sssd.git/src/tests, branch jhrozek_sysdb_fqdn Unnamed repository; edit this file to name it for gitweb. sudo: solve problems with fully qualified names 2016-07-06T15:40:23+00:00 Pavel Březina pbrezina@redhat.com 2016-05-26T09:37:30+00:00 98a85bf0b2334c45a60c5bc10042e5abdeff3f98 sudo expects the same name in sudo rule as login name. Therefore if fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing default domain with default_domain_suffix sssd is able to correctly return the rules but sudo can't match the user with contect of sudoUser attribute since it is not qualified. This patch changes the rules on the fly to avoid using names at all. We do this in two steps: 1. We fetch all rules that match current user name, id or groups and replace sudoUser attribute with sudoUser: #uid. 2. We fetch complementry rules that contain netgroups since it is expected we don't have infromation about existing netgroups in cache, sudo still needs to evaluate it for us if needed. This patch also remove test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't thing it is a good thing to have filter tests that depends on exact filter order. Resolves: https://fedorahosted.org/sssd/ticket/2919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.

This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
   replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
   expected we don't have infromation about existing netgroups in
   cache, sudo still needs to evaluate it for us if needed.

This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.

Resolves:
https://fedorahosted.org/sssd/ticket/2919

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
TESTS: Convert the tests to use qualified names for ldb lookups 2016-07-06T15:40:22+00:00 Jakub Hrozek jhrozek@redhat.com 2016-07-01T11:24:47+00:00 edc438d11e10384da9bb984406d3eb0903a93664 The timestamp cache tests look into ldb to check the timestamps. This patch converts the lookups to qualified names to make sure the lookups actually match. 
The timestamp cache tests look into ldb to check the timestamps. This
patch converts the lookups to qualified names to make sure the lookups
actually match.
UTIL: Remove unused functions 2016-07-06T15:40:22+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-28T16:12:15+00:00 19a36064635911048247bc7b295e77560c1ff160 The conversion to sysdb made several functions obsolete. Remove them. 
The conversion to sysdb made several functions obsolete. Remove them.
RESPONDERS: Return the sysdb name from cache_req 2016-07-06T15:40:22+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-22T05:22:59+00:00 285eb4f0210adfb8ced1b1f10de3299f87f840bc name.name is the input name. Since cache_req is an internal interface, we need to return the sysdb name instead. 
name.name is the input name. Since cache_req is an internal interface,
we need to return the sysdb name instead.
KRB5: Use shortname when expanding the user template in Kerberos ccache 2016-07-06T15:33:00+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-14T14:08:22+00:00 9352842380a9d3d7598418a1491b51d942784865 Creating the username part of the ccache file is an output operation, it makes sense to use sss_output_name() there which parses the name out of the internal qualified name. 
Creating the username part of the ccache file is an output operation, it
makes sense to use sss_output_name() there which parses the name out of
the internal qualified name.
PAM: Use qualified names internally in the PAM responder 2016-07-06T15:32:59+00:00 Jakub Hrozek jhrozek@redhat.com 2016-03-15T13:29:02+00:00 f87b86535785803419a44626353a8868db450896 The name is converted from whatever we receive on input to the internal format before processing the data further. 
The name is converted from whatever we receive on input to the internal
format before processing the data further.
TESTS: Start fixing the PAM responder tests for fully qualified names in sysdb 2016-07-06T15:32:59+00:00 Michal Zidek mzidek@redhat.com 2016-04-05T10:53:06+00:00 0270fad784b03e959a8b65798681f4408eb9613f 






TESTS; orig_name does not need to be expanded to sysdb format
2016-07-06T15:32:59+00:00

Sumit Bose
sbose@redhat.com

2016-07-05T11:21:36+00:00

b8f393ed773fbd3bdcffca637285bc11b5d0996a












NSS: Fix NSS responder to cope with fully-qualified usernames
2016-07-06T15:32:59+00:00

Jakub Hrozek
jhrozek@redhat.com

2016-03-17T07:19:18+00:00

d3d0429751d448b4f69503c7a8cc91ed963104e0

Adds a utility function sized_output_name() which wraps the output_name()
function and returns the sized_struct structure. This function is used
when formatting the output name for the client, but also when
saving/deleting the memory cache entries.

Its sister function sized_member_name() is very similar, but infers the
domain name from memberuid or ghost attribute.

Because all names internally are used in the same format, the logic to
append domain or format the usename for output in the fill_XXX() family
of functions is much simpler. In general, adding a domain suffix no
longer relies in the domain being a subdomain, but only the dom->fqnames

The parse_member() function was removed because it is no longer
required.

The nss test was amended to store names in the internal fqdn format on
input and checks for either shortnames or qualified names with the right
format created using sss_tc_fqname() on output.





Adds a utility function sized_output_name() which wraps the output_name()
function and returns the sized_struct structure. This function is used
when formatting the output name for the client, but also when
saving/deleting the memory cache entries.

Its sister function sized_member_name() is very similar, but infers the
domain name from memberuid or ghost attribute.

Because all names internally are used in the same format, the logic to
append domain or format the usename for output in the fill_XXX() family
of functions is much simpler. In general, adding a domain suffix no
longer relies in the domain being a subdomain, but only the dom->fqnames

The parse_member() function was removed because it is no longer
required.

The nss test was amended to store names in the internal fqdn format on
input and checks for either shortnames or qualified names with the right
format created using sss_tc_fqname() on output.







NCACHE: Store FQDNs internaly, check for shortnames in files
2016-07-06T15:32:59+00:00

Jakub Hrozek
jhrozek@redhat.com

2016-06-19T17:54:50+00:00

bcb40efd3673d64d5a4b09458a3ab622876aa814

When storing users and groups by their name in the negative cache, store
them fully qualfied so that the responder only has to track the name in
the internal format once the input is converted.





When storing users and groups by their name in the negative cache, store
them fully qualfied so that the responder only has to track the name in
the internal format once the input is converted.