4169fb26ea2ff93c19ecdad6e09382732ea5deeb |
|
20-Oct-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: switch to new code
This patch switches the old switch-based cache req code to
the new plugin-based one.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c88b63b2dd82f7111abc00d93fa8db2707487572 |
|
07-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
fix some 'might be used uninitialized' warnings
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
61913b8f0d1ba54d82640500d7486fac5f72b030 |
|
07-Jul-2016 |
Pavel Březina <pbrezina@redhat.com> |
sudo: solve problems with fully qualified names
sudo expects the same name in the sudo rule as the login name. Therefore,
if a fully qualified name is used, or even enforced by setting
use_fully_qualified_names to true or by forcing a default domain
with default_domain_suffix, sssd is able to correctly return the
rules but sudo can't match the user with the content of the sudoUser
attribute since it is not qualified.
This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match the current user name, id or groups and
replace the sudoUser attribute with sudoUser: #uid.
2. We fetch complementary rules that contain netgroups; since it is
expected that we don't have information about existing netgroups in the
cache, sudo still needs to evaluate them for us if needed.
This patch also removes the test for sysdb_get_sudo_filter since it wasn't
sufficient anyway, and I did not rewrite it since I don't think it
is a good thing to have filter tests that depend on exact filter
order.
Resolves:
https://fedorahosted.org/sssd/ticket/2919
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c02b8482375837b57cb618ed56d4bede0e006d9d |
|
18-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Remove braces from DEBUG statements
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
e3bb7b3fda4697fa9c6f80107cd01dd04a20c85f |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing ncache from sudo_ctx
This patch switches ncache from sudo_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
beb07d2f45856d4f3135f173cce551a2aa878f57 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing neg_timeout from pam responder
It removes the neg_timeout parameter from struct pam_ctx. The timeout is
handled internally by the negative cache context.
This patch additionally removes neg_timeout from struct cache_req_state.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
b3ca35780617b2e5a7637f9888b089e8e26a4e8c |
|
19-Apr-2016 |
Pavel Březina <pbrezina@redhat.com> |
sudo: convert get_sudorules to tevent
There was a lot of confusion with different error codes
and where to call sudosrv_cmd_done to finish the client
request. Converting it whole to tevent makes it much
simpler to read and follow the request logic.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
15d41c8f28259061e39715acdbbbaea778b6ecc8 |
|
19-Apr-2016 |
Pavel Březina <pbrezina@redhat.com> |
sudo: do not use tevent when parsing query
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
52300e30a0ec0bbfa1b0918ee0b495f06f5d142a |
|
19-Apr-2016 |
Pavel Březina <pbrezina@redhat.com> |
sudo: use cache_req for initgroups
This is just a blind code change; the next patch will improve it so
that, for example, we don't do initgroups during the query-parsing phase.
Resolves:
https://fedorahosted.org/sssd/ticket/1126
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
877b92e80bde510d5cd9f03dbf01e2bcf73ab072 |
|
23-Oct-2015 |
Michal Židek <mzidek@redhat.com> |
util: Update get_next_domain's interface
Update get_next_domain to be able to
include disabled domains and change the
interface to accept flags instead of
multiple booleans.
Ticket:
https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
fb8985a3a3a267940760967beaf8af3979ce91ea |
|
14-Oct-2015 |
Pavel Březina <pbrezina@redhat.com> |
sudo: send original name and id with local views if possible
Resolves:
https://fedorahosted.org/sssd/ticket/2833
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
51a0e3a2ef9186d19cbc28d87fe6fc5d5998a0a7 |
|
14-Oct-2015 |
Pavel Březina <pbrezina@redhat.com> |
sudo: search with view even if user is found
If an overridden name is provided and the user is already cached, we fail
to refresh it since we won't search with the VIEW flag. This patch fixes
it.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
52e3ee5c5ff2c5a4341041826a803ad42d2b2de7 |
|
14-Aug-2015 |
Pavel Březina <pbrezina@redhat.com> |
sudo: use "higher value wins" when ordering rules
This commit changes the default ordering logic (lower value wins) to
a correct one that is used by native ldap support. It also adds a new
option sudo_inverse_order to switch to the original SSSD (incorrect)
behaviour if needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2682
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e15872d8e804b3a48b7bdd3f68c276b3ae8d11db |
|
20-Oct-2014 |
Pavel Březina <pbrezina@redhat.com> |
sudo: support views
Reviewed-by: Sumit Bose <sbose@redhat.com> |
3b96d478851fbbe391ab30e3d6a0afdb9ecdd4a0 |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SUDO: Use the override_space option
https://fedorahosted.org/sssd/ticket/2397
With this patch, a user whose name is "space user" would match a sudo
rule while using the override_default_space option. Please note that the
option is only a client-side override, so the sudoUser attribute must
contain the space in order to match the original name. In other words,
when substituting space ( ) for underscore (_), this attribute would match:
sudoUser: space user
this would not:
sudoUser: space_user
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
7c30e60c525ea798aaab142766ff00eef4b5df3b |
|
15-Jul-2014 |
Pavel Březina <pbrezina@redhat.com> |
sudo: fetch sudoRunAs attribute
This attribute was used in pre-1.7 versions of sudo and it is now
deprecated in favour of sudoRunAsUser and sudoRunAsGroup. However, some users
still use this attribute so we need to support it to ensure backward
compatibility.
This patch makes sure that this attribute is downloaded if present and
provided to sudo. Sudo then decides how to handle it.
The new mapping option is not present in the man page since this
attribute has been deprecated in sudo for a very long time.
Resolves:
https://fedorahosted.org/sssd/ticket/2212
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
b434b231c9da41f6c4882186eb539cb8b629661b |
|
27-Nov-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove unused parameter from sudosrv_get_sudorules_query_cache |
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2) |
6a31a971a376a992afb838fe60b311360c970267 |
|
15-Nov-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter from the sysdb_sudo.c module |
b3292840ebaa747a9fd596ff47cc5d18198361d0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module |
895ba2c346beb7e55d43be3d0c7f54fd287faa74 |
|
27-Jun-2013 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: use different callback for oob refresh
https://fedorahosted.org/sssd/ticket/1693
Since we don't care about the values returned from the out-of-band refresh,
we do not need to set callback data. However, this caused talloc
to abort as it considers it a type mismatch when called from
tevent_req_callback_data(). |
7486dea9f5f7b2a6fbbacc6db740a82140b6377c |
|
20-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fixing critical format string issues.
--missing arguments.
--format '%s', but argument is integer.
--wrong format string, example: '%\n' |
6a7b0edb1cbe99d4adf053849d238ba7ce1996ba |
|
10-May-2013 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: search rules for subdomains in parent domain subtree
https://fedorahosted.org/sssd/ticket/1912
SUDO rules are stored under the cn=ipa.domain,cn=sysdb tree but subdomain
users are in cn=sub.domain,cn=sysdb. When we search for rules for
subdomain users we have to switch the domain context to the parent. |
274fe6a4f8bcb23e31929430110c0b52e9ce233a |
|
03-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Check for correct variable name
https://fedorahosted.org/sssd/ticket/1864 |
400833cf54777ad44247c6adaf29b586bc83eb14 |
|
07-Mar-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Removing unused parameter type from sudosrv_get_sudorules_query_cache()
https://fedorahosted.org/sssd/ticket/1825 |
bfba0655bc129ebcffc20b1204e0f87549e0a74e |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Parent and subdomains use the same sysdb
Remove code that tries to get the 'right' sysdb, as it is always going
to get the same answer anyway since the recent patches to rework the
domains/sysdb relationship. |
0232747f04b650796db56fd7b487aee8a96fab03 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Add function get_next_domain()
Use this function instead of explicitly calling domain->next
This function allows getting the next primary domain or descending into the
subdomains, and it also replaces get_next_dom_or_subdom() |
5ff1c3c5a12930692cb6284d14f7fda3a974af8e |
|
22-Jan-2013 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: change num_rules type from size_t to uint32_t
https://fedorahosted.org/sssd/ticket/1779
2^32 should be enough to store sudo rules. The size_t type was causing
trouble on big endian architectures, because it wasn't used
correctly in combination with D-Bus. |
b0fa48b0d612b46a86e45f8e4b5d9feae9784c2b |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arguments to sysdb sudo functions |
770896b194b7b66b09c2a30545b4d091fd86b1f4 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_search_custom()
Also changes sysdb_search_custom_by_name() |
58fd3aa25c5292bc67432647ab7e5059439fcc6d |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Pass domain to sysdb_get<pw/gr>nam() functions
Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore
fqnames proper value in subdomains, by testing for a parent domain being
present or not. |
d5c167e5120e58828fc3a696c8a3d1d4a48c6b9b |
|
06-Dec-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: print rule name if notBefore or notAfter attribute is missing
...and if sudo_timed = true.
https://fedorahosted.org/sssd/ticket/1688
A comma was missing in the attribute list. This caused concatenation
of the two attributes, so we requested one attribute called
"objectClasscn". This doesn't affect functionality, only debug
messages. |
3a97c85760f8bc11eff59d2acd937ab62022ed2a |
|
14-Nov-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: print how many rules we are refreshing or returning |
d38ffc9c92daeb62de7d28c409bdaeff98f82775 |
|
14-Nov-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: support users from subdomains
https://fedorahosted.org/sssd/ticket/1616 |
5a3c49e513f73c1ea2b0e756bab25839e8f35321 |
|
14-Nov-2012 |
Pavel Březina <pbrezina@redhat.com> |
use tmp_ctx in sudosrv_get_sudorules_from_cache() |
ee500ab8a901b9a9455e272f15cd2532df13a826 |
|
14-Nov-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: fix missing parameter in two debug messages |
c01f015106b6e238d918ba4574f60bee811517ec |
|
07-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
Remove SYSDB_SUDO_CACHE_OC from attribute lists
It is not an attribute. |
fb4e4c4eb6a6dc732370584f70d23dd4a2c5c7b6 |
|
07-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC
It does not contain name of the object class attribute but the value
itself. I renamed it to avoid confusion. |
898eb701893c3df1bd9f536c47555db39a10667c |
|
09-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix potential NULL-dereference
Coverity #12800 |
29bf02dbdd8168d7be04f4f15cff4321833a71c4 |
|
09-Jul-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix potential NULL-dereference
Coverity #12801 |
20f82655b3a29cf0784ba5c912927d1ada1287df |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: schedule OOB full refresh when expired rule is deleted |
010c35e66398bbeb82fb1b31fc619b1a9eaf2d3d |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: refresh expired rules |
e5b34f0166ae61468e53f369578e691ddb09cdd0 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: update dp interface |
5e7ddcae402bc284d43c5ebb5d215310a5658aba |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: allow fetching only expired rules in sudosrv_get_sudorules_query_cache() |
f7af8c5b369938725e47585c641ae5b017d442a1 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo sysdb: add expiration time to the filter |
76db25eab9010a33657f35e5afc8477c996df7a3 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: new request enum type
sss_sudo_type represents query type that comes to the responder
sss_dp_sudo_type represents query type to DP that is issued by the responder
I'm leaving the current values of sss_dp_sudo_type untouched so the compilation
is not broken. However, they will be changed to new DP types once the DP
interface is updated. |
46d3d2c731e8c7e138462e5b60a39a279dc77d81 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo api: send uid, username and domainname
https://fedorahosted.org/sssd/ticket/1239
Test client was changed accordingly. The new usage is:
sss_sudo_cli username [uid]
If uid is not set, getpwnam(username) is called. It will retrieve
both default options and rules. |
b0abb3bfdfd95951a23c9fc223c735805ffd2969 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: get rid of dctx where possible |
710472d946f6c337a095699dfd79134fa8b9eab9 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: remove code duplication in commands |
b7b50b21d2254a079b1b1c299909483d23db1512 |
|
29-Feb-2012 |
Sumit Bose <sbose@redhat.com> |
Remove sysdb_get_ctx_from_list() |
744dff21cc626efdc646dd293c97c6a19a9f6ed5 |
|
24-Feb-2012 |
Pavel Březina <pbrezina@redhat.com> |
Move sudo_dom_ctx.user to local variable |
278284224aa10805d58c978977e43b1d1126f9b1 |
|
24-Feb-2012 |
Pavel Březina <pbrezina@redhat.com> |
Honor case_sensitive option in sudo responder
https://fedorahosted.org/sssd/ticket/1205 |
699cb9781f64796af68ea620fd4952d47ac0d64a |
|
06-Feb-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - fix offline behaviour |
41ef946f3f74a46b9e26118116e4811e259b30ef |
|
04-Feb-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - in-memory cache in responder
New sudo responder option: cache_timeout
https://fedorahosted.org/sssd/ticket/1111 |
c9b2b7f3f02bf40b698c70640f151d0113736195 |
|
31-Jan-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix sudo compilation on RHEL5 |
c47e9d522f0d87259e5074ea643daaa3dfcb8d92 |
|
27-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - responder command for cn=defaults
https://fedorahosted.org/sssd/ticket/1143 |
f6171b2bc954a367f316853ab71090eb213bdee3 |
|
27-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - make sysdb_get_sudo_filter() more configurable
https://fedorahosted.org/sssd/ticket/1143 |
3b121852048a7931f8a608527b760963e2ed2bb4 |
|
27-Jan-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the new SUDO request in DP and sudo responder
Also remove the old request implementation
https://fedorahosted.org/sssd/ticket/1115 |
9d1d6019a27a0ed70a665700a9f6acc55f874811 |
|
23-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
DP: Fix bugs in sss_dp_get_account_int
The conversion to the tevent_req style introduced numerous bugs
related to memory management of the various client requests. In
some circumstances, this could cause memory corruption and
segmentation faults in the NSS responder. This patch makes the
following changes:
1) Rename the internal lookup from subreq to sidereq, to indicate
that it is not a sub-request of the current lookup (and therefore
is not cancelled if the current request is).
2) Change the handling of the callback loops since they call
tevent_req_[done|error], which results in them being freed (and
therefore removed from the cb_list). This was the source of the
memory corruption that would occasionally result in dereferencing
an unreadable request.
3) Remove the unnecessary sss_dp_get_account_int_recv() function
and change sss_dp_get_account_done() so that it only frees the
sidereq. All of the waiting processes have already been signaled
with the final results from sss_dp_get_account_int_done() |
0c7aa697991ea9df960fae14fd567ebdda3b4ff4 |
|
21-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
RESPONDER: Extend sss_dp_account_send() to include extra data
Some NSS maps such as 'services' require more values to be passed
to the data provider than just the name or ID. In these cases, we
will amend an optional component to the filter value to pass to the
data provider backend. |
f643754db81eeade60485bbe3d80324d889cc4f3 |
|
17-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration review issues |
20e310e32a47e861ce0c11bcd1dcf89dc78d8aba |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
SUDO Integration - responder - get sudo rules logic |
2827b0d03f7b6bafa504d22a5d7ca39cbda048b3 |
|
16-Dec-2011 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - responder |