pool/sssd
SHA256
2
0
Fork 3
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 174889 from network:ldap

Browse Source 
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/174889
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=46
This commit is contained in:
Stephan Kulow 2013-05-13 13:39:41 +00:00 committed by Git OBS Bridge
commit bef1999863
11 changed files with 37 additions and 2438 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

414
Add-unit-tests-for-simple-access-test-by-groups.patch
View File

@ -1,414 +0,0 @@
From e5f0ef211e81fcd7a87d5e37b0aadca50201c6d6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 3 Mar 2013 21:43:44 +0100
Subject: Add unit tests for simple access test by groups
I realized that the current unit tests for the simple access provider
only tested the user directives. To have a baseline and be able to
detect new bugs in the upcoming patch, I implemented unit tests for the
group lists, too.
(cherry picked from commit 754b09b5444e6da88ed58d6deaed8b815e268b6b)
---
src/tests/simple_access-tests.c | 285 +++++++++++++++++++++++++++++++++++-----
1 file changed, 253 insertions(+), 32 deletions(-)
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
index c61814e..577c6d3 100644
--- a/src/tests/simple_access-tests.c
+++ b/src/tests/simple_access-tests.c
@@ -30,39 +30,152 @@
#include "providers/simple/simple_access.h"
#include "tests/common.h"
+#define TESTS_PATH "tests_simple_access"
+#define TEST_CONF_FILE "tests_conf.ldb"
+
const char *ulist_1[] = {"u1", "u2", NULL};
+const char *glist_1[] = {"g1", "g2", NULL};
+
+struct simple_test_ctx *test_ctx = NULL;
+
+struct simple_test_ctx {
+ struct sysdb_ctx *sysdb;
+ struct confdb_ctx *confdb;
-struct simple_ctx *ctx = NULL;
+ struct simple_ctx *ctx;
+};
void setup_simple(void)
{
- fail_unless(ctx == NULL, "Simple context already initialized.");
- ctx = talloc_zero(NULL, struct simple_ctx);
- fail_unless(ctx != NULL, "Cannot create simple context.");
-
- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
- ctx->domain->case_sensitive = true;
+ errno_t ret;
+ char *conf_db;
+ const char *val[2];
+ val[1] = NULL;
+
+ /* Create tests directory if it doesn't exist */
+ /* (relative to current dir) */
+ ret = mkdir(TESTS_PATH, 0775);
+ fail_if(ret == -1 && errno != EEXIST,
+ "Could not create %s directory", TESTS_PATH);
+
+ fail_unless(test_ctx == NULL, "Simple context already initialized.");
+ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
+ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
+
+ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
+ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
+
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
+ fail_if(conf_db == NULL, "Out of memory, aborting!");
+ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
+
+ /* Connect to the conf db */
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
+ fail_if(ret != EOK, "Could not initialize connection to the confdb");
+
+ val[0] = "LOCAL";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/sssd", "domains", val);
+ fail_if(ret != EOK, "Could not initialize domains placeholder");
+
+ val[0] = "local";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "id_provider", val);
+ fail_if(ret != EOK, "Could not initialize provider");
+
+ val[0] = "TRUE";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "enumerate", val);
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
+
+ val[0] = "TRUE";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "cache_credentials", val);
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
+
+ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
+ TESTS_PATH,
+ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
+ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
+ test_ctx->ctx->domain->case_sensitive = true;
}
void teardown_simple(void)
{
int ret;
- fail_unless(ctx != NULL, "Simple context already freed.");
- ret = talloc_free(ctx);
- ctx = NULL;
+ fail_unless(test_ctx != NULL, "Simple context already freed.");
+ ret = talloc_free(test_ctx);
+ test_ctx = NULL;
fail_unless(ret == 0, "Connot free simple context.");
}
+void setup_simple_group(void)
+{
+ errno_t ret;
+
+ setup_simple();
+
+ /* Add test users u1 and u2 that would be members of test groups
+ * g1 and g2 respectively */
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
+ "u1", NULL, 123, 0, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ fail_if(ret != EOK, "Could not add u1");
+
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
+ "u2", NULL, 456, 0, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ fail_if(ret != EOK, "Could not add u2");
+
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
+ "u3", NULL, 789, 0, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ fail_if(ret != EOK, "Could not add u3");
+
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
+ "g1", 321, NULL, 0, 0);
+ fail_if(ret != EOK, "Could not add g1");
+
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
+ "g2", 654, NULL, 0, 0);
+ fail_if(ret != EOK, "Could not add g2");
+
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
+ "g1", "u1", SYSDB_MEMBER_USER);
+ fail_if(ret != EOK, "Could not add u1 to g1");
+
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
+ "g2", "u2", SYSDB_MEMBER_USER);
+ fail_if(ret != EOK, "Could not add u2 to g2");
+}
+
+void teardown_simple_group(void)
+{
+ errno_t ret;
+
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
+ fail_if(ret != EOK, "Could not delete u1");
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
+ fail_if(ret != EOK, "Could not delete u2");
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
+ fail_if(ret != EOK, "Could not delete u3");
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
+ fail_if(ret != EOK, "Could not delete g1");
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
+ fail_if(ret != EOK, "Could not delete g2");
+
+ teardown_simple();
+}
+
START_TEST(test_both_empty)
{
int ret;
bool access_granted = false;
- ctx->allow_users = NULL;
- ctx->deny_users = NULL;
+ test_ctx->ctx->allow_users = NULL;
+ test_ctx->ctx->deny_users = NULL;
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"while both lists are empty.");
@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
int ret;
bool access_granted = true;
- ctx->allow_users = NULL;
- ctx->deny_users = discard_const(ulist_1);
+ test_ctx->ctx->allow_users = NULL;
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is in deny list.");
- ret = simple_access_check(ctx, "u3", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"while user is not in deny list.");
@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
int ret;
bool access_granted = false;
- ctx->allow_users = discard_const(ulist_1);
- ctx->deny_users = NULL;
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
+ test_ctx->ctx->deny_users = NULL;
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"while user is in allow list.");
- ret = simple_access_check(ctx, "u3", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is not in allow list.");
@@ -114,15 +227,15 @@ START_TEST(test_both_set)
int ret;
bool access_granted = false;
- ctx->allow_users = discard_const(ulist_1);
- ctx->deny_users = discard_const(ulist_1);
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is in deny list.");
- ret = simple_access_check(ctx, "u3", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is not in allow list.");
@@ -134,18 +247,18 @@ START_TEST(test_case)
int ret;
bool access_granted = false;
- ctx->allow_users = discard_const(ulist_1);
- ctx->deny_users = NULL;
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
+ test_ctx->ctx->deny_users = NULL;
- ret = simple_access_check(ctx, "U1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"for user with different case "
"in case-sensitive domain");
- ctx->domain->case_sensitive = false;
+ test_ctx->ctx->domain->case_sensitive = false;
- ret = simple_access_check(ctx, "U1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"for user with different case "
@@ -153,11 +266,95 @@ START_TEST(test_case)
}
END_TEST
+START_TEST(test_group_allow_empty)
+{
+ int ret;
+ bool access_granted = true;
+
+ test_ctx->ctx->allow_groups = NULL;
+ test_ctx->ctx->deny_groups = discard_const(glist_1);
+
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is in deny list.");
+
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while group is not in deny list.");
+}
+END_TEST
+
+START_TEST(test_group_deny_empty)
+{
+ int ret;
+ bool access_granted = false;
+
+ test_ctx->ctx->allow_groups = discard_const(glist_1);
+ test_ctx->ctx->deny_groups = NULL;
+
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while group is in allow list.");
+
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is not in allow list.");
+}
+END_TEST
+
+START_TEST(test_group_both_set)
+{
+ int ret;
+ bool access_granted = false;
+
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
+ test_ctx->ctx->deny_groups = discard_const(ulist_1);
+
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is in deny list.");
+
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is not in allow list.");
+}
+END_TEST
+
+START_TEST(test_group_case)
+{
+ int ret;
+ bool access_granted = false;
+
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
+ test_ctx->ctx->deny_groups = NULL;
+
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "for group with different case "
+ "in case-sensitive domain");
+
+ test_ctx->ctx->domain->case_sensitive = false;
+
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "for group with different case "
+ "in case-insensitive domain");
+}
+END_TEST
+
Suite *access_simple_suite (void)
{
Suite *s = suite_create("access_simple");
- TCase *tc_allow_deny = tcase_create("allow/deny");
+ TCase *tc_allow_deny = tcase_create("user allow/deny");
tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
tcase_add_test(tc_allow_deny, test_both_empty);
tcase_add_test(tc_allow_deny, test_allow_empty);
@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
tcase_add_test(tc_allow_deny, test_case);
suite_add_tcase(s, tc_allow_deny);
+ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
+ tcase_add_checked_fixture(tc_grp_allow_deny,
+ setup_simple_group, teardown_simple_group);
+ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
+ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
+ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
+ tcase_add_test(tc_grp_allow_deny, test_group_case);
+ suite_add_tcase(s, tc_grp_allow_deny);
+
return s;
}
@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
int opt;
poptContext pc;
int number_failed;
+ int ret;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
srunner_run_all(sr, CK_ENV);
number_failed = srunner_ntests_failed(sr);
srunner_free(sr);
+
+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
+ if (ret != EOK) {
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
+ errno, strerror(errno));
+ return EXIT_FAILURE;
+ }
+ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
+ if (ret != EOK) {
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
+ errno, strerror(errno));
+ return EXIT_FAILURE;
+ }
+
return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
}
--
1.8.1.4

41
Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
View File

@ -1,41 +0,0 @@
From 8dfcfe629db83eb58dd6613aa174222cb853afb1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 4 Mar 2013 16:37:04 +0100
Subject: Do not compile main() in DP if UNIT_TESTING is defined
The simple access provider unit tests now need to link against the Data
Provider when they start using the be_file_account_request() function.
But then we would start having conflicts as at least the main()
functions would clash.
If UNIT_TESTING is defined, then the data_provider_be.c module does not
contain the main() function and can be linked against directly from
another module that contains its own main() function
(cherry picked from commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb)
---
src/providers/data_provider_be.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index f85a04d..33590ae 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -2651,6 +2651,7 @@ fail:
return ret;
}
+#ifndef UNIT_TESTING
int main(int argc, const char *argv[])
{
int opt;
@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
return 0;
}
+#endif
static int data_provider_res_init(DBusMessage *message,
struct sbus_connection *conn)
--
1.8.1.4

237
Provide-a-be_get_account_info_send-function.patch
View File

@ -1,237 +0,0 @@
From 455737c0b4b0c1bfeed54f2e27e397ce403acbca Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 22 Feb 2013 11:01:38 +0100
Subject: Provide a be_get_account_info_send function
In order to resolve group names in the simple access provider we need to
contact the Data Provider in a generic fashion from the access provider.
We can't call any particular implementation (like sdap_generic_send())
because we have no idea what kind of provider is configured as the
id_provider.
This patch splits introduces the be_file_account_request() function into
the data_provider_be module and makes it public.
A future patch should make the be_get_account_info function use the
be_get_account_info_send function.
(cherry picked from commit b63830b142053f99bfe954d4be5a2b0f68ce3a93)
---
src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++-----
src/providers/dp_backend.h | 15 ++++
2 files changed, 149 insertions(+), 19 deletions(-)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index b261bf8..f85a04d 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
}
static errno_t
+be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
+{
+ errno_t ret;
+ struct be_ctx *be_ctx = be_req->be_ctx;
+
+ be_req->req_data = ar;
+
+ /* see if we need a pre request call, only done for initgroups for now */
+ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
+ ret = be_initgroups_prereq(be_req);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
+ return ret;
+ }
+ }
+
+ /* process request */
+ ret = be_file_request(be_ctx, be_req,
+ be_ctx->bet_info[BET_ID].bet_ops->handler);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t
split_name_extended(TALLOC_CTX *mem_ctx,
const char *filter,
char **name,
@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
return EOK;
}
+static void
+be_get_account_info_done(struct be_req *be_req,
+ int dp_err, int dp_ret,
+ const char *errstr);
+
+struct be_get_account_info_state {
+ int err_maj;
+ int err_min;
+ const char *err_msg;
+};
+
+struct tevent_req *
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_client *becli,
+ struct be_ctx *be_ctx,
+ struct be_acct_req *ar)
+{
+ struct tevent_req *req;
+ struct be_get_account_info_state *state;
+ struct be_req *be_req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct be_get_account_info_state);
+ if (!req) return NULL;
+
+ be_req = talloc_zero(mem_ctx, struct be_req);
+ if (be_req == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ be_req->becli = becli;
+ be_req->be_ctx = be_ctx;
+ be_req->fn = be_get_account_info_done;
+ be_req->pvt = req;
+
+ ret = be_file_account_request(be_req, ar);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ return req;
+
+done:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void
+be_get_account_info_done(struct be_req *be_req,
+ int dp_err, int dp_ret,
+ const char *errstr)
+{
+ struct tevent_req *req;
+ struct be_get_account_info_state *state;
+
+ req = talloc_get_type(be_req->pvt, struct tevent_req);
+ state = tevent_req_data(req, struct be_get_account_info_state);
+
+ state->err_maj = dp_err;
+ state->err_min = dp_ret;
+ if (errstr) {
+ state->err_msg = talloc_strdup(state, errstr);
+ if (state->err_msg == NULL) {
+ talloc_free(be_req);
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ }
+
+ talloc_free(be_req);
+ tevent_req_done(req);
+}
+
+errno_t be_get_account_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ int *_err_maj,
+ int *_err_min,
+ const char **_err_msg)
+{
+ struct be_get_account_info_state *state;
+
+ state = tevent_req_data(req, struct be_get_account_info_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_err_maj) {
+ *_err_maj = state->err_maj;
+ }
+
+ if (_err_min) {
+ *_err_min = state->err_min;
+ }
+
+ if (_err_msg) {
+ *_err_msg = talloc_steal(mem_ctx, state->err_msg);
+ }
+
+ return EOK;
+}
+
static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
{
struct be_acct_req *req;
@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
goto done;
}
- be_req->req_data = req;
-
if ((attr_type != BE_ATTR_CORE) &&
(attr_type != BE_ATTR_MEM) &&
(attr_type != BE_ATTR_ALL)) {
@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
goto done;
}
- /* see if we need a pre request call, only done for initgroups for now */
- if ((type & 0xFF) == BE_REQ_INITGROUPS) {
- ret = be_initgroups_prereq(be_req);
- if (ret) {
- err_maj = DP_ERR_FATAL;
- err_min = ret;
- err_msg = "Prerequest failed";
- goto done;
- }
- }
-
- /* process request */
-
- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
- be_req,
- becli->bectx->bet_info[BET_ID].bet_ops->handler);
+ ret = be_file_account_request(be_req, req);
if (ret != EOK) {
err_maj = DP_ERR_FATAL;
err_min = ret;
- err_msg = "Failed to file request";
+ err_msg = "Cannot file account request";
goto done;
}
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
index 58a9b74..743b6f4 100644
--- a/src/providers/dp_backend.h
+++ b/src/providers/dp_backend.h
@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
const char *service_name);
void reset_fo(struct be_ctx *be_ctx);
+
+/* Request account information */
+struct tevent_req *
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_client *becli,
+ struct be_ctx *be_ctx,
+ struct be_acct_req *ar);
+
+errno_t be_get_account_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ int *_err_maj,
+ int *_err_min,
+ const char **_err_msg);
+
#endif /* __DP_BACKEND_H___ */
--
1.8.1.4

1624
Resolve-GIDs-in-the-simple-access-provider.patch
View File

File diff suppressed because it is too large Load Diff

3
sssd-1.9.4.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:20e39d7c5d89e217b5301f7e75360eb869ac1889701755a598fb3fbed923f4b4
size 3050325

7
sssd-1.9.4.tar.gz.asc
View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iEYEABECAAYFAlEG6DYACgkQHsardTLnvCXjrgCeMSfawp5NaaIu82GDZOq7EMxL
tqwAmgN3gn9e7y6AzeSBdYCCcPAyLLFo
=hHxo
-----END PGP SIGNATURE-----

3
sssd-1.9.5.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a377c436901e92d689de811d48e37d88764460e889e47bfddd90626f0a8a015c
size 3106988

7
sssd-1.9.5.tar.gz.asc Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iEYEABECAAYFAlF2gY4ACgkQHsardTLnvCW6+QCg4VWHi8mlbi6FQufRtUXOTB2j
5OAAniig5/DUZa/mrzUb+8kteg3nanNS
=3VHJ
-----END PGP SIGNATURE-----

102
sssd-sysdb-binary-attrs.diff
View File

@ -1,102 +0,0 @@
From 3229c2107e4645240cfc4aa5d262e5330c356a49 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Thu, 21 Feb 2013 13:12:25 +0100
Subject: [PATCH] sysdb: try dealing with binary-content attributes
I have here a LDAP user entry which has this attribute
loginAllowedTimeMap::
AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)
Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.
The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.
---
src/db/sysdb.c | 10 ++++++++++
src/db/sysdb.h | 2 ++
src/providers/ldap/sdap.c | 7 +++----
src/providers/ldap/sdap_async.c | 4 ++--
4 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index e7524f4..7c34791 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -512,6 +512,16 @@ int sysdb_attrs_add_string(struct sysdb_attrs *attrs,
return sysdb_attrs_add_val(attrs, name, &v);
}
+int sysdb_attrs_add_mem(struct sysdb_attrs *attrs, const char *name,
+ const void *mem, size_t size)
+{
+ struct ldb_val v;
+
+ v.data = discard_const(mem);
+ v.length = size;
+ return sysdb_attrs_add_val(attrs, name, &v);
+}
+
int sysdb_attrs_add_bool(struct sysdb_attrs *attrs,
const char *name, bool value)
{
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index fff97a8..23cbbb0 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -250,6 +250,8 @@ int sysdb_attrs_add_val(struct sysdb_attrs *attrs,
const char *name, const struct ldb_val *val);
int sysdb_attrs_add_string(struct sysdb_attrs *attrs,
const char *name, const char *str);
+int sysdb_attrs_add_mem(struct sysdb_attrs *, const char *,
+ const void *, size_t);
int sysdb_attrs_add_bool(struct sysdb_attrs *attrs,
const char *name, bool value);
int sysdb_attrs_add_long(struct sysdb_attrs *attrs,
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 371121b..988f27d 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -474,10 +474,9 @@ errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
for (i=0; dval->vals[i].bv_val; i++) {
DEBUG(9, ("Dereferenced attribute value: %s\n",
dval->vals[i].bv_val));
- v.data = (uint8_t *) dval->vals[i].bv_val;
- v.length = dval->vals[i].bv_len;
-
- ret = sysdb_attrs_add_val(res[mi]->attrs, name, &v);
+ ret = sysdb_attrs_add_mem(res[mi]->attrs, name,
+ dval->vals[i].bv_val,
+ dval->vals[i].bv_len);
if (ret) goto done;
}
}
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 84497b7..b7d9839 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2226,8 +2226,8 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs,
DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding %s [%s] to attributes "
"of [%s].\n", desc, el->values[i].data, objname));
- ret = sysdb_attrs_add_string(attrs, attr_name,
- (const char *) el->values[i].data);
+ ret = sysdb_attrs_add_mem(attrs, attr_name, el->values[i].data,
+ el->values[i].length);
if (ret) {
return ret;
}
--
1.7.10.4

24
sssd.changes
View File

@ -1,3 +1,27 @@
-------------------------------------------------------------------
Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de
- Update to new upstream release 1.9.5
* Includes a fix for CVE-2013-0287: A simple access provider flaw
prevents intended ACL use when SSSD is configured as an Active
Directory client.
* Fixed spurious password expiration warning that was printed on
login with the Kerberos back end.
* A new option ldap_rfc2307_fallback_to_local_users was added. If
this option is set to true, SSSD is be able to resolve local
group members of LDAP groups.
* Fixed an indexing bug that prevented the contents of autofs maps
from being returned to the automounter deamon in case the map
contained a large number of entries.
* Several fixes for safer handling of Kerberos credential caches
for cases where the ccache is set to be stored in a DIR: type.
- Remove Provide-a-be_get_account_info_send-function.patch,
Add-unit-tests-for-simple-access-test-by-groups.patch,
Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch,
Resolve-GIDs-in-the-simple-access-provider.patch
(CVE-2013-0287 material is in upstream),
sssd-sysdb-binary-attrs.diff (merged upstream)
-------------------------------------------------------------------
Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de

13
sssd.spec
View File

@ -17,13 +17,12 @@
Name: sssd
Version: 1.9.4
Version: 1.9.5
Release: 0
Summary: System Security Services Daemon
License: GPL-3.0+ and LGPL-3.0+
Group: System/Daemons
Url: https://fedorahosted.org/sssd/
Requires(postun): pam-config
#Git-Clone: git://git.fedorahosted.org/sssd
Source: https://fedorahosted.org/released/sssd/sssd-%version.tar.gz
@ -32,13 +31,6 @@ Source3: baselibs.conf
Patch1: 0005-implicit-decl.diff
Patch2: sssd-ldflags.diff
Patch3: sssd-no-ldb-check.diff
Patch4: sssd-sysdb-binary-attrs.diff
# Fixes for CVE-2013-0287 (will be part of 1.9.5) when released
Patch5: Provide-a-be_get_account_info_send-function.patch
Patch6: Add-unit-tests-for-simple-access-test-by-groups.patch
Patch7: Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
Patch8: Resolve-GIDs-in-the-simple-access-provider.patch
# End Fixed for CVE-2013-0287
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define servicename sssd
@ -111,6 +103,7 @@ BuildRequires: systemd
%if %suse_version >= 1230
BuildRequires: gpg-offline
%endif
Requires(postun): pam-config
%description
Provides a set of daemons to manage access to remote directories and
@ -210,7 +203,7 @@ Security Services Daemon (sssd).
%prep
%{?gpg_verify: %gpg_verify %{S:2}}
%setup -q
%patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -p1
%patch -P 1 -P 2 -P 3 -p1
%build
%if 0%{?suse_version} < 1210