DP: Remove old data provider interface Reverse data provider interface is moved to a better location in NSS responder. All responders now can have an sbus interface defined per data provider connection. The unused old data provider interface is removed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

RESPONDER: Add a helper function sss_resp_create_fqname When looking up entries in the responders that have not been yet converted to the cache_req API, we need to perform some common operations all the time. These include converting the name to the right case, reverse-replacing whitespace and converting the name to the qualified format for that domain. This patch adds a function that performs these steps to avoid code duplication. Reviewed-by: Sumit Bose <sbose@redhat.com>

Secrets: Add initial responder code for secrets service Start implementing the Secrets Service Reponder core. This commit implements stratup and basic conenction handling and HTTP parsing (using the http-parser library). Signed-off-by: Simo Sorce <simo@redhat.com> Related: https://fedorahosted.org/sssd/ticket/2913 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Responders: Add support for socket activation Add helper that uses systemd socket activation if available to accept a pre-listining socket at startup. Related: https://fedorahosted.org/sssd/ticket/2913 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Responders: Make the client context more generic This is useufl to allow reusing the responder code with other protocols. Store protocol data and responder state data behind opaque pointers and use tallog_get_type to check they are of the right type. This also allows to store per responder state_ctx so that, for example, the autofs responder does not have to carry useless variables used only by the nss responder. Resolves: https://fedorahosted.org/sssd/ticket/2918 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RESPONDER: New interface for client registration This is just a beginning of new responder interface to data provider and it is just to make the client registration work. It needs further improvement. The idea is to take the existing interface and make it work better with further extensions of data provider. The current interface has several disadvantages such as it is originally build only for account requests and doesn't take different set of output parameters. It also doesn't work well with integration into tevent-made responders. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

RESPONDER: Removing of redudant function There is redudant function responder_get_neg_timeout_from_confdb(). This patch removes it. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

RESPONDERS: Negcache in resp_ctx preparing Preparation for initialization of negative cache in common responder. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

NEGCACHE: Adding timeout to struct sss_nc_ctx It adds timeout of negative cache to handling struct sss_nc_ctx. There is one change in API of negatice cache: * int sss_ncache_init(TALLOC_CTX *memctx, uint32_t timeout, <----- new struct sss_nc_ctx **_ctx); There is also one new function in common/responder: * errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb, uint32_t *ncache_timeout); Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

cache_req: improve debugging Each debug message is matched to a specific request, this way it will be easier to follow the request flow especially when paralel request are running. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

Util: Improve code to get connection credentials Adds support to get SELINUX context and make code more abstract so that struct ucred (if availale) can be used w/o redefining uid,gid,pid to int32. Also gives a layer of indirection that may come handy if we want to improve the code further in the future. Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

REFACTOR: SCKT_RSP_UMASK constant in responder code This patch adds new SCKT_RSP_UMASK constant which stands for 0111. And it replaces all occurances in responder code. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

REFACTOR: DFL_RSP_UMASK constant in responder code There is DFL_RSP_UMASK constant for very secure umask in responder code. This patch replaces occurances of value 0177 with this constant. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP Related: https://fedorahosted.org/sssd/ticket/2553 Extends the Data Provider interface and the responder<->Data provider interface with wildcard lookups. The patch uses a new "wildcard" prefix rather than reusing the existing user/group prefixes. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: add FindByCertificate method for User objects Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

responders: reset ncache after domains are discovered during startup After responders start, they add a lookup operation that discovers the subdomains so that qualifying users works. After this operation is finishes, we need to reset negcache to allow users to be added into the newly discovered domains. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Add parse_attr_list_ex() helper function Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RESPONDERS: Set default value for umask Resolves: https://fedorahosted.org/sssd/ticket/2468 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RESPONDERS: refactor create_pipe_fd() Resolves: https://fedorahosted.org/sssd/ticket/2470 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

responders: Do not initialize pipe fd if already present Allow to skip initialization of pipe file descriptor if the responder context already has one. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

responder_common: Create fd for pipe in helper Move creating of file descriptor for pipes into helper function and make this function public. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

UTIL: Add a function to convert id_t from a number or a name We need a custom function that would convert a numeric or string input into uid_t. The function will be used to drop privileges in servers and also in the PAC and IFP responders. Includes a unit test to test all code that changed as well as a fix for a misnamed attribute in the csv_to_uid_list function synopsis. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Make the space override responder-agnostic https://fedorahosted.org/sssd/ticket/2397 In order to make the override_space option usable by other responders, we need to move the override_space option to the generic responder structure. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

RESPONDERS: Add a new request sss_parse_inp_send The responders were copying code to parse input and on encountering an uknown domain, send the discover subdomain request. This patch adds a reusable request that can always be called in responders and in case the name can be parsed, just shortcut. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

sbus: Refactor how we export DBus interfaces Most importantly, stop using per connection private data. This doesn't scale when you have more than one thing exporting or exported on a connection. Remove struct sbus_interface and expand sbus_conn_add_interface() function. Remove various struct sbus_interface args to connection initialization functions and make callers use sbus_conn_add_interface() directly. The old method was optimized for exporting one interface on a connection. We'll have connections that export zero, one or more interfaces. To export an interface on a DBus server, call sbus_conn_add_interface() from within the sbus_server_conn_init_fn. To export an interface on a DBus client, call sbus_conn_add_interface() after sbus_new_connection() returns. As before struct sbus_interface represents an object exported via DBus. However it is now talloc allocated. One can set instance data on the struct sbus_interface. This instance data is passed to the various handlers and used in their implementation. However, we now have type safe interface exporting in the various high level sss_process_init() sss_monitor_init() and so on. Introspection support was not in use, and is now gone until we implement it using the metadata (future patch). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

sbus: Add struct sbus_request to represent a DBus invocation struct sbus_request represents a request from a dbus client being handled by a dbus server implementation. The struct contains the message, connection and method (and in the future teh property) which is being requested. In the future it will contain caller information as well. sbus_request is a talloc memory context, and is a good place to attach any allocations and memory specific to the request. Each handler accepts an sbus_request. If a handler returns EOK, it is assumed that the handler will finish the request. Any of the sbus_request_*finish() methods can be used to complete the request and send back a reply. sbus_request_return_and_finish() uses the same argument varargs syntax as dbus_message_append_args(), which isn't a great syntax. Document it a bit, but don't try to redesign: The marshalling work (will follow this patch set) will remove the need to use varargs for most DBus implementation code. This patch migrates the monitor and data provider dbus code to use sbus_request, but does not try to rework the talloc context's to use it. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

UTIL: Move sss_parse_name_for_domains declaration to util.h

Remove duplicate declaration

Include external headers with #include <foo.h> I find it more readable to include headers from outside the sssd tree with <foo.h>, not "foo.h". The latter should be used for in-tree headers only.

Lookup domains at startup To make sure that e.g. the short/NetBIOS domain name is available this patch make sure that the responders send a get_domains request to their backends at startup the collect the domain information or read it from the cache if the backend is offline. For completeness I added this to all responders even if they do not need the information at the moment. Fixes https://fedorahosted.org/sssd/ticket/1951

Add responder_get_domain_by_id() This new call is similar to responder_get_domain() but uses the domain SID as search parameter. Since the length of the stored domain SID is used in the comparison, SIDs of users and groups and be used directly without stripping the RID component. The functionality is not merged into responder_get_domain() to allow to calculate the timeout correctly and return a specific error code if the entry is expired.

Add two new request types to the data-provider interface The patch adds two new request types for SID related requests. The first one is used if a SID is given and the corresponding object should be found. The second one can be used if the SID for an object is requested but it is not clear if the object is a user or a group.

Remove unused TALLOC_CTX from responder_get_domain() Recent refactoring removed the need to copy the domain info data of sub-domains because the related objects will not be removed from memory anymore.

Move sss_cmd_execute from client to responder code. I think it logically belongs there and allows to better exercise the responder commands from unit tests.

Refactor sysdb initialization Change the way sysdbs are initialized. Make callers responsible for providing the list of domains. Remove the returned array of sysdb contexts, it was used only by sss_cache and not really necessary there either as that tool can easily iterate the domains. Make sysdb ctx children of their respective domains. Neither sysdb context nor domains are ever freed until a program is done so there shouldn't be any memory hierarchy issue. As plus we simplify the code by removing a destructor and a setter function.

do not call dp callbacks when responder is shutting down https://fedorahosted.org/sssd/ticket/1514 We were experiencing crash duting responder shut down. This happened when there were some unresolved dp request during the shut down. The memory hierarchy is main_ctx->specific_ctx->rctx, where specific_ctx may be one of the pam, nss, sudo, etc. contexts. If we try to call dp request callback as a result of responder termination, the specific context is already semi freed, which may cause crash.

Add new option default_domain_suffix

pac responder: limit access by checking UIDs A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied. Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder. Fixes: https://fedorahosted.org/sssd/ticket/1382

Make the client idle timeout configurable

Add support for terminating idle connections

Make re_expression and full_name_format per domain options * Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663

SSH: Add dp_get_host_send to common responder code Instead of using account_info request, creates a new ssh specific request. This improves code readability and will make the code more flexible in the future. https://fedorahosted.org/sssd/ticket/1176

Modified responder_get_domain() Now it checks for subdomains as well as for the domain itself

Responder part of the subdomain retrieval work

Use the correct hash table for pending requests The function that handled pending requests on reconnect was checking an orphaned global variable that was never used, redenring the whole function uselsess. This fixes a very nasty bug that was causing requests for which we never received an answer for (for example because the backend failed and was restarted) to be never removed and therefore causing a black hole effect for any other request of the same type. Fixes: https://fedorahosted.org/sssd/ticket/1229

RESPONDERS: Allow increasing the file-descriptor limit This patch will increase the file descriptor limit to 8k or the limits.conf maximum, whichever is lesser. https://fedorahosted.org/sssd/ticket/1197

Remove setent structure when callback is called

DP: Add support for hosts in sss_dp_get_account Host requests are directed to the host info handler.

AUTOFS: responder

Split the logic to check cache expiration into separate function

RESPONDERS: Refactor setent_req_list Makes the setent_add_ref() and setent_notify_*() functions more generic to be reusable by the autofs responder.

RESPONDERS: Provide a common sss_cmd_send_error function The common function could be reused in new responders

Refactor nss_cmd_send_empty

NSS: Add service enumeration support to NSS provider

DP: Refactor responder_dp_req so it's reusable by other responders * the internal request is now more generic and is decoupled from account-specific data. There is a new sss_dp_issue_request() wrapper that issues a BE request or registers a callback * the public requests all use struct sss_dp_req_state as the tevent_req state data. This allows to report back data from the internal request even if the caller is just a callback notifier * each specific request now uses an _info structure that contains all the data necessary to construct a DBusMessage passed to provider * each specific request now defines a sss_dp_get_$data_msg callback that is called from the sss_dp_issue_request() common wraper. The purpose of the wrapper is to construct a DBusMessage and bind it to a DBus method so the message can be just sent over to back end The miscellanous changes include: * change SSS_DP_ constants to an enum. This way, a switch() would error if a value is not handled. * rename sss_dp_get_account_int_send() to sss_dp_internal_get_send() request because the internal request is going to handle more than just account data * the DBus return values were renamed from err_maj, err_min to dp_err and dp_ret respectively

DP: Add support for services in dp requests

RESPONDER: Extend sss_dp_account_send() to include extra data Some NSS maps such as 'services' require more values to be passed to the data provider than just the name or ID. In these cases, we will amend an optional component to filter value to pass to the data provider backend.

PAM: make initgroups timeout work across multiple clients Instead of timing out the initgroups lookup on a per-cctx basis, we will maintain a hash table of recently-seen users and use this instead. This will allow SSSD to handle user's logging into multiple services simultaneously more graciously, as well as playing nicer with SSH (which makes calls to PAM both before and after a fork). https://fedorahosted.org/sssd/ticket/1063

Responders: Split getting domain by name into separate function

RESPONDER: Refactor DP requests into tevent_req style

RESPONDER: Ensure that all input strings are valid UTF-8

Allow changing the log level without restart We will now re-read the confdb debug_level value when processing the monitor_common_logrotate() function, which occurs when the monitor receives a SIGHUP.

Update the ID cache for any PAM request Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749

Remove all nss requests after a reconnect Currently we do not handle the open nss request after a reconnect and wait until they timeout (which is a couple of minutes!). This patch adds a handler that terminates all requests after a reconnect. Then responder will return matching cache entries or nothing.

Add netgroup support to the NSS responder

Handle multiple simultaneous enumeration requests Previously, if a second enumeration request arrived while one was already being processed, each process would receive only a subset of the total number of available users or groups. This is because we were maintaining the response object as a global value in the NSS responder. The second request would come in, see that the data set was already populated, and start reading from wherever the cursor was currently pointed. With this patch, we now move the cursor to the client context instead of the global NSS context. Additionally, this patch completely rewrites the approach to enumerations in the tevent_req style. This makes it much easier to follow in the code. In order to ensure that a slow or malicious client cannot hold onto a reference for the setent result object indefinitely, we set an expiration on the object. We use the enum_cache_timeout here, since that is an appropriate value. If the timeout fires during the normal operation of the get*ent() loop of a client program, we will save the current values of the read index so that we can resume as soon as the object has been refreshed by an implicit setent call. Instead of deleting the enumeration result object immediately after the last in-progress client has read it, we'll keep the object around for the lifetime of enum_cache_timeout. This way, additional clients making enumeration requests can still access the results in-memory.

Use SO_PEERCRED on the PAM socket This is the second attempt to let the PAM client and the PAM responder exchange their credentials, i.e. uid, gid and pid. Because this approach does not require any message interchange between the client and the server the protocol version number is not changed. On the client side the connection is terminated it the responder is not run by root. On the server side the effective uid and gid and the pid of the client are available for future use. The following additional changes are made by this patch: - the checks of the ownership and the permissions on the PAM sockets are enhanced - internal error codes are introduced on the client side to generate more specific log messages if an error occurs

Revert "Add better checks on PAM socket" This reverts commit 5a88e963744e5da453e88b5c36499f04712df097.

Add better checks on PAM socket - check if the public socket belongs to root and has 0666 permissions - use a SCM_CREDENTIALS message if available

Rename server/ directory to src/ Also update BUILD.txt