| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Use division instead of modulo while rounding the created packet size up
to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes
potentially packet buffer overflows with certain body sizes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
The function sysdb_init() is never used to allow upgrade, so the
allow_upgrade parameter was pointless.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
name.name is the input name. Since cache_req is an internal interface,
we need to return the sysdb name instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
When storing users and groups by their name in the negative cache, store
them fully qualfied so that the responder only has to track the name in
the internal format once the input is converted.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When looking up entries in the responders that have not been yet
converted to the cache_req API, we need to perform some common
operations all the time. These include converting the name to the right
case, reverse-replacing whitespace and converting the name to the qualified
format for that domain.
This patch adds a function that performs these steps to avoid code
duplication.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
When looking up users or groups by name, qualify the name into the
internal format before the lookup.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Start implementing the Secrets Service Reponder core.
This commit implements stratup and basic conenction handling and HTTP
parsing (using the http-parser library).
Signed-off-by: Simo Sorce <simo@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Add helper that uses systemd socket activation if available to accept a
pre-listining socket at startup.
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is useufl to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use tallog_get_type to check they are of the right type.
This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Functions tevent_req_is_error and _tevent_req_error
use type uint64_t for error code.
SSSD uses errno_t which is an alias for int.
Therefore complier assumes that macro TEVENT_REQ_RETURN_ON_ERROR
can return 0 due to implicit down casting from uint64_t -> int.
This patch makes down casting explicit and returns EINVAL
if result of downcasting is 0.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a sysdb entry is searched, the sysdb cache is consulted first
for users or groups. If an entry is found in the sysdb cache, the
attributes from the timestamp cache are merged to return the full and
up-to-date set of attributes.
The merging is done with a single BASE search which is a direct lookup
into the underlying key-value database, so it should be relatively fast.
More complex merging is done only for enumeration by filter which is
currently done only via the IFP back end and should be quite
infrequent, so I hope we can justify a more complex merging there.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
For all domain types, except the local domain, open a connection to a
new ldb file located at /var/lib/sss/db names timestamps_$domain.ldb.
Constructs the ldb file path manually in sysdb_check_upgrade_02() but
that should be acceptable because nobody should be running such an old
cache these days anyway.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is just a beginning of new responder interface to data provider
and it is just to make the client registration work. It needs further
improvement.
The idea is to take the existing interface and make it work better
with further extensions of data provider. The current interface has
several disadvantages such as it is originally build only for
account requests and doesn't take different set of output parameters.
It also doesn't work well with integration into tevent-made responders.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds new option 'neg_cache_locals_timeout' into section
of NSS responder. It allows negative caching of local groups and
users. Default value is 0 which means no caching.
Resolves:
https://fedorahosted.org/sssd/ticket/2928
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
| |
There is redudant function responder_get_neg_timeout_from_confdb().
This patch removes it.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
| |
Preparation for initialization of negative cache in common responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Timeout of negative cahce is handled by internal negative cache
context. This patch removes neg_timeout from struct nss_ctx.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
It removes neg_timeout parameter from struct pam_ctx. Timeout is
handled by context of negative cache internally.
This patch additioanlly removes neg_timeout from struct cache_req_state.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
It adds new function to negative cache API:
* int sss_ncache_get_timeout(struct sss_nc_ctx *ctx);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It removes timeout parameter from check functions of negative cache.
Timeout is set ny init function and it is handled internally.
API change:
* int sss_ncache_check_...(struct sss_nc_ctx *ctx,
int ttl, <----- timeout vanished
struct sss_domain_info *dom,
...);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It adds timeout of negative cache to handling
struct sss_nc_ctx.
There is one change in API of negatice cache:
* int sss_ncache_init(TALLOC_CTX *memctx,
uint32_t timeout, <----- new
struct sss_nc_ctx **_ctx);
There is also one new function in common/responder:
* errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb,
uint32_t *ncache_timeout);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
| |
If ttl = -1 then function sss_ncache_check_str() returns EEXIST without
checking negcache. This behaviour is out of logic.
We use ttl = 0 for permanent caching.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To close a socket associated to an fd event we must set the close
function of the event and not associate a destructor to a parent context.
Otherwise the destructor will close() the socket before the fd event is
freed, and this may cause invalid calls on a closed file descriptor to
poll/epoll/etc.
Discovered by looking at strace output.
Resolves:
https://fedorahosted.org/sssd/ticket/2973
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
The input part has no longer meaning.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
| |
This way it makes it a lot easier to add new parameters.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2848
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Each debug message is matched to a specific request, this way it
will be easier to follow the request flow especially when paralel
request are running.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
| |
It is not always a name.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
This way it is more clear that the string parameters should not
be misued when adding a new one.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This is needed for LOCAL view but also creates a shortcut for
server side overrides.
Resolves:
https://fedorahosted.org/sssd/ticket/2849
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Adds support to get SELINUX context and make code more abstract so
that struct ucred (if availale) can be used w/o redefining uid,gid,pid to
int32. Also gives a layer of indirection that may come handy if we want
to improve the code further in the future.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
| |
Like lookup by ID or by UPN the match for lookups by certificate can be
found in any domain and all sub-domains must be included in the search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
|
|
|
|
|
| |
src/responder/common/responder_cache_req.c: In function 'cache_req_input_set_name':
src/responder/common/responder_cache_req.c:199: warning: declaration of 'dup' shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update get next domain to be able to
include disbled domains and change the
interface to accept flags instead of
multiple booleans.
Ticket:
https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds new SCKT_RSP_UMASK constant which stands for 0111. And
it replaces all occurances in responder code.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
There is DFL_RSP_UMASK constant for very secure umask in responder
code. This patch replaces occurances of value 0177 with this constant.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
Parsed name or UPN is now stored in input->name instead of touching
orig_name and storing the original name in raw_name.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for:
https://fedorahosted.org/sssd/ticket/2637
This is a first step towards making it possible for domain to be around,
but not contacted by Data Provider.
Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|