Tree - rpms/sssd - src.fedoraproject.org

sinnykumari / rpms / sssd

Forked from rpms/sssd 5 years ago

Blame 0025-PAM-add-certificate-matching-rules-from-all-domains.patch

Blob History Raw

		c0971b7	`From d42f44d54453d3ddb54875374c1b61dc1e7cd821 Mon Sep 17 00:00:00 2001`
		c0971b7	`From: Sumit Bose <sbose@redhat.com>`
		c0971b7	`Date: Mon, 9 Jul 2018 18:56:26 +0200`
		c0971b7	`Subject: [PATCH 30/83] PAM: add certificate matching rules from all domains`
		c0971b7
		c0971b7	`Currently the PAM responder only reads the certificate mapping and`
		c0971b7	`matching rules from the first domain. To support Smartcard`
		c0971b7	`authentication for local and remote users all configured domains must be`
		c0971b7	`taken into account.`
		c0971b7
		c0971b7	`Related to https://pagure.io/SSSD/sssd/issue/3500`
		c0971b7
		c0971b7	`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
		c0971b7	`---`
		c0971b7	`src/responder/pam/pamsrv.h \| 2 +-`
		c0971b7	`src/responder/pam/pamsrv_cmd.c \| 2 +-`
		c0971b7	`src/responder/pam/pamsrv_p11.c \| 77 +++++++++++++++++++++++++++---------------`
		c0971b7	`3 files changed, 51 insertions(+), 30 deletions(-)`
		c0971b7
		c0971b7	`diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h`
		c0971b7	`index d189ccc..5d87756 100644`
		c0971b7	`--- a/src/responder/pam/pamsrv.h`
		c0971b7	`+++ b/src/responder/pam/pamsrv.h`
		c0971b7	`@@ -114,7 +114,7 @@ errno_t add_pam_cert_response(struct pam_data pd, const char sysdb_username,`
		c0971b7	`bool may_do_cert_auth(struct pam_ctx pctx, struct pam_data pd);`
		c0971b7
		c0971b7	`errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,`
		c0971b7	`- struct certmap_info **certmap_list);`
		c0971b7	`+ struct sss_domain_info *domains);`
		c0971b7
		c0971b7	`errno_t`
		c0971b7	`pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,`
		c0971b7	`diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c`
		c0971b7	`index a6bb289..ed9ad57 100644`
		c0971b7	`--- a/src/responder/pam/pamsrv_cmd.c`
		c0971b7	`+++ b/src/responder/pam/pamsrv_cmd.c`
		c0971b7	`@@ -1737,7 +1737,7 @@ static void pam_forwarder_cb(struct tevent_req *req)`
		c0971b7	`goto done;`
		c0971b7	`}`
		c0971b7
		c0971b7	`- ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains->certmaps);`
		c0971b7	`+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);`
		c0971b7	`if (ret != EOK) {`
		c0971b7	`DEBUG(SSSDBG_OP_FAILURE,`
		c0971b7	`"p11_refresh_certmap_ctx failed, "`
		c0971b7	`diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c`
		c0971b7	`index bf72207..ffa6787 100644`
		c0971b7	`--- a/src/responder/pam/pamsrv_p11.c`
		c0971b7	`+++ b/src/responder/pam/pamsrv_p11.c`
		c0971b7	`@@ -142,11 +142,14 @@ static void ext_debug(void private, const char file, long line,`
		c0971b7	`}`
		c0971b7
		c0971b7	`errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,`
		c0971b7	`- struct certmap_info **certmap_list)`
		c0971b7	`+ struct sss_domain_info *domains)`
		c0971b7	`{`
		c0971b7	`int ret;`
		c0971b7	`struct sss_certmap_ctx *sss_certmap_ctx = NULL;`
		c0971b7	`size_t c;`
		c0971b7	`+ struct sss_domain_info *dom;`
		c0971b7	`+ bool certmap_found = false;`
		c0971b7	`+ struct certmap_info **certmap_list;`
		c0971b7
		c0971b7	`ret = sss_certmap_init(pctx, ext_debug, NULL, &sss_certmap_ctx);`
		c0971b7	`if (ret != EOK) {`
		c0971b7	`@@ -154,7 +157,15 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,`
		c0971b7	`goto done;`
		c0971b7	`}`
		c0971b7
		c0971b7	`- if (certmap_list == NULL \|\| *certmap_list == NULL) {`
		c0971b7	`+ DLIST_FOR_EACH(dom, domains) {`
		c0971b7	`+ certmap_list = dom->certmaps;`
		c0971b7	`+ if (certmap_list != NULL && *certmap_list != NULL) {`
		c0971b7	`+ certmap_found = true;`
		c0971b7	`+ break;`
		c0971b7	`+ }`
		c0971b7	`+ }`
		c0971b7	`+`
		c0971b7	`+ if (!certmap_found) {`
		c0971b7	`/* Try to add default matching rule */`
		c0971b7	`ret = sss_certmap_add_rule(sss_certmap_ctx, SSS_CERTMAP_MIN_PRIO,`
		c0971b7	`CERT_AUTH_DEFAULT_MATCHING_RULE, NULL, NULL);`
		c0971b7	`@@ -166,24 +177,32 @@ errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,`
		c0971b7	`goto done;`
		c0971b7	`}`
		c0971b7
		c0971b7	`- for (c = 0; certmap_list[c] != NULL; c++) {`
		c0971b7	`- DEBUG(SSSDBG_TRACE_ALL,`
		c0971b7	`- "Trying to add rule [%s][%d][%s][%s].\n",`
		c0971b7	`- certmap_list[c]->name, certmap_list[c]->priority,`
		c0971b7	`- certmap_list[c]->match_rule, certmap_list[c]->map_rule);`
		c0971b7	`-`
		c0971b7	`- ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority,`
		c0971b7	`- certmap_list[c]->match_rule,`
		c0971b7	`- certmap_list[c]->map_rule,`
		c0971b7	`- certmap_list[c]->domains);`
		c0971b7	`- if (ret != 0) {`
		c0971b7	`- DEBUG(SSSDBG_CRIT_FAILURE,`
		c0971b7	`- "sss_certmap_add_rule failed for rule [%s] "`
		c0971b7	`- "with error [%d][%s], skipping. "`
		c0971b7	`- "Please check for typos and if rule syntax is supported.\n",`
		c0971b7	`- certmap_list[c]->name, ret, sss_strerror(ret));`
		c0971b7	`+ DLIST_FOR_EACH(dom, domains) {`
		c0971b7	`+ certmap_list = dom->certmaps;`
		c0971b7	`+ if (certmap_list == NULL \|\| *certmap_list == NULL) {`
		c0971b7	`continue;`
		c0971b7	`}`
		c0971b7	`+`
		c0971b7	`+ for (c = 0; certmap_list[c] != NULL; c++) {`
		c0971b7	`+ DEBUG(SSSDBG_TRACE_ALL,`
		c0971b7	`+ "Trying to add rule [%s][%d][%s][%s].\n",`
		c0971b7	`+ certmap_list[c]->name, certmap_list[c]->priority,`
		c0971b7	`+ certmap_list[c]->match_rule, certmap_list[c]->map_rule);`
		c0971b7	`+`
		c0971b7	`+ ret = sss_certmap_add_rule(sss_certmap_ctx,`
		c0971b7	`+ certmap_list[c]->priority,`
		c0971b7	`+ certmap_list[c]->match_rule,`
		c0971b7	`+ certmap_list[c]->map_rule,`
		c0971b7	`+ certmap_list[c]->domains);`
		c0971b7	`+ if (ret != 0) {`
		c0971b7	`+ DEBUG(SSSDBG_CRIT_FAILURE,`
		c0971b7	`+ "sss_certmap_add_rule failed for rule [%s] "`
		c0971b7	`+ "with error [%d][%s], skipping. "`
		c0971b7	`+ "Please check for typos and if rule syntax is supported.\n",`
		c0971b7	`+ certmap_list[c]->name, ret, sss_strerror(ret));`
		c0971b7	`+ continue;`
		c0971b7	`+ }`
		c0971b7	`+ }`
		c0971b7	`}`
		c0971b7
		c0971b7	`ret = EOK;`
		c0971b7	`@@ -204,19 +223,21 @@ errno_t p11_child_init(struct pam_ctx *pctx)`
		c0971b7	`int ret;`
		c0971b7	`struct certmap_info **certmaps;`
		c0971b7	`bool user_name_hint;`
		c0971b7	`- struct sss_domain_info *dom = pctx->rctx->domains;`
		c0971b7	`+ struct sss_domain_info *dom;`
		c0971b7
		c0971b7	`- ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);`
		c0971b7	`- if (ret != EOK) {`
		c0971b7	`- DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");`
		c0971b7	`- return ret;`
		c0971b7	`- }`
		c0971b7	`+ DLIST_FOR_EACH(dom, pctx->rctx->domains) {`
		c0971b7	`+ ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);`
		c0971b7	`+ if (ret != EOK) {`
		c0971b7	`+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n");`
		c0971b7	`+ return ret;`
		c0971b7	`+ }`
		c0971b7
		c0971b7	`- dom->user_name_hint = user_name_hint;`
		c0971b7	`- talloc_free(dom->certmaps);`
		c0971b7	`- dom->certmaps = certmaps;`
		c0971b7	`+ dom->user_name_hint = user_name_hint;`
		c0971b7	`+ talloc_free(dom->certmaps);`
		c0971b7	`+ dom->certmaps = certmaps;`
		c0971b7	`+ }`
		c0971b7
		c0971b7	`- ret = p11_refresh_certmap_ctx(pctx, dom->certmaps);`
		c0971b7	`+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains);`
		c0971b7	`if (ret != EOK) {`
		c0971b7	`DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n");`
		c0971b7	`return ret;`
		c0971b7	`--`
		c0971b7	`2.9.5`
		c0971b7

sinnykumari / rpms / sssd

Source Code

Blame 0025-PAM-add-certificate-matching-rules-from-all-domains.patch