| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
FakeAD is openldap with ldif schema which allows to load static data
from real AD. Instance of class will also contain some predefined
users/groups which can be used for basic sanity testing in sssd of AD features.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patch prepends path to sssd python modules; so we will be
able to import them without any issue and they will be preferred over
system modules.
sh$[/tmp/sssd-intg.3gb4hzpn/var/log/sssd] python2
Python 2.7.13 (default, Aug 16 2017, 12:56:26)
[GCC 7.1.1 20170802 (Red Hat 7.1.1-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import SSSDConfig
>>> print(SSSDConfig.__file__)
/tmp/sssd-intg.3gb4hzpn/lib/python2.7/site-packages/SSSDConfig/__init__.pyc
>>> import pyhbac
>>> print(pyhbac.__file__)
/tmp/sssd-intg.3gb4hzpn/lib64/python2.7/site-packages/pyhbac.so
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
http://stackoverflow.com/questions/9698614/super-raises-typeerror-must-be-type-not-classobj-for-new-style-class
========================== ERRORS ===========================
_______ ERROR at setup of test_regression_ticket2163 ________
Traceback (most recent call last):
File "src/tests/intg/test_pysss_nss_idmap.py", line 48, in ad_inst
instance.teardown()
File "src/tests/intg/ds_openldap.py", line 371, in teardown
super(FakeAD, self).teardown()
TypeError: super() argument 1 must be type, not classobj
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
It will allow to prefer locally built python modules
in integration tests.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
intg/bld/src/tests/intg/config.py:5:7: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:6:11: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:7:15: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:8:12: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:9:10: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:10:8: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:11:9: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:12:13: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:13:9: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:14:12: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:15:11: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:16:13: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:17:12: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:18:13: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:20:11: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:21:7: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:22:11: E221 multiple spaces before operator
intg/bld/src/tests/intg/config.py:23:7: E221 multiple spaces before operator
pep8 will prevent reformatting in case of added new options
e.g. 53a4219e2f51cd0443931aa931505bf0b4bf5a45
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch sanitizes the input for sysdb searches by UPN/email, SID and
UUID.
This security issue was assigned CVE-2017-12173
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since dbus-1.11.18 DBUS_COOKIE_SHA1 respect $HOME variable
and fallback to value returned from getpwnam only if env HOME
does not exist. It caused problem for dbus communication
between sssd processes because local user usually do not have
directory $HOME/.dbus-keyrings/. And directory created in cwrap
environment is problmatic
[build@host ~]$ ls -ld ~/.dbus-keyrings/
drw-------. 2 build build 6 Oct 3 10:44 /home/build/.dbus-keyrings/
[buildhost ~]$ ls -lna ~/.dbus-keyrings/
ls: cannot access '/home/build/.dbus-keyrings/.': Permission denied
ls: cannot access '/home/build/.dbus-keyrings/..': Permission denied
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
[build@host ~]$ touch ~/.dbus-keyrings/test
touch: cannot touch '/home/build/.dbus-keyrings/test': Permission denied
Other alternative would be to set env variable HOME to the
same value as in fake passwd file:
HOME=$(abs_builddir)/root
Related dbus bug:
https://bugs.freedesktop.org/show_bug.cgi?id=101960
Resolves:
https://pagure.io/SSSD/sssd/issue/3531
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
This warning only happens when building SSSD on RHEL6.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
currently uses sss_pac_make_request() which does not protect the
communication with the PAC responder with a mutex as e.g. the NSS and
PAM clients.
If an application using threads loads this plugin via libkrb5 in
different threads and is heavily processing Kerberos tickets with PACs
chances are that two threads try to communicate with SSSD at once. In
this case one of the threads will miss a reply and will wait for it
until the default client timeout of 300s is passed.
This patch adds a call which uses a mutex to protect the communication
which will avoid the 300s delay mentioned above.
Resolves:
https://pagure.io/SSSD/sssd/issue/3518
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
A unit test for the recent changes from
0526dde7f3d4089617c0f4a6a85f83e9d266c9f1 is added.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes a use-after-free in the AD provider part and
initializes the certmap_ctx with data from the cache at startup.
Related to https://pagure.io/SSSD/sssd/issue/3508
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
If there are only OIDs in a <EKU> part of a matching rule a NULL pointer
dereference might occur.
Related to https://pagure.io/SSSD/sssd/issue/3508
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The sudo responder code didn't take views into account when looking for
rules, which resulted in sudo rules being ignored if the user's name was
overriden.
Please see the ticket for a detailed info on how to reproduce the bug.
Resolves:
https://pagure.io/SSSD/sssd/issue/3488
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The OpenSSL 1.1 API is used but there is a short macro block which
should added the needed compatibility if and older OpenSSL version is
used.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://pagure.io/SSSD/sssd/issue/3473
We're being quite strict in test_idle_timeout when checking for the
number of open fds which leads to spurious failures like:
=================================== FAILURES ===================================
______________________________ test_idle_timeout _______________________________
Traceback (most recent call last):
File "/var/lib/jenkins/workspace/ci/label/fedora23/src/tests/intg/test_secrets.py", line 427, in test_idle_timeout
assert nfds_pre + 1 == nfds_conn
AssertionError: assert (27 + 1) == 27
==================== 1 failed, 221 passed in 473.37 seconds ====================
This is just a check that "a" connection was opened, so we don't have to
check for exact match, but just for larger-or-equal.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add a special value for all the quota-like settings that means 'no
limit'.
Because the responder also had a global limit on the size of the
accepted body (64kiB), this patch also removes the hardcoded limit and
instead keep track of the biggest quota value on startup.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Adds a new option max_uid_secrets that allows to set a limit of secrets
for this particular client so that the user cannot starve other users.
Resolves:
https://pagure.io/SSSD/sssd/issue/3363
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
regular non-ccache secrets
Test that even when we store the maximum number of secrets, we can still
store kerberos credentials, but only until we reach the max_secrets
limit as well.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
subsection
This patch makes obsoletes the old way of configuring quotas for the
secrets responder. Instead, adds a new way of configuring each hive
separately in a configuration subsection, e.g.
[secrets/secrets]
max_secrets = 123
The old way is still supported as a backwards-compatible method.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In order to do so two new functions have been introduced and
test_sss_ncache_prepopulate() has been modified in order to ensure that
root's uid and gid are always added to the negative cache.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Simply modify test_sss_ncache_prepopulate() in order to ensure that
"root" user and group are always added to the negative cache, no matter
whether they're set as part of the filter_users or filter_groups
options.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The newly added function helps us to create a new dir avoiding a
possible TUCTOU issue.
It's going to be used by the new session provider code.
A simple test for this new function has also been provided.
Related:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
files.c has at least one function that will be re-used for the new
session provider that's about to be added. Also, a few other functions
may be added and files.c seems the right place for those.
selinux.c has been moved together with files.c as the latter takes
advantage of some functions from the former and we do not want to always
link agains the tools code.
The public functions from files.c got a "sss_" prefix and it has been
changed whenever they're used.
Last but not least, all the places that included "tools/tools_util.h"
due to the functions on files.c had this include removed (as they were
already including "util/util.h".
Related:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In cwrap environment, we start sssd_kcm and sssd_secrets ourself
and not by systemd socket activation. Our approach is to wait a second in
a loop till socket is available. However sometimes 1 second is not enough.
Patch increases wait timeout from 1 second to 10 and it seems to be enough even
when processes were executed with valgrind.
Traceback (most recent call last):
File "src/tests/intg/test_secrets.py", line 419, in setup_for_cli_timeout_test
return create_sssd_secrets_fixture(request)
File "src/tests/intg/test_secrets.py", line 82, in create_sssd_secrets_fixture
assert os.path.exists(sock_path)
AssertionError: assert False
+ where False = <function exists at 0x7f6c1cf520c8>('/tmp/sssd-intg.cdv0namx/var/run/secrets.socket')
+ where <function exists at 0x7f6c1cf520c8> = <module 'posixpath' from '/usr/lib64/python2.7/posixpath.pyc'>.exists
+ where <module 'posixpath' from '/usr/lib64/python2.7/posixpath.pyc'> = os.path
Resolves:
https://pagure.io/SSSD/sssd/issue/3481
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We add udp_preference_limit = 0 to krb5 snippet if ad provider is
used. This option enable TCP connection before UDP, when sending
a message to the KDC.
Resolves:
https://pagure.io/SSSD/sssd/issue/3254
Signed-off-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
add_remove fails quite often in enumeration test. The reason of failures
is not obvious and will take some time to investigate it.
Failures blocks testing of other patches therefore its better to disable
tests. (pytest run functions/methods which start with "test")
Temporary workaround for:
https://pagure.io/SSSD/sssd/issue/3463
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These are the header files which are used by both client and server:
src/util/io.h
src/util/murmurhash3.h
src/util/util_safealign.h
This patch is about moving these header files to special folder
(src/shared). It will be easier to identify these headers when looking
for them in the src tree.
util_safalign.h is renamed as safalign.h because util_ namespace is
appropriate when this file belonged to the util's folder which is no
longer the case.
Resolves:
https://pagure.io/SSSD/sssd/issue/1898
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
| |
Add basic tests for all base combinations of session recording
configuration options.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
After entires are retrieved by cache_req for user info requests (except
initgr), overlay them with sessionRecording attribute retrieved from an
initgr request made additionally for each entry.
Do not do additional initgr requests with selective session recording
enabled, if we don't have any group names to match against in session
recording configuration. Only do user name matches instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
Add session recording configuration loading to the common responder
initialization. To be used for substituting the user shell when
session recording is enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Related to https://pagure.io/SSSD/sssd/issue/1960
Related to https://pagure.io/SSSD/sssd/issue/1938
Related to https://pagure.io/SSSD/sssd/issue/1844
Related to https://pagure.io/SSSD/sssd/issue/1593
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The secrets responder test was chosen even though the bug was in the generic
responder code b/c it runs a single responder process, so it's trivial to
read the PID of the responder under test.
Changes subprocess.call() for os.execv() so that the setup function can
return the secret responder PID right away.
The client timeout in the test has to be at least 10 seconds because
internally, the responders don't allow a shorter timeout.
Regression test for https://pagure.io/SSSD/sssd/issue/3448
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
User and group override have been failing when using it with files provider.
This test helps us to avoid such regression in the future.
As mentioned in the comment added to the test's code, there's an issue
in nss_wrapper [0] and nss_wrapper always looks into the files first
before using the NSS module, causing a test failure in case the
fully-qualified name is not used when looking up for the original (not
overriden) user and group.
Related:
https://pagure.io/SSSD/sssd/issue/3391
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Add code to the existing zero nesting level test, check group list and
ensure nested groups are intentionally skipped and filtered out.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This is a short term fix to un-break the unit tests. The proper fix
would be to create the certificates at runtime during the tests.
Related to https://pagure.io/SSSD/sssd/issue/3436
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As some regressions have been caused by not handling properly naming
conflicts when using shortnames, last explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`
In both cases we want to ensure that even handling shortnames as input,
the output will always be fully qualified.
As part of this patch, our tests ended up being modified to reflect the
changes done. In other words, the tests related to shortnames now return
expect as return a fully qualified name for trusted domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3403
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
org.freedekstop.sssd.infopipe.Users.User gets two new attributes:
- domain: object path of user's domain
- domainname: user's domain name
org.freedekstop.sssd.infopipe.GetUserAttr can now request new attribute:
- domainname: user's domain name
Resolves:
https://pagure.io/SSSD/sssd/issue/2714
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
| |
ctype.h is not used directly by util/util.h. The header file ctype.h
must be included in 32 files and after removing it from util.h it had to be
added only to 8 missing files
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
fcntl.h is not used directly by util/util.h. The header file fcntl.h
must be included in 49 files and after removing it from util.h it had to be
added only to 7 missing file which were using either directly syscall fcntl
or syscall open.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
|
|
|
|
| |
signal.h is not used directly by util/util.h. The header file signal.h
must be included in 19 files and after removing it from util.h it had to be
added only to 12 missing files. And util.util.h is included in 381 files
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
| |
|
|
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
