[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 194 commits: BUILD.txt: fix invalid link
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Wed May 25 09:22:21 BST 2022
Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd
Commits:
ad8f0d35 by Pavel Březina at 2022-01-26T14:43:54+01:00
BUILD.txt: fix invalid link
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
2054f990 by Alexey Tikhonov at 2022-01-26T14:44:07+01:00
TESTS: fixed use-after-free
`test_ctx->filename` was allocated on the `owner` context that
is freed by this moment.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
c2e2036a by Alexey Tikhonov at 2022-01-26T14:44:07+01:00
UTILS: removed unused file helpers
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
23286d27 by Jakub Vavra at 2022-01-28T08:20:11+01:00
Tests: Update/fix AD parameters tests ported from bash
Update ssh password change test to set Min Age policy on AD.
Update ktutil automation in AD params to fix tests using it.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
c0f767c5 by Anuj Borah at 2022-02-01T11:44:15+01:00
Tests: Fix test_pass_krb5cname_to_pam test
Need restart and new ssd connection
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
7f6c2755 by Alexey Tikhonov at 2022-02-01T11:44:49+01:00
debug: suppress backtrace for backend errors
Don't trigger backtrace in responder log in case of backend fail.
(an addition to ca8b655fb676dde48eb72cfa6a520c696ada362c)
Resolves: https://github.com/SSSD/sssd/issues/5968
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
fa47bd1d by Alexey Tikhonov at 2022-02-01T11:45:06+01:00
CACHE_REQ: removed unused code
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
95b17d15 by Shridhar Gadekar at 2022-02-01T11:45:18+01:00
Tests: sssctl analyze capture tevent chain ID logic in logs
sssctl analyze should capture tevent chain ID in the logs,
verifies #5863
Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
7e41098e by Jakub Vavra at 2022-02-01T11:45:28+01:00
Tests: Add a test for bz1859315 - sssd does not use kerberos port that is set.
Verifies: SSSD-2827, SSSD-4262
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1859315
https://bugzilla.redhat.com/show_bug.cgi?id=2041560
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
7f4e04ba by Anuj Borah at 2022-02-01T11:45:39+01:00
Tests: Port the old ns_account_lock.sh script to pytest
Port the old ns_account_lock.sh script to pytest
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
fa2d7a49 by Sumit Bose at 2022-02-01T16:41:25+01:00
TEST: fix long line pep8 error
Was introduced by c0f767c5513183048a3abae447881ded505cce47
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
10a14594 by Jakub Vavra at 2022-02-04T14:50:05+01:00
Tests: [SSSD-3579]: Update test_0018_bz1734040 for RHEL 9.
The logging changed in RHEL 9, so regex update was done.
To trigger the condition it was needed to query for AD user
instead of root.
Made the mode of failure more clear from assert.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
bd6f6671 by Jakub Vavra at 2022-02-08T15:36:13+01:00
Tests: Use lazy initialization for ad_conn property of AD.
The lazy initialization of ad_conn should prevent failing in setup
in adjoin for tests that are not actively touching AD through ldap
connection. This way we isolate the LDAPS ldap.STRONG_AUTH_REQUIRED
error only to tests/fixtures that are actively using it.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
eb85382c by Jakub Vavra at 2022-02-08T15:36:13+01:00
Tests: Update ADOperations methods to use powershell.
Replace the direct ldap access with powershell in these functions.
Replace dsadd dsrm calls with powershell as well.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
6845db5a by Jakub Vavra at 2022-02-09T13:23:52+01:00
Tests: Add sleep before collecting logs in flaky ad parameters tests.
The tests in TestADParamsPorted:
test_0021_ad_parameters_ssh_change_password_logon
test_0022_ad_parameters_account_disabled
test_0023_ad_parameters_account_expired
collected log immediately after event but when cloud is under load
they were randomly failing as the log was not written yet.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
121576a4 by Iker Pedrosa at 2022-02-10T09:54:48+01:00
util: fix rawhide compilation problem
The signature for krb5_expire_callback_func() changed in
https://github.com/krb5/krb5/commit/aedd1fea8405d857c072fb41f2d38db9df31c70d
but it wasn't updated in sssd. That was causing a compilation issue in
rawhide that this commit fixes. The change only updates the sssd
signature to match the one provided by krb5.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
d1ad68fa by Sumit Bose at 2022-02-10T09:56:42+01:00
krb5_child: move FAST TGT request into a function
Make the code more flexible to add another method to get FAST
credentials.
Resolves: https://github.com/SSSD/sssd/issues/5961
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
58ab4137 by Sumit Bose at 2022-02-10T09:56:42+01:00
krb5_child: add fast-use-anonymous-pkinit option
Add anonymous PKINIT as an alternative method to get FAST credentials.
Resolves: https://github.com/SSSD/sssd/issues/5961
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
7e839bef by Sumit Bose at 2022-02-10T09:56:42+01:00
krb5: add krb5_fast_use_anonymous_pkinit option
With the new option krb5_fast_use_anonymous_pkinit SSSD can be told to
use anonymous PKINIT to get FAST credential
:relnote: Add support for anonymous PKINIT to get FAST credentials
Resolves: https://github.com/SSSD/sssd/issues/5961
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
0eb8564c by Steeve Goveas at 2022-02-10T09:57:25+01:00
Tests: Add tests for poor man's backtrace
Tests are added to check that no duplicate backtrace is generated and it
is generated when
* no debug level is defined / default debug level
* debug level is set to 0 or 1
* no backtrace when debug level is >= 9
* backtrace can be disabled
Verifies: #5585
https://bugzilla.redhat.com/show_bug.cgi?id=1949149
https://bugzilla.redhat.com/show_bug.cgi?id=2021196
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
b67caf27 by Samuel Cabrero at 2022-02-10T09:57:40+01:00
Tests: Use group1_dom1-19661 in test_pysss_nss_idmap.py
The group3_dom1-17775 group has a member referencing a user in a
different domain, which will make the test fail in the following
commits.
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
941418f4 by Samuel Cabrero at 2022-02-10T09:57:40+01:00
SDAP: Add 'ldap_ignore_unreadable_references' parameter
When resolving a group using the AD provider it may happen sssd doesn't
have permissions to read the entry referenced in the 'member' attribute,
for example when the entry is located under a restricted LDAP sub-tree
for security reasons.
In this scenario, the sssd behavior is not consistent and depends on the
ldap_deref_threshold parameter, that controls if an attribute scoped
query (ASQ) will be used or if the group members will be searched
individually. If an ASQ operation is issued, the operation will fail
because the referenced entry can't be parsed and this can
lead to missing groups and makes it impossible to use the group in simple
access provider. On the other hand, when the group members are looked
up individually sssd just ignores the unreadable entry.
This patch adds a new parameter 'ldap_ignore_unreadable_references' to
control if the current operation will fail when an unreadable entry is
found or the entry will be ignored, regardless if sssd issued an ASQ or
the members are looked up individually.
The issue can be replicated deploying this AD setup:
CN=users,DC=aforest,DC=ad
CN=g1,CN=users,DC=aforest,DC=ad
    member: CN=g2,CN=users,DC=aforest,DC=ad
    member: CN=g3,CN=users,DC=aforest,DC=ad
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user1,CN=users,DC=aforest,DC=ad
CN=g2,CN=users,DC=aforest,DC=ad
    member: CN=g3,CN=users,DC=aforest,DC=ad
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=g3,CN=users,DC=aforest,DC=ad <-- Deny access to sssd account
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g4,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=user1,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad
CN=user2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
CN=user3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
CN=user4,CN=users,DC=aforest,DC=ad
    memberOf: CN=g4,CN=users,DC=aforest,DC=ad
CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g5,CN=users,DC=aforest,DC=ad
And using this sssd.conf
-------------------------------------------------------------------------------
[sssd]
config_file_version = 2
services = nss, pam
domains = aforest.ad
[nss]
[pam]
[domain/aforest.ad]
auth_provider = ad
id_provider = ad
access_provider = simple
simple_allow_groups = g1
ldap_deref_threshold = 1
debug_level = 10
-------------------------------------------------------------------------------
In this setup sssd can't resolve group 'g1' because it fails parsing one
of the referenced members, 'g3':
$> getent group g1
No output.
$> id user5
uid=1862001108(user5) gid=1862000513(domain users) groups=1862000513(domain users),1862001111,18620011
When the group is used to filter access it does not work:
...
[simple_access_check_send] (0x0200): [RID#7] Simple access check for user1 at aforest.ad
...
[simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectSID=S-1-5-21-3230
...
[sdap_nested_group_hash_insert] (0x4000): [RID#8] Inserting [CN=g1,CN=Users,DC=aforest,DC=ad] into has
[sdap_nested_group_process_send] (0x2000): [RID#8] About to process group [CN=g1,CN=Users,DC=aforest,D
...
[sdap_nested_group_process_send] (0x0400): [RID#8] More members were missing than the deref threshold
[sdap_nested_group_process_send] (0x2000): [RID#8] Looking up 2/5 members of group [CN=g1,CN=Users,DC=
[sdap_nested_group_process_send] (0x2000): [RID#8] Dereferencing members of group [CN=g1,CN=Users,DC=a
[sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ
[sdap_asq_search_send] (0x0400): [RID#8] Dereferencing entry [CN=g1,CN=Users,DC=aforest,DC=ad] using A
...
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [no filter][CN=g1,CN=Users,
...
[sdap_process_message] (0x4000): [RID#8] Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3
[sdap_get_generic_op_finished] (0x0020): [RID#8] reply parsing callback failed.
[sdap_op_destructor] (0x1000): [RID#8] Abandoning operation 3
[generic_ext_search_handler] (0x0020): [RID#8] sdap_get_generic_ext_recv request failed: [22]: Invalid
[sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument
[sdap_nested_group_deref_direct_done] (0x0020): [RID#8] Error processing direct membership [22]: Inval
[sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument]
...
[simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed
...
[simple_check_get_groups_next] (0x2000): [RID#9] All groups resolved. Done.
[simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user user1 at aforest.ad
[simple_access_check_done] (0x0400): [RID#9] But no deny groups were defined so we can continue.
[simple_check_groups] (0x4000): [RID#9] Checking against allow list group name [g1 at aforest.ad].
[simple_access_check_done] (0x2000): [RID#9] Group check done
[simple_access_check_recv] (0x1000): [RID#9] Access not granted
...
Resolves: https://github.com/SSSD/sssd/issues/4893
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
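An added example, not part of the commit above or of SSSD: a Python scan of an SSSD domain log for the failure chain quoted in commit 941418f4 (an ASQ result entry with no objectClass, a failed nested group lookup, then a simple access denial). The sample lines are constructed in the format the commit message quotes, with the DN of `g3` written out in full; the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# "[function] (0xLEVEL): [RID#n] message", optionally preceded by a
# timestamp/component prefix, as in the lines quoted in the commit message.
LINE_RE = re.compile(
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): "
    r"\[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
# The closing bracket is optional so that truncated lines still yield a DN prefix.
DN_RE = re.compile(r"no objectClass found for DN \[(?P<dn>[^\]]+)")
CHECK_PREFIX = "Simple access check for "

# Constructed sample: the first check hits the unreadable reference to g3,
# the second is an ordinary denial (user simply not in the allowed group).
SAMPLE_LOG = """\
[simple_access_check_send] (0x0200): [RID#7] Simple access check for user1@aforest.ad
[simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups
[sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ
[sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3,CN=Users,DC=aforest,DC=ad]
[sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument
[sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument]
[simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed
[simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user user1@aforest.ad
[simple_access_check_recv] (0x1000): [RID#9] Access not granted
[simple_access_check_send] (0x0200): [RID#12] Simple access check for user9@aforest.ad
[simple_check_groups] (0x4000): [RID#12] Checking against allow list group name [g1@aforest.ad].
[simple_access_check_recv] (0x1000): [RID#12] Access not granted
"""


@dataclass
class Finding:
    user: str
    unreadable_dns: list = field(default_factory=list)
    group_lookup_failed: bool = False
    groups_incomplete: bool = False


def find_unreadable_reference_denials(log_text):
    """Return denials that followed an unparseable ASQ entry.

    The quoted log uses a different RID for the access check, the group
    lookup and the final decision, so events are correlated by order:
    everything between "Simple access check for ..." and the next
    simple_access_check_recv line is attributed to that check. This is an
    assumption that holds for one check at a time; interleaved checks in a
    busy log would need a stronger key.
    """
    findings = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if m is None:
            continue
        func, msg = m["func"], m["msg"]
        if func == "simple_access_check_send" and msg.startswith(CHECK_PREFIX):
            # The list archive renders "@" as " at "; normalise both forms.
            user = msg[len(CHECK_PREFIX):].strip().replace(" at ", "@")
            current = Finding(user=user)
        elif current is None:
            continue
        elif func == "sdap_asq_search_parse_entry":
            dn = DN_RE.search(msg)
            if dn:
                current.unreadable_dns.append(dn["dn"])
        elif func == "sdap_nested_done" and "Nested group processing failed" in msg:
            current.group_lookup_failed = True
        elif func == "simple_access_check_done" and msg.startswith(
            "Could not collect groups"
        ):
            current.groups_incomplete = True
        elif func == "simple_access_check_recv":
            # Report only denials that coincide with an unreadable reference.
            if msg.startswith("Access not granted") and current.unreadable_dns:
                findings.append(current)
            current = None
    return findings


if __name__ == "__main__":
    for f in find_unreadable_reference_denials(SAMPLE_LOG):
        print(f"{f.user}: denied after unreadable reference(s) {f.unreadable_dns}")
```

A hit from this scan points at the inconsistency the commit describes; whether to ignore the unreadable entry is then decided with the `ldap_ignore_unreadable_references` option the commit introduces.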
5c7fb41f by Samuel Cabrero at 2022-02-10T09:57:40+01:00
SDAP: Honor ldap_ignore_unreadable_references parameter
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
57d6af2f by Samuel Cabrero at 2022-02-10T09:57:40+01:00
Tests: Add a test for the ldap_ignore_unreadable_references parameter
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
bf9deea1 by Anuj Borah at 2022-02-10T11:35:49+01:00
Tests: Add 389-ds package to client machine
We need dsidm in client machine
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
00940cd1 by Tomas Halman at 2022-02-15T17:20:06+01:00
systemtap: Hard-coded path instead of @libdir@
There were hard-coded paths in the sssd.stp.in file. The probes did not
work on other platforms or if SSSD was compiled with a different prefix
like /usr/local.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
c41cc16c by Justin Stephenson at 2022-02-15T17:20:27+01:00
CI: Remove unused travis CI related files
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
3935e89c by Tomas Halman at 2022-02-15T17:20:54+01:00
ci: discard old builds
Until now builds were kept forever or until manual removal. That
caused an issue with running out of space occasionally.
With this change all builds older than 30 days are discarded.
The second limit removes oldest builds to keep the history
up to 70 builds.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
775150b5 by Sumit Bose at 2022-02-15T17:22:09+01:00
debug: add new debug level SSSDBG_PERF_STAT
SSSDBG_PERF_STAT should be used for statistical or performance data, e.g.
time needed for a request.
:relnote: A new debug level is added to show statistical and performance
data. Currently the duration of a backend request and of single LDAP
operations are recorded if debug_level is set to 9 or the bit 0x20000 is
set.
Resolves: https://github.com/SSSD/sssd/issues/5967
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
2fb5cbfa by Sumit Bose at 2022-02-15T17:22:09+01:00
util: add time measurement helpers
Two new calls get_start_time() and get_spend_time_us() are added to make
it easy to calculate time differences in micro-seconds (us).
Resolves: https://github.com/SSSD/sssd/issues/5967
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
3b795530 by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap: record time needed for a sdap operation
The start time of an sdap operation is stored to calculate the spend
time when the operation finished. This spend time is an upper limit for
the time the underlying LDAP operation took. The actual time of the LDAP
operation might be shorter. This might happen if many sdap operations
are running in parallel and the given operation has to wait for
processing due to the asynchronous handling of the operations.
Resolves: https://github.com/SSSD/sssd/issues/5967
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
3063a73c by Sumit Bose at 2022-02-15T17:22:09+01:00
dp: adding log message with spend time
The time a backend request needs from start to finish is recorded in the
logs.
Resolves: https://github.com/SSSD/sssd/issues/5967
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
23e64bee by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap: split out function to get the server IP as string
Currently the IP address of the current LDAP server is only available in
a log message. The new call sdap_get_server_ip_str() makes it available
for other purposes as well.
Resolves: https://github.com/SSSD/sssd/issues/5967
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
5dc34b75 by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap_op: add strings member for extra statistical information
Besides the LDAP message id other information might be helpful when
collecting statistics about LDAP operations.
Resolves: https://github.com/SSSD/sssd/issues/5967
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
a9b4ae62 by Sumit Bose at 2022-02-15T17:22:09+01:00
ldap: add info string for statistics
Add the server IP address and other information about the current LDAP
request to the timing statistics.
Resolves: https://github.com/SSSD/sssd/issues/5967
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
e2082c03 by Sumit Bose at 2022-02-15T17:22:09+01:00
ipa: add info string for statistics
Add the server IPA address and other information about the current
extdom LDAP extended operation to the timing statistics.
Resolves: https://github.com/SSSD/sssd/issues/5967
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
b3646c66 by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap: warn if request needs 80% of timeout
To easily identify LDAP requests which are running longer than expected, all
requests needing 80% of their timeout are recorded with log level
SSSDBG_IMPORTANT_INFO.
The threshold of 80% is currently hard-coded.
Please note that due to the asynchronous processing in the backend some
requests might be logged with a long execution time not because they
need the recorded time but because their processing is delayed by
another request which was processed before.
:relnote: A warning is added in the logs if an LDAP operation needs more
than 80% of the configured timeout.
Resolves: https://github.com/SSSD/sssd/issues/5967
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
15f66efc by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap: make struct sdap_op private
Only the msgid member of struct sdap_op is used for debugging messages
in some other places of the code.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
5494f7ff by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap: add sdap_get_server_ip_str_safe()
This new call is similar to sdap_get_server_ip_str() but will never
return NULL so that the caller can always expect a string.
sdap_get_server_ip_str() is replaced with the new call where needed.
Resolves: https://github.com/SSSD/sssd/issues/5967
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
27e2a0f4 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
CI: enable CodeQL analysis
Enable the CodeQL analysis on the master branch for push, pull-request
and nightly.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
bcfb1cb1 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
CI: split dependencies for Ubuntu
python-ldap, python-ldb and python-requests have been renamed in Ubuntu
to python3-*, thus the dependencies need to be split.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
d53bb2be by Iker Pedrosa at 2022-02-17T11:04:28+01:00
sbus: Multiplication result converted to larger type
A multiplication result that is converted to a larger type can be a sign
that the result can overflow the type converted from. Using a cast to
the target type (size_t) to avoid overflow.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
923c94b4 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
Duplicate include guard
Using the same include guard macro in more than one header file may
cause unexpected behavior from the compiler. Rename the macros to avoid
the problem.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
5ea0c927 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
Array offset used before range check
Accessing an array offset before checking the range means that the
program may attempt to read beyond the end of a buffer. Reverse order of
conditions to avoid the problem.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
94976819 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
Potentially uninitialized local variable
Reading from a local variable that has not been assigned to will
typically yield garbage. Fix by assigning a value when defining the
variable.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
c30356d0 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
Inconsistent nullness check
The result value of a function is often checked for nullness, but not
always. Since the value is mostly checked, it is likely that the
function can return null values in some cases, and omitting the check
could crash the program. To avoid it check the return value in all
cases.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
6df69052 by Pavel Březina at 2022-02-17T13:13:59+01:00
ci: move languages parameter to codeql init
codeql analyze does not have this parameter:
```
Warning: Unexpected input(s) 'languages', valid inputs are ['check_name', 'output', 'upload', 'cleanup-level', 'ram', 'add-snippets', 'skip-queries', 'threads', 'checkout_path', 'ref', 'sha', 'category', 'upload-database', 'wait-for-processing', 'token', 'matrix']
```
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
f36deb3e by Iker Pedrosa at 2022-02-17T13:14:49+01:00
tests: Remove unused format_interactive_conf()
CodeQL was reporting "Wrong number of arguments in a call" for an unused
function.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
dd5f2338 by Iker Pedrosa at 2022-02-17T13:14:49+01:00
tests: Remove unused gethostbyaddr_r()
CodeQL was reporting "Potentially uninitialized local variable" in an
unused function.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
2ec51872 by Jakub Vavra at 2022-02-21T12:25:45+01:00
Tests: Update KeytabRotation tests in AD tier 2
Remove class fixture clear_sssd_cache from TestHostKeytabRotation.
In the case that the environment is not tainted the tests fail to
restart sssd in setup because it is not configured yet resulting in ERROR.
Clearing cache and restart of sssd added in keytab_sssd_conf fixture,
where it is actually needed.
Added extra debug information when sssd fails to start.
The test Testsmbsecretrotation::test_0001_rotation needs to restart
sssd so the changed configuration is properly applied.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
5f944543 by Alexey Tikhonov at 2022-02-22T12:10:39+01:00
SIMPLE: reduce severity level of debug message in case primary group is missing in the domain cache
Since this is not treated as an error, this shouldn't trigger
a backtrace as well.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
5cdb7e2c by Alexey Tikhonov at 2022-02-22T12:10:51+01:00
Test: fix wrong messages
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
25faf983 by Alexey Tikhonov at 2022-02-22T12:10:51+01:00
AD/IPA: ignore 'ldap_default_authtok_type' conf setting
AD/IPA providers can't use simple bind, but this option
can be set in case AD/IPA and LDAP provider types are mixed
in the same domain, causing issues during `sdap_cli_auth_step()`
Resolves: https://github.com/SSSD/sssd/issues/5998
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
d082681a by Dhairya Parmar at 2022-02-22T12:11:05+01:00
TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode
Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
It should be changed to false for consistency with the OpenSSH
setting that does not hash host names by default
Verifies
Issue: https://github.com/SSSD/sssd/issues/5848
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
616e69f6 by Justin Stephenson at 2022-02-22T12:11:17+01:00
make_srpm: Add option to specify package version
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
21a91ce2 by Justin Stephenson at 2022-02-22T12:11:17+01:00
CI: Add internal covscan workflow to Jenkins
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
b2154298 by Pavel Březina at 2022-02-23T12:23:54+01:00
ci: build pull requests in copr
New copr project will be created for each pull request under the sssd
group. The project will be automatically deleted after 60 days or after
the pull request is closed.
The workflow works like this:
- build tarball and spec file (rvn is sssd-pr#prid-#runid)
- build srpm
- upload srpm as an artifact to the job
- create copr project @sssd/pr#prid if not exist
- cancel previous pending/running builds if there are any
- build package in centos-* and fedora-*
One job is created for each chroot.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
0d7ae85f by Pavel Březina at 2022-02-24T10:23:57+01:00
sifp: fix coverity issue
```
Error: GCC_ANALYZER_WARNING (CWE-457):
sssd-pr5762_14/src/lib/sifp/sss_sifp_parser.c: scope_hint: In function 'sss_sifp_parse_dict'
sssd-pr5762_14/src/lib/sifp/sss_sifp_parser.c:233:18: warning[-Wanalyzer-use-of-uninitialized-value]: use of uninitialized value 'table_key.<U7260>.str'
sssd-pr5762_14/src/lib/sifp/sss_sifp_parser.c:461:5: note: in expansion of macro 'check_dbus_arg'
sssd-pr5762_14/src/lib/sifp/sss_sifp_parser.c:147:5: note: in expansion of macro 'check_dbus_arg'
231|
232| done:
233|-> if (table_key.str != NULL) {
234| _free(ctx, table_key.str);
235| }
```
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
90ad1ea4 by Iker Pedrosa at 2022-03-01T12:10:34+01:00
tests: Unreachable code
src/tests/multihost/alltests/conftest.py: correct indentation.
src/tests/multihost/basic/test_sudo.py: remove the unreachable code.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
9bd821b6 by Iker Pedrosa at 2022-03-01T12:10:34+01:00
Comparison result is always the same
Remove the condition and clean the code.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
b9783436 by Iker Pedrosa at 2022-03-01T12:10:34+01:00
ad: Empty branch of conditional
Remove condition.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
36920a04 by Iker Pedrosa at 2022-03-01T12:10:34+01:00
Commented-out code
Remove the unused code.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
f04ca9b2 by Iker Pedrosa at 2022-03-01T12:10:34+01:00
Implicit string concatenation in a list
Make clear the strings that need to be concatenated.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
0a9c00c3 by Justin Stephenson at 2022-03-01T12:10:50+01:00
Add external covscan workflow
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
81936d43 by Jakub Vavra at 2022-03-02T13:49:59+01:00
Tests: Reduce sleeps before collecting logs in AD parameters tests.
Partially undo https://github.com/SSSD/sssd/pull/5985 where
sleep was added by a mistake to test 0021.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
63ab01f3 by Jakub Vavra at 2022-03-02T13:52:17+01:00
Tests: Port ad-schema test suite from bash.
Reviewed-by: Kaushik Banerjee <kbanerje at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
961e320d by Justin Stephenson at 2022-03-07T13:13:27+01:00
CI: Update apt cache
Debian based distro CI workflows may error when apt cache is not
up-to-date. For example in GitHub Actions:
Fetched 46.1 MB in 13s (3596 kB/s)
E: Failed to fetch
http://azure.archive.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-dbg_2.31-0ubuntu9.2_amd64.deb
404 Not Found [IP: 40.81.13.82 80]
E: Unable to fetch some archives, maybe run apt-get update or try with
--fix-missing?
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
f1573e51 by Alexey Tikhonov at 2022-03-07T13:13:38+01:00
UTILS: reduce debug level in case well_known_sid_to_name() fails
It's up to a function user to decide on a severity of a helper fail.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
439b9fc6 by Iker Pedrosa at 2022-03-09T10:59:58+01:00
CI: change pycodestyle max line length
Change the maximum length from 79 to 119 characters.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
91e8c4fb by Jean-Baptiste Denis at 2022-03-10T13:53:25+01:00
Increase listen backlog
The previous value (10) could introduce delays in responder answer in some highly used environment.
See https://github.com/SSSD/sssd/issues/6035 for test and details.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
bab44e92 by Iker Pedrosa at 2022-03-10T13:53:38+01:00
Tests: fix missing name (F821)
Define the missing name: missing import, missing variable declaration,
self instance variable...
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
94e5466e by Iker Pedrosa at 2022-03-10T13:53:38+01:00
Tests: fix indentation(E12*) and whitespace(E20*)
Fix indentation and remove whitespaces.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
b3244e39 by Iker Pedrosa at 2022-03-10T13:53:38+01:00
Tests: fix missing whitespace after ',' (E231)
Add whitespace.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
e81f8991 by Iker Pedrosa at 2022-03-10T13:53:38+01:00
Tests: fix unexpected spaces around '/' (E251)
Remove whitespace.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
5be30ac0 by Iker Pedrosa at 2022-03-10T13:53:38+01:00
Tests: remove 12 years old TODOs
These TODOs were being reported by flake8 for several reasons.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
6bbfd1b6 by Iker Pedrosa at 2022-03-10T13:53:50+01:00
Tests: fix ambiguous variable (E741)
Fix the ambiguous variable name reported by flake8 by renaming it.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
58605202 by Iker Pedrosa at 2022-03-10T13:53:50+01:00
Tests: fix shadowed variable (F402)
Fix the shadowed variable reported by flake8 by renaming it.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
fe46bd3b by Iker Pedrosa at 2022-03-10T13:53:50+01:00
Tests: fix f-strings usage (F541)
Fix the f-strings misuse reported by flake8.
f-string is a new and improved way of formatting strings in python. It
is commonly used to concatenate strings. The code that I have changed
was either not concatenating a string so a simple string would have
been enough, or concatenating f-strings in the old way.
For more information check https://realpython.com/python-f-strings/
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
56b37520 by Iker Pedrosa at 2022-03-10T13:53:50+01:00
Tests: fix comparison symbols (F632)
Fix the comparison symbols misuse reported by flake8 by using "==" or
"!=" to compare str, bytes, int, float and tuple.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
899a7df9 by Iker Pedrosa at 2022-03-10T13:54:03+01:00
Tests: fix indentation issues (E111 and E117)
Fix indentation issues reported by flake8.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
294debcd by Iker Pedrosa at 2022-03-10T13:54:03+01:00
Tests: fix end semicolon (E703)
Fix the end semicolon reported by flake8 by removing it.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
0534fd3e by Iker Pedrosa at 2022-03-10T13:54:03+01:00
Tests: fix incorrect comparison with "==" (E711)
Fix the incorrect usage of "==" reported by flake8 by changing the
comparison to "None" using the "is" keyword instead of "==".
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
089123bd by Iker Pedrosa at 2022-03-10T13:54:03+01:00
Tests: fix bare 'except' (E722)
Fix the bare 'except' reported by flake8 by specifying the exception
handler.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
556f42e1 by Anuj Borah at 2022-03-10T13:54:15+01:00
Tests: Regressions 8.5 - alltests-tier3
1. Add new marker tier1_3
2. Fix test_krb_ldap_connection.py test script
3. Add a new test script test_krb_ldap_connection_gssapi.py with
setup_sssd_gssapi fixture
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
5cf46fc8 by Alejandro López at 2022-03-10T13:56:32+01:00
COMMIT TEMPLATE: Fixed two typos
Twice the word "desription" was written instead of "description."
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
1b24149e by Steeve Goveas at 2022-03-11T12:17:36+01:00
TEST: Enable files domain, fix flake8 issues, improve test code
Steps to reproduce needs the files domain to be enabled for rhel 9.
Updated variable names for easy readability, changed %-formatting to f
strings, deleted unused variables and instead updated raiseonerr to
'True' where cmd is expected to pass and added assert to verify expected
exit code where raiseonerr is 'False', made use of 'userlist' variable
and updated steps and expectedresults in docstring.
Verifies
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1824323
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
d377d1da by Iker Pedrosa at 2022-03-11T18:14:14+01:00
Tests: fix continuation line under-indented (E128)
Commit 1b24149eeb0489b8a2d35629ff41c085dbf2c538 introduced a linter
issue that makes all CI runs fail. Fix it by adding an additional
whitespace.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
2f742fc9 by Iker Pedrosa at 2022-03-14T14:20:38+01:00
Tests: fix star imports (F403 and F405)
Fix the star imports detected by flake8 by changing to the proper name.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
634c91b0 by Iker Pedrosa at 2022-03-14T14:20:38+01:00
Tests: fix imported but unused modules (F401)
Fix the unused modules detected by flake8 by removing them.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
8cdfd3d2 by Iker Pedrosa at 2022-03-14T14:21:04+01:00
Tests: fix blank lines (E302 and E303)
Fix the blank line issues detected by flake8 by adding or removing
them depending on the case.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
4f303da4 by Iker Pedrosa at 2022-03-14T14:21:04+01:00
Tests: fix blank line at end of file (W391)
Fix the blank line at the end of file detected by flake8 by removing it.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
838669d9 by Iker Pedrosa at 2022-03-14T14:21:04+01:00
Tests: fix line too long (E501)
Fix the too long lines detected by flake8 by moving the content to a new
line.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
3f8493f9 by Iker Pedrosa at 2022-03-14T14:36:35+01:00
Tests: fix missing name (F821)
Fix the missing name (missing import, missing variable declaration, self
instance variable...) detected by flake8 by defining it.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
c71d83b8 by Iker Pedrosa at 2022-03-14T14:36:35+01:00
Tests: fix missing whitespace after ',' (E231)
Fix the missing whitespace after ',' detected by flake8 by adding it.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
b8f4c171 by Iker Pedrosa at 2022-03-14T14:36:35+01:00
Tests: block comment should start with '# ' (E265)
Fix the block comment start issue detected by flake8 by adding the
space.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
b963aa3c by Alexey Tikhonov at 2022-03-16T11:22:13+01:00
SDAP: sdap_nested_group_hash_insert(): don't create key copy - hash_enter() takes care of this.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
709e9cc9 by Pavel Březina at 2022-03-16T11:22:26+01:00
authtok: add SSS_AUTHTOK_TYPE_OAUTH2
Add a new authentication token type: SSS_AUTHTOK_TYPE_OAUTH2.
It will be used later to enable OAuth2 authentication via Kerberos.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
292bde66 by Pavel Březina at 2022-03-16T11:22:26+01:00
pam: add new SSS_CHILD_KEEP_ALIVE pam item
This pam item indicates that the child process performing authenticate
is kept alive and should be used to further continue with the
authentication instead of creating a new child process.
This patch only adds the pam item and forwards it back and forth pam_sss
and the backend. It will be used in following commits.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
7d688556 by Pavel Březina at 2022-03-16T11:22:26+01:00
pam: add new SSS_PAM_OAUTH2_INFO pam item
This item will hold OAuth2 authentication url and pin. It will be used
in one of the next patches to allow OAuth2 authentication via Kerberos.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8ca8fcf0 by Pavel Březina at 2022-03-16T11:22:26+01:00
conf: add libjansson dependency
Currently required for KRB5 IdP plugins.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
67314942 by Pavel Březina at 2022-03-16T11:22:26+01:00
make: define RUNDIR
Required for KRB5 IdP plugins.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
68a8a2d7 by Pavel Březina at 2022-03-16T11:22:26+01:00
krb5: add idp preauth plugins
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
3a2add67 by Pavel Březina at 2022-03-16T11:22:26+01:00
krb5: support to exchange multiple messages with the same child
Previously, we expected the krb5_child to exit immediately after
receiving a response. However, now we require to exchange multiple
messages in order to maintain internal Kerberos state.
This patch adds a hash table that stores file descriptors for each child
(pid:child_io_fds). The file descriptors are closed when the child exits
but are kept open until then.
If pam_data->child_pid is not 0 we lookup the file descriptors in the
hash table and use them to continue the authentication process instead
of creating a new child.
If the pid is zero, we create a new child and store new file descriptors
in the table.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
5f9e5c2e by Pavel Březina at 2022-03-16T11:22:27+01:00
krb5: terminate child if it fails to setup
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
689bb4f8 by Pavel Březina at 2022-03-16T11:22:27+01:00
krb5: exchange messages with krb5_child with exact length
This is needed so we don't rely on received EOF when reading from
a pipe so we can exchange multiple messages. Now the protocol
contains a uint32_t header that contains length of the rest of
the message.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
dcd7133e by Pavel Březina at 2022-03-16T11:22:27+01:00
krb5: add support for idp:oauth2 responder question
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8cba6b4b by Pavel Březina at 2022-03-16T11:22:27+01:00
krb5: fix memory hierarchy in krb5_child unpack_buffer()
Fields that belong to krb5_req were attached to pam_data which caused
unexpected troubles when kr->pd gets freed and swapped with new one.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
95495e7b by Pavel Březina at 2022-03-16T11:22:27+01:00
krb5: add keep alive timeout for krb5_child
This timeout will kill the child after a longer time in order to
allow interactive communication with the user.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
918d493c by Pavel Březina at 2022-03-16T11:22:27+01:00
pam: add oauth2 url+pin prompt
Add a new prompt for oauth2 authentication. The user is prompted with
url and pin. He/she must visit the url, provide the pin and
authenticate. Then just press enter to continue the authentication.
The RADIUS server will then ask the identity provider if the
authentication was successful and then reply back.
The answer is set to the same pin, just to provide some verification
mechanism and because Kerberos requires non-empty token.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9c5632df by Sumit Bose at 2022-03-17T11:54:58+01:00
nss: add sss_nss_getorigbyusername and sss_nss_getorigbygroupname
Since the user and group namespaces are independent in POSIX/Linux it is
important to be able to indicate if a user or a group is searched by name.
Currently the sss_nss_getorigbyname() call does not allow this and this
patch adds two new calls to fix this.
Resolves: https://github.com/SSSD/sssd/issues/6042
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
d241b552 by Alexey Tikhonov at 2022-03-17T11:55:18+01:00
GPO: ignore non-ascii symbols in values in GPT.INI
Windows uses ANSI (extended-ASCII) to encode the GPT.INI file.
See https://lists.samba.org/archive/cifs-protocol/2019-March/003228.html
for details.
There is no trivial way to figure out actual code page used. But from
practical point of view, it seems the only key whose value might be
non-ascii is "DisplayName", and SSSD doesn't use it anyway.
This patch replaces non-ascii symbols in values of GPT.INI with '?'
character to make content compatible with libini_config parser.
Resolves: https://github.com/SSSD/sssd/issues/4138
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ad1f64e4 by Iker Pedrosa at 2022-03-18T11:58:34+01:00
Tests: fix unused variable (F841)
Fix the unused variables detected by flake8 by removing or using them.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Co-Authored-By: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
abc41d0b by Justin Stephenson at 2022-03-21T12:52:48+01:00
CONTRIB: Switch distro.sh to use /etc/os-release
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
59484ef0 by Justin Stephenson at 2022-03-21T12:52:48+01:00
CONTRIB: Add shadow and unused-variable to SSS_WARNINGS
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
098c3fcf by Justin Stephenson at 2022-03-21T12:52:48+01:00
CONTRIB: Update rpm-spec-builddeps to python3 shebang
Needed to support using contrib/ci/deps.sh inside a
fedora:latest container.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
a0f454aa by Justin Stephenson at 2022-03-21T12:52:48+01:00
CONTRIB: Add install dependencies option to contrib/ci/run
Add support to only install dependencies and execute no other steps.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
94254dd7 by Justin Stephenson at 2022-03-21T12:52:48+01:00
CI: Install dependencies with contrib/ci/run
Contrib/ci/run script is already used by sssd-ci/* targets, use
it as a frontend for this GH action also.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
81450b9a by Justin Stephenson at 2022-03-21T12:52:48+01:00
CI: Add warnings enabled build and make check
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
027e89b4 by Sumit Bose at 2022-03-21T12:52:59+01:00
test: suppress memory leak in _dl_find_object_update
Some recent versions of glibc have a memory leak causing a failure if the
dlopen-tests runs under valgrind.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
3baf161e by Sumit Bose at 2022-03-21T12:53:00+01:00
integration tests: switch OpenLDAP from hdb to mdb
The latest versions of OpenLDAP do not support hdb anymore.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
6edbb6cd by Steeve Goveas at 2022-03-23T12:21:10+01:00
Tests: prefix 'session_' to avoid failure
It was accidentally removed during the flake8 fixes
Reviewed-by: Anuj Borah <aborah at redhat.com>
- - - - -
e538db29 by Steeve Goveas at 2022-03-23T12:21:10+01:00
Tests: CRB repo name has changed in IDM CI
CRB repo is prefixed with the name of the OS, adding a '*' should solve
the issue.
Reviewed-by: Anuj Borah <aborah at redhat.com>
- - - - -
0c0705e3 by Tomas Halman at 2022-03-23T12:21:41+01:00
usertools: better default for IPA/AD re_expression
Some Active Directory groups, typically those used for MS Exchange
contain an “@” sign in the name. New IPA and AD re_expression
default handles it correctly, considering that the domain is everything
that follows the last '@'.
:relnote: Better default for IPA/AD re_expression. Tuning for
group names containing '@' is no longer needed.
Resolves: https://github.com/SSSD/sssd/issues/6055
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
c159f529 by Tomas Halman at 2022-03-23T12:21:41+01:00
usertools: move default re_expression definition
With this patch the defaults for re_expression are moved to utils.h
and both defaults (ad/ipa and ldap) are defined in one place.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
dde276e2 by Tomas Halman at 2022-03-23T12:21:41+01:00
TESTS: New tests for IPA/AD re_expression default
New tests for default IPA/AD re_expression. This expression defines
how to parse the string containing user name and domain into these
components.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
8a9458df by Alejandro López at 2022-03-24T11:58:45+01:00
confdb: refactor confdb_get_domain_internal()
All the actions previously done in confdb_get_domain_internal() are now done
in separate functions and those functions are called from it.
Resolves: https://github.com/SSSD/sssd/issues/5380
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
51e92297 by Sumit Bose at 2022-03-25T11:22:58+01:00
ad: use right sdap_domain in ad_domain_info_send
Originally ad_domain_info_send() was only called when there was only a
single domain available and hence only a single sdap_domain struct with
the search bases in the sdap_domain list. Since ad_domain_info_send() is
now called at other times as well the right sdap_domain struct must be
selected so that the right search bases are used.
Resolves: https://github.com/SSSD/sssd/issues/6063
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
81d67a59 by Alexey Sheplyakov at 2022-03-25T11:23:19+01:00
ad: gpo: ignore GPO if SecEdit/GptTmpl.inf is missing
This makes it possible to use sssd's group policy based access control with
samba4 domain controllers `out of the box`. The problem is caused by
1) group policy based control denies access (to all users) if
`${GPO_GUID}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf`
file is missing.
2) The `Default Domain Policy` and the `Default Domain Controller Policy`
GPOs created by samba4 list the Security Protocol Extension CSE GUID
{827D319E-6EAC-11D2-A4EA-00C04F79F83A} in their `gPCMachineExtensionNames`,
however there are no .../SecEdit/GptTmpl.inf files in the sysvol.
According to the section 3.2.5 of [MS-GPSM] current sssd's behavior is
correct. However Windows GPO client (at least the one in Windows 2008 r2)
just skips such broken GPOs. This patch makes sssd behave in the same way,
and makes setting up samba4 based AD domain less painful.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
fd19512a by Iker Pedrosa at 2022-03-25T14:04:25+01:00
ccpcheck: fix issues
The issues fixed fall in the following categories: invalid printf
argument type and redundant check for a pointer.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
74ef76b8 by Pavel Březina at 2022-03-29T11:35:25+02:00
ci: avoid concurrent runs
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
e8b22f2d by Pavel Březina at 2022-03-29T11:35:25+02:00
ci: allow to run coverity scan on demand
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
71cd2822 by Pavel Březina at 2022-03-29T11:35:36+02:00
cache_req: fallback to UPN even with cache_first = true
The condition `ret == ENOENT && state->first_iteration` was not met
with `cache_first = true` because `state->first_iteration` got set
to `false`.
Resolves: https://github.com/SSSD/sssd/issues/6059
:fixes: SSSD now correctly falls back to UPN search if the user was
not found even with `cache_first = true`.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
a049ac71 by Alejandro López at 2022-03-29T11:35:50+02:00
systemd: only relaunch after crashes and do not retry forever
Set Relaunch=on-abnormal to only relaunch after a crash. Systemd
will not try to relaunch sssd if it returned with an error code,
for instance, on a wrong configuration file.
Use StartLimitIntervalSec and StartLimitBurst to limit the number of
times it is relaunched. Avoid blocking the boot process.
Resolves: https://github.com/SSSD/sssd/issues/5753
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
8b95efa2 by Pavel Březina at 2022-03-29T12:50:00+02:00
intg: do not run valgrind on infopipe tests
This was done only to work around some issue that does not exist
anymore.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
ee752f8e by Pavel Březina at 2022-03-29T12:50:00+02:00
intg: make kcm renewal test user independent
intgcheck are called in nss_wrapper environment, the tests themselves
are still executed with the same uid as the original user. This
means that kcm tests are running kinit as the user who called
`make intgcheck`.
Previously, `test_kcm_renewals` failed if the user uid != 1000 because
it was not found by sssd_kcm. Now, we create user with the same uid
as the caller and it works.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
52e53926 by Pavel Březina at 2022-03-29T12:50:00+02:00
ci: make sure that $USER is available
USER is not set when running command on container directly through
'podman exec' or from shell created from 'podman exec -it ... /bin/bash'
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
5def61fb by Pavel Březina at 2022-03-29T12:50:00+02:00
ci: disable mock build in contrib/ci/run
It is not possible to run mock build against RHEL-8/9 due to missing
packages and we have COPR builds in place so it is a redundant check.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
df44fc20 by Pavel Březina at 2022-03-29T12:50:00+02:00
ci: make intgcheck work on CentOS Stream and RHEL 9
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
4ea511c6 by Pavel Březina at 2022-03-29T12:50:01+02:00
ci: include acl package in basic multihost tests
Otherwise 389ds setup will fail on Fedora 36, see:
https://bugzilla.redhat.com/show_bug.cgi?id=2057436
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
562a4507 by Pavel Březina at 2022-03-29T12:50:01+02:00
ci: run intgcheck and multihost tests
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
1abda838 by Iker Pedrosa at 2022-03-29T12:50:13+02:00
CI: enable cppcheck analysis
Enable the cppcheck analysis tool for pull-requests.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
67b12923 by Iker Pedrosa at 2022-03-29T12:52:14+02:00
CI: enable flake8 analysis
Enable the flake8 analysis for pull-requests.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
3c39d007 by Iker Pedrosa at 2022-03-29T12:52:14+02:00
Tests: remove unused module (F401)
Remove unused module reported by flake8.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
73bd21b3 by Iker Pedrosa at 2022-03-29T12:52:14+02:00
SSSDConfig: fix indentation for bracket (E124)
Fix the closing bracket visual indentation issue reported by flake8.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
30831cc3 by Iker Pedrosa at 2022-03-29T12:52:14+02:00
GDB: rename duplicated function (F811)
Rename duplicated function reported by flake8.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
22bbb7a0 by Pavel Březina at 2022-03-29T15:00:07+02:00
ci: fix concurrency group for copr
github.ref points to the target branch on pull_request_target
- - - - -
6d105980 by Madhuri Upadhye at 2022-03-31T12:30:12+02:00
Tests: ipa: Minor fix while add users in groups in windows bash shell script.
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
aa054c22 by Anuj Borah at 2022-03-31T12:30:23+02:00
Tests: Install nss-pam-ldapd package for alltests-tier2
Install nss-pam-ldapd package for alltests-tier2
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
60c30a3f by Alexey Tikhonov at 2022-03-31T13:18:47+02:00
UTILS: fixes CWE-394
like:
```
src/responder/nss/nsssrv.c:339: negative_return_fn: Function "sss_mmap_cache_init(nctx, "passwd", nctx->mc_uid, nctx->mc_gid, SSS_MC_PASSWD, mc_size_passwd * 26214UL, (time_t)memcache_timeout, &nctx->pwd_mc_ctx)" returns a negative number.
src/responder/nss/nsssrv.c:339: assign: Assigning: "ret" = "sss_mmap_cache_init(nctx, "passwd", nctx->mc_uid, nctx->mc_gid, SSS_MC_PASSWD, mc_size_passwd * 26214UL, (time_t)memcache_timeout, &nctx->pwd_mc_ctx)".
src/responder/nss/nsssrv.c:346: negative_returns: "ret" is passed to a parameter that cannot be negative.
# 344| &nctx->pwd_mc_ctx);
# 345| if (ret) {
# 346|-> DEBUG(SSSDBG_CRIT_FAILURE,
# 347| "Failed to initialize passwd mmap cache: '%s'\n",
# 348| sss_strerror(ret));
```
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
d1bce130 by Anuj Borah at 2022-03-31T13:19:41+02:00
Tests: Porting of proxy provider test suits to pytest
https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/krb_auth
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
38636ffa by Shridhar Gadekar at 2022-04-06T11:13:49+02:00
minor change in testcase description
The testcase description mentioned ssh_cache instead of sss_cache.
Correcting the command in description.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
d8d25758 by Sumit Bose at 2022-04-06T11:14:02+02:00
pam: fix section parsing issue
Due to a typo it was always necessary to have a `[prompting/password]`
section in sssd.conf to enable the other `prompting` section.
This patch fixes this and adds some unit tests to cover that part of the
code.
Resolves: https://github.com/SSSD/sssd/issues/6081
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
34829d3b by Sumit Bose at 2022-04-06T11:14:02+02:00
tests: add utilities for cmocka based unit tests
Calls to list all tests and run only a single test are added.
Resolves: https://github.com/SSSD/sssd/issues/6081
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
5c5a6b89 by Sumit Bose at 2022-04-06T11:14:02+02:00
tests: allow to run single pam-srv-tests tests
Since each pam-srv-test will remove the test directory the --no-cleanup
option only makes sense if a test can be run individually.
Resolves: https://github.com/SSSD/sssd/issues/6081
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
6a51ffee by Pavel Březina at 2022-04-08T12:39:43+02:00
ci: add working-directory to build-sssd-srpm
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
4396cd4b by Pavel Březina at 2022-04-08T12:39:43+02:00
ci: integrate covscan into github actions
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
872bbbcc by Pavel Březina at 2022-04-08T12:39:43+02:00
ci: fix concurrency group in analyze-target workflow
github.ref points to the target branch not the pull request
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
0fbabd4a by Pavel Březina at 2022-04-08T12:39:43+02:00
ci: switch to next-actions
SSSD/action-build-srpm and SSSD/action-copr were moved to new
next-actions organization so we do not pollute SSSD namespace with
generic and unrelated stuff.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
c321fa5f by Pavel Březina at 2022-04-08T12:39:43+02:00
ci: switch to next-actions/print-logs
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
a84797cb by Anuj Borah at 2022-04-08T12:39:54+02:00
Tests: Fix FileNotFoundError for environment_setup
Fix FileNotFoundError for environment_setup
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
f853a868 by Pavel Březina at 2022-04-08T12:40:05+02:00
krb5: switch to Proxy-State in idp plugin
State attribute can be present only once (RFC-2865), but some IdPs can
return larger data. This patch switches to Proxy-State which may take
multiple values and concatenates these into single krb5_data like we
already do with Reply-Message.
Resolves: https://github.com/SSSD/sssd/issues/6088
Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
63e6365c by Alexander Bokovoy at 2022-04-08T12:40:05+02:00
krb5: switch to Proxy-State in idp plugin reply
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
74cb09ea by Pavel Březina at 2022-04-08T12:40:06+02:00
krb5: idp method is only supported if FAST channel is available
Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2980f114 by Pavel Březina at 2022-04-08T16:05:30+02:00
ci: use correct checkout path for covscan
- - - - -
0c568e94 by Pavel Březina at 2022-04-11T10:51:13+02:00
ci: disable fedora-review for copr pr builds
fedora-review switched logic and if source can not be downloaded
from url in the spec file it is now considered an error. Pull requests
do not have tarballs, so we need to disable this tool.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
42d3e28c by Iker Pedrosa at 2022-04-11T12:50:48+02:00
CI: disable result comment for cppcheck
cppcheck action posts a result comment every time that a code change is
pushed to a PR. This commit updates the action reference to avoid
posting the comment.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
37f90057 by Alexey Tikhonov at 2022-04-14T10:56:16+02:00
Revert "usertools: force local user for sssd process user"
This reverts commit 9c447dc85853116c035bbc2f9e3b8553a65be621.
Resolves: https://github.com/SSSD/sssd/issues/6107
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
3c6218aa by Alexey Tikhonov at 2022-04-14T10:56:16+02:00
Revert "man: sssd.conf and sssd-ifp clarify user option"
This reverts commit 3d25724dc63dffb6d734790e58b1647e3a64e84f.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
720c39a1 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
SID mem-cache: config, init, man page
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
2a160adb by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
mem-cache: fix error in the comment
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
d5e4753e by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
SID mem-cache: data structure and store function
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
f869c694 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
NSS: SID: debug message in case of collision:
- fixed mistype (users -> groups)
- added SIDs of colliding entries
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
a87dfd62 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
NSS: SID: reduced code duplication
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
25426f6a by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
NSS: mem-cache: const correctness
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
aec620f6 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
NSS: SID: store results in mem-cache
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
483d26e9 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
SSS_CLIENT: sss_get_ex() should be static
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
24770866 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
SSS_CLIENT: NSS: SID: mem-cache support for sid-by-id and id-by-sid lookups
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
8cee413b by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
NSS: SID: don't try to deduce object type based on request type
Effectively, this code was no-op anyway as `cmd_ctx->sid_id_type` wasn't
set for SID related requests to anything but SSS_ID_TYPE_NOT_SPECIFIED
anyway.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
b2be59f1 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
SSS_CLIENT: NSS: SID: improved sss_nss_mc_get_sid_by_id()
Resolves: https://github.com/SSSD/sssd/issues/3768
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
731b3e66 by Sumit Bose at 2022-04-14T10:56:46+02:00
pam: add more checks for require_cert_auth
Fail authentication if no Smartcard based credentials are available if
require_cert_auth is set.
Resolves: https://github.com/SSSD/sssd/issues/6023
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
4d2277f8 by Sumit Bose at 2022-04-14T10:56:46+02:00
pam: better SC fallback message
If no suitable certificates were found or if gdm-smartcard was somehow
activated without a Smartcard present ask to (re)-insert a Smartcard.
Resolves: https://github.com/SSSD/sssd/issues/6022
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
878737c8 by Sumit Bose at 2022-04-14T12:37:11+02:00
oidc_child: add initial implementation of oidc_child
Currently oidc_child will be used by FreeIPA's ipa_otpd to authenticate
a user against an IdP with the device code workflow. For the
communication with the user the recently added OAuth2 patches with the
Kerberos pre-authentication module will be used.
Later on it might be possible to add a SSSD authentication provider
which is using oidc_child as well.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
cc811edf by Sumit Bose at 2022-04-14T12:37:11+02:00
oidc_child: make build configurable
With the configure option '--with-oidc-child=no' oidc_child is not
built.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
66f60aad by Pavel Březina at 2022-04-14T15:18:25+02:00
contrib: add sssd public key
This key will be used for SSSD-related activities such as signing
release tarballs.
It is also uploaded to `keys.openpgp.org` key server, it can be fetched with:
```
gpg2 --keyserver keys.openpgp.org --recv-keys C13CD07FFB2DB1408E457A3CD3D21B2910CF6759
```
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
e09ac40a by Weblate at 2022-04-14T15:18:54+02:00
po: update translations
(Korean) currently translated at 30.5% (861 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Korean) currently translated at 30.2% (853 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Korean) currently translated at 29.4% (830 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Finnish) currently translated at 7.7% (48 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/
po: update translations
(Finnish) currently translated at 3.6% (96 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
po: update translations
(Finnish) currently translated at 6.3% (39 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/
po: update translations
(Finnish) currently translated at 3.6% (95 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
po: update translations
(Korean) currently translated at 29.3% (829 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Korean) currently translated at 29.2% (824 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Korean) currently translated at 28.8% (814 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Czech) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/
po: update translations
(Korean) currently translated at 28.7% (812 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Korean) currently translated at 28.5% (805 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Korean) currently translated at 28.3% (799 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Korean) currently translated at 26.9% (761 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Finnish) currently translated at 3.5% (94 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
po: update translations
(Swedish) currently translated at 100.0% (2627 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/
po: update translations
(Ukrainian) currently translated at 100.0% (2627 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/
po: update translations
(Korean) currently translated at 27.3% (715 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Korean) currently translated at 24.5% (641 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
po: update translations
(Korean) currently translated at 18.6% (488 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
- - - - -
f9901d5a by Pavel Březina at 2022-04-14T15:22:01+02:00
pot: update pot files
- - - - -
f48eddc3 by Pavel Březina at 2022-04-14T15:23:57+02:00
Release sssd-2.7.0
- - - - -
063d3a7f by Timo Aaltonen at 2022-05-25T09:48:42+03:00
Merge branch 'upstream'
- - - - -
2418b327 by Timo Aaltonen at 2022-05-25T09:49:06+03:00
version bump
- - - - -
c471fb92 by Timo Aaltonen at 2022-05-25T09:50:58+03:00
Update signing-key.asc.
- - - - -
18fdac4a by Timo Aaltonen at 2022-05-25T09:56:28+03:00
source: Update diff-ignores.
- - - - -
3ea1f683 by Timo Aaltonen at 2022-05-25T10:29:34+03:00
control, rules: Add sssd-idp package, which includes plugins for external identity providers.
- - - - -
c9cc2fb6 by Timo Aaltonen at 2022-05-25T10:52:00+03:00
control, rules: Enable krb5 config snippets by default.
- - - - -
c5c8f926 by Timo Aaltonen at 2022-05-25T11:04:47+03:00
control: modify idp description
- - - - -
30 changed files:
- .git-commit-template
- + .github/actions/build-sssd-srpm/action.yml
- + .github/actions/configure/action.yml
- + .github/actions/install-dependencies/action.yml
- + .github/workflows/analyze-target.yml
- + .github/workflows/ci.yml
- + .github/workflows/copr_build.yml
- + .github/workflows/copr_cleanup.yml
- + .github/workflows/coverity.yml
- + .github/workflows/static-code-analysis.yml
- − .travis.yml
- − .travis/travis-docker-build.sh
- − .travis/travis-tasks.sh
- BUILD.txt
- − Dockerfile
- − Dockerfile.deps
- Jenkinsfile
- Makefile.am
- README.md
- configure.ac
- contrib/ci/README.md
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/distro.sh
- + contrib/ci/get-matrix.py
- contrib/ci/rpm-spec-builddeps
- contrib/ci/run
- contrib/ci/sssd.supp
- contrib/fedora/bashrc_sssd
- contrib/fedora/make_srpm.sh
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/6dffd5ff6559b9cc62521be3ddab0ccf8273de7c...c5c8f926e6c18ae50c109de84466d3f7d3994479