path: root/src/tests
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* Fix simple access group control in case-insensitive domains (tag 1.9.2-88)
  Jakub Hrozek, 2013-04-15, 1 file changed, -2/+2
  https://fedorahosted.org/sssd/ticket/1880
  In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case.
* Resolve GIDs in the simple access provider
  Jakub Hrozek, 2013-04-15, 1 file changed, -100/+261
  Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function.
  Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
* Add unit tests for simple access test by groups
  Jakub Hrozek, 2013-04-15, 1 file changed, -32/+253
  I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too.
* TOOLS: Use file descriptor to avoid races when creating a home directory
  Jakub Hrozek, 2013-01-23, 1 file changed, -3/+3
  When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links.
  This security problem was assigned CVE-2013-0219
  https://fedorahosted.org/sssd/ticket/1782
* Refactor gid handling in the PAC responder
  Sumit Bose, 2013-01-08, 1 file changed, -21/+36
  Instead of using a single array of gid-domain_pointer pairs, Simo suggested to use a gid array for each domain and store it with a pointer to the domain.
* Add tests for get_gids_from_pac()
  Sumit Bose, 2013-01-08, 1 file changed, -0/+256
* Add find_domain_by_id()
  Sumit Bose, 2013-01-08, 1 file changed, -0/+49
  Currently domains can only be searched by name in the global domain list. To make it easier to find the domain for a given SID, find_domain_by_id() is added, which returns a pointer to the domain or subdomain entry in the global domain list if a matching id was found.
* Use struct pac_grp instead of gid_t for groups from PAC
  Sumit Bose, 2013-01-08, 1 file changed, -8/+11
  To be able to handle group memberships from other domains, more data than just the gid must be kept for groups given in the PAC.
* MEMBEROF: Keep inherited ghost users around on modify operation (tag 1.9.2-34)
  Jakub Hrozek, 2012-12-06, 1 file changed, -0/+248
  https://fedorahosted.org/sssd/ticket/1652
  It is possible to simply reset the list of ghost users to a different one during a modify operation. It is also actually how we update entries that are expired in the SSSD cache. In this case, we must be careful and retain the ghost users that are not native to the group we are processing but are rather inherited from child groups. The intention of the replace operation after all is to set the list of direct members of that group, not direct and indirect.
* MEMBEROF: Implement the modify operation for ghost users
  Jakub Hrozek, 2012-12-06, 1 file changed, -0/+480
  Similar to the add and delete operation, we also need to propagate the changes of the ghost user attribute to the parent groups so that if a nested group updates memberships, its parents also get the membership updated.
* MEMBEROF: Implement delete operation for ghost users
  Jakub Hrozek, 2012-12-06, 1 file changed, -1/+106
  https://fedorahosted.org/sssd/ticket/1668
  The memberof plugin only expanded the ghost users attribute to parents when adding a nested group, but didn't implement the reverse operation. This bug resulted in users being reported as group members even after the direct parent went away as the expanded ghost attributes were never removed from the parent entry.
  When a ghost entry is removed from a group, all its parent groups are expired from the cache by setting the expire timestamp to 1. Doing so would force the SSSD to re-read the group next time it is requested in order to make sure its members are really up-to-date.
* TESTS: Test ghost users in the RFC2307 schema
  Jakub Hrozek, 2012-12-06, 1 file changed, -0/+248
* MEMBEROF: Do not add the ghost attribute to self
  Jakub Hrozek, 2012-12-06, 1 file changed, -2/+86
  When a nested group with ghost users is added, its ghost attribute should propagate within the nested group structure much like the memberuid attribute. Unlike the memberuid attribute, the ghost attribute is only semi-managed by the memberof plugin and added manually to the original entry.
  This bug caused LDB errors saying that attribute or value already exists when a group with a ghost user was added to the hierarchy as groups were updated with an attribute they already had.
* LDAP: Only convert direct parents' ghost attribute to member
  Jakub Hrozek, 2012-11-21, 1 file changed, -6/+7
  https://fedorahosted.org/sssd/ticket/1612
  This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents.
  As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
* Fix compare_principal_realm() check
  Sumit Bose, 2012-11-20, 1 file changed, -0/+6
  In case of a short UPN, compare_principal_realm() erroneously returns an error.
* Add string_in_list() and add_string_to_list() with tests
  Sumit Bose, 2012-11-14, 1 file changed, -0/+83
  string_in_list() and add_string_to_list() are two utilities for NULL-terminated string arrays. add_string_to_list() adds a new string to an existing list or creates a new one with the string as the only item if there is no list. string_in_list() checks if a given string is in the list. It can be used case-sensitive or case-insensitive.
* Add diff_gid_lists() with test
  Sumit Bose, 2012-11-12, 1 file changed, -2/+107
  This patch adds a new call which compares a list of current GIDs with a list of new GIDs and returns a list of GIDs which are currently missing and must be added and another list of GIDs which are not used anymore and must be deleted. The method is the same as used by diff_string_lists().
* Use find_or_guess_upn() where needed
  Sumit Bose, 2012-11-05, 2 files changed, -2/+3
* krb5_auth: check if principal belongs to a different realm
  Sumit Bose, 2012-11-05, 1 file changed, -0/+45
  Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
* SSH: Refactor sysdb and related code
  Jan Cholasta, 2012-10-05, 1 file changed, -36/+11
* SYSDB: Remove unnecessary domain parameter from several sysdb calls
  Jakub Hrozek, 2012-09-24, 1 file changed, -8/+7
  The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
* AUTOFS: Use both key and value in entry RDN
  Jakub Hrozek, 2012-09-24, 1 file changed, -1/+1
  This patch switches from using just key in the RDN to using both key and value. That is necessary to allow multiple direct mounts in a single map.
* AUTOFS: Add entry objects below map objects
  Jakub Hrozek, 2012-09-24, 1 file changed, -31/+17
  https://fedorahosted.org/sssd/ticket/1506
  Changes how the new autofs entry objects are handled. Instead of creating the entry on the cn=autofs,cn=custom level, the entry is created below the map it belongs to.
* AUTOFS: Add sysdb tests
  Jakub Hrozek, 2012-09-24, 1 file changed, -0/+249
* SYSDB: NULL-terminate the output of sysdb_get_{ranges,subdomains}
  Jakub Hrozek, 2012-09-10, 1 file changed, -2/+2
* SYSDB: Abort unit test if sysdb_getpwnam fails
  Jakub Hrozek, 2012-09-05, 1 file changed, -0/+3
* Add python bindings for murmurhash3
  Sumit Bose, 2012-08-15, 1 file changed, -0/+100
* Duplicate detection in fail over did not work.
  Michal Zidek, 2012-08-15, 1 file changed, -5/+5
  https://fedorahosted.org/sssd/ticket/1472
* Change refreshing of subdomains
  Simo Sorce, 2012-08-01, 1 file changed, -16/+20
  This patch keeps a local copy of the subdomains in the ipa subdomains plugin context. This has 2 advantages:
  1. allows us to check if anything changed w/o always hitting the sysdb.
  2. later will allow us to dump this information w/o having to retrieve it again.
  The timestamp also allows us to avoid refreshing too often.
* Add realm parameter to subdomain list
  Simo Sorce, 2012-08-01, 1 file changed, -3/+3
  This will be used later for setting domain_realm mappings in krb5.conf
* tests: Remove useless consts
  Simo Sorce, 2012-08-01, 1 file changed, -27/+15
  Declaring a bunch of structures as const and then wrapping all uses in discard_const_p() is a bit silly. Remove all these useless decorations.
* Change subdomain_info
  Simo Sorce, 2012-08-01, 1 file changed, -16/+22
  Rename the structure to use a standard name prefix so it is properly name-spaced, in preparation for changing the structure itself.
* Added unit test for sysdb_ssh.c
  Michal Zidek, 2012-08-01, 1 file changed, -0/+447
* Primary server support: basic support in failover code
  Jan Zeleny, 2012-08-01, 1 file changed, -6/+7
  Now there are two lists of servers for each service. If the currently selected server is only a backup, then an event will be scheduled which tries to get a connection to one of the primary servers and if it succeeds, it starts using this server instead of the one which is currently connected to.
* tests: allow changing cwd in all tests
  Pavel Březina, 2012-07-27, 3 files changed, -0/+9
* Fixed: Uninitialized value in krb5_child-test if ccname was specified.
  Michal Zidek, 2012-07-18, 1 file changed, -1/+1
  https://fedorahosted.org/sssd/ticket/1411
* Fixed: Unchecked return value from dp_opt_set_int.
  Michal Zidek, 2012-07-18, 1 file changed, -1/+5
* Cast uid_t to unsigned long long in DEBUG messages
  Jakub Hrozek, 2012-07-10, 2 files changed, -5/+6
* pac responder: limit access by checking UIDs
  Sumit Bose, 2012-07-10, 1 file changed, -0/+178
  A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied.
  Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder.
  Fixes: https://fedorahosted.org/sssd/ticket/1382
* Add missing return value check
  Stephen Gallagher, 2012-07-09, 1 file changed, -1/+1
  Coverity #12782
* Avoid NULL-dereference in error-handling
  Stephen Gallagher, 2012-07-09, 1 file changed, -1/+3
  Coverity #12783
* Fix uninitialized value return
  Stephen Gallagher, 2012-07-09, 1 file changed, -1/+1
  Coverity #12786
* Fix incorrect return value in tests
  Stephen Gallagher, 2012-07-09, 1 file changed, -0/+2
  Coverity #12798
* heimdal: fix compile error in krb5-child-test
  Rambaldi, 2012-07-09, 1 file changed, -0/+4
* AD: Add AD identity provider
  Stephen Gallagher, 2012-07-06, 1 file changed, -0/+109
  This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.
* TESTS: Print messages when LDAP options do not match
  Stephen Gallagher, 2012-06-29, 1 file changed, -2/+10
* libcrypto fully implemented
  George McCollister, 2012-06-26, 1 file changed, -6/+40
  Implemented working versions of the following functions for libcrypto:
    sss_base64_encode
    sss_base64_decode
    sss_hmac_sha1
    sss_password_encrypt
    sss_password_decrypt
  test_encrypt_decrypt now expects EOK from libcrypto.
  test_hmac_sha1 now expects EOK from libcrypto.
  Added test_base64_encode to test base64 encoding implementation.
  Added test_base64_decode to test base64 decoding implementation.
  Signed-off-by: George McCollister <George.McCollister@gmail.com>
* PAC responder: test suite
  Jan Zeleny, 2012-06-21, 1 file changed, -0/+106
* KRB5: Auto-detect DIR cache support in configure
  Stephen Gallagher, 2012-06-15, 2 files changed, -0/+7
  We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.
* Use Kerberos context in KRB5_DEBUG
  Jakub Hrozek, 2012-06-14, 1 file changed, -10/+4
  Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.