sssd.git/src/responder/common/cache_req/plugins, branch sudo Unnamed repository; edit this file 'description' to name the repository. cache_req: Do not use default_domain_suffix with netgroups 2017-06-08T15:30:31+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-06-08T10:32:44+00:00 c83e265bbb5b2f2aa4f0067263753c8403c383f9 Resolves: https://pagure.io/SSSD/sssd/issue/3428 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Resolves:
https://pagure.io/SSSD/sssd/issue/3428

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
BUILD: Fix build without ssh 2017-05-25T11:49:26+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-05-23T12:41:11+00:00 d82ffa52dd4c3bb11115b1687edc189284797329 cache_req_host_by_name_lookup should be used only by ssh responder. But we cannot rely on this fact and therefore we should return ERR_INTERNAL instead of EOK to catch mis-usage of the cache_req plugin autoreconf -if ./configure --without-ssh make check CCLD sssd_nss src/responder/common/cache_req/plugins/cache_req_host_by_name.o: In function `cache_req_host_by_name_lookup': src/responder/common/cache_req/plugins/cache_req_host_by_name.c:48: undefined reference to `sysdb_get_ssh_host' collect2: error: ld returned 1 exit status make: *** [Makefile:14285: sssd_nss] Error 1 src/tests/cmocka/test_utils-test_sss_ssh.o: In function `test_textual_public_key': src/tests/cmocka/test_sss_ssh.c:78: undefined reference to `sss_ssh_format_pubkey' src/tests/cmocka/test_sss_ssh.c:82: undefined reference to `sss_ssh_format_pubkey' src/tests/cmocka/test_sss_ssh.c:86: undefined reference to `sss_ssh_format_pubkey' src/tests/cmocka/test_sss_ssh.c:89: undefined reference to `sss_ssh_format_pubkey' src/tests/cmocka/test_sss_ssh.c:92: undefined reference to `sss_ssh_format_pubkey' src/tests/cmocka/test_utils-test_sss_ssh.o:src/tests/cmocka/test_sss_ssh.c:95: more undefined references to `sss_ssh_format_pubkey' follow collect2: error: ld returned 1 exit status Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
cache_req_host_by_name_lookup should be used only by ssh responder.
But we cannot rely on this fact and therefore we should return
ERR_INTERNAL instead of EOK to catch mis-usage of the cache_req
plugin

autoreconf -if
./configure --without-ssh
make check

  CCLD     sssd_nss
src/responder/common/cache_req/plugins/cache_req_host_by_name.o:
    In function `cache_req_host_by_name_lookup':
src/responder/common/cache_req/plugins/cache_req_host_by_name.c:48:
     undefined reference to `sysdb_get_ssh_host'
collect2: error: ld returned 1 exit status
make: *** [Makefile:14285: sssd_nss] Error 1

src/tests/cmocka/test_utils-test_sss_ssh.o: In function `test_textual_public_key':
src/tests/cmocka/test_sss_ssh.c:78: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:82: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:86: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:89: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_sss_ssh.c:92: undefined reference to `sss_ssh_format_pubkey'
src/tests/cmocka/test_utils-test_sss_ssh.o:src/tests/cmocka/test_sss_ssh.c:95:
    more undefined references to `sss_ssh_format_pubkey' follow
collect2: error: ld returned 1 exit status

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
cache_req: use the right negative cache for initgroups by upn 2017-05-23T09:29:55+00:00 Sumit Bose sbose@redhat.com 2017-05-22T12:58:01+00:00 870b58a6cc6b5cf92a6503c1578e5c21617c8d40 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
CACHE_REQ: Make use of cache_req_ncache_filter_fn() 2017-05-10T13:03:22+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-04-25T14:33:58+00:00 4ef0b19a5e8a327443d027e57487c8a1e4f654ce This patch makes use of cache_req_ncache_filter_fn() in order to process the result of a cache_req search and then filter out all the results that are present in the negative cache. The "post cache_req search" result processing is done basically in two different cases: - plugins which don't use name as an input token (group_by_id, user_by_id and object_by_id), but still can be affected by filter_{users,groups} options; - plugins responsible for groups and users enumeration (enum_groups and enum_users); Resolves: https://pagure.io/SSSD/sssd/issue/3362 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This patch makes use of cache_req_ncache_filter_fn() in order to process
the result of a cache_req search and then filter out all the results
that are present in the negative cache.

The "post cache_req search" result processing is done basically in two
different cases:
- plugins which don't use name as an input token (group_by_id, user_by_id
  and object_by_id), but still can be affected by filter_{users,groups}
  options;
- plugins responsible for groups and users enumeration (enum_groups and
  enum_users);

Resolves:
https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
CACHE_REQ: Add a new cache_req_ncache_filter_fn() plugin function 2017-05-10T13:03:11+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-04-25T12:14:05+00:00 f24ee5cca4cd43e7edf26fec453fbd99392bbe4b This function will be responsible for filtering out all the results that we have that are also present in the negative cache. This is useful mainly for plugins which don't use name as an input token but can still be affected by filter_{users,groups} options. For now this new function is not being used anywhere. Related: https://pagure.io/SSSD/sssd/issue/3362 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This function will be responsible for filtering out all the results that
we have that are also present in the negative cache.

This is useful mainly for plugins which don't use name as an input token
but can still be affected by filter_{users,groups} options.

For now this new function is not being used anywhere.

Related:
https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
CACHE_REQ: Domain type selection in cache_req 2017-03-30T12:09:22+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-24T09:39:12+00:00 cee85e8fb9534ec997e5388fce59f392cf029573 Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new enumeration cache_req_dom_type. It is a tri-state that allows the caller to select which domains can be contacted - either only POSIX, only application domains or any type. Not all plugins of cache_req have the new parameter added -- only those that are usable/useful in a non-POSIX environment. For example, it makes no sense to allow the selection for calls by ID because those are inherently POSIX-specific. Also, services or netgroups are supported only coming from POSIX domains. At the moment, the patch should not change any behaviour as all calls default to contacting POSIX domains only. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related to:
    https://pagure.io/SSSD/sssd/issue/3310

Adds a new enumeration cache_req_dom_type. It is a tri-state that
allows the caller to select which domains can be contacted - either only
POSIX, only application domains or any type.

Not all plugins of cache_req have the new parameter added -- only those
that are usable/useful in a non-POSIX environment. For example, it makes
no sense to allow the selection for calls by ID because those are
inherently POSIX-specific. Also, services or netgroups are supported
only coming from POSIX domains.

At the moment, the patch should not change any behaviour as all calls
default to contacting POSIX domains only.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
CACHE_REQ: Descend into subdomains on lookups 2017-03-29T12:00:17+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-01T08:34:57+00:00 dcc52d9c6411528bab815351d1e6145d211a4765 Let's make all plugins, but the "host_by_name", to descend into the subdomains on lookups. This patch basically prepares the field for the coming up patches that will allow group/user resolution in all domains (or a subset of the domains) to be possible by only using the short names without the domain component. The "host_by_name" plugin was not changed as it's a specific IPA plugin and won't find anything on its subdomains. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> 
Let's make all plugins, but the "host_by_name", to descend into the
subdomains on lookups.

This patch basically prepares the field for the coming up patches that
will allow group/user resolution in all domains (or a subset of the
domains) to be possible by only using the short names without the domain
component.

The "host_by_name" plugin was not changed as it's a specific IPA plugin
and won't find anything on its subdomains.

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
cache_req: allow multiple matches for searches by certificate 2017-03-10T21:19:58+00:00 Sumit Bose sbose@redhat.com 2017-02-16T12:30:18+00:00 2b80496ceedc498f7e13ebaf3e1eaa9d894b8cb9 Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
CACHE_REQ: Only search the given domain when looking up entries by UPN 2017-03-03T16:36:09+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-03T12:47:52+00:00 538321890c4d5f08c8702cfc2c00e57cbd13d334 We were searching UPNs in the whole sysdb, which made cache_req think the result came in from the domain it was searching. The bug manifested when a user from a trusted domain was looked by UPN, then cache_req searched the main domain, the result from subdomain was considered as coming from the main domain and as a result, the getpwnam() output was not qualified. That is a problem, because PAM applications often sanitize the user with getpwnam, so effectively a login with UPN was shortened to just a shortname and failed. Reviewed-by: Sumit Bose <sbose@redhat.com> 
We were searching UPNs in the whole sysdb, which made cache_req think the
result came in from the domain it was searching.

The bug manifested when a user from a trusted domain was looked by UPN,
then cache_req searched the main domain, the result from subdomain was
considered as coming from the main domain and as a result, the getpwnam()
output was not qualified. That is a problem, because PAM applications
often sanitize the user with getpwnam, so effectively a login with UPN
was shortened to just a shortname and failed.

Reviewed-by: Sumit Bose <sbose@redhat.com>
SYSDB: When searching for UPNs, search either the whole DB or only the given domain 2017-03-03T16:36:03+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-02T16:54:46+00:00 afadeb1a530ff010a2f9a7552562576b843c874b The search-by-UPN functions always searched for the whole domain. In some cases, the caller depends on the result coming from the domain specified by the 'domain' parameter. This is the case in the cache_req code at least. Even though it should be safe to just switch to always searching the whole domain, in order to allow us to examine the code carefully and test each codepath, let's introduce a boolean option to the search functions. Currently it defaults to false in all codepaths and as we test the individual ones, we can flip the option to true until we finally remove the option altogether. Reviewed-by: Sumit Bose <sbose@redhat.com> 
The search-by-UPN functions always searched for the whole domain. In
some cases, the caller depends on the result coming from the domain
specified by the 'domain' parameter. This is the case in the cache_req
code at least. Even though it should be safe to just switch to always
searching the whole domain, in order to allow us to examine the code
carefully and test each codepath, let's introduce a boolean option to
the search functions. Currently it defaults to false in all codepaths
and as we test the individual ones, we can flip the option to true until
we finally remove the option altogether.

Reviewed-by: Sumit Bose <sbose@redhat.com>