| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
The protocol requires a user to creat a container efore trying to store
an entry in it. Do the same in the local provider so that no surprises
arise when admins route request to a remote storage server.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Properly handle and enforce ithe presence of the content-type header
in the local and proxy providers to conform to the Custoida protocol.
Avoids different behavior between the local provider and a remote server
that may cause developers to have an application working against the
local storage and then fail when the administrator configures a remote
storage.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
Generates a master key file if it doesn't exist and encrypts secrets using the
master key contained in the file.
Resolves:
https://fedorahosted.org/sssd/ticket/XXXX
|
| |
|
|
|
|
|
| |
Also adds support for the basic LOCAL provider that stores data
on the local machine.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Start implementing the Secrets Service Reponder core.
This commit implements stratup and basic conenction handling and HTTP
parsing (using the http-parser library).
Signed-off-by: Simo Sorce <simo@redhat.com>
Related:
https://fedorahosted.org/sssd/ticket/2913
|
| |
|
|
|
|
|
|
| |
Add helper that uses systemd socket activation if available to accept a
pre-listining socket at startup.
Related:
https://fedorahosted.org/sssd/ticket/2913
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is useufl to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use tallog_get_type to check they are of the right type.
This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To close a socket associated to an fd event we must set the close
function of the event and not associate a destructor to a parent context.
Otherwise the destructor will close() the socket before the fd event is
freed, and this may cause invalid calls on a closed file descriptor to
poll/epoll/etc.
Discovered by looking at strace output.
Resolves:
https://fedorahosted.org/sssd/ticket/2973
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
The input part has no longer meaning.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
| |
This way it makes it a lot easier to add new parameters.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2848
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Each debug message is matched to a specific request, this way it
will be easier to follow the request flow especially when paralel
request are running.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
| |
It is not always a name.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This way it is more clear that the string parameters should not
be misued when adding a new one.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Tested against Windows Server 2012.
Resolves:
https://fedorahosted.org/sssd/ticket/2839
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
In general we just return NULL if tevent_req_create() fails because
there is nothing we can do with the request anyway. Especially
tevent_req_error() should not be called because it tries to dereference
req.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2865
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This is needed for LOCAL view but also creates a shortcut for
server side overrides.
Resolves:
https://fedorahosted.org/sssd/ticket/2849
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Adds support to get SELINUX context and make code more abstract so
that struct ucred (if availale) can be used w/o redefining uid,gid,pid to
int32. Also gives a layer of indirection that may come handy if we want
to improve the code further in the future.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When refresh_expired_interval was not zero,
the NSS responder only refreshed netgroup cache
using background periodic task and ignored
SYSDB_CACHE_EXPIRE attribute.
With this behaviour it was impossible to
get new netgroup from remote server even
after sss_cache tool was used to expire
existing entry in the cache.
Resolves:
https://fedorahosted.org/sssd/ticket/2912
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
| |
Resolves https://fedorahosted.org/sssd/ticket/2925
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the SSSD default options like e.g. --debug-level are added
unconditionally to the command line options of a child process when
started with the child helper functions.
If a binary from a different source should be started as a child by SSSD
those options might not be known or used differently. This patch adds an
option to exec_child_ex() which allows to skip the default options and
only add specific options.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Extend PAM responder unit test to check 'online' cached authentication.
Resolves:
https://fedorahosted.org/sssd/ticket/2697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Like lookup by ID or by UPN the match for lookups by certificate can be
found in any domain and all sub-domains must be included in the search.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
When ifp_users_user_get_groups is called, for example via GetAll and
the list of groups contains a non-POSIX group, we skip an array member,
resulting in random memory being passed to the caller.
Resolves:
https://fedorahosted.org/sssd/ticket/2863
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
src/responder/common/responder_cache_req.c: In function 'cache_req_input_set_name':
src/responder/common/responder_cache_req.c:199: warning: declaration of 'dup' shadows a global declaration
/usr/include/unistd.h:528: warning: shadowed declaration is here
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While handling well-known SIDs a debug statement tries to access memory that is
already freed. This can be seen with the following output from valgrind.
==17600== Invalid read of size 4
==17600== at 0x805ACC6: nss_cmd_getbysid (nsssrv_cmd.c:5458)
==17600== by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509)
==17600== by 0x80662F4: sss_cmd_execute (responder_cmd.c:161)
==17600== by 0x8067015: client_cmd_execute (responder_common.c:249)
==17600== by 0x80671F5: client_recv (responder_common.c:283)
==17600== by 0x806741C: client_fd_handler (responder_common.c:335)
==17600== by 0x45F5112: epoll_event_loop (tevent_epoll.c:728)
==17600== by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926)
==17600== by 0x45F32EE: std_event_loop_once (tevent_standard.c:114)
==17600== by 0x45EF3BF: _tevent_loop_once (tevent.c:530)
==17600== by 0x45EF5AB: tevent_common_loop_wait (tevent.c:634)
==17600== by 0x45F326E: std_event_loop_wait (tevent_standard.c:140)
==17600== by 0x45EF647: _tevent_loop_wait (tevent.c:653)
==17600== Address 0x4b248a0 is 72 bytes inside a block of size 88 free'd
==17600== at 0x402C26D: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17600== by 0x45FEC9E: _talloc_free_internal (talloc.c:1057)
==17600== by 0x45FEC9E: _talloc_free (talloc.c:1581)
==17600== by 0x8066085: sss_cmd_done (responder_cmd.c:93)
==17600== by 0x805A9B0: nss_check_well_known_sid (nsssrv_cmd.c:5382)
==17600== by 0x805AC86: nss_cmd_getbysid (nsssrv_cmd.c:5455)
==17600== by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509)
==17600== by 0x80662F4: sss_cmd_execute (responder_cmd.c:161)
==17600== by 0x8067015: client_cmd_execute (responder_common.c:249)
==17600== by 0x80671F5: client_recv (responder_common.c:283)
==17600== by 0x806741C: client_fd_handler (responder_common.c:335)
==17600== by 0x45F5112: epoll_event_loop (tevent_epoll.c:728)
==17600== by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926)
==17600== by 0x45F32EE: std_event_loop_once (tevent_standard.c:114)
==17600==
The patch contains a change to the unit tests which frees the memory in
the wrapper for sss_cmd_done() too. This allows to detect this kind of
issue in the unit tests as well.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Conditions with get_next_domain were a little
confusing for coverity (but also for developers'
eyes).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Update get next domain to be able to
include disbled domains and change the
interface to accept flags instead of
multiple booleans.
Ticket:
https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This patch adds new SCKT_RSP_UMASK constant which stands for 0111. And
it replaces all occurances in responder code.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
There is DFL_RSP_UMASK constant for very secure umask in responder
code. This patch replaces occurances of value 0177 with this constant.
Resolves:
https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2833
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
If an overriden name is provided and the user is already cache we fail
to refresh it since we won't search with VIEW flag. This patch fix
it.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2833
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Parsed name or UPN is now stored in input->name instead of touching
orig_name and storing the original name in raw_name.
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2811
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
It seems that clang expected that errno can change to 0
in case of error. It might be a bug in static analyzer.
But the workaround does not change the logic and
the errno is read just once.
|
