CACHE_REQ: Make use of domainResolutionOrder domainResolutionOrder has been introduced in the previous commits and allows the admin to set up a specific order which the domains will be resolved during a lookup and with this patch we can take advantage of this. In order to have it working a new structure has been added (struct domain_resolution_order) to the responder context and will be used by the cache_req to perform the lookups based on this list. As the ipaDomainResolutionOrder may be set globally on IPA or per View, SSSD does respect the following precedence order: View > Globally. The way the list is built is quite simple, basically having the domains present on ipaDomainResolutionOrder as the first domains (in that specific order) and then appending the remaining domains to this list. The final result is a completely flat list with all the domains respecting the specified order (it's important to remember that the domains not specified won't follow any specific order, they're just "random" based on the domains list present in the responder context. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

nss: make nss responder tests work with new code There were few type of changes that were require for tests to work: 1) When calling "get by name" commands, a name is parsed with sss_parse_inp. Returned value is now mocked. 2) When calling "get by upn" commands, a name is parsed with sss_parse_inp and negative cache is not hit in the first run since cache_req knows it may be upn since it is not equal to any known domain. Returned value of sss_parse_inp is now mocked to return ERR_DOMAIN_NOT_FOUND and negative cache hits are checked to be 0. 3) Lookups by certificate or sid do not require name parsing so those have separate mock functions. 4) Sometime the test fail since different number of mocked functions is called due to changes in the code. Where possible, will_return_always() is used, otherwise number of mocked values was fixed. 5) In SID by name lookups, we set nss_test_ctx->tctx->done to false on the beggining of for cycle, since the code now contains tevent calls and withough it only a first request proceed into tevent_loop in test_ev_loop() because the first finished request sets it to true. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Responders: Make the client context more generic This is useufl to allow reusing the responder code with other protocols. Store protocol data and responder state data behind opaque pointers and use tallog_get_type to check they are of the right type. This also allows to store per responder state_ctx so that, for example, the autofs responder does not have to carry useless variables used only by the nss responder. Resolves: https://fedorahosted.org/sssd/ticket/2918 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RESPONDERS: Negative caching of local users This patch adds new option 'neg_cache_locals_timeout' into section of NSS responder. It allows negative caching of local groups and users. Default value is 0 which means no caching. Resolves: https://fedorahosted.org/sssd/ticket/2928 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

RESPONDERS: Negcache in resp_ctx preparing Preparation for initialization of negative cache in common responder. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

TESTS: Split a separate common_mock_resp_dp module Splitting the module would allow responders that test the Data Provider requests to use the mock_rctx/mock_cctx functions without duplicate definitions. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

CMocka based test for the NSS responder