NEGCACHE: Add API for setting and checking locate-account-domain requests Extends the negative cache API with several request getsetters: - sss_ncache_set/check_domain_locate_type - check if this request type supports locating account domain or set that this request type does not support the locator. - sss_ncache_set/check_locate_gid/uid - check if it is time to call the locator again or set that the locator should not be called for IDs again for the duration of the negative cache. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

TEST_NEGCACHE: Ensure root's uid and gid are always added to ncache In order to do so two new functions have been introduced and test_sss_ncache_prepopulate() has been modified in order to ensure that root's uid and gid are always added to the negative cache. Related: https://pagure.io/SSSD/sssd/issue/3460 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

TEST_NEGCACHE: Test that "root" is always added to ncache Simply modify test_sss_ncache_prepopulate() in order to ensure that "root" user and group are always added to the negative cache, no matter whether they're set as part of the filter_users or filter_groups options. Related: https://pagure.io/SSSD/sssd/issue/3460 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

NEGCACHE: Add API to reset all users and groups Adds a negative cache API to reset negatively cached users and groups. This will be used when the files back end finishes enumeration to make sure all results are available. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

nss: make nss responder tests work with new code There were few type of changes that were require for tests to work: 1) When calling "get by name" commands, a name is parsed with sss_parse_inp. Returned value is now mocked. 2) When calling "get by upn" commands, a name is parsed with sss_parse_inp and negative cache is not hit in the first run since cache_req knows it may be upn since it is not equal to any known domain. Returned value of sss_parse_inp is now mocked to return ERR_DOMAIN_NOT_FOUND and negative cache hits are checked to be 0. 3) Lookups by certificate or sid do not require name parsing so those have separate mock functions. 4) Sometime the test fail since different number of mocked functions is called due to changes in the code. Where possible, will_return_always() is used, otherwise number of mocked values was fixed. 5) In SID by name lookups, we set nss_test_ctx->tctx->done to false on the beggining of for cycle, since the code now contains tevent calls and withough it only a first request proceed into tevent_loop in test_ev_loop() because the first finished request sets it to true. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

NCACHE: Store FQDNs internaly, check for shortnames in files When storing users and groups by their name in the negative cache, store them fully qualfied so that the responder only has to track the name in the internal format once the input is converted. Reviewed-by: Sumit Bose <sbose@redhat.com>

Remove braces from DEBUG statements Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

RESPONDERS: Negative caching of local users This patch adds new option 'neg_cache_locals_timeout' into section of NSS responder. It allows negative caching of local groups and users. Default value is 0 which means no caching. Resolves: https://fedorahosted.org/sssd/ticket/2928 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

RESPONDER: Removing ncache from nss_ctx This patch switches ncache from nss_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

RESPONDER: Removing neg_timeout from nss responder Timeout of negative cahce is handled by internal negative cache context. This patch removes neg_timeout from struct nss_ctx. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

NEGCACHE: Removing timeout from sss_ncache_check_* It removes timeout parameter from check functions of negative cache. Timeout is set ny init function and it is handled internally. API change: * int sss_ncache_check_...(struct sss_nc_ctx *ctx, int ttl, <----- timeout vanished struct sss_domain_info *dom, ...); Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

NEGCACHE: Adding timeout to struct sss_nc_ctx It adds timeout of negative cache to handling struct sss_nc_ctx. There is one change in API of negatice cache: * int sss_ncache_init(TALLOC_CTX *memctx, uint32_t timeout, <----- new struct sss_nc_ctx **_ctx); There is also one new function in common/responder: * errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb, uint32_t *ncache_timeout); Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

TEST: Removing duplication of mock_rctx There were duplicaton of mock_rctx(). Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

NEGCACHE: Removing of condition for ttl = -1 If ttl = -1 then function sss_ncache_check_str() returns EEXIST without checking negcache. This behaviour is out of logic. We use ttl = 0 for permanent caching. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

NEGCACHE: Fixing typo in test_sss_ncache_gid() There were sss_ncache_*_uid() functions instead of sss_ncache_*_gid() functions. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

tests: Use unique name for TEST_PATH We had a cases in patch where two tests were using the same TEST_PATH and therefore they were stepping each other to the same files which caused failures. These failures are not easy to reproduce. This patch uses macro BASE_FILE_STEM for unique name. It should prevent copy&paste problem resulting to intermittent failures. @see also https://www.gnu.org/software/make/manual/html_node/Automatic-Variables.html Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

negcache: allow domain name for UID and GID Related to https://fedorahosted.org/sssd/ticket/2731 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ncache: add calls for certificate based searches Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ncache: Add sss_ncache_reset_repopulate_permanent This new function resets the negative cache and then re-adds the permanent entries. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

ncache: Silence critical error from filter_users when default_domain_suffix is set When default_domain_suffix is used and filter_users is set (at least root is always, by default), SSSD tried to add the negcache entry to the default domain. But since the default domain is not known after start up, adding the entries fail with a verbose error message. This patch handles EAGAIN returned from the parsing function while setting negcache entries gracefully and also makes the debug message in parsing function more precise. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

ncache: Fix sss_ncache_reset_permanent There was an off-by-one error in sss_ncache_reset_permanent that prevented the reset from working. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

tests: convert all unit tests to cmocka 1.0 or later All tests now use the cmocka-1.0-compatible API. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

tests: remove code duplication in single domain cleanup Reviewed-by: Michal Židek <mzidek@redhat.com>

TESTS: Remove unused macros Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

TEST: Do not clean up if test fail. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

TEST: Use right domain name in negcache test Directory tests_ncache was not removed after negcache test, because sysdb cache had different name and was not removed in the function test_dom_suite_cleanup. [sssd] [test_dom_suite_cleanup] (0x0020): Could not delete the test dir (39) (Directory not empty) Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

TEST: Remove unused argument sysdb_path Name of sysdb file is automatically generated from domain name and db_path in function sysdb_domain_init. talloc_asprintf is called with arguments "%s/cache_%s.ldb", db_path, dom->name Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

TEST: Use unique directory for negcache test nss-srv-tests and test-negcache wrote temporary files to the same subdirectory 'tests_nss'. There could be a race condition when tests ran in parallel. The first test could remove directory which the second one wanted to use. [ldb] (0x0020): Unable to open tdb 'tests_nss/test_nss_conf.ldb' [ldb] (0x0020): Failed to connect to 'tests_nss/test_nss_conf.ldb' with backend 'tdb': Unable to open tdb 'tests_nss/test_nss_conf.ldb' [confdb_init] (0x0010): Unable to open config database [tests_nss/test_nss_conf.ldb] [create_dom_test_ctx] (0x0020): confdb_init failed: 5 Reviewed-by: Michal Žídek <mzidek@redhat.com>

Unit-test-for-negcache-module-added Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>