Accepting request 160208 from network:ldap
CVE-2013-0287 (bnc#809153) (forwarded request 160207 from rhafer) OBS-URL: https://build.opensuse.org/request/show/160208 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=44
This commit is contained in:
parent
0d7e32d3cc
commit
9ba0639961
414
Add-unit-tests-for-simple-access-test-by-groups.patch
Normal file
414
Add-unit-tests-for-simple-access-test-by-groups.patch
Normal file
@ -0,0 +1,414 @@
|
|||||||
|
From e5f0ef211e81fcd7a87d5e37b0aadca50201c6d6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Sun, 3 Mar 2013 21:43:44 +0100
|
||||||
|
Subject: Add unit tests for simple access test by groups
|
||||||
|
|
||||||
|
I realized that the current unit tests for the simple access provider
|
||||||
|
only tested the user directives. To have a baseline and be able to
|
||||||
|
detect new bugs in the upcoming patch, I implemented unit tests for the
|
||||||
|
group lists, too.
|
||||||
|
(cherry picked from commit 754b09b5444e6da88ed58d6deaed8b815e268b6b)
|
||||||
|
---
|
||||||
|
src/tests/simple_access-tests.c | 285 +++++++++++++++++++++++++++++++++++-----
|
||||||
|
1 file changed, 253 insertions(+), 32 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
|
||||||
|
index c61814e..577c6d3 100644
|
||||||
|
--- a/src/tests/simple_access-tests.c
|
||||||
|
+++ b/src/tests/simple_access-tests.c
|
||||||
|
@@ -30,39 +30,152 @@
|
||||||
|
#include "providers/simple/simple_access.h"
|
||||||
|
#include "tests/common.h"
|
||||||
|
|
||||||
|
+#define TESTS_PATH "tests_simple_access"
|
||||||
|
+#define TEST_CONF_FILE "tests_conf.ldb"
|
||||||
|
+
|
||||||
|
const char *ulist_1[] = {"u1", "u2", NULL};
|
||||||
|
+const char *glist_1[] = {"g1", "g2", NULL};
|
||||||
|
+
|
||||||
|
+struct simple_test_ctx *test_ctx = NULL;
|
||||||
|
+
|
||||||
|
+struct simple_test_ctx {
|
||||||
|
+ struct sysdb_ctx *sysdb;
|
||||||
|
+ struct confdb_ctx *confdb;
|
||||||
|
|
||||||
|
-struct simple_ctx *ctx = NULL;
|
||||||
|
+ struct simple_ctx *ctx;
|
||||||
|
+};
|
||||||
|
|
||||||
|
void setup_simple(void)
|
||||||
|
{
|
||||||
|
- fail_unless(ctx == NULL, "Simple context already initialized.");
|
||||||
|
- ctx = talloc_zero(NULL, struct simple_ctx);
|
||||||
|
- fail_unless(ctx != NULL, "Cannot create simple context.");
|
||||||
|
-
|
||||||
|
- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
|
||||||
|
- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
|
||||||
|
- ctx->domain->case_sensitive = true;
|
||||||
|
+ errno_t ret;
|
||||||
|
+ char *conf_db;
|
||||||
|
+ const char *val[2];
|
||||||
|
+ val[1] = NULL;
|
||||||
|
+
|
||||||
|
+ /* Create tests directory if it doesn't exist */
|
||||||
|
+ /* (relative to current dir) */
|
||||||
|
+ ret = mkdir(TESTS_PATH, 0775);
|
||||||
|
+ fail_if(ret == -1 && errno != EEXIST,
|
||||||
|
+ "Could not create %s directory", TESTS_PATH);
|
||||||
|
+
|
||||||
|
+ fail_unless(test_ctx == NULL, "Simple context already initialized.");
|
||||||
|
+ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
|
||||||
|
+ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
|
||||||
|
+ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
|
||||||
|
+
|
||||||
|
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
|
||||||
|
+ fail_if(conf_db == NULL, "Out of memory, aborting!");
|
||||||
|
+ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
|
||||||
|
+
|
||||||
|
+ /* Connect to the conf db */
|
||||||
|
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize connection to the confdb");
|
||||||
|
+
|
||||||
|
+ val[0] = "LOCAL";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/sssd", "domains", val);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize domains placeholder");
|
||||||
|
+
|
||||||
|
+ val[0] = "local";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/domain/LOCAL", "id_provider", val);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize provider");
|
||||||
|
+
|
||||||
|
+ val[0] = "TRUE";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/domain/LOCAL", "enumerate", val);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
|
||||||
|
+
|
||||||
|
+ val[0] = "TRUE";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/domain/LOCAL", "cache_credentials", val);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
|
||||||
|
+ TESTS_PATH,
|
||||||
|
+ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
|
||||||
|
+ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
|
||||||
|
+ test_ctx->ctx->domain->case_sensitive = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
void teardown_simple(void)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
- fail_unless(ctx != NULL, "Simple context already freed.");
|
||||||
|
- ret = talloc_free(ctx);
|
||||||
|
- ctx = NULL;
|
||||||
|
+ fail_unless(test_ctx != NULL, "Simple context already freed.");
|
||||||
|
+ ret = talloc_free(test_ctx);
|
||||||
|
+ test_ctx = NULL;
|
||||||
|
fail_unless(ret == 0, "Connot free simple context.");
|
||||||
|
}
|
||||||
|
|
||||||
|
+void setup_simple_group(void)
|
||||||
|
+{
|
||||||
|
+ errno_t ret;
|
||||||
|
+
|
||||||
|
+ setup_simple();
|
||||||
|
+
|
||||||
|
+ /* Add test users u1 and u2 that would be members of test groups
|
||||||
|
+ * g1 and g2 respectively */
|
||||||
|
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||||
|
+ "u1", NULL, 123, 0, "u1", "/home/u1",
|
||||||
|
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not add u1");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||||
|
+ "u2", NULL, 456, 0, "u1", "/home/u1",
|
||||||
|
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not add u2");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
|
||||||
|
+ "u3", NULL, 789, 0, "u1", "/home/u1",
|
||||||
|
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not add u3");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
|
||||||
|
+ "g1", 321, NULL, 0, 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not add g1");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
|
||||||
|
+ "g2", 654, NULL, 0, 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not add g2");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
|
||||||
|
+ "g1", "u1", SYSDB_MEMBER_USER);
|
||||||
|
+ fail_if(ret != EOK, "Could not add u1 to g1");
|
||||||
|
+
|
||||||
|
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
|
||||||
|
+ "g2", "u2", SYSDB_MEMBER_USER);
|
||||||
|
+ fail_if(ret != EOK, "Could not add u2 to g2");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void teardown_simple_group(void)
|
||||||
|
+{
|
||||||
|
+ errno_t ret;
|
||||||
|
+
|
||||||
|
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not delete u1");
|
||||||
|
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not delete u2");
|
||||||
|
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not delete u3");
|
||||||
|
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not delete g1");
|
||||||
|
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
|
||||||
|
+ fail_if(ret != EOK, "Could not delete g2");
|
||||||
|
+
|
||||||
|
+ teardown_simple();
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
START_TEST(test_both_empty)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
bool access_granted = false;
|
||||||
|
|
||||||
|
- ctx->allow_users = NULL;
|
||||||
|
- ctx->deny_users = NULL;
|
||||||
|
+ test_ctx->ctx->allow_users = NULL;
|
||||||
|
+ test_ctx->ctx->deny_users = NULL;
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == true, "Access denied "
|
||||||
|
"while both lists are empty.");
|
||||||
|
@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
|
||||||
|
int ret;
|
||||||
|
bool access_granted = true;
|
||||||
|
|
||||||
|
- ctx->allow_users = NULL;
|
||||||
|
- ctx->deny_users = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->allow_users = NULL;
|
||||||
|
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == false, "Access granted "
|
||||||
|
"while user is in deny list.");
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == true, "Access denied "
|
||||||
|
"while user is not in deny list.");
|
||||||
|
@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
|
||||||
|
int ret;
|
||||||
|
bool access_granted = false;
|
||||||
|
|
||||||
|
- ctx->allow_users = discard_const(ulist_1);
|
||||||
|
- ctx->deny_users = NULL;
|
||||||
|
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->deny_users = NULL;
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == true, "Access denied "
|
||||||
|
"while user is in allow list.");
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == false, "Access granted "
|
||||||
|
"while user is not in allow list.");
|
||||||
|
@@ -114,15 +227,15 @@ START_TEST(test_both_set)
|
||||||
|
int ret;
|
||||||
|
bool access_granted = false;
|
||||||
|
|
||||||
|
- ctx->allow_users = discard_const(ulist_1);
|
||||||
|
- ctx->deny_users = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == false, "Access granted "
|
||||||
|
"while user is in deny list.");
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "u3", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == false, "Access granted "
|
||||||
|
"while user is not in allow list.");
|
||||||
|
@@ -134,18 +247,18 @@ START_TEST(test_case)
|
||||||
|
int ret;
|
||||||
|
bool access_granted = false;
|
||||||
|
|
||||||
|
- ctx->allow_users = discard_const(ulist_1);
|
||||||
|
- ctx->deny_users = NULL;
|
||||||
|
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->deny_users = NULL;
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "U1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == false, "Access granted "
|
||||||
|
"for user with different case "
|
||||||
|
"in case-sensitive domain");
|
||||||
|
|
||||||
|
- ctx->domain->case_sensitive = false;
|
||||||
|
+ test_ctx->ctx->domain->case_sensitive = false;
|
||||||
|
|
||||||
|
- ret = simple_access_check(ctx, "U1", &access_granted);
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||||
|
fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
fail_unless(access_granted == true, "Access denied "
|
||||||
|
"for user with different case "
|
||||||
|
@@ -153,11 +266,95 @@ START_TEST(test_case)
|
||||||
|
}
|
||||||
|
END_TEST
|
||||||
|
|
||||||
|
+START_TEST(test_group_allow_empty)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ bool access_granted = true;
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx->allow_groups = NULL;
|
||||||
|
+ test_ctx->ctx->deny_groups = discard_const(glist_1);
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == false, "Access granted "
|
||||||
|
+ "while group is in deny list.");
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == true, "Access denied "
|
||||||
|
+ "while group is not in deny list.");
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
+START_TEST(test_group_deny_empty)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ bool access_granted = false;
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx->allow_groups = discard_const(glist_1);
|
||||||
|
+ test_ctx->ctx->deny_groups = NULL;
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == true, "Access denied "
|
||||||
|
+ "while group is in allow list.");
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == false, "Access granted "
|
||||||
|
+ "while group is not in allow list.");
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
+START_TEST(test_group_both_set)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ bool access_granted = false;
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->deny_groups = discard_const(ulist_1);
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == false, "Access granted "
|
||||||
|
+ "while group is in deny list.");
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == false, "Access granted "
|
||||||
|
+ "while group is not in allow list.");
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
+START_TEST(test_group_case)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ bool access_granted = false;
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
|
||||||
|
+ test_ctx->ctx->deny_groups = NULL;
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == false, "Access granted "
|
||||||
|
+ "for group with different case "
|
||||||
|
+ "in case-sensitive domain");
|
||||||
|
+
|
||||||
|
+ test_ctx->ctx->domain->case_sensitive = false;
|
||||||
|
+
|
||||||
|
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
|
||||||
|
+ fail_unless(ret == EOK, "access_simple_check failed.");
|
||||||
|
+ fail_unless(access_granted == true, "Access denied "
|
||||||
|
+ "for group with different case "
|
||||||
|
+ "in case-insensitive domain");
|
||||||
|
+}
|
||||||
|
+END_TEST
|
||||||
|
+
|
||||||
|
Suite *access_simple_suite (void)
|
||||||
|
{
|
||||||
|
Suite *s = suite_create("access_simple");
|
||||||
|
|
||||||
|
- TCase *tc_allow_deny = tcase_create("allow/deny");
|
||||||
|
+ TCase *tc_allow_deny = tcase_create("user allow/deny");
|
||||||
|
tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
|
||||||
|
tcase_add_test(tc_allow_deny, test_both_empty);
|
||||||
|
tcase_add_test(tc_allow_deny, test_allow_empty);
|
||||||
|
@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
|
||||||
|
tcase_add_test(tc_allow_deny, test_case);
|
||||||
|
suite_add_tcase(s, tc_allow_deny);
|
||||||
|
|
||||||
|
+ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
|
||||||
|
+ tcase_add_checked_fixture(tc_grp_allow_deny,
|
||||||
|
+ setup_simple_group, teardown_simple_group);
|
||||||
|
+ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
|
||||||
|
+ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
|
||||||
|
+ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
|
||||||
|
+ tcase_add_test(tc_grp_allow_deny, test_group_case);
|
||||||
|
+ suite_add_tcase(s, tc_grp_allow_deny);
|
||||||
|
+
|
||||||
|
return s;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
|
||||||
|
int opt;
|
||||||
|
poptContext pc;
|
||||||
|
int number_failed;
|
||||||
|
+ int ret;
|
||||||
|
|
||||||
|
struct poptOption long_options[] = {
|
||||||
|
POPT_AUTOHELP
|
||||||
|
@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
|
||||||
|
srunner_run_all(sr, CK_ENV);
|
||||||
|
number_failed = srunner_ntests_failed(sr);
|
||||||
|
srunner_free(sr);
|
||||||
|
+
|
||||||
|
+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
|
||||||
|
+ errno, strerror(errno));
|
||||||
|
+ return EXIT_FAILURE;
|
||||||
|
+ }
|
||||||
|
+ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
|
||||||
|
+ errno, strerror(errno));
|
||||||
|
+ return EXIT_FAILURE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.1.4
|
||||||
|
|
41
Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
Normal file
41
Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
From 8dfcfe629db83eb58dd6613aa174222cb853afb1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Mon, 4 Mar 2013 16:37:04 +0100
|
||||||
|
Subject: Do not compile main() in DP if UNIT_TESTING is defined
|
||||||
|
|
||||||
|
The simple access provider unit tests now need to link against the Data
|
||||||
|
Provider when they start using the be_file_account_request() function.
|
||||||
|
But then we would start having conflicts as at least the main()
|
||||||
|
functions would clash.
|
||||||
|
|
||||||
|
If UNIT_TESTING is defined, then the data_provider_be.c module does not
|
||||||
|
contain the main() function and can be linked against directly from
|
||||||
|
another module that contains its own main() function
|
||||||
|
(cherry picked from commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb)
|
||||||
|
---
|
||||||
|
src/providers/data_provider_be.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||||
|
index f85a04d..33590ae 100644
|
||||||
|
--- a/src/providers/data_provider_be.c
|
||||||
|
+++ b/src/providers/data_provider_be.c
|
||||||
|
@@ -2651,6 +2651,7 @@ fail:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef UNIT_TESTING
|
||||||
|
int main(int argc, const char *argv[])
|
||||||
|
{
|
||||||
|
int opt;
|
||||||
|
@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
static int data_provider_res_init(DBusMessage *message,
|
||||||
|
struct sbus_connection *conn)
|
||||||
|
--
|
||||||
|
1.8.1.4
|
||||||
|
|
237
Provide-a-be_get_account_info_send-function.patch
Normal file
237
Provide-a-be_get_account_info_send-function.patch
Normal file
@ -0,0 +1,237 @@
|
|||||||
|
From 455737c0b4b0c1bfeed54f2e27e397ce403acbca Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Fri, 22 Feb 2013 11:01:38 +0100
|
||||||
|
Subject: Provide a be_get_account_info_send function
|
||||||
|
|
||||||
|
In order to resolve group names in the simple access provider we need to
|
||||||
|
contact the Data Provider in a generic fashion from the access provider.
|
||||||
|
We can't call any particular implementation (like sdap_generic_send())
|
||||||
|
because we have no idea what kind of provider is configured as the
|
||||||
|
id_provider.
|
||||||
|
|
||||||
|
This patch splits introduces the be_file_account_request() function into
|
||||||
|
the data_provider_be module and makes it public.
|
||||||
|
|
||||||
|
A future patch should make the be_get_account_info function use the
|
||||||
|
be_get_account_info_send function.
|
||||||
|
(cherry picked from commit b63830b142053f99bfe954d4be5a2b0f68ce3a93)
|
||||||
|
---
|
||||||
|
src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++-----
|
||||||
|
src/providers/dp_backend.h | 15 ++++
|
||||||
|
2 files changed, 149 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||||
|
index b261bf8..f85a04d 100644
|
||||||
|
--- a/src/providers/data_provider_be.c
|
||||||
|
+++ b/src/providers/data_provider_be.c
|
||||||
|
@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
|
||||||
|
}
|
||||||
|
|
||||||
|
static errno_t
|
||||||
|
+be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
|
||||||
|
+{
|
||||||
|
+ errno_t ret;
|
||||||
|
+ struct be_ctx *be_ctx = be_req->be_ctx;
|
||||||
|
+
|
||||||
|
+ be_req->req_data = ar;
|
||||||
|
+
|
||||||
|
+ /* see if we need a pre request call, only done for initgroups for now */
|
||||||
|
+ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
|
||||||
|
+ ret = be_initgroups_prereq(be_req);
|
||||||
|
+ if (ret) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* process request */
|
||||||
|
+ ret = be_file_request(be_ctx, be_req,
|
||||||
|
+ be_ctx->bet_info[BET_ID].bet_ops->handler);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return EOK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static errno_t
|
||||||
|
split_name_extended(TALLOC_CTX *mem_ctx,
|
||||||
|
const char *filter,
|
||||||
|
char **name,
|
||||||
|
@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
|
||||||
|
return EOK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+be_get_account_info_done(struct be_req *be_req,
|
||||||
|
+ int dp_err, int dp_ret,
|
||||||
|
+ const char *errstr);
|
||||||
|
+
|
||||||
|
+struct be_get_account_info_state {
|
||||||
|
+ int err_maj;
|
||||||
|
+ int err_min;
|
||||||
|
+ const char *err_msg;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct tevent_req *
|
||||||
|
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
|
||||||
|
+ struct tevent_context *ev,
|
||||||
|
+ struct be_client *becli,
|
||||||
|
+ struct be_ctx *be_ctx,
|
||||||
|
+ struct be_acct_req *ar)
|
||||||
|
+{
|
||||||
|
+ struct tevent_req *req;
|
||||||
|
+ struct be_get_account_info_state *state;
|
||||||
|
+ struct be_req *be_req;
|
||||||
|
+ errno_t ret;
|
||||||
|
+
|
||||||
|
+ req = tevent_req_create(mem_ctx, &state,
|
||||||
|
+ struct be_get_account_info_state);
|
||||||
|
+ if (!req) return NULL;
|
||||||
|
+
|
||||||
|
+ be_req = talloc_zero(mem_ctx, struct be_req);
|
||||||
|
+ if (be_req == NULL) {
|
||||||
|
+ ret = ENOMEM;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ be_req->becli = becli;
|
||||||
|
+ be_req->be_ctx = be_ctx;
|
||||||
|
+ be_req->fn = be_get_account_info_done;
|
||||||
|
+ be_req->pvt = req;
|
||||||
|
+
|
||||||
|
+ ret = be_file_account_request(be_req, ar);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return req;
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ tevent_req_error(req, ret);
|
||||||
|
+ tevent_req_post(req, ev);
|
||||||
|
+ return req;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+be_get_account_info_done(struct be_req *be_req,
|
||||||
|
+ int dp_err, int dp_ret,
|
||||||
|
+ const char *errstr)
|
||||||
|
+{
|
||||||
|
+ struct tevent_req *req;
|
||||||
|
+ struct be_get_account_info_state *state;
|
||||||
|
+
|
||||||
|
+ req = talloc_get_type(be_req->pvt, struct tevent_req);
|
||||||
|
+ state = tevent_req_data(req, struct be_get_account_info_state);
|
||||||
|
+
|
||||||
|
+ state->err_maj = dp_err;
|
||||||
|
+ state->err_min = dp_ret;
|
||||||
|
+ if (errstr) {
|
||||||
|
+ state->err_msg = talloc_strdup(state, errstr);
|
||||||
|
+ if (state->err_msg == NULL) {
|
||||||
|
+ talloc_free(be_req);
|
||||||
|
+ tevent_req_error(req, ENOMEM);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ talloc_free(be_req);
|
||||||
|
+ tevent_req_done(req);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+errno_t be_get_account_info_recv(struct tevent_req *req,
|
||||||
|
+ TALLOC_CTX *mem_ctx,
|
||||||
|
+ int *_err_maj,
|
||||||
|
+ int *_err_min,
|
||||||
|
+ const char **_err_msg)
|
||||||
|
+{
|
||||||
|
+ struct be_get_account_info_state *state;
|
||||||
|
+
|
||||||
|
+ state = tevent_req_data(req, struct be_get_account_info_state);
|
||||||
|
+
|
||||||
|
+ TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||||
|
+
|
||||||
|
+ if (_err_maj) {
|
||||||
|
+ *_err_maj = state->err_maj;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (_err_min) {
|
||||||
|
+ *_err_min = state->err_min;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (_err_msg) {
|
||||||
|
+ *_err_msg = talloc_steal(mem_ctx, state->err_msg);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return EOK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
|
||||||
|
{
|
||||||
|
struct be_acct_req *req;
|
||||||
|
@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- be_req->req_data = req;
|
||||||
|
-
|
||||||
|
if ((attr_type != BE_ATTR_CORE) &&
|
||||||
|
(attr_type != BE_ATTR_MEM) &&
|
||||||
|
(attr_type != BE_ATTR_ALL)) {
|
||||||
|
@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* see if we need a pre request call, only done for initgroups for now */
|
||||||
|
- if ((type & 0xFF) == BE_REQ_INITGROUPS) {
|
||||||
|
- ret = be_initgroups_prereq(be_req);
|
||||||
|
- if (ret) {
|
||||||
|
- err_maj = DP_ERR_FATAL;
|
||||||
|
- err_min = ret;
|
||||||
|
- err_msg = "Prerequest failed";
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* process request */
|
||||||
|
-
|
||||||
|
- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
|
||||||
|
- be_req,
|
||||||
|
- becli->bectx->bet_info[BET_ID].bet_ops->handler);
|
||||||
|
+ ret = be_file_account_request(be_req, req);
|
||||||
|
if (ret != EOK) {
|
||||||
|
err_maj = DP_ERR_FATAL;
|
||||||
|
err_min = ret;
|
||||||
|
- err_msg = "Failed to file request";
|
||||||
|
+ err_msg = "Cannot file account request";
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
|
||||||
|
index 58a9b74..743b6f4 100644
|
||||||
|
--- a/src/providers/dp_backend.h
|
||||||
|
+++ b/src/providers/dp_backend.h
|
||||||
|
@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
|
||||||
|
const char *service_name);
|
||||||
|
|
||||||
|
void reset_fo(struct be_ctx *be_ctx);
|
||||||
|
+
|
||||||
|
+/* Request account information */
|
||||||
|
+struct tevent_req *
|
||||||
|
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
|
||||||
|
+ struct tevent_context *ev,
|
||||||
|
+ struct be_client *becli,
|
||||||
|
+ struct be_ctx *be_ctx,
|
||||||
|
+ struct be_acct_req *ar);
|
||||||
|
+
|
||||||
|
+errno_t be_get_account_info_recv(struct tevent_req *req,
|
||||||
|
+ TALLOC_CTX *mem_ctx,
|
||||||
|
+ int *_err_maj,
|
||||||
|
+ int *_err_min,
|
||||||
|
+ const char **_err_msg);
|
||||||
|
+
|
||||||
|
#endif /* __DP_BACKEND_H___ */
|
||||||
|
--
|
||||||
|
1.8.1.4
|
||||||
|
|
1624
Resolve-GIDs-in-the-simple-access-provider.patch
Normal file
1624
Resolve-GIDs-in-the-simple-access-provider.patch
Normal file
File diff suppressed because it is too large
Load Diff
15
sssd.changes
15
sssd.changes
@ -1,3 +1,18 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Mar 20 10:05:00 UTC 2013 - rhafer@suse.com
|
||||||
|
|
||||||
|
- Fixed security issue: CVE-2013-0287 (bnc#809153):
|
||||||
|
When SSSD is configured as an Active Directory client by using
|
||||||
|
the new Active Directory provider or equivalent configuration
|
||||||
|
of the LDAP provider, the Simple Access Provider does not
|
||||||
|
handle access control correctly. If any groups are specified
|
||||||
|
with the simple_deny_groups option, the group members are
|
||||||
|
permitted access. New patches:
|
||||||
|
* Provide-a-be_get_account_info_send-function.patch
|
||||||
|
* Add-unit-tests-for-simple-access-test-by-groups.patch
|
||||||
|
* Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
|
||||||
|
* Resolve-GIDs-in-the-simple-access-provider.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de
|
Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de
|
||||||
|
|
||||||
|
@ -32,6 +32,12 @@ Patch1: 0005-implicit-decl.diff
|
|||||||
Patch2: sssd-ldflags.diff
|
Patch2: sssd-ldflags.diff
|
||||||
Patch3: sssd-no-ldb-check.diff
|
Patch3: sssd-no-ldb-check.diff
|
||||||
Patch4: sssd-sysdb-binary-attrs.diff
|
Patch4: sssd-sysdb-binary-attrs.diff
|
||||||
|
# Fixes for CVE-2013-0287 (will be part of 1.9.5) when released
|
||||||
|
Patch5: Provide-a-be_get_account_info_send-function.patch
|
||||||
|
Patch6: Add-unit-tests-for-simple-access-test-by-groups.patch
|
||||||
|
Patch7: Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
|
||||||
|
Patch8: Resolve-GIDs-in-the-simple-access-provider.patch
|
||||||
|
# End Fixed for CVE-2013-0287
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
|
|
||||||
%define servicename sssd
|
%define servicename sssd
|
||||||
@ -200,7 +206,7 @@ Security Services Daemon (sssd).
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch -P 1 -P 2 -P 3 -P 4 -p1
|
%patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%if 0%{?suse_version} < 1210
|
%if 0%{?suse_version} < 1210
|
||||||
|
Loading…
Reference in New Issue
Block a user