Accepting request 174889 from network:ldap

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/174889
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=46
This commit is contained in:
Stephan Kulow 2013-05-13 13:39:41 +00:00 committed by Git OBS Bridge
parent b514a157b2
commit 665ac5a713
11 changed files with 37 additions and 2438 deletions

View File

@ -1,414 +0,0 @@
From e5f0ef211e81fcd7a87d5e37b0aadca50201c6d6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 3 Mar 2013 21:43:44 +0100
Subject: Add unit tests for simple access test by groups
I realized that the current unit tests for the simple access provider
only tested the user directives. To have a baseline and be able to
detect new bugs in the upcoming patch, I implemented unit tests for the
group lists, too.
(cherry picked from commit 754b09b5444e6da88ed58d6deaed8b815e268b6b)
---
src/tests/simple_access-tests.c | 285 +++++++++++++++++++++++++++++++++++-----
1 file changed, 253 insertions(+), 32 deletions(-)
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
index c61814e..577c6d3 100644
--- a/src/tests/simple_access-tests.c
+++ b/src/tests/simple_access-tests.c
@@ -30,39 +30,152 @@
#include "providers/simple/simple_access.h"
#include "tests/common.h"
+#define TESTS_PATH "tests_simple_access"
+#define TEST_CONF_FILE "tests_conf.ldb"
+
const char *ulist_1[] = {"u1", "u2", NULL};
+const char *glist_1[] = {"g1", "g2", NULL};
+
+struct simple_test_ctx *test_ctx = NULL;
+
+struct simple_test_ctx {
+ struct sysdb_ctx *sysdb;
+ struct confdb_ctx *confdb;
-struct simple_ctx *ctx = NULL;
+ struct simple_ctx *ctx;
+};
void setup_simple(void)
{
- fail_unless(ctx == NULL, "Simple context already initialized.");
- ctx = talloc_zero(NULL, struct simple_ctx);
- fail_unless(ctx != NULL, "Cannot create simple context.");
-
- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
- ctx->domain->case_sensitive = true;
+ errno_t ret;
+ char *conf_db;
+ const char *val[2];
+ val[1] = NULL;
+
+ /* Create tests directory if it doesn't exist */
+ /* (relative to current dir) */
+ ret = mkdir(TESTS_PATH, 0775);
+ fail_if(ret == -1 && errno != EEXIST,
+ "Could not create %s directory", TESTS_PATH);
+
+ fail_unless(test_ctx == NULL, "Simple context already initialized.");
+ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
+ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
+
+ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
+ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
+
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
+ fail_if(conf_db == NULL, "Out of memory, aborting!");
+ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
+
+ /* Connect to the conf db */
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
+ fail_if(ret != EOK, "Could not initialize connection to the confdb");
+
+ val[0] = "LOCAL";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/sssd", "domains", val);
+ fail_if(ret != EOK, "Could not initialize domains placeholder");
+
+ val[0] = "local";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "id_provider", val);
+ fail_if(ret != EOK, "Could not initialize provider");
+
+ val[0] = "TRUE";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "enumerate", val);
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
+
+ val[0] = "TRUE";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "cache_credentials", val);
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
+
+ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
+ TESTS_PATH,
+ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
+ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
+ test_ctx->ctx->domain->case_sensitive = true;
}
void teardown_simple(void)
{
int ret;
- fail_unless(ctx != NULL, "Simple context already freed.");
- ret = talloc_free(ctx);
- ctx = NULL;
+ fail_unless(test_ctx != NULL, "Simple context already freed.");
+ ret = talloc_free(test_ctx);
+ test_ctx = NULL;
fail_unless(ret == 0, "Connot free simple context.");
}
+void setup_simple_group(void)
+{
+ errno_t ret;
+
+ setup_simple();
+
+ /* Add test users u1 and u2 that would be members of test groups
+ * g1 and g2 respectively */
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
+ "u1", NULL, 123, 0, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ fail_if(ret != EOK, "Could not add u1");
+
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
+ "u2", NULL, 456, 0, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ fail_if(ret != EOK, "Could not add u2");
+
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
+ "u3", NULL, 789, 0, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ fail_if(ret != EOK, "Could not add u3");
+
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
+ "g1", 321, NULL, 0, 0);
+ fail_if(ret != EOK, "Could not add g1");
+
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
+ "g2", 654, NULL, 0, 0);
+ fail_if(ret != EOK, "Could not add g2");
+
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
+ "g1", "u1", SYSDB_MEMBER_USER);
+ fail_if(ret != EOK, "Could not add u1 to g1");
+
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
+ "g2", "u2", SYSDB_MEMBER_USER);
+ fail_if(ret != EOK, "Could not add u2 to g2");
+}
+
+void teardown_simple_group(void)
+{
+ errno_t ret;
+
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
+ fail_if(ret != EOK, "Could not delete u1");
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
+ fail_if(ret != EOK, "Could not delete u2");
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
+ fail_if(ret != EOK, "Could not delete u3");
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
+ fail_if(ret != EOK, "Could not delete g1");
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
+ fail_if(ret != EOK, "Could not delete g2");
+
+ teardown_simple();
+}
+
START_TEST(test_both_empty)
{
int ret;
bool access_granted = false;
- ctx->allow_users = NULL;
- ctx->deny_users = NULL;
+ test_ctx->ctx->allow_users = NULL;
+ test_ctx->ctx->deny_users = NULL;
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"while both lists are empty.");
@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
int ret;
bool access_granted = true;
- ctx->allow_users = NULL;
- ctx->deny_users = discard_const(ulist_1);
+ test_ctx->ctx->allow_users = NULL;
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is in deny list.");
- ret = simple_access_check(ctx, "u3", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"while user is not in deny list.");
@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
int ret;
bool access_granted = false;
- ctx->allow_users = discard_const(ulist_1);
- ctx->deny_users = NULL;
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
+ test_ctx->ctx->deny_users = NULL;
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"while user is in allow list.");
- ret = simple_access_check(ctx, "u3", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is not in allow list.");
@@ -114,15 +227,15 @@ START_TEST(test_both_set)
int ret;
bool access_granted = false;
- ctx->allow_users = discard_const(ulist_1);
- ctx->deny_users = discard_const(ulist_1);
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is in deny list.");
- ret = simple_access_check(ctx, "u3", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is not in allow list.");
@@ -134,18 +247,18 @@ START_TEST(test_case)
int ret;
bool access_granted = false;
- ctx->allow_users = discard_const(ulist_1);
- ctx->deny_users = NULL;
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
+ test_ctx->ctx->deny_users = NULL;
- ret = simple_access_check(ctx, "U1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"for user with different case "
"in case-sensitive domain");
- ctx->domain->case_sensitive = false;
+ test_ctx->ctx->domain->case_sensitive = false;
- ret = simple_access_check(ctx, "U1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"for user with different case "
@@ -153,11 +266,95 @@ START_TEST(test_case)
}
END_TEST
+START_TEST(test_group_allow_empty)
+{
+ int ret;
+ bool access_granted = true;
+
+ test_ctx->ctx->allow_groups = NULL;
+ test_ctx->ctx->deny_groups = discard_const(glist_1);
+
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is in deny list.");
+
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while group is not in deny list.");
+}
+END_TEST
+
+START_TEST(test_group_deny_empty)
+{
+ int ret;
+ bool access_granted = false;
+
+ test_ctx->ctx->allow_groups = discard_const(glist_1);
+ test_ctx->ctx->deny_groups = NULL;
+
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while group is in allow list.");
+
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is not in allow list.");
+}
+END_TEST
+
+START_TEST(test_group_both_set)
+{
+ int ret;
+ bool access_granted = false;
+
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
+ test_ctx->ctx->deny_groups = discard_const(ulist_1);
+
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is in deny list.");
+
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is not in allow list.");
+}
+END_TEST
+
+START_TEST(test_group_case)
+{
+ int ret;
+ bool access_granted = false;
+
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
+ test_ctx->ctx->deny_groups = NULL;
+
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "for group with different case "
+ "in case-sensitive domain");
+
+ test_ctx->ctx->domain->case_sensitive = false;
+
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "for group with different case "
+ "in case-insensitive domain");
+}
+END_TEST
+
Suite *access_simple_suite (void)
{
Suite *s = suite_create("access_simple");
- TCase *tc_allow_deny = tcase_create("allow/deny");
+ TCase *tc_allow_deny = tcase_create("user allow/deny");
tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
tcase_add_test(tc_allow_deny, test_both_empty);
tcase_add_test(tc_allow_deny, test_allow_empty);
@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
tcase_add_test(tc_allow_deny, test_case);
suite_add_tcase(s, tc_allow_deny);
+ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
+ tcase_add_checked_fixture(tc_grp_allow_deny,
+ setup_simple_group, teardown_simple_group);
+ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
+ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
+ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
+ tcase_add_test(tc_grp_allow_deny, test_group_case);
+ suite_add_tcase(s, tc_grp_allow_deny);
+
return s;
}
@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
int opt;
poptContext pc;
int number_failed;
+ int ret;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
srunner_run_all(sr, CK_ENV);
number_failed = srunner_ntests_failed(sr);
srunner_free(sr);
+
+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
+ if (ret != EOK) {
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
+ errno, strerror(errno));
+ return EXIT_FAILURE;
+ }
+ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
+ if (ret != EOK) {
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
+ errno, strerror(errno));
+ return EXIT_FAILURE;
+ }
+
return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
}
--
1.8.1.4

View File

@ -1,41 +0,0 @@
From 8dfcfe629db83eb58dd6613aa174222cb853afb1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 4 Mar 2013 16:37:04 +0100
Subject: Do not compile main() in DP if UNIT_TESTING is defined
The simple access provider unit tests now need to link against the Data
Provider when they start using the be_file_account_request() function.
But then we would start having conflicts as at least the main()
functions would clash.
If UNIT_TESTING is defined, then the data_provider_be.c module does not
contain the main() function and can be linked against directly from
another module that contains its own main() function
(cherry picked from commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb)
---
src/providers/data_provider_be.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index f85a04d..33590ae 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -2651,6 +2651,7 @@ fail:
return ret;
}
+#ifndef UNIT_TESTING
int main(int argc, const char *argv[])
{
int opt;
@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
return 0;
}
+#endif
static int data_provider_res_init(DBusMessage *message,
struct sbus_connection *conn)
--
1.8.1.4

View File

@ -1,237 +0,0 @@
From 455737c0b4b0c1bfeed54f2e27e397ce403acbca Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 22 Feb 2013 11:01:38 +0100
Subject: Provide a be_get_account_info_send function
In order to resolve group names in the simple access provider we need to
contact the Data Provider in a generic fashion from the access provider.
We can't call any particular implementation (like sdap_generic_send())
because we have no idea what kind of provider is configured as the
id_provider.
This patch splits introduces the be_file_account_request() function into
the data_provider_be module and makes it public.
A future patch should make the be_get_account_info function use the
be_get_account_info_send function.
(cherry picked from commit b63830b142053f99bfe954d4be5a2b0f68ce3a93)
---
src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++-----
src/providers/dp_backend.h | 15 ++++
2 files changed, 149 insertions(+), 19 deletions(-)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index b261bf8..f85a04d 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
}
static errno_t
+be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
+{
+ errno_t ret;
+ struct be_ctx *be_ctx = be_req->be_ctx;
+
+ be_req->req_data = ar;
+
+ /* see if we need a pre request call, only done for initgroups for now */
+ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
+ ret = be_initgroups_prereq(be_req);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
+ return ret;
+ }
+ }
+
+ /* process request */
+ ret = be_file_request(be_ctx, be_req,
+ be_ctx->bet_info[BET_ID].bet_ops->handler);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t
split_name_extended(TALLOC_CTX *mem_ctx,
const char *filter,
char **name,
@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
return EOK;
}
+static void
+be_get_account_info_done(struct be_req *be_req,
+ int dp_err, int dp_ret,
+ const char *errstr);
+
+struct be_get_account_info_state {
+ int err_maj;
+ int err_min;
+ const char *err_msg;
+};
+
+struct tevent_req *
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_client *becli,
+ struct be_ctx *be_ctx,
+ struct be_acct_req *ar)
+{
+ struct tevent_req *req;
+ struct be_get_account_info_state *state;
+ struct be_req *be_req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct be_get_account_info_state);
+ if (!req) return NULL;
+
+ be_req = talloc_zero(mem_ctx, struct be_req);
+ if (be_req == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ be_req->becli = becli;
+ be_req->be_ctx = be_ctx;
+ be_req->fn = be_get_account_info_done;
+ be_req->pvt = req;
+
+ ret = be_file_account_request(be_req, ar);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ return req;
+
+done:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void
+be_get_account_info_done(struct be_req *be_req,
+ int dp_err, int dp_ret,
+ const char *errstr)
+{
+ struct tevent_req *req;
+ struct be_get_account_info_state *state;
+
+ req = talloc_get_type(be_req->pvt, struct tevent_req);
+ state = tevent_req_data(req, struct be_get_account_info_state);
+
+ state->err_maj = dp_err;
+ state->err_min = dp_ret;
+ if (errstr) {
+ state->err_msg = talloc_strdup(state, errstr);
+ if (state->err_msg == NULL) {
+ talloc_free(be_req);
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ }
+
+ talloc_free(be_req);
+ tevent_req_done(req);
+}
+
+errno_t be_get_account_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ int *_err_maj,
+ int *_err_min,
+ const char **_err_msg)
+{
+ struct be_get_account_info_state *state;
+
+ state = tevent_req_data(req, struct be_get_account_info_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_err_maj) {
+ *_err_maj = state->err_maj;
+ }
+
+ if (_err_min) {
+ *_err_min = state->err_min;
+ }
+
+ if (_err_msg) {
+ *_err_msg = talloc_steal(mem_ctx, state->err_msg);
+ }
+
+ return EOK;
+}
+
static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
{
struct be_acct_req *req;
@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
goto done;
}
- be_req->req_data = req;
-
if ((attr_type != BE_ATTR_CORE) &&
(attr_type != BE_ATTR_MEM) &&
(attr_type != BE_ATTR_ALL)) {
@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
goto done;
}
- /* see if we need a pre request call, only done for initgroups for now */
- if ((type & 0xFF) == BE_REQ_INITGROUPS) {
- ret = be_initgroups_prereq(be_req);
- if (ret) {
- err_maj = DP_ERR_FATAL;
- err_min = ret;
- err_msg = "Prerequest failed";
- goto done;
- }
- }
-
- /* process request */
-
- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
- be_req,
- becli->bectx->bet_info[BET_ID].bet_ops->handler);
+ ret = be_file_account_request(be_req, req);
if (ret != EOK) {
err_maj = DP_ERR_FATAL;
err_min = ret;
- err_msg = "Failed to file request";
+ err_msg = "Cannot file account request";
goto done;
}
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
index 58a9b74..743b6f4 100644
--- a/src/providers/dp_backend.h
+++ b/src/providers/dp_backend.h
@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
const char *service_name);
void reset_fo(struct be_ctx *be_ctx);
+
+/* Request account information */
+struct tevent_req *
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_client *becli,
+ struct be_ctx *be_ctx,
+ struct be_acct_req *ar);
+
+errno_t be_get_account_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ int *_err_maj,
+ int *_err_min,
+ const char **_err_msg);
+
#endif /* __DP_BACKEND_H___ */
--
1.8.1.4

File diff suppressed because it is too large Load Diff

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:20e39d7c5d89e217b5301f7e75360eb869ac1889701755a598fb3fbed923f4b4
size 3050325

View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iEYEABECAAYFAlEG6DYACgkQHsardTLnvCXjrgCeMSfawp5NaaIu82GDZOq7EMxL
tqwAmgN3gn9e7y6AzeSBdYCCcPAyLLFo
=hHxo
-----END PGP SIGNATURE-----

3
sssd-1.9.5.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a377c436901e92d689de811d48e37d88764460e889e47bfddd90626f0a8a015c
size 3106988

7
sssd-1.9.5.tar.gz.asc Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iEYEABECAAYFAlF2gY4ACgkQHsardTLnvCW6+QCg4VWHi8mlbi6FQufRtUXOTB2j
5OAAniig5/DUZa/mrzUb+8kteg3nanNS
=3VHJ
-----END PGP SIGNATURE-----

View File

@ -1,102 +0,0 @@
From 3229c2107e4645240cfc4aa5d262e5330c356a49 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Thu, 21 Feb 2013 13:12:25 +0100
Subject: [PATCH] sysdb: try dealing with binary-content attributes
I have here a LDAP user entry which has this attribute
loginAllowedTimeMap::
AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)
Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.
The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.
---
src/db/sysdb.c | 10 ++++++++++
src/db/sysdb.h | 2 ++
src/providers/ldap/sdap.c | 7 +++----
src/providers/ldap/sdap_async.c | 4 ++--
4 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index e7524f4..7c34791 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -512,6 +512,16 @@ int sysdb_attrs_add_string(struct sysdb_attrs *attrs,
return sysdb_attrs_add_val(attrs, name, &v);
}
+int sysdb_attrs_add_mem(struct sysdb_attrs *attrs, const char *name,
+ const void *mem, size_t size)
+{
+ struct ldb_val v;
+
+ v.data = discard_const(mem);
+ v.length = size;
+ return sysdb_attrs_add_val(attrs, name, &v);
+}
+
int sysdb_attrs_add_bool(struct sysdb_attrs *attrs,
const char *name, bool value)
{
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index fff97a8..23cbbb0 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -250,6 +250,8 @@ int sysdb_attrs_add_val(struct sysdb_attrs *attrs,
const char *name, const struct ldb_val *val);
int sysdb_attrs_add_string(struct sysdb_attrs *attrs,
const char *name, const char *str);
+int sysdb_attrs_add_mem(struct sysdb_attrs *, const char *,
+ const void *, size_t);
int sysdb_attrs_add_bool(struct sysdb_attrs *attrs,
const char *name, bool value);
int sysdb_attrs_add_long(struct sysdb_attrs *attrs,
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 371121b..988f27d 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -474,10 +474,9 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
for (i=0; dval->vals[i].bv_val; i++) {
DEBUG(9, ("Dereferenced attribute value: %s\n",
dval->vals[i].bv_val));
- v.data = (uint8_t *) dval->vals[i].bv_val;
- v.length = dval->vals[i].bv_len;
-
- ret = sysdb_attrs_add_val(res[mi]->attrs, name, &v);
+ ret = sysdb_attrs_add_mem(res[mi]->attrs, name,
+ dval->vals[i].bv_val,
+ dval->vals[i].bv_len);
if (ret) goto done;
}
}
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 84497b7..b7d9839 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2226,8 +2226,8 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs,
DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding %s [%s] to attributes "
"of [%s].\n", desc, el->values[i].data, objname));
- ret = sysdb_attrs_add_string(attrs, attr_name,
- (const char *) el->values[i].data);
+ ret = sysdb_attrs_add_mem(attrs, attr_name, el->values[i].data,
+ el->values[i].length);
if (ret) {
return ret;
}
--
1.7.10.4

View File

@ -1,3 +1,27 @@
-------------------------------------------------------------------
Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de
- Update to new upstream release 1.9.5
* Includes a fix for CVE-2013-0287: A simple access provider flaw
prevents intended ACL use when SSSD is configured as an Active
Directory client.
* Fixed spurious password expiration warning that was printed on
login with the Kerberos back end.
* A new option ldap_rfc2307_fallback_to_local_users was added. If
this option is set to true, SSSD is be able to resolve local
group members of LDAP groups.
* Fixed an indexing bug that prevented the contents of autofs maps
from being returned to the automounter deamon in case the map
contained a large number of entries.
* Several fixes for safer handling of Kerberos credential caches
for cases where the ccache is set to be stored in a DIR: type.
- Remove Provide-a-be_get_account_info_send-function.patch,
Add-unit-tests-for-simple-access-test-by-groups.patch,
Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch,
Resolve-GIDs-in-the-simple-access-provider.patch
(CVE-2013-0287 material is in upstream),
sssd-sysdb-binary-attrs.diff (merged upstream)
-------------------------------------------------------------------
Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de

View File

@ -17,13 +17,12 @@
Name: sssd
Version: 1.9.4
Version: 1.9.5
Release: 0
Summary: System Security Services Daemon
License: GPL-3.0+ and LGPL-3.0+
Group: System/Daemons
Url: https://fedorahosted.org/sssd/
Requires(postun): pam-config
#Git-Clone: git://git.fedorahosted.org/sssd
Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz
@ -32,13 +31,6 @@ Source3: baselibs.conf
Patch1: 0005-implicit-decl.diff
Patch2: sssd-ldflags.diff
Patch3: sssd-no-ldb-check.diff
Patch4: sssd-sysdb-binary-attrs.diff
# Fixes for CVE-2013-0287 (will be part of 1.9.5) when released
Patch5: Provide-a-be_get_account_info_send-function.patch
Patch6: Add-unit-tests-for-simple-access-test-by-groups.patch
Patch7: Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
Patch8: Resolve-GIDs-in-the-simple-access-provider.patch
# End Fixed for CVE-2013-0287
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define servicename sssd
@ -111,6 +103,7 @@ BuildRequires: systemd
%if %suse_version >= 1230
BuildRequires: gpg-offline
%endif
Requires(postun): pam-config
%description
Provides a set of daemons to manage access to remote directories and
@ -210,7 +203,7 @@ Security Services Daemon (sssd).
%prep
%{?gpg_verify: %gpg_verify %{S:2}}
%setup -q
%patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -p1
%patch -P 1 -P 2 -P 3 -p1
%build
%if 0%{?suse_version} < 1210