| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Currently cert_verify_opts is only initialized when there is an option
in the config file. This might cause issues later when the struct is
accessed. Since parse_cert_verify_opts() can already handle an empty
option the additional check is not needed at all.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Use division instead of modulo while rounding the created packet size up
to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes
potentially packet buffer overflows with certain body sizes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Just adds more debugging messages that are handy in seeing what gets
passed between sudo responder and client.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.
This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
expected we don't have infromation about existing netgroups in
cache, sudo still needs to evaluate it for us if needed.
This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.
Resolves:
https://fedorahosted.org/sssd/ticket/2919
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
The function sysdb_init() is never used to allow upgrade, so the
allow_upgrade parameter was pointless.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Parses the internal sysdb names and puts them on the bus using the
sss_output_name() helper. Previously, the raw sysdb names were used.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
name.name is the input name. Since cache_req is an internal interface,
we need to return the sysdb name instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
The name is converted from whatever we receive on input to the internal
format before processing the data further.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
The name is converted from whatever we receive on input to the internal
format before processing the data further.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Since sysdb_search_user_by_upn() searches the whole cache we have to set
the domain so that it matches the result.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a utility function sized_output_name() which wraps the output_name()
function and returns the sized_struct structure. This function is used
when formatting the output name for the client, but also when
saving/deleting the memory cache entries.
Its sister function sized_member_name() is very similar, but infers the
domain name from memberuid or ghost attribute.
Because all names internally are used in the same format, the logic to
append domain or format the usename for output in the fill_XXX() family
of functions is much simpler. In general, adding a domain suffix no
longer relies in the domain being a subdomain, but only the dom->fqnames
The parse_member() function was removed because it is no longer
required.
The nss test was amended to store names in the internal fqdn format on
input and checks for either shortnames or qualified names with the right
format created using sss_tc_fqname() on output.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
| |
When storing users and groups by their name in the negative cache, store
them fully qualfied so that the responder only has to track the name in
the internal format once the input is converted.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
expand_homedir_template() can be considered an outward-facing interface,
therefore the function and its input structure will accept the internal
name format and parse it internally into a username and domain
component.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When looking up entries in the responders that have not been yet
converted to the cache_req API, we need to perform some common
operations all the time. These include converting the name to the right
case, reverse-replacing whitespace and converting the name to the qualified
format for that domain.
This patch adds a function that performs these steps to avoid code
duplication.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
When looking up users or groups by name, qualify the name into the
internal format before the lookup.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
local user
If an IPA client uses the SSH integration and a local user logs in with
SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH
responder, which doesn't find the user and returns ENOENT. The
sss_ssh_authorizedkeys reports a failure on any error, including ENOENT
which produced a confusing error message in the logs.
This patch adds a new error code that handles users that are not found
by SSSD but exist on the system and also special cases root with the
same error code. Therefore, logging in as a local user no longer prints
an error message.
Resolves:
https://fedorahosted.org/sssd/ticket/3003
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
body->length has type size_t and not long unsigned.
size_t does not have the same size on 64 bit and 32 bit platform
src/responder/secrets/providers.c: In function 'sec_http_reply_with_body':
src/responder/secrets/providers.c:204:25: error: format '%lu' expects argument
of type 'long unsigned int', but argument 6 has type
'size_t {aka unsigned int}' [-Werror=format=]
"HTTP/1.1 %d %s\r\n"
"Content-Type: %s\r\n"
"Content-Length: %lu\r\n"
^
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The protocol requires a user to creat a container efore trying to store
an entry in it. Do the same in the local provider so that no surprises
arise when admins route request to a remote storage server.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Properly handle and enforce ithe presence of the content-type header
in the local and proxy providers to conform to the Custoida protocol.
Avoids different behavior between the local provider and a remote server
that may cause developers to have an application working against the
local storage and then fail when the administrator configures a remote
storage.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Generates a master key file if it doesn't exist and encrypts secrets
using the master key contained in the file.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Also adds support for the basic LOCAL provider that stores data
on the local machine.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Start implementing the Secrets Service Reponder core.
This commit implements stratup and basic conenction handling and HTTP
parsing (using the http-parser library).
Signed-off-by: Simo Sorce <simo@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add helper that uses systemd socket activation if available to accept a
pre-listining socket at startup.
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is useufl to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use tallog_get_type to check they are of the right type.
This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Functions tevent_req_is_error and _tevent_req_error
use type uint64_t for error code.
SSSD uses errno_t which is an alias for int.
Therefore complier assumes that macro TEVENT_REQ_RETURN_ON_ERROR
can return 0 due to implicit down casting from uint64_t -> int.
This patch makes down casting explicit and returns EINVAL
if result of downcasting is 0.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
To be shared across tools and libs.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a sysdb entry is searched, the sysdb cache is consulted first
for users or groups. If an entry is found in the sysdb cache, the
attributes from the timestamp cache are merged to return the full and
up-to-date set of attributes.
The merging is done with a single BASE search which is a direct lookup
into the underlying key-value database, so it should be relatively fast.
More complex merging is done only for enumeration by filter which is
currently done only via the IFP back end and should be quite
infrequent, so I hope we can justify a more complex merging there.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
For all domain types, except the local domain, open a connection to a
new ldb file located at /var/lib/sss/db names timestamps_$domain.ldb.
Constructs the ldb file path manually in sysdb_check_upgrade_02() but
that should be acceptable because nobody should be running such an old
cache these days anyway.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is just a beginning of new responder interface to data provider
and it is just to make the client registration work. It needs further
improvement.
The idea is to take the existing interface and make it work better
with further extensions of data provider. The current interface has
several disadvantages such as it is originally build only for
account requests and doesn't take different set of output parameters.
It also doesn't work well with integration into tevent-made responders.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Current an invalid certificate cause the whole ssh key lookup request to
abort. Since it is possible that e.g. the LDAP user entry contains
certificates where the client does not have the needed CA certificates
for validation we should just ignore invalid certificates.
Resolves https://fedorahosted.org/sssd/ticket/2977
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds new option 'neg_cache_locals_timeout' into section
of NSS responder. It allows negative caching of local groups and
users. Default value is 0 which means no caching.
Resolves:
https://fedorahosted.org/sssd/ticket/2928
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the
Gnome Settings Daemon to determine the name of the token used for login.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3006
The handling of open pipes in failure cases was suboptimal. Moreover,
the faulty logic was copied all over the place. This patch introduces
helper macros to:
- initialize the pipe endpoints to -1
- close an open pipe fd and set it to -1 afterwards
- close both ends unless already closed
These macros are used in the child handling code.
The patch also uses child_io_destructor in the p11_child code for safer
fd handling.
Reviewed-by: Petr Cech <pcech@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
When exec() fails, we should not attempt to continue, but just kill the
forked process. The patch adds this logic to the exec_child() and
exec_child_ex() functions to avoid code duplication
Resolves:
https://fedorahosted.org/sssd/ticket/3016
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
There is redudant function responder_get_neg_timeout_from_confdb().
This patch removes it.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
This patch switches ncache from sudo_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
