ifp: use realloc in ifp_list_ctx_remaining_capacity() ifp_list_ctx_remaining_capacity() might be called multiple times if results from multiple domains are added to the result list. The current use of talloc_zero_array() which was introduced with commit b0b9222 will override results which are already in the list. This causes a regression since it worked before. This patch replaces it with talloc_realloc(). Resolves https://pagure.io/SSSD/sssd/issue/3608 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

IFP: parse ping arguments in codegen Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

IFP: Change ifp_list_ctx_remaining_capacity() return type Now ifp_list_ctx_remaining_capacity() returns an errno_t and receives the count as an output parameter. It allows better handling and error reporting in case something goes wrong internally in this function. Related: https://pagure.io/SSSD/sssd/issue/3306 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Add domain and domainname attributes to the user org.freedekstop.sssd.infopipe.Users.User gets two new attributes: - domain: object path of user's domain - domainname: user's domain name org.freedekstop.sssd.infopipe.GetUserAttr can now request new attribute: - domainname: user's domain name Resolves: https://pagure.io/SSSD/sssd/issue/2714 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

IFP: Amend the InfoPipe responder for fqdns Parses the internal sysdb names and puts them on the bus using the sss_output_name() helper. Previously, the raw sysdb names were used. Reviewed-by: Sumit Bose <sbose@redhat.com>

IFP: new header file that contains interface definitions To be shared across tools and libs. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RESPONDER: Removing ncache from ifp_ctx This patch switches ncache from ifp_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

RESPONDER: Removing neg_timeout from ifp repsonder Timeout of negative cache is handled by context of negative cache itself. This patch removes neg_timeout parameter from ifp_ctx and from ifp_user_get_attr_state. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Add wildcard requests Resolves: https://fedorahosted.org/sssd/ticket/2553 Can be used as: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 By default the wildcard_limit is unset, that is, the request will return all cached entries that match. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Export nodes IFP now exports cached users and groups in introspection. After a user is cached with: dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \ org.freedesktop.sssd.infopipe.Cache.Object.Store And Introspection called with: dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.DBus.Introspectable.Introspect The cached users would be visible in the Introspection XML as: <node name="ipaldap/397400000" /> </node> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: add org.freedesktop.sssd.infopipe.Users.User Example calls: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/10001 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name method return sender=:1.159 -> dest=:1.165 reply_serial=2 variant string "user-1" Resolves: https://fedorahosted.org/sssd/ticket/2150 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: simplify object path constant names The number of interfaces will grow and in order to keep names of object path constant consistent it means that also their names will grow. The new naming schema is: /org/freedesktop/sssd/infopipe -> IFP_PATH_ / -> _ everything uppercase Example: /org/freedesktop/sssd/infopipe/Components/Responders -> IFP_PATH_COMPONENTS_RESPONDERS If the path contains a _TREE suffix, it represents the whole subtree. For example: IFP_PATH_DOMAINS_TREE is /org/freedesktop/sssd/infopipe/Domains/* Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: move interface definitions from ifpsrv.c into separate file Number of IFP interfaces will grown up rapidly in the future. It is not convenient to keep it inside ifpsrv.c. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sbus: move common opath functions from ifp to sbus code These functions are quite general thus they may be part of sbus interface. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add parse_attr_list_ex() helper function Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: Add a utility function to reply with an object path Reviewed-by: Stef Walter <stefw@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Add utility functions to escape and unescape object paths D-Bus spec says: Each element must only contain the ASCII characters "[A-Z][a-z][0-9]_" This patch adds two utility functions to escape raw input into format suitable for DBus and conversely transform escaped paths back into raw paths. Reviewed-by: Stef Walter <stefw@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Add a GetGroupsList method This patch adds a new method on the bus with the following synopsis: <method name="GetUserGroups"> <arg name="user" type="s" direction="in" /> <arg name="values" type="as" direction="out"/> </method> Its purpose is to return names of groups the user is a member of as a list of strings. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Per-attribute ACL for users Introduces a new option called user_attributes that allows to specify which user attributes are allowed to be queried from the IFP responder. By default only the default POSIX set is allowed, this option allows to either add other attributes (+attrname) or remove them from the default set (-attrname). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Add GetUserAttrs call Adds a DBus method that allows the caller to retrieve attributes of a user. The synopsis of the call is as follows: <method name="GetUserAttr"> <arg type="s" name="user" direction="in"/> <arg type="as" name="attr" direction="in"/> <arg type="a{sv}" name="values" direction="out"/> </method> The return value is an array (one attribute per array member) of dictionaries. The key of the dictionary is the attribute name, the value is a variant containing the attribute values as strings. If an attribute does not exist or is not permitted to be read, no error is returned. If the users does not exist, the method returns an error. In future patches this function will be marked as obsolete in favor of object-oriented approach. ifp_user_get_attr_unpack_msg is a separate function to allow extending it in a later patch. The function to check the cache validity duplicates quite a bit of code with the NSS responder. The refactoring would be nice to get done along with #843. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

IFP: Initialize negative cache timeout In order to avoid hitting the back end with repetitive requests, the InfoPipe responder needs a negative cache, too. This patch follows the convention set by other responders, where the negative cache timeouts are read from the [nss] section. This is not ideal, however, and ticket #2318 tracks moving the configuration to the [ifp] section primarily. The timeout is also a separate parameter in the NSS context. We should consider moving it to the negcache context instead (#2317). Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

IFP: use a list of allowed_uids for authentication Similar to the PAC responder, the InfoPipe uses a list of UIDs that are allowed to communicate with the IFP responder. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

IFP: Add utility functions Adds a number of utility functions, most importanly ifp_req_create(). The ifp_req is a structure that will be passed along with the ifp request and would provide easy access to both the sbus_request data and per-responder data, like the ifp_ctx. Also includes a utility function to split a path prefix from a full path and add a ldb_element into a dictionary. These will be reused later. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

IFP: Connect to the system bus Related: https://fedorahosted.org/sssd/ticket/2072 Adds the possibility for the InfoPipe responder to connect to the system bus. At the moment, only a dummy method "Ping" is provided. The method only accepts a single string parameter that has to be 'ping'.

IFP: Re-add the InfoPipe server Related: https://fedorahosted.org/sssd/ticket/2072 This commit only adds the responder and the needed plumbing. No DBus related code is in yet.