MONITOR: Remove unused shutDown sbus method The shutDown method has not been used or set for a long time. Trim the internal interface by removing all references to this internal method. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

MONITOR: Remove deprecated pong sbus method The pong method is deprecated since we started using the watchdog. Since this is dead code, it makes sense to just remove it. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

DP: Remove old data provider interface Reverse data provider interface is moved to a better location in NSS responder. All responders now can have an sbus interface defined per data provider connection. The unused old data provider interface is removed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Responders: Make the client context more generic This is useufl to allow reusing the responder code with other protocols. Store protocol data and responder state data behind opaque pointers and use tallog_get_type to check they are of the right type. This also allows to store per responder state_ctx so that, for example, the autofs responder does not have to carry useless variables used only by the nss responder. Resolves: https://fedorahosted.org/sssd/ticket/2918 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RESPONDER: New interface for client registration This is just a beginning of new responder interface to data provider and it is just to make the client registration work. It needs further improvement. The idea is to take the existing interface and make it work better with further extensions of data provider. The current interface has several disadvantages such as it is originally build only for account requests and doesn't take different set of output parameters. It also doesn't work well with integration into tevent-made responders. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

RESPONDER: Removing ncache from ifp_ctx This patch switches ncache from ifp_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

RESPONDER: Removing neg_timeout from ifp repsonder Timeout of negative cache is handled by context of negative cache itself. This patch removes neg_timeout parameter from ifp_ctx and from ifp_user_get_attr_state. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

NEGCACHE: Adding timeout to struct sss_nc_ctx It adds timeout of negative cache to handling struct sss_nc_ctx. There is one change in API of negatice cache: * int sss_ncache_init(TALLOC_CTX *memctx, uint32_t timeout, <----- new struct sss_nc_ctx **_ctx); There is also one new function in common/responder: * errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb, uint32_t *ncache_timeout); Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Suppress warning from static analyzer It seems that clang expected that errno can change to 0 in case of error. It might be a bug in static analyzer. But the workaround does not change the logic and the errno is read just once.

IFP: Add wildcard requests Resolves: https://fedorahosted.org/sssd/ticket/2553 Can be used as: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 By default the wildcard_limit is unset, that is, the request will return all cached entries that match. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Export nodes IFP now exports cached users and groups in introspection. After a user is cached with: dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \ org.freedesktop.sssd.infopipe.Cache.Object.Store And Introspection called with: dbus-send --print-reply --system \ --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.DBus.Introspectable.Introspect The cached users would be visible in the Introspection XML as: <node name="ipaldap/397400000" /> </node> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: add org.freedesktop.sssd.infopipe.Users.User Example calls: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/10001 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name method return sender=:1.159 -> dest=:1.165 reply_serial=2 variant string "user-1" Resolves: https://fedorahosted.org/sssd/ticket/2150 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

responders: reset ncache after domains are discovered during startup After responders start, they add a lookup operation that discovers the subdomains so that qualifying users works. After this operation is finishes, we need to reset negcache to allow users to be added into the newly discovered domains. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

IFP: unify generated interfaces names Number of interfaces will grow. It is mandatory to unify names of generated structures and methods to simplify coding and debugging. The C name is created from D-Bus lowercased interface name using the following rewrite rules: org.freedesktop.sssd.infopipe -> iface_ifp . -> _ Example: org.freedesktop.sssd.infopipe.Domains -> iface_ifp_domains Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: move interface definitions from ifpsrv.c into separate file Number of IFP interfaces will grown up rapidly in the future. It is not convenient to keep it inside ifpsrv.c. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sbus: add new iface via sbus_conn_register_iface() Rename sbus_conn_add_interface() to sbus_conn_register_iface() and remove sbus_new_interface() calls since it is just one more unnecessary call outside the sbus code. The function sbus_new_interface() is made static and used directly in sbus_conn_register_iface(). The name was chosen to better describe what the function is doing. That it registers an interface on a given object path. The same interface can be used with different paths so it is not really about adding an interface. Preparation for: https://fedorahosted.org/sssd/ticket/2339 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: Fix typo in debug message Reviewed-by: Pavel Reichl <preichl@redhat.com>

RESPONDERS: Set default value for umask Resolves: https://fedorahosted.org/sssd/ticket/2468 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

responders: Do not initialize pipe fd if already present Allow to skip initialization of pipe file descriptor if the responder context already has one. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

SSSD: Add the options to specify a UID and GID to run as Adds new command line options --uid and --gid to all SSSD servers, making it possible to switch to another user ID if needed. So far all code still runs as root. Reviewed-by: Pavel Reichl <preichl@redhat.com>

IFP: Provide a SBUS method to reconnect to sysbus Introduces a new method implemented only by the IFP responder. When this method is received, the responder attempts to reconnect to the system bus, if not connected already. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>

IFP: Return a specific value on failure connecting to the system bus We need to treat the failure to connect to the system bus as non-fatal. In this commit, we introduce a special error code and only print a DEBUG message when this error code is returned from the startup function. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Fix DEBUG messages The DEBUG messages in the IFP responder predated Nikolai's mass-patches and were not converted correctly. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Implement SSSD components Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: Implement domain getters Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: Add ListDomains and FindDomainByName Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Support multiple interfaces on sysbus Instead of passing just one interface with the functions, we need to support multiple interfaces for the InfoPipe and export them all on the sysbus. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Add a GetGroupsList method This patch adds a new method on the bus with the following synopsis: <method name="GetUserGroups"> <arg name="user" type="s" direction="in" /> <arg name="values" type="as" direction="out"/> </method> Its purpose is to return names of groups the user is a member of as a list of strings. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Per-attribute ACL for users Introduces a new option called user_attributes that allows to specify which user attributes are allowed to be queried from the IFP responder. By default only the default POSIX set is allowed, this option allows to either add other attributes (+attrname) or remove them from the default set (-attrname). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Add GetUserAttrs call Adds a DBus method that allows the caller to retrieve attributes of a user. The synopsis of the call is as follows: <method name="GetUserAttr"> <arg type="s" name="user" direction="in"/> <arg type="as" name="attr" direction="in"/> <arg type="a{sv}" name="values" direction="out"/> </method> The return value is an array (one attribute per array member) of dictionaries. The key of the dictionary is the attribute name, the value is a variant containing the attribute values as strings. If an attribute does not exist or is not permitted to be read, no error is returned. If the users does not exist, the method returns an error. In future patches this function will be marked as obsolete in favor of object-oriented approach. ifp_user_get_attr_unpack_msg is a separate function to allow extending it in a later patch. The function to check the cache validity duplicates quite a bit of code with the NSS responder. The refactoring would be nice to get done along with #843. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

IFP: Initialize negative cache timeout In order to avoid hitting the back end with repetitive requests, the InfoPipe responder needs a negative cache, too. This patch follows the convention set by other responders, where the negative cache timeouts are read from the [nss] section. This is not ideal, however, and ticket #2318 tracks moving the configuration to the [ifp] section primarily. The timeout is also a separate parameter in the NSS context. We should consider moving it to the negcache context instead (#2317). Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

IFP: use a list of allowed_uids for authentication Similar to the PAC responder, the InfoPipe uses a list of UIDs that are allowed to communicate with the IFP responder. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

SBUS: Add SBUS_CONN_TYPE_SYSBUS We need to retrieve caller IDs for each call from the system bus. This commit adds a new SBUS connection type that identifies system bus connection. The connection is used in the IFP provider. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

IFP: do not create client socket There is no need for client socket in IFP responder, since it uses D-Bus for communication with clients. Resolves: https://fedorahosted.org/sssd/ticket/2290 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IFP: Connect to the system bus Related: https://fedorahosted.org/sssd/ticket/2072 Adds the possibility for the InfoPipe responder to connect to the system bus. At the moment, only a dummy method "Ping" is provided. The method only accepts a single string parameter that has to be 'ping'.

IFP: Re-add the InfoPipe server Related: https://fedorahosted.org/sssd/ticket/2072 This commit only adds the responder and the needed plumbing. No DBus related code is in yet.