ifp: use realloc in ifp_list_ctx_remaining_capacity() ifp_list_ctx_remaining_capacity() might be called multiple times if results from multiple domains are added to the result list. The current use of talloc_zero_array() which was introduced with commit b0b9222 will override results which are already in the list. This causes a regression since it worked before. This patch replaces it with talloc_realloc(). Resolves https://pagure.io/SSSD/sssd/issue/3608 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

IFP: Don't pre-allocate the amount of entries requested By allocating the number of entries when actually copying the list we can avoid situations where users request an enourmous amount of results but the number of results got from the backend are just a few. With this new approach we end up allocating the whole list more frequently but we avoid not returning valid results because the requested number of enties is too big (note that if the amount of results is too big as well, there's nothing much we can do). A simple reproducer for this issue can be the really extreme call: $ dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByName string:"*" uint32:"-1" The example pasted above would try to allocate an array of MAX_UINT32 size, which would fail directly. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Change ifp_list_ctx_remaining_capacity() return type Now ifp_list_ctx_remaining_capacity() returns an errno_t and receives the count as an output parameter. It allows better handling and error reporting in case something goes wrong internally in this function. Related: https://pagure.io/SSSD/sssd/issue/3306 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Fix of limit = 0 (unlimited result) If we set limit to 0 it means that result is unlimited. Internally we restrict number of result by allocation of result array. In unlimited case there was a bug and zero array was allocated. This fix allocates neccessary array when we know real result size. Resolves: https://pagure.io/SSSD/sssd/issue/3306 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Add domain and domainname attributes to the user org.freedekstop.sssd.infopipe.Users.User gets two new attributes: - domain: object path of user's domain - domainname: user's domain name org.freedekstop.sssd.infopipe.GetUserAttr can now request new attribute: - domainname: user's domain name Resolves: https://pagure.io/SSSD/sssd/issue/2714 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

IFP: Amend the InfoPipe responder for fqdns Parses the internal sysdb names and puts them on the bus using the sss_output_name() helper. Previously, the raw sysdb names were used. Reviewed-by: Sumit Bose <sbose@redhat.com>

IFP: use default limit if provided is 0 Returning zero values doesn't make any sense, so we may use it as "use sssd configuration instead". Reviewed-by: Petr Cech <pcech@redhat.com>

IFP: Add wildcard requests Resolves: https://fedorahosted.org/sssd/ticket/2553 Can be used as: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 By default the wildcard_limit is unset, that is, the request will return all cached entries that match. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: add org.freedesktop.sssd.infopipe.Users.User Example calls: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/10001 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name method return sender=:1.159 -> dest=:1.165 reply_serial=2 variant string "user-1" Resolves: https://fedorahosted.org/sssd/ticket/2150 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sbus: move common opath functions from ifp to sbus code These functions are quite general thus they may be part of sbus interface. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add parse_attr_list_ex() helper function Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: Add a utility function to reply with an object path Reviewed-by: Stef Walter <stefw@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Add utility functions to escape and unescape object paths D-Bus spec says: Each element must only contain the ASCII characters "[A-Z][a-z][0-9]_" This patch adds two utility functions to escape raw input into format suitable for DBus and conversely transform escaped paths back into raw paths. Reviewed-by: Stef Walter <stefw@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Per-attribute ACL for users Introduces a new option called user_attributes that allows to specify which user attributes are allowed to be queried from the IFP responder. By default only the default POSIX set is allowed, this option allows to either add other attributes (+attrname) or remove them from the default set (-attrname). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: use a list of allowed_uids for authentication Similar to the PAC responder, the InfoPipe uses a list of UIDs that are allowed to communicate with the IFP responder. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

IFP: Add utility functions Adds a number of utility functions, most importanly ifp_req_create(). The ifp_req is a structure that will be passed along with the ifp request and would provide easy access to both the sbus_request data and per-responder data, like the ifp_ctx. Also includes a utility function to split a path prefix from a full path and add a ldb_element into a dictionary. These will be reused later. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>