History log of /sssd-io/src/db/sysdb_sudo.h
Revision Date Author Comments
dee665060ba71ff61ad223e755ae61441118fbba 08-Sep-2017 Jakub Hrozek <jhrozek@redhat.com>

SUDO: Use initgr_with_views when looking up a sudo user
The sudo responder code didn't take views into account when looking for rules, which resulted in sudo rules being ignored if the user's name was overridden. Please see the ticket for a detailed info on how to reproduce the bug.
Resolves: https://pagure.io/SSSD/sssd/issue/3488
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

52cdb4275cf6c9ead9cdf746fad4276a554bc66f 25-Nov-2016 Lukas Slebodnik <lslebodn@redhat.com>

SYSDB: Remove unused prototype from header file
The function sysdb_get_sudo_filter was removed as part of ticket #2919
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

61913b8f0d1ba54d82640500d7486fac5f72b030 07-Jul-2016 Pavel Březina <pbrezina@redhat.com>

sudo: solve problems with fully qualified names
sudo expects the same name in sudo rule as login name. Therefore if fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing default domain with default_domain_suffix sssd is able to correctly return the rules but sudo can't match the user with content of sudoUser attribute since it is not qualified.
This patch changes the rules on the fly to avoid using names at all. We do this in two steps:
1. We fetch all rules that match current user name, id or groups and replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementary rules that contain netgroups since it is expected we don't have information about existing netgroups in cache, sudo still needs to evaluate it for us if needed.
This patch also removes test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't think it is a good thing to have filter tests that depend on exact filter order.
Resolves: https://fedorahosted.org/sssd/ticket/2919
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e2d26e97d62f06f65e8228b28746471cc5f73fe5 20-Apr-2016 Petr Cech <pcech@redhat.com>

SYSDB: Add new functions into sysdb_sudo
This patch adds two new functions into public API of sysdb_sudo:
* sysdb_search_sudo_rules
* sysdb_set_sudo_rule_attr
Resolves: https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

991c9f47fcb24704b880f60ab8ee77cfda056e2c 09-Mar-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: download externalUser attribute
This allows configuration with id_provider = proxy and sudo_provider = ipa when someone needs to fetch rules for local users.
https://fedorahosted.org/sssd/ticket/2972
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a7d2b4f157194c14bc4a40c74f6416b82befa460 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: Add support for ipaSudoRunAsExt* attributes
Reviewed-by: Sumit Bose <sbose@redhat.com>

cc7766c8456653ab5d7dedbf432cb1711a905804 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: Add ipasudocmd mapping
Reviewed-by: Sumit Bose <sbose@redhat.com>

ed8650be18af26b7bf389e1246f7e8cdb363f829 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: Add ipasudocmdgrp mapping
Reviewed-by: Sumit Bose <sbose@redhat.com>

a2057618f30a3c64bdffb35a2ef3c2ba148c8a03 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: Add ipasudorule mapping
Reviewed-by: Sumit Bose <sbose@redhat.com>

68abbe716bed7c8d6790d9bec168ef44469306a1 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

SUDO: make sudo sysdb interface more reusable
Reviewed-by: Sumit Bose <sbose@redhat.com>

7c30e60c525ea798aaab142766ff00eef4b5df3b 15-Jul-2014 Pavel Březina <pbrezina@redhat.com>

sudo: fetch sudoRunAs attribute
This attribute was used in pre 1.7 versions of sudo and it is now deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users still use this attribute so we need to support it to ensure backward compatibility.
This patch makes sure that this attribute is downloaded if present and provided to sudo. Sudo then decides how to handle it.
The new mapping option is not present in a man page since this attribute is deprecated in sudo for a very long time.
Resolves: https://fedorahosted.org/sssd/ticket/2212
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

6a31a971a376a992afb838fe60b311360c970267 15-Nov-2013 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter from the sysdb_sudo.c module

5ff1c3c5a12930692cb6284d14f7fda3a974af8e 22-Jan-2013 Pavel Březina <pbrezina@redhat.com>

sudo responder: change num_rules type from size_t to uint32_t
https://fedorahosted.org/sssd/ticket/1779
2^32 should be enough to store sudo rules. size_t type was causing troubles on big endian architectures, because it wasn't used correctly in combination with D-Bus.

b0fa48b0d612b46a86e45f8e4b5d9feae9784c2b 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain arguments to sysdb sudo functions

9675bccabff4e79d224f64611ad9ff3e073b488e 15-Jan-2013 Simo Sorce <simo@redhat.com>

Make sysdb_custom_subtree_dn() require a domain.

5a2cce34cf8843613b0b9dfde054b3d471dd5f3a 13-Dec-2012 Pavel Březina <pbrezina@redhat.com>

sudo: support generalized time format
https://fedorahosted.org/sssd/ticket/1712
The timestamp doesn't have to be in the form yyyymmddHHMMSSZ any more. It can be in any form of generalized time format.

fb4e4c4eb6a6dc732370584f70d23dd4a2c5c7b6 07-Aug-2012 Pavel Březina <pbrezina@redhat.com>

Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC
It does not contain name of the object class attribute but the value itself. I renamed it to avoid confusion.

dfafb437f49d31e015184e212571e9917aa94eef 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo: clean up

f7af8c5b369938725e47585c641ae5b017d442a1 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo sysdb: add expiration time to the filter

0f808798eefaedc3eb241f26aa49680d87f22336 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sysdb: remove sudo_set/get_refreshed

44749ce0c1fee9babee80060fa0db99eebb2ab51 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sysdb: add getter/setter for last sudo full refresh time

f5d4b05027acce06e3509ecb68869d1c7ef37180 17-Feb-2012 Pavel Březina <pbrezina@redhat.com>

Redesign purging of the sudo cache
https://fedorahosted.org/sssd/ticket/1173

c9aab1c04c399ca2d1abef74f6df22ced34983dc 04-Feb-2012 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - responder 'sudo_timed' option
https://fedorahosted.org/sssd/ticket/1116

f6171b2bc954a367f316853ab71090eb213bdee3 27-Jan-2012 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - make sysdb_get_sudo_filter() more configurable
https://fedorahosted.org/sssd/ticket/1143

1a542b3698d8c42cf075b722f8838f106eb09fcc 17-Jan-2012 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - functions for manipulating with 'refreshed' attribute
https://fedorahosted.org/sssd/ticket/1110

3f98cdc011bb4e8cd22c088f288b0bcdb6452492 16-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

SUDO Integration - sysdb interface