p11: return a fully-qualified name

Related to https://fedorahosted.org/sssd/ticket/3165

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2 files changed, 17 insertions, 19 deletions

diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 22da33067..570bfe09d 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -521,33 +521,31 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
     size_t msg_len;
     size_t slot_len;
     int ret;
-    char *username;
 
     if (sysdb_username == NULL || token_name == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
         return EINVAL;
     }
 
-    ret = sss_parse_internal_fqname(pd, sysdb_username, &username, NULL);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot parse [%s]\n", sysdb_username);
-        return ret;
-    }
-
-    user_len = strlen(username) + 1;
+    user_len = strlen(sysdb_username) + 1;
     slot_len = strlen(token_name) + 1;
     msg_len = user_len + slot_len;
 
     msg = talloc_zero_size(pd, msg_len);
     if (msg == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
-        talloc_free(username);
         return ENOMEM;
     }
 
-    memcpy(msg, username, user_len);
+    /* sysdb_username is a fully-qualified name which is used by pam_sss when
+     * prompting the user for the PIN and as login name if it wasn't set by
+     * the PAM caller but has to be determined based on the inserted
+     * Smartcard. If this type of name is irritating at the PIN prompt or the
+     * re_expression config option was set in a way that user@domain cannot be
+     * handled anymore some more logic has to be added here. But for the time
+     * being I think using sysdb_username is fine. */
+    memcpy(msg, sysdb_username, user_len);
     memcpy(msg + user_len, token_name, slot_len);
-    talloc_free(username);
 
     ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
     talloc_free(msg);
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 02199e6f1..4b2dea4be 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -664,11 +664,11 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
     assert_int_equal(val, SSS_PAM_CERT_INFO);
 
     SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-    assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+    assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
 
-    assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
-    assert_string_equal(body + rp, "pamuser");
-    rp += sizeof("pamuser");
+    assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
+    assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
+    rp += sizeof("pamuser@"TEST_DOM_NAME);
 
     assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
     assert_string_equal(body + rp, TEST_TOKEN_NAME);
@@ -703,11 +703,11 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
     assert_int_equal(val, SSS_PAM_CERT_INFO);
 
     SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
-    assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+    assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
 
-    assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
-    assert_string_equal(body + rp, "pamuser");
-    rp += sizeof("pamuser");
+    assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
+    assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
+    rp += sizeof("pamuser@"TEST_DOM_NAME);
 
     assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
     assert_string_equal(body + rp, TEST_TOKEN_NAME);