IPA_RULES_COMMON: Introduce ipa_common_get_hostgroupname() By moving the get_ipa_hostgroupname() method from ipa_hbac_hosts.[ch] to ipa_rules_common.[ch] it can be used by both HBAC and, in the future, for new backend modules. The method got renamed to ipa_common_get_hostgroupname() and some coding style changes have been made in order to match with what SSSD follows. Related: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA: Leave only HBAC specific defines in ipa_hbac_private.h The defines that were moved can and will be used by another backend module that will be introduced in the near future. Related: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IPA: Use custom error codes when validating HBAC rules https://fedorahosted.org/sssd/ticket/2603 Instead of reusing EINVAL/ENOENT, use more descriptive error codes. This will be useful in the next patch where we act on certain codes. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)

IPA: Deprecate ipa_hbac_support_srchost option This option got already deprecated on the ipa server side. Option is undocumented and warning is printed both to the sssd log files and syslog. Resolves: https://fedorahosted.org/sssd/ticket/1918

Remove sysdb arg from hbac_*host_attrs_to_rule()

Add domain argument to sysdb_search_custom() Also changes sysdb_search_custom_by_name()

IPA hosts refactoring

Separate the host-retrieval code from IPA HBAC to common IPA code

Fixed minor memory-hierarchy-related issue in IPA HBAC

Raise the debug level of two very noisy statements

Support multiple search bases in HBAC

Add ipa_hbac_support_srchost option to IPA provider don't fetch all host groups if this option is false https://fedorahosted.org/sssd/ticket/1078

Cleanup: Remove unused parameters

HBAC: Use originalMember for identifying hostgroups

Do not access memory out of bounds

HBAC: Use of hostgroups for targethost or sourcehost was broken We were trying to look up the wrong attribute for the name of the hostgroup.

sysdb refactoring: deleted domain variables in sysdb API The patch also updates code using modified functions. Tests have also been adjusted.

Add helper functions for looking up HBAC rule components