History log of /sssd-io/src/tests/cmocka/test_pam_srv.c
Revision Date Author Comments
0dc7f90667df6420bc9e93ae2c8bacd6ea148f0f 09-Mar-2018 Sumit Bose <sbose@redhat.com>

TESTS: replace hardcoded certificates Since the hardcoded certificates have a limited lifetime they are replaced by certificates from the test CA. Related to https://pagure.io/SSSD/sssd/issue/3436 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

57c5ea8825c7179fd93382dbcbb07e828e5aec19 29-Jan-2018 René Genz <liebundartig@freenet.de>

Fix minor spelling mistakes in tests/cmocka/* Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

data_provider/test_dp_builtin.c data_provider/test_dp_request.c data_provider/test_dp_request_table.c sbus_internal_tests.c test_ad_access_filter.c test_ad_common.c test_ad_gpo.c test_ad_subdomains.c test_authtok.c test_be_ptask.c test_cert_utils.c test_certmap.c test_child_common.c test_copy_ccache.c test_copy_keytab.c test_data_provider_be.c test_dp_opts.c test_dyndns.c test_fo_srv.c test_fqnames.c test_ifp.c test_inotify.c test_ipa_dn.c test_ipa_idmap.c test_ipa_subdomains_server.c test_ipa_subdomains_utils.c test_kcm_json_marshalling.c test_kcm_queue.c test_krb5_common.c test_krb5_wait_queue.c test_ldap_id_cleanup.c test_nested_groups.c test_nss_srv.c test_pam_srv.c test_resolv_fake.c test_responder_cache_req.c test_responder_common.c test_sbus_opath.c test_sdap.c test_sdap_certmap.c test_sdap_initgr.c test_simple_access.c test_sss_idmap.c test_sss_sifp.c test_sssd_krb5_localauth_plugin.c test_sysdb_certmap.c test_sysdb_domain_resolution_order.c test_sysdb_subdomains.c test_sysdb_sudo.c test_sysdb_ts_cache.c test_sysdb_utils.c test_sysdb_views.c test_tools_colondb.c test_utils.c test_wbc_calls.c
57cefea8305a57c1c0491afb739813b7f17d5a25 13-Nov-2017 Sumit Bose <sbose@redhat.com>

PAM: add certificate's label to the selection prompt Some types of Smartcards contain multiple certificates with the same subject-DN for different usages. To make it easier to choose between them in case the matching rules allow more than one of them for authentication, the label assigned to the certificate on the Smartcard is shown in the selection prompt as well. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

177ab84f0e336b75289a3ac0b2df25bd5ab5198b 13-Nov-2017 Sumit Bose <sbose@redhat.com>

pam: filter certificates in the responder not in the child With the new selection option and the handling of multiple certificates in the PAM responder it is not needed anymore to filter the certificates in p11_child but the matching rules can be applied by the PAM responder directly. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

fd6f4047b58686bd4057c9859c3c804a77b136d8 13-Nov-2017 Sumit Bose <sbose@redhat.com>

PAM: allow missing logon_name during certificate authentication If only one certificate is available and the logon_name of the user is not given, the PAM responder already tried to find the name during the pre-auth step. With multiple certificates this might cause useless extra effort and the name should be determined after the certificate is selected in the authentication step. This might currently only happen with GDM because all other PAM clients will prompt for the user name unconditionally. New unit tests are added to cover this new case. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

06c2300353faf3983e38fecb1d6afe1f6cc8fe32 13-Nov-2017 Sumit Bose <sbose@redhat.com>

pam: add prompt string for certificate authentication A new certificate attribute is added which contains a string which is used in the certificate selection list displayed to the user. The Subject-DN of the certificate is used here because it is present in all certificates and in general differs for certificates with different usage. libsss_certmap is used to extract the subject-DN from the certificate and convert it into a string. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

0a8024af282b271ad2185f68703d9f4e766d2bdc 13-Nov-2017 Sumit Bose <sbose@redhat.com>

p11_child: use options to select certificate for authentication New options are added to p11_child to select a specific certificate during authentication. The related unit tests are updated by adding the needed attributes to the requests. This was not necessary before because although the attributes were already sent by pam_sss they were not used in the PAM responder but only forwarded to the backend where they were used by the PKINIT code to select the expected certificate. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

0bdd8800c16f39b8fe308d20694ad905c669dff3 13-Nov-2017 Sumit Bose <sbose@redhat.com>

PAM: handled multiple certs in the responder This patch refactors the handling of the certificate and the attributes to address the certificate on the Smartcard (module name, token name and key id). Instead of using individual variables the values are put into a new struct cert_auth_info. Since the new struct can be used as a list the PAM responder can now handle multiple certificates on the Smartcard and can send the needed data to pam_sss with multiple SSS_PAM_CERT_INFO messages. Unit tests are added to confirm the expected behavior. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

2ccfa9502abf52941d8b6e44b5f7cfdd13311a2d 26-Jun-2017 Sumit Bose <sbose@redhat.com>

tests: update expired certificate This is a short term fix to un-break the unit tests. The proper fix would be to create the certificates at runtime during the tests. Related to https://pagure.io/SSSD/sssd/issue/3436 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

32474fa2f0a6dc09386bab405fc3461cb3dd12ac 01-Jun-2017 Sumit Bose <sbose@redhat.com>

PAM: send user name hint response when needed If the PAM client didn't send a user name and promtusername is enabled, the PAM responder will tell pam_sss to ask for an optional user name as well. Resolves: https://pagure.io/SSSD/sssd/issue/3395 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

89ff140d7ab92fce52d6730a7d27c8d73c7d9e4a 01-Jun-2017 Sumit Bose <sbose@redhat.com>

tests: fix test_pam_preauth_cert_no_logon_name() Currently a name is provided for test_pam_preauth_cert_no_logon_name() so it is not a no-logon-name test. This patch removes the name and adds the now missing mocked reply manually. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

29d063505c07127f7747405b1a61d8f782673645 23-May-2017 Sumit Bose <sbose@redhat.com>

pam: properly support UPN logon names Many logon applications like /bin/login or sshd canonicalize the user name before they call pam_start() and hence the UPN is not seen by SSSD's pam responder. But some like e.g. gdm don't and authentication might fail if a UPN is used. The reason is that currently the already parsed short name of the user was used in the cache_req and hence the cache_req was not able to fall back to the UPN lookup code. This patch uses the name originally provided by the user as input to allow the fallback to the UPN lookup. Resolves https://pagure.io/SSSD/sssd/issue/3240 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

3e789aa0bd6b7bb6e62f91458b76753498030fb5 30-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

PAM: Add application services Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new PAM responder option 'pam_app_services'. This option can hold a list of PAM services that are allowed to contact the application non-POSIX domains. These services are NOT allowed to contact any of the POSIX domains. Reviewed-by: Sumit Bose <sbose@redhat.com>

81c564a0692aa4b719af2219f52894e6cd4bdf9f 23-Mar-2017 Sumit Bose <sbose@redhat.com>

LDAP: always store the certificate from the request Store the certificate used to look up a user as mapped attribute in the cached user object. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

16c9d63d96ce8dc7517ae16502e9ec72d6a58d6c 10-Mar-2017 Sumit Bose <sbose@redhat.com>

PAM: allow multiple users mapped to a certificate Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

5aaaf081765b3f23e1518b5f299c289afb9d3f13 03-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

TESTS: Adapt pam-srv-tests to deal with cache_req related changes Similar to what happened for nss-srv-tests, there were a few kinds of changes required to fix the tests breakage caused by the last commit. 1) For tests including no user, no changes were required. 2) As we call an equivalent to the "get by name" command, a name is parsed with sss_parse_inp and the returned value is now mocked. 3) For the "cache_auth_success*" tests we set pam_test_ctx->tctx->done to false after adding the password to the cache, since the code now contains tevent calls and without it only the first request proceeds into tevent_loop in test_ev_loop(), as the first finished request sets done to true. 4) As the user certificate is added as a result of calling sss_dp_account_recv and the certificate value is read by the certificate lookup, we have to, in case a certificate lookup callback is set, call mock_account_recv() for the certificate before going through the mock_account_recv() for the initgroup. 5) If no logon name is given, then the user is looked up by certificates first. Since there's a matching user, the upcoming lookup by name will find the user entry. However, since the looked-up data is up to date, the dp response has to be mocked and the second argument of mock_input_pam_cert() cannot be NULL but must match the user name. 6) Add a new attribute to mock_input_pam_cert() that represents whether the backend is contacted only once. It's needed because in test_pam_cert_auth() the backend is contacted first to check whether it can handle smartcard authentication, but before that there's a lookup. Since the first mocked reply already adds the certificate to the user entry, the lookup by certificate will already find the user in the cache and no second lookup is needed.
Co-Author: Pavel Březina <pbrezina@redhat.com> Co-Author: Sumit Bose <sbose@redhat.com> Resolves: https://fedorahosted.org/sssd/ticket/1126 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3 23-Feb-2017 Sumit Bose <sbose@redhat.com>

p11: return name of PKCS#11 module and key id to pam_sss Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

82c5971fafe6063a90289ebba08035fc49ae8590 23-Feb-2017 Sumit Bose <sbose@redhat.com>

PAM: forward Smartcard credentials to backends Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

254f3898cc9fb9d76e12d72a2955906c49748e6d 23-Feb-2017 Sumit Bose <sbose@redhat.com>

PAM: use sentinel error code in PAM tests Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ce43f710c9638fbbeae077559cd7514370a10c0c 02-Nov-2016 Sumit Bose <sbose@redhat.com>

PAM: add pam_response_filter option Currently the main use-case for this new option is to not set the KRB5CCNAME environment variable for services like 'sudo-i'. Resolves https://fedorahosted.org/sssd/ticket/2296 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c8fe1d922b254aa92e74f428135ada3c8bde87a1 02-Nov-2016 Sumit Bose <sbose@redhat.com>

PAM: add a test for filter_responses() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3649b959709f1ab187092f054d4aace0798c98fa 16-Sep-2016 Sumit Bose <sbose@redhat.com>

p11: return a fully-qualified name Related to https://fedorahosted.org/sssd/ticket/3165 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

71cd9f98150577224559bdc12c53c01ce6f2c3d9 16-Sep-2016 Sumit Bose <sbose@redhat.com>

p11: only set PKCS11_LOGIN_TOKEN_NAME if gdm-smartcard is used Resolves https://fedorahosted.org/sssd/ticket/3165 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2b62d5a414b8b7dba4f714dc5033e28dc4b1f4fe 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

PAM: Use qualified names internally in the PAM responder The name is converted from whatever we receive on input to the internal format before processing the data further. Reviewed-by: Sumit Bose <sbose@redhat.com>

29071a9e2df823a2cdc13cea996ece1c996e1172 07-Jul-2016 Michal Zidek <mzidek@redhat.com>

TESTS: Start fixing the PAM responder tests for fully qualified names in sysdb Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4f3a9d837a55b49448eca3c713c85a406207e523 29-Jun-2016 Simo Sorce <simo@redhat.com>

Responders: Make the client context more generic This is useful to allow reusing the responder code with other protocols. Store protocol data and responder state data behind opaque pointers and use talloc_get_type to check they are of the right type. This also allows storing a per-responder state_ctx so that, for example, the autofs responder does not have to carry useless variables used only by the nss responder. Resolves: https://fedorahosted.org/sssd/ticket/2918 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/responder/autofs/autofs_private.h /sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/common/responder.h /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/ifp/ifpsrv.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/ssh/sshsrv_cmd.c /sssd-io/src/responder/sudo/sudosrv.c /sssd-io/src/responder/sudo/sudosrv_cmd.c common_mock_resp.c common_mock_resp.h test_nss_srv.c test_pam_srv.c
ef045ad7616667e5d824d9ac326b461f9bb1d8cf 17-Jun-2016 Lukas Slebodnik <lslebodn@redhat.com>

pam-srv-tests: Fix warning unused-function If pam-srv-tests is not built with NSS support then the certificate related tests are not executed and therefore there is an unused setup function pam_test_setup_no_verification. src/tests/cmocka/test_pam_srv.c:323:12: error: 'pam_test_setup_no_verification' defined but not used [-Werror=unused-function] static int pam_test_setup_no_verification(void **state) ^ Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

6574e41a8d1c2af293df2f57916628344eaa3560 10-Jun-2016 Lukas Slebodnik <lslebodn@redhat.com>

pam-srv-tests: Increase cached_auth_timeout The execution of sysdb_cache_password_ex can be slow due to the function s3crypt_sha512 and valgrind slowdown. Therefore the 2 seconds timeout can be reached in the positive tests test_pam_cached_auth_success and test_pam_cached_auth_success_combined_pw_with_cached_2fa Resolves: https://fedorahosted.org/sssd/ticket/2994 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d86224608ff60ec5cc7e7cbf9e53d8a04e083530 09-Jun-2016 Sumit Bose <sbose@redhat.com>

p11: add PKCS11_LOGIN_TOKEN_NAME environment variable The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the Gnome Settings Daemon to determine the name of the token used for login. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

aa35995ef056aa8ae052a47c62c6750b7adf065e 09-Jun-2016 Sumit Bose <sbose@redhat.com>

p11: add no_verification option Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

8110a8e2369e49c288ede1473657be9451a244e5 11-May-2016 Petr Cech <pcech@redhat.com>

RESPONDER: Removing ncache from pam_ctx This patch switches ncache from pam_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

4f87f99f95891ebc0814e4566fa2defb4359b008 11-May-2016 Petr Cech <pcech@redhat.com>

RESPONDER: Removing neg_timeout from nss responder Timeout of negative cache is handled by the internal negative cache context. This patch removes neg_timeout from struct nss_ctx. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

39d36216a1692eee6cc5359f6c7ccaa7789be76d 11-May-2016 Petr Cech <pcech@redhat.com>

NEGCACHE: Adding timeout to struct sss_nc_ctx It adds the timeout of the negative cache to struct sss_nc_ctx. There is one change in the API of the negative cache: * int sss_ncache_init(TALLOC_CTX *memctx, uint32_t timeout, <----- new struct sss_nc_ctx **_ctx); There is also one new function in common/responder: * errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb, uint32_t *ncache_timeout); Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

0f99ab0ad35700f7eff4809a7f4859635311ba6d 28-Jan-2016 Lukas Slebodnik <lslebodn@redhat.com>

pam-srv-tests: Reuse test directory for IO tests This patch is related to commit 50c9d542e8bf641412debaa82a4dcf67ddb72258 "tests: Use unique name for TEST_PATH" It's better to do IO operations in the common test directory to prevent conflicts with other tests (copy & paste errors) Reviewed-by: Pavel Březina <pbrezina@redhat.com>

544a20de7667f05c1a406c4dea0706b0ab507430 26-Nov-2015 Sumit Bose <sbose@redhat.com>

p11: enable ocsp checks This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification easier it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4b12be504e20173e0629835818e4db6a9617a9a4 12-Nov-2015 Pavel Reichl <preichl@redhat.com>

pam-srv-tests: Add UT for cached 'online' auth. Extend PAM responder unit test to check 'online' cached authentication. Resolves: https://fedorahosted.org/sssd/ticket/2697 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

6411cd6074688762f793de8f1dddeffcb3a71d02 12-Nov-2015 Pavel Reichl <preichl@redhat.com>

pam-srv-tests: split pam_test_setup() so it can be reused Split pam_test_setup() so domain and pam parameters can be easily set distinctly for each test. Resolves: https://fedorahosted.org/sssd/ticket/2697 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

8cfc3d5aeea21a3b8d1801aeef4866a4d3e7add0 05-Nov-2015 Sumit Bose <sbose@redhat.com>

pam-srv-tests: Change service name It would be better to not use 'ssh' or 'sshd' here at all but something like 'pam_test_service' to indicate that it is a generic name, because a default value should not lead to a code path which handles a special case. The general PAM responder test should not run through the 'sshd' case in pam_reply(); only if the service is set explicitly to 'sshd' should this feature be tested. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2e76b32e74abedb23665808bacc73cafd1097c37 02-Oct-2015 Sumit Bose <sbose@redhat.com>

PAM: only allow missing user name for certificate authentication Resolves: https://fedorahosted.org/sssd/ticket/2811 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

f182ede719c4290f46f09af1191c5eec3da54503 30-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

test_pam_srv: Run cert test only with NSS Reviewed-by: Michal Židek <mzidek@redhat.com>

ab3c0e05d18616295afbd46acad1ca243b33861c 23-Sep-2015 Michal Židek <mzidek@redhat.com>

tests: Set p11_child_timeout to 30 in tests Ticket: https://fedorahosted.org/sssd/ticket/2773 Add a way to set pam specific options in pam_test_setup and use it to set the p11_child_timeout value to 30. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>

50c9d542e8bf641412debaa82a4dcf67ddb72258 18-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

tests: Use unique name for TEST_PATH We had a case in a patch where two tests were using the same TEST_PATH and therefore they were stepping on each other's files, which caused failures. These failures are not easy to reproduce. This patch uses the macro BASE_FILE_STEM for a unique name. It should prevent copy&paste problems resulting in intermittent failures. @see also https://www.gnu.org/software/make/manual/html_node/Automatic-Variables.html Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a8d887323f83984679a7d9b827a70146656bb7b2 31-Jul-2015 Sumit Bose <sbose@redhat.com>

PAM: add certificate support to PAM (pre-)auth requests Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

6aff93510b36799c1773d368cc218cd533c43161 06-Jul-2015 Pavel Reichl <preichl@redhat.com>

Minor code improvements pam_helpers.h had to be included after util.h. Removed extra empty line. Fixed code alignment Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ea422c7061072c125eb53b40d7f3ca444d886913 08-May-2015 Sumit Bose <sbose@redhat.com>

PAM: add PAM responder unit test Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>