1024dbcba0c16fb5df5e6d16894a8c7a36dc75f2 |
|
25-Sep-2017 |
Pavel Březina <pbrezina@redhat.com> |
IFP: parse ping arguments in codegen
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
15a76bb7bd9791a3ed1ae416f70753d32c6ff599 |
|
15-Jun-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Fix error handling in ifp_user_get_attr_handle_reply()
This bug was introduced in 37d2194cc9ea4d0254c88a3419e2376572562bab
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
37d2194cc9ea4d0254c88a3419e2376572562bab |
|
13-Jun-2017 |
Pavel Březina <pbrezina@redhat.com> |
IFP: Add domain and domainname attributes to the user
org.freedesktop.sssd.infopipe.Users.User gets two new attributes:
- domain: object path of user's domain
- domainname: user's domain name
org.freedesktop.sssd.infopipe.GetUserAttr can now request new attribute:
- domainname: user's domain name
Resolves:
https://pagure.io/SSSD/sssd/issue/2714
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
95acbbb3fbfe972fecd3d8dcbc40d6b1d6b1d354 |
|
31-May-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Resolve group names from GIDs if required
The AD provider only converts SIDs to GIDs during initgroups
to improve performance. But this is not sufficient for the
org.freedesktop.sssd.infopipe.GetUserGroups method, which needs to return
names.
We need to resolve the GIDs to names ourselves in that method.
Resolves:
https://pagure.io/SSSD/sssd/issue/3392
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
c59b7362644efb4546e7fae029b846b53bf48109 |
|
31-May-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Only format the output name to the short version before output
The ifp_user_get_attr_done() request handler was reused for both
GetUserGroups and GetUserAttrs requests. Yet, it performed output
formatting of name and nameAlias.
This is bad, because the output formatting should really be done only
during output. Also, it broke any post-processing of the returned
message which the request might do later.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
c9a73bb6ffa010ef206896a0d1c2801bc056fa45 |
|
21-Apr-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Use sized_domain_name to format the groups the user is a member of
Resolves:
https://pagure.io/SSSD/sssd/issue/3268
Uses the common function sized_domain_name() to format a group the user
is a member of to the appropriate format.
To see the code is working correctly, run:
    dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe \
        org.freedesktop.sssd.infopipe.GetUserGroups \
        string:trusted_user
Where trusted_user is a user from a trusted domain that is a member of groups
from the joined domain and a trusted domain as well. The groups from the
joined domain should not be qualified, the groups from the trusted
domain should be qualified.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
35f0f5ff9dac790f6c947190fcdc00d01ae9077c |
|
30-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Search both POSIX and non-POSIX domains
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Changes the behaviour of the InfoPipe responder so that both application
and POSIX domains are searched. In general, the IFP responder uses the
CACHE_REQ_ANY_DOM lookup type because we can't presume the intention of
the caller. Therefore, deployments that combine both POSIX and non-POSIX
domains must use fully qualified names or select the right domain order
manually.
There is one change between the POSIX and non-POSIX users or groups -
the object path. For the POSIX users, the object path includes the UID
or GID. Because we don't have that for the non-POSIX objects, the object
name is used in the path instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
cee85e8fb9534ec997e5388fce59f392cf029573 |
|
30-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
CACHE_REQ: Domain type selection in cache_req
Related to:
https://pagure.io/SSSD/sssd/issue/3310
Adds a new enumeration cache_req_dom_type. It is a tri-state that
allows the caller to select which domains can be contacted - either only
POSIX, only application domains or any type.
Not all plugins of cache_req have the new parameter added -- only those
that are usable/useful in a non-POSIX environment. For example, it makes
no sense to allow the selection for calls by ID because those are
inherently POSIX-specific. Also, services or netgroups are supported
only coming from POSIX domains.
At the moment, the patch should not change any behaviour as all calls
default to contacting POSIX domains only.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2b5704cd96a085b99d3b0d4f80f4414adc134750 |
|
08-Feb-2017 |
Pavel Březina <pbrezina@redhat.com> |
sss_parse_inp_send: provide default_domain as parameter
It is not always desirable to consider default_domain from configuration
but expect none instead. For example when we search host certificates.
This is currently not used in this patch since host lookups parse
name directly with sss_parse_name but it will be used in the next
patch.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9e74a7ce9a77005d96bdb4ef26c91e8f681d4900 |
|
16-Jan-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Fix GetUserAttr
GetUserAttr used to segfault without this patch.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
b206e1abb7f6ea373d12537b3338552aed6b656d |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: encapsulate output data into structure
In enumeration calls we want to get objects from all domains, not
only from the first matched domain. We move the cache search result
into a structure that contains combination of domain and ldb_result.
This is preparation for enumeration support inside cache_req.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1d5e693461c0f6d645e850c6a0cd895c9db3927d |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
ifp: remove unused fields from state
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
4169fb26ea2ff93c19ecdad6e09382732ea5deeb |
|
20-Oct-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: switch to new code
This patch switches the old switch-based cache req code to
the new plugin-based.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d0faaf01fd24a935d9779032886d228b3861fa48 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Amend the InfoPipe responder for fqdns
Parses the internal sysdb names and puts them on the bus using the
sss_output_name() helper. Previously, the raw sysdb names were used.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
11a87c5f091d6c092b5dadd3d67f900213e280da |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing ncache from ifp_ctx
This patch switches ncache from ifp_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
7910bc6c991b63fa716d77eba08b5f5d83ea6a72 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing neg_timeout from ifp responder
Timeout of negative cache is handled by context of negative cache
itself. This patch removes neg_timeout parameter from ifp_ctx and from
ifp_user_get_attr_state.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
beb07d2f45856d4f3135f173cce551a2aa878f57 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing neg_timeout from pam responder
It removes neg_timeout parameter from struct pam_ctx. Timeout is
handled by context of negative cache internally.
This patch additionally removes neg_timeout from struct cache_req_state.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e8474ac0be7e81c0ca54eb09e2fef42595602945 |
|
10-May-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Do not crash on invalid arguments to GetUserAttr
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
d46005e0f4b01600ddf843a956c3e1329bb6f19c |
|
14-Mar-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: hide input and pass parameters in struct
This way it makes it a lot easier to add new parameters.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f4d2ad64d7d4a991f93631b8a0b3a69ff9d241bf |
|
14-Mar-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add SID lookups
Resolves:
https://fedorahosted.org/sssd/ticket/2848
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f6c337c6256879d47356cd099bb00aafba2650f0 |
|
14-Mar-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: improve debugging
Each debug message is matched to a specific request, this way it
will be easier to follow the request flow especially when parallel
requests are running.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
827a016a07d5f911cc4195be89896a376fd71f59 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
IFP: add FindByCertificate method for User objects
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4b8f260c97b3164fbfccf185e14752ac17c532ac |
|
22-May-2015 |
Pavel Březina <pbrezina@redhat.com> |
IFP: deprecate GetUserAttr
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e87b2a6e94c1066b3044fe683825ff5b4f8716c2 |
|
13-Mar-2015 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: parse input name if needed
The input name is now parsed automatically by cache_req if
no particular domain is specified. The parsed name is
returned from _recv as an output parameter.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3a5ea81007bd38ce511c37f65cc45d4b6b95ec44 |
|
13-Mar-2015 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add support for user by uid
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
665bc06b1a39c64227de74ecbba3db1c4c104ccf |
|
13-Mar-2015 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: preparations for different input type
Currently cache_req takes only user name as an input parameter. However,
this is not enough since we will need also UID and GID in the future.
This patch creates a structure to hold input parameters so it can be
simply extended to support other input types.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
beeef7f627a5ed9264de25ee4c76eb9620c1c984 |
|
17-Feb-2015 |
Pavel Březina <pbrezina@redhat.com> |
IFP: unify generated interfaces names
Number of interfaces will grow. It is mandatory to unify names of
generated structures and methods to simplify coding and debugging.
The C name is created from D-Bus lowercased interface name using
the following rewrite rules:
    org.freedesktop.sssd.infopipe -> iface_ifp
    . -> _
Example:
    org.freedesktop.sssd.infopipe.Domains -> iface_ifp_domains
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
faae3d55e5cf416f16158d3b9f8c8fd475ac6acf |
|
09-Jan-2015 |
Pavel Březina <pbrezina@redhat.com> |
IFP: use new cache interface
Reviewed-by: Michal Židek <mzidek@redhat.com> |
1b4bd7e378deda73a18d86e4b2998bff45883e7b |
|
08-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Return group names with the right case
The IFP code wasn't honoring the case settings of the domain.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
1c00b0c92189433e1fbb7154fb8df71c7788245e |
|
20-Oct-2014 |
Pavel Březina <pbrezina@redhat.com> |
IFP: support views
Reviewed-by: Sumit Bose <sbose@redhat.com> |
fcfd1cb69762c49ba56326dfc85008c1d83333b2 |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Use the override_space option
https://fedorahosted.org/sssd/ticket/2397
The input of the InfoPipe responder substitutes the configured character
for space and the GetUserAttrs and GetUserGroups functions substitute
space for the configured character in their output.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d8b8995ef1c3f2a6c85dc141aaff7eef3faf05c1 |
|
11-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Fix lookups with fully-qualified names
The Data Provider lookup code used the original input string as the
lookup key instead of the parsed name component. For example, for an
input joe@mydomain, the backend would have searched for:
    (&(cn=joe@mydomain)(objectclass=user))
This patch fixes the lookup to use the parsed name.
https://fedorahosted.org/sssd/ticket/2402
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4084ccd3442917c7aa88ba4d76ba1e71e67d3846 |
|
20-May-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove unused parameter from ifp_user_get_groups_reply
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
93a7dc1ed50a1f7a82d6e3985f16be774c84ada0 |
|
20-May-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove unused parameter from ifp_user_get_attr_handle_reply
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
3fe339bcba0e211cc666bb3afe34e5c8fce85f4f |
|
14-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Add a GetGroupsList method
This patch adds a new method on the bus with the following synopsis:
    <method name="GetUserGroups">
        <arg name="user" type="s" direction="in" />
        <arg name="values" type="as" direction="out"/>
    </method>
Its purpose is to return names of groups the user is a member of as a
list of strings.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
770dc892f867639f36f84455d65be6287935a529 |
|
13-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Per-attribute ACL for users
Introduces a new option called user_attributes that allows specifying
which user attributes are allowed to be queried from the IFP responder.
By default only the default POSIX set is allowed; this option allows
either adding other attributes (+attrname) or removing them from the default
set (-attrname).
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2fbe9b9373dcdc28558da07690e57ff7a162a11d |
|
13-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Add GetUserAttrs call
Adds a DBus method that allows the caller to retrieve attributes of a
user. The synopsis of the call is as follows:
    <method name="GetUserAttr">
        <arg type="s" name="user" direction="in"/>
        <arg type="as" name="attr" direction="in"/>
        <arg type="a{sv}" name="values" direction="out"/>
    </method>
The return value is an array (one attribute per array member) of
dictionaries. The key of the dictionary is the attribute name, the value
is a variant containing the attribute values as strings.
If an attribute does not exist or is not permitted to be read, no error
is returned. If the user does not exist, the method returns an error.
In future patches this function will be marked as obsolete in favor of
object-oriented approach.
ifp_user_get_attr_unpack_msg is a separate function to allow extending
it in a later patch.
The function to check the cache validity duplicates quite a bit of code
with the NSS responder. The refactoring would be nice to get done along
with #843.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com> |
3660f49f81e4db07be66fe0887af9d62065f1f2c |
|
13-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: use a list of allowed_uids for authentication
Similar to the PAC responder, the InfoPipe uses a list of UIDs that are
allowed to communicate with the IFP responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com> |
8214510f125879c3b1d247f2ce981ee20b5375d1 |
|
04-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Connect to the system bus
Related:
https://fedorahosted.org/sssd/ticket/2072
Adds the possibility for the InfoPipe responder to connect to the system bus.
At the moment, only a dummy method "Ping" is provided. The method only
accepts a single string parameter that has to be 'ping'. |
cb4d5b588e704114b7090678752d33512baa718e |
|
04-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Re-add the InfoPipe server
Related:
https://fedorahosted.org/sssd/ticket/2072
This commit only adds the responder and the needed plumbing. No DBus
related code is in yet. |