Accepting request 174889 from network:ldap
Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/174889 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=46
This commit is contained in:
parent
b514a157b2
commit
665ac5a713
@ -1,414 +0,0 @@
|
||||
From e5f0ef211e81fcd7a87d5e37b0aadca50201c6d6 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Sun, 3 Mar 2013 21:43:44 +0100
|
||||
Subject: Add unit tests for simple access test by groups
|
||||
|
||||
I realized that the current unit tests for the simple access provider
|
||||
only tested the user directives. To have a baseline and be able to
|
||||
detect new bugs in the upcoming patch, I implemented unit tests for the
|
||||
group lists, too.
|
||||
(cherry picked from commit 754b09b5444e6da88ed58d6deaed8b815e268b6b)
|
||||
---
|
||||
src/tests/simple_access-tests.c | 285 +++++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 253 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
|
||||
index c61814e..577c6d3 100644
|
||||
--- a/src/tests/simple_access-tests.c
|
||||
+++ b/src/tests/simple_access-tests.c
|
||||
@@ -30,39 +30,152 @@
|
||||
#include "providers/simple/simple_access.h"
|
||||
#include "tests/common.h"
|
||||
|
||||
+#define TESTS_PATH "tests_simple_access"
|
||||
+#define TEST_CONF_FILE "tests_conf.ldb"
|
||||
+
|
||||
const char *ulist_1[] = {"u1", "u2", NULL};
|
||||
+const char *glist_1[] = {"g1", "g2", NULL};
|
||||
+
|
||||
+struct simple_test_ctx *test_ctx = NULL;
|
||||
+
|
||||
+struct simple_test_ctx {
|
||||
+ struct sysdb_ctx *sysdb;
|
||||
+ struct confdb_ctx *confdb;
|
||||
|
||||
-struct simple_ctx *ctx = NULL;
|
||||
+ struct simple_ctx *ctx;
|
||||
+};
|
||||
|
||||
void setup_simple(void)
|
||||
{
|
||||
- fail_unless(ctx == NULL, "Simple context already initialized.");
|
||||
- ctx = talloc_zero(NULL, struct simple_ctx);
|
||||
- fail_unless(ctx != NULL, "Cannot create simple context.");
|
||||
-
|
||||
- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
|
||||
- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
|
||||
- ctx->domain->case_sensitive = true;
|
||||
+ errno_t ret;
|
||||
+ char *conf_db;
|
||||
+ const char *val[2];
|
||||
+ val[1] = NULL;
|
||||
+
|
||||
+ /* Create tests directory if it doesn't exist */
|
||||
+ /* (relative to current dir) */
|
||||
+ ret = mkdir(TESTS_PATH, 0775);
|
||||
+ fail_if(ret == -1 && errno != EEXIST,
|
||||
+ "Could not create %s directory", TESTS_PATH);
|
||||
+
|
||||
+ fail_unless(test_ctx == NULL, "Simple context already initialized.");
|
||||
+ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
|
||||
+ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
|
||||
+
|
||||
+ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
|
||||
+ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
|
||||
+
|
||||
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
|
||||
+ fail_if(conf_db == NULL, "Out of memory, aborting!");
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
|
||||
+
|
||||
+ /* Connect to the conf db */
|
||||
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
|
||||
+ fail_if(ret != EOK, "Could not initialize connection to the confdb");
|
||||
+
|
||||
+ val[0] = "LOCAL";
|
||||
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||
+ "config/sssd", "domains", val);
|
||||
+ fail_if(ret != EOK, "Could not initialize domains placeholder");
|
||||
+
|
||||
+ val[0] = "local";
|
||||
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||
+ "config/domain/LOCAL", "id_provider", val);
|
||||
+ fail_if(ret != EOK, "Could not initialize provider");
|
||||
+
|
||||
+ val[0] = "TRUE";
|
||||
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||
+ "config/domain/LOCAL", "enumerate", val);
|
||||
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
|
||||
+
|
||||
+ val[0] = "TRUE";
|
||||
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||
+ "config/domain/LOCAL", "cache_credentials", val);
|
||||
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
|
||||
+
|
||||
+ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
|
||||
+ TESTS_PATH,
|
||||
+ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
|
||||
+ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
|
||||
+ test_ctx->ctx->domain->case_sensitive = true;
|
||||
}
|
||||
|
||||
void teardown_simple(void)
|
||||
{
|
||||
int ret;
|
||||
- fail_unless(ctx != NULL, "Simple context already freed.");
|
||||
- ret = talloc_free(ctx);
|
||||
- ctx = NULL;
|
||||
+ fail_unless(test_ctx != NULL, "Simple context already freed.");
|
||||
+ ret = talloc_free(test_ctx);
|
||||
+ test_ctx = NULL;
|
||||
fail_unless(ret == 0, "Connot free simple context.");
|
||||
}
|
||||
|
||||
+void setup_simple_group(void)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ setup_simple();
|
||||
+
|
||||
+ /* Add test users u1 and u2 that would be members of test groups
|
||||
+ * g1 and g2 respectively */
|
||||
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||
+ "u1", NULL, 123, 0, "u1", "/home/u1",
|
||||
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||
+ fail_if(ret != EOK, "Could not add u1");
|
||||
+
|
||||
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||
+ "u2", NULL, 456, 0, "u1", "/home/u1",
|
||||
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||
+ fail_if(ret != EOK, "Could not add u2");
|
||||
+
|
||||
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||
+ "u3", NULL, 789, 0, "u1", "/home/u1",
|
||||
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||
+ fail_if(ret != EOK, "Could not add u3");
|
||||
+
|
||||
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
|
||||
+ "g1", 321, NULL, 0, 0);
|
||||
+ fail_if(ret != EOK, "Could not add g1");
|
||||
+
|
||||
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
|
||||
+ "g2", 654, NULL, 0, 0);
|
||||
+ fail_if(ret != EOK, "Could not add g2");
|
||||
+
|
||||
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
|
||||
+ "g1", "u1", SYSDB_MEMBER_USER);
|
||||
+ fail_if(ret != EOK, "Could not add u1 to g1");
|
||||
+
|
||||
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
|
||||
+ "g2", "u2", SYSDB_MEMBER_USER);
|
||||
+ fail_if(ret != EOK, "Could not add u2 to g2");
|
||||
+}
|
||||
+
|
||||
+void teardown_simple_group(void)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
|
||||
+ fail_if(ret != EOK, "Could not delete u1");
|
||||
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
|
||||
+ fail_if(ret != EOK, "Could not delete u2");
|
||||
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
|
||||
+ fail_if(ret != EOK, "Could not delete u3");
|
||||
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
|
||||
+ fail_if(ret != EOK, "Could not delete g1");
|
||||
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
|
||||
+ fail_if(ret != EOK, "Could not delete g2");
|
||||
+
|
||||
+ teardown_simple();
|
||||
+}
|
||||
+
|
||||
START_TEST(test_both_empty)
|
||||
{
|
||||
int ret;
|
||||
bool access_granted = false;
|
||||
|
||||
- ctx->allow_users = NULL;
|
||||
- ctx->deny_users = NULL;
|
||||
+ test_ctx->ctx->allow_users = NULL;
|
||||
+ test_ctx->ctx->deny_users = NULL;
|
||||
|
||||
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == true, "Access denied "
|
||||
"while both lists are empty.");
|
||||
@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
|
||||
int ret;
|
||||
bool access_granted = true;
|
||||
|
||||
- ctx->allow_users = NULL;
|
||||
- ctx->deny_users = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->allow_users = NULL;
|
||||
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
|
||||
|
||||
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == false, "Access granted "
|
||||
"while user is in deny list.");
|
||||
|
||||
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == true, "Access denied "
|
||||
"while user is not in deny list.");
|
||||
@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
|
||||
int ret;
|
||||
bool access_granted = false;
|
||||
|
||||
- ctx->allow_users = discard_const(ulist_1);
|
||||
- ctx->deny_users = NULL;
|
||||
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->deny_users = NULL;
|
||||
|
||||
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == true, "Access denied "
|
||||
"while user is in allow list.");
|
||||
|
||||
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == false, "Access granted "
|
||||
"while user is not in allow list.");
|
||||
@@ -114,15 +227,15 @@ START_TEST(test_both_set)
|
||||
int ret;
|
||||
bool access_granted = false;
|
||||
|
||||
- ctx->allow_users = discard_const(ulist_1);
|
||||
- ctx->deny_users = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
|
||||
|
||||
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == false, "Access granted "
|
||||
"while user is in deny list.");
|
||||
|
||||
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == false, "Access granted "
|
||||
"while user is not in allow list.");
|
||||
@@ -134,18 +247,18 @@ START_TEST(test_case)
|
||||
int ret;
|
||||
bool access_granted = false;
|
||||
|
||||
- ctx->allow_users = discard_const(ulist_1);
|
||||
- ctx->deny_users = NULL;
|
||||
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->deny_users = NULL;
|
||||
|
||||
- ret = simple_access_check(ctx, "U1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == false, "Access granted "
|
||||
"for user with different case "
|
||||
"in case-sensitive domain");
|
||||
|
||||
- ctx->domain->case_sensitive = false;
|
||||
+ test_ctx->ctx->domain->case_sensitive = false;
|
||||
|
||||
- ret = simple_access_check(ctx, "U1", &access_granted);
|
||||
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
fail_unless(access_granted == true, "Access denied "
|
||||
"for user with different case "
|
||||
@@ -153,11 +266,95 @@ START_TEST(test_case)
|
||||
}
|
||||
END_TEST
|
||||
|
||||
+START_TEST(test_group_allow_empty)
|
||||
+{
|
||||
+ int ret;
|
||||
+ bool access_granted = true;
|
||||
+
|
||||
+ test_ctx->ctx->allow_groups = NULL;
|
||||
+ test_ctx->ctx->deny_groups = discard_const(glist_1);
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == false, "Access granted "
|
||||
+ "while group is in deny list.");
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == true, "Access denied "
|
||||
+ "while group is not in deny list.");
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+START_TEST(test_group_deny_empty)
|
||||
+{
|
||||
+ int ret;
|
||||
+ bool access_granted = false;
|
||||
+
|
||||
+ test_ctx->ctx->allow_groups = discard_const(glist_1);
|
||||
+ test_ctx->ctx->deny_groups = NULL;
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == true, "Access denied "
|
||||
+ "while group is in allow list.");
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == false, "Access granted "
|
||||
+ "while group is not in allow list.");
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+START_TEST(test_group_both_set)
|
||||
+{
|
||||
+ int ret;
|
||||
+ bool access_granted = false;
|
||||
+
|
||||
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->deny_groups = discard_const(ulist_1);
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == false, "Access granted "
|
||||
+ "while group is in deny list.");
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == false, "Access granted "
|
||||
+ "while group is not in allow list.");
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+START_TEST(test_group_case)
|
||||
+{
|
||||
+ int ret;
|
||||
+ bool access_granted = false;
|
||||
+
|
||||
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
|
||||
+ test_ctx->ctx->deny_groups = NULL;
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == false, "Access granted "
|
||||
+ "for group with different case "
|
||||
+ "in case-sensitive domain");
|
||||
+
|
||||
+ test_ctx->ctx->domain->case_sensitive = false;
|
||||
+
|
||||
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||
+ fail_unless(access_granted == true, "Access denied "
|
||||
+ "for group with different case "
|
||||
+ "in case-insensitive domain");
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
Suite *access_simple_suite (void)
|
||||
{
|
||||
Suite *s = suite_create("access_simple");
|
||||
|
||||
- TCase *tc_allow_deny = tcase_create("allow/deny");
|
||||
+ TCase *tc_allow_deny = tcase_create("user allow/deny");
|
||||
tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
|
||||
tcase_add_test(tc_allow_deny, test_both_empty);
|
||||
tcase_add_test(tc_allow_deny, test_allow_empty);
|
||||
@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
|
||||
tcase_add_test(tc_allow_deny, test_case);
|
||||
suite_add_tcase(s, tc_allow_deny);
|
||||
|
||||
+ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
|
||||
+ tcase_add_checked_fixture(tc_grp_allow_deny,
|
||||
+ setup_simple_group, teardown_simple_group);
|
||||
+ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
|
||||
+ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
|
||||
+ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
|
||||
+ tcase_add_test(tc_grp_allow_deny, test_group_case);
|
||||
+ suite_add_tcase(s, tc_grp_allow_deny);
|
||||
+
|
||||
return s;
|
||||
}
|
||||
|
||||
@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
|
||||
int opt;
|
||||
poptContext pc;
|
||||
int number_failed;
|
||||
+ int ret;
|
||||
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
|
||||
srunner_run_all(sr, CK_ENV);
|
||||
number_failed = srunner_ntests_failed(sr);
|
||||
srunner_free(sr);
|
||||
+
|
||||
+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
|
||||
+ if (ret != EOK) {
|
||||
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
|
||||
+ errno, strerror(errno));
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
|
||||
+ if (ret != EOK) {
|
||||
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
|
||||
+ errno, strerror(errno));
|
||||
+ return EXIT_FAILURE;
|
||||
+ }
|
||||
+
|
||||
return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
|
||||
}
|
||||
|
||||
--
|
||||
1.8.1.4
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 8dfcfe629db83eb58dd6613aa174222cb853afb1 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 4 Mar 2013 16:37:04 +0100
|
||||
Subject: Do not compile main() in DP if UNIT_TESTING is defined
|
||||
|
||||
The simple access provider unit tests now need to link against the Data
|
||||
Provider when they start using the be_file_account_request() function.
|
||||
But then we would start having conflicts as at least the main()
|
||||
functions would clash.
|
||||
|
||||
If UNIT_TESTING is defined, then the data_provider_be.c module does not
|
||||
contain the main() function and can be linked against directly from
|
||||
another module that contains its own main() function
|
||||
(cherry picked from commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb)
|
||||
---
|
||||
src/providers/data_provider_be.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index f85a04d..33590ae 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -2651,6 +2651,7 @@ fail:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+#ifndef UNIT_TESTING
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
int opt;
|
||||
@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
|
||||
|
||||
return 0;
|
||||
}
|
||||
+#endif
|
||||
|
||||
static int data_provider_res_init(DBusMessage *message,
|
||||
struct sbus_connection *conn)
|
||||
--
|
||||
1.8.1.4
|
||||
|
@ -1,237 +0,0 @@
|
||||
From 455737c0b4b0c1bfeed54f2e27e397ce403acbca Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 22 Feb 2013 11:01:38 +0100
|
||||
Subject: Provide a be_get_account_info_send function
|
||||
|
||||
In order to resolve group names in the simple access provider we need to
|
||||
contact the Data Provider in a generic fashion from the access provider.
|
||||
We can't call any particular implementation (like sdap_generic_send())
|
||||
because we have no idea what kind of provider is configured as the
|
||||
id_provider.
|
||||
|
||||
This patch splits introduces the be_file_account_request() function into
|
||||
the data_provider_be module and makes it public.
|
||||
|
||||
A future patch should make the be_get_account_info function use the
|
||||
be_get_account_info_send function.
|
||||
(cherry picked from commit b63830b142053f99bfe954d4be5a2b0f68ce3a93)
|
||||
---
|
||||
src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++-----
|
||||
src/providers/dp_backend.h | 15 ++++
|
||||
2 files changed, 149 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index b261bf8..f85a04d 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
|
||||
}
|
||||
|
||||
static errno_t
|
||||
+be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ struct be_ctx *be_ctx = be_req->be_ctx;
|
||||
+
|
||||
+ be_req->req_data = ar;
|
||||
+
|
||||
+ /* see if we need a pre request call, only done for initgroups for now */
|
||||
+ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
|
||||
+ ret = be_initgroups_prereq(be_req);
|
||||
+ if (ret) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
|
||||
+ return ret;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* process request */
|
||||
+ ret = be_file_request(be_ctx, be_req,
|
||||
+ be_ctx->bet_info[BET_ID].bet_ops->handler);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+static errno_t
|
||||
split_name_extended(TALLOC_CTX *mem_ctx,
|
||||
const char *filter,
|
||||
char **name,
|
||||
@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static void
|
||||
+be_get_account_info_done(struct be_req *be_req,
|
||||
+ int dp_err, int dp_ret,
|
||||
+ const char *errstr);
|
||||
+
|
||||
+struct be_get_account_info_state {
|
||||
+ int err_maj;
|
||||
+ int err_min;
|
||||
+ const char *err_msg;
|
||||
+};
|
||||
+
|
||||
+struct tevent_req *
|
||||
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct be_client *becli,
|
||||
+ struct be_ctx *be_ctx,
|
||||
+ struct be_acct_req *ar)
|
||||
+{
|
||||
+ struct tevent_req *req;
|
||||
+ struct be_get_account_info_state *state;
|
||||
+ struct be_req *be_req;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ req = tevent_req_create(mem_ctx, &state,
|
||||
+ struct be_get_account_info_state);
|
||||
+ if (!req) return NULL;
|
||||
+
|
||||
+ be_req = talloc_zero(mem_ctx, struct be_req);
|
||||
+ if (be_req == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ be_req->becli = becli;
|
||||
+ be_req->be_ctx = be_ctx;
|
||||
+ be_req->fn = be_get_account_info_done;
|
||||
+ be_req->pvt = req;
|
||||
+
|
||||
+ ret = be_file_account_request(be_req, ar);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ return req;
|
||||
+
|
||||
+done:
|
||||
+ tevent_req_error(req, ret);
|
||||
+ tevent_req_post(req, ev);
|
||||
+ return req;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+be_get_account_info_done(struct be_req *be_req,
|
||||
+ int dp_err, int dp_ret,
|
||||
+ const char *errstr)
|
||||
+{
|
||||
+ struct tevent_req *req;
|
||||
+ struct be_get_account_info_state *state;
|
||||
+
|
||||
+ req = talloc_get_type(be_req->pvt, struct tevent_req);
|
||||
+ state = tevent_req_data(req, struct be_get_account_info_state);
|
||||
+
|
||||
+ state->err_maj = dp_err;
|
||||
+ state->err_min = dp_ret;
|
||||
+ if (errstr) {
|
||||
+ state->err_msg = talloc_strdup(state, errstr);
|
||||
+ if (state->err_msg == NULL) {
|
||||
+ talloc_free(be_req);
|
||||
+ tevent_req_error(req, ENOMEM);
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ talloc_free(be_req);
|
||||
+ tevent_req_done(req);
|
||||
+}
|
||||
+
|
||||
+errno_t be_get_account_info_recv(struct tevent_req *req,
|
||||
+ TALLOC_CTX *mem_ctx,
|
||||
+ int *_err_maj,
|
||||
+ int *_err_min,
|
||||
+ const char **_err_msg)
|
||||
+{
|
||||
+ struct be_get_account_info_state *state;
|
||||
+
|
||||
+ state = tevent_req_data(req, struct be_get_account_info_state);
|
||||
+
|
||||
+ TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||
+
|
||||
+ if (_err_maj) {
|
||||
+ *_err_maj = state->err_maj;
|
||||
+ }
|
||||
+
|
||||
+ if (_err_min) {
|
||||
+ *_err_min = state->err_min;
|
||||
+ }
|
||||
+
|
||||
+ if (_err_msg) {
|
||||
+ *_err_msg = talloc_steal(mem_ctx, state->err_msg);
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
|
||||
{
|
||||
struct be_acct_req *req;
|
||||
@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
|
||||
goto done;
|
||||
}
|
||||
|
||||
- be_req->req_data = req;
|
||||
-
|
||||
if ((attr_type != BE_ATTR_CORE) &&
|
||||
(attr_type != BE_ATTR_MEM) &&
|
||||
(attr_type != BE_ATTR_ALL)) {
|
||||
@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* see if we need a pre request call, only done for initgroups for now */
|
||||
- if ((type & 0xFF) == BE_REQ_INITGROUPS) {
|
||||
- ret = be_initgroups_prereq(be_req);
|
||||
- if (ret) {
|
||||
- err_maj = DP_ERR_FATAL;
|
||||
- err_min = ret;
|
||||
- err_msg = "Prerequest failed";
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- /* process request */
|
||||
-
|
||||
- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
|
||||
- be_req,
|
||||
- becli->bectx->bet_info[BET_ID].bet_ops->handler);
|
||||
+ ret = be_file_account_request(be_req, req);
|
||||
if (ret != EOK) {
|
||||
err_maj = DP_ERR_FATAL;
|
||||
err_min = ret;
|
||||
- err_msg = "Failed to file request";
|
||||
+ err_msg = "Cannot file account request";
|
||||
goto done;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
|
||||
index 58a9b74..743b6f4 100644
|
||||
--- a/src/providers/dp_backend.h
|
||||
+++ b/src/providers/dp_backend.h
|
||||
@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
|
||||
const char *service_name);
|
||||
|
||||
void reset_fo(struct be_ctx *be_ctx);
|
||||
+
|
||||
+/* Request account information */
|
||||
+struct tevent_req *
|
||||
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct be_client *becli,
|
||||
+ struct be_ctx *be_ctx,
|
||||
+ struct be_acct_req *ar);
|
||||
+
|
||||
+errno_t be_get_account_info_recv(struct tevent_req *req,
|
||||
+ TALLOC_CTX *mem_ctx,
|
||||
+ int *_err_maj,
|
||||
+ int *_err_min,
|
||||
+ const char **_err_msg);
|
||||
+
|
||||
#endif /* __DP_BACKEND_H___ */
|
||||
--
|
||||
1.8.1.4
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:20e39d7c5d89e217b5301f7e75360eb869ac1889701755a598fb3fbed923f4b4
|
||||
size 3050325
|
@ -1,7 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.13 (GNU/Linux)
|
||||
|
||||
iEYEABECAAYFAlEG6DYACgkQHsardTLnvCXjrgCeMSfawp5NaaIu82GDZOq7EMxL
|
||||
tqwAmgN3gn9e7y6AzeSBdYCCcPAyLLFo
|
||||
=hHxo
|
||||
-----END PGP SIGNATURE-----
|
3
sssd-1.9.5.tar.gz
Normal file
3
sssd-1.9.5.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:a377c436901e92d689de811d48e37d88764460e889e47bfddd90626f0a8a015c
|
||||
size 3106988
|
7
sssd-1.9.5.tar.gz.asc
Normal file
7
sssd-1.9.5.tar.gz.asc
Normal file
@ -0,0 +1,7 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.13 (GNU/Linux)
|
||||
|
||||
iEYEABECAAYFAlF2gY4ACgkQHsardTLnvCW6+QCg4VWHi8mlbi6FQufRtUXOTB2j
|
||||
5OAAniig5/DUZa/mrzUb+8kteg3nanNS
|
||||
=3VHJ
|
||||
-----END PGP SIGNATURE-----
|
@ -1,102 +0,0 @@
|
||||
From 3229c2107e4645240cfc4aa5d262e5330c356a49 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Engelhardt <jengelh@inai.de>
|
||||
Date: Thu, 21 Feb 2013 13:12:25 +0100
|
||||
Subject: [PATCH] sysdb: try dealing with binary-content attributes
|
||||
|
||||
I have here a LDAP user entry which has this attribute
|
||||
|
||||
loginAllowedTimeMap::
|
||||
AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
|
||||
|
||||
In the function sysdb_attrs_add_string(), called from
|
||||
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
|
||||
the wrong thing to do. The result of strlen is then used to populate
|
||||
the .v_length member of a struct ldb_val - and this will set it to
|
||||
zero in this case. (There is also the problem that there may not be
|
||||
a '\0' at all in the blob.)
|
||||
|
||||
Subsequently, .v_length being 0 makes ldb_modify(), called from
|
||||
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
|
||||
result is that users do not get stored in the sysdb, and programs like
|
||||
`id` or `getent ...` show incomplete information.
|
||||
|
||||
The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
|
||||
fine, but that may not mean that is the absolute lower boundary of
|
||||
introduction of the problem.
|
||||
---
|
||||
src/db/sysdb.c | 10 ++++++++++
|
||||
src/db/sysdb.h | 2 ++
|
||||
src/providers/ldap/sdap.c | 7 +++----
|
||||
src/providers/ldap/sdap_async.c | 4 ++--
|
||||
4 files changed, 17 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
|
||||
index e7524f4..7c34791 100644
|
||||
--- a/src/db/sysdb.c
|
||||
+++ b/src/db/sysdb.c
|
||||
@@ -512,6 +512,16 @@ int sysdb_attrs_add_string(struct sysdb_attrs *attrs,
|
||||
return sysdb_attrs_add_val(attrs, name, &v);
|
||||
}
|
||||
|
||||
+int sysdb_attrs_add_mem(struct sysdb_attrs *attrs, const char *name,
|
||||
+ const void *mem, size_t size)
|
||||
+{
|
||||
+ struct ldb_val v;
|
||||
+
|
||||
+ v.data = discard_const(mem);
|
||||
+ v.length = size;
|
||||
+ return sysdb_attrs_add_val(attrs, name, &v);
|
||||
+}
|
||||
+
|
||||
int sysdb_attrs_add_bool(struct sysdb_attrs *attrs,
|
||||
const char *name, bool value)
|
||||
{
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index fff97a8..23cbbb0 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -250,6 +250,8 @@ int sysdb_attrs_add_val(struct sysdb_attrs *attrs,
|
||||
const char *name, const struct ldb_val *val);
|
||||
int sysdb_attrs_add_string(struct sysdb_attrs *attrs,
|
||||
const char *name, const char *str);
|
||||
+int sysdb_attrs_add_mem(struct sysdb_attrs *, const char *,
|
||||
+ const void *, size_t);
|
||||
int sysdb_attrs_add_bool(struct sysdb_attrs *attrs,
|
||||
const char *name, bool value);
|
||||
int sysdb_attrs_add_long(struct sysdb_attrs *attrs,
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index 371121b..988f27d 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -474,10 +474,9 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
|
||||
for (i=0; dval->vals[i].bv_val; i++) {
|
||||
DEBUG(9, ("Dereferenced attribute value: %s\n",
|
||||
dval->vals[i].bv_val));
|
||||
- v.data = (uint8_t *) dval->vals[i].bv_val;
|
||||
- v.length = dval->vals[i].bv_len;
|
||||
-
|
||||
- ret = sysdb_attrs_add_val(res[mi]->attrs, name, &v);
|
||||
+ ret = sysdb_attrs_add_mem(res[mi]->attrs, name,
|
||||
+ dval->vals[i].bv_val,
|
||||
+ dval->vals[i].bv_len);
|
||||
if (ret) goto done;
|
||||
}
|
||||
}
|
||||
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
|
||||
index 84497b7..b7d9839 100644
|
||||
--- a/src/providers/ldap/sdap_async.c
|
||||
+++ b/src/providers/ldap/sdap_async.c
|
||||
@@ -2226,8 +2226,8 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs,
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding %s [%s] to attributes "
|
||||
"of [%s].\n", desc, el->values[i].data, objname));
|
||||
|
||||
- ret = sysdb_attrs_add_string(attrs, attr_name,
|
||||
- (const char *) el->values[i].data);
|
||||
+ ret = sysdb_attrs_add_mem(attrs, attr_name, el->values[i].data,
|
||||
+ el->values[i].length);
|
||||
if (ret) {
|
||||
return ret;
|
||||
}
|
||||
--
|
||||
1.7.10.4
|
||||
|
24
sssd.changes
24
sssd.changes
@ -1,3 +1,27 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de
|
||||
|
||||
- Update to new upstream release 1.9.5
|
||||
* Includes a fix for CVE-2013-0287: A simple access provider flaw
|
||||
prevents intended ACL use when SSSD is configured as an Active
|
||||
Directory client.
|
||||
* Fixed spurious password expiration warning that was printed on
|
||||
login with the Kerberos back end.
|
||||
* A new option ldap_rfc2307_fallback_to_local_users was added. If
|
||||
this option is set to true, SSSD is be able to resolve local
|
||||
group members of LDAP groups.
|
||||
* Fixed an indexing bug that prevented the contents of autofs maps
|
||||
from being returned to the automounter deamon in case the map
|
||||
contained a large number of entries.
|
||||
* Several fixes for safer handling of Kerberos credential caches
|
||||
for cases where the ccache is set to be stored in a DIR: type.
|
||||
- Remove Provide-a-be_get_account_info_send-function.patch,
|
||||
Add-unit-tests-for-simple-access-test-by-groups.patch,
|
||||
Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch,
|
||||
Resolve-GIDs-in-the-simple-access-provider.patch
|
||||
(CVE-2013-0287 material is in upstream),
|
||||
sssd-sysdb-binary-attrs.diff (merged upstream)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de
|
||||
|
||||
|
13
sssd.spec
13
sssd.spec
@ -17,13 +17,12 @@
|
||||
|
||||
|
||||
Name: sssd
|
||||
Version: 1.9.4
|
||||
Version: 1.9.5
|
||||
Release: 0
|
||||
Summary: System Security Services Daemon
|
||||
License: GPL-3.0+ and LGPL-3.0+
|
||||
Group: System/Daemons
|
||||
Url: https://fedorahosted.org/sssd/
|
||||
Requires(postun): pam-config
|
||||
|
||||
#Git-Clone: git://git.fedorahosted.org/sssd
|
||||
Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz
|
||||
@ -32,13 +31,6 @@ Source3: baselibs.conf
|
||||
Patch1: 0005-implicit-decl.diff
|
||||
Patch2: sssd-ldflags.diff
|
||||
Patch3: sssd-no-ldb-check.diff
|
||||
Patch4: sssd-sysdb-binary-attrs.diff
|
||||
# Fixes for CVE-2013-0287 (will be part of 1.9.5) when released
|
||||
Patch5: Provide-a-be_get_account_info_send-function.patch
|
||||
Patch6: Add-unit-tests-for-simple-access-test-by-groups.patch
|
||||
Patch7: Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
|
||||
Patch8: Resolve-GIDs-in-the-simple-access-provider.patch
|
||||
# End Fixed for CVE-2013-0287
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
%define servicename sssd
|
||||
@ -111,6 +103,7 @@ BuildRequires: systemd
|
||||
%if %suse_version >= 1230
|
||||
BuildRequires: gpg-offline
|
||||
%endif
|
||||
Requires(postun): pam-config
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
@ -210,7 +203,7 @@ Security Services Daemon (sssd).
|
||||
%prep
|
||||
%{?gpg_verify: %gpg_verify %{S:2}}
|
||||
%setup -q
|
||||
%patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -p1
|
||||
%patch -P 1 -P 2 -P 3 -p1
|
||||
|
||||
%build
|
||||
%if 0%{?suse_version} < 1210
|
||||
|
Loading…
Reference in New Issue
Block a user