History log of /sssd-io/src/responder/secrets/proxy.c
Revision Date Author Comments
9ef185255126b9ed415fa334f585a11c5be4fb1a 01-Sep-2017 Jakub Hrozek <jhrozek@redhat.com>

SECRETS: Do not link with c-ares
Since we started using libcurl for the proxy provider, there is no point in initializing or linking against c-ares. If we want to explicitly use a resolver in the future, we should use libcurl callbacks.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

074ded4cda2ce88563a3e7e5cc0eea808d3322b3 31-May-2017 Lukas Slebodnik <lslebodn@redhat.com>

SECRETS: Fix warning Wpointer-bool-conversion
Debug messages would always say that verify_peer and verify_host are enabled, even though they would be explicitly disabled.
src/responder/secrets/proxy.c:143:18: error: address of 'cfg->verify_peer' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]
    (&cfg->verify_peer ? "true" : "false"));
      ~~~~~^~~~~~~~~~~ ~
src/util/debug.h:108:32: note: expanded from macro 'DEBUG'
    format, ##__VA_ARGS__); \
              ^~~~~~~~~~~
src/responder/secrets/proxy.c:149:18: error: address of 'cfg->verify_host' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]
    (&cfg->verify_host ? "true" : "false"));
      ~~~~~^~~~~~~~~~~ ~
src/util/debug.h:108:32: note: expanded from macro 'DEBUG'
    format, ##__VA_ARGS__); \
              ^~~~~~~~~~~
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

0e8f0c06cad5805b1a1161f60e3f2cdb7a5a2921 21-Apr-2017 Lukas Slebodnik <lslebodn@redhat.com>

SECRETS: remove unused variable
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

af026ea6a6e812b7d6c5c889dda64ba7b7c433ee 30-Mar-2017 Pavel Březina <pbrezina@redhat.com>

secrets: support HTTP basic authentication with proxy provider
Even though configuration options auth_type = basic, username and password are read, they were not used anywhere prior to this patch.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 30-Mar-2017 Pavel Březina <pbrezina@redhat.com>

secrets: allow to configure certificate check
Some users may want to use TLS with an unverified peer (for example if they use a self-signed certificate) or with an unverified hostname (if the certificate hostname does not match the real hostname). On the other side it may be useful to point to a directory containing custom certificate authorities.
This patch adds three new options to secrets responder:
    verify_peer => peer's certificate must be valid
    verify_host => hostnames must match
    capath => path to directory containing CA certs
    cacert => ca certificate
    cert => client certificate
    key => client private key
Resolves: https://pagure.io/SSSD/sssd/issue/3192
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

06744bf5a47d5971a338281c8243b11cf72dac90 30-Mar-2017 Pavel Březina <pbrezina@redhat.com>

secrets: remove http-parser code in proxy provider
We switched to libcurl in previous patch. This just removes the unused code.
Resolves: https://pagure.io/SSSD/sssd/issue/3192
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

df99d709c8cbef3c378c111944d83b7345e4c1ea 30-Mar-2017 Pavel Březina <pbrezina@redhat.com>

secrets: use tcurl in proxy provider
We switch from http-parser to libcurl for an http client. This gives us many features for free such as tls and http basic authentication support instead of implementing it on our own.
Resolves: https://pagure.io/SSSD/sssd/issue/3192
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

41cd6072648bb7a9e14e56ed38004a2947f67657 04-Oct-2016 Jakub Hrozek <jhrozek@redhat.com>

SECRETS: Use HTTP error code 504 when a proxy server cannot be reached
Previously, a generic 500 error code was returned. This patch adds a new error message on a failure to contact the proxy server and returns 504, "Gateway timeout" instead.
Resolves: https://fedorahosted.org/sssd/ticket/3212
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

8fe4f98192aa23729d3607bf23c451270b320368 04-Oct-2016 Jakub Hrozek <jhrozek@redhat.com>

SECRETS: Use a better data type for ret
Normally we use errno_t for return codes and size_t for counting objects.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

7128fadade544efcd86b113a5090b00d20993671 04-Oct-2016 Jakub Hrozek <jhrozek@redhat.com>

SECRETS: Add DEBUG messages to the sssd-secrets provider
Previously, it was not possible to follow the flow of the secrets responder or find out what went wrong on error. This patch adds DEBUG messages so that most failure cases have their own message. At the same time, running sssd-secrets with debug_level <= 3 does not emit any messages at all.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

8f2a34cc6964a1f80a1434e05315a7ae0bb5774e 29-Jun-2016 Simo Sorce <simo@redhat.com>

Secrets: Add Proxy backend
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>