On (09/06/16 12:47), Sumit Bose wrote:
On Thu, Jun 09, 2016 at 12:09:49PM +0200, Lukas Slebodnik wrote:
On (09/06/16 11:41), Sumit Bose wrote:
On Thu, Jun 09, 2016 at 11:20:14AM +0200, Lukas Slebodnik wrote:
On (08/06/16 15:39), Sumit Bose wrote:
On Tue, Jun 07, 2016 at 04:40:42PM +0200, Jakub Hrozek wrote:
On Tue, Jun 07, 2016 at 02:55:40PM +0200, Sumit Bose wrote:
> On Tue, Jun 07, 2016 at 01:56:10PM +0200, Jakub Hrozek wrote:
> > On Tue, Jun 07, 2016 at 12:28:22PM +0200, Sumit Bose wrote:
> > > sure, here you are.
> > >
> > > bye,
> > > Sumit
> >
> > Hmm, are these the correct patches?
> >
> > /home/remote/jhrozek/devel/sssd/src/db/sysdb_views.c: In function 'sysdb_search_override_by_cert':
> > /home/remote/jhrozek/devel/sssd/src/db/sysdb_views.c:880:11: error: too many arguments to function 'sss_cert_derb64_to_ldap_filter'
> > ret = sss_cert_derb64_to_ldap_filter(tmp_ctx, cert, SYSDB_USER_CERT, NULL,
> > ^
> > In file included from /home/remote/jhrozek/devel/sssd/src/db/sysdb_views.c:23:0:
> > /home/remote/jhrozek/devel/sssd/src/util/cert.h:40:9: note: declared here
> > errno_t sss_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, const char *derb64,
> > ^
>
> ah, sorry, I picked the patches from a wrong branch.
>
> Please try the new version.
OK, this looks better, but the CI still complains on Debian:

/bin/bash ./libtool --tag=CC --mode=link gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wundef -Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99 -g3 -O2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -o proxy_child src/providers/proxy/proxy_child-proxy_child.o src/providers/proxy_child-data_provider_iface_generated.o -lpam -ltalloc -ltevent -ltalloc -lpopt -lldb -ldbus-1 -lpcre -lini_config -lbasicobjects -lref_array -lcollection -lcollection -ldhash -llber -lldap -lselinux -ltdb libsss_util.la libsss_crypt.la libsss_debug.la libsss_child.la
/usr/bin/ld: src/responder/nss/nsssrv_cmd.o: undefined reference to symbol 'sss_cert_derb64_to_pem'
//var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/libsss_cert.so: //error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
Makefile:10585: recipe for target 'sssd_nss' failed
make[2]: *** [sssd_nss] Error 1
make[2]: *** Waiting for unfinished jobs...
CI link: http://sssd-ci.duckdns.org/logs/job/44/61/debian_testing/ci-build-debug/ci-m...
ok, I added libsss_cert.la to the nss responder binary and the test.
New version attached.
bye, Sumit
From cb3f7bc55b22140b997d6b94f76893798731d79f Mon Sep 17 00:00:00 2001
From: Sumit Bose sbose@redhat.com
Date: Tue, 26 Apr 2016 13:13:43 +0200
Subject: [PATCH 12/12] nss-idmap: add sss_nss_getnamebycert()

 Makefile.am                                |  2 +-
 src/python/pysss_nss_idmap.c               | 47 ++++++++++++++++++++++++++++--
 src/responder/nss/nsssrv_cmd.c             |  1 +
 src/sss_client/idmap/sss_nss_idmap.c       | 26 ++++++++++++++++-
 src/sss_client/idmap/sss_nss_idmap.exports |  6 ++++
 src/sss_client/idmap/sss_nss_idmap.h       | 15 ++++++++++
 6 files changed, 93 insertions(+), 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am index fdd129d326d092989a92506cc86694dded58ff72..a504a4f613b881afcbc096a03de0f284ebf34896 100644 --- a/Makefile.am +++ b/Makefile.am @@ -989,7 +989,7 @@ libsss_nss_idmap_la_LIBADD = \ $(CLIENT_LIBS) libsss_nss_idmap_la_LDFLAGS = \ -Wl,--version-script,$(srcdir)/src/sss_client/idmap/sss_nss_idmap.exports \
- -version-info 1:0:1
- -version-info 2:0:2
dist_noinst_DATA += src/sss_client/idmap/sss_nss_idmap.exports
diff --git a/src/python/pysss_nss_idmap.c b/src/python/pysss_nss_idmap.c index 36d66f405442d63e430f92862990f1656486112d..a88ef77a3c8056e4962c35811de3dbbb18f4c9a4 100644 --- a/src/python/pysss_nss_idmap.c +++ b/src/python/pysss_nss_idmap.c @@ -33,7 +33,8 @@ enum lookup_type { SIDBYNAME, SIDBYID, NAMEBYSID,
- IDBYSID
- IDBYSID,
- NAMEBYCERT
};
static int add_dict(PyObject *py_result, PyObject *key, PyObject *res_type, @@ -166,6 +167,28 @@ static int do_getsidbyid(PyObject *py_result, PyObject *py_id) return ret; }
+static int do_getnamebycert(PyObject *py_result, PyObject *py_cert) +{
- int ret;
- const char *cert;
- char *name = NULL;
- enum sss_id_type id_type;
- cert = py_string_or_unicode_as_string(py_cert);
- if (cert == NULL) {
return EINVAL;- }
- ret = sss_nss_getnamebycert(cert, &name, &id_type);
- if (ret == 0) {
ret = add_dict(py_result, py_cert, PyBytes_FromString(SSS_NAME_KEY),PyUnicode_FromString(name), PYNUMBER_FROMLONG(id_type));- }
- free(name);
- return ret;
+}
static int do_getidbysid(PyObject *py_result, PyObject *py_sid) { const char *sid; @@ -203,6 +226,9 @@ static int do_lookup(enum lookup_type type, PyObject *py_result, case IDBYSID: return do_getidbysid(py_result, py_inp); break;
- case NAMEBYCERT:
return do_getnamebycert(py_result, py_inp); default: return ENOSYS; }break;@@ -260,7 +286,7 @@ static PyObject *check_args(enum lookup_type type, PyObject *args) case ENOENT: /* nothing found, return empty dict */ break; case EINVAL:
PyErr_Format(PyExc_ValueError, "Unable to retrieve argument\n");
PyErr_Format(PyExc_ValueError, "Unable to retrieve result\n"); Py_XDECREF(py_result); return NULL; break;@@ -339,6 +365,21 @@ static PyObject * py_getidbysid(PyObject *module, PyObject *args) return check_args(IDBYSID, args); }
+PyDoc_STRVAR(getnamebycert_doc, +"getnamebycert(sid or list/tuple of certificates) -> dict(sid => dict(results))\n\ +\n\ +Returns a dictionary with a dictonary of results for each given certificates.\n\ +The result dictonary contain the name and the type of the object which can be\n\ +accessed with the key constants NAME_KEY and TYPE_KEY, respectively.\n\ +\n\ +NOTE: getnamebycert currently works only with id_provider set as "ad" or "ipa"" +);
+static PyObject * py_getnamebycert(PyObject *module, PyObject *args) +{
- return check_args(NAMEBYCERT, args);
+}
static PyMethodDef methods[] = { { sss_py_const_p(char, "getsidbyname"), (PyCFunction) py_getsidbyname, METH_VARARGS, getsidbyname_doc }, @@ -348,6 +389,8 @@ static PyMethodDef methods[] = { METH_VARARGS, getnamebysid_doc }, { sss_py_const_p(char, "getidbysid"), (PyCFunction) py_getidbysid, METH_VARARGS, getidbysid_doc },
- { sss_py_const_p(char, "getnamebycert"), (PyCFunction) py_getnamebycert,
{ NULL,NULL, 0, NULL }METH_VARARGS, getnamebycert_doc },};
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 762c26b74581acb5568b602caaef2586521f6903..64e2945a99a6f3262517aa7c817475904418a1ed 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -5525,6 +5525,7 @@ static int nss_cmd_getbycert(enum sss_cli_command cmd, struct cli_ctx *cctx) }
derb64 = (const char *) body;
DEBUG(SSSDBG_TRACE_ALL, "cert [%s]\n", derb64);
/* check input */ ret = sss_cert_derb64_to_pem(cctx, derb64, &pem_cert, &pem_size);
diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c index 55d8043bd992bebf82a46206a9f3aecbe1e88238..fa5a499e3606f7e45a406de4d63002ba35365cb1 100644 --- a/src/sss_client/idmap/sss_nss_idmap.c +++ b/src/sss_client/idmap/sss_nss_idmap.c @@ -159,7 +159,8 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd , case SSS_NSS_GETNAMEBYSID: case SSS_NSS_GETIDBYSID: case SSS_NSS_GETORIGBYNAME:
ret = sss_strnlen(inp.str, SSS_NAME_MAX, &inp_len);
- case SSS_NSS_GETNAMEBYCERT:
ret = sss_strnlen(inp.str, 2048, &inp_len); if (ret != EOK) { return EINVAL; }@@ -209,6 +210,7 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd , case SSS_NSS_GETSIDBYID: case SSS_NSS_GETSIDBYNAME: case SSS_NSS_GETNAMEBYSID:
- case SSS_NSS_GETNAMEBYCERT: if (data_len <= 1 || repbuf[replen - 1] != '\0') { ret = EBADMSG; goto done;
@@ -368,3 +370,25 @@ int sss_nss_getorigbyname(const char *fq_name, struct sss_nss_kv **kv_list,
return ret;}
+int sss_nss_getnamebycert(const char *cert, char **fq_name,
enum sss_id_type *type)+{
- int ret;
- union input inp;
- struct output out;
- if (fq_name == NULL || cert == NULL || *cert == '\0') {
return EINVAL;- }
- inp.str = cert;
- ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETNAMEBYCERT, &out);
- if (ret == EOK) {
*fq_name = out.d.str;*type = out.type;- }
- return ret;
+} diff --git a/src/sss_client/idmap/sss_nss_idmap.exports b/src/sss_client/idmap/sss_nss_idmap.exports index 8aa4702416534c49176d29cee381e1c9292c4847..bd5d80212017d38334c3cdeefa47d6029f42aebb 100644 --- a/src/sss_client/idmap/sss_nss_idmap.exports +++ b/src/sss_client/idmap/sss_nss_idmap.exports @@ -19,3 +19,9 @@ SSS_NSS_IDMAP_0.1.0 { sss_nss_getorigbyname; sss_nss_free_kv; } SSS_NSS_IDMAP_0.0.1;
+SSS_NSS_IDMAP_0.2.0 {
- # public functions
- global:
sss_nss_getnamebycert;+} SSS_NSS_IDMAP_0.1.0;
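Review bot: in check_args() in src/python/pysss_nss_idmap.c, the EINVAL message appears to change from "Unable to retrieve argument" to "Unable to retrieve result", yet the new do_getnamebycert() returns EINVAL exactly when py_string_or_unicode_as_string() fails on the caller's input, so a bad argument would now be reported as a result failure. Keep the argument wording for that path, or have the lookup helpers return distinct codes for input errors and lookup errors so each gets an accurate message.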
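Review bot: the getnamebycert_doc string in src/python/pysss_nss_idmap.c still describes SIDs, "getnamebycert(sid or list/tuple of certificates) -> dict(sid => dict(results))", although both the input and the dictionary key are certificates here. Rename both to certificate, correct "dictonary" (twice) and "for each given certificates", and state the expected encoding of the certificate string; the responder side names it derb64, which suggests base64-encoded DER, but the docstring never says so.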
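Review bot: in nss_cmd_getbycert() in src/responder/nss/nsssrv_cmd.c, the DEBUG call prints the client-supplied body with "%s" before the "check input" step that follows it, so unvalidated request data reaches the log. The lines above this hunk are not visible; if NUL termination of body is not verified there, this read can run past the buffer. Consider moving the trace after sss_cert_derb64_to_pem() has succeeded, or confirming the termination check in a comment.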
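Review bot: in sss_nss_getyyybyxxx() in src/sss_client/idmap/sss_nss_idmap.c, the bound passed to sss_strnlen() becomes the literal 2048 for every case label in this branch, not only for the new SSS_NSS_GETNAMEBYCERT, so name and SID inputs are checked against 2048 instead of SSS_NAME_MAX. Give the certificate case its own branch with a named constant and keep SSS_NAME_MAX for the existing cases; a short comment on why 2048 is enough would also help, since any longer certificate string is rejected with EINVAL.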
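Review bot: sss_nss_getnamebycert() in src/sss_client/idmap/sss_nss_idmap.c validates fq_name and cert but not type, and then unconditionally writes "*type = out.type;" on success, so a caller passing NULL for type gets a NULL dereference instead of EINVAL. Add "type == NULL" to the existing EINVAL check, or guard the assignment if type is meant to be optional, and document whichever is chosen in sss_nss_idmap.h.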
I wanted to push these patches. But I noticed that this function does not suit this library.
Summary and description says something else.
sh$ rpm -q --info libsss_nss_idmap | tail -n4
URL : http://fedorahosted.org/sssd/
Summary : Library for SID based lookups
Description :
Utility library for SID based lookups
Would you agree if I change summary and description to '... for SID and certificate based ...'
that would be the easiest solution and I am not against :-)
I just wanted to hear other opinions.
BTW feel free to send just diff for spec file. I can squash it before pushing to master.
Please find attached an updated version of the 12th patch.
bye, Sumit
Thank you
From 1decd1940a4278cb6c2b19c3f995e8e601c15d75 Mon Sep 17 00:00:00 2001
From: Sumit Bose sbose@redhat.com
Date: Tue, 26 Apr 2016 13:13:43 +0200
Subject: [PATCH 12/12] nss-idmap: add sss_nss_getnamebycert()

 Makefile.am                                |  2 +-
 contrib/sssd.spec.in                       |  8 ++---
 src/python/pysss_nss_idmap.c               | 47 ++++++++++++++++++++++++++++--
 src/responder/nss/nsssrv_cmd.c             |  1 +
 src/sss_client/idmap/sss_nss_idmap.c       | 26 ++++++++++++++++-
 src/sss_client/idmap/sss_nss_idmap.exports |  6 ++++
 src/sss_client/idmap/sss_nss_idmap.h       | 15 ++++++++++
 7 files changed, 97 insertions(+), 8 deletions(-)
ACK++
master: * 9c88f837ffacf6548c13825589b327de1a5525f3 * 1a45124f3f300f9afdcb08eab0938e5e7d0534d9 * 21513e51a4a2eb08f245333bf8f223713a3d7cb3 * 2f90ec2e16f0c14c789d9ed20e008e3103337210 * 8822520e6552bbf5ad1b62a4f88dd31a9c8475f1 * ffe2522a208cddd415d7c3498dcc73ffda863b6f * cf89f552f06b95bd69d8c61aaa55a330a5d9f6e6 * dc936929c01647c0fc116a112cee200156328037 * a1210c8db81a1cc0b45eb62a8450abcdea3afc7b * cdc3e9dc42e13f01d8e2623e92dd046a5bb169f1 * 6cb34580ee6e9e2c9190b77b10db8a3c43e3c9c8 * 6cdeb0923c16e3fafe21aaadca6dac1d71474c31
I could not find a related ticket. Please close it yourself if there is one :-)
LS