sssd.git/src/responder, branch master Unnamed repository; edit this file 'description' to name the repository. SECRETS: remove unused variable 2017-04-21T11:45:02+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-04-19T15:56:20+00:00 0e8f0c06cad5805b1a1161f60e3f2cdb7a5a2921 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IFP: Use sized_domain_name to format the groups the user is a member of 2017-04-21T09:24:41+00:00 Jakub Hrozek jhrozek@redhat.com 2017-04-19T15:46:03+00:00 c9a73bb6ffa010ef206896a0d1c2801bc056fa45 Resolves: https://pagure.io/SSSD/sssd/issue/3268 Uses the common function sized_domain_name() to format a group the user is a member of to the appropriate format. To see the code is working correctly, run: dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:trusted_user Where trusted_user is a user from a trusted domain that is a member of groups from the joined domain and a trusted domain as well. The groups from the joined domain should not be qualified, the groups from the trusted domain should be qualified. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Resolves:
    https://pagure.io/SSSD/sssd/issue/3268

Uses the common function sized_domain_name() to format a group the user
is a member of to the appropriate format.

To see the code is working correctly, run:
        dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe
                  /org/freedesktop/sssd/infopipe
                  org.freedesktop.sssd.infopipe.GetUserGroups
                  string:trusted_user

Where trusted_user is a user from a trusted domain that is a member of groups
from the joined domain and a trusted domain as well. The groups from the
joined domain should not be qualified, the groups from the trusted
domain should be qualified.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Move sized_output_name() and sized_domain_name() into responder common code 2017-04-21T09:24:41+00:00 Jakub Hrozek jhrozek@redhat.com 2017-04-19T15:44:40+00:00 7c074ba2f923985ab0d4f9d6a5e01ff3f2f0a7a8 These functions are used to format a name into a format that the user configured for output, including case sensitiveness, replacing whitespace and qualified format. They were used only in the NSS responder, which typically returns strings to the NSS client library and then the user. But it makes sense to just reuse the same code in the IFP responder as well, since it does essentially the same job. The patch also renames sized_member_name to sized_domain_name. Previously, the function was only used to format a group member, the IFP responder would use the same function to format a group the user is a member of. Related to: https://pagure.io/SSSD/sssd/issue/3268 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
These functions are used to format a name into a format that the user
configured for output, including case sensitiveness, replacing
whitespace and qualified format. They were used only in the NSS
responder, which typically returns strings to the NSS client library and
then the user.

But it makes sense to just reuse the same code in the IFP responder as
well, since it does essentially the same job.

The patch also renames sized_member_name to sized_domain_name.
Previously, the function was only used to format a group member, the IFP
responder would use the same function to format a group the user is a
member of.

Related to:
    https://pagure.io/SSSD/sssd/issue/3268

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
responders: do not leak selinux context on clients destruction 2017-04-03T13:37:27+00:00 Pavel Březina pbrezina@redhat.com 2017-04-03T10:56:01+00:00 05c2c3047912fca1c1a35ab1c8d3157b05383495 The SELinux context created in get_client_cred is not talloc bound and we were leaking it if available with each client's destruction. Resolves: https://pagure.io/SSSD/sssd/issue/3360 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
The SELinux context created in get_client_cred is not talloc bound and
we were leaking it if available with each client's destruction.

Resolves:
https://pagure.io/SSSD/sssd/issue/3360

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
secrets: always add Content-Length header 2017-03-30T17:08:20+00:00 Pavel Březina pbrezina@redhat.com 2017-03-15T14:15:08+00:00 13d720de13e490850c1139eea865bcd5195a2630 If custodia server does not reply with Content-Length header, curl may wait for non-existing body of http reply if such body does not exist (for example during POST operation when creating a container). Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
If custodia server does not reply with Content-Length header, curl may
wait for non-existing body of http reply if such body does not exist
(for example during POST operation when creating a container).

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
secrets: fix debug message 2017-03-30T17:08:10+00:00 Pavel Březina pbrezina@redhat.com 2017-03-15T12:27:59+00:00 db826f57b4c2ee814823057cc536386889f7aa1d Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
secrets: support HTTP basic authentication with proxy provider 2017-03-30T17:08:05+00:00 Pavel Březina pbrezina@redhat.com 2017-02-28T12:58:20+00:00 af026ea6a6e812b7d6c5c889dda64ba7b7c433ee Even though configuration options auth_type = basic, username and password are read they were not used anywhere prior this patch. Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Even though configuration options auth_type = basic, username and password
are read they were not used anywhere prior this patch.

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
secrets: allow to configure certificate check 2017-03-30T17:08:00+00:00 Pavel Březina pbrezina@redhat.com 2017-02-28T10:47:32+00:00 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 Some users may want to use TLS with unverified peer (for example if they use self-signed certificate) or if unverified hostname (if certificate hostname does not match with the real hostname). On the other side it may be useful to point to a directory containing custom certificate authorities. This patch add three new options to secrets responder: verify_peer => peer's certificate must be valid verify_host => hostnames must match capath => path to directory containing CA certs cacert => ca certificate cert => client certificate key => client private key Resolves: https://pagure.io/SSSD/sssd/issue/3192 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Some users may want to use TLS with unverified peer (for example if
they use self-signed certificate) or if unverified hostname (if
certificate hostname does not match with the real hostname). On the
other side it may be useful to point to a directory containing custom
certificate authorities.

This patch add three new options to secrets responder:
verify_peer => peer's certificate must be valid
verify_host => hostnames must match
capath => path to directory containing CA certs
cacert => ca certificate
cert => client certificate
key => client private key

Resolves:
https://pagure.io/SSSD/sssd/issue/3192

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
secrets: remove http-parser code in proxy provider 2017-03-30T17:07:55+00:00 Pavel Březina pbrezina@redhat.com 2017-02-28T13:14:40+00:00 06744bf5a47d5971a338281c8243b11cf72dac90 We switche to libcurl in previous patch. This just removes the unused code. Resolves: https://pagure.io/SSSD/sssd/issue/3192 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
We switche to libcurl in previous patch. This just removes the unused code.

Resolves:
https://pagure.io/SSSD/sssd/issue/3192

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
secrets: use tcurl in proxy provider 2017-03-30T17:07:50+00:00 Pavel Březina pbrezina@redhat.com 2017-02-22T09:38:56+00:00 df99d709c8cbef3c378c111944d83b7345e4c1ea We switch from http-parser to libcurl for an http client. This gaves us many features for free such as tls and http basic authentication support instead of implementing it on our own. Resolves: https://pagure.io/SSSD/sssd/issue/3192 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
We switch from http-parser to libcurl for an http client. This gaves us many
features for free such as tls and http basic authentication support instead
of implementing it on our own.

Resolves:
https://pagure.io/SSSD/sssd/issue/3192

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>