e32e17d04c796b37bc3f4cde58106d54ffa2b6d1 |
|
13-Mar-2018 |
Justin Stephenson <jstephen@redhat.com> |
DEBUG: Print simple allow and deny lists
For debug purposes, print the simple allow and deny users/groups lists
when a sufficient log debug level is set.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c777f575b0ec0c48ce3b85ea2c5cc298db02450e |
|
10-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SIMPLE: Make the DP handlers testable
To make it possible to call the whole DP handler in the unit test, not
just the evaluator part.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
79ac0e8a4840202c3615d6ce6584df3c08efb594 |
|
10-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SIMPLE: Fail on any error parsing the access control list
Luckily this error was hidden by the fact that SSSD didn't start at all
when an unparseable name was encountered after startup. Otherwise, this
would have been a security issue.
Nonetheless, we should just fail and deny access if we can't parse a
name in a simple access list.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d2902de03738a3018445698650d8b974ae3cf230 |
|
10-Aug-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SIMPLE: Do not parse names on startup
It's not required to parse names on SSSD startup in the simple access
provider. We can instead just parse the name when the access request is
processed.
Resolves:
https://fedorahosted.org/sssd/ticket/3101
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
eef359b508b898ae99d2bf292a43f0f295a2ba5e |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SIMPLE: Make the simple access provider work with qualified names
This patch adds a behaviour change to the simple access provider - the
simple access list is parsed on the access check itself, which is when
the name contexts of all domains have already been established and we
are already able to parse the names in the config files with
sss_parse_names. We need to support "input names" in the simple access
provider because it needs to support flat names which rely on knowing
the details about a domain.
The simple_access_obtain_filter_lists is intentionally made non-static
in order to be called from tests which initialize the name contexts on
their own.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cc2d77d5218c188119fa954c856e858cbde76947 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_backend.h to backend.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a620742bffad5ef92597b6a25401f6d5c217afa9 |
|
15-Jan-2014 |
Pavel Reichl <pavel.reichl@redhat.com> |
simple access: refresh master domain info
To correctly decide if an object is a member of the main sssd domain, a flat name
is needed. However, the information may not be available when the module is
inited so it may be necessary to refresh this data later while processing a
request.
Resolves:
https://fedorahosted.org/sssd/ticket/2189 |
eb2ec2c35742caf164b49b660b5045d08cac7623 |
|
15-Jan-2014 |
Pavel Reichl <pavel.reichl@redhat.com> |
simple access: match objects using flat name
Use flat name to recognise users and groups belonging to main sssd domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2189 |
721241198c369596c4f13445c70f227b199fdcd0 |
|
17-Sep-2013 |
Pavel Březina <pbrezina@redhat.com> |
simple provider: support subdomain users
Resolves:
https://fedorahosted.org/sssd/ticket/2034 |
ffb83ee934f6ea1d9077ab601530436eff2d20e4 |
|
07-Aug-2013 |
Pavel Březina <pbrezina@redhat.com> |
simple access provider: allow fully qualified names
https://fedorahosted.org/sssd/ticket/2026 |
c0bca1722d6f9dfb654ad78397be70f79ff39af1 |
|
19-Mar-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Resolve GIDs in the simple access provider
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.
Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In AD provider, the situation is
even more tricky b/c the groups HAVE name, but their name
attribute is set to SID and they are set as non-POSIX |
cbaba2f47da96c4191971bce86f03afb3f88864a |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_data() helper function.
In preparation for making struct be_req opaque. |
03abdaa21ecf562b714f204ca42379ff08626f75 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_be_ctx() helper.
In preparation for making be_req opaque |
8e5549e453558d4bebdec333a93e215d5d6ffaec |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Introduce be_req_terminate() helper
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque. |
225d845476b6136be9b77f528ed986bba7a7f732 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Split simple_access_check function out
Need to split out the function or new additions to the handler function will not
allow simple access tests to compile anymore. |
df0596ec12bc5091608371e2977f3111241e8caf |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb as a be context structure member
The sysdb context is already available through the 'domain' structure. |
5d72a91a37273c8c874640906fd2f7a70e606812 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_group_by_gid()
Also remove unused sysdb_search_domgroup_by_gid() |
2ce00e0d3896bb42db169d1e79553a81ca837a22 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_user_by_name()
Also remove unused sysdb_search_domuser_by_name() |
387349ae092f6dbeb8e4bca291a772695836629c |
|
20-Jun-2012 |
Stef Walter <stefw@gnome.org> |
Move some debug lines to new debug log levels
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113 |
2b4332767d299263a288e0a74bbfbc9de674de95 |
|
21-Mar-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Make the string_equal() function public |
c8119652b17229a5aca9b110365c310a6afdce30 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the case sensitivity flag in the simple access provider |
8a1738f9379a1b8fb5c95c3df649e014ff5a1434 |
|
15-Aug-2011 |
Jan Zeleny <jzeleny@redhat.com> |
sysdb refactoring: deleted domain variables in sysdb API
The patch also updates code using modified functions. Tests have also
been adjusted. |
2ffb41c6a16892fccc39fcae7f203bccb8c72dfc |
|
27-Apr-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
simple provider: Don't treat primary GID lookup failures as fatal |
1b474ef7011f4bf9ce4aac85dbc9827a9486d5eb |
|
13-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add group support to the simple access provider
This patch adds simple_allow_groups and simple_deny_groups options
to the simple access provider. It makes it possible to grant or
deny access based on a user's group memberships within the domain.
This patch makes one minor change to previous functionality: now
all deny rules will supersede allow rules. Previously, if both
simple_allow_users and simple_deny_users were set with the same
value, the allow would win.
https://fedorahosted.org/sssd/ticket/440 |
16ac0d6e148b1e07e579d47de1da7ac541447bd2 |
|
08-Mar-2010 |
Sumit Bose <sbose@redhat.com> |
Add simple access provider |