[SSSD] Re: [PATCHES] ipa: add support for certificate overrides

On Thu, Jun 09, 2016 at 12:09:49PM +0200, Lukas Slebodnik wrote: > On (09/06/16 11:41), Sumit Bose wrote: > >On Thu, Jun 09, 2016 at 11:20:14AM +0200, Lukas Slebodnik wrote: > >> On (08/06/16 15:39), Sumit Bose wrote: > >> >On Tue, Jun 07, 2016 at 04:40:42PM +0200, Jakub Hrozek wrote: > >> >> On Tue, Jun 07, 2016 at 02:55:40PM +0200, Sumit Bose wrote: > >> >> > On Tue, Jun 07, 2016 at 01:56:10PM +0200, Jakub Hrozek wrote: > >> >> > > On Tue, Jun 07, 2016 at 12:28:22PM +0200, Sumit Bose wrote: > >> >> > > > sure, here you are. > >> >> > > > > >> >> > > > bye, > >> >> > > > Sumit > >> >> > > > >> >> > > Hmm, are these the correct patches? > >> >> > > > >> >> > > /home/remote/jhrozek/devel/sssd/src/db/sysdb_views.c: In function 'sysdb_search_override_by_cert': > >> >> > > /home/remote/jhrozek/devel/sssd/src/db/sysdb_views.c:880:11: error: too many arguments to function 'sss_cert_derb64_to_ldap_filter' > >> >> > > ret = sss_cert_derb64_to_ldap_filter(tmp_ctx, cert, SYSDB_USER_CERT, NULL, > >> >> > > ^ > >> >> > > In file included from /home/remote/jhrozek/devel/sssd/src/db/sysdb_views.c:23:0: > >> >> > > /home/remote/jhrozek/devel/sssd/src/util/cert.h:40:9: note: declared here > >> >> > > errno_t sss_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, const char *derb64, > >> >> > > ^ > >> >> > > >> >> > ah, sorry, I picked the patches from a wrong branch. > >> >> > > >> >> > Please try the new version. > >> >> > >> >> OK, this looks better, but there CI still complains on Debian: > >> >> /bin/bash ./libtool --tag=CC --mode=link gcc -Wall -Wshadow > >> >> -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align > >> >> -Wwrite-strings -Wundef -Werror-implicit-function-declaration > >> >> -Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99 -g3 > >> >> -O2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE > >> >> -o proxy_child src/providers/proxy/proxy_child-proxy_child.o > >> >> src/providers/proxy_child-data_provider_iface_generated.o -lpam -ltalloc > >> >> -ltevent -ltalloc -lpopt -lldb -ldbus-1 -lpcre -lini_config > >> >> -lbasicobjects -lref_array -lcollection -lcollection -ldhash -llber > >> >> -lldap -lselinux -ltdb libsss_util.la libsss_crypt.la libsss_debug.la > >> >> libsss_child.la > >> >> /usr/bin/ld: src/responder/nss/nsssrv_cmd.o: undefined reference to > >> >> symbol 'sss_cert_derb64_to_pem' > >> >> //var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/libsss_cert.so: > >> >> //error adding symbols: DSO missing from command line > >> >> collect2: error: ld returned 1 exit status > >> >> Makefile:10585: recipe for target 'sssd_nss' failed > >> >> make[2]: *** [sssd_nss] Error 1 > >> >> make[2]: *** Waiting for unfinished jobs... > >> >> > >> >> CI link: > >> >> http://sssd-ci.duckdns.org/logs/job/44/61/debian_testing/ci-build-debug/c... > >> > > >> >ok, I added libsss_cert.la to the nss responder binary and the test. > >> > > >> >New version attached. > >> > > >> >bye, > >> >Sumit > >> > > >> > >> >From cb3f7bc55b22140b997d6b94f76893798731d79f Mon Sep 17 00:00:00 2001 > >> >From: Sumit Bose <sbose(a)redhat.com&gt; > >> >Date: Tue, 26 Apr 2016 13:13:43 +0200 > >> >Subject: [PATCH 12/12] nss-idmap: add sss_nss_getnamebycert() > >> > > >> >--- > >> > Makefile.am | 2 +- > >> > src/python/pysss_nss_idmap.c | 47 ++++++++++++++++++++++++++++-- > >> > src/responder/nss/nsssrv_cmd.c | 1 + > >> > src/sss_client/idmap/sss_nss_idmap.c | 26 ++++++++++++++++- > >> > src/sss_client/idmap/sss_nss_idmap.exports | 6 ++++ > >> > src/sss_client/idmap/sss_nss_idmap.h | 15 ++++++++++ > >> > 6 files changed, 93 insertions(+), 4 deletions(-) > >> > > >> >diff --git a/Makefile.am b/Makefile.am > >> >index fdd129d326d092989a92506cc86694dded58ff72..a504a4f613b881afcbc096a03de0f284ebf34896 100644 > >> >--- a/Makefile.am > >> >+++ b/Makefile.am > >> >@@ -989,7 +989,7 @@ libsss_nss_idmap_la_LIBADD = \ > >> > $(CLIENT_LIBS) > >> > libsss_nss_idmap_la_LDFLAGS = \ > >> > -Wl,--version-script,$(srcdir)/src/sss_client/idmap/sss_nss_idmap.exports \ > >> >- -version-info 1:0:1 > >> >+ -version-info 2:0:2 > >> > > >> > dist_noinst_DATA += src/sss_client/idmap/sss_nss_idmap.exports > >> > > >> >diff --git a/src/python/pysss_nss_idmap.c b/src/python/pysss_nss_idmap.c > >> >index 36d66f405442d63e430f92862990f1656486112d..a88ef77a3c8056e4962c35811de3dbbb18f4c9a4 100644 > >> >--- a/src/python/pysss_nss_idmap.c > >> >+++ b/src/python/pysss_nss_idmap.c > >> >@@ -33,7 +33,8 @@ enum lookup_type { > >> > SIDBYNAME, > >> > SIDBYID, > >> > NAMEBYSID, > >> >- IDBYSID > >> >+ IDBYSID, > >> >+ NAMEBYCERT > >> > }; > >> > > >> > static int add_dict(PyObject *py_result, PyObject *key, PyObject *res_type, > >> >@@ -166,6 +167,28 @@ static int do_getsidbyid(PyObject *py_result, PyObject *py_id) > >> > return ret; > >> > } > >> > > >> >+static int do_getnamebycert(PyObject *py_result, PyObject *py_cert) > >> >+{ > >> >+ int ret; > >> >+ const char *cert; > >> >+ char *name = NULL; > >> >+ enum sss_id_type id_type; > >> >+ > >> >+ cert = py_string_or_unicode_as_string(py_cert); > >> >+ if (cert == NULL) { > >> >+ return EINVAL; > >> >+ } > >> >+ > >> >+ ret = sss_nss_getnamebycert(cert, &name, &id_type); > >> >+ if (ret == 0) { > >> >+ ret = add_dict(py_result, py_cert, PyBytes_FromString(SSS_NAME_KEY), > >> >+ PyUnicode_FromString(name), PYNUMBER_FROMLONG(id_type)); > >> >+ } > >> >+ free(name); > >> >+ > >> >+ return ret; > >> >+} > >> >+ > >> > static int do_getidbysid(PyObject *py_result, PyObject *py_sid) > >> > { > >> > const char *sid; > >> >@@ -203,6 +226,9 @@ static int do_lookup(enum lookup_type type, PyObject *py_result, > >> > case IDBYSID: > >> > return do_getidbysid(py_result, py_inp); > >> > break; > >> >+ case NAMEBYCERT: > >> >+ return do_getnamebycert(py_result, py_inp); > >> >+ break; > >> > default: > >> > return ENOSYS; > >> > } > >> >@@ -260,7 +286,7 @@ static PyObject *check_args(enum lookup_type type, PyObject *args) > >> > case ENOENT: /* nothing found, return empty dict */ > >> > break; > >> > case EINVAL: > >> >- PyErr_Format(PyExc_ValueError, "Unable to retrieve argument\n"); > >> >+ PyErr_Format(PyExc_ValueError, "Unable to retrieve result\n"); > >> > Py_XDECREF(py_result); > >> > return NULL; > >> > break; > >> >@@ -339,6 +365,21 @@ static PyObject * py_getidbysid(PyObject *module, PyObject *args) > >> > return check_args(IDBYSID, args); > >> > } > >> > > >> >+PyDoc_STRVAR(getnamebycert_doc, > >> >+"getnamebycert(sid or list/tuple of certificates) -> dict(sid => dict(results))\n\ > >> >+\n\ > >> >+Returns a dictionary with a dictonary of results for each given certificates.\n\ > >> >+The result dictonary contain the name and the type of the object which can be\n\ > >> >+accessed with the key constants NAME_KEY and TYPE_KEY, respectively.\n\ > >> >+\n\ > >> >+NOTE: getnamebycert currently works only with id_provider set as \"ad\" or \"ipa\"" > >> >+); > >> >+ > >> >+static PyObject * py_getnamebycert(PyObject *module, PyObject *args) > >> >+{ > >> >+ return check_args(NAMEBYCERT, args); > >> >+} > >> >+ > >> > static PyMethodDef methods[] = { > >> > { sss_py_const_p(char, "getsidbyname"), (PyCFunction) py_getsidbyname, > >> > METH_VARARGS, getsidbyname_doc }, > >> >@@ -348,6 +389,8 @@ static PyMethodDef methods[] = { > >> > METH_VARARGS, getnamebysid_doc }, > >> > { sss_py_const_p(char, "getidbysid"), (PyCFunction) py_getidbysid, > >> > METH_VARARGS, getidbysid_doc }, > >> >+ { sss_py_const_p(char, "getnamebycert"), (PyCFunction) py_getnamebycert, > >> >+ METH_VARARGS, getnamebycert_doc }, > >> > { NULL,NULL, 0, NULL } > >> > }; > >> > > >> >diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c > >> >index 762c26b74581acb5568b602caaef2586521f6903..64e2945a99a6f3262517aa7c817475904418a1ed 100644 > >> >--- a/src/responder/nss/nsssrv_cmd.c > >> >+++ b/src/responder/nss/nsssrv_cmd.c > >> >@@ -5525,6 +5525,7 @@ static int nss_cmd_getbycert(enum sss_cli_command cmd, struct cli_ctx *cctx) > >> > } > >> > > >> > derb64 = (const char *) body; > >> >+ DEBUG(SSSDBG_TRACE_ALL, "cert [%s]\n", derb64); > >> > > >> > /* check input */ > >> > ret = sss_cert_derb64_to_pem(cctx, derb64, &pem_cert, &pem_size); > >> >diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c > >> >index 55d8043bd992bebf82a46206a9f3aecbe1e88238..fa5a499e3606f7e45a406de4d63002ba35365cb1 100644 > >> >--- a/src/sss_client/idmap/sss_nss_idmap.c > >> >+++ b/src/sss_client/idmap/sss_nss_idmap.c > >> >@@ -159,7 +159,8 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd , > >> > case SSS_NSS_GETNAMEBYSID: > >> > case SSS_NSS_GETIDBYSID: > >> > case SSS_NSS_GETORIGBYNAME: > >> >- ret = sss_strnlen(inp.str, SSS_NAME_MAX, &inp_len); > >> >+ case SSS_NSS_GETNAMEBYCERT: > >> >+ ret = sss_strnlen(inp.str, 2048, &inp_len); > >> > if (ret != EOK) { > >> > return EINVAL; > >> > } > >> >@@ -209,6 +210,7 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd , > >> > case SSS_NSS_GETSIDBYID: > >> > case SSS_NSS_GETSIDBYNAME: > >> > case SSS_NSS_GETNAMEBYSID: > >> >+ case SSS_NSS_GETNAMEBYCERT: > >> > if (data_len <= 1 || repbuf[replen - 1] != '\0') { > >> > ret = EBADMSG; > >> > goto done; > >> >@@ -368,3 +370,25 @@ int sss_nss_getorigbyname(const char *fq_name, struct sss_nss_kv **kv_list, > >> > > >> > return ret; > >> > } > >> >+ > >> >+int sss_nss_getnamebycert(const char *cert, char **fq_name, > >> >+ enum sss_id_type *type) > >> >+{ > >> >+ int ret; > >> >+ union input inp; > >> >+ struct output out; > >> >+ > >> >+ if (fq_name == NULL || cert == NULL || *cert == '\0') { > >> >+ return EINVAL; > >> >+ } > >> >+ > >> >+ inp.str = cert; > >> >+ > >> >+ ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETNAMEBYCERT, &out); > >> >+ if (ret == EOK) { > >> >+ *fq_name = out.d.str; > >> >+ *type = out.type; > >> >+ } > >> >+ > >> >+ return ret; > >> >+} > >> >diff --git a/src/sss_client/idmap/sss_nss_idmap.exports b/src/sss_client/idmap/sss_nss_idmap.exports > >> >index 8aa4702416534c49176d29cee381e1c9292c4847..bd5d80212017d38334c3cdeefa47d6029f42aebb 100644 > >> >--- a/src/sss_client/idmap/sss_nss_idmap.exports > >> >+++ b/src/sss_client/idmap/sss_nss_idmap.exports > >> >@@ -19,3 +19,9 @@ SSS_NSS_IDMAP_0.1.0 { > >> > sss_nss_getorigbyname; > >> > sss_nss_free_kv; > >> > } SSS_NSS_IDMAP_0.0.1; > >> >+ > >> >+SSS_NSS_IDMAP_0.2.0 { > >> >+ # public functions > >> >+ global: > >> >+ sss_nss_getnamebycert; > >> >+} SSS_NSS_IDMAP_0.1.0; > >> I wanted to push these patches. > >> But I noticed that this function does not suit to this library. > >> > >> Summary and description says something else. > >> > >> sh$ rpm -q --info libsss_nss_idmap | tail -n4 > >> URL : http://fedorahosted.org/sssd/ > >> Summary : Library for SID based lookups > >> Description : > >> Utility library for SID based lookups > > > >Would you agree if I change summary and description to '... for SID and > >certificate based ...' > > > > that would be the easiest solution and I am not against :-) > > I just wanted to hear other optinions. > > > BTW feel free to send just diff for spec file. > I can squash it before pushing to master. > Please find attached an updated version of the 12th patch. bye, Sumit

From 1decd1940a4278cb6c2b19c3f995e8e601c15d75 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose(a)redhat.com&gt; Date: Tue, 26 Apr 2016 13:13:43 +0200 Subject: [PATCH 12/12] nss-idmap: add sss_nss_getnamebycert() --- Makefile.am | 2 +- contrib/sssd.spec.in | 8 ++--- src/python/pysss_nss_idmap.c | 47 ++++++++++++++++++++++++++++-- src/responder/nss/nsssrv_cmd.c | 1 + src/sss_client/idmap/sss_nss_idmap.c | 26 ++++++++++++++++- src/sss_client/idmap/sss_nss_idmap.exports | 6 ++++ src/sss_client/idmap/sss_nss_idmap.h | 15 ++++++++++ 7 files changed, 97 insertions(+), 8 deletions(-)