = map;
|
|
||||||
+
|
|
||||||
+ ret = EOK;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ talloc_free(map);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
|
||||||
struct certmap_info ***certmaps, bool *user_name_hint)
|
|
||||||
{
|
|
||||||
size_t c;
|
|
||||||
- size_t d;
|
|
||||||
struct ldb_dn *container_dn = NULL;
|
|
||||||
int ret;
|
|
||||||
struct certmap_info **maps = NULL;
|
|
||||||
TALLOC_CTX *tmp_ctx = NULL;
|
|
||||||
struct ldb_result *res;
|
|
||||||
- const char *tmp_str;
|
|
||||||
- uint64_t tmp_uint;
|
|
||||||
- struct ldb_message_element *tmp_el;
|
|
||||||
const char *attrs[] = {SYSDB_NAME,
|
|
||||||
SYSDB_CERTMAP_PRIORITY,
|
|
||||||
SYSDB_CERTMAP_MATCHING_RULE,
|
|
||||||
@@ -283,7 +383,6 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
|
||||||
NULL};
|
|
||||||
const char *config_attrs[] = {SYSDB_CERTMAP_USER_NAME_HINT,
|
|
||||||
NULL};
|
|
||||||
- size_t num_values;
|
|
||||||
bool hint = false;
|
|
||||||
|
|
||||||
tmp_ctx = talloc_new(NULL);
|
|
||||||
@@ -332,86 +431,12 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
|
||||||
}
|
|
||||||
|
|
||||||
for (c = 0; c < res->count; c++) {
|
|
||||||
- maps[c] = talloc_zero(maps, struct certmap_info);
|
|
||||||
- if (maps[c] == NULL) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c], SYSDB_NAME, NULL);
|
|
||||||
- if (tmp_str == NULL) {
|
|
||||||
- DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
|
|
||||||
- ldb_dn_get_linearized(res->msgs[c]->dn));
|
|
||||||
- ret = EINVAL;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- maps[c]->name = talloc_strdup(maps, tmp_str);
|
|
||||||
- if (maps[c]->name == NULL) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c],
|
|
||||||
- SYSDB_CERTMAP_MAPPING_RULE, NULL);
|
|
||||||
- if (tmp_str != NULL) {
|
|
||||||
- maps[c]->map_rule = talloc_strdup(maps, tmp_str);
|
|
||||||
- if (maps[c]->map_rule == NULL) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- tmp_str = ldb_msg_find_attr_as_string(res->msgs[c],
|
|
||||||
- SYSDB_CERTMAP_MATCHING_RULE, NULL);
|
|
||||||
- if (tmp_str != NULL) {
|
|
||||||
- maps[c]->match_rule = talloc_strdup(maps, tmp_str);
|
|
||||||
- if (maps[c]->match_rule == NULL) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- tmp_uint = ldb_msg_find_attr_as_uint64(res->msgs[c],
|
|
||||||
- SYSDB_CERTMAP_PRIORITY,
|
|
||||||
- (uint64_t) -1);
|
|
||||||
- if (tmp_uint != (uint64_t) -1) {
|
|
||||||
- if (tmp_uint > UINT32_MAX) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "Priority value [%lu] too large.\n",
|
|
||||||
- (unsigned long) tmp_uint);
|
|
||||||
- ret = EINVAL;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- maps[c]->priority = (uint32_t) tmp_uint;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- tmp_el = ldb_msg_find_element(res->msgs[c], SYSDB_CERTMAP_DOMAINS);
|
|
||||||
- if (tmp_el != NULL) {
|
|
||||||
- num_values = tmp_el->num_values;
|
|
||||||
- } else {
|
|
||||||
- num_values = 0;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- maps[c]->domains = talloc_zero_array(maps[c], const char *,
|
|
||||||
- num_values + 1);
|
|
||||||
- if (maps[c]->domains == NULL) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
|
|
||||||
- ret = ENOMEM;
|
|
||||||
+ ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], &maps[c]);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n");
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- for (d = 0; d < num_values; d++) {
|
|
||||||
- maps[c]->domains[d] = talloc_strndup(maps[c]->domains,
|
|
||||||
- (char *) tmp_el->values[d].data,
|
|
||||||
- tmp_el->values[d].length);
|
|
||||||
- if (maps[c]->domains[d] == NULL) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n");
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = EOK;
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,39 +0,0 @@
|
|||||||
From d1dd7f7703b4f40d2fbb830e28969b31b8a1673e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 3 Jul 2018 11:30:07 +0200
|
|
||||||
Subject: [PATCH 22/83] sysdb_ldb_msg_attr_to_certmap_info: set
|
|
||||||
SSS_CERTMAP_MIN_PRIO
|
|
||||||
|
|
||||||
Make sure that priority is always set.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/db/sysdb_certmap.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
|
|
||||||
index e61cc05..0bb7ebc 100644
|
|
||||||
--- a/src/db/sysdb_certmap.c
|
|
||||||
+++ b/src/db/sysdb_certmap.c
|
|
||||||
@@ -22,6 +22,7 @@
|
|
||||||
|
|
||||||
#include "util/util.h"
|
|
||||||
#include "db/sysdb_private.h"
|
|
||||||
+#include "lib/certmap/sss_certmap.h"
|
|
||||||
|
|
||||||
static errno_t sysdb_create_certmap_container(struct sysdb_ctx *sysdb,
|
|
||||||
bool user_name_hint)
|
|
||||||
@@ -327,6 +328,8 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
map->priority = (uint32_t) tmp_uint;
|
|
||||||
+ } else {
|
|
||||||
+ map->priority = SSS_CERTMAP_MIN_PRIO;
|
|
||||||
}
|
|
||||||
|
|
||||||
tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
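--- /dev/null
+++ b/0017-sysdb_sudo-Enable-LDAP-time-format-compatibility.patch
@@ -0,0 +1,52 @@
+From 58a67cd38b8be9bef45ce70588763d851840dd65 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
+Date: Tue, 3 Dec 2019 04:13:53 +0100
+Subject: [PATCH] sysdb_sudo: Enable LDAP time format compatibility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+LDAP specification allows to ommit seconds and minutes
+in time border definition. In that case they defaults to zeros.
+Current sssd.sudo implementation requires precision up to
+seconds in time definition. This commit allows to lower
+the precision up to hours.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/4118
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/db/sysdb_sudo.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
+index 59d6824c0..18088b017 100644
+--- a/src/db/sysdb_sudo.c
++++ b/src/db/sysdb_sudo.c
+@@ -55,6 +55,22 @@ static errno_t sysdb_sudo_convert_time(const char *str, time_t *unix_time)
+                              "%Y%m%d%H%M%S.0%z",
+                              "%Y%m%d%H%M%S,0Z",
+                              "%Y%m%d%H%M%S,0%z",
++                             /* LDAP specification says that minutes and seconds
++                                might be omitted and in that case these are meant
++                                to be treated as zeros [1].
++                              */
++                             "%Y%m%d%H%MZ", /* Discard seconds */
++                             "%Y%m%d%H%M%z",
++                             "%Y%m%d%H%M.0Z",
++                             "%Y%m%d%H%M.0%z",
++                             "%Y%m%d%H%M,0Z",
++                             "%Y%m%d%H%M,0%z",
++                             "%Y%m%d%HZ", /* Discard minutes and seconds*/
++                             "%Y%m%d%H%z",
++                             "%Y%m%d%H.0Z",
++                             "%Y%m%d%H.0%z",
++                             "%Y%m%d%H,0Z",
++                             "%Y%m%d%H,0%z",
+                              NULL};
+ 
+     for (format = formats; *format != NULL; format++) {
+-- 
+2.20.1
+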
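Review bot: The new comment in the formats table cites `[1]` but the hunk adds no footnote anywhere, so the reference dangles; I would complete it with `[1] RFC 4517, section 3.3.13 (Generalized Time)`, which is the definition that makes minutes and seconds optional and defaults them to zero. The hour-only and minute-only formats also rely on sysdb_sudo_convert_time() zeroing the `struct tm` before every strptime() attempt, because strptime() only writes the fields it parses and tm_min/tm_sec would otherwise come from whatever the structure held before the call; that initialisation is above this hunk and should be checked, since a stale minute or second value would silently shift a sudoNotBefore/sudoNotAfter boundary that gates sudo authorization. The function begins outside the hunk.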
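--- /dev/null
+++ b/0018-sbus_server-stylistic-rename.patch
@@ -0,0 +1,43 @@
+From faa5dbf6f716bd4ac0a3020a28a1ee6fbf74654a Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Thu, 23 Jan 2020 17:22:28 +0100
+Subject: [PATCH 18/24] sbus_server: stylistic rename
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Renamed sbus_server_name_remove_from_table() to
+sbus_server_name_remove_from_table_cb() to keep naming consistent
+with other functions used as `hash_delete_callback` argument of
+sss_ptr_hash_create()
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/sbus/server/sbus_server.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sbus/server/sbus_server.c b/src/sbus/server/sbus_server.c
+index 5405dae56..2b9327051 100644
+--- a/src/sbus/server/sbus_server.c
++++ b/src/sbus/server/sbus_server.c
+@@ -584,7 +584,7 @@ sbus_server_name_lost(struct sbus_server *server,
+ }
+ 
+ static void
+-sbus_server_name_remove_from_table(hash_entry_t *item,
++sbus_server_name_remove_from_table_cb(hash_entry_t *item,
+                                    hash_destroy_enum type,
+                                    void *pvt)
+ {
+@@ -676,7 +676,7 @@ sbus_server_create(TALLOC_CTX *mem_ctx,
+     }
+ 
+     sbus_server->names = sss_ptr_hash_create(sbus_server,
+-                    sbus_server_name_remove_from_table, sbus_server);
++                    sbus_server_name_remove_from_table_cb, sbus_server);
+     if (sbus_server->names == NULL) {
+         ret = ENOMEM;
+         goto done;
+-- 
+2.20.1
+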
@ -1,140 +0,0 @@
|
|||||||
From 0bf709ad348ca115443bd21e4e369abd5d7698c4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 29 Jun 2018 18:13:59 +0200
|
|
||||||
Subject: [PATCH 23/83] sysdb: add attr_map attribute to
|
|
||||||
sysdb_ldb_msg_attr_to_certmap_info()
|
|
||||||
|
|
||||||
Allow more flexible attribute mapping in
|
|
||||||
sysdb_ldb_msg_attr_to_certmap_info()
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/db/sysdb.h | 1 +
|
|
||||||
src/db/sysdb_certmap.c | 39 +++++++++++++++++++++++++++++++--------
|
|
||||||
2 files changed, 32 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
|
||||||
index cb04e1b..2187947 100644
|
|
||||||
--- a/src/db/sysdb.h
|
|
||||||
+++ b/src/db/sysdb.h
|
|
||||||
@@ -704,6 +704,7 @@ errno_t sysdb_update_certmap(struct sysdb_ctx *sysdb,
|
|
||||||
|
|
||||||
errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
|
||||||
struct ldb_message *msg,
|
|
||||||
+ const char **attr_map,
|
|
||||||
struct certmap_info **certmap);
|
|
||||||
|
|
||||||
errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
|
||||||
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
|
|
||||||
index 0bb7ebc..e37f1ba 100644
|
|
||||||
--- a/src/db/sysdb_certmap.c
|
|
||||||
+++ b/src/db/sysdb_certmap.c
|
|
||||||
@@ -263,8 +263,19 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+enum certmap_info_member {
|
|
||||||
+ SSS_CMIM_NAME = 0,
|
|
||||||
+ SSS_CMIM_MAPPING_RULE,
|
|
||||||
+ SSS_CMIM_MATCHING_RULE,
|
|
||||||
+ SSS_CMIM_PRIORITY,
|
|
||||||
+ SSS_CMIM_DOMAINS,
|
|
||||||
+
|
|
||||||
+ SSS_CMIM_SENTINEL
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
|
||||||
struct ldb_message *msg,
|
|
||||||
+ const char **attr_map,
|
|
||||||
struct certmap_info **certmap)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
@@ -275,13 +286,24 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
|
||||||
uint64_t tmp_uint;
|
|
||||||
struct ldb_message_element *tmp_el;
|
|
||||||
|
|
||||||
+ if (msg == NULL || attr_map == NULL || certmap == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid input.\n");
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (d = 0; d < SSS_CMIM_SENTINEL; d++) {
|
|
||||||
+ if (attr_map[d] == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid attribute map");
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
map = talloc_zero(mem_ctx, struct certmap_info);
|
|
||||||
if (map == NULL) {
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
|
|
||||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_NAME], NULL);
|
|
||||||
if (tmp_str == NULL) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE, "The object [%s] doesn't have a name.\n",
|
|
||||||
ldb_dn_get_linearized(msg->dn));
|
|
||||||
@@ -295,7 +317,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MAPPING_RULE,
|
|
||||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_MAPPING_RULE],
|
|
||||||
NULL);
|
|
||||||
if (tmp_str != NULL) {
|
|
||||||
map->map_rule = talloc_strdup(map, tmp_str);
|
|
||||||
@@ -306,7 +328,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CERTMAP_MATCHING_RULE,
|
|
||||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, attr_map[SSS_CMIM_MATCHING_RULE],
|
|
||||||
NULL);
|
|
||||||
if (tmp_str != NULL) {
|
|
||||||
map->match_rule = talloc_strdup(map, tmp_str);
|
|
||||||
@@ -317,7 +339,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- tmp_uint = ldb_msg_find_attr_as_uint64(msg, SYSDB_CERTMAP_PRIORITY,
|
|
||||||
+ tmp_uint = ldb_msg_find_attr_as_uint64(msg, attr_map[SSS_CMIM_PRIORITY],
|
|
||||||
(uint64_t) -1);
|
|
||||||
if (tmp_uint != (uint64_t) -1) {
|
|
||||||
if (tmp_uint > UINT32_MAX) {
|
|
||||||
@@ -332,7 +354,7 @@ errno_t sysdb_ldb_msg_attr_to_certmap_info(TALLOC_CTX *mem_ctx,
|
|
||||||
map->priority = SSS_CERTMAP_MIN_PRIO;
|
|
||||||
}
|
|
||||||
|
|
||||||
- tmp_el = ldb_msg_find_element(msg, SYSDB_CERTMAP_DOMAINS);
|
|
||||||
+ tmp_el = ldb_msg_find_element(msg, attr_map[SSS_CMIM_DOMAINS]);
|
|
||||||
if (tmp_el != NULL) {
|
|
||||||
num_values = tmp_el->num_values;
|
|
||||||
} else {
|
|
||||||
@@ -379,9 +401,9 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
|
||||||
TALLOC_CTX *tmp_ctx = NULL;
|
|
||||||
struct ldb_result *res;
|
|
||||||
const char *attrs[] = {SYSDB_NAME,
|
|
||||||
- SYSDB_CERTMAP_PRIORITY,
|
|
||||||
- SYSDB_CERTMAP_MATCHING_RULE,
|
|
||||||
SYSDB_CERTMAP_MAPPING_RULE,
|
|
||||||
+ SYSDB_CERTMAP_MATCHING_RULE,
|
|
||||||
+ SYSDB_CERTMAP_PRIORITY,
|
|
||||||
SYSDB_CERTMAP_DOMAINS,
|
|
||||||
NULL};
|
|
||||||
const char *config_attrs[] = {SYSDB_CERTMAP_USER_NAME_HINT,
|
|
||||||
@@ -434,7 +456,8 @@ errno_t sysdb_get_certmap(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
|
|
||||||
}
|
|
||||||
|
|
||||||
for (c = 0; c < res->count; c++) {
|
|
||||||
- ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], &maps[c]);
|
|
||||||
+ ret = sysdb_ldb_msg_attr_to_certmap_info(maps, res->msgs[c], attrs,
|
|
||||||
+ &maps[c]);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"sysdb_ldb_msg_attr_to_certmap_info failed.\n");
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,167 +0,0 @@
|
|||||||
From d9cc38008a51a8a5189904f175e4d10cbde4a974 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Mon, 2 Jul 2018 10:38:54 +0200
|
|
||||||
Subject: [PATCH 24/83] confdb: add confdb_certmap_to_sysdb()
|
|
||||||
|
|
||||||
Add a function to write certificate mapping and matching rules from the
|
|
||||||
config database to the cache of a domain.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/confdb/confdb.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
src/confdb/confdb.h | 23 +++++++++++++
|
|
||||||
2 files changed, 122 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
||||||
index 621647e..26415ca 100644
|
|
||||||
--- a/src/confdb/confdb.c
|
|
||||||
+++ b/src/confdb/confdb.c
|
|
||||||
@@ -2202,3 +2202,102 @@ done:
|
|
||||||
talloc_free(tmp_ctx);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct confdb_ctx *cdb,
|
|
||||||
+ struct sss_domain_info *dom,
|
|
||||||
+ struct certmap_info ***_certmap_list)
|
|
||||||
+{
|
|
||||||
+ TALLOC_CTX *tmp_ctx = NULL;
|
|
||||||
+ struct ldb_dn *dn = NULL;
|
|
||||||
+ struct ldb_result *res = NULL;
|
|
||||||
+ /* The attributte order is important, because it is used in
|
|
||||||
+ * sysdb_ldb_msg_attr_to_certmap_info and must match
|
|
||||||
+ * enum certmap_info_member. */
|
|
||||||
+ static const char *attrs[] = { CONFDB_CERTMAP_NAME,
|
|
||||||
+ CONFDB_CERTMAP_MAPRULE,
|
|
||||||
+ CONFDB_CERTMAP_MATCHRULE,
|
|
||||||
+ CONFDB_CERTMAP_PRIORITY,
|
|
||||||
+ CONFDB_CERTMAP_DOMAINS,
|
|
||||||
+ NULL};
|
|
||||||
+ struct certmap_info **certmap_list = NULL;
|
|
||||||
+ size_t c;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(NULL);
|
|
||||||
+ if (tmp_ctx == NULL) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ dn = ldb_dn_new_fmt(tmp_ctx, cdb->ldb, "cn=%s,%s", dom->name,
|
|
||||||
+ CONFDB_CERTMAP_BASEDN);
|
|
||||||
+ if (dn == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
|
|
||||||
+ attrs, NULL);
|
|
||||||
+ if (ret != LDB_SUCCESS) {
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ certmap_list = talloc_zero_array(tmp_ctx, struct certmap_info *,
|
|
||||||
+ res->count + 1);
|
|
||||||
+ if (certmap_list == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (c = 0; c < res->count; c++) {
|
|
||||||
+ ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
|
|
||||||
+ attrs, &certmap_list[c]);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sysdb_ldb_msg_attr_to_certmap_info failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *_certmap_list = talloc_steal(mem_ctx, certmap_list);
|
|
||||||
+
|
|
||||||
+ ret = EOK;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
|
|
||||||
+ struct sss_domain_info *dom)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ struct certmap_info **certmap_list;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(NULL);
|
|
||||||
+ if (tmp_ctx == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = confdb_get_all_certmaps(tmp_ctx, cdb, dom, &certmap_list);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_all_certmaps failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_update_certmap(dom->sysdb, certmap_list, false /* TODO */);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_certmap failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = EOK;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 2266501..2aae93a 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -265,6 +265,15 @@
|
|
||||||
#define CONFDB_KCM_SOCKET "socket_path"
|
|
||||||
#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */
|
|
||||||
|
|
||||||
+/* Certificate mapping rules */
|
|
||||||
+#define CONFDB_CERTMAP_BASEDN "cn=certmap,cn=config"
|
|
||||||
+#define CONFDB_CERTMAP_NAME "cn"
|
|
||||||
+#define CONFDB_CERTMAP_MAPRULE "maprule"
|
|
||||||
+#define CONFDB_CERTMAP_MATCHRULE "matchrule"
|
|
||||||
+#define CONFDB_CERTMAP_DOMAINS "domains"
|
|
||||||
+#define CONFDB_CERTMAP_PRIORITY "priority"
|
|
||||||
+
|
|
||||||
+
|
|
||||||
struct confdb_ctx;
|
|
||||||
struct config_file_ctx;
|
|
||||||
|
|
||||||
@@ -662,6 +671,20 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
|
|
||||||
const char *section,
|
|
||||||
char ***sections,
|
|
||||||
int *num_sections);
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * @brief Convenience function to write the certificate mapping and matching
|
|
||||||
+ * rules from the configuration database to the cache of a domain
|
|
||||||
+ *
|
|
||||||
+ * @param[in] cdb The connection object to the confdb
|
|
||||||
+ * @param[in] dom Target domain where to rules should be written to
|
|
||||||
+ *
|
|
||||||
+ * @return 0 - Successfully retrieved the entry (or used the default)
|
|
||||||
+ * @return ENOMEM - There was insufficient memory to complete the operation
|
|
||||||
+ * @return EINVAL - Typically internal processing error
|
|
||||||
+ */
|
|
||||||
+int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
|
|
||||||
+ struct sss_domain_info *dom);
|
|
||||||
/**
|
|
||||||
* @}
|
|
||||||
*/
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -0,0 +1,91 @@
|
|||||||
|
From adc7730a4e1b9721c93863a1b283457e9c02a3c5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Date: Thu, 23 Jan 2020 17:55:24 +0100
|
||||||
|
Subject: [PATCH 19/24] sss_ptr_hash: don't keep empty sss_ptr_hash_delete_data
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
There is no need to allocate memory for `sss_ptr_hash_delete_data`
|
||||||
|
if table user doesn't provide custom delete callback.
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/util/sss_ptr_hash.c | 36 ++++++++++++++++++++----------------
|
||||||
|
1 file changed, 20 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
|
||||||
|
index 8f9762cb9..f8addec1e 100644
|
||||||
|
--- a/src/util/sss_ptr_hash.c
|
||||||
|
+++ b/src/util/sss_ptr_hash.c
|
||||||
|
@@ -138,12 +138,6 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
|
||||||
|
struct sss_ptr_hash_value *value;
|
||||||
|
struct hash_entry_t callback_entry;
|
||||||
|
|
||||||
|
- data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
|
||||||
|
- if (data == NULL) {
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
value = talloc_get_type(item->value.ptr, struct sss_ptr_hash_value);
|
||||||
|
if (value == NULL) {
|
||||||
|
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value!\n");
|
||||||
|
@@ -157,8 +151,14 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
|
||||||
|
/* Free value, this also will disable spy */
|
||||||
|
talloc_free(value);
|
||||||
|
|
||||||
|
- /* Switch to the input value and call custom callback. */
|
||||||
|
- if (data->callback != NULL) {
|
||||||
|
+ if (pvt != NULL) {
|
||||||
|
+ /* Switch to the input value and call custom callback. */
|
||||||
|
+ data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
|
||||||
|
+ if (data == NULL) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
data->callback(&callback_entry, deltype, data->pvt);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -167,17 +167,19 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
|
||||||
|
hash_delete_callback *del_cb,
|
||||||
|
void *del_cb_pvt)
|
||||||
|
{
|
||||||
|
- struct sss_ptr_hash_delete_data *data;
|
||||||
|
+ struct sss_ptr_hash_delete_data *data = NULL;
|
||||||
|
hash_table_t *table;
|
||||||
|
errno_t ret;
|
||||||
|
|
||||||
|
- data = talloc_zero(NULL, struct sss_ptr_hash_delete_data);
|
||||||
|
- if (data == NULL) {
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
+ if (del_cb != NULL) {
|
||||||
|
+ data = talloc_zero(NULL, struct sss_ptr_hash_delete_data);
|
||||||
|
+ if (data == NULL) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- data->callback = del_cb;
|
||||||
|
- data->pvt = del_cb_pvt;
|
||||||
|
+ data->callback = del_cb;
|
||||||
|
+ data->pvt = del_cb_pvt;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
ret = sss_hash_create_ex(mem_ctx, 10, &table, 0, 0, 0, 0,
|
||||||
|
sss_ptr_hash_delete_cb, data);
|
||||||
|
@@ -188,7 +190,9 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- talloc_steal(table, data);
|
||||||
|
+ if (data != NULL) {
|
||||||
|
+ talloc_steal(table, data);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
return table;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -1,71 +0,0 @@
|
|||||||
From 15301db1dc1e5e2aafc1805a30e3b28756218c9b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Mon, 2 Jul 2018 12:20:53 +0200
|
|
||||||
Subject: [PATCH 25/83] AD/LDAP: read certificate mapping rules from config
|
|
||||||
file
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/ad/ad_init.c | 16 ++++++++++++++++
|
|
||||||
src/providers/ldap/ldap_init.c | 16 ++++++++++++++++
|
|
||||||
2 files changed, 32 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
|
|
||||||
index 637efb7..a908571 100644
|
|
||||||
--- a/src/providers/ad/ad_init.c
|
|
||||||
+++ b/src/providers/ad/ad_init.c
|
|
||||||
@@ -419,6 +419,22 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Failed to initialize certificate mapping rules. "
|
|
||||||
+ "Authentication with certificates/Smartcards might not work "
|
|
||||||
+ "as expected.\n");
|
|
||||||
+ /* not fatal, ignored */
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sdap_init_certmap(sdap_id_ctx, sdap_id_ctx);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Failed to initialized certificate mapping.\n");
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
|
|
||||||
index 44b3e9a..95e6561 100644
|
|
||||||
--- a/src/providers/ldap/ldap_init.c
|
|
||||||
+++ b/src/providers/ldap/ldap_init.c
|
|
||||||
@@ -438,6 +438,22 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx,
|
|
||||||
"[%d]: %s\n", ret, sss_strerror(ret));
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Failed to initialize certificate mapping rules. "
|
|
||||||
+ "Authentication with certificates/Smartcards might not work "
|
|
||||||
+ "as expected.\n");
|
|
||||||
+ /* not fatal, ignored */
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sdap_init_certmap(id_ctx, id_ctx);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Failed to initialized certificate mapping.\n");
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
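--- a/0020-sss_ptr_hash-sss_ptr_hash_delete-fix-optimization.patch
+++ b/0020-sss_ptr_hash-sss_ptr_hash_delete-fix-optimization.patch
@@ -0,0 +1,62 @@
+From d0eb88089b059bfe2da3bd1a3797b89d69119c29 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Thu, 23 Jan 2020 19:00:27 +0100
+Subject: [PATCH 20/24] sss_ptr_hash: sss_ptr_hash_delete fix/optimization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- no reason to skip hash_delete() just because sss_ptr_hash_lookup_internal()
+failed
+- avoid excessive lookup if it is not required to free payload
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+src/util/sss_ptr_hash.c | 17 +++++++++--------
+1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
+index f8addec1e..7326244e6 100644
+--- a/src/util/sss_ptr_hash.c
++++ b/src/util/sss_ptr_hash.c
+@@ -331,20 +331,21 @@ void sss_ptr_hash_delete(hash_table_t *table,
+struct sss_ptr_hash_value *value;
+hash_key_t table_key;
+int hret;
+- void *ptr;
++ void *payload;
+
+if (table == NULL || key == NULL) {
+return;
+}
+
+- value = sss_ptr_hash_lookup_internal(table, key);
+- if (value == NULL) {
+- /* Value not found. */
+- return;
++ if (free_value) {
++ value = sss_ptr_hash_lookup_internal(table, key);
++ if (value == NULL) {
++ free_value = false;
++ } else {
++ payload = value->ptr;
++ }
+}
+
+- ptr = value->ptr;
+-
+table_key.type = HASH_KEY_STRING;
+table_key.str = discard_const_p(char, key);
+
+@@ -357,7 +358,7 @@ void sss_ptr_hash_delete(hash_table_t *table,
+
+/* Also free the original value if requested. */
+if (free_value) {
+- talloc_free(ptr);
++ talloc_free(payload);
+}
+
+return;
+--
+2.20.1
+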
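Review bot: `+ void *payload;` on the new side is left uninitialized; it is assigned only in the `else` branch of the new `if (free_value)` block and read later under the second `if (free_value)`, so correctness rests on `free_value` being cleared on every path where the lookup fails, a non-local invariant that `-Wmaybe-uninitialized` may also flag. Initialising it, `void *payload = NULL;`, makes the invariant explicit at no cost, since `talloc_free(NULL)` is a no-op. The `hash_delete()` call that this function performs between the two hunks is outside the shown context, so the ordering of lookup, entry removal and `talloc_free(payload)` cannot be fully checked here; sss_ptr_hash_delete() starts and ends outside the hunks.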
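--- a/0021-sss_ptr_hash-removed-redundant-check.patch
+++ b/0021-sss_ptr_hash-removed-redundant-check.patch
@@ -0,0 +1,35 @@
+From 8cc2ce4e9060a71d441a377008fb2f567baa5d92 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Thu, 23 Jan 2020 20:07:41 +0100
+Subject: [PATCH 21/24] sss_ptr_hash: removed redundant check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+`sss_ptr_hash_check_type()` call would take care of this case.
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+src/util/sss_ptr_hash.c | 6 ------
+1 file changed, 6 deletions(-)
+
+diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
+index 7326244e6..bf111a613 100644
+--- a/src/util/sss_ptr_hash.c
++++ b/src/util/sss_ptr_hash.c
+@@ -268,12 +268,6 @@ sss_ptr_hash_lookup_internal(hash_table_t *table,
+return NULL;
+}
+
+- /* This may happen if we are in delete callback
+- * and we try to search the hash table. */
+- if (table_value.ptr == NULL) {
+- return NULL;
+- }
+-
+if (!sss_ptr_hash_check_type(table_value.ptr, "struct sss_ptr_hash_value")) {
+return NULL;
+}
+--
+2.20.1
+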
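Review bot: Dropping the `table_value.ptr == NULL` guard makes `sss_ptr_hash_check_type()` the only thing standing between a NULL pointer and the type check, and that helper is outside the hunk; `talloc_check_name()` does return NULL for a NULL pointer, but if the helper's failure branch formats the mismatch with `talloc_get_name(ptr)`, passing NULL there is not safe, so that path is worth confirming before the guard is relied upon. The removed comment also carried the only explanation of when this NULL occurs (a lookup made from inside the delete callback), and that knowledge should survive, e.g. `/* table_value.ptr is NULL when looked up from within the delete callback; sss_ptr_hash_check_type() must reject it. */` above the remaining check. The enclosing sss_ptr_hash_lookup_internal() starts and ends outside the hunk.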
@ -1,32 +0,0 @@
|
|||||||
From 06f7005d38d164879b727708feff80004b422f91 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 3 Jul 2018 11:31:12 +0200
|
|
||||||
Subject: [PATCH 26/83] sysdb: sysdb_certmap_add() handle domains more flexible
|
|
||||||
|
|
||||||
sysdb_ldb_msg_attr_to_certmap_info() creates an empty list if there are
|
|
||||||
no domains defined, sysdb_certmap_add() should be able to handle both a
|
|
||||||
missing or an empty domains list.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/db/sysdb_certmap.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
|
|
||||||
index e37f1ba..0bcc54c 100644
|
|
||||||
--- a/src/db/sysdb_certmap.c
|
|
||||||
+++ b/src/db/sysdb_certmap.c
|
|
||||||
@@ -131,7 +131,7 @@ static errno_t sysdb_certmap_add(struct sysdb_ctx *sysdb,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (certmap->domains != NULL) {
|
|
||||||
+ if (certmap->domains != NULL && certmap->domains[0] != NULL) {
|
|
||||||
for (c = 0; certmap->domains[c] != NULL; c++);
|
|
||||||
el = talloc_zero(tmp_ctx, struct ldb_message_element);
|
|
||||||
if (el == NULL) {
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,131 +0,0 @@
|
|||||||
From 9386ef605ffbc03abe2bc273efddbc099441fe3b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 6 Jul 2018 15:17:10 +0200
|
|
||||||
Subject: [PATCH 27/83] confdb: add special handling for rules for the files
|
|
||||||
provider
|
|
||||||
|
|
||||||
To make the configuration more simple there are some special assumption
|
|
||||||
for local users, i.e. user managed by the files provider.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/confdb/confdb.c | 59 ++++++++++++++++++++++++++++++++++++++++
|
|
||||||
src/confdb/confdb.h | 1 +
|
|
||||||
src/providers/files/files_init.c | 10 +++++++
|
|
||||||
3 files changed, 70 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
||||||
index 26415ca..954c3ba 100644
|
|
||||||
--- a/src/confdb/confdb.c
|
|
||||||
+++ b/src/confdb/confdb.c
|
|
||||||
@@ -2203,6 +2203,56 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static errno_t certmap_local_check(struct ldb_message *msg)
|
|
||||||
+{
|
|
||||||
+ const char *rule_name;
|
|
||||||
+ const char *tmp_str;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ rule_name = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_NAME, NULL);
|
|
||||||
+ if (rule_name == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certficate mapping rule [%s] has no name.",
|
|
||||||
+ ldb_dn_get_linearized(msg->dn));
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_DOMAINS, NULL);
|
|
||||||
+ if (tmp_str != NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
||||||
+ "Option [%s] is ignored for local certmap rules.\n",
|
|
||||||
+ CONFDB_CERTMAP_DOMAINS);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tmp_str = ldb_msg_find_attr_as_string(msg, CONFDB_CERTMAP_MAPRULE, NULL);
|
|
||||||
+ if (tmp_str != NULL) {
|
|
||||||
+ if (tmp_str[0] != '(' || tmp_str[strlen(tmp_str) - 1] != ')') {
|
|
||||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
||||||
+ "Mapping rule must be in braces (...).\n");
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] mapping rule of [%s].\n",
|
|
||||||
+ tmp_str, ldb_dn_get_linearized(msg->dn));
|
|
||||||
+ return EOK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tmp_str = talloc_asprintf(msg, "(%s)", rule_name);
|
|
||||||
+ if (tmp_str == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+ ret = ldb_msg_add_string(msg, CONFDB_CERTMAP_MAPRULE, tmp_str);
|
|
||||||
+ if (ret != LDB_SUCCESS) {
|
|
||||||
+ talloc_free(discard_const(tmp_str));
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n");
|
|
||||||
+ return EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "Using [%s] as mapping rule for [%s].\n",
|
|
||||||
+ tmp_str, ldb_dn_get_linearized(msg->dn));
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
|
|
||||||
struct confdb_ctx *cdb,
|
|
||||||
struct sss_domain_info *dom,
|
|
||||||
@@ -2251,6 +2301,15 @@ static errno_t confdb_get_all_certmaps(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
for (c = 0; c < res->count; c++) {
|
|
||||||
+ if (is_files_provider(dom)) {
|
|
||||||
+ ret = certmap_local_check(res->msgs[c]);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
||||||
+ "Invalid certificate mapping [%s] for local user, "
|
|
||||||
+ "ignored.\n", ldb_dn_get_linearized(res->msgs[c]->dn));
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
ret = sysdb_ldb_msg_attr_to_certmap_info(certmap_list, res->msgs[c],
|
|
||||||
attrs, &certmap_list[c]);
|
|
||||||
if (ret != EOK) {
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 2aae93a..625d156 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -685,6 +685,7 @@ int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
|
|
||||||
*/
|
|
||||||
int confdb_certmap_to_sysdb(struct confdb_ctx *cdb,
|
|
||||||
struct sss_domain_info *dom);
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* @}
|
|
||||||
*/
|
|
||||||
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
|
|
||||||
index 746c04a..c793bed 100644
|
|
||||||
--- a/src/providers/files/files_init.c
|
|
||||||
+++ b/src/providers/files/files_init.c
|
|
||||||
@@ -189,6 +189,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = confdb_certmap_to_sysdb(be_ctx->cdb, be_ctx->domain);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Failed to initialize certificate mapping rules. "
|
|
||||||
+ "Authentication with certificates/Smartcards might not work "
|
|
||||||
+ "as expected.\n");
|
|
||||||
+ /* not fatal, ignored */
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+
|
|
||||||
*_module_data = ctx;
|
|
||||||
ret = EOK;
|
|
||||||
done:
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
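--- a/0022-sss_ptr_hash-fixed-memory-leak.patch
+++ b/0022-sss_ptr_hash-fixed-memory-leak.patch
@@ -0,0 +1,53 @@
+From 4bc0c2c7833dd643fc1137daf6519670c05c3736 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Thu, 23 Jan 2020 21:11:16 +0100
+Subject: [PATCH 22/24] sss_ptr_hash: fixed memory leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case `override` check was failed in _sss_ptr_hash_add()
+`value` was leaking.
+Fixed to do `override` check before value allocation.
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+src/util/sss_ptr_hash.c | 14 +++++++-------
+1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
+index bf111a613..114b6edeb 100644
+--- a/src/util/sss_ptr_hash.c
++++ b/src/util/sss_ptr_hash.c
+@@ -217,21 +217,21 @@ errno_t _sss_ptr_hash_add(hash_table_t *table,
+return ERR_INVALID_DATA_TYPE;
+}
+
++ table_key.type = HASH_KEY_STRING;
++ table_key.str = discard_const_p(char, key);
++
++ if (override == false && hash_has_key(table, &table_key)) {
++ return EEXIST;
++ }
++
+value = sss_ptr_hash_value_create(table, key, talloc_ptr);
+if (value == NULL) {
+return ENOMEM;
+}
+
+- table_key.type = HASH_KEY_STRING;
+- table_key.str = discard_const_p(char, key);
+-
+table_value.type = HASH_VALUE_PTR;
+table_value.ptr = value;
+
+- if (override == false && hash_has_key(table, &table_key)) {
+- return EEXIST;
+- }
+-
+hret = hash_enter(table, &table_key, &table_value);
+if (hret != HASH_SUCCESS) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add key %s!\n", key);
+--
+2.20.1
+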
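Review bot: Moving the `override`/`hash_has_key()` check ahead of `sss_ptr_hash_value_create()` closes the EEXIST leak, but the other early exit in this function, the `hret != HASH_SUCCESS` branch after `hash_enter()`, is cut off at the end of the hunk, so whether `value` is released on that path cannot be confirmed from this context and deserves the same scrutiny. As a point of style, `if (override == false && ...)` reads more naturally as `if (!override && hash_has_key(table, &table_key)) {` now that the line is being moved anyway. The enclosing _sss_ptr_hash_add() starts and ends outside the hunk.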
@ -1,414 +0,0 @@
|
|||||||
From 275eeed24adc31f3df51cf278f509a4be76a3a3c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Mon, 9 Jul 2018 18:37:46 +0200
|
|
||||||
Subject: [PATCH 28/83] files: add support for Smartcard authentication
|
|
||||||
|
|
||||||
To support certificate based authentication the files provider must be
|
|
||||||
able to map a certificate to a user during a BE_REQ_BY_CERT request.
|
|
||||||
|
|
||||||
Additionally the authentication request should be handled by the PAM
|
|
||||||
responder code which is responsible for the local Smartcard
|
|
||||||
authentication. To be consistent with the other backend an authentication
|
|
||||||
handler is added to the files provider which unconditionally returns the
|
|
||||||
offline error code telling the PAM responder to handle the
|
|
||||||
authentication if it has access to the needed credentials.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
Makefile.am | 2 +
|
|
||||||
src/providers/files/files_auth.c | 69 +++++++++++++
|
|
||||||
src/providers/files/files_certmap.c | 186 ++++++++++++++++++++++++++++++++++++
|
|
||||||
src/providers/files/files_id.c | 20 ++++
|
|
||||||
src/providers/files/files_init.c | 21 +++-
|
|
||||||
src/providers/files/files_private.h | 17 ++++
|
|
||||||
6 files changed, 314 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 src/providers/files/files_auth.c
|
|
||||||
create mode 100644 src/providers/files/files_certmap.c
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index deb9ce3..3667856 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -4285,6 +4285,8 @@ libsss_proxy_la_LDFLAGS = \
|
|
||||||
libsss_files_la_SOURCES = \
|
|
||||||
src/providers/files/files_init.c \
|
|
||||||
src/providers/files/files_id.c \
|
|
||||||
+ src/providers/files/files_auth.c \
|
|
||||||
+ src/providers/files/files_certmap.c \
|
|
||||||
src/providers/files/files_ops.c \
|
|
||||||
src/util/inotify.c \
|
|
||||||
$(NULL)
|
|
||||||
diff --git a/src/providers/files/files_auth.c b/src/providers/files/files_auth.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..b71de69
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/providers/files/files_auth.c
|
|
||||||
@@ -0,0 +1,69 @@
|
|
||||||
+/*
|
|
||||||
+ SSSD
|
|
||||||
+
|
|
||||||
+ files_auth.c - PAM operations on the files provider
|
|
||||||
+
|
|
||||||
+ Copyright (C) 2018 Red Hat
|
|
||||||
+
|
|
||||||
+ This program is free software; you can redistribute it and/or modify
|
|
||||||
+ it under the terms of the GNU General Public License as published by
|
|
||||||
+ the Free Software Foundation; either version 3 of the License, or
|
|
||||||
+ (at your option) any later version.
|
|
||||||
+
|
|
||||||
+ This program is distributed in the hope that it will be useful,
|
|
||||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+ GNU General Public License for more details.
|
|
||||||
+
|
|
||||||
+ You should have received a copy of the GNU General Public License
|
|
||||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+*/
|
|
||||||
+
|
|
||||||
+#include <security/pam_modules.h>
|
|
||||||
+
|
|
||||||
+#include "providers/data_provider/dp.h"
|
|
||||||
+#include "providers/data_provider.h"
|
|
||||||
+#include "providers/files/files_private.h"
|
|
||||||
+#include "util/cert.h"
|
|
||||||
+
|
|
||||||
+struct files_auth_ctx {
|
|
||||||
+ struct pam_data *pd;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+struct tevent_req *
|
|
||||||
+files_auth_handler_send(TALLOC_CTX *mem_ctx,
|
|
||||||
+ void *unused,
|
|
||||||
+ struct pam_data *pd,
|
|
||||||
+ struct dp_req_params *params)
|
|
||||||
+{
|
|
||||||
+ struct files_auth_ctx *state;
|
|
||||||
+ struct tevent_req *req;
|
|
||||||
+
|
|
||||||
+ req = tevent_req_create(mem_ctx, &state, struct files_auth_ctx);
|
|
||||||
+ if (req == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ state->pd = pd;
|
|
||||||
+ state->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
|
||||||
+
|
|
||||||
+ tevent_req_done(req);
|
|
||||||
+ tevent_req_post(req, params->ev);
|
|
||||||
+ return req;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct tevent_req *req,
|
|
||||||
+ struct pam_data **_data)
|
|
||||||
+{
|
|
||||||
+ struct files_auth_ctx *state = NULL;
|
|
||||||
+
|
|
||||||
+ state = tevent_req_data(req, struct files_auth_ctx);
|
|
||||||
+
|
|
||||||
+ TEVENT_REQ_RETURN_ON_ERROR(req);
|
|
||||||
+
|
|
||||||
+ *_data = talloc_steal(mem_ctx, state->pd);
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
+}
|
|
||||||
diff --git a/src/providers/files/files_certmap.c b/src/providers/files/files_certmap.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..7d90a1f
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/providers/files/files_certmap.c
|
|
||||||
@@ -0,0 +1,186 @@
|
|
||||||
+/*
|
|
||||||
+ SSSD
|
|
||||||
+
|
|
||||||
+ files_init.c - Initialization of the files provider
|
|
||||||
+
|
|
||||||
+ Copyright (C) 2018 Red Hat
|
|
||||||
+
|
|
||||||
+ This program is free software; you can redistribute it and/or modify
|
|
||||||
+ it under the terms of the GNU General Public License as published by
|
|
||||||
+ the Free Software Foundation; either version 3 of the License, or
|
|
||||||
+ (at your option) any later version.
|
|
||||||
+
|
|
||||||
+ This program is distributed in the hope that it will be useful,
|
|
||||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+ GNU General Public License for more details.
|
|
||||||
+
|
|
||||||
+ You should have received a copy of the GNU General Public License
|
|
||||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+*/
|
|
||||||
+
|
|
||||||
+#include "providers/files/files_private.h"
|
|
||||||
+#include "util/util.h"
|
|
||||||
+#include "util/cert.h"
|
|
||||||
+#include "lib/certmap/sss_certmap.h"
|
|
||||||
+
|
|
||||||
+struct priv_sss_debug {
|
|
||||||
+ int level;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static void ext_debug(void *private, const char *file, long line,
|
|
||||||
+ const char *function, const char *format, ...)
|
|
||||||
+{
|
|
||||||
+ va_list ap;
|
|
||||||
+ struct priv_sss_debug *data = private;
|
|
||||||
+ int level = SSSDBG_OP_FAILURE;
|
|
||||||
+
|
|
||||||
+ if (data != NULL) {
|
|
||||||
+ level = data->level;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (DEBUG_IS_SET(level)) {
|
|
||||||
+ va_start(ap, format);
|
|
||||||
+ sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED,
|
|
||||||
+ format, ap);
|
|
||||||
+ va_end(ap);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+ bool hint;
|
|
||||||
+ struct certmap_info **certmap_list = NULL;
|
|
||||||
+ size_t c;
|
|
||||||
+
|
|
||||||
+ ret = sysdb_get_certmap(mem_ctx, id_ctx->be->domain->sysdb,
|
|
||||||
+ &certmap_list, &hint);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (certmap_list == NULL || *certmap_list == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "No certmap data, nothing to do.\n");
|
|
||||||
+ ret = EOK;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sss_certmap_init(mem_ctx, ext_debug, NULL, &id_ctx->sss_certmap_ctx);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (c = 0; certmap_list[c] != NULL; c++) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n",
|
|
||||||
+ certmap_list[c]->name,
|
|
||||||
+ certmap_list[c]->priority,
|
|
||||||
+ certmap_list[c]->match_rule,
|
|
||||||
+ certmap_list[c]->map_rule);
|
|
||||||
+
|
|
||||||
+ ret = sss_certmap_add_rule(id_ctx->sss_certmap_ctx,
|
|
||||||
+ certmap_list[c]->priority,
|
|
||||||
+ certmap_list[c]->match_rule,
|
|
||||||
+ certmap_list[c]->map_rule,
|
|
||||||
+ certmap_list[c]->domains);
|
|
||||||
+ if (ret != 0) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "sss_certmap_add_rule failed for rule [%s] "
|
|
||||||
+ "with error [%d][%s], skipping. "
|
|
||||||
+ "Please check for typos and if rule syntax is supported.\n",
|
|
||||||
+ certmap_list[c]->name, ret, sss_strerror(ret));
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = EOK;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(certmap_list);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx,
|
|
||||||
+ struct dp_id_data *data)
|
|
||||||
+{
|
|
||||||
+ errno_t ret;
|
|
||||||
+ char *filter;
|
|
||||||
+ char *user;
|
|
||||||
+ struct ldb_message *msg = NULL;
|
|
||||||
+ struct sysdb_attrs *attrs = NULL;
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(NULL);
|
|
||||||
+ if (tmp_ctx == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sss_cert_derb64_to_ldap_filter(tmp_ctx, data->filter_value, "",
|
|
||||||
+ id_ctx->sss_certmap_ctx,
|
|
||||||
+ id_ctx->domain, &filter);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sss_cert_derb64_to_ldap_filter failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ if (filter == NULL || filter[0] != '('
|
|
||||||
+ || filter[strlen(filter) - 1] != ')') {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sss_cert_derb64_to_ldap_filter returned bad filter [%s].\n",
|
|
||||||
+ filter);
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ filter[strlen(filter) - 1] = '\0';
|
|
||||||
+ user = sss_create_internal_fqname(tmp_ctx, &filter[1],
|
|
||||||
+ id_ctx->domain->name);
|
|
||||||
+ if (user == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed.\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapped to user: [%s].\n", user);
|
|
||||||
+
|
|
||||||
+ ret = sysdb_search_user_by_name(tmp_ctx, id_ctx->domain, user, NULL, &msg);
|
|
||||||
+ if (ret == EOK) {
|
|
||||||
+ attrs = sysdb_new_attrs(tmp_ctx);
|
|
||||||
+ if (attrs == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_MAPPED_CERT,
|
|
||||||
+ data->filter_value);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_set_entry_attr(id_ctx->domain->sysdb, msg->dn, attrs,
|
|
||||||
+ SYSDB_MOD_ADD);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ } else if (ret == ENOENT) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "Mapped user [%s] not found.\n", user);
|
|
||||||
+ ret = EOK;
|
|
||||||
+ goto done;
|
|
||||||
+ } else {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = EOK;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
diff --git a/src/providers/files/files_id.c b/src/providers/files/files_id.c
|
|
||||||
index 41314c6..f6f8c73 100644
|
|
||||||
--- a/src/providers/files/files_id.c
|
|
||||||
+++ b/src/providers/files/files_id.c
|
|
||||||
@@ -87,6 +87,26 @@ files_account_info_handler_send(TALLOC_CTX *mem_ctx,
|
|
||||||
? true \
|
|
||||||
: false;
|
|
||||||
break;
|
|
||||||
+ case BE_REQ_BY_CERT:
|
|
||||||
+ if (data->filter_type != BE_FILTER_CERT) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Unexpected filter type for lookup by cert: %d\n",
|
|
||||||
+ data->filter_type);
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto immediate;
|
|
||||||
+ }
|
|
||||||
+ if (id_ctx->sss_certmap_ctx == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "Certificate mapping not configured.\n");
|
|
||||||
+ ret = EOK;
|
|
||||||
+ goto immediate;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = files_map_cert_to_user(id_ctx, data);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "files_map_cert_to_user failed");
|
|
||||||
+ }
|
|
||||||
+ goto immediate;
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
"Unexpected entry type: %d\n", data->entry_type & BE_REQ_TYPE_MASK);
|
|
||||||
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
|
|
||||||
index c793bed..1ce4bcf 100644
|
|
||||||
--- a/src/providers/files/files_init.c
|
|
||||||
+++ b/src/providers/files/files_init.c
|
|
||||||
@@ -196,9 +196,16 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
|
|
||||||
"Authentication with certificates/Smartcards might not work "
|
|
||||||
"as expected.\n");
|
|
||||||
/* not fatal, ignored */
|
|
||||||
+ } else {
|
|
||||||
+ ret = files_init_certmap(ctx, ctx);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "files_init_certmap failed. "
|
|
||||||
+ "Authentication with certificates/Smartcards might not work "
|
|
||||||
+ "as expected.\n");
|
|
||||||
+ /* not fatal, ignored */
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
-
|
|
||||||
*_module_data = ctx;
|
|
||||||
ret = EOK;
|
|
||||||
done:
|
|
||||||
@@ -234,3 +241,15 @@ int sssm_files_id_init(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+int sssm_files_auth_init(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct be_ctx *be_ctx,
|
|
||||||
+ void *module_data,
|
|
||||||
+ struct dp_method *dp_methods)
|
|
||||||
+{
|
|
||||||
+ dp_set_method(dp_methods, DPM_AUTH_HANDLER,
|
|
||||||
+ files_auth_handler_send, files_auth_handler_recv, NULL, void,
|
|
||||||
+ struct pam_data, struct pam_data *);
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
+}
|
|
||||||
diff --git a/src/providers/files/files_private.h b/src/providers/files/files_private.h
|
|
||||||
index f44e6d4..fd17819 100644
|
|
||||||
--- a/src/providers/files/files_private.h
|
|
||||||
+++ b/src/providers/files/files_private.h
|
|
||||||
@@ -38,6 +38,7 @@ struct files_id_ctx {
|
|
||||||
struct be_ctx *be;
|
|
||||||
struct sss_domain_info *domain;
|
|
||||||
struct files_ctx *fctx;
|
|
||||||
+ struct sss_certmap_ctx *sss_certmap_ctx;
|
|
||||||
|
|
||||||
const char **passwd_files;
|
|
||||||
const char **group_files;
|
|
||||||
@@ -71,4 +72,20 @@ errno_t files_account_info_handler_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
void files_account_info_finished(struct files_id_ctx *id_ctx,
|
|
||||||
int req_type,
|
|
||||||
errno_t ret);
|
|
||||||
+
|
|
||||||
+/* files_auth.c */
|
|
||||||
+struct tevent_req *files_auth_handler_send(TALLOC_CTX *mem_ctx,
|
|
||||||
+ void *unused,
|
|
||||||
+ struct pam_data *pd,
|
|
||||||
+ struct dp_req_params *params);
|
|
||||||
+
|
|
||||||
+errno_t files_auth_handler_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct tevent_req *req,
|
|
||||||
+ struct pam_data **_data);
|
|
||||||
+
|
|
||||||
+/* files_certmap.c */
|
|
||||||
+errno_t files_init_certmap(TALLOC_CTX *mem_ctx, struct files_id_ctx *id_ctx);
|
|
||||||
+
|
|
||||||
+errno_t files_map_cert_to_user(struct files_id_ctx *id_ctx,
|
|
||||||
+ struct dp_id_data *data);
|
|
||||||
#endif /* __FILES_PRIVATE_H_ */
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
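--- /dev/null
+++ b/0023-sss_ptr_hash-internal-refactoring.patch
@@ -0,0 +1,366 @@
+From 0bb1289252eec972ea26721a92adc7db47383f76 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 24 Jan 2020 23:57:39 +0100
+Subject: [PATCH 23/24] sss_ptr_hash: internal refactoring
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+sss_ptr_hash code was refactored:
+- got rid of a "spy" to make logic cleaner
+- table got destructor to wipe its content
+- described some usage limitation in the documentation
+
+And resolves: https://pagure.io/SSSD/sssd/issue/4135
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+src/util/sss_ptr_hash.c | 183 +++++++++++++++++-----------------------
+src/util/sss_ptr_hash.h | 17 +++-
+2 files changed, 91 insertions(+), 109 deletions(-)
+
+diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
+index 114b6edeb..6409236c7 100644
+--- a/src/util/sss_ptr_hash.c
++++ b/src/util/sss_ptr_hash.c
+@@ -39,67 +39,35 @@ static bool sss_ptr_hash_check_type(void *ptr, const char *type)
+return true;
+}
+
++static int sss_ptr_hash_table_destructor(hash_table_t *table)
++{
++ sss_ptr_hash_delete_all(table, false);
++ return 0;
++}
++
+struct sss_ptr_hash_delete_data {
+hash_delete_callback *callback;
+void *pvt;
+};
+
+struct sss_ptr_hash_value {
+- struct sss_ptr_hash_spy *spy;
+- void *ptr;
+-};
+-
+-struct sss_ptr_hash_spy {
+- struct sss_ptr_hash_value *value;
+hash_table_t *table;
+const char *key;
++ void *payload;
+};
+
+-static int
+-sss_ptr_hash_spy_destructor(struct sss_ptr_hash_spy *spy)
+-{
+- spy->value->spy = NULL;
+-
+- /* This results in removing entry from hash table and freeing the value. */
+- sss_ptr_hash_delete(spy->table, spy->key, false);
+-
+- return 0;
+-}
+-
+-static struct sss_ptr_hash_spy *
+-sss_ptr_hash_spy_create(TALLOC_CTX *mem_ctx,
+- hash_table_t *table,
+- const char *key,
+- struct sss_ptr_hash_value *value)
+-{
+- struct sss_ptr_hash_spy *spy;
+-
+- spy = talloc_zero(mem_ctx, struct sss_ptr_hash_spy);
+- if (spy == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
+- return NULL;
+- }
+-
+- spy->key = talloc_strdup(spy, key);
+- if (spy->key == NULL) {
+- talloc_free(spy);
+- return NULL;
+- }
+-
+- spy->table = table;
+- spy->value = value;
+- talloc_set_destructor(spy, sss_ptr_hash_spy_destructor);
+-
+- return spy;
+-}
+-
+static int
+sss_ptr_hash_value_destructor(struct sss_ptr_hash_value *value)
+{
+- if (value->spy != NULL) {
+- /* Disable spy destructor and free it. */
+- talloc_set_destructor(value->spy, NULL);
+- talloc_zfree(value->spy);
++ hash_key_t table_key;
++
++ if (value->table && value->key) {
++ table_key.type = HASH_KEY_STRING;
++ table_key.str = discard_const_p(char, value->key);
++ if (hash_delete(value->table, &table_key) != HASH_SUCCESS) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "failed to delete entry with key '%s'\n", value->key);
++ }
+}
+
+return 0;
+@@ -112,18 +80,19 @@ sss_ptr_hash_value_create(hash_table_t *table,
+{
+struct sss_ptr_hash_value *value;
+
+- value = talloc_zero(table, struct sss_ptr_hash_value);
++ value = talloc_zero(talloc_ptr, struct sss_ptr_hash_value);
+if (value == NULL) {
+return NULL;
+}
+
+- value->spy = sss_ptr_hash_spy_create(talloc_ptr, table, key, value);
+- if (value->spy == NULL) {
++ value->key = talloc_strdup(value, key);
++ if (value->key == NULL) {
+talloc_free(value);
+return NULL;
+}
+
+- value->ptr = talloc_ptr;
++ value->table = table;
++ value->payload = talloc_ptr;
+talloc_set_destructor(value, sss_ptr_hash_value_destructor);
+
+return value;
+@@ -138,29 +107,31 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
+struct sss_ptr_hash_value *value;
+struct hash_entry_t callback_entry;
+
++ if (pvt == NULL) {
++ return;
++ }
++
+value = talloc_get_type(item->value.ptr, struct sss_ptr_hash_value);
+if (value == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value!\n");
+return;
+}
+
++ /* Switch to the input value and call custom callback. */
++ data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
++ if (data == NULL) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
++ return;
++ }
++
+callback_entry.key = item->key;
+callback_entry.value.type = HASH_VALUE_PTR;
+- callback_entry.value.ptr = value->ptr;
+-
+- /* Free value, this also will disable spy */
+- talloc_free(value);
+-
+- if (pvt != NULL) {
+- /* Switch to the input value and call custom callback. */
+- data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data);
+- if (data == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n");
+- return;
+- }
+-
+- data->callback(&callback_entry, deltype, data->pvt);
+- }
++ callback_entry.value.ptr = value->payload;
++ /* Even if execution is already in the context of
++ * talloc_free(payload) -> talloc_free(value) -> ...
++ * there still might be legitimate reasons to execute callback.
++ */
++ data->callback(&callback_entry, deltype, data->pvt);
+}
+
+hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
+@@ -194,6 +165,8 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
+talloc_steal(table, data);
+}
+
++ talloc_set_destructor(table, sss_ptr_hash_table_destructor);
++
+return table;
+}
+
+@@ -282,15 +255,15 @@ void *_sss_ptr_hash_lookup(hash_table_t *table,
+struct sss_ptr_hash_value *value;
+
+value = sss_ptr_hash_lookup_internal(table, key);
+- if (value == NULL || value->ptr == NULL) {
++ if (value == NULL || value->payload == NULL) {
+return NULL;
+}
+
+- if (!sss_ptr_hash_check_type(value->ptr, type)) {
++ if (!sss_ptr_hash_check_type(value->payload, type)) {
+return NULL;
+}
+
+- return value->ptr;
++ return value->payload;
+}
+
+void *_sss_ptr_get_value(hash_value_t *table_value,
+@@ -311,11 +284,11 @@ void *_sss_ptr_get_value(hash_value_t *table_value,
+
+value = table_value->ptr;
+
+- if (!sss_ptr_hash_check_type(value->ptr, type)) {
++ if (!sss_ptr_hash_check_type(value->payload, type)) {
+return NULL;
+}
+
+- return value->ptr;
++ return value->payload;
+}
+
+void sss_ptr_hash_delete(hash_table_t *table,
+@@ -323,74 +296,70 @@ void sss_ptr_hash_delete(hash_table_t *table,
+bool free_value)
+{
+struct sss_ptr_hash_value *value;
+- hash_key_t table_key;
+- int hret;
+- void *payload;
++ void *payload = NULL;
+
+if (table == NULL || key == NULL) {
+return;
+}
+
+- if (free_value) {
+- value = sss_ptr_hash_lookup_internal(table, key);
+- if (value == NULL) {
+- free_value = false;
+- } else {
+- payload = value->ptr;
+- }
+- }
+-
+- table_key.type = HASH_KEY_STRING;
+- table_key.str = discard_const_p(char, key);
+-
+- /* Delete table entry. This will free value and spy in delete callback. */
+- hret = hash_delete(table, &table_key);
+- if (hret != HASH_SUCCESS && hret != HASH_ERROR_KEY_NOT_FOUND) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to remove key from table [%d]\n",
+- hret);
++ value = sss_ptr_hash_lookup_internal(table, key);
++ if (value == NULL) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Unable to remove key '%s' from table\n", key);
++ return;
+}
+
+- /* Also free the original value if requested. */
+if (free_value) {
+- talloc_free(payload);
++ payload = value->payload;
+}
+
++ talloc_free(value); /* this will call hash_delete() in value d-tor */
++
++ talloc_free(payload); /* it is safe to call talloc_free(NULL) */
++
+return;
+}
+
+void sss_ptr_hash_delete_all(hash_table_t *table,
+bool free_values)
+{
++ hash_value_t *content;
+struct sss_ptr_hash_value *value;
+- hash_value_t *values;
++ void *payload = NULL;
+unsigned long count;
+unsigned long i;
+int hret;
+- void *ptr;
+
+if (table == NULL) {
+return;
+}
+
+- hret = hash_values(table, &count, &values);
++ hret = hash_values(table, &count, &content);
+if (hret != HASH_SUCCESS) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get values [%d]\n", hret);
+return;
+}
+
+- for (i = 0; i < count; i++) {
+- value = values[i].ptr;
+- ptr = value->ptr;
+-
+- /* This will remove the entry from hash table and free value. */
+- talloc_free(value->spy);
+-
+- if (free_values) {
+- /* Also free the original value. */
+- talloc_free(ptr);
++ for (i = 0; i < count; ++i) {
++ if ((content[i].type == HASH_VALUE_PTR) &&
++ sss_ptr_hash_check_type(content[i].ptr,
++ "struct sss_ptr_hash_value")) {
++ value = content[i].ptr;
++ if (free_values) {
++ payload = value->payload;
++ }
++ talloc_free(value);
++ if (free_values) {
++ talloc_free(payload); /* it's safe to call talloc_free(NULL) */
++ }
++ } else {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Unexpected type of table content, skipping");
+}
+}
+
++ talloc_free(content);
++
+return;
+}
+
+diff --git a/src/util/sss_ptr_hash.h b/src/util/sss_ptr_hash.h
+index 56bb19a65..0889b171a 100644
+--- a/src/util/sss_ptr_hash.h
++++ b/src/util/sss_ptr_hash.h
+@@ -28,7 +28,19 @@
+
+/**
+* Create a new hash table with string key and talloc pointer value with
+- * possible delete callback.
++ * possible custom delete callback @del_cb.
++ * Table will have destructor setup to wipe content.
++ * Never call hash_destroy(table) and hash_delete() explicitly but rather
++ * use talloc_free(table) and sss_ptr_hash_delete().
++ *
++ * A notes about @del_cb:
++ * - this callback must never modify hash table (i.e. add/del entries);
++ * - this callback is triggered when value is either explicitly removed
++ * from the table or simply freed (latter leads to removal of an entry
++ * from the table);
++ * - this callback is also triggered for every entry when table is freed
++ * entirely. In this case (deltype == HASH_TABLE_DESTROY) any table
++ * lookups / iteration are forbidden as table might be already invalidated.
+*/
+hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
+hash_delete_callback *del_cb,
+@@ -41,7 +53,8 @@ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
+* the value is overridden. Otherwise EEXIST error is returned.
+*
+* If talloc_ptr is freed the key and value are automatically
+- * removed from the hash table.
++ * removed from the hash table (del_cb that was set up during
++ * table creation is executed as a first step of this removal).
+*
+* @return EOK If the <@key, @talloc_ptr> pair was inserted.
+* @return EEXIST If @key already exists and @override is false.
+--
+2.20.1
+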
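Review bot: `sss_ptr_hash_delete` hands the payload to `del_cb` before it frees it: `talloc_free(value)` runs `hash_delete()` from the value destructor, which the table reports through `sss_ptr_hash_delete_cb` and thus to `del_cb` with `value->payload`, and only afterwards `talloc_free(payload)` is executed when `free_value` is true (the same order applies in `sss_ptr_hash_delete_all`). A `del_cb` that frees the payload itself, as the callback in the accompanying unit test does, therefore double-frees it whenever the caller also passes `free_value(s) == true`; the new header comment lists rules for `del_cb` but not this one, and I would add ` * - if @del_cb frees the payload itself, callers must pass free_value(s) == false to sss_ptr_hash_delete()/sss_ptr_hash_delete_all(), otherwise the payload is freed twice;`. The same comment states that on table free `del_cb` sees `deltype == HASH_TABLE_DESTROY`, but the new `sss_ptr_hash_table_destructor` empties the table through `sss_ptr_hash_delete_all(table, false)`, i.e. a per-entry `hash_delete()`, so each callback should observe HASH_ENTRY_DESTROY instead; unless `hash_destroy()` still runs on a non-empty table afterwards (not visible in these hunks), the comment and the `HASH_TABLE_DESTROY` wording should be reconciled. Minor: `sss_ptr_hash_delete` now logs an absent key at SSSDBG_CRIT_FAILURE although the old code tolerated HASH_ERROR_KEY_NOT_FOUND and the unit test deletes a missing key on purpose, and the `"Unexpected type of table content, skipping"` message lacks the trailing `\n` every other DEBUG string here carries.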
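--- /dev/null
+++ b/0024-TESTS-added-sss_ptr_hash-unit-test.patch
@@ -0,0 +1,266 @@
+From 88b23bf50dd1c12413f3314639de2c3909bd9098 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Tue, 28 Jan 2020 19:26:08 +0100
+Subject: [PATCH 24/24] TESTS: added sss_ptr_hash unit test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+Makefile.am | 1 +
+src/tests/cmocka/test_sss_ptr_hash.c | 193 +++++++++++++++++++++++++++
+src/tests/cmocka/test_utils.c | 9 ++
+src/tests/cmocka/test_utils.h | 6 +
+4 files changed, 209 insertions(+)
+create mode 100644 src/tests/cmocka/test_sss_ptr_hash.c
+
+diff --git a/Makefile.am b/Makefile.am
+index 57ba51356..c991f2aa0 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -3054,6 +3054,7 @@ test_ipa_idmap_LDADD = \
+test_utils_SOURCES = \
+src/tests/cmocka/test_utils.c \
+src/tests/cmocka/test_string_utils.c \
++ src/tests/cmocka/test_sss_ptr_hash.c \
+src/p11_child/p11_child_common_utils.c \
+$(NULL)
+if BUILD_SSH
+diff --git a/src/tests/cmocka/test_sss_ptr_hash.c b/src/tests/cmocka/test_sss_ptr_hash.c
+new file mode 100644
+index 000000000..1458238f5
+--- /dev/null
++++ b/src/tests/cmocka/test_sss_ptr_hash.c
+@@ -0,0 +1,193 @@
++/*
++ Copyright (C) 2020 Red Hat
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "tests/cmocka/common_mock.h"
++#include "util/sss_ptr_hash.h"
++
++static const int MAX_ENTRIES_AMOUNT = 5;
++
++static void populate_table(hash_table_t *table, int **payloads)
++{
++ char key[2] = {'z', 0};
++
++ for (int i = 0; i < MAX_ENTRIES_AMOUNT; ++i) {
++ payloads[i] = talloc_zero(global_talloc_context, int);
++ assert_non_null(payloads[i]);
++ *payloads[i] = i;
++ key[0] = '0'+(char)i;
++ assert_int_equal(sss_ptr_hash_add(table, key, payloads[i], int), 0);
++ }
++
++ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT);
++}
++
++static void free_payload_cb(hash_entry_t *item, hash_destroy_enum type, void *pvt)
++{
++ int *counter;
++
++ assert_non_null(item);
++ assert_non_null(item->value.ptr);
++ talloc_zfree(item->value.ptr);
++
++ assert_non_null(pvt);
++ counter = (int *)pvt;
++ (*counter)++;
++}
++
++void test_sss_ptr_hash_with_free_cb(void **state)
++{
++ hash_table_t *table;
++ int free_counter = 0;
++ int *payloads[MAX_ENTRIES_AMOUNT];
++
++ table = sss_ptr_hash_create(global_talloc_context,
++ free_payload_cb,
++ &free_counter);
++ assert_non_null(table);
++
++ populate_table(table, payloads);
++
++ /* check explicit removal from the hash */
++ sss_ptr_hash_delete(table, "1", false);
++ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
++ assert_int_equal(free_counter, 1);
++
++ /* check implicit removal triggered by payload deletion */
++ talloc_free(payloads[3]);
++ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
++ assert_int_equal(free_counter, 2);
++
++ /* try to remove non existent entry */
++ sss_ptr_hash_delete(table, "q", false);
++ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
++ assert_int_equal(free_counter, 2);
++
++ /* clear all */
++ sss_ptr_hash_delete_all(table, false);
++ assert_int_equal((int)hash_count(table), 0);
++ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT);
++
++ /* check that table is still operable */
++ populate_table(table, payloads);
++ sss_ptr_hash_delete(table, "2", false);
++ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
++ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT+1);
++
++ talloc_free(table);
++ assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT*2);
++}
++
++struct table_wrapper
++{
++ hash_table_t **table;
++};
++
++static void lookup_cb(hash_entry_t *item, hash_destroy_enum type, void *pvt)
++{
++ hash_table_t *table;
++ hash_key_t *keys;
++ unsigned long count;
++ int *value = NULL;
++ int sum = 0;
++
++ assert_non_null(pvt);
++ table = *((struct table_wrapper *)pvt)->table;
++ assert_non_null(table);
++
++ if (type == HASH_TABLE_DESTROY) {
++ /* table is being destroyed */
++ return;
++ }
++
++ assert_int_equal(hash_keys(table, &count, &keys), HASH_SUCCESS);
++ for (unsigned int i = 0; i < count; ++i) {
++ assert_int_equal(keys[i].type, HASH_KEY_STRING);
++ value = sss_ptr_hash_lookup(table, keys[i].c_str, int);
++ assert_non_null(value);
++ sum += *value;
++ }
++ DEBUG(SSSDBG_TRACE_ALL, "sum of all values = %d\n", sum);
++ talloc_free(keys);
++}
++
++/* main difference with `test_sss_ptr_hash_with_free_cb()`
++ * is that table cb here doesn't delete payload so
++ * this is requested via `free_value(s)` arg
++ */
++void test_sss_ptr_hash_with_lookup_cb(void **state)
++{
++ hash_table_t *table;
++ struct table_wrapper wrapper;
++ int *payloads[MAX_ENTRIES_AMOUNT];
++
++ wrapper.table = &table;
++ table = sss_ptr_hash_create(global_talloc_context,
++ lookup_cb,
++ &wrapper);
++ assert_non_null(table);
++
++ populate_table(table, payloads);
++
++ /* check explicit removal from the hash */
++ sss_ptr_hash_delete(table, "2", true);
++ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
++
++ /* check implicit removal triggered by payload deletion */
++ talloc_free(payloads[0]);
++ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
++
++ /* clear all */
++ sss_ptr_hash_delete_all(table, true);
++ assert_int_equal((int)hash_count(table), 0);
++ /* teardown function shall verify there are no leaks
++ * on global_talloc_context and so that payloads[] were freed
++ */
++
++ /* check that table is still operable */
++ populate_table(table, payloads);
++
++ talloc_free(table);
++ /* d-tor triggers hash_destroy() but since cb here doesn free payload
++ * this should be done manually
++ */
++ for (int i = 0; i < MAX_ENTRIES_AMOUNT; ++i) {
++ talloc_free(payloads[i]);
++ }
++}
++
++/* Just smoke test to verify that absence of cb doesn't break anything */
++void test_sss_ptr_hash_without_cb(void **state)
++{
++ hash_table_t *table;
++ int *payloads[MAX_ENTRIES_AMOUNT];
++
++ table = sss_ptr_hash_create(global_talloc_context, NULL, NULL);
++ assert_non_null(table);
++
++ populate_table(table, payloads);
++
++ sss_ptr_hash_delete(table, "4", true);
++ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-1);
++
++ talloc_free(payloads[1]);
++ assert_int_equal((int)hash_count(table), MAX_ENTRIES_AMOUNT-2);
++
++ sss_ptr_hash_delete_all(table, true);
++ assert_int_equal((int)hash_count(table), 0);
++
++ talloc_free(table);
++}
+diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
+index 666f32903..c5eda4dd2 100644
+--- a/src/tests/cmocka/test_utils.c
++++ b/src/tests/cmocka/test_utils.c
+@@ -2055,6 +2055,15 @@ int main(int argc, const char *argv[])
+cmocka_unit_test_setup_teardown(test_sss_get_domain_mappings_content,
+setup_dom_list_with_subdomains,
+teardown_dom_list),
++ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_free_cb,
++ setup_leak_tests,
++ teardown_leak_tests),
++ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_lookup_cb,
++ setup_leak_tests,
++ teardown_leak_tests),
++ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_without_cb,
++ setup_leak_tests,
++ teardown_leak_tests),
+};
+
+/* Set debug level to invalid value so we can decide if -d 0 was used. */
+diff --git a/src/tests/cmocka/test_utils.h b/src/tests/cmocka/test_utils.h
+index e93e0da25..44b9479f9 100644
+--- a/src/tests/cmocka/test_utils.h
++++ b/src/tests/cmocka/test_utils.h
+@@ -33,4 +33,10 @@ void test_guid_blob_to_string_buf(void **state);
+void test_get_last_x_chars(void **state);
+void test_concatenate_string_array(void **state);
+
++/* from src/tests/cmocka/test_sss_ptr_hash.c */
++void test_sss_ptr_hash_with_free_cb(void **state);
++void test_sss_ptr_hash_with_lookup_cb(void **state);
++void test_sss_ptr_hash_without_cb(void **state);
++
++
+#endif /* __TESTS__CMOCKA__TEST_UTILS_H__ */
+--
+2.20.1
+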
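Review bot: `free_payload_cb` calls `talloc_zfree(item->value.ptr)` unconditionally, yet in `test_sss_ptr_hash_with_free_cb` it is also reached from `talloc_free(payloads[3])`, i.e. while that payload is already being torn down (payload free -> value destructor -> `hash_delete()` -> callback). That path passing appears to rely on talloc ignoring a free of a chunk whose teardown is already in progress; this is not obvious to a reader and deserves a comment above the call, e.g. `/* may run while this payload is already being freed (implicit removal); relies on talloc tolerating a re-entrant free of a chunk under teardown */`. The comment `/* d-tor triggers hash_destroy() ... */` in `test_sss_ptr_hash_with_lookup_cb` cannot be confirmed from this series: the table destructor added in patch 0023 calls `sss_ptr_hash_delete_all(table, false)`, so the payloads outliving the table follows from `free_values == false` rather than from `hash_destroy()`, and the `HASH_TABLE_DESTROY` branch in `lookup_cb` may never be taken; I would reword it to `/* table d-tor removes the entries without freeing payloads (free_values == false), so free them manually */`.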
@ -1,68 +0,0 @@
|
|||||||
From 9fdc5f1d87a133885e6a22810a7eb980c60dcb55 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Mon, 9 Jul 2018 18:45:21 +0200
|
|
||||||
Subject: [PATCH 29/83] responder: make sure SSS_DP_CERT is passed to files
|
|
||||||
provider
|
|
||||||
|
|
||||||
Currently the files provider is only contacted once in a while to update
|
|
||||||
the full cache with fresh data from the passwd file. To allow rule based
|
|
||||||
certificate mapping the lookup by certificate request must be always
|
|
||||||
send to the file provider so that it can evaluate the rules and add the
|
|
||||||
certificate to cached entry of the matching user.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/responder/common/responder_dp.c | 20 +++++++++++++-------
|
|
||||||
1 file changed, 13 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
|
||||||
index 878aa1d..39f0f20 100644
|
|
||||||
--- a/src/responder/common/responder_dp.c
|
|
||||||
+++ b/src/responder/common/responder_dp.c
|
|
||||||
@@ -34,15 +34,17 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
|
|
||||||
enum sss_dp_acct_type *_type_out,
|
|
||||||
const char **_opt_name_out)
|
|
||||||
{
|
|
||||||
- if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
|
|
||||||
+ if (type_in != SSS_DP_CERT) {
|
|
||||||
+ if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
||||||
+ "The entries in the files domain are up-to-date\n");
|
|
||||||
+ return EOK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
||||||
- "The entries in the files domain are up-to-date\n");
|
|
||||||
- return EOK;
|
|
||||||
+ "Domain files is not consistent, issuing update\n");
|
|
||||||
}
|
|
||||||
|
|
||||||
- DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
||||||
- "Domain files is not consistent, issuing update\n");
|
|
||||||
-
|
|
||||||
switch(type_in) {
|
|
||||||
case SSS_DP_USER:
|
|
||||||
case SSS_DP_GROUP:
|
|
||||||
@@ -56,12 +58,16 @@ sss_dp_account_files_params(struct sss_domain_info *dom,
|
|
||||||
*_type_out = type_in;
|
|
||||||
*_opt_name_out = DP_REQ_OPT_FILES_INITGR;
|
|
||||||
return EAGAIN;
|
|
||||||
+ case SSS_DP_CERT:
|
|
||||||
+ /* Let the backend handle certificate mapping for local users */
|
|
||||||
+ *_type_out = type_in;
|
|
||||||
+ *_opt_name_out = opt_name_in;
|
|
||||||
+ return EAGAIN;
|
|
||||||
/* These are not handled by the files provider, just fall back */
|
|
||||||
case SSS_DP_NETGR:
|
|
||||||
case SSS_DP_SERVICES:
|
|
||||||
case SSS_DP_SECID:
|
|
||||||
case SSS_DP_USER_AND_GROUP:
|
|
||||||
- case SSS_DP_CERT:
|
|
||||||
case SSS_DP_WILDCARD_USER:
|
|
||||||
case SSS_DP_WILDCARD_GROUP:
|
|
||||||
return EOK;
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
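--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,166 +0,0 @@
-From d42f44d54453d3ddb54875374c1b61dc1e7cd821 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Mon, 9 Jul 2018 18:56:26 +0200
-Subject: [PATCH 30/83] PAM: add certificate matching rules from all domains
-
-Currently the PAM responder only reads the certificate mapping and
-matching rules from the first domain. To support Smartcard
-authentication for local and remote users all configured domains must be
-taken into account.
-
-Related to https://pagure.io/SSSD/sssd/issue/3500
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/responder/pam/pamsrv.h | 2 +-
-src/responder/pam/pamsrv_cmd.c | 2 +-
-src/responder/pam/pamsrv_p11.c | 77 +++++++++++++++++++++++++++---------------
-3 files changed, 51 insertions(+), 30 deletions(-)
-
-diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
-index d189ccc..5d87756 100644
---- a/src/responder/pam/pamsrv.h
-+++ b/src/responder/pam/pamsrv.h
-@@ -114,7 +114,7 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
-bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
-
-errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
-- struct certmap_info **certmap_list);
-+ struct sss_domain_info *domains);
-
-errno_t
-pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index a6bb289..ed9ad57 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1737,7 +1737,7 @@ static void pam_forwarder_cb(struct tevent_req *req)
-goto done;
-}
-
-- ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains->certmaps);
-+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
-if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE,
-"p11_refresh_certmap_ctx failed, "
-diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
-index bf72207..ffa6787 100644
---- a/src/responder/pam/pamsrv_p11.c
-+++ b/src/responder/pam/pamsrv_p11.c
-@@ -142,11 +142,14 @@ static void ext_debug(void *private, const char *file, long line,
-}
-
-errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
-- struct certmap_info **certmap_list)
-+ struct sss_domain_info *domains)
-{
-int ret;
-struct sss_certmap_ctx *sss_certmap_ctx = NULL;
-size_t c;
-+ struct sss_domain_info *dom;
-+ bool certmap_found = false;
-+ struct certmap_info **certmap_list;
-
-ret = sss_certmap_init(pctx, ext_debug, NULL, &sss_certmap_ctx);
-if (ret != EOK) {
-@@ -154,7 +157,15 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
-goto done;
-}
-
-- if (certmap_list == NULL || *certmap_list == NULL) {
-+ DLIST_FOR_EACH(dom, domains) {
-+ certmap_list = dom->certmaps;
-+ if (certmap_list != NULL && *certmap_list != NULL) {
-+ certmap_found = true;
-+ break;
-+ }
-+ }
-+
-+ if (!certmap_found) {
-/* Try to add default matching rule */
-ret = sss_certmap_add_rule(sss_certmap_ctx, SSS_CERTMAP_MIN_PRIO,
-CERT_AUTH_DEFAULT_MATCHING_RULE, NULL, NULL);
-@@ -166,24 +177,32 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
-goto done;
-}
-
-- for (c = 0; certmap_list[c] != NULL; c++) {
-- DEBUG(SSSDBG_TRACE_ALL,
-- "Trying to add rule [%s][%d][%s][%s].\n",
-- certmap_list[c]->name, certmap_list[c]->priority,
-- certmap_list[c]->match_rule, certmap_list[c]->map_rule);
--
-- ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority,
-- certmap_list[c]->match_rule,
-- certmap_list[c]->map_rule,
-- certmap_list[c]->domains);
-- if (ret != 0) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "sss_certmap_add_rule failed for rule [%s] "
-- "with error [%d][%s], skipping. "
-- "Please check for typos and if rule syntax is supported.\n",
-- certmap_list[c]->name, ret, sss_strerror(ret));
-+ DLIST_FOR_EACH(dom, domains) {
-+ certmap_list = dom->certmaps;
-+ if (certmap_list == NULL || *certmap_list == NULL) {
-continue;
-}
-+
-+ for (c = 0; certmap_list[c] != NULL; c++) {
-+ DEBUG(SSSDBG_TRACE_ALL,
-+ "Trying to add rule [%s][%d][%s][%s].\n",
-+ certmap_list[c]->name, certmap_list[c]->priority,
-+ certmap_list[c]->match_rule, certmap_list[c]->map_rule);
-+
-+ ret = sss_certmap_add_rule(sss_certmap_ctx,
-+ certmap_list[c]->priority,
-+ certmap_list[c]->match_rule,
-+ certmap_list[c]->map_rule,
-+ certmap_list[c]->domains);
-+ if (ret != 0) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "sss_certmap_add_rule failed for rule [%s] "
-+ "with error [%d][%s], skipping. "
-+ "Please check for typos and if rule syntax is supported.\n",
-+ certmap_list[c]->name, ret, sss_strerror(ret));
-+ continue;
-+ }
-+ }
-}
-
-ret = EOK;
-@@ -204,19 +223,21 @@ errno_t p11_child_init(struct pam_ctx *pctx)
-int ret;
-struct certmap_info **certmaps;
-bool user_name_hint;
-- struct sss_domain_info *dom = pctx->rctx->domains;
-+ struct sss_domain_info *dom;
-
-- ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
-- return ret;
-- }
-+ DLIST_FOR_EACH(dom, pctx->rctx->domains) {
-+ ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");
-+ return ret;
-+ }
-
-- dom->user_name_hint = user_name_hint;
-- talloc_free(dom->certmaps);
-- dom->certmaps = certmaps;
-+ dom->user_name_hint = user_name_hint;
-+ talloc_free(dom->certmaps);
-+ dom->certmaps = certmaps;
-+ }
-
-- ret = p11_refresh_certmap_ctx(pctx, dom->certmaps);
-+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);
-if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");
-return ret;
---
-2.9.5
-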
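--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,86 @@
+From 7b647338a40d701c6a5bb51c48c10a31a6b72699 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 30 Jan 2020 13:14:14 +0100
+Subject: [PATCH 25/26] p11_child: check if card is present in wait_for_card()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some implementations of C_WaitForSlotEvent() might return even if no
+card was inserted. So it has to be checked if a card is really present.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4159
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+src/p11_child/p11_child_openssl.c | 47 ++++++++++++++++---------------
+1 file changed, 25 insertions(+), 22 deletions(-)
+
+diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
+index 56601b117..295715612 100644
+--- a/src/p11_child/p11_child_openssl.c
++++ b/src/p11_child/p11_child_openssl.c
+@@ -1546,35 +1546,38 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
+CK_RV rv;
+CK_SLOT_INFO info;
+
+- rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
+- if (rv != CKR_OK) {
+- if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
++ do {
++ rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
++ if (rv != CKR_OK && rv != CKR_FUNCTION_NOT_SUPPORTED) {
+DEBUG(SSSDBG_OP_FAILURE,
+"C_WaitForSlotEvent failed [%lu][%s].\n",
+rv, p11_kit_strerror(rv));
+return EIO;
+}
+
+- /* Poor man's wait */
+- do {
++ if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
++ /* Poor man's wait */
+sleep(10);
+- rv = module->C_GetSlotInfo(*slot_id, &info);
+- if (rv != CKR_OK) {
+- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
+- return EIO;
+- }
+- DEBUG(SSSDBG_TRACE_ALL,
+- "Description [%s] Manufacturer [%s] flags [%lu] "
+- "removable [%s] token present [%s].\n",
+- info.slotDescription, info.manufacturerID, info.flags,
+- (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
+- (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+- if ((info.flags & CKF_REMOVABLE_DEVICE)
+- && (info.flags & CKF_TOKEN_PRESENT)) {
+- break;
+- }
+- } while (true);
+- }
++ }
++
++ rv = module->C_GetSlotInfo(*slot_id, &info);
++ if (rv != CKR_OK) {
++ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
++ return EIO;
++ }
++ DEBUG(SSSDBG_TRACE_ALL,
++ "Description [%s] Manufacturer [%s] flags [%lu] "
++ "removable [%s] token present [%s].\n",
++ info.slotDescription, info.manufacturerID, info.flags,
++ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
++ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
++
++ /* Check if really a token is present */
++ if ((info.flags & CKF_REMOVABLE_DEVICE)
++ && (info.flags & CKF_TOKEN_PRESENT)) {
++ break;
++ }
++ } while (true);
+
+return EOK;
+}
+--
+2.20.1
+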
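Review bot: The trace message re-added at `DEBUG(SSSDBG_TRACE_ALL, "Description [%s] Manufacturer [%s] ...` prints `info.slotDescription` and `info.manufacturerID` with `%s`, but PKCS#11 defines those CK_SLOT_INFO fields as fixed-size, blank-padded arrays with no NUL terminator, so the read continues past the field into `flags` and beyond until a zero byte happens to turn up. Bound the conversions with a precision instead: `"Description [%.*s] Manufacturer [%.*s] flags [%lu] "` with the arguments `(int) sizeof(info.slotDescription), info.slotDescription, (int) sizeof(info.manufacturerID), info.manufacturerID, info.flags,`. Separately, the new `do { ... } while (true)` has no back-off on the CKR_OK path: a module whose C_WaitForSlotEvent returns at once without a card (the behaviour the patch works around) makes the loop spin on C_GetSlotInfo, and there is still no upper bound on how long a PAM request can block here, so a short sleep on that path and an iteration or time cap are worth considering. wait_for_card's signature and the `wait_flags` it passes are outside the hunk.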
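--- /dev/null
+++ b/0026-PAM-client-only-require-UID-0-for-private-socket.patch
@@ -0,0 +1,37 @@
+From 37780b895199bab991edae6b1eeb91b7b3966bcf Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 6 Feb 2020 14:50:23 +0100
+Subject: [PATCH 26/26] PAM client: only require UID 0 for private socket
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some privileged services like e.g. gdm might only call with UID 0 but
+with a different GID. This patch removes the GID 0 requirement to access
+to private PAM socket so that e.g. gdm can use the wait-for-card option.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4159
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+src/sss_client/common.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 270ca8b54..902438c86 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -910,8 +910,8 @@ int sss_pam_make_request(enum sss_cli_command cmd,
+goto out;
+}
+
+- /* only root shall use the privileged pipe */
+- if (getuid() == 0 && getgid() == 0) {
++ /* only UID 0 shall use the privileged pipe */
++ if (getuid() == 0) {
+socket_name = SSS_PAM_PRIV_SOCKET_NAME;
+errno = 0;
+statret = stat(socket_name, &stat_buf);
+--
+2.20.1
+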
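Review bot: The privileged-socket decision at `if (getuid() == 0) {` is made on the real UID, whereas the permission the kernel checks when the client opens the socket, and presumably the responder's peer-credential check, are against the effective UID; `if (geteuid() == 0) {` would match what is actually enforced, and the comment `/* only UID 0 shall use the privileged pipe */` could say which UID is meant. With the GID test gone this is the only client-side condition, so a process whose real UID is 0 but whose effective UID has been dropped now selects the private socket; what happens when the `stat(socket_name, &stat_buf)` that follows, or the connect presumably made later, fails is outside the visible lines, so whether it falls back to the public socket cannot be confirmed here. sss_pam_make_request begins before the hunk.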
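--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,182 +0,0 @@
-From 0c739e969a617bdb4c06cdfd63772bf6d283c518 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Mon, 3 Sep 2018 18:38:42 +0200
-Subject: [PATCH 31/83] doc: add certificate mapping section to man page
-
-Related to https://pagure.io/SSSD/sssd/issue/3500
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/man/sssd.conf.5.xml | 149 ++++++++++++++++++++++++++++++++++++++++++++++++
-1 file changed, 149 insertions(+)
-
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index 881ffc6..04143f1 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -3299,6 +3299,135 @@ ldap_user_extra_attrs = phone:telephoneNumber
-</para>
-</refsect1>
-
-+ <refsect1 id='certmap'>
-+ <title>CERTIFICATE MAPPING SECTION</title>
-+ <para>
-+ To allow authentication with Smartcards and certificates SSSD must
-+ be able to map certificates to users. This can be done by adding the
-+ full certificate to the LDAP object of the user or to a local
-+ override. While using the full certificate is required to use the
-+ Smartcard authentication feature of SSH (see
-+ <citerefentry>
-+ <refentrytitle>sss_ssh_authorizedkeys</refentrytitle>
-+ <manvolnum>8</manvolnum>
-+ </citerefentry>
-+ for details) it might be cumbersome or not even possible to do this
-+ for the general case where local services use PAM for
-+ authentication.
-+ </para>
-+ <para>
-+ To make the mapping more flexible mapping and matching rules were
-+ added to SSSD (see
-+ <citerefentry>
-+ <refentrytitle>sss-certmap</refentrytitle>
-+ <manvolnum>5</manvolnum>
-+ </citerefentry>
-+ for details).
-+ </para>
-+ <para>
-+ A mapping and matching rule can be added to the SSSD configuration
-+ in a section on its own with a name like
-+ <quote>[certmap/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</replaceable>]</quote>.
-+ In this section the following options are allowed:
-+ </para>
-+ <variablelist>
-+ <varlistentry>
-+ <term>matchrule (string)</term>
-+ <listitem>
-+ <para>
-+ Only certificates from the Smartcard which matches this
-+ rule will be processed, all others are ignored.
-+ </para>
-+ <para>
-+ Default: KRB5:<EKU>clientAuth, i.e. only
-+ certificates which have the Extended Key Usage
-+ <quote>clientAuth</quote>
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>maprule (string)</term>
-+ <listitem>
-+ <para>
-+ Defines how the user is found for a given certificate.
-+ </para>
-+ <para>
-+ Default:
-+ <itemizedlist>
-+ <listitem>
-+ <para>LDAP:(userCertificate;binary={cert!bin})
-+ for LDAP based providers like
-+ <quote>ldap</quote>, <quote>AD</quote> or
-+ <quote>ipa</quote>.</para>
-+ </listitem>
-+ <listitem>
-+ <para>The RULE_NAME for the <quote>files</quote>
-+ provider which tries to find a user with the
-+ same name.</para>
-+ </listitem>
-+ </itemizedlist>
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>domains (string)</term>
-+ <listitem>
-+ <para>
-+ Comma separated list of domain names the rule should be
-+ applied. By default a rule is only valid in the domain
-+ configured in sssd.conf. If the provider supports
-+ subdomains this option can be used to add the rule to
-+ subdomains as well.
-+ </para>
-+ <para>
-+ Default: the configured domain in sssd.conf
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>priority (integer)</term>
-+ <listitem>
-+ <para>
-+ Unsigned integer value defining the priority of the
-+ rule. The higher the number the lower the priority.
-+ <quote>0</quote> stands for the highest priority while
-+ <quote>4294967295</quote> is the lowest.
-+ </para>
-+ <para>
-+ Default: the lowest priority
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ </variablelist>
-+ <para>
-+ To make the configuration simple and reduce the amount of
-+ configuration options the <quote>files</quote> provider has some
-+ special properties:
-+ <itemizedlist>
-+ <listitem>
-+ <para>
-+ if maprule is not set the RULE_NAME name is assumed to
-+ be the name of the matching user
-+ </para>
-+ </listitem>
-+ <listitem>
-+ <para>
-+ if a maprule is used both a single user name or a
-+ template like
-+ <quote>{subject_rfc822_name.short_name}</quote> must
-+ be in braces like e.g. <quote>(username)</quote> or
-+ <quote>({subject_rfc822_name.short_name})</quote>
-+ </para>
-+ </listitem>
-+ <listitem>
-+ <para>
-+ the <quote>domains</quote> option is ignored
-+ </para>
-+ </listitem>
-+ </itemizedlist>
-+ </para>
-+ </refsect1>
-+
-<refsect1 id='example'>
-<title>EXAMPLES</title>
-<para>
-@@ -3343,6 +3472,26 @@ enumerate = False
-use_fully_qualified_names = false
-</programlisting>
-</para>
-+ <para>
-+ 3. The following example shows the configuration for two certificate
-+ mapping rules. The first is valid for the configured domain
-+ <quote>my.domain</quote> and additionally for the subdomains
-+ <quote>your.domain</quote> and uses the full certificate in the
-+ search filter. The second example is valid for the domain
-+ <quote>files</quote> where it is assumed the files provider is used
-+ for this domain and contains a matching rule for the local user
-+ <quote>myname</quote>.
-+<programlisting>
-+[certmap/my.domain/rule_name]
-+matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
-+maprule = (userCertificate;binary={cert!bin})
-+domains = my.domain, your.domain
-+priority = 10
-+
-+[certmap/files/myname]
-+matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
-+</programlisting>
-+ </para>
-</refsect1>
-
-<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
---
-2.9.5
-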
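--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,30 +0,0 @@
-From 16941c47a6f0fc2f1679725d55cde221f3c3a6ef Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 7 Sep 2018 22:12:02 +0200
-Subject: [PATCH 32/83] intg: user default locale
-
-Some checks depend on english error messages so checks should be always
-run with the default locale.
-
-Related to https://pagure.io/SSSD/sssd/issue/3500
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/tests/intg/Makefile.am | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
-index 65da9ca..6f7605b 100644
---- a/src/tests/intg/Makefile.am
-+++ b/src/tests/intg/Makefile.am
-@@ -126,6 +126,7 @@ intgcheck-installed: config.py passwd group
-PATH="$$(dirname -- $(SLAPD)):$$PATH" \
-PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \
-PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \
-+ LANG=C \
-PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \
-LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
-NON_WRAPPED_UID=$$(id -u) \
---
-2.9.5
-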
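--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,34 +0,0 @@
-From 442ae7b1d0704cdd667d4f1ba4c165ce3f3ffed4 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 7 Sep 2018 22:16:50 +0200
-Subject: [PATCH 33/83] PAM: use better PAM error code for failed Smartcard
-authentication
-
-If the user enters a wrong PIN the PAM responder currently returns
-PAM_USER_UNKNOWN better is PAM_AUTH_ERR.
-
-Related to https://pagure.io/SSSD/sssd/issue/3500
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/responder/pam/pamsrv_cmd.c | 4 +++-
-1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index ed9ad57..817f3c5 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1436,7 +1436,9 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
-if (pd->cmd == SSS_PAM_AUTHENTICATE) {
-DEBUG(SSSDBG_CRIT_FAILURE,
-"No certificate returned, authentication failed.\n");
-- ret = ENOENT;
-+ preq->pd->pam_status = PAM_AUTH_ERR;
-+ pam_reply(preq);
-+ return;
-} else {
-ret = pam_check_user_search(preq);
-}
---
-2.9.5
-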
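--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,31 +0,0 @@
-From 91aea762d02731193eb66a00b930ff1fe8bc5ab8 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Mon, 10 Sep 2018 22:03:55 +0200
-Subject: [PATCH 34/83] test_ca: test library only for readable
-
-On Debian libraries typically do not have the execute-bit set so it is
-better to only check for readability.
-
-Related to https://pagure.io/SSSD/sssd/issue/3500
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/external/test_ca.m4 | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
-index 2cdb3c7..bb48726 100644
---- a/src/external/test_ca.m4
-+++ b/src/external/test_ca.m4
-@@ -58,7 +58,7 @@ AC_DEFUN([AM_CHECK_TEST_CA],
-AC_MSG_NOTICE([Could not find p11tool])
-fi
-
-- AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"])
-+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -r "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"])
-fi
-
-AM_COND_IF([BUILD_TEST_CA],
---
-2.9.5
-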
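--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,57 +0,0 @@
-From a45a410dc7fa7cf84bcac541e693ee8781e25431 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 7 Sep 2018 22:17:47 +0200
-Subject: [PATCH 35/83] test_ca: set a password/PIN to nss databases
-
-To make sure the PIN is properly checked during tests the NSS databases
-need a password.
-
-Related to https://pagure.io/SSSD/sssd/issue/3500
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/tests/test_CA/Makefile.am | 16 ++++++++--------
-1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
-index 0c70993..1bce2c3 100644
---- a/src/tests/test_CA/Makefile.am
-+++ b/src/tests/test_CA/Makefile.am
-@@ -33,7 +33,7 @@ endif
-ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(extra)
-
-$(pwdfile):
-- @echo "12345678" > $@
-+ @echo "123456" > $@
-
-SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
-$(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
-@@ -65,18 +65,18 @@ SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub
-# - src/tests/cmocka/test_pam_srv.c
-p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile)
-mkdir $@
-- $(CERTUTIL) -d sql:./$@ -N --empty-password
-- $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
-- $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
-+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile)
-+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -f $(pwdfile)
-+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile)
-
-# This nss db is used in
-# - src/tests/cmocka/test_pam_srv.c
-p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile)
-mkdir $@
-- $(CERTUTIL) -d sql:./$@ -N --empty-password
-- $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
-- $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
-- $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile)
-+ $(CERTUTIL) -d sql:./$@ -N -f $(pwdfile)
-+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -f $(pwdfile)
-+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -k $(pwdfile)
-+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile) -k $(pwdfile)
-
-# The softhsm2 PKCS#11 setups are used in
-# - src/tests/cmocka/test_pam_srv.c
---
-2.9.5
-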
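--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,78 +0,0 @@
-From d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 7 Sep 2018 22:19:26 +0200
-Subject: [PATCH 36/83] getsockopt_wrapper: add support for PAM clients
-
-PAM clients expect that the private socket of the PAM responder is
-handled by root. With this patch getsockopt_wrapper can return the
-expected UID and GID to PAM clients.
-
-Related to https://pagure.io/SSSD/sssd/issue/3500
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++
-1 file changed, 34 insertions(+)
-
-diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
-index 5109123..2f50889 100644
---- a/src/tests/intg/getsockopt_wrapper.c
-+++ b/src/tests/intg/getsockopt_wrapper.c
-@@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd)
-return NULL != strstr(unix_socket->sun_path, "secrets.socket");
-}
-
-+static bool peer_is_private_pam(int fd)
-+{
-+ int ret;
-+ struct sockaddr_storage addr = { 0 };
-+ socklen_t addrlen = sizeof(addr);
-+ struct sockaddr_un *unix_socket;
-+
-+ ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
-+ if (ret != 0) return false;
-+
-+ if (addr.ss_family != AF_UNIX) return false;
-+
-+ unix_socket = (struct sockaddr_un *)&addr;
-+
-+ return NULL != strstr(unix_socket->sun_path, "private/pam");
-+}
-+
-static uid_t fake_secret_peer(uid_t orig_id)
-{
-char *val;
-@@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id)
-return atoi(val);
-}
-
-+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
-+{
-+ char *val;
-+
-+ val = getenv("SSSD_INTG_PEER_UID");
-+ if (val != NULL) {
-+ *uid = atoi(val);
-+ }
-+
-+ val = getenv("SSSD_INTG_PEER_GID");
-+ if (val != NULL) {
-+ *gid = atoi(val);
-+ }
-+}
-+
-typedef typeof(getsockopt) getsockopt_fn_t;
-
-static getsockopt_fn_t *orig_getsockopt = NULL;
-@@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname,
-cr->uid = 0;
-} else if (is_secrets_socket(sockfd)) {
-cr->uid = fake_secret_peer(cr->uid);
-+ } else if (peer_is_private_pam(sockfd)) {
-+ fake_peer_uid_gid(&cr->uid, &cr->gid);
-}
-}
-
---
-2.9.5
-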
@ -1,330 +0,0 @@
|
|||||||
From 657f3b89bca9adfb13f0867c91f1d76845d2d6dd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 7 Sep 2018 22:26:21 +0200
|
|
||||||
Subject: [PATCH 37/83] intg: add Smartcard authentication tests
|
|
||||||
|
|
||||||
Two test for Smartcard authentication of a local user, i.e. a user
|
|
||||||
managed by the files provider, are added. One for a successful
|
|
||||||
authentication, the other for a failed authentication with a wrong PIN.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
configure.ac | 1 +
|
|
||||||
contrib/ci/deps.sh | 2 +
|
|
||||||
contrib/sssd.spec.in | 1 +
|
|
||||||
src/external/cwrap.m4 | 5 ++
|
|
||||||
src/external/intgcheck.m4 | 1 +
|
|
||||||
src/tests/intg/Makefile.am | 24 ++++++-
|
|
||||||
src/tests/intg/test_pam_responder.py | 131 ++++++++++++++++++++++++++++++++---
|
|
||||||
7 files changed, 155 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index bb18ad4..5816b04 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -495,6 +495,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])
|
|
||||||
AM_CHECK_CMOCKA
|
|
||||||
AM_CHECK_UID_WRAPPER
|
|
||||||
AM_CHECK_NSS_WRAPPER
|
|
||||||
+AM_CHECK_PAM_WRAPPER
|
|
||||||
AM_CHECK_TEST_CA
|
|
||||||
|
|
||||||
# Check if the user wants SSSD to be compiled with systemtap probes
|
|
||||||
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
|
|
||||||
index 5906e53..c04c7aa 100644
|
|
||||||
--- a/contrib/ci/deps.sh
|
|
||||||
+++ b/contrib/ci/deps.sh
|
|
||||||
@@ -46,6 +46,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
|
|
||||||
pyldb
|
|
||||||
rpm-build
|
|
||||||
uid_wrapper
|
|
||||||
+ pam_wrapper
|
|
||||||
python-requests
|
|
||||||
curl-devel
|
|
||||||
krb5-server
|
|
||||||
@@ -117,6 +118,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
|
|
||||||
fakeroot
|
|
||||||
libnss-wrapper
|
|
||||||
libuid-wrapper
|
|
||||||
+ libpam-wrapper
|
|
||||||
python-pytest
|
|
||||||
python-ldap
|
|
||||||
python-ldb
|
|
||||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
|
||||||
index 5ebd51f..26fae6d 100644
|
|
||||||
--- a/contrib/sssd.spec.in
|
|
||||||
+++ b/contrib/sssd.spec.in
|
|
||||||
@@ -237,6 +237,7 @@ BuildRequires: selinux-policy-targeted
|
|
||||||
BuildRequires: libcmocka-devel >= 1.0.0
|
|
||||||
BuildRequires: uid_wrapper
|
|
||||||
BuildRequires: nss_wrapper
|
|
||||||
+BuildRequires: pam_wrapper
|
|
||||||
|
|
||||||
# Test CA requires openssl independent if SSSD is build with NSS or openssl,
|
|
||||||
# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
|
|
||||||
diff --git a/src/external/cwrap.m4 b/src/external/cwrap.m4
|
|
||||||
index b8489cc..6e3487c 100644
|
|
||||||
--- a/src/external/cwrap.m4
|
|
||||||
+++ b/src/external/cwrap.m4
|
|
||||||
@@ -28,3 +28,8 @@ AC_DEFUN([AM_CHECK_NSS_WRAPPER],
|
|
||||||
[
|
|
||||||
AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
|
|
||||||
])
|
|
||||||
+
|
|
||||||
+AC_DEFUN([AM_CHECK_PAM_WRAPPER],
|
|
||||||
+[
|
|
||||||
+ AM_CHECK_WRAPPER(pam_wrapper, HAVE_PAM_WRAPPER)
|
|
||||||
+])
|
|
||||||
diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4
|
|
||||||
index 60a7bf3..c14f669 100644
|
|
||||||
--- a/src/external/intgcheck.m4
|
|
||||||
+++ b/src/external/intgcheck.m4
|
|
||||||
@@ -22,6 +22,7 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [
|
|
||||||
if test x"$enable_intgcheck_reqs" = xyes; then
|
|
||||||
SSS_INTGCHECK_REQ([HAVE_UID_WRAPPER], [uid_wrapper])
|
|
||||||
SSS_INTGCHECK_REQ([HAVE_NSS_WRAPPER], [nss_wrapper])
|
|
||||||
+ SSS_INTGCHECK_REQ([HAVE_PAM_WRAPPER], [pam_wrapper])
|
|
||||||
SSS_INTGCHECK_REQ([HAVE_SLAPD], [slapd])
|
|
||||||
SSS_INTGCHECK_REQ([HAVE_LDAPMODIFY], [ldapmodify])
|
|
||||||
SSS_INTGCHECK_REQ([HAVE_FAKEROOT], [fakeroot])
|
|
||||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
|
||||||
index 6f7605b..bb3a7f0 100644
|
|
||||||
--- a/src/tests/intg/Makefile.am
|
|
||||||
+++ b/src/tests/intg/Makefile.am
|
|
||||||
@@ -105,13 +105,29 @@ passwd: root
|
|
||||||
group:
|
|
||||||
echo "root:x:0:" > $@
|
|
||||||
|
|
||||||
+PAM_SERVICE_DIR=pam_service_dir
|
|
||||||
+pam_sss_service:
|
|
||||||
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
|
|
||||||
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so" > $(PAM_SERVICE_DIR)/$@
|
|
||||||
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
|
||||||
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
|
||||||
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
|
|
||||||
+
|
|
||||||
CLEANFILES=config.py config.pyc passwd group
|
|
||||||
|
|
||||||
clean-local:
|
|
||||||
rm -Rf root
|
|
||||||
rm -f $(builddir)/cwrap-dbus-system.conf
|
|
||||||
|
|
||||||
-intgcheck-installed: config.py passwd group
|
|
||||||
+if HAVE_NSS
|
|
||||||
+PAM_CERT_DB_PATH="sql:$(DESTDIR)$(sysconfdir)/pki/nssdb"
|
|
||||||
+SOFTHSM2_CONF=""
|
|
||||||
+else
|
|
||||||
+PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
|
|
||||||
+SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
|
|
||||||
+endif
|
|
||||||
+
|
|
||||||
+intgcheck-installed: config.py passwd group pam_sss_service
|
|
||||||
pipepath="$(DESTDIR)$(pipepath)"; \
|
|
||||||
if test $${#pipepath} -gt 80; then \
|
|
||||||
echo "error: Pipe directory path too long," \
|
|
||||||
@@ -131,12 +147,18 @@ intgcheck-installed: config.py passwd group
|
|
||||||
LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
|
|
||||||
NON_WRAPPED_UID=$$(id -u) \
|
|
||||||
LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \
|
|
||||||
+ LD_LIBRARY_PATH="$$LD_LIBRARY_PATH:$(DESTDIR)$(nsslibdir)" \
|
|
||||||
NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \
|
|
||||||
NSS_WRAPPER_GROUP="$(abs_builddir)/group" \
|
|
||||||
NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \
|
|
||||||
NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
|
|
||||||
UID_WRAPPER=1 \
|
|
||||||
UID_WRAPPER_ROOT=1 \
|
|
||||||
+ PAM_WRAPPER=0 \
|
|
||||||
+ PAM_WRAPPER_SERVICE_DIR="$(abs_builddir)/$(PAM_SERVICE_DIR)" \
|
|
||||||
+ PAM_WRAPPER_PATH=$$(pkg-config --libs pam_wrapper) \
|
|
||||||
+ PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
|
|
||||||
+ SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
|
|
||||||
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
|
|
||||||
DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \
|
|
||||||
DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \
|
|
||||||
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
|
|
||||||
index cf6fff2..c6d048c 100644
|
|
||||||
--- a/src/tests/intg/test_pam_responder.py
|
|
||||||
+++ b/src/tests/intg/test_pam_responder.py
|
|
||||||
@@ -27,31 +27,44 @@ import signal
|
|
||||||
import errno
|
|
||||||
import subprocess
|
|
||||||
import time
|
|
||||||
-import pytest
|
|
||||||
+import shutil
|
|
||||||
|
|
||||||
import config
|
|
||||||
|
|
||||||
-from util import unindent
|
|
||||||
+import pytest
|
|
||||||
+
|
|
||||||
+from intg.util import unindent
|
|
||||||
+from intg.files_ops import passwd_ops_setup
|
|
||||||
|
|
||||||
+USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
|
|
||||||
+ gecos='User for tests',
|
|
||||||
+ dir='/home/user1',
|
|
||||||
+ shell='/bin/bash')
|
|
||||||
|
|
||||||
-def format_pam_cert_auth_conf():
|
|
||||||
+
|
|
||||||
+def format_pam_cert_auth_conf(config):
|
|
||||||
"""Format a basic SSSD configuration"""
|
|
||||||
return unindent("""\
|
|
||||||
[sssd]
|
|
||||||
+ debug_level = 10
|
|
||||||
domains = auth_only
|
|
||||||
- services = pam
|
|
||||||
+ services = pam, nss
|
|
||||||
|
|
||||||
[nss]
|
|
||||||
+ debug_level = 10
|
|
||||||
|
|
||||||
[pam]
|
|
||||||
pam_cert_auth = True
|
|
||||||
+ pam_p11_allowed_services = +pam_sss_service
|
|
||||||
+ pam_cert_db_path = {config.PAM_CERT_DB_PATH}
|
|
||||||
debug_level = 10
|
|
||||||
|
|
||||||
[domain/auth_only]
|
|
||||||
- id_provider = ldap
|
|
||||||
- auth_provider = ldap
|
|
||||||
- chpass_provider = ldap
|
|
||||||
- access_provider = ldap
|
|
||||||
+ debug_level = 10
|
|
||||||
+ id_provider = files
|
|
||||||
+
|
|
||||||
+ [certmap/auth_only/user1]
|
|
||||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
|
||||||
""").format(**locals())
|
|
||||||
|
|
||||||
|
|
||||||
@@ -79,6 +92,8 @@ def create_conf_fixture(request, contents):
|
|
||||||
|
|
||||||
def create_sssd_process():
|
|
||||||
"""Start the SSSD process"""
|
|
||||||
+ os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"]
|
|
||||||
+ os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"]
|
|
||||||
if subprocess.call(["sssd", "-D", "-f"]) != 0:
|
|
||||||
raise Exception("sssd start failed")
|
|
||||||
|
|
||||||
@@ -116,12 +131,41 @@ def create_sssd_fixture(request):
|
|
||||||
request.addfinalizer(cleanup_sssd_process)
|
|
||||||
|
|
||||||
|
|
||||||
+def create_nssdb():
|
|
||||||
+ os.mkdir(config.SYSCONFDIR + "/pki")
|
|
||||||
+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb")
|
|
||||||
+ if subprocess.call(["certutil", "-N", "-d",
|
|
||||||
+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/",
|
|
||||||
+ "--empty-password"]) != 0:
|
|
||||||
+ raise Exception("certutil failed")
|
|
||||||
+
|
|
||||||
+ pkcs11_txt = open(config.SYSCONFDIR + "/pki/nssdb/pkcs11.txt", "w")
|
|
||||||
+ pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
|
|
||||||
+ "parameters=configdir='sql:" + config.ABS_BUILDDIR +
|
|
||||||
+ "/../test_CA/p11_nssdb' " +
|
|
||||||
+ "dbSlotDescription='SSSD Test Slot' " +
|
|
||||||
+ "dbTokenDescription='SSSD Test Token' " +
|
|
||||||
+ "secmod='secmod.db' flags=readOnly)\n\n")
|
|
||||||
+ pkcs11_txt.close()
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def cleanup_nssdb():
|
|
||||||
+ shutil.rmtree(config.SYSCONFDIR + "/pki")
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_nssdb_fixture(request):
|
|
||||||
+ create_nssdb()
|
|
||||||
+ request.addfinalizer(cleanup_nssdb)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
@pytest.fixture
|
|
||||||
def simple_pam_cert_auth(request):
|
|
||||||
"""Setup SSSD with pam_cert_auth=True"""
|
|
||||||
- conf = format_pam_cert_auth_conf()
|
|
||||||
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
|
|
||||||
+ conf = format_pam_cert_auth_conf(config)
|
|
||||||
create_conf_fixture(request, conf)
|
|
||||||
create_sssd_fixture(request)
|
|
||||||
+ create_nssdb_fixture(request)
|
|
||||||
return None
|
|
||||||
|
|
||||||
|
|
||||||
@@ -129,3 +173,72 @@ def test_preauth_indicator(simple_pam_cert_auth):
|
|
||||||
"""Check if preauth indicator file is created"""
|
|
||||||
statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available")
|
|
||||||
assert stat.S_ISREG(statinfo.st_mode)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture
|
|
||||||
+def pam_wrapper_setup(request):
|
|
||||||
+ pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
|
|
||||||
+ if pwrap_runtimedir is None:
|
|
||||||
+ raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
|
|
||||||
+ passwd_ops_setup):
|
|
||||||
+
|
|
||||||
+ passwd_ops_setup.useradd(**USER1)
|
|
||||||
+ current_env = os.environ.copy()
|
|
||||||
+ current_env['PAM_WRAPPER'] = "1"
|
|
||||||
+ current_env['SSSD_INTG_PEER_UID'] = "0"
|
|
||||||
+ current_env['SSSD_INTG_PEER_GID'] = "0"
|
|
||||||
+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
|
|
||||||
+
|
|
||||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
|
||||||
+ "--action=auth", "--service=pam_sss_service"],
|
|
||||||
+ universal_newlines=True,
|
|
||||||
+ env=current_env, stdin=subprocess.PIPE,
|
|
||||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
||||||
+
|
|
||||||
+ try:
|
|
||||||
+ out, err = sssctl.communicate(input="111")
|
|
||||||
+ except:
|
|
||||||
+ sssctl.kill()
|
|
||||||
+ out, err = sssctl.communicate()
|
|
||||||
+
|
|
||||||
+ sssctl.stdin.close()
|
|
||||||
+ sssctl.stdout.close()
|
|
||||||
+
|
|
||||||
+ if sssctl.wait() != 0:
|
|
||||||
+ raise Exception("sssctl failed")
|
|
||||||
+
|
|
||||||
+ assert err.find("pam_authenticate for user [user1]: " +
|
|
||||||
+ "Authentication failure") != -1
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):
|
|
||||||
+
|
|
||||||
+ passwd_ops_setup.useradd(**USER1)
|
|
||||||
+ current_env = os.environ.copy()
|
|
||||||
+ current_env['PAM_WRAPPER'] = "1"
|
|
||||||
+ current_env['SSSD_INTG_PEER_UID'] = "0"
|
|
||||||
+ current_env['SSSD_INTG_PEER_GID'] = "0"
|
|
||||||
+ current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
|
|
||||||
+
|
|
||||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
|
||||||
+ "--action=auth", "--service=pam_sss_service"],
|
|
||||||
+ universal_newlines=True,
|
|
||||||
+ env=current_env, stdin=subprocess.PIPE,
|
|
||||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
||||||
+
|
|
||||||
+ try:
|
|
||||||
+ out, err = sssctl.communicate(input="123456")
|
|
||||||
+ except:
|
|
||||||
+ sssctl.kill()
|
|
||||||
+ out, err = sssctl.communicate()
|
|
||||||
+
|
|
||||||
+ sssctl.stdin.close()
|
|
||||||
+ sssctl.stdout.close()
|
|
||||||
+
|
|
||||||
+ if sssctl.wait() != 0:
|
|
||||||
+ raise Exception("sssctl failed")
|
|
||||||
+
|
|
||||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
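--- a/[deleted .patch file: path not shown on page]
+++ /dev/null
@@ -1,49 +0,0 @@
-From 4ffe3ab9023ff858410256bc5c38a03d9cd88cf9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Wed, 5 Sep 2018 13:35:54 +0200
-Subject: [PATCH 39/83] proxy: access provider directly not through be_ctx
-
-Modules are initialized as part of dp_init_send() but be_ctx->provider is set
-only after this request is finished therefore it is not available here.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3812
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/providers/proxy/proxy_init.c | 5 +++--
-1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
-index cf4f82e..98c6dd1 100644
---- a/src/providers/proxy/proxy_init.c
-+++ b/src/providers/proxy/proxy_init.c
-@@ -192,6 +192,7 @@ static errno_t proxy_auth_conf(TALLOC_CTX *mem_ctx,
-
-static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
-struct be_ctx *be_ctx,
-+ struct data_provider *provider,
-struct proxy_auth_ctx **_auth_ctx)
-{
-struct proxy_auth_ctx *auth_ctx;
-@@ -213,7 +214,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
-goto done;
-}
-
-- ret = proxy_client_init(dp_sbus_conn(be_ctx->provider), auth_ctx);
-+ ret = proxy_client_init(dp_sbus_conn(provider), auth_ctx);
-if (ret != EOK) {
-goto done;
-}
-@@ -273,7 +274,7 @@ errno_t sssm_proxy_init(TALLOC_CTX *mem_ctx,
-
-/* Initialize auth_ctx since one of the access, auth or chpass is set. */
-
-- ret = proxy_init_auth_ctx(mem_ctx, be_ctx, &auth_ctx);
-+ ret = proxy_init_auth_ctx(mem_ctx, be_ctx, provider, &auth_ctx);
-if (ret != EOK) {
-DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context [%d]: %s\n",
-ret, sss_strerror(ret));
---
-2.9.5
-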
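--- a/[deleted .patch file: path not shown on page]
+++ /dev/null
@@ -1,144 +0,0 @@
-From 4c5a1afa0df41aac05d34455c6e54a6f52a8dd28 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Wed, 5 Sep 2018 13:51:55 +0200
-Subject: [PATCH 40/83] dp: set be_ctx->provider as part of dp_init request
-
-Backend context is overused inside sssd code even during its initialization.
-Some parts of initialization code requires access to be_ctx->provider so we
-must make it available as soon as possible.
-
-Better solution would be to always use 'provider' directly in initialization
-but this makes it safer for any future changes as one does not have to keep
-in mind when it is safe to use be_ctx->provider and when not. Now it is
-always safe.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3812
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/providers/data_provider/dp.c | 21 +++++++++++++--------
-src/providers/data_provider/dp.h | 1 -
-src/providers/data_provider_be.c | 2 +-
-src/providers/proxy/proxy_init.c | 2 +-
-4 files changed, 15 insertions(+), 11 deletions(-)
-
-diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c
-index fd19d28..bd003c8 100644
---- a/src/providers/data_provider/dp.c
-+++ b/src/providers/data_provider/dp.c
-@@ -120,6 +120,7 @@ static int dp_destructor(struct data_provider *provider)
-}
-
-struct dp_init_state {
-+ struct be_ctx *be_ctx;
-struct data_provider *provider;
-char *sbus_name;
-};
-@@ -158,6 +159,7 @@ dp_init_send(TALLOC_CTX *mem_ctx,
-goto done;
-}
-
-+ state->be_ctx = be_ctx;
-state->provider->ev = ev;
-state->provider->uid = uid;
-state->provider->gid = gid;
-@@ -224,12 +226,14 @@ static void dp_init_done(struct tevent_req *subreq)
-sbus_server_set_on_connection(state->provider->sbus_server,
-dp_client_init, state->provider);
-
-+ /* be_ctx->provider must be accessible from modules and targets */
-+ state->be_ctx->provider = talloc_steal(state->be_ctx, state->provider);
-+
-ret = dp_init_modules(state->provider, &state->provider->modules);
-if (ret != EOK) {
-DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP modules "
-"[%d]: %s\n", ret, sss_strerror(ret));
-- tevent_req_error(req, ret);
-- return;
-+ goto done;
-}
-
-ret = dp_init_targets(state->provider, state->provider->be_ctx,
-@@ -237,25 +241,27 @@ static void dp_init_done(struct tevent_req *subreq)
-if (ret != EOK) {
-DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP targets "
-"[%d]: %s\n", ret, sss_strerror(ret));
-- tevent_req_error(req, ret);
-- return;
-+ goto done;
-}
-
-ret = dp_init_interface(state->provider);
-if (ret != EOK) {
-DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP interface "
-"[%d]: %s\n", ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+done:
-+ if (ret != EOK) {
-+ talloc_zfree(state->be_ctx->provider);
-tevent_req_error(req, ret);
-- return;
-}
-
-tevent_req_done(req);
-- return;
-}
-
-errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
-struct tevent_req *req,
-- struct data_provider **_provider,
-const char **_sbus_name)
-{
-struct dp_init_state *state;
-@@ -263,7 +269,6 @@ errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
-
-TEVENT_REQ_RETURN_ON_ERROR(req);
-
-- *_provider = talloc_steal(mem_ctx, state->provider);
-*_sbus_name = talloc_steal(mem_ctx, state->sbus_name);
-
-return EOK;
-diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
-index 33e6e65..0028eb1 100644
---- a/src/providers/data_provider/dp.h
-+++ b/src/providers/data_provider/dp.h
-@@ -117,7 +117,6 @@ dp_init_send(TALLOC_CTX *mem_ctx,
-
-errno_t dp_init_recv(TALLOC_CTX *mem_ctx,
-struct tevent_req *req,
-- struct data_provider **_provider,
-const char **_sbus_name);
-
-bool _dp_target_enabled(struct data_provider *provider,
-diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
-index 670ddb4..6d2477e 100644
---- a/src/providers/data_provider_be.c
-+++ b/src/providers/data_provider_be.c
-@@ -541,7 +541,7 @@ static void dp_initialized(struct tevent_req *req)
-
-be_ctx = tevent_req_callback_data(req, struct be_ctx);
-
-- ret = dp_init_recv(be_ctx, req, &be_ctx->provider, &be_ctx->sbus_name);
-+ ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name);
-talloc_zfree(req);
-if (ret != EOK) {
-goto done;
-diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
-index 98c6dd1..32343a3 100644
---- a/src/providers/proxy/proxy_init.c
-+++ b/src/providers/proxy/proxy_init.c
-@@ -214,7 +214,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
-goto done;
-}
-
-- ret = proxy_client_init(dp_sbus_conn(provider), auth_ctx);
-+ ret = proxy_client_init(dp_sbus_conn(be_ctx->provider), auth_ctx);
-if (ret != EOK) {
-goto done;
-}
---
-2.9.5
-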
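--- a/[deleted .patch file: path not shown on page]
+++ /dev/null
@@ -1,42 +0,0 @@
-From 9245bf1afe6767a0412212bc0040e606ee850e7d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Wed, 12 Sep 2018 13:21:11 +0200
-Subject: [PATCH 41/83] sbus: read destination after sender is set
-
-dbus_message_set_sender may reallocate internal fields which will yield pointer
-obtained by dbus_message_get_* invalid.
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/sbus/server/sbus_server_handler.c | 8 +++++---
-1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/sbus/server/sbus_server_handler.c b/src/sbus/server/sbus_server_handler.c
-index c300d81..d4e4547 100644
---- a/src/sbus/server/sbus_server_handler.c
-+++ b/src/sbus/server/sbus_server_handler.c
-@@ -148,9 +148,6 @@ sbus_server_filter(DBusConnection *dbus_conn,
-return DBUS_HANDLER_RESULT_HANDLED;
-}
-
-- destination = dbus_message_get_destination(message);
-- type = dbus_message_get_type(message);
--
-conn = dbus_connection_get_data(dbus_conn, server->data_slot);
-if (conn == NULL) {
-DEBUG(SSSDBG_CRIT_FAILURE, "Unknown connection!\n");
-@@ -173,6 +170,11 @@ sbus_server_filter(DBusConnection *dbus_conn,
-return DBUS_HANDLER_RESULT_HANDLED;
-}
-
-+ /* Set sender may reallocate internal fields so this needs to be read
-+ * after we call dbus_message_set_sender(). */
-+ destination = dbus_message_get_destination(message);
-+ type = dbus_message_get_type(message);
-+
-if (type == DBUS_MESSAGE_TYPE_SIGNAL) {
-return sbus_server_route_signal(server, conn, message, destination);
-}
---
-2.9.5
-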
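--- a/[deleted .patch file: path not shown on page]
+++ /dev/null
@@ -1,34 +0,0 @@
-From b821ee3ca93beb94a7a9b22b6f7a205e4900212e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Wed, 12 Sep 2018 13:22:34 +0200
-Subject: [PATCH 42/83] sbus: do not try to remove signal listeners when
-disconnecting
-
-This may cause some troubles if the dbus connection was dropped
-as dbus will try to actually send the messages. Also when the
-connectin is being freed, tevent integration is already disabled
-so there is no point in doing this.
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/sbus/router/sbus_router_hash.c | 4 ++++
-1 file changed, 4 insertions(+)
-
-diff --git a/src/sbus/router/sbus_router_hash.c b/src/sbus/router/sbus_router_hash.c
-index 186dc61..2d407b2 100644
---- a/src/sbus/router/sbus_router_hash.c
-+++ b/src/sbus/router/sbus_router_hash.c
-@@ -384,6 +384,10 @@ sbus_router_listeners_delete_cb(hash_entry_t *item,
-return;
-}
-
-+ if (conn->disconnecting) {
-+ return;
-+ }
-+
-/* If we still have the D-Bus connection available, we try to unregister
-* the previously registered listener when its removed from table. */
-
---
-2.9.5
-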
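--- a/[deleted .patch file: path not shown on page]
+++ /dev/null
@@ -1,29 +0,0 @@
-From f1f9af528f71f42ac41bb7a272f4f7d940fd3a0f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Wed, 12 Sep 2018 13:24:27 +0200
-Subject: [PATCH 43/83] sbus: free watch_fd->fdevent explicitly
-
-We never reproduced this with gdb but valgrind shows invalid read in sbus_watch_handler
-after the watch_fd was freed. This should not be needed since watch_fd is memory parent
-of fdevent but it seems to help.
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/sbus/connection/sbus_watch.c | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/src/sbus/connection/sbus_watch.c b/src/sbus/connection/sbus_watch.c
-index 3898311..0e4bd01 100644
---- a/src/sbus/connection/sbus_watch.c
-+++ b/src/sbus/connection/sbus_watch.c
-@@ -280,6 +280,7 @@ sbus_watch_remove(DBusWatch *dbus_watch, void *data)
-
-if (watch_fd->dbus_watch.read == NULL
-&& watch_fd->dbus_watch.write == NULL) {
-+ talloc_free(watch_fd->fdevent);
-talloc_free(watch_fd);
-}
-}
---
-2.9.5
-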
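--- a/[deleted .patch file: path not shown on page]
+++ /dev/null
@@ -1,139 +0,0 @@
-From de8c9caf61e7b971cda9563cc5851ea222db5830 Mon Sep 17 00:00:00 2001
-From: Tomas Halman <thalman@redhat.com>
-Date: Thu, 27 Sep 2018 16:03:40 +0200
-Subject: [PATCH 44/83] doc: remove local provider reference from manpages
-
-Introduce new condition for documentation build. Related part of
-documentation is excluded, if build is done without local provider.
-
-Resolves https://pagure.io/SSSD/sssd/issue/3826
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/man/Makefile.am | 6 +++++-
-src/man/include/seealso.xml | 44 +++++++++++++++++++++++---------------------
-src/man/sssd.conf.5.xml | 15 +++++++++------
-3 files changed, 37 insertions(+), 28 deletions(-)
-
-diff --git a/src/man/Makefile.am b/src/man/Makefile.am
-index b4c20d8..54a30d1 100644
---- a/src/man/Makefile.am
-+++ b/src/man/Makefile.am
-@@ -51,7 +51,11 @@ CRYPTO_CONDS = ;with_nss
-else
-CRYPTO_CONDS = ;with_openssl
-endif
--CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS)
-+if BUILD_LOCAL_PROVIDER
-+LOCAL_PROVIDER_CONDS = ;enable_local_provider
-+endif
-+
-+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS)$(LOCAL_PROVIDER_CONDS)
-
-
-#Special Rules:
-diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml
-index 52798e4..f324b66 100644
---- a/src/man/include/seealso.xml
-+++ b/src/man/include/seealso.xml
-@@ -44,27 +44,29 @@
-<citerefentry>
-<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-- <citerefentry>
-- <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
-- </citerefentry>,
-- <citerefentry>
-- <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
-- </citerefentry>,
-- <citerefentry>
-- <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
-- </citerefentry>,
-- <citerefentry>
-- <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
-- </citerefentry>,
-- <citerefentry>
-- <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
-- </citerefentry>,
-- <citerefentry>
-- <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
-- </citerefentry>,
-- <citerefentry>
-- <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
-- </citerefentry>,
-+ <phrase condition="enable_local_provider">
-+ <citerefentry>
-+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>,
-+ <citerefentry>
-+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>,
-+ <citerefentry>
-+ <refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>,
-+ <citerefentry>
-+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>,
-+ <citerefentry>
-+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>,
-+ <citerefentry>
-+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>,
-+ <citerefentry>
-+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
-+ </citerefentry>,
-+ </phrase>
-<citerefentry>
-<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index 04143f1..c1e3895 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -2179,7 +2179,7 @@ pam_p11_allowed_services = +my_pam_service, -login
-<para>
-<quote>proxy</quote>: Support a legacy NSS provider.
-</para>
-- <para>
-+ <para condition="enable_local_provider">
-<quote>local</quote>: SSSD internal provider for
-local users (DEPRECATED).
-</para>
-@@ -2324,7 +2324,7 @@ pam_p11_allowed_services = +my_pam_service, -login
-<para>
-<quote>proxy</quote> for relaying authentication to some other PAM target.
-</para>
-- <para>
-+ <para condition="enable_local_provider">
-<quote>local</quote>: SSSD internal provider for
-local users
-</para>
-@@ -2836,9 +2836,12 @@ pam_p11_allowed_services = +my_pam_service, -login
-<term>case_sensitive (string)</term>
-<listitem>
-<para>
-- Treat user and group names as case sensitive. At
-- the moment, this option is not supported in
-- the local provider. Possible option values are:
-+ Treat user and group names as case sensitive.
-+ <phrase condition="enable_local_provider">
-+ At the moment, this option is not supported in
-+ the local provider.
-+ </phrase>
-+ Possible option values are:
-<variablelist>
-<varlistentry>
-<term>True</term>
-@@ -3148,7 +3151,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
-</programlisting>
-</refsect2>
-
-- <refsect2 id='local_domain'>
-+ <refsect2 id='local_domain' condition="enable_local_provider">
-<title>The local domain section</title>
-<para>
-This section contains settings for domain that stores users and
---
-2.9.5
-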
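--- a/[deleted .patch file: path not shown on page]
+++ /dev/null
@@ -1,47 +0,0 @@
-From 081b18e75c746f9a2ad1fb412c825293090311f8 Mon Sep 17 00:00:00 2001
-From: Tomas Halman <thalman@redhat.com>
-Date: Mon, 1 Oct 2018 15:49:06 +0200
-Subject: [PATCH 54/83] confdb: log an error when domain is misconfigured
-
-We need to inform user that there is misconfiguration
-and particular domain will not be started.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3827
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/confdb/confdb.c | 9 ++++++++-
-1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
-index 954c3ba..2f3d900 100644
---- a/src/confdb/confdb.c
-+++ b/src/confdb/confdb.c
-@@ -39,6 +39,9 @@
-#define SAME_DOMAINS_ERROR_MSG "Domain '%s' is the same as or differs only "\
-"in case from domain '%s'.\n"
-
-+#define RETRIEVE_DOMAIN_ERROR_MSG "Error (%d [%s]) retrieving domain [%s], "\
-+ "skipping!\n"
-+
-static char *prepend_cn(char *str, int *slen, const char *comp, int clen)
-{
-char *ret;
-@@ -1522,8 +1525,12 @@ int confdb_get_domains(struct confdb_ctx *cdb,
-ret = confdb_get_domain_internal(cdb, cdb, domlist[i], &domain);
-if (ret) {
-DEBUG(SSSDBG_FATAL_FAILURE,
-- "Error (%d [%s]) retrieving domain [%s], skipping!\n",
-+ RETRIEVE_DOMAIN_ERROR_MSG,
-ret, sss_strerror(ret), domlist[i]);
-+ sss_log(SSS_LOG_CRIT,
-+ RETRIEVE_DOMAIN_ERROR_MSG,
-+ ret, sss_strerror(ret), domlist[i]);
-+
-continue;
-}
-
---
-2.9.5
-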
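--- a/[path not shown on page: deleted patch 55/83]
+++ /dev/null
@@ -1,57 +0,0 @@
-From dfa7bf1133f002a9fbbd3495a70909913db25b16 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Fri, 14 Sep 2018 12:30:57 +0200
-Subject: [PATCH 55/83] be: use be_is_offline for the main domain when asking
-for domain status
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The DOM_ACTIVE/INACTIVE flag is not used with the main domain as it
-is used only for subdomains.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3830
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
----
-src/providers/data_provider/dp_iface_backend.c | 20 ++++++++++++++------
-1 file changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/src/providers/data_provider/dp_iface_backend.c b/src/providers/data_provider/dp_iface_backend.c
-index 25a00f3..85159a7 100644
---- a/src/providers/data_provider/dp_iface_backend.c
-+++ b/src/providers/data_provider/dp_iface_backend.c
-@@ -37,15 +37,23 @@ dp_backend_is_online(TALLOC_CTX *mem_ctx,
-struct sss_domain_info *domain;
-
-if (SBUS_REQ_STRING_IS_EMPTY(domname)) {
-- *_is_online = be_is_offline(be_ctx);
-- return EOK;
-+ domain = be_ctx->domain;
-+ } else {
-+ domain = find_domain_by_name(be_ctx->domain, domname, false);
-+ if (domain == NULL) {
-+ return ERR_DOMAIN_NOT_FOUND;
-+ }
-}
-
-- domain = find_domain_by_name(be_ctx->domain, domname, false);
-- if (domain == NULL) {
-- return ERR_DOMAIN_NOT_FOUND;
-+ /**
-+ * FIXME: https://pagure.io/SSSD/sssd/issue/3831
-+ * domain->state is set only for subdomains not for the main domain
-+ */
-+ if (be_ctx->domain == domain) {
-+ *_is_online = be_is_offline(be_ctx) == false;
-+ } else {
-+ *_is_online = domain->state == DOM_ACTIVE;
-}
-
-- *_is_online = domain->state == DOM_ACTIVE;
-return EOK;
-}
---
-2.9.5
-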
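--- a/[path not shown on page: deleted patch 56/83]
+++ /dev/null
@@ -1,146 +0,0 @@
-From e29b82077a78157a1e4d90e2308c1272d7612f3d Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 2 Oct 2018 12:13:29 +0200
-Subject: [PATCH 56/83] p11: handle multiple certs during auth with OpenSSL
-
-This patch adds missing code already available in the NSS version to
-select a certificate for authentication if multiple certificates are
-available on the Smartcard. A unit test to check this feature is added
-as well.
-
-Related to https://pagure.io/SSSD/sssd/issue/3489
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/p11_child/p11_child_openssl.c | 46 ++++++++++++++++++++++++++++++++++++++-
-src/tests/cmocka/test_pam_srv.c | 36 ++++++++++++++++++++++++++++++
-2 files changed, 81 insertions(+), 1 deletion(-)
-
-diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
-index be58726..bf4418f 100644
---- a/src/p11_child/p11_child_openssl.c
-+++ b/src/p11_child/p11_child_openssl.c
-@@ -572,8 +572,10 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
-char *slot_name = NULL;
-char *token_name = NULL;
-CK_SESSION_HANDLE session = 0;
-+ struct cert_list *all_cert_list = NULL;
-struct cert_list *cert_list = NULL;
-struct cert_list *item = NULL;
-+ struct cert_list *tmp_cert = NULL;
-char *multi = NULL;
-bool pkcs11_session = false;
-bool pkcs11_login = false;
-@@ -691,12 +693,54 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
-DEBUG(SSSDBG_TRACE_ALL, "Login NOT required.\n");
-}
-
-- ret = read_certs(mem_ctx, module, session, p11_ctx, &cert_list);
-+ ret = read_certs(mem_ctx, module, session, p11_ctx, &all_cert_list);
-if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE, "read_certs failed.\n");
-goto done;
-}
-
-+ DLIST_FOR_EACH(item, all_cert_list) {
-+ /* Check if we found the certificates we needed for authentication or
-+ * the requested ones for pre-auth. For authentication all attributes
-+ * must be given and match, for pre-auth only the given ones must
-+ * match. */
-+ DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s.\n",
-+ module_name_in, module_file_name, token_name_in, token_name,
-+ key_id_in, item->id);
-+
-+ if ((mode == OP_AUTH
-+ && module_name_in != NULL
-+ && token_name_in != NULL
-+ && key_id_in != NULL
-+ && item->id != NULL
-+ && strcmp(key_id_in, item->id) == 0
-+ && strcmp(token_name_in, token_name) == 0
-+ && strcmp(module_name_in, module_file_name) == 0)
-+ || (mode == OP_PREAUTH
-+ && (module_name_in == NULL
-+ || (module_name_in != NULL
-+ && strcmp(module_name_in, module_file_name) == 0))
-+ && (token_name_in == NULL
-+ || (token_name_in != NULL
-+ && strcmp(token_name_in, token_name) == 0))
-+ && (key_id_in == NULL
-+ || (key_id_in != NULL && item->id != NULL
-+ && strcmp(key_id_in, item->id) == 0)))) {
-+
-+ tmp_cert = talloc_memdup(mem_ctx, item, sizeof(struct cert_list));
-+ if (tmp_cert == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "talloc_memdup failed.\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+ tmp_cert->prev = NULL;
-+ tmp_cert->next = NULL;
-+
-+ DLIST_ADD(cert_list, tmp_cert);
-+
-+ }
-+ }
-+
-/* TODO: check module_name_in, token_name_in, key_id_in */
-
-if (cert_list == NULL) {
-diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
-index 446985d..2b02ac2 100644
---- a/src/tests/cmocka/test_pam_srv.c
-+++ b/src/tests/cmocka/test_pam_srv.c
-@@ -2443,6 +2443,40 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state)
-assert_int_equal(ret, EOK);
-}
-
-+void test_pam_cert_auth_2certs_one_mapping(void **state)
-+{
-+ int ret;
-+
-+#ifdef HAVE_NSS
-+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
-+#else
-+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
-+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_two.conf"));
-+#endif
-+
-+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
-+ TEST_MODULE_NAME,
-+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
-+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
-+ true);
-+
-+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
-+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-+
-+ /* Assume backend cannot handle Smartcard credentials */
-+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
-+
-+ set_cmd_cb(test_pam_simple_check_success);
-+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
-+ pam_test_ctx->pam_cmds);
-+ assert_int_equal(ret, EOK);
-+
-+ /* Wait until the test finishes with EOK */
-+ ret = test_ev_loop(pam_test_ctx->tctx);
-+ assert_int_equal(ret, EOK);
-+}
-+
-+
-void test_filter_response(void **state)
-{
-int ret;
-@@ -2875,6 +2909,8 @@ int main(int argc, const char *argv[])
-pam_test_setup, pam_test_teardown),
-cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_two_mappings,
-pam_test_setup, pam_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping,
-+ pam_test_setup, pam_test_teardown),
-cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
-pam_test_setup, pam_test_teardown),
-cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
---
-2.9.5
-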
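--- a/[path not shown on page: deleted patch 57/83]
+++ /dev/null
@@ -1,74 +0,0 @@
-From 0be037bbedd0aed6a7eccead6aabe0d07258242a Mon Sep 17 00:00:00 2001
-From: Tomas Halman <thalman@redhat.com>
-Date: Mon, 1 Oct 2018 13:45:52 +0200
-Subject: [PATCH 57/83] doc: Add nsswitch.conf note to manpage
-
-We want to add note about nsswitch.conf configuration
-into sssd-files manpage.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3750
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
----
-src/man/sssd-files.5.xml | 34 +++++++++++++++++++++++++++++++++-
-1 file changed, 33 insertions(+), 1 deletion(-)
-
-diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
-index 59e1b65..067e219 100644
---- a/src/man/sssd-files.5.xml
-+++ b/src/man/sssd-files.5.xml
-@@ -51,6 +51,27 @@
-<manvolnum>5</manvolnum>
-</citerefentry>.
-</para>
-+ <para>
-+ Another reason is to provide efficient caching of local users and groups.
-+ </para>
-+ <para>
-+ Please note that some distributions enable the files domain automatically,
-+ prepending the domain before any explicitly configured domains.
-+ See enable_files_domain in
-+ <citerefentry>
-+ <refentrytitle>sssd.conf</refentrytitle>
-+ <manvolnum>5</manvolnum>
-+ </citerefentry>.
-+ </para>
-+ <para>
-+ SSSD never handles resolution of user/group "root". Also resolution of
-+ UID/GID 0 is not handled by SSSD. Such requests are passed to next
-+ NSS module (usually files).
-+ </para>
-+ <para>
-+ When SSSD is not running or responding, nss_sss returns the UNAVAIL code
-+ which causes the request to be passed to the next module.
-+ </para>
-</refsect1>
-
-<refsect1 id='configuration-options'>
-@@ -112,9 +133,20 @@
-id_provider = files
-</programlisting>
-</para>
-+ <para>
-+ To leverage caching of local users and groups by SSSD
-+ nss_sss module must be listed before nss_files module
-+ in /etc/nsswitch.conf.
-+ </para>
-+ <para>
-+<programlisting>
-+passwd: sss files
-+group: sss files
-+</programlisting>
-+ </para>
-</refsect1>
-
-- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
-+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
-
-</refentry>
-</reference>
---
-2.9.5
-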
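--- a/[path not shown on page: deleted patch 58/83]
+++ /dev/null
@@ -1,31 +0,0 @@
-From e5dc30e0092b240a32f2004966eeecdc57d50fb8 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Mon, 8 Oct 2018 07:45:45 +0000
-Subject: [PATCH 58/83] MAN: Fix typo in ad_gpo_implicit_deny default value
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Merges: https://pagure.io/SSSD/sssd/pull-request/3846
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
----
-src/man/sssd-ad.5.xml | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
-index 0eac382..ea0adf7 100644
---- a/src/man/sssd-ad.5.xml
-+++ b/src/man/sssd-ad.5.xml
-@@ -432,7 +432,7 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
-apply to them.
-</para>
-<para>
-- Default: False (seconds)
-+ Default: False
-</para>
-</listitem>
-</varlistentry>
---
-2.9.5
-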
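--- a/[path not shown on page: deleted patch 59/83]
+++ /dev/null
@@ -1,470 +0,0 @@
-From 42f69e26e5b858dd03492cc2a148d02c2ccc2161 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 14 Sep 2018 12:47:00 +0200
-Subject: [PATCH 59/83] p11_child: add --wait_for_card option
-
-The --wait_for_card option will let the p11_child wait until a
-Smartcard/token is available in a slot with the removable flag.
-
-Related to https://pagure.io/SSSD/sssd/issue/3650
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/p11_child/p11_child.h | 5 +-
-src/p11_child/p11_child_common.c | 12 +++-
-src/p11_child/p11_child_nss.c | 105 ++++++++++++++++++++---------
-src/p11_child/p11_child_openssl.c | 136 ++++++++++++++++++++++++++++++--------
-4 files changed, 196 insertions(+), 62 deletions(-)
-
-diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
-index 1e9fc3d..dd8fdea 100644
---- a/src/p11_child/p11_child.h
-+++ b/src/p11_child/p11_child.h
-@@ -25,6 +25,9 @@
-#ifndef __P11_CHILD_H__
-#define __P11_CHILD_H__
-
-+/* Time to wait during a C_Finalize C_Initialize cycle to discover
-+ * new slots. */
-+#define PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME 3
-struct p11_ctx;
-
-enum op_mode {
-@@ -41,7 +44,7 @@ enum pin_mode {
-};
-
-errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db,
-- struct p11_ctx **p11_ctx);
-+ bool wait_for_card, struct p11_ctx **p11_ctx);
-
-errno_t init_verification(struct p11_ctx *p11_ctx,
-struct cert_verify_opts *cert_verify_opts);
-diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
-index 125430d..bc5f6b0 100644
---- a/src/p11_child/p11_child_common.c
-+++ b/src/p11_child/p11_child_common.c
-@@ -57,6 +57,7 @@ static const char *op_mode_str(enum op_mode mode)
-
-static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
-struct cert_verify_opts *cert_verify_opts,
-+ bool wait_for_card,
-const char *cert_b64, const char *pin,
-const char *module_name, const char *token_name,
-const char *key_id, char **multi)
-@@ -64,7 +65,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
-int ret;
-struct p11_ctx *p11_ctx;
-
-- ret = init_p11_ctx(mem_ctx, ca_db, &p11_ctx);
-+ ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, &p11_ctx);
-if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE, "init_p11_ctx failed.\n");
-return ret;
-@@ -157,6 +158,7 @@ int main(int argc, const char *argv[])
-char *token_name = NULL;
-char *key_id = NULL;
-char *cert_b64 = NULL;
-+ bool wait_for_card = false;
-
-struct poptOption long_options[] = {
-POPT_AUTOHELP
-@@ -174,6 +176,7 @@ int main(int argc, const char *argv[])
-SSSD_LOGGER_OPTS
-{"auth", 0, POPT_ARG_NONE, NULL, 'a', _("Run in auth mode"), NULL},
-{"pre", 0, POPT_ARG_NONE, NULL, 'p', _("Run in pre-auth mode"), NULL},
-+ {"wait_for_card", 0, POPT_ARG_NONE, NULL, 'w', _("Wait until card is available"), NULL},
-{"verification", 0, POPT_ARG_NONE, NULL, 'v', _("Run in verification mode"),
-NULL},
-{"pin", 0, POPT_ARG_NONE, NULL, 'i', _("Expect PIN on stdin"), NULL},
-@@ -258,6 +261,9 @@ int main(int argc, const char *argv[])
-}
-pin_mode = PIN_KEYPAD;
-break;
-+ case 'w':
-+ wait_for_card = true;
-+ break;
-default:
-fprintf(stderr, "\nInvalid option %s: %s\n\n",
-poptBadOption(pc, 0), poptStrerror(opt));
-@@ -360,8 +366,8 @@ int main(int argc, const char *argv[])
-}
-}
-
-- ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, cert_b64,
-- pin, module_name, token_name, key_id, &multi);
-+ ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card,
-+ cert_b64, pin, module_name, token_name, key_id, &multi);
-if (ret != 0) {
-DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
-goto fail;
-diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
-index d6a0b80..b2777d1 100644
---- a/src/p11_child/p11_child_nss.c
-+++ b/src/p11_child/p11_child_nss.c
-@@ -51,6 +51,7 @@ struct p11_ctx {
-CERTCertDBHandle *handle;
-struct cert_verify_opts *cert_verify_opts;
-const char *nss_db;
-+ bool wait_for_card;
-};
-
-#define EXP_USAGES ( certificateUsageSSLClient \
-@@ -141,6 +142,19 @@ static int talloc_free_handle(struct p11_ctx *p11_ctx)
-return 0;
-}
-
-+static NSSInitContext *get_nss_ctx(const char *nss_db)
-+{
-+ uint32_t flags = NSS_INIT_READONLY
-+ | NSS_INIT_FORCEOPEN
-+ | NSS_INIT_NOROOTINIT
-+ | NSS_INIT_OPTIMIZESPACE
-+ | NSS_INIT_PK11RELOAD;
-+ NSSInitParameters parameters = { 0 };
-+ parameters.length = sizeof (parameters);
-+
-+ return NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, flags);
-+}
-+
-errno_t init_verification(struct p11_ctx *p11_ctx,
-struct cert_verify_opts *cert_verify_opts)
-{
-@@ -256,14 +270,15 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
-SECItem signed_random_value = {0};
-SECKEYPublicKey *pub_key;
-CERTCertificate *found_cert = NULL;
-- PK11SlotList *list = NULL;
-- PK11SlotListElement *le;
-const char *label;
-char *key_id_str = NULL;
-CERTCertList *valid_certs = NULL;
-char *cert_b64 = NULL;
-char *multi = NULL;
-PRCList *node;
-+ CK_SLOT_INFO slInfo;
-+ PK11TokenStatus token_status;
-+ size_t s;
-
-PK11_SetPasswordFunc(password_passthrough);
-
-@@ -297,28 +312,50 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
-mod_list_item->module->dllName);
-}
-
-- list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE,
-- NULL);
-- if (list == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "PK11_GetAllTokens failed.\n");
-- ret = EIO;
-- goto done;
-- }
-+ for (;;) {
-+ mod_list = SECMOD_GetDefaultModuleList();
-+ for (mod_list_item = mod_list; mod_list_item != NULL;
-+ mod_list_item = mod_list_item->next) {
-+ for (s = 0; s < mod_list_item->module->slotCount; s++) {
-+ slInfo.flags = 0;
-+ rv = PK11_GetSlotInfo(mod_list_item->module->slots[s], &slInfo);
-+ DEBUG(SSSDBG_TRACE_ALL,
-+ "Description [%s] Manufacturer [%s] flags [%lu] "
-+ "removable [%s] token present [%s].\n",
-+ slInfo.slotDescription, slInfo.manufacturerID,
-+ slInfo.flags,
-+ (slInfo.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
-+ (slInfo.flags & CKF_TOKEN_PRESENT) ? "true": "false");
-+
-+ if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) {
-+ slot = PK11_ReferenceSlot(mod_list_item->module->slots[s]);
-+ break;
-+ }
-+ }
-+ }
-
-- for (le = list->head; le; le = le->next) {
-- CK_SLOT_INFO slInfo;
-+ /* When e.g. using Yubikeys the slot isn't present until the device is
-+ * inserted, so we should wait for a slot as well. */
-+ if (p11_ctx->wait_for_card && slot == NULL) {
-+ rv = NSS_ShutdownContext(p11_ctx->nss_ctx);
-+ if (rv != SECSuccess) {
-+ DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n",
-+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
-+ }
-
-- slInfo.flags = 0;
-- rv = PK11_GetSlotInfo(le->slot, &slInfo);
-- DEBUG(SSSDBG_TRACE_ALL,
-- "Description [%s] Manufacturer [%s] flags [%lu].\n",
-- slInfo.slotDescription, slInfo.manufacturerID, slInfo.flags);
-- if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) {
-- slot = PK11_ReferenceSlot(le->slot);
-+ sleep(PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME);
-+
-+ p11_ctx->nss_ctx = get_nss_ctx(p11_ctx->nss_db);
-+ if (p11_ctx->nss_ctx == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
-+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
-+ return EIO;
-+ }
-+ } else {
-break;
-}
-}
-- PK11_FreeSlotList(list);
-+
-if (slot == NULL) {
-DEBUG(SSSDBG_OP_FAILURE, "No removable slots found.\n");
-ret = EIO;
-@@ -332,6 +369,22 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
-module = PK11_GetModule(slot);
-module_name = module->dllName == NULL ? "NSS-Internal" : module->dllName;
-
-+ if (!(slInfo.flags & CKF_TOKEN_PRESENT)) {
-+ DEBUG(SSSDBG_TRACE_ALL, "Token not present.\n");
-+ if (p11_ctx->wait_for_card) {
-+ token_status = PK11_WaitForTokenEvent(slot, PK11TokenPresentEvent,
-+ PR_INTERVAL_NO_TIMEOUT, 0, 0);
-+ if (token_status != PK11TokenPresent) {
-+ DEBUG(SSSDBG_OP_FAILURE, "PK11_WaitForTokenEvent failed.\n");
-+ ret = EIO;
-+ goto done;
-+ }
-+ } else {
-+ ret = EIO;
-+ goto done;
-+ }
-+ }
-+
-DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d][%s].\n",
-token_name, slot_name, (int) slot_id, (int) module_id, module_name);
-
-@@ -651,26 +704,18 @@ static int talloc_nss_shutdown(struct p11_ctx *p11_ctx)
-}
-
-errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db,
-- struct p11_ctx **p11_ctx)
-+ bool wait_for_card, struct p11_ctx **p11_ctx)
-{
-struct p11_ctx *ctx;
-- uint32_t flags = NSS_INIT_READONLY
-- | NSS_INIT_FORCEOPEN
-- | NSS_INIT_NOROOTINIT
-- | NSS_INIT_OPTIMIZESPACE
-- | NSS_INIT_PK11RELOAD;
-- NSSInitParameters parameters = { 0 };
-- parameters.length = sizeof (parameters);
--
-ctx = talloc_zero(mem_ctx, struct p11_ctx);
-if (ctx == NULL) {
-DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
-return ENOMEM;
-}
-ctx->nss_db = nss_db;
-+ ctx->wait_for_card = wait_for_card;
-
-- ctx->nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters,
-- flags);
-+ ctx->nss_ctx = get_nss_ctx(nss_db);
-if (ctx->nss_ctx == NULL) {
-DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n",
-PR_GetError(), PORT_ErrorToString(PR_GetError()));
-diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
-index bf4418f..d4572d9 100644
---- a/src/p11_child/p11_child_openssl.c
-+++ b/src/p11_child/p11_child_openssl.c
-@@ -40,6 +40,7 @@
-struct p11_ctx {
-X509_STORE *x509_store;
-const char *ca_db;
-+ bool wait_for_card;
-};
-
-static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
-@@ -48,8 +49,9 @@ static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
-
-return 0;
-}
-+
-errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
-- struct p11_ctx **p11_ctx)
-+ bool wait_for_card, struct p11_ctx **p11_ctx)
-{
-int ret;
-struct p11_ctx *ctx;
-@@ -73,6 +75,7 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db,
-}
-
-ctx->ca_db = ca_db;
-+ ctx->wait_for_card = wait_for_card;
-talloc_set_destructor(ctx, talloc_cleanup_openssl);
-
-*p11_ctx = ctx;
-@@ -547,6 +550,45 @@ done:
-return ret;
-}
-
-+static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
-+{
-+ CK_FLAGS wait_flags = 0;
-+ CK_RV rv;
-+ CK_SLOT_INFO info;
-+
-+ rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
-+ if (rv != CKR_OK) {
-+ if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "C_WaitForSlotEvent failed [%lu][%s].\n",
-+ rv, p11_kit_strerror(rv));
-+ return EIO;
-+ }
-+
-+ /* Poor man's wait */
-+ do {
-+ sleep(10);
-+ rv = module->C_GetSlotInfo(*slot_id, &info);
-+ if (rv != CKR_OK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
-+ return EIO;
-+ }
-+ DEBUG(SSSDBG_TRACE_ALL,
-+ "Description [%s] Manufacturer [%s] flags [%lu] "
-+ "removable [%s] token present [%s].\n",
-+ info.slotDescription, info.manufacturerID, info.flags,
-+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
-+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
-+ if ((info.flags & CKF_REMOVABLE_DEVICE)
-+ && (info.flags & CKF_TOKEN_PRESENT)) {
-+ break;
-+ }
-+ } while (true);
-+ }
-+
-+ return EOK;
-+}
-+
-#define MAX_SLOTS 64
-
-errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
-@@ -588,39 +630,62 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
-return EIO;
-}
-
-- DEBUG(SSSDBG_TRACE_ALL, "Module List:\n");
-- for (c = 0; modules[c] != NULL; c++) {
-- mod_name = p11_kit_module_get_name(modules[c]);
-- mod_file_name = p11_kit_module_get_filename(modules[c]);
-- DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name);
-- DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name);
-- free(mod_name);
-- free(mod_file_name);
-+ for (;;) {
-+ DEBUG(SSSDBG_TRACE_ALL, "Module List:\n");
-+ for (c = 0; modules[c] != NULL; c++) {
-+ mod_name = p11_kit_module_get_name(modules[c]);
-+ mod_file_name = p11_kit_module_get_filename(modules[c]);
-+ DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name);
-+ DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name);
-+ free(mod_name);
-+ free(mod_file_name);
-
-- num_slots = MAX_SLOTS;
-- rv = modules[c]->C_GetSlotList(CK_TRUE, slots, &num_slots);
-- if (rv != CKR_OK) {
-- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n");
-- ret = EIO;
-- goto done;
-- }
--
-- for (s = 0; s < num_slots; s++) {
-- rv = modules[c]->C_GetSlotInfo(slots[s], &info);
-+ num_slots = MAX_SLOTS;
-+ rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots);
-if (rv != CKR_OK) {
-- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
-+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n");
-ret = EIO;
-goto done;
-}
-- DEBUG(SSSDBG_TRACE_ALL,
-- "Description [%s] Manufacturer [%s] flags [%lu] removable [%s].\n",
-- info.slotDescription, info.manufacturerID, info.flags,
-- (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false");
-- if ((info.flags & CKF_REMOVABLE_DEVICE)) {
-+
-+ for (s = 0; s < num_slots; s++) {
-+ rv = modules[c]->C_GetSlotInfo(slots[s], &info);
-+ if (rv != CKR_OK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
-+ ret = EIO;
-+ goto done;
-+ }
-+ DEBUG(SSSDBG_TRACE_ALL,
-+ "Description [%s] Manufacturer [%s] flags [%lu] "
-+ "removable [%s] token present [%s].\n",
-+ info.slotDescription, info.manufacturerID, info.flags,
-+ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
-+ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
-+ if ((info.flags & CKF_REMOVABLE_DEVICE)) {
-+ break;
-+ }
-+ }
-+ if (s != num_slots) {
-break;
-}
-}
-- if (s != num_slots) {
-+
-+ /* When e.g. using Yubikeys the slot isn't present until the device is
-+ * inserted, so we should wait for a slot as well. */
-+ if (p11_ctx->wait_for_card && modules[c] == NULL) {
-+ p11_kit_modules_finalize_and_release(modules);
-+
-+ sleep(PKCS11_FINIALIZE_INITIALIZE_WAIT_TIME);
-+
-+ modules = p11_kit_modules_load_and_initialize(0);
-+ if (modules == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "p11_kit_modules_load_and_initialize failed.\n");
-+ ret = EIO;
-+ goto done;
-+ }
-+
-+ } else {
-break;
-}
-}
-@@ -631,14 +696,29 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
-goto done;
-}
-
-- rv = modules[c]->C_GetTokenInfo(slots[s], &token_info);
-+ slot_id = slots[s];
-+
-+ if (!(info.flags & CKF_TOKEN_PRESENT)) {
-+ DEBUG(SSSDBG_TRACE_ALL, "Token not present.\n");
-+ if (p11_ctx->wait_for_card) {
-+ ret = wait_for_card(modules[c], &slot_id);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "wait_for_card failed.\n");
-+ goto done;
-+ }
-+ } else {
-+ ret = EIO;
-+ goto done;
-+ }
-+ }
-+
-+ rv = modules[c]->C_GetTokenInfo(slot_id, &token_info);
-if (rv != CKR_OK) {
-DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n");
-ret = EIO;
-goto done;
-}
-
-- slot_id = slots[s];
-module_id = c;
-slot_name = p11_kit_space_strdup(info.slotDescription,
-sizeof(info.slotDescription));
---
-2.9.5
-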
@ -1,143 +0,0 @@
|
|||||||
From 2e4ecf5a866b212bef44e262fd90c67a88dc616a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 18 Sep 2018 18:15:02 +0200
|
|
||||||
Subject: [PATCH 60/83] PAM: add p11_wait_for_card_timeout option
|
|
||||||
|
|
||||||
If the --wait_for_card is used to call p11_child the PAM responder
|
|
||||||
should be prepared to wait longer until p11_child can return
|
|
||||||
successfully.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3650
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/confdb/confdb.h | 1 +
|
|
||||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
||||||
src/config/cfg_rules.ini | 1 +
|
|
||||||
src/config/etc/sssd.api.conf | 1 +
|
|
||||||
src/man/sssd.conf.5.xml | 14 ++++++++++++++
|
|
||||||
src/responder/pam/pamsrv_cmd.c | 15 +++++++++++++++
|
|
||||||
src/util/util.h | 1 +
|
|
||||||
7 files changed, 34 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 625d156..87904c2 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -130,6 +130,7 @@
|
|
||||||
#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
|
|
||||||
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
|
|
||||||
#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
|
|
||||||
+#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
|
|
||||||
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
|
|
||||||
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
|
|
||||||
|
|
||||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
index 81a03ad..4d1dba2 100644
|
|
||||||
--- a/src/config/SSSDConfig/__init__.py.in
|
|
||||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
@@ -104,6 +104,7 @@ option_strings = {
|
|
||||||
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
|
|
||||||
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
|
|
||||||
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
|
|
||||||
+ 'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
|
|
||||||
|
|
||||||
# [sudo]
|
|
||||||
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index 78f215e..50a8f1d 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -127,6 +127,7 @@ option = pam_cert_db_path
|
|
||||||
option = p11_child_timeout
|
|
||||||
option = pam_app_services
|
|
||||||
option = pam_p11_allowed_services
|
|
||||||
+option = p11_wait_for_card_timeout
|
|
||||||
|
|
||||||
[rule/allowed_sudo_options]
|
|
||||||
validator = ini_allowed_options
|
|
||||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
||||||
index 52494c0..bb686c3 100644
|
|
||||||
--- a/src/config/etc/sssd.api.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.conf
|
|
||||||
@@ -76,6 +76,7 @@ pam_cert_db_path = str, None, false
|
|
||||||
p11_child_timeout = int, None, false
|
|
||||||
pam_app_services = str, None, false
|
|
||||||
pam_p11_allowed_services = str, None, false
|
|
||||||
+p11_wait_for_card_timeout = int, None, false
|
|
||||||
|
|
||||||
[sudo]
|
|
||||||
# sudo service
|
|
||||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
||||||
index c1e3895..4df0163 100644
|
|
||||||
--- a/src/man/sssd.conf.5.xml
|
|
||||||
+++ b/src/man/sssd.conf.5.xml
|
|
||||||
@@ -1464,6 +1464,20 @@ pam_p11_allowed_services = +my_pam_service, -login
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>p11_wait_for_card_timeout (integer)</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ If Smartcard authentication is required how many
|
|
||||||
+ extra seconds in addition to p11_child_timeout
|
|
||||||
+ should the PAM responder wait until a Smartcard is
|
|
||||||
+ inserted.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Default: 60
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect2>
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
index 817f3c5..c8df32d 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_cmd.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
@@ -1297,6 +1297,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
|
||||||
struct pam_data *pd)
|
|
||||||
{
|
|
||||||
int p11_child_timeout;
|
|
||||||
+ int wait_for_card_timeout;
|
|
||||||
char *cert_verification_opts;
|
|
||||||
errno_t ret;
|
|
||||||
struct tevent_req *req;
|
|
||||||
@@ -1311,6 +1312,20 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
|
||||||
ret, sss_strerror(ret));
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
|
|
||||||
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
|
|
||||||
+ CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT,
|
|
||||||
+ P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT,
|
|
||||||
+ &wait_for_card_timeout);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Failed to read wait_for_card_timeout from confdb: [%d]: %s\n",
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ p11_child_timeout += wait_for_card_timeout;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY,
|
|
||||||
CONFDB_MONITOR_CERT_VERIFICATION, NULL,
|
|
||||||
diff --git a/src/util/util.h b/src/util/util.h
|
|
||||||
index 59e7a96..e3e9100 100644
|
|
||||||
--- a/src/util/util.h
|
|
||||||
+++ b/src/util/util.h
|
|
||||||
@@ -724,6 +724,7 @@ errno_t create_preauth_indicator(void);
|
|
||||||
#define P11_CHILD_LOG_FILE "p11_child"
|
|
||||||
#define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child"
|
|
||||||
#define P11_CHILD_TIMEOUT_DEFAULT 10
|
|
||||||
+#define P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT 60
|
|
||||||
#endif /* SSSD_LIBEXEC_PATH */
|
|
||||||
|
|
||||||
#endif /* __SSSD_UTIL_H__ */
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,244 +0,0 @@
|
|||||||
From d33a8bed5aad9135426c9ebdf101cf600685ab81 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 18 Sep 2018 10:11:02 +0200
|
|
||||||
Subject: [PATCH 61/83] pam_sss: make flags public
|
|
||||||
|
|
||||||
To allow the PAM responder to act on the config flags set for pam_sss
|
|
||||||
the flags have to be made public first.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3650
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/sss_client/pam_sss.c | 71 +++++++++++++++++++++---------------------------
|
|
||||||
src/sss_client/sss_cli.h | 9 ++++++
|
|
||||||
2 files changed, 40 insertions(+), 40 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
||||||
index 59081cc..b336d1f 100644
|
|
||||||
--- a/src/sss_client/pam_sss.c
|
|
||||||
+++ b/src/sss_client/pam_sss.c
|
|
||||||
@@ -52,15 +52,6 @@
|
|
||||||
#include <libintl.h>
|
|
||||||
#define _(STRING) dgettext (PACKAGE, STRING)
|
|
||||||
|
|
||||||
-#define FLAGS_USE_FIRST_PASS (1 << 0)
|
|
||||||
-#define FLAGS_FORWARD_PASS (1 << 1)
|
|
||||||
-#define FLAGS_USE_AUTHTOK (1 << 2)
|
|
||||||
-#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
|
|
||||||
-#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
|
|
||||||
-#define FLAGS_USE_2FA (1 << 5)
|
|
||||||
-#define FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
|
||||||
-#define FLAGS_PROMPT_ALWAYS (1 << 7)
|
|
||||||
-
|
|
||||||
#define PWEXP_FLAG "pam_sss:password_expired_flag"
|
|
||||||
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
|
|
||||||
#define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type"
|
|
||||||
@@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
|
|
||||||
pi->pam_service_size=strlen(pi->pam_service)+1;
|
|
||||||
|
|
||||||
ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user));
|
|
||||||
- if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) {
|
|
||||||
+ if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) {
|
|
||||||
pi->pam_user = "";
|
|
||||||
ret = PAM_SUCCESS;
|
|
||||||
}
|
|
||||||
if (ret != PAM_SUCCESS) return ret;
|
|
||||||
if (pi->pam_user == NULL) {
|
|
||||||
- if (flags & FLAGS_ALLOW_MISSING_NAME) {
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
|
|
||||||
pi->pam_user = "";
|
|
||||||
} else {
|
|
||||||
D(("No user found, aborting."));
|
|
||||||
@@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
|
||||||
|
|
||||||
for (; argc-- > 0; ++argv) {
|
|
||||||
if (strcmp(*argv, "forward_pass") == 0) {
|
|
||||||
- *flags |= FLAGS_FORWARD_PASS;
|
|
||||||
+ *flags |= PAM_CLI_FLAGS_FORWARD_PASS;
|
|
||||||
} else if (strcmp(*argv, "use_first_pass") == 0) {
|
|
||||||
- *flags |= FLAGS_USE_FIRST_PASS;
|
|
||||||
+ *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS;
|
|
||||||
} else if (strcmp(*argv, "use_authtok") == 0) {
|
|
||||||
- *flags |= FLAGS_USE_AUTHTOK;
|
|
||||||
+ *flags |= PAM_CLI_FLAGS_USE_AUTHTOK;
|
|
||||||
} else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
|
|
||||||
if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
|
|
||||||
logger(pamh, LOG_ERR, "Missing argument to option domains.");
|
|
||||||
@@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
|
||||||
} else if (strcmp(*argv, "quiet") == 0) {
|
|
||||||
*quiet_mode = true;
|
|
||||||
} else if (strcmp(*argv, "ignore_unknown_user") == 0) {
|
|
||||||
- *flags |= FLAGS_IGNORE_UNKNOWN_USER;
|
|
||||||
+ *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
|
|
||||||
} else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
|
|
||||||
- *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
|
|
||||||
+ *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL;
|
|
||||||
} else if (strcmp(*argv, "use_2fa") == 0) {
|
|
||||||
- *flags |= FLAGS_USE_2FA;
|
|
||||||
+ *flags |= PAM_CLI_FLAGS_USE_2FA;
|
|
||||||
} else if (strcmp(*argv, "allow_missing_name") == 0) {
|
|
||||||
- *flags |= FLAGS_ALLOW_MISSING_NAME;
|
|
||||||
+ *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
|
|
||||||
} else if (strcmp(*argv, "prompt_always") == 0) {
|
|
||||||
- *flags |= FLAGS_PROMPT_ALWAYS;
|
|
||||||
+ *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
|
|
||||||
} else {
|
|
||||||
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
|
|
||||||
}
|
|
||||||
@@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
- if ((flags & FLAGS_USE_FIRST_PASS)
|
|
||||||
+ if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|
|
||||||
|| ( pi->pamstack_authtok != NULL
|
|
||||||
&& *(pi->pamstack_authtok) != '\0'
|
|
||||||
- && !(flags & FLAGS_PROMPT_ALWAYS))) {
|
|
||||||
+ && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) {
|
|
||||||
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
|
|
||||||
pi->pam_authtok = strdup(pi->pamstack_authtok);
|
|
||||||
if (pi->pam_authtok == NULL) {
|
|
||||||
@@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
|
||||||
}
|
|
||||||
pi->pam_authtok_size = strlen(pi->pam_authtok);
|
|
||||||
} else {
|
|
||||||
- if (flags & FLAGS_USE_2FA
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|
|
||||||
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
|
|
||||||
&& pi->otp_challenge != NULL)) {
|
|
||||||
if (pi->password_prompting) {
|
|
||||||
@@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (flags & FLAGS_FORWARD_PASS) {
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
|
|
||||||
if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
|
|
||||||
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
|
|
||||||
} else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
|
|
||||||
@@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
|
||||||
/* we query for the old password during PAM_PRELIM_CHECK to make
|
|
||||||
* pam_sss work e.g. with pam_cracklib */
|
|
||||||
if (pam_flags & PAM_PRELIM_CHECK) {
|
|
||||||
- if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
|
|
||||||
- if (flags & FLAGS_USE_2FA
|
|
||||||
+ if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|
|
||||||
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
|
|
||||||
&& pi->otp_challenge != NULL)) {
|
|
||||||
if (pi->password_prompting) {
|
|
||||||
@@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (flags & FLAGS_USE_AUTHTOK) {
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) {
|
|
||||||
pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
|
|
||||||
pi->pam_newauthtok = strdup(pi->pamstack_authtok);
|
|
||||||
if (pi->pam_newauthtok == NULL) {
|
|
||||||
@@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (flags & FLAGS_FORWARD_PASS) {
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
|
|
||||||
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
|
|
||||||
if (ret != PAM_SUCCESS) {
|
|
||||||
D(("Failed to set PAM_AUTHTOK [%s], "
|
|
||||||
@@ -2376,10 +2367,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
||||||
ret = get_pam_items(pamh, flags, &pi);
|
|
||||||
if (ret != PAM_SUCCESS) {
|
|
||||||
D(("get items returned error: %s", pam_strerror(pamh,ret)));
|
|
||||||
- if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
|
|
||||||
ret = PAM_IGNORE;
|
|
||||||
}
|
|
||||||
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
|
||||||
&& ret == PAM_AUTHINFO_UNAVAIL) {
|
|
||||||
ret = PAM_IGNORE;
|
|
||||||
}
|
|
||||||
@@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
||||||
case SSS_PAM_AUTHENTICATE:
|
|
||||||
/*
|
|
||||||
* Only do preauth if
|
|
||||||
- * - FLAGS_USE_FIRST_PASS is not set
|
|
||||||
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
|
|
||||||
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
|
|
||||||
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
|
|
||||||
* - preauth indicator file exists.
|
|
||||||
*/
|
|
||||||
- if ( !(flags & FLAGS_USE_FIRST_PASS)
|
|
||||||
+ if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|
|
||||||
&& (pi.pam_authtok == NULL
|
|
||||||
- || (flags & FLAGS_PROMPT_ALWAYS))
|
|
||||||
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
|
|
||||||
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
|
|
||||||
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
|
|
||||||
quiet_mode);
|
|
||||||
@@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
||||||
* The means the preauth step has to be done here as well but
|
|
||||||
* only if
|
|
||||||
* - PAM_PRELIM_CHECK is set
|
|
||||||
- * - FLAGS_USE_FIRST_PASS is not set
|
|
||||||
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
|
|
||||||
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
|
|
||||||
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
|
|
||||||
* - preauth indicator file exists.
|
|
||||||
*/
|
|
||||||
if ( (pam_flags & PAM_PRELIM_CHECK)
|
|
||||||
- && !(flags & FLAGS_USE_FIRST_PASS)
|
|
||||||
+ && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|
|
||||||
&& (pi.pam_authtok == NULL
|
|
||||||
- || (flags & FLAGS_PROMPT_ALWAYS))
|
|
||||||
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
|
|
||||||
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
|
|
||||||
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
|
|
||||||
quiet_mode);
|
|
||||||
@@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
||||||
|
|
||||||
pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
|
|
||||||
|
|
||||||
- if (flags & FLAGS_IGNORE_UNKNOWN_USER
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER
|
|
||||||
&& pam_status == PAM_USER_UNKNOWN) {
|
|
||||||
pam_status = PAM_IGNORE;
|
|
||||||
}
|
|
||||||
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
|
||||||
&& pam_status == PAM_AUTHINFO_UNAVAIL) {
|
|
||||||
pam_status = PAM_IGNORE;
|
|
||||||
}
|
|
||||||
@@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
||||||
retry = true;
|
|
||||||
retries--;
|
|
||||||
|
|
||||||
- flags &= ~FLAGS_USE_FIRST_PASS;
|
|
||||||
+ flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS;
|
|
||||||
ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
|
|
||||||
if (ret != PAM_SUCCESS) {
|
|
||||||
D(("Failed to unset PAM_AUTHTOK [%s]",
|
|
||||||
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
|
||||||
index 24d28ed..3404715 100644
|
|
||||||
--- a/src/sss_client/sss_cli.h
|
|
||||||
+++ b/src/sss_client/sss_cli.h
|
|
||||||
@@ -365,6 +365,15 @@ enum pam_item_type {
|
|
||||||
SSS_PAM_ITEM_REQUESTED_DOMAINS,
|
|
||||||
};
|
|
||||||
|
|
||||||
+#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
|
|
||||||
+#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1)
|
|
||||||
+#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2)
|
|
||||||
+#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
|
|
||||||
+#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
|
|
||||||
+#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
|
|
||||||
+#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
|
||||||
+#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
|
|
||||||
+
|
|
||||||
#define SSS_NSS_MAX_ENTRIES 256
|
|
||||||
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
|
|
||||||
struct sss_cli_req_data {
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,100 +0,0 @@
|
|||||||
From d3a18f06162b9585d2db936472b75fdbff37162d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Mon, 17 Sep 2018 17:54:26 +0200
|
|
||||||
Subject: [PATCH 62/83] pam_sss: add try_cert_auth option
|
|
||||||
|
|
||||||
With this new option pam_sss can be configured to only do Smartcard
|
|
||||||
authentication or return an error if this is not possible.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3650
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/man/pam_sss.8.xml | 23 +++++++++++++++++++++++
|
|
||||||
src/sss_client/pam_sss.c | 9 +++++++++
|
|
||||||
src/sss_client/sss_cli.h | 1 +
|
|
||||||
3 files changed, 33 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
|
|
||||||
index d8e6a20..ca2e8e2 100644
|
|
||||||
--- a/src/man/pam_sss.8.xml
|
|
||||||
+++ b/src/man/pam_sss.8.xml
|
|
||||||
@@ -50,6 +50,9 @@
|
|
||||||
<arg choice='opt'>
|
|
||||||
<replaceable>prompt_always</replaceable>
|
|
||||||
</arg>
|
|
||||||
+ <arg choice='opt'>
|
|
||||||
+ <replaceable>try_cert_auth</replaceable>
|
|
||||||
+ </arg>
|
|
||||||
</cmdsynopsis>
|
|
||||||
</refsynopsisdiv>
|
|
||||||
|
|
||||||
@@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ <option>try_cert_auth</option>
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Try to use certificate based authentication, i.e.
|
|
||||||
+ authentication with a Smartcard or similar devices. If a
|
|
||||||
+ Smartcard is available and the service is allowed for
|
|
||||||
+ Smartcard authentication the use will be prompted for a
|
|
||||||
+ PIN and the certificate based authentication will
|
|
||||||
+ continue
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ If no Smartcard is available or certificate based
|
|
||||||
+ authentication is not allowed for the current service
|
|
||||||
+ PAM_AUTHINFO_UNAVAIL is returned.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
||||||
index b336d1f..96ff15a 100644
|
|
||||||
--- a/src/sss_client/pam_sss.c
|
|
||||||
+++ b/src/sss_client/pam_sss.c
|
|
||||||
@@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
|
||||||
*flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
|
|
||||||
} else if (strcmp(*argv, "prompt_always") == 0) {
|
|
||||||
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
|
|
||||||
+ } else if (strcmp(*argv, "try_cert_auth") == 0) {
|
|
||||||
+ *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
|
|
||||||
} else {
|
|
||||||
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
|
|
||||||
}
|
|
||||||
@@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH
|
|
||||||
+ && pi.cert_list == NULL) {
|
|
||||||
+ D(("No certificates for authentication available."));
|
|
||||||
+ overwrite_and_free_pam_items(&pi);
|
|
||||||
+ return PAM_AUTHINFO_UNAVAIL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
|
|
||||||
ret = check_login_token_name(pamh, &pi, quiet_mode);
|
|
||||||
if (ret != PAM_SUCCESS) {
|
|
||||||
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
|
||||||
index 3404715..38e3f99 100644
|
|
||||||
--- a/src/sss_client/sss_cli.h
|
|
||||||
+++ b/src/sss_client/sss_cli.h
|
|
||||||
@@ -373,6 +373,7 @@ enum pam_item_type {
|
|
||||||
#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
|
|
||||||
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
|
||||||
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
|
|
||||||
+#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
|
|
||||||
|
|
||||||
#define SSS_NSS_MAX_ENTRIES 256
|
|
||||||
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,370 +0,0 @@
|
|||||||
From 49be8974b490c368d349752f3196af0c9ed28dd5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 18 Sep 2018 09:53:37 +0200
|
|
||||||
Subject: [PATCH 63/83] pam_sss: add option require_cert_auth
|
|
||||||
|
|
||||||
With this new option pam_sss will wait until a Smartcard is available
|
|
||||||
and then try to authenticate with the help of the Smartcard.
|
|
||||||
|
|
||||||
Related https://pagure.io/SSSD/sssd/issue/3650
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/man/pam_sss.8.xml | 25 ++++++++++++
|
|
||||||
src/responder/pam/pamsrv_cmd.c | 12 ++++++
|
|
||||||
src/responder/pam/pamsrv_p11.c | 5 ++-
|
|
||||||
src/sss_client/pam_message.c | 4 ++
|
|
||||||
src/sss_client/pam_message.h | 1 +
|
|
||||||
src/sss_client/pam_sss.c | 90 ++++++++++++++++++++++++++----------------
|
|
||||||
src/sss_client/sss_cli.h | 2 +
|
|
||||||
src/util/sss_pam_data.c | 1 +
|
|
||||||
src/util/sss_pam_data.h | 1 +
|
|
||||||
9 files changed, 106 insertions(+), 35 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
|
|
||||||
index ca2e8e2..9998519 100644
|
|
||||||
--- a/src/man/pam_sss.8.xml
|
|
||||||
+++ b/src/man/pam_sss.8.xml
|
|
||||||
@@ -53,6 +53,9 @@
|
|
||||||
<arg choice='opt'>
|
|
||||||
<replaceable>try_cert_auth</replaceable>
|
|
||||||
</arg>
|
|
||||||
+ <arg choice='opt'>
|
|
||||||
+ <replaceable>require_cert_auth</replaceable>
|
|
||||||
+ </arg>
|
|
||||||
</cmdsynopsis>
|
|
||||||
</refsynopsisdiv>
|
|
||||||
|
|
||||||
@@ -223,6 +226,28 @@ auth sufficient pam_sss.so allow_missing_name
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>
|
|
||||||
+ <option>require_cert_auth</option>
|
|
||||||
+ </term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Do certificate based authentication, i.e.
|
|
||||||
+ authentication with a Smartcard or similar devices. If a
|
|
||||||
+ Smartcard is not available the user will be prompted to
|
|
||||||
+ insert one. SSSD will wait for a Smartcard until the
|
|
||||||
+ timeout defined by p11_wait_for_card_timeout passed,
|
|
||||||
+ please see
|
|
||||||
+ <citerefentry><refentrytitle>sssd.conf</refentrytitle>
|
|
||||||
+ <manvolnum>5</manvolnum></citerefentry> for details.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ If no Smartcard is available after the timeout or
|
|
||||||
+ certificate based authentication is not allowed for the
|
|
||||||
+ current service PAM_AUTHINFO_UNAVAIL is returned.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
index c8df32d..6e37f83 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_cmd.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
@@ -317,6 +317,11 @@ static int pam_parse_in_data_v2(struct pam_data *pd,
|
|
||||||
size, body, blen, &c);
|
|
||||||
if (ret != EOK) return ret;
|
|
||||||
break;
|
|
||||||
+ case SSS_PAM_ITEM_FLAGS:
|
|
||||||
+ ret = extract_uint32_t(&pd->cli_flags, size,
|
|
||||||
+ body, blen, &c);
|
|
||||||
+ if (ret != EOK) return ret;
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
"Ignoring unknown data type [%d].\n", type);
|
|
||||||
@@ -1447,6 +1452,13 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
|
|
||||||
"No certificate found and no logon name given, " \
|
|
||||||
"authentication not possible.\n");
|
|
||||||
ret = ENOENT;
|
|
||||||
+ } else if (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
|
||||||
+ "try_cert_auth flag set but no certificate available, "
|
|
||||||
+ "request finished.\n");
|
|
||||||
+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
|
||||||
+ pam_reply(preq);
|
|
||||||
+ return;
|
|
||||||
} else {
|
|
||||||
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
||||||
index ffa6787..8b8859d 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_p11.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_p11.c
|
|
||||||
@@ -721,7 +721,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
||||||
struct timeval tv;
|
|
||||||
int pipefd_to_child[2] = PIPE_INIT;
|
|
||||||
int pipefd_from_child[2] = PIPE_INIT;
|
|
||||||
- const char *extra_args[13] = { NULL };
|
|
||||||
+ const char *extra_args[14] = { NULL };
|
|
||||||
uint8_t *write_buf = NULL;
|
|
||||||
size_t write_buf_len = 0;
|
|
||||||
size_t arg_c;
|
|
||||||
@@ -748,6 +748,9 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
/* extra_args are added in revers order */
|
|
||||||
arg_c = 0;
|
|
||||||
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
|
|
||||||
+ extra_args[arg_c++] = "--wait_for_card";
|
|
||||||
+ }
|
|
||||||
extra_args[arg_c++] = nss_db;
|
|
||||||
extra_args[arg_c++] = "--nssdb";
|
|
||||||
if (verify_opts != NULL) {
|
|
||||||
diff --git a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c
|
|
||||||
index b239f6f..036ae2a 100644
|
|
||||||
--- a/src/sss_client/pam_message.c
|
|
||||||
+++ b/src/sss_client/pam_message.c
|
|
||||||
@@ -126,6 +126,7 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
|
|
||||||
len += 3*sizeof(uint32_t); /* cli_pid */
|
|
||||||
len += *pi->requested_domains != '\0' ?
|
|
||||||
2*sizeof(uint32_t) + pi->requested_domains_size : 0;
|
|
||||||
+ len += 3*sizeof(uint32_t); /* flags */
|
|
||||||
|
|
||||||
buf = malloc(len);
|
|
||||||
if (buf == NULL) {
|
|
||||||
@@ -164,6 +165,9 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
|
|
||||||
pi->pam_newauthtok, pi->pam_newauthtok_size,
|
|
||||||
&buf[rp]);
|
|
||||||
|
|
||||||
+ rp += add_uint32_t_item(SSS_PAM_ITEM_FLAGS, (uint32_t) pi->flags,
|
|
||||||
+ &buf[rp]);
|
|
||||||
+
|
|
||||||
SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
|
|
||||||
|
|
||||||
if (rp != len) {
|
|
||||||
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
|
|
||||||
index 11526a8..50fedcd 100644
|
|
||||||
--- a/src/sss_client/pam_message.h
|
|
||||||
+++ b/src/sss_client/pam_message.h
|
|
||||||
@@ -51,6 +51,7 @@ struct pam_items {
|
|
||||||
enum sss_authtok_type pam_newauthtok_type;
|
|
||||||
size_t pam_newauthtok_size;
|
|
||||||
pid_t cli_pid;
|
|
||||||
+ uint32_t flags;
|
|
||||||
const char *login_name;
|
|
||||||
char *domain_name;
|
|
||||||
const char *requested_domains;
|
|
||||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
||||||
index 96ff15a..b4c1036 100644
|
|
||||||
--- a/src/sss_client/pam_sss.c
|
|
||||||
+++ b/src/sss_client/pam_sss.c
|
|
||||||
@@ -134,6 +134,7 @@ static void free_cai(struct cert_auth_info *cai)
|
|
||||||
free(cai->cert_user);
|
|
||||||
free(cai->cert);
|
|
||||||
free(cai->token_name);
|
|
||||||
+ free(cai->module_name);
|
|
||||||
free(cai->key_id);
|
|
||||||
free(cai->prompt_str);
|
|
||||||
free(cai);
|
|
||||||
@@ -1247,6 +1248,8 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
|
|
||||||
pi->cert_list = NULL;
|
|
||||||
pi->selected_cert = NULL;
|
|
||||||
|
|
||||||
+ pi->flags = flags;
|
|
||||||
+
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1267,6 +1270,7 @@ static void print_pam_items(struct pam_items *pi)
|
|
||||||
D(("Newauthtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_newauthtok)));
|
|
||||||
D(("Cli_PID: %d", pi->cli_pid));
|
|
||||||
D(("Requested domains: %s", pi->requested_domains));
|
|
||||||
+ D(("Flags: %d", pi->flags));
|
|
||||||
}
|
|
||||||
|
|
||||||
static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
|
|
||||||
@@ -1999,6 +2003,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
} else if (strcmp(*argv, "try_cert_auth") == 0) {
*flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
+ } else if (strcmp(*argv, "require_cert_auth") == 0) {
+ *flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -2274,55 +2280,51 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
return PAM_SUCCESS;
}
-#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter"
+#define SC_ENTER_LABEL_FMT "Please enter smart card labeled\n %s"
+#define SC_ENTER_FMT "Please enter smart card"
static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
- bool quiet_mode)
+ int retries, bool quiet_mode)
{
int ret;
int pam_status;
char *login_token_name;
char *prompt = NULL;
- size_t size;
- char *answer = NULL;
- /* TODO: check multiple cert case */
- struct cert_auth_info *cai = pi->cert_list;
+ uint32_t orig_flags = pi->flags;
- if (cai == NULL) {
- D(("No certificate information available"));
- return EINVAL;
+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
+ if (login_token_name == NULL
+ && !(pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
+ return PAM_SUCCESS;
}
- login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
if (login_token_name == NULL) {
- return PAM_SUCCESS;
+ ret = asprintf(&prompt, SC_ENTER_FMT);
+ } else {
+ ret = asprintf(&prompt, SC_ENTER_LABEL_FMT, login_token_name);
+ }
+ if (ret == -1) {
+ return ENOMEM;
}
- while (cai->token_name == NULL
- || strcmp(login_token_name, cai->token_name) != 0) {
- size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
- prompt = malloc(size);
- if (prompt == NULL) {
- D(("malloc failed."));
- return ENOMEM;
- }
+ pi->flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
- ret = snprintf(prompt, size, SC_ENTER_FMT,
- login_token_name);
- if (ret < 0 || ret >= size) {
- D(("snprintf failed."));
- free(prompt);
- return EFAULT;
+ /* TODO: check multiple cert case */
+ while (pi->cert_list == NULL || pi->cert_list->token_name == NULL
+ || (login_token_name != NULL
+ && strcmp(login_token_name,
+ pi->cert_list->token_name) != 0)) {
+
+ if (retries < 0) {
+ ret = PAM_AUTHINFO_UNAVAIL;
+ goto done;
}
+ retries--;
- ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
- NULL, &answer);
- free(prompt);
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL);
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
- return ret;
- } else {
- free(answer);
+ goto done;
}
pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
@@ -2335,7 +2337,14 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
}
}
- return PAM_SUCCESS;
+ ret = PAM_SUCCESS;
+
+done:
+
+ pi->flags = orig_flags;
+ free(prompt);
+
+ return ret;
}
static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
@@ -2394,8 +2403,19 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
&& (pi.pam_authtok == NULL
|| (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
+
+ if (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) {
+ /* Do not use PAM_CLI_FLAGS_REQUIRE_CERT_AUTH in the first
+ * SSS_PAM_PREAUTH run. In case a card is already inserted
+ * we do not have to prompt to insert a card. */
+ pi.flags &= ~PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
+ pi.flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
+ }
+
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
+
+ pi.flags = flags;
if (pam_status != PAM_SUCCESS) {
D(("send_and_receive returned [%d] during pre-auth",
pam_status));
@@ -2414,8 +2434,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
return PAM_AUTHINFO_UNAVAIL;
}
- if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
- ret = check_login_token_name(pamh, &pi, quiet_mode);
+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0
+ || (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
+ ret = check_login_token_name(pamh, &pi, retries,
+ quiet_mode);
if (ret != PAM_SUCCESS) {
D(("check_login_token_name failed.\n"));
return ret;
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 38e3f99..af8a439 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -363,6 +363,7 @@ enum pam_item_type {
SSS_PAM_ITEM_CLI_LOCALE,
SSS_PAM_ITEM_CLI_PID,
SSS_PAM_ITEM_REQUESTED_DOMAINS,
+ SSS_PAM_ITEM_FLAGS,
};
#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
@@ -374,6 +375,7 @@ enum pam_item_type {
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
+#define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
diff --git a/src/util/sss_pam_data.c b/src/util/sss_pam_data.c
index 5e41349..cb8779c 100644
--- a/src/util/sss_pam_data.c
+++ b/src/util/sss_pam_data.c
@@ -176,6 +176,7 @@ void pam_print_data(int l, struct pam_data *pd)
DEBUG(l, "priv: %d\n", pd->priv);
DEBUG(l, "cli_pid: %d\n", pd->cli_pid);
DEBUG(l, "logon name: %s\n", PAM_SAFE_ITEM(pd->logon_name));
+ DEBUG(l, "flags: %d\n", pd->cli_flags);
}
int pam_add_response(struct pam_data *pd, enum response_type type,
diff --git a/src/util/sss_pam_data.h b/src/util/sss_pam_data.h
index 7d74fa6..c989810 100644
--- a/src/util/sss_pam_data.h
+++ b/src/util/sss_pam_data.h
@@ -58,6 +58,7 @@ struct pam_data {
struct sss_auth_token *newauthtok;
uint32_t cli_pid;
char *logon_name;
+ uint32_t cli_flags;
int pam_status;
int response_delay;
--
2.9.5
@ -1,309 +0,0 @@
From 5cdb6968f407c7bcaba69f4892f51fd6426dddb2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 26 Sep 2018 11:48:37 +0200
Subject: [PATCH 64/83] intg: require SC tests
Integration test for the new try_cert_auth and require_cert_auth option
for pam_sss.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/Makefile.am | 16 ++-
src/tests/intg/test_pam_responder.py | 188 +++++++++++++++++++++++++++++++----
2 files changed, 182 insertions(+), 22 deletions(-)
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index bb3a7f0..44fb635 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -113,6 +113,20 @@ pam_sss_service:
echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+pam_sss_sc_required:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so require_cert_auth retry=1" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
+pam_sss_try_sc:
+ $(MKDIR_P) $(PAM_SERVICE_DIR)
+ echo "auth required $(DESTDIR)$(pammoddir)/pam_sss.so try_cert_auth" > $(PAM_SERVICE_DIR)/$@
+ echo "account required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "password required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+ echo "session required $(DESTDIR)$(pammoddir)/pam_sss.so" >> $(PAM_SERVICE_DIR)/$@
+
CLEANFILES=config.py config.pyc passwd group
clean-local:
@@ -127,7 +141,7 @@ PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
endif
-intgcheck-installed: config.py passwd group pam_sss_service
+intgcheck-installed: config.py passwd group pam_sss_service pam_sss_sc_required pam_sss_try_sc
pipepath="$(DESTDIR)$(pipepath)"; \
if test $${#pipepath} -gt 80; then \
echo "error: Pipe directory path too long," \
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index c6d048c..06f69a3 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -41,6 +41,11 @@ USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001,
dir='/home/user1',
shell='/bin/bash')
+USER2 = dict(name='user2', passwd='x', uid=10002, gid=20002,
+ gecos='User with no Smartcard mapping',
+ dir='/home/user2',
+ shell='/bin/bash')
+
def format_pam_cert_auth_conf(config):
"""Format a basic SSSD configuration"""
@@ -55,8 +60,11 @@ def format_pam_cert_auth_conf(config):
[pam]
pam_cert_auth = True
- pam_p11_allowed_services = +pam_sss_service
+ pam_p11_allowed_services = +pam_sss_service, +pam_sss_sc_required, \
+ +pam_sss_try_sc
pam_cert_db_path = {config.PAM_CERT_DB_PATH}
+ p11_child_timeout = 5
+ p11_wait_for_card_timeout = 5
debug_level = 10
[domain/auth_only]
@@ -149,6 +157,15 @@ def create_nssdb():
pkcs11_txt.close()
+def create_nssdb_no_cert():
+ os.mkdir(config.SYSCONFDIR + "/pki")
+ os.mkdir(config.SYSCONFDIR + "/pki/nssdb")
+ if subprocess.call(["certutil", "-N", "-d",
+ "sql:" + config.SYSCONFDIR + "/pki/nssdb/",
+ "--empty-password"]) != 0:
+ raise Exception("certutil failed")
+
+
def cleanup_nssdb():
shutil.rmtree(config.SYSCONFDIR + "/pki")
@@ -158,14 +175,42 @@ def create_nssdb_fixture(request):
request.addfinalizer(cleanup_nssdb)
+def create_nssdb_no_cert_fixture(request):
+ create_nssdb_no_cert()
+ request.addfinalizer(cleanup_nssdb)
+
+
@pytest.fixture
-def simple_pam_cert_auth(request):
+def simple_pam_cert_auth(request, passwd_ops_setup):
"""Setup SSSD with pam_cert_auth=True"""
config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
conf = format_pam_cert_auth_conf(config)
create_conf_fixture(request, conf)
create_sssd_fixture(request)
create_nssdb_fixture(request)
+ passwd_ops_setup.useradd(**USER1)
+ passwd_ops_setup.useradd(**USER2)
+ return None
+
+
+@pytest.fixture
+def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
+ """Setup SSSD with pam_cert_auth=True"""
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
+
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
+ del os.environ['SOFTHSM2_CONF']
+
+ conf = format_pam_cert_auth_conf(config)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ create_nssdb_no_cert_fixture(request)
+
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
+
+ passwd_ops_setup.useradd(**USER1)
+ passwd_ops_setup.useradd(**USER2)
+
return None
@@ -176,26 +221,26 @@ def test_preauth_indicator(simple_pam_cert_auth):
@pytest.fixture
-def pam_wrapper_setup(request):
+def env_for_sssctl(request):
pwrap_runtimedir = os.getenv("PAM_WRAPPER_SERVICE_DIR")
if pwrap_runtimedir is None:
raise ValueError("The PAM_WRAPPER_SERVICE_DIR variable is unset\n")
+ env_for_sssctl = os.environ.copy()
+ env_for_sssctl['PAM_WRAPPER'] = "1"
+ env_for_sssctl['SSSD_INTG_PEER_UID'] = "0"
+ env_for_sssctl['SSSD_INTG_PEER_GID'] = "0"
+ env_for_sssctl['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
-def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
- passwd_ops_setup):
+ return env_for_sssctl
- passwd_ops_setup.useradd(**USER1)
- current_env = os.environ.copy()
- current_env['PAM_WRAPPER'] = "1"
- current_env['SSSD_INTG_PEER_UID'] = "0"
- current_env['SSSD_INTG_PEER_GID'] = "0"
- current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+
+def test_sc_auth_wrong_pin(simple_pam_cert_auth, env_for_sssctl):
sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
"--action=auth", "--service=pam_sss_service"],
universal_newlines=True,
- env=current_env, stdin=subprocess.PIPE,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
@@ -214,19 +259,120 @@ def test_sc_auth_wrong_pin(simple_pam_cert_auth, pam_wrapper_setup,
"Authentication failure") != -1
-def test_sc_auth(simple_pam_cert_auth, pam_wrapper_setup, passwd_ops_setup):
-
- passwd_ops_setup.useradd(**USER1)
- current_env = os.environ.copy()
- current_env['PAM_WRAPPER'] = "1"
- current_env['SSSD_INTG_PEER_UID'] = "0"
- current_env['SSSD_INTG_PEER_GID'] = "0"
- current_env['LD_PRELOAD'] += ':' + os.environ['PAM_WRAPPER_PATH']
+def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
"--action=auth", "--service=pam_sss_service"],
universal_newlines=True,
- env=current_env, stdin=subprocess.PIPE,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
+def test_require_sc_auth(simple_pam_cert_auth, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_sc_required"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
+def test_require_sc_auth_no_cert(simple_pam_cert_auth_no_cert, env_for_sssctl):
+
+ # We have to wait about 20s before the command returns because there will
+ # be 2 run since retry=1 in the PAM configuration and both
+ # p11_child_timeout and p11_wait_for_card_timeout are 5s in sssd.conf,
+ # so 2*(5+5)=20. */
+ start_time = time.time()
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_sc_required"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ end_time = time.time()
+ assert end_time > start_time and \
+ (end_time - start_time) >= 20 and \
+ (end_time - start_time) < 40
+ assert out.find("Please enter smart card\nPlease enter smart card") != -1
+ assert err.find("pam_authenticate for user [user1]: Authentication " +
+ "service cannot retrieve authentication info") != -1
+
+
+def test_try_sc_auth_no_map(simple_pam_cert_auth, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user2",
+ "--action=auth",
+ "--service=pam_sss_try_sc"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user2]: Authentication " +
+ "service cannot retrieve authentication info") != -1
+
+
+def test_try_sc_auth(simple_pam_cert_auth, env_for_sssctl):
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
+ "--action=auth",
+ "--service=pam_sss_try_sc"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
--
2.9.5
@ -1,407 +0,0 @@
From 46fd681a73ffef062cd027e7018e1a02d7a0a9df Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 8 Oct 2018 10:45:28 +0200
Subject: [PATCH 65/83] p11_child: show PKCS#11 URI in debug output
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/p11_child/p11_child_nss.c | 240 ++++++++++++++++++++++++++++++++++++++
src/p11_child/p11_child_openssl.c | 80 +++++++++++++
2 files changed, 320 insertions(+)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index b2777d1..fff1f25 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -39,6 +39,7 @@
#include <pk11pub.h>
#include <prerror.h>
#include <ocsp.h>
+#include <pkcs11uri.h>
#include "util/child_common.h"
#include "providers/backend.h"
@@ -63,6 +64,239 @@ struct p11_ctx {
| certificateUsageStatusResponder \
| certificateUsageSSLCA )
+
+static char *get_pkcs11_string(TALLOC_CTX *mem_ctx, const char *in, size_t len)
+{
+ size_t c = len;
+
+ if (in == NULL || len == 0) {
+ return NULL;
+ }
+
+ while(c > 0 && in[c - 1] == ' ') {
+ c--;
+ }
+
+ return talloc_strndup(mem_ctx, in, c);
+}
+
+static char *pct_encode(TALLOC_CTX *mem_ctx, SECItem *data)
+{
+ char *pct;
+ size_t c;
+ int ret;
+
+ pct = talloc_zero_size(mem_ctx, sizeof(char) * (3*data->len + 1));
+ if (pct == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
+ return NULL;
+ }
+
+ for (c = 0; c < data->len; c++) {
+ ret = snprintf(pct + 3*c, 4, "%%%02X", data->data[c]);
+ if (ret != 3) {
+ DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n");
+ talloc_free(pct);
+ return NULL;
+ }
+ }
+
+ return pct;
+}
+
+static char *get_key_id_pct(TALLOC_CTX *mem_ctx, PK11SlotInfo *slot,
+ CERTCertificate *cert)
+{
+ SECItem *key_id = NULL;
+ char *key_id_str = NULL;
+
+ key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL);
+ if (key_id == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n",
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
+ return NULL;
+ }
+
+ key_id_str = pct_encode(mem_ctx, key_id);
+ SECITEM_FreeItem(key_id, PR_TRUE);
+ if (key_id_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "pct_encode failed.\n");
+ return NULL;
+ }
+
+ return key_id_str;
+}
+
+static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, SECMODModule *mod,
+ PK11SlotInfo *slot,
+ const char *label, CERTCertificate *cert)
+{
+ CK_INFO module_info;
+ CK_SLOT_INFO slot_info;
+ CK_TOKEN_INFO token_info;
+ char *values[13];
+ PK11URIAttribute attrs[13];
+ size_t nattrs = 0;
+ SECStatus rv;
+ char *tmp_str;
+ char *uri_str;
+ PK11URI *uri;
+ CK_SLOT_ID slot_id;
+ char *id_pct;
+
+ rv = PK11_GetModInfo(mod, &module_info);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetModInfo failed.\n");
+ return NULL;
+ }
+
+ rv = PK11_GetSlotInfo(slot, &slot_info);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetSlotInfo failed.\n");
+ return NULL;
+ }
+
+ rv = PK11_GetTokenInfo(slot, &token_info);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11_GetTokenInfo failed.\n");
+ return NULL;
+ }
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)module_info.libraryDescription,
+ sizeof(module_info.libraryDescription));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_DESCRIPTION;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)module_info.manufacturerID,
+ sizeof(module_info.manufacturerID));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_MANUFACTURER;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = talloc_asprintf(mem_ctx, "%d.%d",
+ module_info.libraryVersion.major,
+ module_info.libraryVersion.minor);
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_LIBRARY_VERSION;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)slot_info.slotDescription,
+ sizeof(slot_info.slotDescription));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_DESCRIPTION;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)slot_info.manufacturerID,
+ sizeof(slot_info.manufacturerID));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_MANUFACTURER;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ slot_id = PK11_GetSlotID(slot);
+ values[nattrs] = talloc_asprintf(mem_ctx, "%d", (int) slot_id);
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SLOT_ID;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx, (char *)token_info.model,
+ sizeof(token_info.model));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_MODEL;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)token_info.manufacturerID,
+ sizeof(token_info.manufacturerID));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_MANUFACTURER;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx,
+ (char *)token_info.serialNumber,
+ sizeof(token_info.serialNumber));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_SERIAL;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ values[nattrs] = get_pkcs11_string(mem_ctx, (char *)token_info.label,
+ sizeof(token_info.label));
+ if (values[nattrs] != NULL && *values[nattrs] != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_TOKEN;
+ attrs[nattrs].value = values[nattrs];
+ nattrs++;
+ }
+
+ if (label != NULL && *label != '\0') {
+ attrs[nattrs].name = PK11URI_PATTR_OBJECT;
+ attrs[nattrs].value = label;
+ nattrs++;
+ }
+
+ attrs[nattrs].name = PK11URI_PATTR_TYPE;
+ attrs[nattrs].value = "cert";
+ nattrs++;
+
+ uri = PK11URI_CreateURI(attrs, nattrs, NULL, 0);
+ if (uri == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11URI_CreateURI failed.\n");
+ return NULL;
+ }
+
+ tmp_str = PK11URI_FormatURI(NULL, uri);
+ PK11URI_DestroyURI(uri);
+ if (tmp_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "PK11URI_FormatURI failed.\n");
+ return NULL;
+ }
+
+ /* Currently I have no idea how to get the ID properly formatted with the
+ * NSS PK11 calls. Since all attribute values are treated as strings zeros
+ * in the IDs cannot be handled. And the IDs cannot be set percent-encoded
+ * since all attribute values will be escaped which means the '%' sign
+ * will be escaped to '%25'. Hence for the time being the ID is added
+ * manually to the end of the URI. */
+ id_pct = get_key_id_pct(mem_ctx, slot, cert);
+ if (id_pct == NULL || *id_pct == '\0') {
+ DEBUG(SSSDBG_OP_FAILURE, "get_key_id_pct failed.\n");
+ PORT_Free(tmp_str);
+ return NULL;
+ }
+
+ uri_str = talloc_asprintf(mem_ctx, "%s;%s=%s", tmp_str,
+ PK11URI_PATTR_ID, id_pct);
+ talloc_free(id_pct);
+ if (uri_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ return NULL;
+ }
+
+ return uri_str;
+
+}
+
static char *password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg)
{
/* give up if 1) no password was supplied, or 2) the password has already
@@ -465,6 +699,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
cert_list_node->cert->nickname,
cert_list_node->cert->subjectName);
+ DEBUG(SSSDBG_TRACE_ALL, "module uri: %s.\n", PK11_GetModuleURI(module));
+ DEBUG(SSSDBG_TRACE_ALL, "token uri: %s.\n", PK11_GetTokenURI(slot));
+
if (p11_ctx->handle != NULL) {
if (!do_verification(p11_ctx, cert_list_node->cert)) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -651,6 +888,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
|
|
||||||
DEBUG(SSSDBG_TRACE_ALL, "Found certificate has key id [%s].\n",
|
|
||||||
key_id_str);
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "uri: %s.\n", get_pkcs11_uri(mem_ctx, module,
|
|
||||||
+ slot, label,
|
|
||||||
+ found_cert));
|
|
||||||
|
|
||||||
multi = talloc_asprintf_append(multi, "%s\n%s\n%s\n%s\n%s\n",
|
|
||||||
token_name, module_name, key_id_str,
|
|
||||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
|
||||||
index d4572d9..09edeef 100644
|
|
||||||
--- a/src/p11_child/p11_child_openssl.c
|
|
||||||
+++ b/src/p11_child/p11_child_openssl.c
|
|
||||||
@@ -29,6 +29,7 @@
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/rand.h>
|
|
||||||
#include <p11-kit/p11-kit.h>
|
|
||||||
+#include <p11-kit/uri.h>
|
|
||||||
|
|
||||||
#include <popt.h>
|
|
||||||
|
|
||||||
@@ -43,6 +44,72 @@ struct p11_ctx {
|
|
||||||
bool wait_for_card;
|
|
||||||
};
|
|
||||||
|
|
||||||
+
|
|
||||||
+static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
|
|
||||||
+ CK_SLOT_INFO *slot_info, CK_SLOT_ID slot_id,
|
|
||||||
+ CK_TOKEN_INFO *token_info, CK_ATTRIBUTE *label,
|
|
||||||
+ CK_ATTRIBUTE *id)
|
|
||||||
+{
|
|
||||||
+ P11KitUri *uri;
|
|
||||||
+ char *uri_str = NULL;
|
|
||||||
+ char *tmp_str = NULL;
|
|
||||||
+ int ret;
|
|
||||||
+ CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
|
|
||||||
+ CK_ATTRIBUTE class_attr = {CKA_CLASS, &cert_class, sizeof(CK_OBJECT_CLASS)};
|
|
||||||
+
|
|
||||||
+ uri = p11_kit_uri_new();
|
|
||||||
+ if (uri == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_new failed.\n");
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = p11_kit_uri_set_attribute(uri, label);
|
|
||||||
+ if (ret != P11_KIT_URI_OK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = p11_kit_uri_set_attribute(uri, id);
|
|
||||||
+ if (ret != P11_KIT_URI_OK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = p11_kit_uri_set_attribute(uri, &class_attr);
|
|
||||||
+ if (ret != P11_KIT_URI_OK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_set_attribute failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO));
|
|
||||||
+
|
|
||||||
+ memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
|
|
||||||
+ ret = p11_kit_uri_set_slot_id(uri, slot_id);
|
|
||||||
+
|
|
||||||
+ memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO));
|
|
||||||
+
|
|
||||||
+ ret = p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &tmp_str);
|
|
||||||
+ if (ret != P11_KIT_URI_OK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_format failed [%s].\n",
|
|
||||||
+ p11_kit_uri_message(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (tmp_str != NULL) {
|
|
||||||
+ uri_str = talloc_strdup(mem_ctx, tmp_str);
|
|
||||||
+ free(tmp_str);
|
|
||||||
+ if (uri_str == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ p11_kit_uri_free(uri);
|
|
||||||
+
|
|
||||||
+ return uri_str;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx)
|
|
||||||
{
|
|
||||||
CRYPTO_cleanup_all_ex_data();
|
|
||||||
@@ -234,6 +301,7 @@ struct cert_list {
|
|
||||||
X509 *cert;
|
|
||||||
char *subject_dn;
|
|
||||||
char *cert_b64;
|
|
||||||
+ char *uri;
|
|
||||||
CK_KEY_TYPE key_type;
|
|
||||||
CK_OBJECT_HANDLE private_key;
|
|
||||||
};
|
|
||||||
@@ -608,6 +676,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
CK_SLOT_ID slot_id;
|
|
||||||
CK_SLOT_INFO info;
|
|
||||||
CK_TOKEN_INFO token_info;
|
|
||||||
+ CK_INFO module_info;
|
|
||||||
CK_RV rv;
|
|
||||||
size_t module_id;
|
|
||||||
char *module_file_name = NULL;
|
|
||||||
@@ -821,6 +890,17 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ memset(&module_info, 0, sizeof(CK_INFO));
|
|
||||||
+ module->C_GetInfo(&module_info);
|
|
||||||
+
|
|
||||||
+ DLIST_FOR_EACH(item, cert_list) {
|
|
||||||
+ item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id,
|
|
||||||
+ &token_info,
|
|
||||||
+ &item->attributes[1] /* label */,
|
|
||||||
+ &item->attributes[0] /* id */);
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "uri: %s.\n", item->uri);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* TODO: check module_name_in, token_name_in, key_id_in */
|
|
||||||
|
|
||||||
if (cert_list == NULL) {
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,238 +0,0 @@
|
|||||||
From f7b2152a4c3c816a5bc4226a0e01791313accef3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Mon, 8 Oct 2018 12:47:25 +0200
|
|
||||||
Subject: [PATCH 66/83] p11_child: add PKCS#11 uri to restrict selection
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3814
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/p11_child/p11_child.h | 2 +-
|
|
||||||
src/p11_child/p11_child_common.c | 9 +++--
|
|
||||||
src/p11_child/p11_child_nss.c | 2 +-
|
|
||||||
src/p11_child/p11_child_openssl.c | 81 +++++++++++++++++++++++++++++++++++++--
|
|
||||||
4 files changed, 86 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h
|
|
||||||
index dd8fdea..92ecf74 100644
|
|
||||||
--- a/src/p11_child/p11_child.h
|
|
||||||
+++ b/src/p11_child/p11_child.h
|
|
||||||
@@ -54,5 +54,5 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64);
|
|
||||||
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
enum op_mode mode, const char *pin,
|
|
||||||
const char *module_name_in, const char *token_name_in,
|
|
||||||
- const char *key_id_in, char **_multi);
|
|
||||||
+ const char *key_id_in, const char *uri, char **_multi);
|
|
||||||
#endif /* __P11_CHILD_H__ */
|
|
||||||
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
|
|
||||||
index bc5f6b0..097e7fa 100644
|
|
||||||
--- a/src/p11_child/p11_child_common.c
|
|
||||||
+++ b/src/p11_child/p11_child_common.c
|
|
||||||
@@ -60,7 +60,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
|
|
||||||
bool wait_for_card,
|
|
||||||
const char *cert_b64, const char *pin,
|
|
||||||
const char *module_name, const char *token_name,
|
|
||||||
- const char *key_id, char **multi)
|
|
||||||
+ const char *key_id, const char *uri, char **multi)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
struct p11_ctx *p11_ctx;
|
|
||||||
@@ -90,7 +90,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
ret = do_card(mem_ctx, p11_ctx, mode, pin,
|
|
||||||
- module_name, token_name, key_id, multi);
|
|
||||||
+ module_name, token_name, key_id, uri, multi);
|
|
||||||
}
|
|
||||||
|
|
||||||
done:
|
|
||||||
@@ -159,6 +159,7 @@ int main(int argc, const char *argv[])
|
|
||||||
char *key_id = NULL;
|
|
||||||
char *cert_b64 = NULL;
|
|
||||||
bool wait_for_card = false;
|
|
||||||
+ char *uri = NULL;
|
|
||||||
|
|
||||||
struct poptOption long_options[] = {
|
|
||||||
POPT_AUTOHELP
|
|
||||||
@@ -194,6 +195,8 @@ int main(int argc, const char *argv[])
|
|
||||||
_("Key ID for authentication"), NULL},
|
|
||||||
{"certificate", 0, POPT_ARG_STRING, &cert_b64, 0,
|
|
||||||
_("certificate to verify, base64 encoded"), NULL},
|
|
||||||
+ {"uri", 0, POPT_ARG_STRING, &uri, 0,
|
|
||||||
+ _("PKCS#11 URI to restrict selection"), NULL},
|
|
||||||
POPT_TABLEEND
|
|
||||||
};
|
|
||||||
|
|
||||||
@@ -367,7 +370,7 @@ int main(int argc, const char *argv[])
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, wait_for_card,
|
|
||||||
- cert_b64, pin, module_name, token_name, key_id, &multi);
|
|
||||||
+ cert_b64, pin, module_name, token_name, key_id, uri, &multi);
|
|
||||||
if (ret != 0) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n");
|
|
||||||
goto fail;
|
|
||||||
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
|
|
||||||
index fff1f25..f9cbf3f 100644
|
|
||||||
--- a/src/p11_child/p11_child_nss.c
|
|
||||||
+++ b/src/p11_child/p11_child_nss.c
|
|
||||||
@@ -480,7 +480,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64)
|
|
||||||
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
enum op_mode mode, const char *pin,
|
|
||||||
const char *module_name_in, const char *token_name_in,
|
|
||||||
- const char *key_id_in, char **_multi)
|
|
||||||
+ const char *key_id_in, const char *uri, char **_multi)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
SECStatus rv;
|
|
||||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
|
||||||
index 09edeef..000e1c9 100644
|
|
||||||
--- a/src/p11_child/p11_child_openssl.c
|
|
||||||
+++ b/src/p11_child/p11_child_openssl.c
|
|
||||||
@@ -85,7 +85,7 @@ static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
|
|
||||||
memcpy(p11_kit_uri_get_token_info(uri), token_info, sizeof(CK_TOKEN_INFO));
|
|
||||||
|
|
||||||
memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
|
|
||||||
- ret = p11_kit_uri_set_slot_id(uri, slot_id);
|
|
||||||
+ p11_kit_uri_set_slot_id(uri, slot_id);
|
|
||||||
|
|
||||||
memcpy(p11_kit_uri_get_module_info(uri), module_info, sizeof(CK_INFO));
|
|
||||||
|
|
||||||
@@ -662,7 +662,7 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
|
|
||||||
errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
enum op_mode mode, const char *pin,
|
|
||||||
const char *module_name_in, const char *token_name_in,
|
|
||||||
- const char *key_id_in, char **_multi)
|
|
||||||
+ const char *key_id_in, const char *uri_str, char **_multi)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
size_t c;
|
|
||||||
@@ -674,6 +674,7 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
CK_ULONG num_slots;
|
|
||||||
CK_SLOT_ID slots[MAX_SLOTS];
|
|
||||||
CK_SLOT_ID slot_id;
|
|
||||||
+ CK_SLOT_ID uri_slot_id;
|
|
||||||
CK_SLOT_INFO info;
|
|
||||||
CK_TOKEN_INFO token_info;
|
|
||||||
CK_INFO module_info;
|
|
||||||
@@ -690,6 +691,19 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
char *multi = NULL;
|
|
||||||
bool pkcs11_session = false;
|
|
||||||
bool pkcs11_login = false;
|
|
||||||
+ P11KitUri *uri = NULL;
|
|
||||||
+
|
|
||||||
+ if (uri_str != NULL) {
|
|
||||||
+ uri = p11_kit_uri_new();
|
|
||||||
+ ret = p11_kit_uri_parse(uri_str, P11_KIT_URI_FOR_ANY, uri);
|
|
||||||
+ if (ret != P11_KIT_URI_OK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "p11_kit_uri_parse failed [%d][%s].\n",
|
|
||||||
+ ret, p11_kit_uri_message(ret));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
|
|
||||||
/* Maybe use P11_KIT_MODULE_TRUSTED ? */
|
|
||||||
modules = p11_kit_modules_load_and_initialize(0);
|
|
||||||
@@ -709,6 +723,23 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
free(mod_name);
|
|
||||||
free(mod_file_name);
|
|
||||||
|
|
||||||
+ if (uri != NULL) {
|
|
||||||
+ memset(&module_info, 0, sizeof(CK_INFO));
|
|
||||||
+ rv = modules[c]->C_GetInfo(&module_info);
|
|
||||||
+ if (rv != CKR_OK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Skip modules which do not match the PKCS#11 URI */
|
|
||||||
+ if (p11_kit_uri_match_module_info(uri, &module_info) != 1) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
|
||||||
+ "Not matching URI [%s], skipping.\n", uri_str);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
num_slots = MAX_SLOTS;
|
|
||||||
rv = modules[c]->C_GetSlotList(CK_FALSE, slots, &num_slots);
|
|
||||||
if (rv != CKR_OK) {
|
|
||||||
@@ -730,6 +761,37 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
info.slotDescription, info.manufacturerID, info.flags,
|
|
||||||
(info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
|
|
||||||
(info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
|
|
||||||
+
|
|
||||||
+ /* Skip slots which do not match the PKCS#11 URI */
|
|
||||||
+ if (uri != NULL) {
|
|
||||||
+ uri_slot_id = p11_kit_uri_get_slot_id(uri);
|
|
||||||
+ if ((uri_slot_id != (CK_SLOT_ID)-1
|
|
||||||
+ && uri_slot_id != slots[s])
|
|
||||||
+ || p11_kit_uri_match_slot_info(uri, &info) != 1) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL,
|
|
||||||
+ "Not matching URI [%s], skipping.\n", uri_str);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((info.flags & CKF_TOKEN_PRESENT) && uri != NULL) {
|
|
||||||
+ rv = modules[c]->C_GetTokenInfo(slots[s], &token_info);
|
|
||||||
+ if (rv != CKR_OK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "Token label [%s].\n",
|
|
||||||
+ token_info.label);
|
|
||||||
+
|
|
||||||
+ if (p11_kit_uri_match_token_info(uri, &token_info) != 1) {
|
|
||||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
||||||
+ "No matching uri [%s], skipping.\n", uri_str);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if ((info.flags & CKF_REMOVABLE_DEVICE)) {
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
@@ -788,6 +850,13 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (uri != NULL && p11_kit_uri_match_token_info(uri, &token_info) != 1) {
|
|
||||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "No token matching uri [%s] found.",
|
|
||||||
+ uri_str);
|
|
||||||
+ ret = ENOENT;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
module_id = c;
|
|
||||||
slot_name = p11_kit_space_strdup(info.slotDescription,
|
|
||||||
sizeof(info.slotDescription));
|
|
||||||
@@ -891,7 +960,12 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
memset(&module_info, 0, sizeof(CK_INFO));
|
|
||||||
- module->C_GetInfo(&module_info);
|
|
||||||
+ rv = module->C_GetInfo(&module_info);
|
|
||||||
+ if (rv != CKR_OK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "C_GetInfo failed.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
DLIST_FOR_EACH(item, cert_list) {
|
|
||||||
item->uri = get_pkcs11_uri(mem_ctx, &module_info, &info, slot_id,
|
|
||||||
@@ -970,6 +1044,7 @@ done:
|
|
||||||
free(token_name);
|
|
||||||
free(module_file_name);
|
|
||||||
p11_kit_modules_finalize_and_release(modules);
|
|
||||||
+ p11_kit_uri_free(uri);
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,193 +0,0 @@
|
|||||||
From 725b65081d19da658b16338686c53dcf16d49de0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 9 Oct 2018 10:47:04 +0200
|
|
||||||
Subject: [PATCH 67/83] PAM: add p11_uri option
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3814
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/confdb/confdb.h | 1 +
|
|
||||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
||||||
src/config/cfg_rules.ini | 1 +
|
|
||||||
src/config/etc/sssd.api.conf | 1 +
|
|
||||||
src/man/sssd.conf.5.xml | 33 +++++++++++++++++++++++++++++++++
|
|
||||||
src/responder/pam/pamsrv.h | 1 +
|
|
||||||
src/responder/pam/pamsrv_cmd.c | 12 +++++++++++-
|
|
||||||
src/responder/pam/pamsrv_p11.c | 9 ++++++++-
|
|
||||||
8 files changed, 57 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 87904c2..741d4bc 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -133,6 +133,7 @@
|
|
||||||
#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
|
|
||||||
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
|
|
||||||
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
|
|
||||||
+#define CONFDB_PAM_P11_URI "p11_uri"
|
|
||||||
|
|
||||||
/* SUDO */
|
|
||||||
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
|
|
||||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
index 4d1dba2..a20157c 100644
|
|
||||||
--- a/src/config/SSSDConfig/__init__.py.in
|
|
||||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
@@ -105,6 +105,7 @@ option_strings = {
|
|
||||||
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
|
|
||||||
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
|
|
||||||
'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
|
|
||||||
+ 'p11_uri' : _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
|
|
||||||
|
|
||||||
# [sudo]
|
|
||||||
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index 50a8f1d..09a52df 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -128,6 +128,7 @@ option = p11_child_timeout
|
|
||||||
option = pam_app_services
|
|
||||||
option = pam_p11_allowed_services
|
|
||||||
option = p11_wait_for_card_timeout
|
|
||||||
+option = p11_uri
|
|
||||||
|
|
||||||
[rule/allowed_sudo_options]
|
|
||||||
validator = ini_allowed_options
|
|
||||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
||||||
index bb686c3..c6d6690 100644
|
|
||||||
--- a/src/config/etc/sssd.api.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.conf
|
|
||||||
@@ -77,6 +77,7 @@ p11_child_timeout = int, None, false
|
|
||||||
pam_app_services = str, None, false
|
|
||||||
pam_p11_allowed_services = str, None, false
|
|
||||||
p11_wait_for_card_timeout = int, None, false
|
|
||||||
+p11_uri = str, None, false
|
|
||||||
|
|
||||||
[sudo]
|
|
||||||
# sudo service
|
|
||||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
||||||
index 4df0163..c8d53f0 100644
|
|
||||||
--- a/src/man/sssd.conf.5.xml
|
|
||||||
+++ b/src/man/sssd.conf.5.xml
|
|
||||||
@@ -1478,6 +1478,39 @@ pam_p11_allowed_services = +my_pam_service, -login
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>p11_uri (string)</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ PKCS#11 URI (see RFC-7512 for details) which can be
|
|
||||||
+ used to restrict the selection of devices used for
|
|
||||||
+ Smartcard authentication. By default SSSD's
|
|
||||||
+ p11_child will search for a PKCS#11 slot (reader)
|
|
||||||
+ where the 'removable' flags is set and read the
|
|
||||||
+ certificates from the inserted token from the first
|
|
||||||
+ slot found. If multiple readers are connected
|
|
||||||
+ p11_uri can be use to tell p11_child to use a
|
|
||||||
+ specific reader.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Example:
|
|
||||||
+ <programlisting>
|
|
||||||
+p11_uri = slot-description=My%20Smartcar%20Reader
|
|
||||||
+ </programlisting>
|
|
||||||
+ or
|
|
||||||
+ <programlisting>
|
|
||||||
+p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
|
|
||||||
+ </programlisting>
|
|
||||||
+ To find suitable URI please check the debug output
|
|
||||||
+ of p11_child. As an alternative the GnuTLS utility
|
|
||||||
+ 'p11tool' with e.g. the '--list-all' will show
|
|
||||||
+ PKCS#11 URIs as well.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Default: none
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect2>
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
|
||||||
index 5d87756..60aa979 100644
|
|
||||||
--- a/src/responder/pam/pamsrv.h
|
|
||||||
+++ b/src/responder/pam/pamsrv.h
|
|
||||||
@@ -103,6 +103,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
||||||
time_t timeout,
|
|
||||||
const char *verify_opts,
|
|
||||||
struct sss_certmap_ctx *sss_certmap_ctx,
|
|
||||||
+ const char *uri,
|
|
||||||
struct pam_data *pd);
|
|
||||||
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
|
||||||
struct cert_auth_info **cert_list);
|
|
||||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
index 6e37f83..a22afd2 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_cmd.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
@@ -1306,6 +1306,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
|
||||||
char *cert_verification_opts;
|
|
||||||
errno_t ret;
|
|
||||||
struct tevent_req *req;
|
|
||||||
+ char *uri = NULL;
|
|
||||||
|
|
||||||
ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
|
|
||||||
CONFDB_PAM_P11_CHILD_TIMEOUT,
|
|
||||||
@@ -1342,10 +1343,19 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_PAM_CONF_ENTRY,
|
|
||||||
+ CONFDB_PAM_P11_URI, NULL, &uri);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Failed to read certificate_verification from confdb: [%d]: %s\n",
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
|
|
||||||
pctx->nss_db, p11_child_timeout,
|
|
||||||
cert_verification_opts, pctx->sss_certmap_ctx,
|
|
||||||
- pd);
|
|
||||||
+ uri, pd);
|
|
||||||
if (req == NULL) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
|
|
||||||
return ENOMEM;
|
|
||||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
||||||
index 8b8859d..491bd2b 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_p11.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_p11.c
|
|
||||||
@@ -711,6 +711,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
||||||
time_t timeout,
|
|
||||||
const char *verify_opts,
|
|
||||||
struct sss_certmap_ctx *sss_certmap_ctx,
|
|
||||||
+ const char *uri,
|
|
||||||
struct pam_data *pd)
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
@@ -721,7 +722,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
||||||
struct timeval tv;
|
|
||||||
int pipefd_to_child[2] = PIPE_INIT;
|
|
||||||
int pipefd_from_child[2] = PIPE_INIT;
|
|
||||||
- const char *extra_args[14] = { NULL };
|
|
||||||
+ const char *extra_args[16] = { NULL };
|
|
||||||
uint8_t *write_buf = NULL;
|
|
||||||
size_t write_buf_len = 0;
|
|
||||||
size_t arg_c;
|
|
||||||
@@ -748,6 +749,12 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
/* extra_args are added in revers order */
|
|
||||||
arg_c = 0;
|
|
||||||
+ if (uri != NULL) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "Adding PKCS#11 URI [%s].\n", uri);
|
|
||||||
+ extra_args[arg_c++] = uri;
|
|
||||||
+ extra_args[arg_c++] = "--uri";
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
|
|
||||||
extra_args[arg_c++] = "--wait_for_card";
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,209 +0,0 @@
|
|||||||
From 4a22fb6bba6662ad628f6e17203e8ccf20eb9666 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 9 Oct 2018 10:46:43 +0200
|
|
||||||
Subject: [PATCH 68/83] tests: add PKCS#11 URI tests
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3814
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/tests/cmocka/test_pam_srv.c | 120 ++++++++++++++++++++++++++++++++++++++++
|
|
||||||
src/tests/test_CA/Makefile.am | 16 +++++-
|
|
||||||
2 files changed, 135 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
|
||||||
index 2b02ac2..7fc9224 100644
|
|
||||||
--- a/src/tests/cmocka/test_pam_srv.c
|
|
||||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
|
||||||
@@ -65,6 +65,7 @@
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#define TEST_TOKEN_NAME "SSSD Test Token"
|
|
||||||
+#define TEST_TOKEN2_NAME "SSSD Test Token Number 2"
|
|
||||||
#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
|
|
||||||
#ifdef HAVE_NSS
|
|
||||||
#define TEST_MODULE_NAME "NSS-Internal"
|
|
||||||
@@ -961,6 +962,54 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen,
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body,
|
|
||||||
+ size_t blen, enum response_type type,
|
|
||||||
+ const char *name)
|
|
||||||
+{
|
|
||||||
+ size_t rp = 0;
|
|
||||||
+ uint32_t val;
|
|
||||||
+ size_t check2_len = 0;
|
|
||||||
+ char const *check2_strings[] = { NULL,
|
|
||||||
+ TEST_TOKEN2_NAME,
|
|
||||||
+ TEST_MODULE_NAME,
|
|
||||||
+ TEST2_KEY_ID,
|
|
||||||
+ TEST2_PROMPT,
|
|
||||||
+ NULL };
|
|
||||||
+
|
|
||||||
+ assert_int_equal(status, 0);
|
|
||||||
+
|
|
||||||
+ check2_strings[0] = name;
|
|
||||||
+ check2_len = check_string_array_len(check2_strings);
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, 2);
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, 9);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(*(body + rp + val - 1), 0);
|
|
||||||
+ assert_string_equal(body + rp, TEST_DOM_NAME);
|
|
||||||
+ rp += val;
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, type);
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, check2_len);
|
|
||||||
+
|
|
||||||
+ check_string_array(check2_strings, body, &rp);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(rp, blen);
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
||||||
{
|
|
||||||
return test_pam_cert_check_ex(status, body, blen,
|
|
||||||
@@ -968,6 +1017,12 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
||||||
NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int test_pam_cert2_check(uint32_t status, uint8_t *body, size_t blen)
|
|
||||||
+{
|
|
||||||
+ return test_pam_cert2_token2_check_ex(status, body, blen, SSS_PAM_CERT_INFO,
|
|
||||||
+ "pamuser@"TEST_DOM_NAME);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body,
|
|
||||||
size_t blen)
|
|
||||||
{
|
|
||||||
@@ -2476,6 +2531,65 @@ void test_pam_cert_auth_2certs_one_mapping(void **state)
|
|
||||||
assert_int_equal(ret, EOK);
|
|
||||||
}
|
|
||||||
|
|
||||||
+void test_pam_cert_preauth_uri_token1(void **state)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ struct sss_test_conf_param pam_params[] = {
|
|
||||||
+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token" },
|
|
||||||
+ { NULL, NULL }, /* Sentinel */
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
|
|
||||||
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
|
|
||||||
+
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
|
|
||||||
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
|
|
||||||
+
|
|
||||||
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
+
|
|
||||||
+ set_cmd_cb(test_pam_cert_check);
|
|
||||||
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
|
|
||||||
+ pam_test_ctx->pam_cmds);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ /* Wait until the test finishes with EOK */
|
|
||||||
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_pam_cert_preauth_uri_token2(void **state)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ struct sss_test_conf_param pam_params[] = {
|
|
||||||
+ { CONFDB_PAM_P11_URI, "pkcs11:token=SSSD%20Test%20Token%20Number%202" },
|
|
||||||
+ { NULL, NULL }, /* Sentinel */
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
|
|
||||||
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf"));
|
|
||||||
+
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
|
|
||||||
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0002, false);
|
|
||||||
+
|
|
||||||
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
+
|
|
||||||
+ set_cmd_cb(test_pam_cert2_check);
|
|
||||||
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
|
|
||||||
+ pam_test_ctx->pam_cmds);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ /* Wait until the test finishes with EOK */
|
|
||||||
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+}
|
|
||||||
|
|
||||||
void test_filter_response(void **state)
|
|
||||||
{
|
|
||||||
@@ -2915,6 +3029,12 @@ int main(int argc, const char *argv[])
|
|
||||||
pam_test_setup, pam_test_teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
|
|
||||||
pam_test_setup, pam_test_teardown),
|
|
||||||
+#ifndef HAVE_NSS
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token1,
|
|
||||||
+ pam_test_setup, pam_test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_uri_token2,
|
|
||||||
+ pam_test_setup, pam_test_teardown),
|
|
||||||
+#endif /* ! HAVE_NSS */
|
|
||||||
#endif /* HAVE_TEST_CA */
|
|
||||||
|
|
||||||
cmocka_unit_test_setup_teardown(test_filter_response,
|
|
||||||
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
|
|
||||||
index 1bce2c3..b574c76 100644
|
|
||||||
--- a/src/tests/test_CA/Makefile.am
|
|
||||||
+++ b/src/tests/test_CA/Makefile.am
|
|
||||||
@@ -24,7 +24,7 @@ pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
|
|
||||||
if HAVE_NSS
|
|
||||||
extra = p11_nssdb p11_nssdb_2certs
|
|
||||||
else
|
|
||||||
-extra = softhsm2_none softhsm2_one softhsm2_two
|
|
||||||
+extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens
|
|
||||||
endif
|
|
||||||
|
|
||||||
# If openssl is run in parallel there might be conflicts with the serial
|
|
||||||
@@ -114,6 +114,20 @@ softhsm2_two.conf:
|
|
||||||
@echo "objectstore.backend = file" >> $@
|
|
||||||
@echo "slots.removable = true" >> $@
|
|
||||||
|
|
||||||
+softhsm2_2tokens: softhsm2_2tokens.conf
|
|
||||||
+ mkdir $@
|
|
||||||
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free
|
|
||||||
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
|
|
||||||
+ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' pkcs11:token=SSSD%20Test%20Token
|
|
||||||
+ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token Number 2" --pin 654321 --so-pin 654321 --free
|
|
||||||
+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
|
|
||||||
+ GNUTLS_PIN=654321 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' pkcs11:token=SSSD%20Test%20Token%20Number%202
|
|
||||||
+
|
|
||||||
+softhsm2_2tokens.conf:
|
|
||||||
+ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2tokens" > $@
|
|
||||||
+ @echo "objectstore.backend = file" >> $@
|
|
||||||
+ @echo "slots.removable = true" >> $@
|
|
||||||
+
|
|
||||||
CLEANFILES = \
|
|
||||||
index.txt index.txt.attr \
|
|
||||||
index.txt.attr.old index.txt.old \
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
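--- a/PATH-NOT-ON-PAGE-deleted-patch-69-of-83
+++ /dev/null
@@ -1,53 +0,0 @@
-From 7a2e56d061085c155a51253bd612255a4d24cb57 Mon Sep 17 00:00:00 2001
-From: Tomas Halman <thalman@redhat.com>
-Date: Mon, 8 Oct 2018 12:47:40 +0200
-Subject: [PATCH 69/83] test_config: Test for invalid characker in domain
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There was bug allowing forbidden characters in config file section name.
-Bug has been fixed meantime but we decided to write the test to avoid
-regeression.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3334
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
----
-src/tests/cmocka/test_config_check.c | 12 ++++++++++++
-1 file changed, 12 insertions(+)
-
-diff --git a/src/tests/cmocka/test_config_check.c b/src/tests/cmocka/test_config_check.c
-index a2958de..61c7886 100644
---- a/src/tests/cmocka/test_config_check.c
-+++ b/src/tests/cmocka/test_config_check.c
-@@ -106,6 +106,17 @@ void config_check_test_bad_section_name(void **state)
-config_check_test_common(cfg_str, 1, expected_errors);
-}
-
-+void config_check_test_bad_chars_in_section_name(void **state)
-+{
-+ char cfg_str[] = "[domain/LD@P]";
-+ const char *expected_errors[] = {
-+ "[rule/allowed_sections]: Section [domain/LD@P] is not allowed. "
-+ "Check for typos.",
-+ };
-+
-+ config_check_test_common(cfg_str, 1, expected_errors);
-+}
-+
-void config_check_test_too_many_subdomains(void **state)
-{
-char cfg_str[] = "[domain/ad.test/b.test/c.test]";
-@@ -264,6 +275,7 @@ int main(int argc, const char *argv[])
-
-const struct CMUnitTest tests[] = {
-cmocka_unit_test(config_check_test_bad_section_name),
-+ cmocka_unit_test(config_check_test_bad_chars_in_section_name),
-cmocka_unit_test(config_check_test_too_many_subdomains),
-cmocka_unit_test(config_check_test_bad_sssd_option_name),
-cmocka_unit_test(config_check_test_bad_pam_option_name),
---
-2.9.5
-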
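--- a/PATH-NOT-ON-PAGE-deleted-patch-70-of-83
+++ /dev/null
@@ -1,147 +0,0 @@
-From dbd717fe5b7d8dd640b6ade435b49edb3db5280a Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 9 Oct 2018 13:25:35 +0200
-Subject: [PATCH 70/83] PAM: return short name for files provider users
-
-If the 'allow_missing_name' option is used with pam_sss and the user
-name will be determined based on the certificate content and the mapping
-rules the PAM responder will by default return the fully-qualified name
-of the user which is then later used by other PAM modules as well.
-
-For local users which are configured to use SSSD for Smartcard
-authentication this might cause issues in other PAM modules because they
-are not aware of the fully-qualified name and will treat the user as
-unknown.
-
-With this patch the PAM responder will return the short name for all
-users handled by the files provider.
-
-Related to https://pagure.io/SSSD/sssd/issue/3848
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/responder/pam/pamsrv.h | 3 ++-
-src/responder/pam/pamsrv_cmd.c | 13 +++++++++----
-src/responder/pam/pamsrv_p11.c | 32 +++++++++++++++++++++++++++++---
-3 files changed, 40 insertions(+), 8 deletions(-)
-
-diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
-index 60aa979..3a927bb 100644
---- a/src/responder/pam/pamsrv.h
-+++ b/src/responder/pam/pamsrv.h
-@@ -108,7 +108,8 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
-errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
-struct cert_auth_info **cert_list);
-
--errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
-+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
-+ const char *sysdb_username,
-struct cert_auth_info *cert_info,
-enum response_type type);
-
-diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
-index a22afd2..553bf8f 100644
---- a/src/responder/pam/pamsrv_cmd.c
-+++ b/src/responder/pam/pamsrv_cmd.c
-@@ -1645,7 +1645,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
-preq->current_cert != NULL;
-preq->current_cert = sss_cai_get_next(preq->current_cert)) {
-
-- ret = add_pam_cert_response(preq->pd, "",
-+ ret = add_pam_cert_response(preq->pd,
-+ preq->cctx->rctx->domains, "",
-preq->current_cert,
-preq->cctx->rctx->domains->user_name_hint
-? SSS_PAM_CERT_INFO_WITH_HINT
-@@ -1699,7 +1700,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
-
-if (preq->cctx->rctx->domains->user_name_hint
-&& preq->pd->cmd == SSS_PAM_PREAUTH) {
-- ret = add_pam_cert_response(preq->pd, cert_user,
-+ ret = add_pam_cert_response(preq->pd,
-+ preq->cctx->rctx->domains, cert_user,
-preq->cert_list,
-SSS_PAM_CERT_INFO_WITH_HINT);
-preq->pd->pam_status = PAM_SUCCESS;
-@@ -1725,7 +1727,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
-* SSS_PAM_CERT_INFO message to send the name to the caller. */
-if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
-&& preq->pd->logon_name == NULL) {
-- ret = add_pam_cert_response(preq->pd, cert_user,
-+ ret = add_pam_cert_response(preq->pd,
-+ preq->cctx->rctx->domains, cert_user,
-preq->cert_list,
-SSS_PAM_CERT_INFO);
-if (ret != EOK) {
-@@ -2117,7 +2120,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
-"the backend.\n");
-}
-
-- ret = add_pam_cert_response(preq->pd, cert_user,
-+ ret = add_pam_cert_response(preq->pd,
-+ preq->cctx->rctx->domains,
-+ cert_user,
-preq->current_cert,
-SSS_PAM_CERT_INFO);
-if (ret != EOK) {
-diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
-index 491bd2b..785b29c 100644
---- a/src/responder/pam/pamsrv_p11.c
-+++ b/src/responder/pam/pamsrv_p11.c
-@@ -1145,7 +1145,8 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
-* used when running gdm-password. */
-#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
-
--errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
-+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
-+ const char *sysdb_username,
-struct cert_auth_info *cert_info,
-enum response_type type)
-{
-@@ -1153,6 +1154,10 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
-char *env = NULL;
-size_t msg_len;
-int ret;
-+ char *short_name = NULL;
-+ char *domain_name = NULL;
-+ const char *cert_info_name = sysdb_username;
-+
-
-if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) {
-DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type);
-@@ -1174,9 +1179,30 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
-* Smartcard. If this type of name is irritating at the PIN prompt or the
-* re_expression config option was set in a way that user@domain cannot be
-* handled anymore some more logic has to be added here. But for the time
-- * being I think using sysdb_username is fine. */
-+ * being I think using sysdb_username is fine.
-+ * As special case is the files provider which handles local users which
-+ * by definition only have a short name. To avoid confusion by other
-+ * modules on the PAM stack the short name is returned in this case. */
-+
-+ if (sysdb_username != NULL) {
-+ ret = sss_parse_internal_fqname(pd, sysdb_username,
-+ &short_name, &domain_name);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s, "
-+ "using full name.\n",
-+ sysdb_username, ret, sss_strerror(ret));
-+ } else {
-+ if (domain_name != NULL
-+ && is_files_provider(find_domain_by_name(dom, domain_name,
-+ false))) {
-+ cert_info_name = short_name;
-+ }
-+ }
-+ }
-
-- ret = pack_cert_data(pd, sysdb_username, cert_info, &msg, &msg_len);
-+ ret = pack_cert_data(pd, cert_info_name, cert_info, &msg, &msg_len);
-+ talloc_free(short_name);
-+ talloc_free(domain_name);
-if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE, "pack_cert_data failed.\n");
-return ret;
---
-2.9.5
-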
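--- a/PATH-NOT-ON-PAGE-deleted-patch-71-of-83
+++ /dev/null
@@ -1,181 +0,0 @@
-From 941e67b0bbb780aadb6461b60b4e3554dfb893db Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Wed, 16 May 2018 10:23:49 +0200
-Subject: [PATCH 71/83] TESTS: Add a test for whitespace trimming in netgroup
-entries
-
-This is a unit test for commit dbb1abae6eaa9df24f61e3a9f855e2461a66a197
-
-Reviewed-by: Tomas Halman <thalman@redhat.com>
----
-src/tests/sysdb-tests.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++-
-1 file changed, 130 insertions(+), 2 deletions(-)
-
-diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
-index 933a07e..d3117cd 100644
---- a/src/tests/sysdb-tests.c
-+++ b/src/tests/sysdb-tests.c
-@@ -4388,6 +4388,125 @@ START_TEST (test_netgroup_base_dn)
-}
-END_TEST
-
-+static errno_t netgr_triple_to_attrs(struct sysdb_attrs *attrs,
-+ struct sysdb_netgroup_ctx *netgrent)
-+{
-+ int ret;
-+ char *dummy;
-+
-+ dummy = talloc_asprintf(attrs, "(%s,%s,%s)",
-+ netgrent->value.triple.hostname,
-+ netgrent->value.triple.username,
-+ netgrent->value.triple.domainname);
-+ if (dummy == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
-+ return ENOMEM;
-+ }
-+
-+ ret = sysdb_attrs_add_string(attrs, SYSDB_NETGROUP_TRIPLE, dummy);
-+ talloc_zfree(dummy);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_add_string failed.\n");
-+ return ret;
-+ }
-+
-+ return EOK;
-+}
-+
-+static errno_t store_netgr(struct sysdb_test_ctx *test_ctx,
-+ const char *name,
-+ struct sysdb_netgroup_ctx *netgrent)
-+{
-+ struct sysdb_attrs *attrs;
-+ errno_t ret;
-+
-+ attrs = sysdb_new_attrs(test_ctx);
-+ if (attrs == NULL) {
-+ return ENOMEM;
-+ }
-+
-+ ret = netgr_triple_to_attrs(attrs, netgrent);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n");
-+ return ret;
-+ }
-+
-+ ret = sysdb_add_netgroup(test_ctx->domain, name, NULL, attrs, NULL,
-+ 0, 0);
-+ talloc_zfree(attrs);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n");
-+ return ret;
-+ }
-+
-+ return EOK;
-+}
-+
-+static bool sysdb_netgr_ctx_cmp(struct sysdb_netgroup_ctx *a,
-+ struct sysdb_netgroup_ctx *b)
-+{
-+ return a->type == b->type &&
-+ strcmp(a->value.triple.username, b->value.triple.username) == 0 &&
-+ strcmp(a->value.triple.hostname, b->value.triple.hostname) == 0 &&
-+ strcmp(a->value.triple.domainname, b->value.triple.domainname) == 0;
-+}
-+
-+START_TEST (test_sysdb_netgr_to_entries)
-+{
-+ errno_t ret;
-+ bool bret;
-+ struct sysdb_test_ctx *test_ctx;
-+ struct sysdb_netgroup_ctx simple_netgroup = {
-+ .type = SYSDB_NETGROUP_TRIPLE_VAL,
-+ .value.triple.hostname = discard_const("host"),
-+ .value.triple.username = discard_const("user"),
-+ .value.triple.domainname = discard_const("domain"),
-+ };
-+ struct sysdb_netgroup_ctx ws_netgroup = {
-+ .type = SYSDB_NETGROUP_TRIPLE_VAL,
-+ .value.triple.hostname = discard_const(" host "),
-+ .value.triple.username = discard_const(" user "),
-+ .value.triple.domainname = discard_const(" domain "),
-+ };
-+ struct ldb_result *res;
-+ struct sysdb_netgroup_ctx **entries;
-+ size_t netgroup_count;
-+
-+ ret = setup_sysdb_tests(&test_ctx);
-+ fail_if(ret != EOK, "Could not set up the test");
-+
-+ ret = store_netgr(test_ctx, "simple_netgroup", &simple_netgroup);
-+ fail_if(ret != EOK, "Could not store the netgr");
-+
-+ ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "simple_netgroup", &res);
-+ fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]",
-+ ret, strerror(ret));
-+ fail_unless(res->count == 1, "Received [%d] responses",
-+ res->count);
-+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
-+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
-+ ret, strerror(ret));
-+ fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count);
-+ bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup);
-+ fail_unless(bret == true, "Netgroup triples do not match");
-+
-+ ret = store_netgr(test_ctx, "ws_netgroup", &ws_netgroup);
-+ fail_if(ret != EOK, "Could not store the netgr");
-+
-+ ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "ws_netgroup", &res);
-+ fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]",
-+ ret, strerror(ret));
-+ fail_unless(res->count == 1, "Received [%d] responses",
-+ res->count);
-+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
-+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
-+ ret, strerror(ret));
-+ fail_unless(netgroup_count == 1, "Received [%d] triples", netgroup_count);
-+ bret = sysdb_netgr_ctx_cmp(entries[0], &simple_netgroup);
-+ fail_unless(bret == true, "Netgroup triples do not match");
-+}
-+END_TEST
-+
-START_TEST(test_odd_characters)
-{
-errno_t ret;
-@@ -4404,6 +4523,8 @@ START_TEST(test_odd_characters)
-const char *received_group;
-static const char *user_attrs[] = SYSDB_PW_ATTRS;
-static const char *netgr_attrs[] = SYSDB_NETGR_ATTRS;
-+ struct sysdb_netgroup_ctx **entries;
-+ size_t netgroup_count;
-
-/* Setup */
-ret = setup_sysdb_tests(&test_ctx);
-@@ -4546,9 +4667,13 @@ START_TEST(test_odd_characters)
-ret, strerror(ret));
-fail_unless(res->count == 1, "Received [%d] responses",
-res->count);
-- talloc_zfree(res);
-
-- /* ===== Arbitrary Entries ===== */
-+ /* Parse */
-+ ret = sysdb_netgr_to_entries(test_ctx, res, &entries, &netgroup_count);
-+ fail_unless(ret == EOK, "sysdb_netgr_to_entries error [%d][%s]",
-+ ret, strerror(ret));
-+
-+ talloc_zfree(res);
-
-talloc_free(test_ctx);
-}
-@@ -7418,6 +7543,9 @@ Suite *create_sysdb_suite(void)
-
-tcase_add_test(tc_sysdb, test_netgroup_base_dn);
-
-+ /* Test splitting the netgroup triple */
-+ tcase_add_test(tc_sysdb, test_sysdb_netgr_to_entries);
-+
-/* ===== SERVICE TESTS ===== */
-
-/* Create a new service */
---
-2.9.5
-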
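--- a/PATH-NOT-ON-PAGE-deleted-patch-73-of-83
+++ /dev/null
@@ -1,57 +0,0 @@
-From 7b3794fbe5e4f0888d4faeba12e6c5268f8cca42 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Tue, 9 Oct 2018 12:12:44 +0200
-Subject: [PATCH 73/83] FILES: The files provider should not enumerate
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3849
-
-For reason I cannot explain now, the files provider always enumerates.
-There is commit a60e6ec which implements this, but it's clearly wrong,
-because then the plain getent passwd output contains duplicates from
-nss_files and nss_sss:
-
-$ getent passwd | sort
-adm:x:3:4:adm:/var/adm:/sbin/nologin
-adm:x:3:4:adm:/var/adm:/sbin/nologin
-bin:x:1:1:bin:/bin:/sbin/nologin
-bin:x:1:1:bin:/bin:/sbin/nologin
-certuser:x:10329:10330::/home/certuser:/bin/bash
-certuser:x:10329:10330::/home/certuser:/bin/bash
-chrony:x:997:994::/var/lib/chrony:/sbin/nologin
-chrony:x:997:994::/var/lib/chrony:/sbin/nologin
-daemon:x:2:2:daemon:/sbin:/sbin/nologin
-daemon:x:2:2:daemon:/sbin:/sbin/nologin
-
-Reviewed-by: Michal Židek <mzidek@redhat.com>
----
-src/confdb/confdb.c | 5 +----
-1 files changed, 1 insertions(+), 4 deletions(-)
-
-diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
-index 2f3d900..fdc6122 100644
---- a/src/confdb/confdb.c
-+++ b/src/confdb/confdb.c
-@@ -875,7 +875,6 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
-char *default_domain;
-bool fqnames_default = false;
-int memcache_timeout;
-- bool enum_default;
-
-tmp_ctx = talloc_new(mem_ctx);
-if (!tmp_ctx) return ENOMEM;
-@@ -1009,10 +1008,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
-"Interpreting as true\n", domain->name);
-domain->enumerate = true;
-} else { /* assume the new format */
-- enum_default = is_files_provider(domain);
--
-ret = get_entry_as_bool(res->msgs[0], &domain->enumerate,
-- CONFDB_DOMAIN_ENUMERATE, enum_default);
-+ CONFDB_DOMAIN_ENUMERATE, 0);
-if(ret != EOK) {
-DEBUG(SSSDBG_FATAL_FAILURE,
-"Invalid value for %s\n", CONFDB_DOMAIN_ENUMERATE);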
@ -1,489 +0,0 @@
|
|||||||
From 91c608d0eb48435b5b5d2f3631a4bb2a40b8d519 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Wed, 10 Oct 2018 15:37:16 +0200
|
|
||||||
Subject: [PATCH 74/83] p11_child: add OCSP check ot the OpenSSL version
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3489
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/man/sssd.conf.5.xml | 26 ++-
|
|
||||||
src/p11_child/p11_child_openssl.c | 346 ++++++++++++++++++++++++++++++++++++++
|
|
||||||
src/tests/cmocka/test_utils.c | 3 +
|
|
||||||
src/util/util.c | 2 +
|
|
||||||
4 files changed, 370 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
||||||
index c8d53f0..5e3ae48 100644
|
|
||||||
--- a/src/man/sssd.conf.5.xml
|
|
||||||
+++ b/src/man/sssd.conf.5.xml
|
|
||||||
@@ -479,8 +479,8 @@
|
|
||||||
be replaced with the URL of the OCSP
|
|
||||||
default responder e.g.
|
|
||||||
http://example.com:80/ocsp.</para>
|
|
||||||
- <para>This option must be used together
|
|
||||||
- with
|
|
||||||
+ <para>(NSS Version) This option must be
|
|
||||||
+ used together with
|
|
||||||
ocsp_default_responder_signing_cert.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
@@ -489,17 +489,29 @@
|
|
||||||
<term>
|
|
||||||
ocsp_default_responder_signing_cert=NAME</term>
|
|
||||||
<listitem>
|
|
||||||
- <para>The nickname of the cert to trust
|
|
||||||
- (expected) to sign the OCSP responses.
|
|
||||||
- The certificate with the given nickname
|
|
||||||
- must be available in the systems NSS
|
|
||||||
- database.</para>
|
|
||||||
+ <para>(NSS Version) The nickname of the
|
|
||||||
+ cert to trust (expected) to sign the
|
|
||||||
+ OCSP responses. The certificate with
|
|
||||||
+ the given nickname must be available in
|
|
||||||
+ the systems NSS database.</para>
|
|
||||||
<para>This option must be used together
|
|
||||||
with ocsp_default_responder.</para>
|
|
||||||
+ <para>(OpenSSL version) This option is
|
|
||||||
+ currently ignored. All needed
|
|
||||||
+ certificates must be available in the
|
|
||||||
+ PEM file given by
|
|
||||||
+ pam_cert_db_path.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</para>
|
|
||||||
+ <para condition="with_nss">
|
|
||||||
+ This man page was generated for the NSS version.
|
|
||||||
+ </para>
|
|
||||||
+ <para condition="with_openssl">
|
|
||||||
+ This man page was generated for the OpenSSL
|
|
||||||
+ version.
|
|
||||||
+ </para>
|
|
||||||
<para>
|
|
||||||
Unknown options are reported but ignored.
|
|
||||||
</para>
|
|
||||||
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
|
|
||||||
index 000e1c9..d66a2f8 100644
|
|
||||||
--- a/src/p11_child/p11_child_openssl.c
|
|
||||||
+++ b/src/p11_child/p11_child_openssl.c
|
|
||||||
@@ -28,6 +28,7 @@
|
|
||||||
#include <openssl/x509.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/rand.h>
|
|
||||||
+#include <openssl/ocsp.h>
|
|
||||||
#include <p11-kit/p11-kit.h>
|
|
||||||
#include <p11-kit/uri.h>
|
|
||||||
|
|
||||||
@@ -42,8 +43,344 @@ struct p11_ctx {
|
|
||||||
X509_STORE *x509_store;
|
|
||||||
const char *ca_db;
|
|
||||||
bool wait_for_card;
|
|
||||||
+ struct cert_verify_opts *cert_verify_opts;
|
|
||||||
};
|
|
||||||
|
|
||||||
+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
|
|
||||||
+ const char *path,
|
|
||||||
+ OCSP_REQUEST *req, int req_timeout)
|
|
||||||
+{
|
|
||||||
+ int fd;
|
|
||||||
+ int rv;
|
|
||||||
+ OCSP_REQ_CTX *ctx = NULL;
|
|
||||||
+ OCSP_RESPONSE *rsp = NULL;
|
|
||||||
+ fd_set confds;
|
|
||||||
+ struct timeval tv;
|
|
||||||
+
|
|
||||||
+ if (req_timeout != -1) {
|
|
||||||
+ BIO_set_nbio(cbio, 1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rv = BIO_do_connect(cbio);
|
|
||||||
+
|
|
||||||
+ if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Error connecting BIO\n");
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (BIO_get_fd(cbio, &fd) < 0) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Can't get connection fd\n");
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (req_timeout != -1 && rv <= 0) {
|
|
||||||
+ FD_ZERO(&confds);
|
|
||||||
+ FD_SET(fd, &confds);
|
|
||||||
+ tv.tv_usec = 0;
|
|
||||||
+ tv.tv_sec = req_timeout;
|
|
||||||
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
|
|
||||||
+ if (rv == 0) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on connect\n");
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
|
|
||||||
+ if (ctx == NULL) {
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OCSP_REQ_CTX_set1_req(ctx, req)) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (;;) {
|
|
||||||
+ rv = OCSP_sendreq_nbio(&rsp, ctx);
|
|
||||||
+ if (rv != -1)
|
|
||||||
+ break;
|
|
||||||
+ if (req_timeout == -1)
|
|
||||||
+ continue;
|
|
||||||
+ FD_ZERO(&confds);
|
|
||||||
+ FD_SET(fd, &confds);
|
|
||||||
+ tv.tv_usec = 0;
|
|
||||||
+ tv.tv_sec = req_timeout;
|
|
||||||
+ if (BIO_should_read(cbio)) {
|
|
||||||
+ rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
|
|
||||||
+ } else if (BIO_should_write(cbio)) {
|
|
||||||
+ rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
|
|
||||||
+ } else {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected retry condition\n");
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (rv == 0) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout on request\n");
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ if (rv == -1) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Select error\n");
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+ err:
|
|
||||||
+ OCSP_REQ_CTX_free(ctx);
|
|
||||||
+
|
|
||||||
+ return rsp;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
||||||
+#define TLS_client_method SSLv23_client_method
|
|
||||||
+#define X509_STORE_get0_objects(store) (store->objs)
|
|
||||||
+#define X509_OBJECT_get_type(object) (object->type)
|
|
||||||
+#define X509_OBJECT_get0_X509(object) (object->data.x509)
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
|
|
||||||
+ const char *host, const char *path,
|
|
||||||
+ const char *port, int use_ssl,
|
|
||||||
+ int req_timeout)
|
|
||||||
+{
|
|
||||||
+ BIO *cbio = NULL;
|
|
||||||
+ SSL_CTX *ctx = NULL;
|
|
||||||
+ OCSP_RESPONSE *resp = NULL;
|
|
||||||
+
|
|
||||||
+ cbio = BIO_new_connect(host);
|
|
||||||
+ if (cbio == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Error creating connect BIO\n");
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+ if (port != NULL)
|
|
||||||
+ BIO_set_conn_port(cbio, port);
|
|
||||||
+ if (use_ssl == 1) {
|
|
||||||
+ BIO *sbio;
|
|
||||||
+ ctx = SSL_CTX_new(TLS_client_method());
|
|
||||||
+ if (ctx == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Error creating SSL context.\n");
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
|
|
||||||
+ sbio = BIO_new_ssl(ctx, 1);
|
|
||||||
+ cbio = BIO_push(sbio, cbio);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ resp = query_responder(cbio, host, path, req, req_timeout);
|
|
||||||
+ if (resp == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Error querying OCSP responder\n");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ end:
|
|
||||||
+ BIO_free_all(cbio);
|
|
||||||
+ SSL_CTX_free(ctx);
|
|
||||||
+ return resp;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
|
|
||||||
+{
|
|
||||||
+ OCSP_REQUEST *ocsp_req = NULL;
|
|
||||||
+ OCSP_RESPONSE *ocsp_resp = NULL;
|
|
||||||
+ OCSP_BASICRESP *ocsp_basic = NULL;
|
|
||||||
+ OCSP_CERTID *cid = NULL;
|
|
||||||
+ STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
|
|
||||||
+ char *url_str;
|
|
||||||
+ X509 *issuer = NULL;
|
|
||||||
+ int req_timeout = -1;
|
|
||||||
+ int status;
|
|
||||||
+ int ret = EIO;
|
|
||||||
+ int reason;
|
|
||||||
+ ASN1_GENERALIZEDTIME *revtime;
|
|
||||||
+ ASN1_GENERALIZEDTIME *thisupd;
|
|
||||||
+ ASN1_GENERALIZEDTIME *nextupd;
|
|
||||||
+ long grace_time = (5 * 60); /* Allow 5 minutes time difference when
|
|
||||||
+ * checking the validity of the OCSP response */
|
|
||||||
+ char *host = NULL;
|
|
||||||
+ char *path = NULL;
|
|
||||||
+ char *port = NULL;
|
|
||||||
+ int use_ssl;
|
|
||||||
+ X509_NAME *issuer_name = NULL;
|
|
||||||
+ X509_OBJECT *x509_obj;
|
|
||||||
+ STACK_OF(X509_OBJECT) *store_objects;
|
|
||||||
+
|
|
||||||
+ ocsp_urls = X509_get1_ocsp(cert);
|
|
||||||
+ if (ocsp_urls == NULL
|
|
||||||
+ && p11_ctx->cert_verify_opts->ocsp_default_responder == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "No OCSP URL in certificate and no default responder defined, "
|
|
||||||
+ "skipping OCSP check.\n");
|
|
||||||
+ return EOK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (p11_ctx->cert_verify_opts->ocsp_default_responder != NULL) {
|
|
||||||
+ url_str = p11_ctx->cert_verify_opts->ocsp_default_responder;
|
|
||||||
+ } else {
|
|
||||||
+ if (sk_OPENSSL_STRING_num(ocsp_urls) > 1) {
|
|
||||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
||||||
+ "Found more than 1 OCSP URLs, just using the first.\n");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ url_str = sk_OPENSSL_STRING_value(ocsp_urls, 0);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "Using OCSP URL [%s].\n", url_str);
|
|
||||||
+
|
|
||||||
+ ret = OCSP_parse_url(url_str, &host, &port, &path, &use_ssl);
|
|
||||||
+ if (ret != 1) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_parse_url failed to parse [%s].\n",
|
|
||||||
+ url_str);
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ issuer_name = X509_get_issuer_name(cert);
|
|
||||||
+ if (issuer_name == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate has no issuer, "
|
|
||||||
+ "cannot run OCSP check.\n");
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ store_objects = X509_STORE_get0_objects(p11_ctx->x509_store);
|
|
||||||
+ if (store_objects == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "No objects found in certificate store, OCSP failed.\n");
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ x509_obj = X509_OBJECT_retrieve_by_subject(store_objects, X509_LU_X509,
|
|
||||||
+ issuer_name);
|
|
||||||
+ if (x509_obj == NULL || X509_OBJECT_get_type(x509_obj) != X509_LU_X509) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Issuer not found.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ issuer = X509_OBJECT_get0_X509(x509_obj);
|
|
||||||
+
|
|
||||||
+ ocsp_req = OCSP_REQUEST_new();
|
|
||||||
+ if (ocsp_req == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_REQUEST_new failed.\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
|
|
||||||
+ if (cid == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_cert_to_id failed.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (OCSP_request_add0_id(ocsp_req, cid) == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_request_add0_id failed.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ OCSP_request_add1_nonce(ocsp_req, NULL, -1);
|
|
||||||
+
|
|
||||||
+ ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl,
|
|
||||||
+ req_timeout);
|
|
||||||
+ if (ocsp_resp == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "process_responder failed.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ status = OCSP_response_status(ocsp_resp);
|
|
||||||
+ if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response error: [%d][%s].\n",
|
|
||||||
+ status, OCSP_response_status_str(status));
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ocsp_basic = OCSP_response_get1_basic(ocsp_resp);
|
|
||||||
+ if (ocsp_resp == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "OCSP_response_get1_basic failed.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ switch (OCSP_check_nonce(ocsp_req, ocsp_basic)) {
|
|
||||||
+ case -1:
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "No nonce in OCSP response. This might "
|
|
||||||
+ "indicate a replay attack or an OCSP responder which does not "
|
|
||||||
+ "support nonces. Accepting response.\n");
|
|
||||||
+ break;
|
|
||||||
+ case 0:
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Nonce in OCSP response does not match the "
|
|
||||||
+ "one used in the request.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ break;
|
|
||||||
+ case 1:
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "Nonce in OCSP response is the same as the one "
|
|
||||||
+ "used in the request.\n");
|
|
||||||
+ break;
|
|
||||||
+ case 2:
|
|
||||||
+ case 3:
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing nonce in OCSP request, this should"
|
|
||||||
+ "never happen.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected result of OCSP_check_nonce.\n");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ status = OCSP_basic_verify(ocsp_basic, NULL, p11_ctx->x509_store, 0);
|
|
||||||
+ if (status != 1) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP_base_verify failed to verify OCSP "
|
|
||||||
+ "response.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = OCSP_resp_find_status(ocsp_basic, cid, &status, &reason,
|
|
||||||
+ &revtime, &thisupd, &nextupd);
|
|
||||||
+ if (ret != 1) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response does not contain status of "
|
|
||||||
+ "our certificate.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (status != V_OCSP_CERTSTATUS_GOOD) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP check failed with [%d][%s].\n",
|
|
||||||
+ status, OCSP_cert_status_str(status));
|
|
||||||
+ if (status == V_OCSP_CERTSTATUS_REVOKED) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Certificate is revoked [%d][%s].\n",
|
|
||||||
+ reason, OCSP_crl_reason_str(reason));
|
|
||||||
+ }
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (OCSP_check_validity(thisupd, nextupd, grace_time, -1) != 1) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "OCSP response is not valid anymore.\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ DEBUG(SSSDBG_TRACE_ALL, "OCSP check was successful.\n");
|
|
||||||
+ ret = EOK;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ OCSP_BASICRESP_free(ocsp_basic);
|
|
||||||
+ OCSP_RESPONSE_free(ocsp_resp);
|
|
||||||
+ OCSP_REQUEST_free(ocsp_req);
|
|
||||||
+
|
|
||||||
+ OPENSSL_free(host);
|
|
||||||
+ OPENSSL_free(port);
|
|
||||||
+ OPENSSL_free(path);
|
|
||||||
+ X509_email_free(ocsp_urls);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
|
|
||||||
static char *get_pkcs11_uri(TALLOC_CTX *mem_ctx, CK_INFO *module_info,
|
|
||||||
CK_SLOT_INFO *slot_info, CK_SLOT_ID slot_id,
|
|
||||||
@@ -191,6 +528,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
p11_ctx->x509_store = store;
|
|
||||||
+ p11_ctx->cert_verify_opts = cert_verify_opts;
|
|
||||||
talloc_set_destructor(p11_ctx, talloc_free_x509_store);
|
|
||||||
|
|
||||||
ret = EOK;
|
|
||||||
@@ -262,6 +600,14 @@ bool do_verification(struct p11_ctx *p11_ctx, X509 *cert)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (p11_ctx->cert_verify_opts->do_ocsp) {
|
|
||||||
+ ret = do_ocsp(p11_ctx, cert);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "do_ocsp failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
res = true;
|
|
||||||
|
|
||||||
done:
|
|
||||||
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
|
|
||||||
index 1a8699a..c86e526 100644
|
|
||||||
--- a/src/tests/cmocka/test_utils.c
|
|
||||||
+++ b/src/tests/cmocka/test_utils.c
|
|
||||||
@@ -1612,6 +1612,8 @@ static void test_parse_cert_verify_opts(void **state)
|
|
||||||
&cv_opts);
|
|
||||||
assert_int_equal(ret, EINVAL);
|
|
||||||
|
|
||||||
+/* Only NSS requires that both are set */
|
|
||||||
+#ifdef HAVE_NSS
|
|
||||||
ret = parse_cert_verify_opts(global_talloc_context,
|
|
||||||
"ocsp_default_responder=abc", &cv_opts);
|
|
||||||
assert_int_equal(ret, EINVAL);
|
|
||||||
@@ -1620,6 +1622,7 @@ static void test_parse_cert_verify_opts(void **state)
|
|
||||||
"ocsp_default_responder_signing_cert=def",
|
|
||||||
&cv_opts);
|
|
||||||
assert_int_equal(ret, EINVAL);
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
ret = parse_cert_verify_opts(global_talloc_context,
|
|
||||||
"ocsp_default_responder=abc,"
|
|
||||||
diff --git a/src/util/util.c b/src/util/util.c
|
|
||||||
index 53dd9a1..7f475fa 100644
|
|
||||||
--- a/src/util/util.c
|
|
||||||
+++ b/src/util/util.c
|
|
||||||
@@ -1123,6 +1123,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef HAVE_NSS
|
|
||||||
if ((cert_verify_opts->ocsp_default_responder == NULL
|
|
||||||
&& cert_verify_opts->ocsp_default_responder_signing_cert != NULL)
|
|
||||||
|| (cert_verify_opts->ocsp_default_responder != NULL
|
|
||||||
@@ -1135,6 +1136,7 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
|
|
||||||
ret = EINVAL;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
ret = EOK;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
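--- a/PLACEHOLDER_PATH_deleted_patch_75_of_83
+++ /dev/null
@@ -1,279 +0,0 @@
-From 3c096c9ad6dad911d035cfdd802b5dda4710fc68 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 11 Oct 2018 17:35:24 +0200
-Subject: [PATCH 75/83] p11_child: add crl_file option for the OpenSSL build
-
-In the NSS build a Certificate Revocation List (CRL) can just be added
-to the NSS database. For OpenSSL a separate file is needed.
-
-Related to https://pagure.io/SSSD/sssd/issue/3489
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/man/sssd.conf.5.xml | 24 ++++++++++++++++++++++++
-src/p11_child/p11_child_common.c | 12 ++++++------
-src/p11_child/p11_child_openssl.c | 26 +++++++++++++++++++++++++-
-src/tests/cmocka/test_utils.c | 16 ++++++++++++++++
-src/util/util.c | 13 +++++++++++++
-src/util/util.h | 1 +
-6 files changed, 85 insertions(+), 7 deletions(-)
-
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index 5e3ae48..bea25c6 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -503,6 +503,30 @@
-pam_cert_db_path.</para>
-</listitem>
-</varlistentry>
-+ <varlistentry>
-+ <term>crl_file=/PATH/TO/CRL/FILE</term>
-+ <listitem>
-+ <para>(NSS Version) This option is
-+ ignored, please see
-+ <citerefentry>
-+ <refentrytitle>crlutil</refentrytitle>
-+ <manvolnum>1</manvolnum>
-+ </citerefentry>
-+ how to import a Certificate Revocation
-+ List (CRL) into a NSS database.</para>
-+
-+ <para>(OpenSSL Version) Use the
-+ Certificate Revocation List (CRL) from
-+ the given file during the verification
-+ of the certificate. The CRL must be
-+ given in PEM format, see
-+ <citerefentry>
-+ <refentrytitle>crl</refentrytitle>
-+ <manvolnum>1ssl</manvolnum>
-+ </citerefentry>
-+ for details.</para>
-+ </listitem>
-+ </varlistentry>
-</variablelist>
-</para>
-<para condition="with_nss">
-diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
-index 097e7fa..b992aeb 100644
---- a/src/p11_child/p11_child_common.c
-+++ b/src/p11_child/p11_child_common.c
-@@ -48,7 +48,7 @@ static const char *op_mode_str(enum op_mode mode)
-return "pre-auth";
-break;
-case OP_VERIFIY:
-- return "verifiy";
-+ return "verify";
-break;
-default:
-return "unknown";
-@@ -219,7 +219,7 @@ int main(int argc, const char *argv[])
-case 'a':
-if (mode != OP_NONE) {
-fprintf(stderr,
-- "\n--verifiy, --auth and --pre are mutually " \
-+ "\n--verify, --auth and --pre are mutually " \
-"exclusive and should be only used once.\n\n");
-poptPrintUsage(pc, stderr, 0);
-_exit(-1);
-@@ -229,7 +229,7 @@ int main(int argc, const char *argv[])
-case 'p':
-if (mode != OP_NONE) {
-fprintf(stderr,
-- "\n--verifiy, --auth and --pre are mutually " \
-+ "\n--verify, --auth and --pre are mutually " \
-"exclusive and should be only used once.\n\n");
-poptPrintUsage(pc, stderr, 0);
-_exit(-1);
-@@ -239,7 +239,7 @@ int main(int argc, const char *argv[])
-case 'v':
-if (mode != OP_NONE) {
-fprintf(stderr,
-- "\n--verifiy, --auth and --pre are mutually " \
-+ "\n--verify, --auth and --pre are mutually " \
-"exclusive and should be only used once.\n\n");
-poptPrintUsage(pc, stderr, 0);
-_exit(-1);
-@@ -283,7 +283,7 @@ int main(int argc, const char *argv[])
-
-if (mode == OP_NONE) {
-fprintf(stderr, "\nMissing operation mode, either " \
-- "--verifiy, --auth or --pre must be specified.\n\n");
-+ "--verify, --auth or --pre must be specified.\n\n");
-poptPrintUsage(pc, stderr, 0);
-_exit(-1);
-} else if (mode == OP_AUTH && pin_mode == PIN_NONE) {
-@@ -350,7 +350,7 @@ int main(int argc, const char *argv[])
-
-ret = parse_cert_verify_opts(main_ctx, verify_opts, &cert_verify_opts);
-if (ret != EOK) {
-- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verifiy option.\n");
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verify option.\n");
-goto fail;
-}
-
-diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
-index d66a2f8..9defdfc 100644
---- a/src/p11_child/p11_child_openssl.c
-+++ b/src/p11_child/p11_child_openssl.c
-@@ -501,6 +501,7 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
-X509_STORE *store = NULL;
-unsigned long err;
-X509_LOOKUP *lookup = NULL;
-+ X509_VERIFY_PARAM *verify_param = NULL;
-
-store = X509_STORE_new();
-if (store == NULL) {
-@@ -527,6 +528,30 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
-goto done;
-}
-
-+ if (cert_verify_opts->crl_file != NULL) {
-+ verify_param = X509_VERIFY_PARAM_new();
-+ if (verify_param == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "X509_VERIFY_PARAM_new failed.\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ X509_VERIFY_PARAM_set_flags(verify_param, (X509_V_FLAG_CRL_CHECK
-+ | X509_V_FLAG_CRL_CHECK_ALL));
-+
-+ X509_STORE_set1_param(store, verify_param);
-+
-+ ret = X509_load_crl_file(lookup, cert_verify_opts->crl_file,
-+ X509_FILETYPE_PEM);
-+ if (ret == 0) {
-+ err = ERR_get_error();
-+ DEBUG(SSSDBG_OP_FAILURE, "X509_load_crl_file failed [%lu][%s].\n",
-+ err, ERR_error_string(err, NULL));
-+ ret = EIO;
-+ goto done;
-+ }
-+ }
-+
-p11_ctx->x509_store = store;
-p11_ctx->cert_verify_opts = cert_verify_opts;
-talloc_set_destructor(p11_ctx, talloc_free_x509_store);
-@@ -536,7 +561,6 @@ errno_t init_verification(struct p11_ctx *p11_ctx,
-done:
-if (ret != EOK) {
-X509_STORE_free(store);
-- X509_LOOKUP_free(lookup);
-}
-
-return ret;
-diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
-index c86e526..cf1c2ae 100644
---- a/src/tests/cmocka/test_utils.c
-+++ b/src/tests/cmocka/test_utils.c
-@@ -1567,6 +1567,7 @@ static void test_parse_cert_verify_opts(void **state)
-assert_true(cv_opts->do_ocsp);
-assert_null(cv_opts->ocsp_default_responder);
-assert_null(cv_opts->ocsp_default_responder_signing_cert);
-+ assert_null(cv_opts->crl_file);
-talloc_free(cv_opts);
-
-ret = parse_cert_verify_opts(global_talloc_context, "wedfkwefjk", &cv_opts);
-@@ -1575,6 +1576,7 @@ static void test_parse_cert_verify_opts(void **state)
-assert_true(cv_opts->do_ocsp);
-assert_null(cv_opts->ocsp_default_responder);
-assert_null(cv_opts->ocsp_default_responder_signing_cert);
-+ assert_null(cv_opts->crl_file);
-talloc_free(cv_opts);
-
-ret = parse_cert_verify_opts(global_talloc_context, "no_ocsp", &cv_opts);
-@@ -1583,6 +1585,7 @@ static void test_parse_cert_verify_opts(void **state)
-assert_false(cv_opts->do_ocsp);
-assert_null(cv_opts->ocsp_default_responder);
-assert_null(cv_opts->ocsp_default_responder_signing_cert);
-+ assert_null(cv_opts->crl_file);
-talloc_free(cv_opts);
-
-ret = parse_cert_verify_opts(global_talloc_context, "no_verification",
-@@ -1592,6 +1595,7 @@ static void test_parse_cert_verify_opts(void **state)
-assert_true(cv_opts->do_ocsp);
-assert_null(cv_opts->ocsp_default_responder);
-assert_null(cv_opts->ocsp_default_responder_signing_cert);
-+ assert_null(cv_opts->crl_file);
-talloc_free(cv_opts);
-
-ret = parse_cert_verify_opts(global_talloc_context,
-@@ -1601,6 +1605,7 @@ static void test_parse_cert_verify_opts(void **state)
-assert_false(cv_opts->do_ocsp);
-assert_null(cv_opts->ocsp_default_responder);
-assert_null(cv_opts->ocsp_default_responder_signing_cert);
-+ assert_null(cv_opts->crl_file);
-talloc_free(cv_opts);
-
-ret = parse_cert_verify_opts(global_talloc_context,
-@@ -1633,6 +1638,17 @@ static void test_parse_cert_verify_opts(void **state)
-assert_true(cv_opts->do_ocsp);
-assert_string_equal(cv_opts->ocsp_default_responder, "abc");
-assert_string_equal(cv_opts->ocsp_default_responder_signing_cert, "def");
-+ assert_null(cv_opts->crl_file);
-+ talloc_free(cv_opts);
-+
-+ ret = parse_cert_verify_opts(global_talloc_context, "crl_file=hij",
-+ &cv_opts);
-+ assert_int_equal(ret, EOK);
-+ assert_true(cv_opts->do_verification);
-+ assert_true(cv_opts->do_ocsp);
-+ assert_null(cv_opts->ocsp_default_responder);
-+ assert_null(cv_opts->ocsp_default_responder_signing_cert);
-+ assert_string_equal(cv_opts->crl_file, "hij");
-talloc_free(cv_opts);
-}
-
-diff --git a/src/util/util.c b/src/util/util.c
-index 7f475fa..cbe6a28 100644
---- a/src/util/util.c
-+++ b/src/util/util.c
-@@ -1024,6 +1024,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
-cert_verify_opts->do_verification = true;
-cert_verify_opts->ocsp_default_responder = NULL;
-cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
-+ cert_verify_opts->crl_file = NULL;
-
-return cert_verify_opts;
-}
-@@ -1035,6 +1036,8 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
-"ocsp_default_responder_signing_cert="
-#define OCSP_DEFAUL_RESPONDER_SIGNING_CERT_LEN \
-(sizeof(OCSP_DEFAUL_RESPONDER_SIGNING_CERT) - 1)
-+#define CRL_FILE "crl_file="
-+#define CRL_FILE_LEN (sizeof(CRL_FILE) -1)
-
-errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
-struct cert_verify_opts **_cert_verify_opts)
-@@ -1116,6 +1119,16 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
-DEBUG(SSSDBG_TRACE_ALL,
-"Using OCSP default responder signing cert nickname [%s]\n",
-cert_verify_opts->ocsp_default_responder_signing_cert);
-+ } else if (strncasecmp(opts[c], CRL_FILE, CRL_FILE_LEN) == 0) {
-+ cert_verify_opts->crl_file = talloc_strdup(cert_verify_opts,
-+ &opts[c][CRL_FILE_LEN]);
-+ if (cert_verify_opts->crl_file == NULL
-+ || *cert_verify_opts->crl_file == '\0') {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to parse crl_file option [%s].\n", opts[c]);
-+ ret = EINVAL;
-+ goto done;
-+ }
-} else {
-DEBUG(SSSDBG_CRIT_FAILURE,
-"Unsupported certificate verification option [%s], " \
-diff --git a/src/util/util.h b/src/util/util.h
-index e3e9100..7e9b3d6 100644
---- a/src/util/util.h
-+++ b/src/util/util.h
-@@ -371,6 +371,7 @@ struct cert_verify_opts {
-bool do_verification;
-char *ocsp_default_responder;
-char *ocsp_default_responder_signing_cert;
-+ char *crl_file;
-};
-
-errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
---
-2.9.5
-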
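--- a/PLACEHOLDER_PATH_deleted_patch_76_of_83
+++ /dev/null
@@ -1,37 +0,0 @@
-From 7794caec36e7142423491d90aaade7e49b9df1c1 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Fri, 12 Oct 2018 09:32:11 +0200
-Subject: [PATCH 76/83] p11: Fix two instances of -Wmaybe-uninitialized in
-p11_child_openssl.c
-
-If uri_str was passed to the p11_child and parsing the URI failed, then
-modules would be uninitialized, but freed in the done handler with
-p11_kit_modules_finalize_and_release()
-
-Also, another warning is suppressed by setting the 's' variable to zero.
-While it cannot happen that the variable will be uninitialized, we
-should help the compiler by setting a value explicitly.
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
-src/p11_child/p11_child_openssl.c | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
-index 9defdfc..adfe272 100644
---- a/src/p11_child/p11_child_openssl.c
-+++ b/src/p11_child/p11_child_openssl.c
-@@ -1036,8 +1036,8 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx,
-{
-int ret;
-size_t c;
-- size_t s;
-- CK_FUNCTION_LIST **modules;
-+ size_t s = 0;
-+ CK_FUNCTION_LIST **modules = NULL;
-CK_FUNCTION_LIST *module = NULL;
-char *mod_name;
-char *mod_file_name;
---
-2.9.5
-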
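--- a/PLACEHOLDER_PATH_deleted_patch_77_of_83
+++ /dev/null
@@ -1,31 +0,0 @@
-From 250e82252b53991e2902b292cfa6029ab28a10fb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Mon, 15 Oct 2018 12:46:35 +0200
-Subject: [PATCH 77/83] sudo: use correct sbus interface
-
-Internal dbus interfaces were renamed to shorter names in sbus2.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3854
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/responder/sudo/sudosrv_dp.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/sudo/sudosrv_dp.c b/src/responder/sudo/sudosrv_dp.c
-index 2c6b26e..78dd296 100644
---- a/src/responder/sudo/sudosrv_dp.c
-+++ b/src/responder/sudo/sudosrv_dp.c
-@@ -66,7 +66,7 @@ sss_dp_get_sudoers_msg(TALLOC_CTX *mem_ctx,
-
-msg = dbus_message_new_method_call(bus_name,
-SSS_BUS_PATH,
-- "org.freedesktop.sssd.dataprovider",
-+ "sssd.dataprovider",
-"sudoHandler");
-if (msg == NULL) {
-DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
---
-2.9.5
-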
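--- a/PLACEHOLDER_PATH_deleted_patch_78_of_83
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8fbaf224193b9ca8b82a290bd52265c2f9b40315 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Mon, 15 Oct 2018 13:01:34 +0200
-Subject: [PATCH 78/83] sudo: fix error handling in sudosrv_refresh_rules_done
-
-If sbus returns non-zero code then the output variables are not set and
-therefore we access uninitialized memory.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3854
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/responder/sudo/sudosrv_get_sudorules.c | 7 ++++++-
-1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
-index 14bd824..76faef0 100644
---- a/src/responder/sudo/sudosrv_get_sudorules.c
-+++ b/src/responder/sudo/sudosrv_get_sudorules.c
-@@ -576,10 +576,15 @@ static void sudosrv_refresh_rules_done(struct tevent_req *subreq)
-ret = sss_dp_get_sudoers_recv(state, subreq, &err_maj, &err_min, &err_msg);
-talloc_zfree(subreq);
-if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to refresh rules [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ } else if (err_maj != 0 || err_min != 0) {
-DEBUG(SSSDBG_CRIT_FAILURE,
-"Unable to get information from Data Provider, "
-"Error: %u, %u, %s\n",
-- (unsigned int)err_maj, (unsigned int)err_min, err_msg);
-+ (unsigned int)err_maj, (unsigned int)err_min,
-+ (err_msg == NULL ? "(null)" : err_msg));
-goto done;
-}
-
---
-2.9.5
-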
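--- a/PLACEHOLDER_PATH_deleted_patch_79_of_83
+++ /dev/null
@@ -1,64 +0,0 @@
-From c74b430ba95d99b245b6347328024e4b4815b35e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Mon, 15 Oct 2018 12:48:41 +0200
-Subject: [PATCH 79/83] sbus: remove leftovers from previous implementation
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
-src/providers/data_provider/dp_iface.h | 8 +--
-src/providers/data_provider_be.c | 2 +-
-5 files changed, 5 insertions(+), 26 deletions(-)
-
-diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
-index 0b0855d..d1382cd 100644
---- a/src/providers/data_provider/dp_iface.h
-+++ b/src/providers/data_provider/dp_iface.h
-@@ -141,21 +141,21 @@ dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
-uint32_t *_error,
-const char **_err_msg);
-
--/* org.freedesktop.sssd.DataProvider.Client */
-+/* sssd.DataProvider.Client */
-errno_t
-dp_client_register(TALLOC_CTX *mem_ctx,
-struct sbus_request *sbus_req,
-struct data_provider *provider,
-const char *name);
-
--/* org.freedesktop.sssd.DataProvider.Backend */
-+/* sssd.DataProvider.Backend */
-errno_t dp_backend_is_online(TALLOC_CTX *mem_ctx,
-struct sbus_request *sbus_req,
-struct be_ctx *be_ctx,
-const char *domname,
-bool *_is_online);
-
--/* org.freedesktop.sssd.DataProvider.Failover */
-+/* sssd.DataProvider.Failover */
-errno_t
-dp_failover_list_services(TALLOC_CTX *mem_ctx,
-struct sbus_request *sbus_req,
-@@ -177,7 +177,7 @@ dp_failover_list_servers(TALLOC_CTX *mem_ctx,
-const char *service_name,
-const char ***_servers);
-
--/* org.freedesktop.sssd.DataProvider.AccessControl */
-+/* sssd.DataProvider.AccessControl */
-struct tevent_req *
-dp_access_control_refresh_rules_send(TALLOC_CTX *mem_ctx,
-struct tevent_context *ev,
-diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
-index 6d2477e..7043e7a 100644
---- a/src/providers/data_provider_be.c
-+++ b/src/providers/data_provider_be.c
-@@ -48,7 +48,7 @@
-#include "resolv/async_resolv.h"
-#include "sss_iface/sss_iface_async.h"
-
--/* org.freedesktop.sssd.service */
-+/* sssd.service */
-static errno_t
-data_provider_res_init(TALLOC_CTX *mem_ctx,
-struct sbus_request *sbus_req,
-2.9.5
-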
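--- a/PLACEHOLDER_PATH_deleted_patch_80_of_83
+++ /dev/null
@@ -1,44 +0,0 @@
-From 05ba237af582c1ca3780e5fe06ab3320494efe52 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Sat, 13 Oct 2018 16:22:13 +0000
-Subject: [PATCH 80/83] CONFIGURE: Add minimal required version for p11-kit
-
-There are few functions which were added in upstream p11-kit 0.23.3.
-And there are compilation failures with older versions.
-
-src/p11_child/p11_child_openssl.c: In function 'get_pkcs11_uri':
-src/p11_child/p11_child_openssl.c:87:12: error: implicit declaration of function 'p11_kit_uri_get_slot_info' [-Werror=implicit-function-declaration]
-memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
-^
-
-src/p11_child/p11_child_openssl.c:88:5: error: implicit declaration of function 'p11_kit_uri_set_slot_id' [-Werror=implicit-function-declaration]
-p11_kit_uri_set_slot_id(uri, slot_id);
-^
-
-src/p11_child/p11_child_openssl.c: In function 'do_card':
-src/p11_child/p11_child_openssl.c:767:35: error: implicit declaration of function 'p11_kit_uri_get_slot_id' [-Werror=implicit-function-declaration]
-uri_slot_id = p11_kit_uri_get_slot_id(uri);
-^
-src/p11_child/p11_child_openssl.c:770:32: error: implicit declaration of function 'p11_kit_uri_match_slot_info' [-Werror=implicit-function-declaration]
-|| p11_kit_uri_match_slot_info(uri, &info) != 1) {
-^
-Merges: https://pagure.io/SSSD/sssd/pull-request/3852
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
-src/external/p11-kit.m4 | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/external/p11-kit.m4 b/src/external/p11-kit.m4
-index a959f43..eb0474f 100644
---- a/src/external/p11-kit.m4
-+++ b/src/external/p11-kit.m4
-@@ -1,4 +1,4 @@
-AC_SUBST(P11_KIT_CFLAGS)
-AC_SUBST(P11_KIT_LIBS)
-
--PKG_CHECK_MODULES([P11_KIT], [p11-kit-1])
-+PKG_CHECK_MODULES([P11_KIT], [p11-kit-1 >= 0.23.3])
---
-2.9.5
-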
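--- a/PLACEHOLDER_PATH_deleted_patch_81_of_83
+++ /dev/null
@@ -1,46 +0,0 @@
-From d143319bce8fc778df93fe7cd7ef4d03b7a3fc92 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Sat, 13 Oct 2018 16:24:56 +0000
-Subject: [PATCH 81/83] SBUS: Silence warning maybe-uninitialized
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It should not happen because function sbus_interface_find_property
-should return NULL for access different than SBUS_PROPERTY_READABLE
-or SBUS_PROPERTY_WRITABLE. And thus we would return ERR_SBUS_UNKNOWN_PROPERTY
-from the function sbus_request_property.
-
-src/sbus/interface/sbus_properties.c: In function 'sbus_request_property.isra.0':
-src/sbus/interface/sbus_properties.c:360:14:
-error: 'type' may be used uninitialized in this function
-[-Werror=maybe-uninitialized]
-sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
-~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-interface_name, property_name, path);
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-cc1: all warnings being treated as errors
-
-Merges: https://pagure.io/SSSD/sssd/pull-request/3851
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
-src/sbus/interface/sbus_properties.c | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/src/sbus/interface/sbus_properties.c b/src/sbus/interface/sbus_properties.c
-index bd15807..906e6db 100644
---- a/src/sbus/interface/sbus_properties.c
-+++ b/src/sbus/interface/sbus_properties.c
-@@ -355,6 +355,8 @@ sbus_request_property(TALLOC_CTX *mem_ctx,
-case SBUS_PROPERTY_WRITABLE:
-type = SBUS_REQUEST_PROPERTY_SET;
-break;
-+ default:
-+ return EINVAL;
-}
-
-sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
---
-2.9.5
-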
@ -1,136 +0,0 @@
|
|||||||
From 46c483c09b85cecf8d1cc72618da993d8948c894 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Mon, 15 Oct 2018 20:05:09 +0200
|
|
||||||
Subject: [PATCH 82/83] files: add session recording flag
|
|
||||||
|
|
||||||
If session recording is configured for a group the NSS ans PAM
|
|
||||||
responder rely on a attribute in the cache set by the backend to
|
|
||||||
determine is session recording is configured for the user or not. This
|
|
||||||
flag is typically set during the initgroups request.
|
|
||||||
|
|
||||||
Since the files provider does not have a dedicated initgroups request
|
|
||||||
the attribute must be set otherwise. This patch sets is for all users
|
|
||||||
after the files are reloaded.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/3855
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/data_provider/dp_iface.h | 3 ++
|
|
||||||
src/providers/data_provider/dp_target_id.c | 62 ++++++++++++++++++++++++++++++
|
|
||||||
src/providers/files/files_ops.c | 7 ++++
|
|
||||||
3 files changed, 72 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
|
|
||||||
index d1382cd..8635ae0 100644
|
|
||||||
--- a/src/providers/data_provider/dp_iface.h
|
|
||||||
+++ b/src/providers/data_provider/dp_iface.h
|
|
||||||
@@ -188,4 +188,7 @@ errno_t
|
|
||||||
dp_access_control_refresh_rules_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
struct tevent_req *req);
|
|
||||||
|
|
||||||
+
|
|
||||||
+errno_t
|
|
||||||
+dp_add_sr_attribute(struct be_ctx *be_ctx);
|
|
||||||
#endif /* DP_IFACE_H_ */
|
|
||||||
diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
|
|
||||||
index 265788b..748d886 100644
|
|
||||||
--- a/src/providers/data_provider/dp_target_id.c
|
|
||||||
+++ b/src/providers/data_provider/dp_target_id.c
|
|
||||||
@@ -328,6 +328,68 @@ done:
|
|
||||||
talloc_free(tmp_ctx);
|
|
||||||
}
|
|
||||||
|
|
||||||
+errno_t dp_add_sr_attribute(struct be_ctx *be_ctx)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+ struct dp_initgr_ctx *dp_initgr_ctx = NULL;
|
|
||||||
+ TALLOC_CTX *tmp_ctx = NULL;
|
|
||||||
+ struct dp_id_data *data;
|
|
||||||
+ size_t msgs_count;
|
|
||||||
+ struct ldb_message **msgs = NULL;
|
|
||||||
+ const char *attrs[] = {SYSDB_NAME, NULL};
|
|
||||||
+ size_t c;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(NULL);
|
|
||||||
+ if (tmp_ctx == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_search_users(tmp_ctx, be_ctx->domain, "("SYSDB_NAME "=*)", attrs,
|
|
||||||
+ &msgs_count, &msgs);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_users failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ data = talloc_zero(tmp_ctx, struct dp_id_data);
|
|
||||||
+ if (data == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ data->entry_type = BE_REQ_INITGROUPS;
|
|
||||||
+ data->filter_type = BE_FILTER_NAME;
|
|
||||||
+ data->filter_value = NULL;
|
|
||||||
+ data->extra_value = NULL;
|
|
||||||
+ data->domain = be_ctx->domain->name;
|
|
||||||
+
|
|
||||||
+ for (c = 0; c < msgs_count; c++) {
|
|
||||||
+ data->filter_value = ldb_msg_find_attr_as_string(msgs[c], SYSDB_NAME,
|
|
||||||
+ NULL);
|
|
||||||
+ if (data->filter_value == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Cache object [%s] does not have a name, skipping.\n",
|
|
||||||
+ ldb_dn_get_linearized(msgs[c]->dn));
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ talloc_free(dp_initgr_ctx);
|
|
||||||
+ ret = dp_create_initgroups_ctx(tmp_ctx, be_ctx, data, &dp_initgr_ctx);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "dp_create_initgroups_ctx failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ dp_req_initgr_pp_sr_overlay(be_ctx->provider, dp_initgr_ctx);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain,
|
|
||||||
const char *name)
|
|
||||||
{
|
|
||||||
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
|
|
||||||
index f5a4029..74f77b5 100644
|
|
||||||
--- a/src/providers/files/files_ops.c
|
|
||||||
+++ b/src/providers/files/files_ops.c
|
|
||||||
@@ -26,6 +26,7 @@
|
|
||||||
#include "db/sysdb.h"
|
|
||||||
#include "util/inotify.h"
|
|
||||||
#include "util/util.h"
|
|
||||||
+#include "providers/data_provider/dp_iface.h"
|
|
||||||
|
|
||||||
/* When changing this constant, make sure to also adjust the files integration
|
|
||||||
* test for reallocation branch
|
|
||||||
@@ -771,6 +772,12 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = dp_add_sr_attribute(id_ctx->be);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Failed to add session recording attribute, ignored.\n");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
|
||||||
if (ret != EOK) {
|
|
||||||
goto done;
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|
@ -1,43 +0,0 @@
|
|||||||
From fc29c3eb9750c5e7def4e1ab6eb18f4f5024f567 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Tue, 16 Oct 2018 10:42:43 +0200
|
|
||||||
Subject: [PATCH 83/83] UTIL: Suppress Coverity warning
|
|
||||||
|
|
||||||
We recently added this code:
|
|
||||||
if (domain_name != NULL
|
|
||||||
&& is_files_provider(find_domain_by_name(dom,
|
|
||||||
domain_name,
|
|
||||||
false)))
|
|
||||||
|
|
||||||
find_domain_by_name returns NULL if the domain_name can't be found. This
|
|
||||||
of course makes mostly sense for trusted domains that can appear and
|
|
||||||
disappear. And is_files_provider() didn't handle the situation where the
|
|
||||||
domain pointer was NULL and would directly dereference it.
|
|
||||||
|
|
||||||
This commit just adds a NULL check for the domain pointer so that
|
|
||||||
is_files_provider() returns 'false' if the domain pointer was NULL.
|
|
||||||
|
|
||||||
Another alternative might be to check the return value of
|
|
||||||
find_domain_by_name(), but I don't think it's worth the trouble.
|
|
||||||
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/util/domain_info_utils.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
|
|
||||||
index 8bef6c9..ffb8cdf 100644
|
|
||||||
--- a/src/util/domain_info_utils.c
|
|
||||||
+++ b/src/util/domain_info_utils.c
|
|
||||||
@@ -931,6 +931,7 @@ bool sss_domain_info_get_output_fqnames(struct sss_domain_info *domain)
|
|
||||||
|
|
||||||
bool is_files_provider(struct sss_domain_info *domain)
|
|
||||||
{
|
|
||||||
- return domain->provider != NULL &&
|
|
||||||
+ return domain != NULL &&
|
|
||||||
+ domain->provider != NULL &&
|
|
||||||
strcasecmp(domain->provider, "files") == 0;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.9.5
|
|
||||||
|
|