[SSSD] [sssd PR#5636][comment] Improve assertion when verifying paths for Python modules

2021-05-18 Thread sergiodj
  URL: https://github.com/SSSD/sssd/pull/5636
Title: #5636: Improve assertion when verifying paths for Python modules

sergiodj commented:
"""
Fair enough, thank you!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5636#issuecomment-843646012
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[SSSD] [sssd PR#5636][comment] Improve assertion when verifying paths for Python modules

2021-05-18 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5636
Title: #5636: Improve assertion when verifying paths for Python modules

elkoniu commented:
"""
Thank you for this Python investigation :) So far this PR LGTM, but I would like 
a second pair of eyes to take a look at it too. In the morning I will try to 
ping some Python specialist from the team for final ACK.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5636#issuecomment-843641286


[SSSD] [sssd PR#5636][comment] Improve assertion when verifying paths for Python modules

2021-05-18 Thread sergiodj
  URL: https://github.com/SSSD/sssd/pull/5636
Title: #5636: Improve assertion when verifying paths for Python modules

sergiodj commented:
"""
Heh, I had written a whole wall of text replying to your last comment, but then 
I investigated a bit more and ended up finding what's happening.  In a nutshell:

* Ubuntu Impish (the development version) is using Python 3.9.5.
* Debian sid is using Python 3.9.2.

When I looked at the Python 3.9.5 changelog, I found this bug:

https://bugs.python.org/issue43105

And voilà: everything makes sense.  Python 3.9.5+ resolves relative paths in 
imported modules, which breaks the current test because, unless `SSS_TEST_DIR` 
is set (which it is not), the path will always be relative.  IMHO, and if I 
understand the purpose of the test, this means that the proposed change is 
actually the correct way to address this problem.

For what it's worth, and because I had written so much before:

* I don't think there is a way to determine the "chroot" part from 
`module.__file__`, because from what I gathered the path change happens even 
when you're building sssd outside of a chroot (inside a VM, a container or even 
natively, for example).  Moreover, it's not really possible to determine that 
we're inside a chroot just by looking at this path.  For example, for `sbuild` 
the `<>` part is actually something like 
`build/sssd-GhFpxp/sssd-2.4.1`, which is a regular path like any other.

Thanks!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5636#issuecomment-843637837
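
The comparison discussed in this comment, rebuilt in a scratch directory as an added example (not SSSD's test code). The directory names, `run_demo`, and the way the "reported" path is constructed are assumptions modelled on the failure log in the PR description; the example also goes one step further and shows what `realpath()` stops distinguishing compared with `abspath()`.

```python
import os
import tempfile


def same_literal(a, b):
    # What the original assertEqual() did: plain string comparison.
    return a == b


def same_abspath(a, b):
    # Makes both paths absolute and drops "./", but keeps symlinks as they are.
    return os.path.abspath(a) == os.path.abspath(b)


def same_realpath(a, b):
    # Also follows every symlink, so both sides end at the final target file.
    return os.path.realpath(a) == os.path.realpath(b)


def run_demo():
    """Return the outcome of each comparison for a constructed build tree."""
    results = {}
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        build = os.path.realpath(tmp)
        os.chdir(build)
        try:
            # Stand-in for the built extension (constructed, empty file).
            os.mkdir(".libs")
            target = os.path.join(build, ".libs", "_py3hbac.so")
            open(target, "wb").close()

            # MODPATH is relative when SSS_TEST_DIR is unset.
            modpath = "./tp_pyhbac_demo"
            os.mkdir(modpath)
            expected = modpath + "/pyhbac.so"
            os.symlink(target, expected)

            # Constructed to mirror the log: cwd + "/" + the relative path.
            reported = build + "/" + expected

            # A second symlink to the same target, outside MODPATH.
            os.mkdir("other")
            other_link = "other/pyhbac.so"
            os.symlink(target, other_link)

            # An unrelated file with the same name (e.g. a system copy).
            os.mkdir("system")
            foreign = "system/pyhbac.so"
            open(foreign, "wb").close()

            results["literal"] = same_literal(reported, expected)
            results["abspath"] = same_abspath(reported, expected)
            results["realpath"] = same_realpath(reported, expected)
            results["resolved_target"] = os.path.relpath(
                os.path.realpath(reported), build)
            results["other_link_abspath"] = same_abspath(other_link, expected)
            results["other_link_realpath"] = same_realpath(other_link, expected)
            results["foreign_realpath"] = same_realpath(foreign, expected)
        finally:
            os.chdir(old_cwd)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:22} {value}")
```

With `realpath()` the assertion still rejects an unrelated `pyhbac.so`, but it accepts any symlink that ends at the same built file, so it verifies which file was loaded rather than which path it was loaded through.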


[SSSD] [sssd PR#5552][comment] files: split update into batches

2021-05-18 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5552
Title: #5552: files: split update into batches

elkoniu commented:
"""
@sumit-bose Maybe temporarily we should convert this PR to [WIP] state?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5552#issuecomment-843631952


[SSSD] [sssd PR#5636][comment] Improve assertion when verifying paths for Python modules

2021-05-18 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5636
Title: #5636: Improve assertion when verifying paths for Python modules

elkoniu commented:
"""
If I understand these test cases correctly, the steps are (based on the `pyhbac` 
use case):
1) Create temporary `MODPATH` subdirectory under `TEST_DIR`
2) Depending on python version make symbolic link to correct `pyhbac.so` 
version in the `MODPATH` directory
3) Import `pyhbac`
4) Confirm that imported `pyhbac` module path is the same as created 
`pyhbac.so` symlink path.

What `chroot` breaks is injection of prefix `/<>/build/` into 
loaded module path.
By using `realpath()` you are forcing following symbolic links for both: chroot 
path and the link we created in step (2).
I think functionally it is correct. What I am wondering is if we should detect 
and treat the chroot environment specially here.
For example, instead of calling `realpath()`, subtract the "chroot" piece from 
`module.__file__`.

Can you check if any module loaded into chroot environment will have this 
chroot-specific prefix added to `module.__file__`? Maybe this should be 
addressed in Python directly.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5636#issuecomment-843620673


[SSSD] [sssd PR#5636][comment] Improve assertion when verifying paths for Python modules

2021-05-18 Thread sergiodj
  URL: https://github.com/SSSD/sssd/pull/5636
Title: #5636: Improve assertion when verifying paths for Python modules

sergiodj commented:
"""
Thanks for the reply, @elkoniu.

Here's how the paths are evaluated:

```
realpath(pyhbac.__file__) = /tmp/sssd/build/.libs/_py3hbac.so
realpath(MODPATH + /pyhbac.so) = /tmp/sssd/build/.libs/_py3hbac.so
```

You can also check that, without the patch, the paths are evaluated as:

```
'/<>/build/./tp_pyhbac_xw2omut2/pyhbac.so'
'./tp_pyhbac_xw2omut2/pyhbac.so'
```

Where `<>` is just a mnemonic for some temporary path that 
`sbuild` uses.  They are the same path, but the second one is relative.

Thanks.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5636#issuecomment-843595627


[SSSD] [sssd PR#5636][comment] Improve assertion when verifying paths for Python modules

2021-05-18 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5636
Title: #5636: Improve assertion when verifying paths for Python modules

elkoniu commented:
"""
Thank you for this PR. If there is a chance, can you run the test again and show 
how `os.path.realpath(pyhbac.__file__)` and `os.path.realpath(MODPATH + 
"/pyhbac.so")` are evaluated in your chroot environment? A simple `print` will be 
good enough.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5636#issuecomment-843584540


[SSSD] [sssd PR#5639][+Tests] TEST: Fixes after running new tests downstream

2021-05-18 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5639
Title: #5639: TEST: Fixes after running new tests downstream

Label: +Tests


[SSSD] [sssd PR#5613][+Accepted] ipa: read auto_private_groups from id range if available

2021-05-18 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5613
Title: #5613: ipa: read auto_private_groups from id range if available

Label: +Accepted


[SSSD] [sssd PR#5613][comment] ipa: read auto_private_groups from id range if available

2021-05-18 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5613
Title: #5613: ipa: read auto_private_groups from id range if available

sumit-bose commented:
"""
> 
> > Finally, not strictly related to your patches, I think the `hybrid` mode 
> > makes no sense for auto-generated IDs (`--range-type=ipa-ad-trust`), it 
> > should give the same results as `false` mode. So it might be worth it not 
> > to allow setting it in this case at all in the ipa tools. What do you think?
> 
> Did you mean same results as `true` mode? It makes sense to disable this 
> option there.
> 

Sorry, yes, I meant `true`. I tested the patch with various id-overrides and 
didn't find any oddness which isn't present in the original code as well, so 
ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5613#issuecomment-843306232


[SSSD] [sssd PR#5613][-Waiting for review] ipa: read auto_private_groups from id range if available

2021-05-18 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5613
Title: #5613: ipa: read auto_private_groups from id range if available

Label: -Waiting for review


[SSSD] [sssd PR#5636][edited] Improve assertion when verifying paths for Python modules

2021-05-18 Thread sergiodj
   URL: https://github.com/SSSD/sssd/pull/5636
Author: sergiodj
 Title: #5636: Improve assertion when verifying paths for Python modules
Action: edited

 Changed field: body
Original value:
"""
In Ubuntu we're facing a problem where the 3 Python tests under
src/tests/*-test.py are failing due to cosmetic differences between
what the '.__file__' method returns and what 'MODPATH' ends up being.

I have not been able to pinpoint exactly what is causing this issue;
it only happens when SSSD is built inside a chroot environment (with
sbuild, for example).  The logs look like this:

```python
F
==
FAIL: testImport (__main__.PyHbacImport)
Import the module and assert it comes from tree
--
Traceback (most recent call last):
  File "/<>/src/tests/pyhbac-test.py", line 91, in testImport
self.assertEqual(pyhbac.__file__, MODPATH + "/pyhbac.so")
AssertionError: '/<>/build/./tp_pyhbac_xw2omut2/pyhbac.so' != 
'./tp_pyhbac_xw2omut2/pyhbac.so'
- /<>/build/./tp_pyhbac_xw2omut2/pyhbac.so
+ ./tp_pyhbac_xw2omut2/pyhbac.so
```

Given that the intention of the test is to verify that the two paths
are equal, I suggest that we do this slight improvement and call
'os.path.realpath' before comparing both paths.  This way we guarantee
that they're both properly canonicalized.

I have verified that the tests still pass with this change.
"""



[SSSD] [sssd PR#5641][comment] UTIL/SECRETS: mistype fix

2021-05-18 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5641
Title: #5641: UTIL/SECRETS: mistype fix

justin-stephenson commented:
"""
Ack, thank you.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5641#issuecomment-843131647


[SSSD] [sssd PR#5641][-Waiting for review] UTIL/SECRETS: mistype fix

2021-05-18 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5641
Title: #5641: UTIL/SECRETS: mistype fix

Label: -Waiting for review


[SSSD] [sssd PR#5641][+Accepted] UTIL/SECRETS: mistype fix

2021-05-18 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5641
Title: #5641: UTIL/SECRETS: mistype fix

Label: +Accepted


[SSSD] [sssd PR#5640][edited] Test test_ipa_missing_secondary_ipa_posix_groups

2021-05-18 Thread jakub-vavra-cz
   URL: https://github.com/SSSD/sssd/pull/5640
Author: jakub-vavra-cz
 Title: #5640: Test test_ipa_missing_secondary_ipa_posix_groups
Action: edited

 Changed field: body
Original value:
"""

"""



[SSSD] [sssd PR#5640][synchronized] Test test_ipa_missing_secondary_ipa_posix_groups

2021-05-18 Thread jakub-vavra-cz
   URL: https://github.com/SSSD/sssd/pull/5640
Author: jakub-vavra-cz
 Title: #5640: Test test_ipa_missing_secondary_ipa_posix_groups
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5640/head:pr5640
git checkout pr5640
From 7297618da2414f469d1271c69208914f1d544cbd Mon Sep 17 00:00:00 2001
From: Jakub Vavra 
Date: Tue, 11 May 2021 13:45:37 +0200
Subject: [PATCH] Add test_ipa_missing_secondary_ipa_posix_groups

---
 src/tests/multihost/ipa/test_adtrust.py | 121 
 1 file changed, 121 insertions(+)

diff --git a/src/tests/multihost/ipa/test_adtrust.py b/src/tests/multihost/ipa/test_adtrust.py
index c56c79af1b..8b4a010d82 100644
--- a/src/tests/multihost/ipa/test_adtrust.py
+++ b/src/tests/multihost/ipa/test_adtrust.py
@@ -7,6 +7,7 @@
 """
 
 import pytest
+import re
 import time
 from sssd.testlib.common.utils import sssdTools
 from sssd.testlib.common.exceptions import SSSDException
@@ -115,3 +116,123 @@ def test_honour_idoverride(self, multihost, create_aduser_group):
 multihost.master[0].run_command(delete_id_view)
 ipa_client.clear_sssd_cache()
 assert count == 0
+
+def test_ipa_missing_secondary_ipa_posix_groups(self, multihost,
+create_aduser_group):
+"""
+:title: IPA missing secondary IPA Posix groups in latest sssd
+:id: bbb82516-4127-4053-9b06-9104ac889819
+:setup:
+ 1. Configure trust between IPA server and AD.
+ 2. Configure client machine with SSSD integrated to IPA.
+ 3. domain-resolution-order set so the AD domains are checked first
+ 4. Create external group that is member of a posix group
+ 5. Create user that is a member of the external group
+:steps:
+ 0. Clean sssd cache
+ 1. Check that external group is member of posix group.
+ 2. Using id check that user is member of posix group.
+:expectedresults:
+ 0. Cache is cleared
+ 1. The external group is member of posix group.
+ 2. The posix group gid is present in id output .
+:teardown:
+ Remove the created user, groups and revert resolution order.
+:customerscenario: True
+:bugzilla:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1945552
+ https://bugzilla.redhat.com/show_bug.cgi?id=1937919
+ https://bugzilla.redhat.com/show_bug.cgi?id=1945654
+"""
+ad_domain = multihost.ad[0].domainname
+ipaserver = sssdTools(multihost.master[0])
+ipa_domain = ipaserver.get_domain_section_name()
+(username, _) = create_aduser_group
+posix_group = "posix_group_01"
+ext_group = "ext_group_01"
+# SETUP
+# Set the domain resolution order to AD first
+resorder_cmd = f'ipa config-mod --domain-resolution-order=' \
+   f'{ad_domain}:{ipa_domain}'
+multihost.master[0].run_command(resorder_cmd, raiseonerr=False)
+
+# Create posix group
+pgroup_cmd = f'ipa group-add {posix_group}'
+multihost.master[0].run_command(pgroup_cmd, raiseonerr=False)
+
+# Create and external group
+ext_group_cmd = f'ipa group-add --external {ext_group}'
+multihost.master[0].run_command(ext_group_cmd, raiseonerr=False)
+
+# Set membership of external group in posix group
+member_cmd = f'ipa -n group-add-member {posix_group} --groups=' \
+ f'{ext_group}'
+multihost.master[0].run_command(member_cmd, raiseonerr=False)
+
+# Set AD user membership in external group
+usr_mbr_cmd = f"ipa -n group-add-member {ext_group} --external" \
+  f" '{username}@{ad_domain}'"
+multihost.master[0].run_command(usr_mbr_cmd, raiseonerr=False)
+
+# TEST
+# Get posix group id
+grp_show_cmd = f"ipa group-show {posix_group}"
+cmd = multihost.master[0].run_command(grp_show_cmd, raiseonerr=False)
+gid_regex = re.compile(r"GID: (\d+)")
+posix_group_id = gid_regex.search(cmd.stdout_text).group(1)
+
+# Check that external group is member of posix group
+grp_show_cmd = f"ipa group-show {ext_group}"
+cmd = multihost.master[0].run_command(grp_show_cmd, raiseonerr=False)
+assert posix_group in cmd.stdout_text, \
+"The external group is not a member of posix group!"
+
+# A bit of wait so the user is propagated
+time.sleep(60)
+
+# The reproduction rate is not 100%, I had reliably 2+
+# fails in 5 rounds.
+for _ in range(5):
+# Clean caches on SSSD so we don't have to wait for cache timeouts
+# The reproduction works better on sssd on ipa master
+sssd_client = sssdTools(multihost.master[0])
+sssd_client.clear_sssd_cache()
+
+# Search the 
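
Review bot: `gid_regex.search(cmd.stdout_text).group(1)` in the TEST section dereferences the match unchecked, and because every `run_command` before it, including the `ipa group-show` it parses, passes `raiseonerr=False`, a failed setup step surfaces as an `AttributeError` on `None` instead of pointing at the command that failed. Suggest dropping `raiseonerr=False` (or asserting on the command result) for the setup commands the test depends on, and asserting that the regex matched before calling `.group(1)`.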

[SSSD] [sssd PR#5641][+Waiting for review] UTIL/SECRETS: mistype fix

2021-05-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5641
Title: #5641: UTIL/SECRETS: mistype fix

Label: +Waiting for review


[SSSD] [sssd PR#5641][opened] UTIL/SECRETS: mistype fix

2021-05-18 Thread alexey-tikhonov
   URL: https://github.com/SSSD/sssd/pull/5641
Author: alexey-tikhonov
 Title: #5641: UTIL/SECRETS: mistype fix
Action: opened

PR body:
"""
Wrong variable was tested after mem allocation.

Also fixes following covscan issues:
```
Error: DEADCODE (CWE-561):
sssd-2.5.0/src/util/secrets/secrets.c:1004: cond_notnull: Condition "uuid_list 
== NULL", taking false branch. Now the value of "uuid_list" is not "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: notnull: At condition "uuid_list == 
NULL", the value of "uuid_list" cannot be "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: dead_error_condition: The condition 
"uuid_list == NULL" cannot be true.
sssd-2.5.0/src/util/secrets/secrets.c:1011: dead_error_begin: Execution cannot 
reach this statement: "ret = 12;".
 # 1009|uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
 # 1010|   if (uuid_list == NULL) {
 # 1011|-> ret = ENOMEM;
 # 1012|   goto done;
 # 1013|   }
```
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5641/head:pr5641
git checkout pr5641
From c1d08c30711ab12352af6278c2c92cd3f387204e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov 
Date: Tue, 18 May 2021 12:04:01 +0200
Subject: [PATCH] UTIL/SECRETS: mistype fix

Wrong variable was tested after mem allocation.

Also fixes following covscan issues:
```
Error: DEADCODE (CWE-561):
sssd-2.5.0/src/util/secrets/secrets.c:1004: cond_notnull: Condition "uuid_list == NULL", taking false branch. Now the value of "uuid_list" is not "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: notnull: At condition "uuid_list == NULL", the value of "uuid_list" cannot be "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: dead_error_condition: The condition "uuid_list == NULL" cannot be true.
sssd-2.5.0/src/util/secrets/secrets.c:1011: dead_error_begin: Execution cannot reach this statement: "ret = 12;".
 # 1009|   	uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
 # 1010|   if (uuid_list == NULL) {
 # 1011|-> ret = ENOMEM;
 # 1012|   goto done;
 # 1013|   }
```
---
 src/util/secrets/secrets.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
index 42df14aa9c..34eed87baf 100644
--- a/src/util/secrets/secrets.c
+++ b/src/util/secrets/secrets.c
@@ -1000,14 +1000,14 @@ errno_t sss_sec_list_cc_uuids(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
-	uuid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
+uuid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
 if (uuid_list == NULL) {
 ret = ENOMEM;
 goto done;
 }
 
-	uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
-if (uuid_list == NULL) {
+uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
+if (uid_list == NULL) {
 ret = ENOMEM;
 goto done;
 }
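
Review bot: both `talloc_zero_array` lines in this hunk also change leading whitespace (tab to spaces), and on the `uuid_list` line that is the only change, yet the commit message describes just the mistyped check; mention the whitespace cleanup in the message or split it out, so that `if (uid_list == NULL)` is the one functional change a later reader has to evaluate. The fix itself matches the covscan report quoted in the commit message: before it, a failed `uid_list` allocation went undetected because the check re-tested `uuid_list`.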


[SSSD] [sssd PR#5640][+Tests] Test test_ipa_missing_secondary_ipa_posix_groups

2021-05-18 Thread jakub-vavra-cz
  URL: https://github.com/SSSD/sssd/pull/5640
Title: #5640: Test test_ipa_missing_secondary_ipa_posix_groups

Label: +Tests


[SSSD] [sssd PR#5640][+Waiting for review] Test test_ipa_missing_secondary_ipa_posix_groups

2021-05-18 Thread jakub-vavra-cz
  URL: https://github.com/SSSD/sssd/pull/5640
Title: #5640: Test test_ipa_missing_secondary_ipa_posix_groups

Label: +Waiting for review


[SSSD] [sssd PR#5640][opened] Test test_ipa_missing_secondary_ipa_posix_groups

2021-05-18 Thread jakub-vavra-cz
   URL: https://github.com/SSSD/sssd/pull/5640
Author: jakub-vavra-cz
 Title: #5640: Test test_ipa_missing_secondary_ipa_posix_groups
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5640/head:pr5640
git checkout pr5640
From 63324cc2e09002407158e23fbf3ad90311612290 Mon Sep 17 00:00:00 2001
From: Jakub Vavra 
Date: Tue, 11 May 2021 13:45:37 +0200
Subject: [PATCH] Add test_ipa_missing_secondary_ipa_posix_groups

---
 src/tests/multihost/ipa/test_adtrust.py | 120 
 1 file changed, 120 insertions(+)

diff --git a/src/tests/multihost/ipa/test_adtrust.py b/src/tests/multihost/ipa/test_adtrust.py
index c56c79af1b..4c55df2723 100644
--- a/src/tests/multihost/ipa/test_adtrust.py
+++ b/src/tests/multihost/ipa/test_adtrust.py
@@ -7,6 +7,7 @@
 """
 
 import pytest
+import re
 import time
 from sssd.testlib.common.utils import sssdTools
 from sssd.testlib.common.exceptions import SSSDException
@@ -115,3 +116,122 @@ def test_honour_idoverride(self, multihost, create_aduser_group):
 multihost.master[0].run_command(delete_id_view)
 ipa_client.clear_sssd_cache()
 assert count == 0
+
+def test_ipa_missing_secondary_ipa_posix_groups(self, multihost,
+create_aduser_group):
+"""
+:title: IPA missing secondary IPA Posix groups in latest sssd
+:id: bbb82516-4127-4053-9b06-9104ac889819
+:setup:
+ 1. Configure trust between IPA server and AD.
+ 2. Configure client machine with SSSD integrated to IPA.
+ 3. domain-resolution-order set so the AD domains are checked first
+ 4. Create external group that is member of a posix group
+ 5. Create user that is a member of the external group
+:steps:
+ 0. Clean sssd cache
+ 1. Check that external group is member of posix group.
+ 2. Using id check that user is member of posix group.
+:expectedresults:
+ 0. Cache is cleared
+ 1. The external group is member of posix group.
+ 2. The posix group gid is present in id output .
+:teardown:
+ Remove the created user, groups and revert resolution order.
+:bugzilla:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1945552
+ https://bugzilla.redhat.com/show_bug.cgi?id=1937919
+ https://bugzilla.redhat.com/show_bug.cgi?id=1945654
+"""
+ad_domain = multihost.ad[0].domainname
+ipaserver = sssdTools(multihost.master[0])
+ipa_domain = ipaserver.get_domain_section_name()
+(username, _) = create_aduser_group
+posix_group = "posix_group_01"
+ext_group = "ext_group_01"
+# SETUP
+# Set the domain resolution order to AD first
+resorder_cmd = f'ipa config-mod --domain-resolution-order=' \
+   f'{ad_domain}:{ipa_domain}'
+multihost.master[0].run_command(resorder_cmd, raiseonerr=False)
+
+# Create posix group
+pgroup_cmd = f'ipa group-add {posix_group}'
+multihost.master[0].run_command(pgroup_cmd, raiseonerr=False)
+
+# Create and external group
+ext_group_cmd = f'ipa group-add --external {ext_group}'
+multihost.master[0].run_command(ext_group_cmd, raiseonerr=False)
+
+# Set membership of external group in posix group
+member_cmd = f'ipa -n group-add-member {posix_group} --groups=' \
+ f'{ext_group}'
+multihost.master[0].run_command(member_cmd, raiseonerr=False)
+
+# Set AD user membership in external group
+usr_mbr_cmd = f"ipa -n group-add-member {ext_group} --external" \
+  f" '{username}@{ad_domain}'"
+multihost.master[0].run_command(usr_mbr_cmd, raiseonerr=False)
+
+# TEST
+# Get posix group id
+grp_show_cmd = f"ipa group-show {posix_group}"
+cmd = multihost.master[0].run_command(grp_show_cmd, raiseonerr=False)
+gid_regex = re.compile(r"GID: (\d+)")
+posix_group_id = gid_regex.search(cmd.stdout_text).group(1)
+
+# Check that external group is member of posix group
+grp_show_cmd = f"ipa group-show {ext_group}"
+cmd = multihost.master[0].run_command(grp_show_cmd, raiseonerr=False)
+assert posix_group in cmd.stdout_text, \
+"The external group is not a member of posix group!"
+
+# A bit of wait so the user is propagated
+time.sleep(60)
+
+# The repoduction rate is not 100%, I had reliably 2+ fails in 5 rounds.
+for _ in range(5):
+# Clean caches on SSSD so we don't have to wait for cache timeouts
+# The reproduction works better on sssd on ipa master
+sssd_client = sssdTools(multihost.master[0])
+sssd_client.clear_sssd_cache()
+
+# Search the posix group
+
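
Review bot: the fixed `time.sleep(60)` before the loop adds a minute to every run and still only guesses at propagation time; polling for the user with a bounded timeout would be faster and less flaky. The comment above `for _ in range(5):` has a typo ("repoduction"), and since `posix_group_01` and `ext_group_01` are hard-coded while `ipa group-add` runs with `raiseonerr=False`, groups left over from an earlier aborted run are silently reused; cleaning up first or using unique names would avoid that.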

[SSSD] [sssd PR#5639][opened] TEST: Fixes after running new tests downstream

2021-05-18 Thread sgoveas
   URL: https://github.com/SSSD/sssd/pull/5639
Author: sgoveas
 Title: #5639: TEST: Fixes after running new tests downstream
Action: opened

PR body:
"""
tests have been synced downstream. Some tests were failing or needed
docstring updates for new polarion format
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5639/head:pr5639
git checkout pr5639
From efbe18e2352b710ef838042ee7c214273c05eaa8 Mon Sep 17 00:00:00 2001
From: Steeve Goveas 
Date: Tue, 18 May 2021 16:14:20 +0530
Subject: [PATCH] TEST: Fixes after running new tests downstream

tests have been synced downstream. Some tests were failing or needed
docstring updates for new polarion format
---
 src/tests/multihost/ad/test_sudo.py   |  1 -
 .../multihost/alltests/test_automount.py  | 21 +--
 src/tests/multihost/alltests/test_sudo.py |  4 ++--
 src/tests/multihost/ipa/test_misc.py  |  3 ++-
 4 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/src/tests/multihost/ad/test_sudo.py b/src/tests/multihost/ad/test_sudo.py
index f61bd4a675..26125dbc77 100644
--- a/src/tests/multihost/ad/test_sudo.py
+++ b/src/tests/multihost/ad/test_sudo.py
@@ -89,7 +89,6 @@ def test_002_bz1372440(self, multihost):
   2. Add users to the group.
   3. Verify sudo_idmuser1 can fetch the sudo rule
   4. Run the required command as sudo
-
 :expectedresults:
   1. Should succeed
   2. Should succeed
diff --git a/src/tests/multihost/alltests/test_automount.py b/src/tests/multihost/alltests/test_automount.py
index df6b75b89a..4607f14863 100644
--- a/src/tests/multihost/alltests/test_automount.py
+++ b/src/tests/multihost/alltests/test_automount.py
@@ -455,6 +455,7 @@ def test_008_wildcardsearch(self, multihost, indirect_nismaps,
 del_pcap = 'rm -f %s' % auto_pcapfile
 multihost.client[0].run_command(del_pcap)
 
+@pytest.mark.parametrize('add_nisobject', ['/export'], indirect=True)
 @pytest.mark.tier2
 def test_009_maps_after_coming_online(self, multihost, add_nisobject):
 """
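Review bot: the new `@pytest.mark.parametrize('add_nisobject', ['/export'], indirect=True)` on test_009_maps_after_coming_online is a functional change, but the commit message only mentions failing tests and docstring updates. State in the message why add_nisobject needs '/export' passed in, so the decorator is not dropped in a later cleanup. The '/export' literal also has to stay in step with the `/export/nfs-test` path the test body touches; a shared constant would make that dependency explicit.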
@@ -462,19 +463,15 @@ def test_009_maps_after_coming_online(self, multihost, add_nisobject):
 :id: b9da6e0e-3d8b-4465-b435-338708d0d51e
 :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1113639
 :customerscenario: True
-
-:setup:
+:steps:
   1. edit sssd.conf and specify autofs_provider = ad
   2. restart autofs
-
-:steps:
-  1. firewalld block 389 and 636
-  2. stop sssd, autofs.
-  3. remove sssd cache
-  4. Start sssd
-  5. remove firewall rule
-  6. start autofs
-
+  3. firewalld block 389 and 636
+  4. stop sssd, autofs.
+  5. remove sssd cache
+  6. Start sssd
+  7. remove firewall rule
+  8. start autofs
 :expectedresults:
   1. Should succeed
   2. Should succeed
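Review bot: the merged :steps: list keeps the old wording as-is, so it now mixes "edit sssd.conf ...", "stop sssd, autofs." and "Start sssd" in one numbered list. Since lines 3 to 8 are all rewritten for the renumbering anyway, normalize the capitalization and drop the stray trailing period. Folding the former :setup: items into steps 1 and 2 also means the docstring no longer separates preconditions from the actions under test; worth confirming that this is what the new format requires.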
@@ -482,6 +479,8 @@ def test_009_maps_after_coming_online(self, multihost, add_nisobject):
   4. Should succeed
   5. Should succeed
   6. Should succeed
+  7. Should succeed
+  8. Should succeed
 """
 multihost.master[0].run_command(['touch', '/export/nfs-test'])
 client = sssdTools(multihost.client[0])
diff --git a/src/tests/multihost/alltests/test_sudo.py b/src/tests/multihost/alltests/test_sudo.py
index aa1d1790f7..ac7400b505 100644
--- a/src/tests/multihost/alltests/test_sudo.py
+++ b/src/tests/multihost/alltests/test_sudo.py
@@ -33,7 +33,7 @@ def test_bz1294670(self, multihost, backupsssdconf, localusers):
 multihost.client[0].service_sssd('stop')
 tools = sssdTools(multihost.client[0])
 # remove sssd cache
-tools.remove_sss_cache('/var/lib/sss/db')
+tools.remove_sss_cache('/var/lib/sss/db/')
 tools = sssdTools(multihost.client[0])
 ldap_uri = 'ldap://%s' % multihost.master[0].sys_hostname
 sssd_params = {'services': 'nss, pam, sudo'}
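Review bot: the only change here is the trailing slash in `tools.remove_sss_cache('/var/lib/sss/db/')`, and nothing in the patch or the commit message says why the helper behaves differently without it. Add a short comment at the call or a line in the commit message. The context lines also show `tools = sssdTools(multihost.client[0])` assigned twice within a few lines of this call; the second assignment can go.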
@@ -87,7 +87,7 @@ def test_timed_sudoers_entry(self,
 # pylint: disable=unused-argument
 tools = sssdTools(multihost.client[0])
 multihost.client[0].service_sssd('stop')
-tools.remove_sss_cache('/var/lib/sss/db')
+tools.remove_sss_cache('/var/lib/sss/db/')
 sudo_base = 'ou=sudoers,dc=example,dc=test'
 sudo_uri = "ldap://%s; % multihost.master[0].sys_hostname
 params = {'ldap_sudo_search_base': sudo_base,
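Review bot: this is the second call site patched with the same '/var/lib/sss/db/' literal, which suggests the fix belongs in remove_sss_cache itself. If the helper builds its target by appending to the argument, normalize the directory there (for example with os.path.join) so callers cannot reintroduce the failure by omitting the slash.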
diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py
index cd22f55d6d..a15ac5f08a 100644
--- a/src/tests/multihost/ipa/test_misc.py
+++ b/src/tests/multihost/ipa/test_misc.py
@@ -85,8 +85,9 @@ def test_filter_groups(self, multihost, default_ipa_groups,
add_group_member, backupsssdconf):
 """
 :title:  filter_groups option partially filters the group from id
-

[SSSD] [sssd PR#5633][comment] Gentoo/openrc: Add sssd-kcm service script

2021-05-18 Thread joakim-tjernlund
  URL: https://github.com/SSSD/sssd/pull/5633
Title: #5633: Gentoo/openrc: Add sssd-kcm service script

joakim-tjernlund commented:
"""
> Not exclusively related to this PR, but rather a question in general: do we 
> really want to keep (and extend) any distribution specific stuff in upstream 
> repo? (Besides some stuff for Fedora that can be considered as examples.)

Since there are paths in these scripts that need to be changed I think it makes 
sense to have them here. Lots of other apps do have such scripts as well.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5633#issuecomment-843054506


[SSSD] [sssd PR#5633][comment] Gentoo/openrc: Add sssd-kcm service script

2021-05-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5633
Title: #5633: Gentoo/openrc: Add sssd-kcm service script

alexey-tikhonov commented:
"""
Not exclusively related to this PR, but rather a question in general: do we 
really want to keep (and extend) any distribution specific stuff in upstream 
repo? (Besides some stuff for Fedora that can be considered as examples.)


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5633#issuecomment-843020090


[SSSD] [sssd PR#5613][-Changes requested] ipa: read auto_private_groups from id range if available

2021-05-18 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5613
Title: #5613: ipa: read auto_private_groups from id range if available

Label: -Changes requested


[SSSD] [sssd PR#5633][comment] Gentoo/openrc: Add sssd-kcm service script

2021-05-18 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5633
Title: #5633: Gentoo/openrc: Add sssd-kcm service script

sumit-bose commented:
"""
Hi,

thank you for the patch. I haven't tested it on Gentoo but all changes are in 
agreement with the SSSD init script we already have for Gentoo and having a 
dedicated init script for KCM makes sense. So I'm fine with the patch.

I'm waiting to see if other developers would like to comment before setting the 
Accepted label.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5633#issuecomment-842935140