[SSSD] [sssd PR#5830][synchronized] Tests: Port the old ns_account_lock.sh script to pytest

2021-10-18 Thread aborah-sudo
   URL: https://github.com/SSSD/sssd/pull/5830
Author: aborah-sudo
 Title: #5830: Tests: Port the old ns_account_lock.sh script to pytest
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5830/head:pr5830
git checkout pr5830
From 374afd4e636b6576eba6f8dec727249c95229309 Mon Sep 17 00:00:00 2001
From: Anuj Borah 
Date: Tue, 19 Oct 2021 00:18:27 +0530
Subject: [PATCH] Tests: Port the old ns_account_lock.sh script to pytest

Port the old ns_account_lock.sh script to pytest
---
 src/tests/multihost/alltests/pytest.ini   |   1 +
 src/tests/multihost/alltests/readme.rst   |   1 +
 .../alltests/test_ns_account_lock.py  | 413 ++
 3 files changed, 415 insertions(+)
 create mode 100644 src/tests/multihost/alltests/test_ns_account_lock.py

diff --git a/src/tests/multihost/alltests/pytest.ini b/src/tests/multihost/alltests/pytest.ini
index 66519e8003..8702cf9b8d 100644
--- a/src/tests/multihost/alltests/pytest.ini
+++ b/src/tests/multihost/alltests/pytest.ini
@@ -11,6 +11,7 @@ markers =
 ldapextraattrs: Tests related to Ldap Extra attributes
 multidomain: Tests related to SSSD Multiple Domains
 netgroup: Tests related to netgroup
+nsaccountlock: Tests related to nsaccountlock
 offline: Tests related to ldap offline suite
 services: Tests related to SSSD sanity services
 sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/readme.rst b/src/tests/multihost/alltests/readme.rst
index dd750b358a..3fab51efe4 100644
--- a/src/tests/multihost/alltests/readme.rst
+++ b/src/tests/multihost/alltests/readme.rst
@@ -22,6 +22,7 @@ Following are the pytest markers used
 * ldapextraattrs: Tests related to Ldap Extra attributes
 * multidomain: Tests related to SSSD Multiple Domains
 * netgroup: Tests related to netgroup
+* nsaccountlock: Tests related to nsaccountlock
 * offline: Tests related to ldap offline suite
 * services: Tests related to SSSD sanity services
 * sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/test_ns_account_lock.py b/src/tests/multihost/alltests/test_ns_account_lock.py
new file mode 100644
index 00..09af5e1aec
--- /dev/null
+++ b/src/tests/multihost/alltests/test_ns_account_lock.py
@@ -0,0 +1,413 @@
+""" Automation of nsaccount lock
+
+:subsystemteam: sst_idm_sssd
+:upstream: yes
+"""
+
+from __future__ import print_function
+import re
+import pytest
+import threading
+import time
+import paramiko
+import subprocess
+from sssd.testlib.common.expect import pexpect_ssh
+from sssd.testlib.common.exceptions import SSHLoginException
+from sssd.testlib.common.utils import sssdTools, LdapOperations
+from sssd.testlib.common.utils import SSHClient
+import ldap
+
+
+def execute_cmd(multihost, command):
+""" Execute command on client """
+cmd = multihost.client[0].run_command(command)
+return cmd
+
+
+def lock_check(multihost, user):
+"Check if user is locked"
+assert f"Performing RHDS access check for user" \
+   f" [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS'
+  ' access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert "pam_sss(sshd:account): system info:" \
+   " [The user account is locked on the server]" \
+   in execute_cmd(multihost,
+  'grep "pam_sss(sshd:account): '
+  'system info" /var/log/secure*').stdout_text
+assert f"pam_sss(sshd:account):" \
+   f" Access denied for user" \
+   f" {user}@example1: 6 (Permission denied)"\
+   in execute_cmd(multihost, 'grep '
+ '"Access denied '
+ 'for user" '
+ '/var/log/secure*').stdout_text
+
+
+def unlock_check(multihost, user):
+"Check if user is unlocked"
+assert f"Performing RHDS access " \
+   f"check for user [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS '
+  'access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert f"{user}@example1" in \
+   execute_cmd(multihost,
+   'grep "is not locked." '
+   '/var/log/sssd/*').stdout_text
+
+
+def manage_user_roles(multihost, user, lock, type1):
+"Manage users and roles"
+master_e = multihost.master[0].ip
+assert f"Entry {user},ou=people," \
+   f"dc=example,dc=test is {lock}" in \
+   execute_cmd(multihost, f"dsidm "
+  f"ldap://{master_e}:389 -D"
+  f" 'cn=Directory Manager'"
+  f" -w Secret123 -b dc=example,"
+  f"dc=test {type1}"
+ 
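Review bot: the assertions in lock_check() and unlock_check() grep all of /var/log/sssd/* and /var/log/secure* and are satisfied by lines left over from an earlier scenario, and the second lock_check() assertion ("The user account is locked on the server") does not even include the user name, so a stale entry from a different user passes it. Truncate or rotate those logs in a fixture before each scenario, or anchor every grep on the user-specific line, so a leftover line cannot mask a regression.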

[SSSD] [sssd PR#5830][synchronized] Tests: Port the old ns_account_lock.sh script to pytest

2021-10-18 Thread aborah-sudo
   URL: https://github.com/SSSD/sssd/pull/5830
Author: aborah-sudo
 Title: #5830: Tests: Port the old ns_account_lock.sh script to pytest
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5830/head:pr5830
git checkout pr5830
From 0503df8bbc0586c8c729be4743f93ca69bec7c68 Mon Sep 17 00:00:00 2001
From: Anuj Borah 
Date: Tue, 19 Oct 2021 00:18:27 +0530
Subject: [PATCH] Tests: Port the old ns_account_lock.sh script to pytest

Port the old ns_account_lock.sh script to pytest
---
 src/tests/multihost/alltests/pytest.ini   |   1 +
 src/tests/multihost/alltests/readme.rst   |   1 +
 .../alltests/test_ns_account_lock.py  | 413 ++
 3 files changed, 415 insertions(+)
 create mode 100644 src/tests/multihost/alltests/test_ns_account_lock.py

diff --git a/src/tests/multihost/alltests/pytest.ini b/src/tests/multihost/alltests/pytest.ini
index 66519e8003..8702cf9b8d 100644
--- a/src/tests/multihost/alltests/pytest.ini
+++ b/src/tests/multihost/alltests/pytest.ini
@@ -11,6 +11,7 @@ markers =
 ldapextraattrs: Tests related to Ldap Extra attributes
 multidomain: Tests related to SSSD Multiple Domains
 netgroup: Tests related to netgroup
+nsaccountlock: Tests related to nsaccountlock
 offline: Tests related to ldap offline suite
 services: Tests related to SSSD sanity services
 sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/readme.rst b/src/tests/multihost/alltests/readme.rst
index dd750b358a..3fab51efe4 100644
--- a/src/tests/multihost/alltests/readme.rst
+++ b/src/tests/multihost/alltests/readme.rst
@@ -22,6 +22,7 @@ Following are the pytest markers used
 * ldapextraattrs: Tests related to Ldap Extra attributes
 * multidomain: Tests related to SSSD Multiple Domains
 * netgroup: Tests related to netgroup
+* nsaccountlock: Tests related to nsaccountlock
 * offline: Tests related to ldap offline suite
 * services: Tests related to SSSD sanity services
 * sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/test_ns_account_lock.py b/src/tests/multihost/alltests/test_ns_account_lock.py
new file mode 100644
index 00..9357d9f514
--- /dev/null
+++ b/src/tests/multihost/alltests/test_ns_account_lock.py
@@ -0,0 +1,413 @@
+""" Automation of nsaccount lock
+
+:subsystemteam: sst_idm_sssd
+:upstream: yes
+"""
+
+from __future__ import print_function
+import re
+import pytest
+import threading
+import time
+import paramiko
+import subprocess
+from sssd.testlib.common.expect import pexpect_ssh
+from sssd.testlib.common.exceptions import SSHLoginException
+from sssd.testlib.common.utils import sssdTools, LdapOperations
+from sssd.testlib.common.utils import SSHClient
+import ldap
+
+
+def execute_cmd(multihost, command):
+""" Execute command on client """
+cmd = multihost.client[0].run_command(command)
+return cmd
+
+
+def lock_check(multihost, user):
+"Check if user is locked"
+assert f"Performing RHDS access check for user" \
+   f" [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS'
+  ' access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert "pam_sss(sshd:account): system info:" \
+   " [The user account is locked on the server]" \
+   in execute_cmd(multihost,
+  'grep "pam_sss(sshd:account): '
+  'system info" /var/log/secure*').stdout_text
+assert f"pam_sss(sshd:account):" \
+   f" Access denied for user" \
+   f" {user}@example1: 6 (Permission denied)"\
+   in execute_cmd(multihost, 'grep '
+ '"Access denied '
+ 'for user" '
+ '/var/log/secure*').stdout_text
+
+
+def unlock_check(multihost, user):
+"Check if user is unlocked"
+assert f"Performing RHDS access " \
+   f"check for user [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS '
+  'access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert f"{user}@example1" in \
+   execute_cmd(multihost,
+   'grep "is not locked." '
+   '/var/log/sssd/*').stdout_text
+
+
+def manage_user_roles(multihost, user, lock, type1):
+"Manage users and roles"
+master_e = multihost.master[0].ip
+assert f"Entry {user},ou=people," \
+   f"dc=example,dc=test is {lock}" in \
+   execute_cmd(multihost, f"dsidm "
+  f"ldap://{master_e}:389 -D"
+  f" 'cn=Directory Manager'"
+  f" -w Secret123 -b dc=example,"
+  f"dc=test {type1}"
+ 
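Review bot: manage_user_roles() passes the Directory Manager password as `-w Secret123` on the dsidm command line, so it shows up in the process list and in any captured command log of the run; read it from the multihost fixture (or a password-file option) rather than a literal in the test source. `type1` is also interpolated unquoted into that shell command, so the docstring should state the accepted values.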

[SSSD] [sssd PR#5831][opened] Fixes a couple of compilations warnings

2021-10-18 Thread alexey-tikhonov
   URL: https://github.com/SSSD/sssd/pull/5831
Author: alexey-tikhonov
 Title: #5831: Fixes a couple of compilations warnings
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5831/head:pr5831
git checkout pr5831
From 48d4392fa3c55eed05cc864bf6e1cc870fa34fef Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov 
Date: Mon, 18 Oct 2021 22:25:31 +0200
Subject: [PATCH 1/2] GPO: fixed compilation warning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes following compilation warning:
```
../src/providers/ad/ad_gpo.c: In function ‘ad_gpo_access_send’:
../src/util/debug.h:138:5: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
  138 | sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
  | ^~~~
  139 |  level, \
  |  
  140 |  format, ##__VA_ARGS__); \
  |  ~~
../src/providers/ad/ad_gpo.c:1847:5: note: in expansion of macro ‘DEBUG’
 1847 | DEBUG(SSSDBG_TRACE_FUNC, "service %s maps to %s\n", service,
  | ^
```
---
 src/providers/ad/ad_gpo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 219f398491..f3452176af 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -250,7 +250,7 @@ struct gpo_map_option_entry gpo_map_option_entries[] = {
 {GPO_MAP_DENY, AD_GPO_MAP_DENY, gpo_map_deny_defaults, NULL, NULL},
 };
 
-const char* gpo_map_type_string(int gpo_map_type)
+static const char* gpo_map_type_string(int gpo_map_type)
 {
 switch(gpo_map_type) {
 case GPO_MAP_INTERACTIVE:return "Interactive";
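Review bot: making gpo_map_type_string() static is right only if nothing outside ad_gpo.c uses it, and the hunk does not show whether a prototype exists in a header; if one does, drop it in the same commit, otherwise the compiler rejects the static definition as following a non-static declaration.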
@@ -261,7 +261,7 @@ const char* gpo_map_type_string(int gpo_map_type)
 case GPO_MAP_PERMIT: return "Permitted";
 case GPO_MAP_DENY:   return "Denied";
 }
-return NULL;
+return "-unknown-";  /* this helper is only used in logs */
 }
 
 static inline bool
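Review bot: returning "-unknown-" keeps the DEBUG format argument non-NULL, which is what -Wformat-overflow complained about, but reaching this line still means an unexpected gpo_map_type; a `default:` case that logs the numeric value would say which map type was unmapped instead of a fixed placeholder.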

From cd78f562fd639d92628fa6646a720574722d3c9c Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov 
Date: Mon, 18 Oct 2021 22:35:13 +0200
Subject: [PATCH 2/2] KCM: fixed uninitialized value

Fixes following warnings:
```
Error: UNINIT (CWE-457):
sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:285: var_decl: Declaring variable "ret" without initializer.
sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:323: uninit_use: Using uninitialized value "ret".
 #  321|   krb5_free_context(kctx);
 #  322|
 #  323|-> return ret;
 #  324|   #else
 #  325|   return EOK;

Error: CLANG_WARNING:
sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:323:5: warning[core.uninitialized.UndefReturn]: Undefined or garbage value returned to caller
 #  321|   krb5_free_context(kctx);
 #  322|
 #  323|-> return ret;
 #  324|   #else
 #  325|   return EOK;
```
---
 src/responder/kcm/kcmsrv_ccache.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
index ef174e0a09..4327aae415 100644
--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -294,6 +294,7 @@ kcm_cc_remove_duplicates(struct kcm_ccache *cc,
 kcrd = kcm_cred_to_krb5(kctx, kcm_crd);
 if (kcrd == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n");
+ret = ERR_CREDS_INVALID;
 goto done;
 }
 
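Review bot: the analyser output in the commit message says `ret` is declared without an initializer at line 285, and this hunk (with the next one) only assigns it on the two conversion-failure paths; any other `goto done` between the declaration and `done:` would still return an indeterminate value. Initialising `ret` at its declaration, or auditing every jump to `done`, is the more robust fix; also confirm callers of kcm_cc_remove_duplicates() handle ERR_CREDS_INVALID sensibly, since they previously got garbage here.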
@@ -301,6 +302,7 @@ kcm_cc_remove_duplicates(struct kcm_ccache *cc,
 kcrd_cc = kcm_cred_to_krb5(kctx, p);
 if (kcrd_cc == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n");
+ret = ERR_CREDS_INVALID;
 goto done;
 }
 
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[SSSD] [sssd PR#5827][+Waiting for review] A number of fixes around `strto*()` usage

2021-10-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5827
Title: #5827: A number of fixes around `strto*()` usage

Label: +Waiting for review


[SSSD] [sssd PR#5827][-Changes requested] A number of fixes around `strto*()` usage

2021-10-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5827
Title: #5827: A number of fixes around `strto*()` usage

Label: -Changes requested


[SSSD] [sssd PR#5827][comment] A number of fixes around `strto*()` usage

2021-10-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5827
Title: #5827: A number of fixes around `strto*()` usage

alexey-tikhonov commented:
"""
> > src/providers/ldap/ldap_id_services.c
> > 266:port = strtouint16(state->name, NULL, 10);
> 
> Again, internal stuff. But ok, to be consistent I will add checks here...
> 
> > src/providers/ldap/sdap_access.c
> > 1859:duration = strtouint32(pwdAccountLockedDurationTime, NULL, 
> > 0);
> 
> This value is from LDAP - "pwdLockoutDuration". I just wasn't sure what 
> weird format it might have... But it looks like 
> https://ldapwiki.com/wiki/PwdLockoutDuration says "Integer" so ok, I will 
> update this as well.

Done.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5827#issuecomment-946133323


[SSSD] [sssd PR#5827][synchronized] A number of fixes around `strto*()` usage

2021-10-18 Thread alexey-tikhonov
   URL: https://github.com/SSSD/sssd/pull/5827
Author: alexey-tikhonov
 Title: #5827: A number of fixes around `strto*()` usage
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5827/head:pr5827
git checkout pr5827
From 4354d843bc3163e58f7784c4d79208751f944267 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov 
Date: Fri, 15 Oct 2021 18:23:55 +0200
Subject: [PATCH 1/4] Removed excessive includes around 'strtonum'

---
 src/providers/ad/ad_gpo.c  | 1 +
 src/util/strtonum.c| 6 --
 src/util/strtonum.h| 2 --
 src/util/usertools.c   | 1 +
 src/util/well_known_sids.c | 1 +
 5 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 219f398491..f833b48a7a 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -31,6 +31,7 @@
  *   ad_gpo_process_cse_send/recv: retrieve policy file data
  */
 
+#include 
 #include 
 #include 
 #include 
diff --git a/src/util/strtonum.c b/src/util/strtonum.c
index 22e682b4b2..8eda8ea25e 100644
--- a/src/util/strtonum.c
+++ b/src/util/strtonum.c
@@ -19,14 +19,10 @@
along with this program.  If not, see .
 */
 
-#include 
 #include 
 #include 
-#include "config.h"
-#include "util/util.h"
 #include "util/strtonum.h"
 
-/* strtoint32 */
 int32_t strtoint32(const char *nptr, char **endptr, int base)
 {
 long long ret = 0;
@@ -48,7 +44,6 @@ int32_t strtoint32(const char *nptr, char **endptr, int base)
 }
 
 
-/* strtouint32 */
 uint32_t strtouint32(const char *nptr, char **endptr, int base)
 {
 unsigned long long ret = 0;
@@ -65,7 +60,6 @@ uint32_t strtouint32(const char *nptr, char **endptr, int base)
 }
 
 
-/* strtouint16 */
 uint16_t strtouint16(const char *nptr, char **endptr, int base)
 {
 unsigned long long ret = 0;
diff --git a/src/util/strtonum.h b/src/util/strtonum.h
index d9c31e9cde..ae493b5f51 100644
--- a/src/util/strtonum.h
+++ b/src/util/strtonum.h
@@ -22,8 +22,6 @@
 #ifndef _STRTONUM_H_
 #define _STRTONUM_H_
 
-#include 
-#include 
 #include 
 
 int32_t strtoint32(const char *nptr, char **endptr, int base);
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 8c2ed4e2de..e94ca1b54e 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -21,6 +21,7 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 
diff --git a/src/util/well_known_sids.c b/src/util/well_known_sids.c
index 38fe2646fa..1f9a7beea8 100644
--- a/src/util/well_known_sids.c
+++ b/src/util/well_known_sids.c
@@ -20,6 +20,7 @@
 along with this program.  If not, see .
 */
 
+#include 
 #include "util/util.h"
 #include "util/strtonum.h"
 
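Review bot: the header names in these `#include` lines did not survive the mail rendering, so the archived patch cannot be checked for which headers moved where; the commit message should list them (the stat shows strtonum.h losing two and three .c files gaining one each). Worth confirming that strtonum.c still sees the errno declaration after dropping util/util.h, since callers in the next patch rely on the helpers reporting failures through errno.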

From e5c11fda40809fd40bf2c7466e9c18254f8aa605 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov 
Date: Fri, 15 Oct 2021 21:12:32 +0200
Subject: [PATCH 2/4] 'strtonum' helpers: usage sanitization

---
 src/db/sysdb.c   | 3 ---
 src/providers/ad/ad_id.c | 8 
 src/providers/ad/ad_machine_pw_renewal.c | 2 --
 src/providers/ipa/ipa_s2n_exop.c | 1 -
 src/providers/ipa/ipa_subdomains_id.c| 8 
 src/providers/ipa/ipa_views.c| 1 -
 src/providers/ldap/ldap_id.c | 4 ++--
 src/providers/ldap/ldap_id_services.c| 7 ---
 src/providers/ldap/sdap_access.c | 8 
 src/providers/ldap/sdap_range.c  | 2 +-
 src/providers/proxy/proxy_services.c | 1 -
 src/responder/common/responder_common.c  | 3 +--
 src/responder/ifp/ifp_groups.c   | 9 +
 src/responder/ifp/ifp_users.c| 7 ---
 src/responder/ifp/ifpsrv.c   | 7 ---
 src/tools/common/sss_colondb.c   | 7 ---
 src/util/usertools.c | 3 +--
 src/util/well_known_sids.c   | 1 -
 18 files changed, 38 insertions(+), 44 deletions(-)

diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 3fe0ebf6c2..3ba79ab360 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -359,7 +359,6 @@ int sysdb_attrs_get_int32_t(struct sysdb_attrs *attrs, const char *name,
 return ERANGE;
 }
 
-errno = 0;
 val = strtoint32((const char *) el->values[0].data, &endptr, 10);
 if (errno != 0) return errno;
 if (*endptr) return EINVAL;
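Review bot: this hunk removes `errno = 0;` but keeps `if (errno != 0) return errno;` right after strtoint32(), so correctness now depends on strtoint32() clearing errno on entry; patch 1/4's strtonum.c hunk does not show that, so please confirm it (or keep the reset here), otherwise a stale errno from an unrelated earlier call turns a valid attribute into a spurious failure. The same applies to the two following hunks.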
@@ -385,7 +384,6 @@ int sysdb_attrs_get_uint32_t(struct sysdb_attrs *attrs, const char *name,
 return ERANGE;
 }
 
-errno = 0;
 val = strtouint32((const char *) el->values[0].data, &endptr, 10);
 if (errno != 0) return errno;
 if (*endptr) return EINVAL;
@@ -411,7 +409,6 @@ int sysdb_attrs_get_uint16_t(struct sysdb_attrs *attrs, const char *name,
 return ERANGE;
 }
 
-errno = 0;
 val = strtouint16((const char *) el->values[0].data, &endptr, 10);
 if (errno != 0) return errno;
 if (*endptr) return EINVAL;
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 8e4a0a5094..3d124724

[SSSD] [sssd PR#5829][comment] DP: Resolve intermediate groups prior to SR overlay

2021-10-18 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5829
Title: #5829: DP: Resolve intermediate groups prior to SR overlay

justin-stephenson commented:
"""
This is on me to fix the intg test failures, test_initgroups_with_mc is 
failing, likely due to ``sbus_call_nss_memcache_UpdateInitgroups_send`` being 
moved into `dp_get_account_info_initgroups_resolv_done`.

-- Before SSSD is stopped
~~~
bash-5.1# id user1
uid=1001(user1) gid=2001(group1) groups=2001(group1)

bash-5.1# hexdump -C /tmp/sssd-intg.C2ZNOgHS/var/lib/sss/mc/group
  01 00 00 f0 01 00 00 00  01 00 00 00 01 00 00 00  ||
0010  79 32 3d a6 40 00 60 00  cd 4c 00 00 a0 99 09 00  |y2=.@.`..L..|
0020  38 00 00 00 78 00 60 00  48 4d 60 00 00 00 00 00  |8...x.`.HM`.|
0030  01 00 00 f0 00 00 00 00  00 00 00 f0 55 00 00 00  |U...|
0040  cb d3 6d 61 00 00 00 00  ff ff ff ff ff ff ff ff  |..ma|
0050  dc 51 00 00 d1 bf 00 00  ff ff ff ff 00 00 00 f0  |.Q..|
0060  10 00 00 00 d1 07 00 00  03 00 00 00 1d 00 00 00  ||
0070  67 72 6f 75 70 31 00 2a  00 75 73 65 72 31 00 75  |group1.*.user1.u|
0080  73 65 72 31 31 00 75 73  65 72 32 31 00 ff ff ff  |ser11.user21|
0090  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  ||
~~~

--- After SSSD is stopped when returning from memcache
~~~
bash-5.1# id user2
uid=1002(user2) gid=2002 groups=2002


bash-5.1# hexdump -C /tmp/sssd-intg.C2ZNOgHS/var/lib/sss/mc/group
  01 00 00 f0 01 00 00 00  01 00 00 00 01 00 00 00  ||
0010  ad 7a 29 a7 40 00 60 00  cd 4c 00 00 a0 99 09 00  |.z).@.`..L..|
0020  38 00 00 00 78 00 60 00  48 4d 60 00 00 00 00 00  |8...x.`.HM`.|
0030  01 00 00 f0 00 00 00 00  ff ff ff ff ff ff ff ff  ||
0040  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  ||
*
00600070  ff ff ff ff ff ff ff ff  00 00 00 00 00 00 00 00  ||
00600080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ||
*
00604d40  00 00 00 00 00 00 00 00  ff ff ff ff ff ff ff ff  ||
00604d50  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  ||
*
0069e6e0  ff ff ff ff ff ff ff ff   ||
0069e6e8
~~~
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5829#issuecomment-946126101


[SSSD] [sssd PR#5827][comment] A number of fixes around `strto*()` usage

2021-10-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5827
Title: #5827: A number of fixes around `strto*()` usage

alexey-tikhonov commented:
"""
> I found call for `strtoul()` in one more place:
> 
> ```
> src/providers/ldap/sdap_sudo_shared.c 
>   
> 194:strtoul(srv_opts->max_sudo_value, &timezone, 10); 
>   
> 204:usn_number = strtoul(usn, &timezone, 10);
> ```
> 
> I think in the 2nd case evaluation against `> UINT32_MAX` is missing.

Why?
https://ldapwiki.com/wiki/Update%20Sequence%20Number says `Update Sequence 
Number (USN) is a 64-bit number `.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5827#issuecomment-946116907


[SSSD] [sssd PR#5827][+Changes requested] A number of fixes around `strto*()` usage

2021-10-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5827
Title: #5827: A number of fixes around `strto*()` usage

Label: +Changes requested


[SSSD] [sssd PR#5827][comment] A number of fixes around `strto*()` usage

2021-10-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5827
Title: #5827: A number of fixes around `strto*()` usage

alexey-tikhonov commented:
"""
> There are a few more places where `strtouint*()` is called with the 2nd parameter 
> set to NULL:

I don't have a very strong justification but will try my best to explain why I 
missed those.

> src/sbus/sbus_errors.c
>   
> 74:ret = strtouint32(error->message, NULL, 10); 

This is a case `dbus_error_has_name(error, SBUS_ERROR_ERRNO)`, i.e. (IIUC) 
`error->message` is set by another SSSD process, i.e. can be treated as a more 
or less "safe" source.
But imagine we want to be prudent and catch a case "123abc". How are we going 
to handle this?
This is a helper function that translates `error` to error code. So instead of 
`123` in this case of malformed error text we can return, for example, 
`ERR_INTERNAL`. Does it make some sense? Perhaps. Much sense? Imo, no.
 
> src/responder/kcm/kcmsrv_ccache_secdb.c   
>  
> 846:uid = strtouint32(uid_list[i], NULL, 10);  

`uid_list` originates from sssd-kcm ccache DB, so again, more or less reliable.

> src/tests/cwrap/test_server.c 
>  
> 79:tmp = strtouint32(buf, NULL, 10);  
>  

That's a test. It's not that I don't care at all, but it really can be not as 
strict.

> src/providers/ldap/ldap_id_services.c 
>  
> 266:port = strtouint16(state->name, NULL, 10);
>  

Again, internal stuff. But ok, to be consistent I will add checks here...

>   
>  
> src/providers/ldap/sdap_access.c  
>  
> 1859:duration = strtouint32(pwdAccountLockedDurationTime, NULL, 
> 0);

This value is from LDAP - "pwdLockoutDuration". I just wasn't sure what weird 
format it might have...
But it looks like https://ldapwiki.com/wiki/PwdLockoutDuration says "Integer" so ok, 
I will update this as well.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5827#issuecomment-946114494
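The strict-parsing pattern this thread converges on (the errno-then-endptr check visible in the sysdb.c hunk of PR#5827 above, a width check against the target type, and a 64-bit path for USNs), as an added example in C: this is not SSSD code, and the helper names are mine rather than SSSD's strtouint32()/strtouint16().

```c
/* Added example, not SSSD code: strict parsing of untrusted numeric strings
 * (LDAP attribute values, D-Bus error text, port names).  Each helper
 * returns 0 on success or an errno value, never a silently truncated
 * or garbage-tolerant result.  Names are mine, not SSSD's strtonum API. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Parse an unsigned number into a uint64_t.  Returns EINVAL for NULL/empty
 * input, no digits, a leading '-' or trailing garbage such as "123abc",
 * and ERANGE when the value does not fit in 64 bits. */
static int parse_uint64_strict(const char *s, int base, uint64_t *out)
{
    const char *p = s;
    char *endptr = NULL;
    unsigned long long v;

    if (s == NULL) {
        return EINVAL;
    }
    /* strtoull() skips leading blanks and then accepts a '-' sign, wrapping
     * the result modulo 2^64; reject the sign before it gets that chance. */
    while (isspace((unsigned char)*p)) {
        p++;
    }
    if (*p == '-') {
        return EINVAL;
    }

    errno = 0;                  /* strtoull() only touches errno on error */
    v = strtoull(p, &endptr, base);
    if (errno != 0) {
        return errno;           /* ERANGE: more than 64 bits */
    }
    if (endptr == p) {
        return EINVAL;          /* "" or "abc": nothing consumed */
    }
    if (*endptr != '\0') {
        return EINVAL;          /* "123abc": the case raised in review */
    }
    *out = (uint64_t)v;
    return 0;
}

/* Narrow to 32 bits (a uid, pwdLockoutDuration); ERANGE if it does not fit. */
static int parse_uint32_strict(const char *s, int base, uint32_t *out)
{
    uint64_t v;
    int ret = parse_uint64_strict(s, base, &v);

    if (ret != 0) {
        return ret;
    }
    if (v > UINT32_MAX) {
        return ERANGE;
    }
    *out = (uint32_t)v;
    return 0;
}

/* Narrow to 16 bits (a port number); ERANGE if it does not fit. */
static int parse_uint16_strict(const char *s, int base, uint16_t *out)
{
    uint64_t v;
    int ret = parse_uint64_strict(s, base, &v);

    if (ret != 0) {
        return ret;
    }
    if (v > UINT16_MAX) {
        return ERANGE;
    }
    *out = (uint16_t)v;
    return 0;
}

/* Status-only wrappers for when just the verdict matters.  A USN is a
 * 64-bit number, so it goes through the 64-bit path, not the 32-bit one. */
static int status_u16(const char *s, int base)
{
    uint16_t v; return parse_uint16_strict(s, base, &v);
}
static int status_u32(const char *s, int base)
{
    uint32_t v; return parse_uint32_strict(s, base, &v);
}
static int status_u64(const char *s, int base)
{
    uint64_t v; return parse_uint64_strict(s, base, &v);
}
/* Value wrapper; returns 0 when parsing failed (check status_u32 first). */
static uint32_t value_u32(const char *s, int base)
{
    uint32_t v = 0; (void)parse_uint32_strict(s, base, &v); return v;
}
```

Base 0 mirrors the `strtouint32(pwdAccountLockedDurationTime, NULL, 0)` call quoted in the review, so "0x3c" parses as hex; pass 10 where only decimal is acceptable.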


[SSSD] [sssd PR#5827][comment] A number of fixes around `strto*()` usage

2021-10-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5827
Title: #5827: A number of fixes around `strto*()` usage

alexey-tikhonov commented:
"""
> There are a few more places where `strtouint*()` is called with the 2nd parameter 
> set to NULL:

I don't have a very strong justification but will try my best to explain why I 
missed those.

> src/sbus/sbus_errors.c
>   
> 74:ret = strtouint32(error->message, NULL, 10); 

This is a case `dbus_error_has_name(error, SBUS_ERROR_ERRNO)`, i.e. (IIUC) 
`error->message` is set by another SSSD process, i.e. can be treated as a more 
or less "safe" source.
But imagine we want to be prudent and catch a case "123abc". How are we going 
to handle this?
This is a helper function that translates `error` to error code. So instead of 
`123` in this case of malformed error text we can return, for example, 
`ERR_INTERNAL`. Does it make some sense? Perhaps. Much sense? Imo, no.
 
> src/responder/kcm/kcmsrv_ccache_secdb.c   
>  
> 846:uid = strtouint32(uid_list[i], NULL, 10);  

`uid_list` originates from sssd-kcm ccache DB, so again, more or less reliable.

> src/tests/cwrap/test_server.c 
>  
> 79:tmp = strtouint32(buf, NULL, 10);  
>  

That's a test.

> src/providers/ldap/ldap_id_services.c 
>  
> 266:port = strtouint16(state->name, NULL, 10);
>  

Again, internal stuff. But ok, to be consistent I will add checks here...

>   
>  
> src/providers/ldap/sdap_access.c  
>  
> 1859:duration = strtouint32(pwdAccountLockedDurationTime, NULL, 
> 0);

This value is from LDAP - "pwdLockoutDuration". I just wasn't sure what weird 
format it might have...
But it looks like https://ldapwiki.com/wiki/PwdLockoutDuration says "Integer" so ok, 
I will update this as well.

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5827#issuecomment-946114494


[SSSD] [sssd PR#5827][comment] A number of fixes around `strto*()` usage

2021-10-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5827
Title: #5827: A number of fixes around `strto*()` usage

alexey-tikhonov commented:
"""
> There are a few more places where `strtouint*()` is called with the 2nd parameter 
> set to NULL:

I don't have a very strong justification but will try my best to explain why I 
missed those.

> src/sbus/sbus_errors.c
>   
> 74:ret = strtouint32(error->message, NULL, 10); 

This is a case `dbus_error_has_name(error, SBUS_ERROR_ERRNO)`, i.e. (IIUC) 
`error->message` is set by another SSSD process, i.e. can be treated as a more 
or less "safe" source.
But imagine we want to be prudent and catch a case "123abc". How are we going 
to handle this?
This is a helper function that translates `error` to error code. So instead of 
`123` in this case of malformed error text we can return, for example, 
`ERR_INTERNAL`. Does it make some sense? Perhaps. Much sense? Imo, no.
 
> src/responder/kcm/kcmsrv_ccache_secdb.c   
>  
> 846:uid = strtouint32(uid_list[i], NULL, 10);  

`uid_list` originates from sssd-kcm ccache DB, so again, more or less reliable.

> src/tests/cwrap/test_server.c 
>  
> 79:tmp = strtouint32(buf, NULL, 10);  
>  

That's a test.

> src/providers/ldap/ldap_id_services.c 
>  
> 266:port = strtouint16(state->name, NULL, 10);
>  

Again, internal stuff. But ok, to be consistent I will add checks here...

>   
>  
> src/providers/ldap/sdap_access.c  
>  
> 1859:duration = strtouint32(pwdAccountLockedDurationTime, NULL, 
> 0);

This value is from LDAP - "pwdLockoutDuration". I just wasn't sure what weird 
format it might have...
But it looks like https://ldapwiki.com/wiki/PwdLockoutDuration says "Integer" so ok, 
I will update this as well.


> ```
> 
> If those are outside of the scope of this PR?


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5827#issuecomment-946114494
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
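The "123abc" case argued over in the comment above, as an added example that is not part of the thread and is not SSSD's own `strtouint32()`: a strict parser that uses the end pointer and `errno` results of `strtoull()` sits beside a lenient one that passes `NULL` as the end pointer, so the difference in what each accepts is visible on the same constructed inputs. The helper names `parse_u32_lenient`, `parse_u32_strict` and `parse_u32_strict_ll` are my own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lenient parse: what a NULL end pointer buys you. "123abc" parses as 123,
 * "4294967296" wraps to 0 after the cast and "-1" becomes 4294967295, and
 * none of that is reported to the caller. (Illustrative helper, not SSSD's
 * strtouint32().) */
uint32_t parse_u32_lenient(const char *s)
{
    return (uint32_t) strtoull(s, NULL, 10);
}

/* Strict parse: the whole string must be a plain decimal number that fits in
 * uint32_t. Returns 0 and stores the value on success, EINVAL for malformed
 * input, ERANGE for values that do not fit. */
int parse_u32_strict(const char *s, uint32_t *out)
{
    char *end = NULL;
    unsigned long long v;

    /* strtoull() would skip leading whitespace and accept a '-' sign (the
     * value wraps), so insist on a digit up front; this also rejects "". */
    if (s == NULL || !isdigit((unsigned char) s[0])) {
        return EINVAL;
    }

    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || v > UINT32_MAX) {
        return ERANGE;
    }
    if (*end != '\0') {
        /* trailing characters, e.g. the "abc" in "123abc" */
        return EINVAL;
    }

    *out = (uint32_t) v;
    return 0;
}

/* Single-value convenience wrapper: the parsed value on success, or the
 * negated errno code on failure (a valid uint32_t is never negative). */
long long parse_u32_strict_ll(const char *s)
{
    uint32_t v = 0;
    int rc = parse_u32_strict(s, &v);

    return rc == 0 ? (long long) v : -(long long) rc;
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "123", "123abc", "", "4294967295",
                              "4294967296", "-1", " 5" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t v = 0;
        int rc = parse_u32_strict(samples[i], &v);

        printf("%-12s lenient=%u strict=%s\n", samples[i],
               (unsigned) parse_u32_lenient(samples[i]),
               rc == 0 ? "ok" : strerror(rc));
    }
    return 0;
}
```

The strict variant is the shape the comment arrives at for the LDAP-sourced `pwdLockoutDuration` value: an integer attribute read from a directory is still external input, and rejecting trailing characters costs one pointer comparison.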


[SSSD] [sssd PR#5830][synchronized] Tests: Port the old ns_account_lock.sh script to pytest

2021-10-18 Thread aborah-sudo
   URL: https://github.com/SSSD/sssd/pull/5830
Author: aborah-sudo
 Title: #5830: Tests: Port the old ns_account_lock.sh script to pytest
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5830/head:pr5830
git checkout pr5830
From da6d624a3a1f709dad83de5ec44244c74269e95c Mon Sep 17 00:00:00 2001
From: Anuj Borah 
Date: Tue, 19 Oct 2021 00:18:27 +0530
Subject: [PATCH] Tests: Port the old ns_account_lock.sh script to pytest

Port the old ns_account_lock.sh script to pytest
---
 src/tests/multihost/alltests/pytest.ini   |   1 +
 src/tests/multihost/alltests/readme.rst   |   1 +
 .../alltests/test_ns_account_lock.py  | 413 ++
 3 files changed, 415 insertions(+)
 create mode 100644 src/tests/multihost/alltests/test_ns_account_lock.py

diff --git a/src/tests/multihost/alltests/pytest.ini b/src/tests/multihost/alltests/pytest.ini
index 66519e8003..8702cf9b8d 100644
--- a/src/tests/multihost/alltests/pytest.ini
+++ b/src/tests/multihost/alltests/pytest.ini
@@ -11,6 +11,7 @@ markers =
 ldapextraattrs: Tests related to Ldap Extra attributes
 multidomain: Tests related to SSSD Multiple Domains
 netgroup: Tests related to netgroup
+nsaccountlock: Tests related to nsaccountlock
 offline: Tests related to ldap offline suite
 services: Tests related to SSSD sanity services
 sssctl: Tests related to sssctl tool
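Review bot: the new marker description `nsaccountlock: Tests related to nsaccountlock` only repeats the marker name, while the neighbouring entries say what the feature is; `nsaccountlock: Tests related to account locking via nsAccountLock` would tell a reader what the suite covers.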
diff --git a/src/tests/multihost/alltests/readme.rst b/src/tests/multihost/alltests/readme.rst
index dd750b358a..3fab51efe4 100644
--- a/src/tests/multihost/alltests/readme.rst
+++ b/src/tests/multihost/alltests/readme.rst
@@ -22,6 +22,7 @@ Following are the pytest markers used
 * ldapextraattrs: Tests related to Ldap Extra attributes
 * multidomain: Tests related to SSSD Multiple Domains
 * netgroup: Tests related to netgroup
+* nsaccountlock: Tests related to nsaccountlock
 * offline: Tests related to ldap offline suite
 * services: Tests related to SSSD sanity services
 * sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/test_ns_account_lock.py b/src/tests/multihost/alltests/test_ns_account_lock.py
new file mode 100644
index 00..70fb4dad35
--- /dev/null
+++ b/src/tests/multihost/alltests/test_ns_account_lock.py
@@ -0,0 +1,413 @@
+""" Automation of nsaccount lock
+
+:subsystemteam: sst_idm_sssd
+:upstream: yes
+"""
+
+from __future__ import print_function
+import re
+import pytest
+import threading
+import time
+import paramiko
+import subprocess
+from sssd.testlib.common.expect import pexpect_ssh
+from sssd.testlib.common.exceptions import SSHLoginException
+from sssd.testlib.common.utils import sssdTools, LdapOperations
+from sssd.testlib.common.utils import SSHClient
+import ldap
+
+
+def execute_cmd(multihost, command):
+""" Execute command on client """
+cmd = multihost.client[0].run_command(command)
+return cmd
+
+
+def lock_check(multihost, user):
+"Check if user is locked"
+assert f"Performing RHDS access check for user" \
+   f" [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS'
+  ' access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert "pam_sss(sshd:account): system info:" \
+   " [The user account is locked on the server]" \
+   in execute_cmd(multihost,
+  'grep "pam_sss(sshd:account): '
+  'system info" /var/log/secure*').stdout_text
+assert f"pam_sss(sshd:account):" \
+   f" Access denied for user" \
+   f" {user}@example1: 6 (Permission denied)"\
+   in execute_cmd(multihost, 'grep '
+ '"Access denied '
+ 'for user" '
+ '/var/log/secure*').stdout_text
+
+
+def unlock_check(multihost, user):
+"Check if user is unlocked"
+assert f"Performing RHDS access " \
+   f"check for user [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS '
+  'access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert f"{user}@example1" in \
+   execute_cmd(multihost,
+   'grep "is not locked." '
+   '/var/log/sssd/*').stdout_text
+
+
+def manage_user_roles(multihost, user, lock, type1):
+"Manage users and roles"
+master_e = multihost.master[0].ip
+assert f"Entry {user},ou=people," \
+   f"dc=example,dc=test is {lock}" in \
+   execute_cmd(multihost, f"dsidm "
+  f"ldap://{master_e}:389 -D"
+  f" 'cn=Directory Manager'"
+  f" -w Secret123 -b dc=example,"
+  f"dc=test {type1}"
+ 
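Review bot: `manage_user_roles` passes the Directory Manager bind password on the `dsidm` command line (`-w Secret123`), where it shows up in the client's process list and in whatever command logging the multihost framework does; even for a lab credential, reading it from a file or an environment variable is the safer pattern. The same helper binds over the plain `ldap://{master_e}:389` URL, so the bind travels unencrypted unless the tool negotiates STARTTLS; worth a comment if that is intended for this environment.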

[SSSD] [sssd PR#5830][synchronized] Tests: Port the old ns_account_lock.sh script to pytest

2021-10-18 Thread aborah-sudo
   URL: https://github.com/SSSD/sssd/pull/5830
Author: aborah-sudo
 Title: #5830: Tests: Port the old ns_account_lock.sh script to pytest
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5830/head:pr5830
git checkout pr5830
From 7f5941c41e00a45652f22b0ce1afb6dd0fc6797c Mon Sep 17 00:00:00 2001
From: Anuj Borah 
Date: Tue, 19 Oct 2021 00:18:27 +0530
Subject: [PATCH] Tests: Port the old ns_account_lock.sh script to pytest

Port the old ns_account_lock.sh script to pytest
---
 src/tests/multihost/alltests/pytest.ini   |   1 +
 src/tests/multihost/alltests/readme.rst   |   1 +
 .../alltests/test_ns_account_lock.py  | 429 ++
 3 files changed, 431 insertions(+)
 create mode 100644 src/tests/multihost/alltests/test_ns_account_lock.py

diff --git a/src/tests/multihost/alltests/pytest.ini b/src/tests/multihost/alltests/pytest.ini
index 66519e8003..8702cf9b8d 100644
--- a/src/tests/multihost/alltests/pytest.ini
+++ b/src/tests/multihost/alltests/pytest.ini
@@ -11,6 +11,7 @@ markers =
 ldapextraattrs: Tests related to Ldap Extra attributes
 multidomain: Tests related to SSSD Multiple Domains
 netgroup: Tests related to netgroup
+nsaccountlock: Tests related to nsaccountlock
 offline: Tests related to ldap offline suite
 services: Tests related to SSSD sanity services
 sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/readme.rst b/src/tests/multihost/alltests/readme.rst
index dd750b358a..3fab51efe4 100644
--- a/src/tests/multihost/alltests/readme.rst
+++ b/src/tests/multihost/alltests/readme.rst
@@ -22,6 +22,7 @@ Following are the pytest markers used
 * ldapextraattrs: Tests related to Ldap Extra attributes
 * multidomain: Tests related to SSSD Multiple Domains
 * netgroup: Tests related to netgroup
+* nsaccountlock: Tests related to nsaccountlock
 * offline: Tests related to ldap offline suite
 * services: Tests related to SSSD sanity services
 * sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/test_ns_account_lock.py b/src/tests/multihost/alltests/test_ns_account_lock.py
new file mode 100644
index 00..4d6113efaa
--- /dev/null
+++ b/src/tests/multihost/alltests/test_ns_account_lock.py
@@ -0,0 +1,429 @@
+""" Automation of nsaccount lock
+
+:subsystemteam: sst_idm_sssd
+:upstream: yes
+"""
+
+from __future__ import print_function
+import re
+import pytest
+import threading
+import time
+import paramiko
+import subprocess
+from sssd.testlib.common.expect import pexpect_ssh
+from sssd.testlib.common.exceptions import SSHLoginException
+from sssd.testlib.common.utils import sssdTools, LdapOperations
+from sssd.testlib.common.utils import SSHClient
+import ldap
+
+
+def execute_cmd(multihost, command):
+""" Execute command on client """
+cmd = multihost.client[0].run_command(command)
+return cmd
+
+
+def lock_check(multihost, user):
+"Check if user is locked"
+assert f"Performing RHDS access check for user" \
+   f" [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS'
+  ' access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert "pam_sss(sshd:account): system info:" \
+   " [The user account is locked on the server]" \
+   in execute_cmd(multihost,
+  'grep "pam_sss(sshd:account): '
+  'system info" /var/log/secure*').stdout_text
+assert f"pam_sss(sshd:account):" \
+   f" Access denied for user" \
+   f" {user}@example1: 6 (Permission denied)"\
+   in execute_cmd(multihost, 'grep '
+ '"Access denied '
+ 'for user" '
+ '/var/log/secure*').stdout_text
+
+
+def unlock_check(multihost, user):
+"Check if user is unlocked"
+assert f"Performing RHDS access " \
+   f"check for user [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS '
+  'access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert f"{user}@example1" in \
+   execute_cmd(multihost,
+   'grep "is not locked." '
+   '/var/log/sssd/*').stdout_text
+
+
+def manage_user_roles(multihost, user, lock, type1):
+"Manage users and roles"
+master_e = multihost.master[0].ip
+assert f"Entry {user},ou=people," \
+   f"dc=example,dc=test is {lock}" in \
+   execute_cmd(multihost, f"dsidm "
+  f"ldap://{master_e}:389 -D"
+  f" 'cn=Directory Manager'"
+  f" -w Secret123 -b dc=example,"
+  f"dc=test {type1}"
+ 
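Review bot: `lock_check` and `unlock_check` grep the whole of `/var/log/sssd/*` and `/var/log/secure*` for fixed strings, so once a user has been locked and denied in one test, the `[The user account is locked on the server]` and `Access denied for user` lines stay in the files and satisfy `lock_check` in every later test for the same user, including after an unlock. Unless the logs are truncated between cases (not visible in this part of the diff), anchor each check on the current attempt, for example by truncating the logs in the fixture that performs the lock or by grepping only lines newer than a timestamp taken before the login attempt.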

[SSSD] [sssd PR#5830][synchronized] Tests: Port the old ns_account_lock.sh script to pytest

2021-10-18 Thread aborah-sudo
   URL: https://github.com/SSSD/sssd/pull/5830
Author: aborah-sudo
 Title: #5830: Tests: Port the old ns_account_lock.sh script to pytest
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5830/head:pr5830
git checkout pr5830
From 194e1bc151e190d79501caa49058b04ce1f094f8 Mon Sep 17 00:00:00 2001
From: Anuj Borah 
Date: Tue, 19 Oct 2021 00:18:27 +0530
Subject: [PATCH] Tests: Port the old ns_account_lock.sh script to pytest

Port the old ns_account_lock.sh script to pytest
---
 src/tests/multihost/alltests/pytest.ini   |   1 +
 src/tests/multihost/alltests/readme.rst   |   1 +
 .../alltests/test_ns_account_lock.py  | 429 ++
 3 files changed, 431 insertions(+)
 create mode 100644 src/tests/multihost/alltests/test_ns_account_lock.py

diff --git a/src/tests/multihost/alltests/pytest.ini b/src/tests/multihost/alltests/pytest.ini
index 66519e8003..8702cf9b8d 100644
--- a/src/tests/multihost/alltests/pytest.ini
+++ b/src/tests/multihost/alltests/pytest.ini
@@ -11,6 +11,7 @@ markers =
 ldapextraattrs: Tests related to Ldap Extra attributes
 multidomain: Tests related to SSSD Multiple Domains
 netgroup: Tests related to netgroup
+nsaccountlock: Tests related to nsaccountlock
 offline: Tests related to ldap offline suite
 services: Tests related to SSSD sanity services
 sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/readme.rst b/src/tests/multihost/alltests/readme.rst
index dd750b358a..3fab51efe4 100644
--- a/src/tests/multihost/alltests/readme.rst
+++ b/src/tests/multihost/alltests/readme.rst
@@ -22,6 +22,7 @@ Following are the pytest markers used
 * ldapextraattrs: Tests related to Ldap Extra attributes
 * multidomain: Tests related to SSSD Multiple Domains
 * netgroup: Tests related to netgroup
+* nsaccountlock: Tests related to nsaccountlock
 * offline: Tests related to ldap offline suite
 * services: Tests related to SSSD sanity services
 * sssctl: Tests related to sssctl tool
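Review bot: same remark as for pytest.ini, the readme entry `* nsaccountlock: Tests related to nsaccountlock` describes the marker with its own name; a short phrase naming the account-lock feature being tested would match the style of the surrounding entries.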
diff --git a/src/tests/multihost/alltests/test_ns_account_lock.py b/src/tests/multihost/alltests/test_ns_account_lock.py
new file mode 100644
index 00..e7dc710a32
--- /dev/null
+++ b/src/tests/multihost/alltests/test_ns_account_lock.py
@@ -0,0 +1,429 @@
+""" Automation of nsaccount lock
+
+:subsystemteam: sst_idm_sssd
+:upstream: yes
+"""
+
+from __future__ import print_function
+import re
+import pytest
+import threading
+import time
+import paramiko
+import subprocess
+from sssd.testlib.common.expect import pexpect_ssh
+from sssd.testlib.common.exceptions import SSHLoginException
+from sssd.testlib.common.utils import sssdTools, LdapOperations
+from sssd.testlib.common.utils import SSHClient
+import ldap
+
+
+def execute_cmd(multihost, command):
+""" Execute command on client """
+cmd = multihost.client[0].run_command(command)
+return cmd
+
+
+def lock_check(multihost, user):
+"Check if user is locked"
+assert f"Performing RHDS access check for user" \
+   f" [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS'
+  ' access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert "pam_sss(sshd:account): system info:" \
+   " [The user account is locked on the server]" \
+   in execute_cmd(multihost,
+  'grep "pam_sss(sshd:account): '
+  'system info" /var/log/secure*').stdout_text
+assert f"pam_sss(sshd:account):" \
+   f" Access denied for user" \
+   f" {user}@example1: 6 (Permission denied)"\
+   in execute_cmd(multihost, 'grep '
+ '"Access denied '
+ 'for user" '
+ '/var/log/secure*').stdout_text
+
+
+def unlock_check(multihost, user):
+"Check if user is unlocked"
+assert f"Performing RHDS access " \
+   f"check for user [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS '
+  'access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert f"{user}@example1" in \
+   execute_cmd(multihost,
+   'grep "is not locked." '
+   '/var/log/sssd/*').stdout_text
+
+
+def manage_user_roles(multihost, user, lock, type1):
+"Manage users and roles"
+master_e = multihost.master[0].ip
+assert f"Entry {user},ou=people," \
+   f"dc=example,dc=test is {lock}" in \
+   execute_cmd(multihost, f"dsidm "
+  f"ldap://{master_e}:389 -D"
+  f" 'cn=Directory Manager'"
+  f" -w Secret123 -b dc=example,"
+  f"dc=test {type1}"
+ 
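Review bot: several f-strings in `lock_check` and `unlock_check` contain no placeholders (`f"Performing RHDS access check for user"`, `f"pam_sss(sshd:account):"`, `f" Access denied for user"`), which flake8 reports as F541; drop the `f` prefix where nothing is interpolated. The same helpers use bare single-line docstrings (`"Check if user is locked"`) while `execute_cmd` uses triple quotes; pick one form. The domain `example1` and the base `dc=example,dc=test` are repeated as literals in every helper and would be easier to maintain as module-level constants.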

[SSSD] [sssd PR#5830][opened] Tests: Port the old ns_account_lock.sh script to pytest

2021-10-18 Thread aborah-sudo
   URL: https://github.com/SSSD/sssd/pull/5830
Author: aborah-sudo
 Title: #5830: Tests: Port the old ns_account_lock.sh script to pytest
Action: opened

PR body:
"""
Port the old ns_account_lock.sh script to pytest
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5830/head:pr5830
git checkout pr5830
From af869f2e24fb370ae86f302f9c24cf683deb6ed8 Mon Sep 17 00:00:00 2001
From: Anuj Borah 
Date: Tue, 19 Oct 2021 00:18:27 +0530
Subject: [PATCH] Tests: Port the old ns_account_lock.sh script to pytest

Port the old ns_account_lock.sh script to pytest
---
 src/tests/multihost/alltests/pytest.ini   |   1 +
 src/tests/multihost/alltests/readme.rst   |   1 +
 .../alltests/test_ns_account_lock.py  | 423 ++
 3 files changed, 425 insertions(+)
 create mode 100644 src/tests/multihost/alltests/test_ns_account_lock.py

diff --git a/src/tests/multihost/alltests/pytest.ini b/src/tests/multihost/alltests/pytest.ini
index 66519e8003..8702cf9b8d 100644
--- a/src/tests/multihost/alltests/pytest.ini
+++ b/src/tests/multihost/alltests/pytest.ini
@@ -11,6 +11,7 @@ markers =
 ldapextraattrs: Tests related to Ldap Extra attributes
 multidomain: Tests related to SSSD Multiple Domains
 netgroup: Tests related to netgroup
+nsaccountlock: Tests related to nsaccountlock
 offline: Tests related to ldap offline suite
 services: Tests related to SSSD sanity services
 sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/readme.rst b/src/tests/multihost/alltests/readme.rst
index dd750b358a..3fab51efe4 100644
--- a/src/tests/multihost/alltests/readme.rst
+++ b/src/tests/multihost/alltests/readme.rst
@@ -22,6 +22,7 @@ Following are the pytest markers used
 * ldapextraattrs: Tests related to Ldap Extra attributes
 * multidomain: Tests related to SSSD Multiple Domains
 * netgroup: Tests related to netgroup
+* nsaccountlock: Tests related to nsaccountlock
 * offline: Tests related to ldap offline suite
 * services: Tests related to SSSD sanity services
 * sssctl: Tests related to sssctl tool
diff --git a/src/tests/multihost/alltests/test_ns_account_lock.py b/src/tests/multihost/alltests/test_ns_account_lock.py
new file mode 100644
index 00..17d1d2da51
--- /dev/null
+++ b/src/tests/multihost/alltests/test_ns_account_lock.py
@@ -0,0 +1,423 @@
+""" Automation of nsaccount lock
+
+:subsystemteam: sst_idm_sssd
+:upstream: yes
+"""
+
+from __future__ import print_function
+import re
+import pytest
+import threading
+import time
+import paramiko
+import subprocess
+from sssd.testlib.common.expect import pexpect_ssh
+from sssd.testlib.common.exceptions import SSHLoginException
+from sssd.testlib.common.utils import sssdTools, LdapOperations
+from sssd.testlib.common.utils import SSHClient
+import ldap
+
+
+def execute_cmd(multihost, command):
+""" Execute command on client """
+cmd = multihost.client[0].run_command(command)
+return cmd
+
+
+def lock_check(multihost, user):
+"Check if user is locked"
+assert f"Performing RHDS access check for user" \
+   f" [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS'
+  ' access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert "pam_sss(sshd:account): system info:" \
+   " [The user account is locked on the server]" \
+   in execute_cmd(multihost,
+  'grep "pam_sss(sshd:account): '
+  'system info" /var/log/secure*').stdout_text
+assert f"pam_sss(sshd:account):" \
+   f" Access denied for user" \
+   f" {user}@example1: 6 (Permission denied)"\
+   in execute_cmd(multihost, 'grep '
+ '"Access denied '
+ 'for user" '
+ '/var/log/secure*').stdout_text
+
+
+def unlock_check(multihost, user):
+"Check if user is unlocked"
+assert f"Performing RHDS access " \
+   f"check for user [{user}@example1]" \
+   in execute_cmd(multihost,
+  'grep "Performing RHDS '
+  'access check for user"'
+  ' /var/log/sssd/*').stdout_text
+assert f"{user}@example1" in \
+   execute_cmd(multihost,
+   'grep "is not locked." '
+   '/var/log/sssd/*').stdout_text
+
+
+def manage_user_roles(multihost, user, lock, type1):
+"Manage users and roles"
+master_e = multihost.master[0].ip
+assert f"Entry {user},ou=people," \
+   f"dc=example,dc=test is {lock}" in \
+   execute_cmd(multihost, f"dsidm "
+  f"ldap://{master_e}:389 -D"
+  f" 'cn=Directory Manager'"
+  f" -w Secret123 -b dc=example,"
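Review bot: `execute_cmd` calls `multihost.client[0].run_command(command)` with the defaults and every check then reaches into `.stdout_text`; `grep` exits non-zero when it finds nothing, so if `run_command` keeps its default of raising on a non-zero exit, a missing log line surfaces as a command-failure exception from inside the helper rather than as the `assert` message naming the user and the expected string. Running the grep with `raiseonerr=False` in `execute_cmd` (or catching the failure there) keeps the assertion as the point of failure.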

[SSSD] [sssd PR#5829][+Bugzilla] DP: Resolve intermediate groups prior to SR overlay

2021-10-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5829
Title: #5829: DP: Resolve intermediate groups prior to SR overlay

Label: +Bugzilla


[SSSD] [sssd PR#5829][synchronized] DP: Resolve intermediate groups prior to SR overlay

2021-10-18 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5829
Author: justin-stephenson
 Title: #5829: DP: Resolve intermediate groups prior to SR overlay
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5829/head:pr5829
git checkout pr5829
From 77978b4e3bf7b58164692ad29211797c33641b41 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Thu, 7 Oct 2021 00:37:25 +
Subject: [PATCH] DP: Resolve intermediate groups prior to SR overlay

SSSD SR exclude_groups checking can fail when only intermediate
groups are fetched during the login process. Add a step to
resolve these groups during Initgroups processing to ensure
the exclude groups check matches against the group name correctly.

This logic exists already similarly in the simple access provider.
---
 src/providers/data_provider/dp_target_id.c | 259 -
 1 file changed, 253 insertions(+), 6 deletions(-)

diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
index a71cdf65c6..a7db5407c9 100644
--- a/src/providers/data_provider/dp_target_id.c
+++ b/src/providers/data_provider/dp_target_id.c
@@ -448,10 +448,231 @@ static void dp_req_initgr_pp_set_initgr_timestamp(struct dp_initgr_ctx *ctx,
 }
 }
 
+
+struct dp_sr_resolve_groups_state {
+struct data_provider *provider;
+struct dp_initgr_ctx *initgroups_ctx;
+struct dp_reply_std reply;
+
+uint32_t *resolve_gids; /* Groups needing resolution */
+int resolve_gnum;
+int num_iter;
+uint32_t gnum;
+};
+
+static errno_t dp_sr_resolve_groups_check(struct dp_sr_resolve_groups_state *state,
+   struct dp_initgr_ctx *initgr_ctx);
+static errno_t dp_sr_resolve_groups_next(struct tevent_req *req);
+static void dp_sr_resolve_groups_done(struct tevent_req *subreq);
+
+struct tevent_req *
+dp_sr_resolve_groups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct dp_reply_std reply,
+ struct data_provider *provider,
+ struct dp_initgr_ctx *initgr_ctx)
+{
+
+struct dp_sr_resolve_groups_state *state;
+struct tevent_req *req;
+int ret;
+
+req = tevent_req_create(mem_ctx, &state, struct dp_sr_resolve_groups_state);
+if (req == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
+return NULL;
+}
+
+if (initgr_ctx->username == NULL) {
+ret = EOK;
+goto done;
+}
+
+	state->provider = provider;
+	state->initgroups_ctx = initgr_ctx;
+	state->reply = reply;
+	state->gnum = initgr_ctx->gnum;
+
+/* Check if group is intermediate(has gidNumber and isPosix == False) */
+state->resolve_gids = talloc_zero_array(state, uint32_t, initgr_ctx->gnum + 1);
+if (state->resolve_gids == NULL) {
+ret = ENOMEM;
+goto done;
+}
+
+ret = dp_sr_resolve_groups_check(state, initgr_ctx);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Failed checking groups to resolve\n");
+goto done;
+}
+
+	state->num_iter = 0;
+	ret = dp_sr_resolve_groups_next(req);
+	if (ret == EAGAIN) {
+/* async processing */
+return req;
+	}
+
+done:
+if (ret == EOK) {
+tevent_req_done(req);
+} else {
+tevent_req_error(req, ret);
+}
+tevent_req_post(req, ev);
+
+return req;
+}
+
+static errno_t dp_sr_resolve_groups_next(struct tevent_req *req)
+{
+struct dp_sr_resolve_groups_state *state;
+struct tevent_req *subreq;
+struct dp_id_data *ar;
+uint32_t gid;
+
+state = tevent_req_data(req, struct dp_sr_resolve_groups_state);
+
+if (state->num_iter >= state->resolve_gnum) {
+return EOK;
+}
+
+gid = state->resolve_gids[state->num_iter];
+
+ar = talloc(state, struct dp_id_data);
+if (!ar) {
+return ENOMEM;
+}
+
+ar->entry_type = BE_REQ_GROUP;
+ar->filter_type = BE_FILTER_IDNUM;
+ar->filter_value = talloc_asprintf(ar, "%llu", (unsigned long long) gid);
+ar->domain = talloc_strdup(ar, state->initgroups_ctx->domain_info->name);
+if (!ar->domain || !ar->filter_value) {
+return ENOMEM;
+}
+
+subreq = dp_req_send(state, state->provider, ar->domain,
+ "DP Resolve Group", 0, NULL,
+ DPT_ID, DPM_ACCOUNT_HANDLER, 0, ar, NULL);
+	if (!subreq) {
+return ENOMEM;
+	}
+
+tevent_req_set_callback(subreq, dp_sr_resolve_groups_done, req);
+
+state->num_iter++;
+return EAGAIN;
+}
+
+static void dp_sr_resolve_groups_done(struct tevent_req *subreq)
+{
+struct dp_sr_resolve_groups_state *state;
+struct tevent_req *req;
+struct dp_reply_std *reply;
+int ret;
+
+req = tevent_req_callback_data(subreq, struct tevent_req);
+state = tevent_req_data(req, struct dp_sr_resolve_groups_state);
+
+ret = dp_req_recv_ptr(state, subreq, struct dp_reply_std, &reply);
+ta
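Review bot: in `dp_sr_resolve_groups_next`, `ar` is allocated with `talloc()` and only `entry_type`, `filter_type`, `filter_value` and `domain` are assigned, so any other member of `struct dp_id_data` is still uninitialized when the request is handed to `dp_req_send()`; `talloc_zero()` is the safer choice. Separately, the assignments at the top of `dp_sr_resolve_groups_send()` (`state->provider = provider;` through `state->gnum = initgr_ctx->gnum;`), the `num_iter`/`dp_sr_resolve_groups_next()` block after them and the `if (!subreq)` check are indented with tabs while the rest of the file uses four spaces.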

[SSSD][sssd PR#5814][-Changes requested] Tests: sss_override does not take precedence over override_homedir di…

2021-10-18 Thread sgoveas
  URL: https://github.com/SSSD/sssd/pull/5814
Title: #5814: Tests: sss_override does not take precedence over 
override_homedir di…

Label: -Changes requested


[SSSD][sssd PR#5814][+Accepted] Tests: sss_override does not take precedence over override_homedir di…

2021-10-18 Thread sgoveas
  URL: https://github.com/SSSD/sssd/pull/5814
Title: #5814: Tests: sss_override does not take precedence over 
override_homedir di…

Label: +Accepted


[SSSD] [sssd PR#5829][comment] DP: Resolve intermediate groups prior to SR overlay

2021-10-18 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5829
Title: #5829: DP: Resolve intermediate groups prior to SR overlay

justin-stephenson commented:
"""
https://bugzilla.redhat.com/show_bug.cgi?id=1968340
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5829#issuecomment-945898763


[SSSD] [sssd PR#5829][opened] DP: Resolve intermediate groups prior to SR overlay

2021-10-18 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5829
Author: justin-stephenson
 Title: #5829: DP: Resolve intermediate groups prior to SR overlay
Action: opened

PR body:
"""
SSSD SR exclude_groups checking can fail when only intermediate
groups are fetched during the login process. Add a step to
resolve these groups during Initgroups processing to ensure
the exclude groups check matches against the group name correctly.

This logic exists already similarly in the simple access provider.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5829/head:pr5829
git checkout pr5829
From 0f30d435bc7664e4d90b35e77b70d97bb0880530 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Thu, 7 Oct 2021 00:37:25 +
Subject: [PATCH] DP: Resolve intermediate groups prior to SR overlay

SSSD SR exclude_groups checking can fail when only intermediate
groups are fetched during the login process. Add a step to
resolve these groups during Initgroups processing to ensure
the exclude groups check matches against the group name correctly.

This logic exists already similarly in the simple access provider.
---
 src/providers/data_provider/dp_target_id.c | 261 -
 1 file changed, 255 insertions(+), 6 deletions(-)

diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
index a71cdf65c6..8790367198 100644
--- a/src/providers/data_provider/dp_target_id.c
+++ b/src/providers/data_provider/dp_target_id.c
@@ -448,10 +448,233 @@ static void dp_req_initgr_pp_set_initgr_timestamp(struct dp_initgr_ctx *ctx,
 }
 }
 
+
+struct dp_sr_resolve_groups_state {
+struct data_provider *provider;
+struct dp_initgr_ctx *initgroups_ctx;
+struct dp_reply_std reply;
+
+uint32_t *resolve_gids; /* Groups needing resolution */
+int resolve_gnum;
+int num_iter;
+uint32_t gnum;
+};
+
+static errno_t dp_sr_resolve_groups_check(struct dp_sr_resolve_groups_state *state,
+   struct dp_initgr_ctx *initgr_ctx);
+static errno_t dp_sr_resolve_groups_next(struct tevent_req *req);
+static void dp_sr_resolve_groups_done(struct tevent_req *subreq);
+
+struct tevent_req *
+dp_sr_resolve_groups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct dp_reply_std reply,
+ struct data_provider *provider,
+ struct dp_initgr_ctx *initgr_ctx)
+{
+
+struct dp_sr_resolve_groups_state *state;
+struct tevent_req *req;
+int ret;
+
+req = tevent_req_create(mem_ctx, &state, struct dp_sr_resolve_groups_state);
+if (req == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
+return NULL;
+}
+
+if (initgr_ctx->username == NULL) {
+ret = EOK;
+goto done;
+}
+
+	state->provider = provider;
+	state->initgroups_ctx = initgr_ctx;
+	state->reply = reply;
+	state->gnum = initgr_ctx->gnum;
+
+/* Check if group is intermediate(has gidNumber and isPosix == False) */
+state->resolve_gids = talloc_zero_array(state, uint32_t, initgr_ctx->gnum + 1);
+if (state->resolve_gids == NULL) {
+ret = ENOMEM;
+goto done;
+}
+
+ret = dp_sr_resolve_groups_check(state, initgr_ctx);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Failed checking groups to resolve\n");
+goto done;
+}
+
+	state->num_iter = 0;
+	ret = dp_sr_resolve_groups_next(req);
+	if (ret == EAGAIN) {
+/* async processing */
+return req;
+	}
+
+done:
+if (ret == EOK) {
+tevent_req_done(req);
+} else {
+tevent_req_error(req, ret);
+}
+tevent_req_post(req, ev);
+
+return req;
+}
+
+static errno_t dp_sr_resolve_groups_next(struct tevent_req *req)
+{
+struct dp_sr_resolve_groups_state *state;
+struct tevent_req *subreq;
+struct dp_id_data *ar;
+uint32_t gid;
+
+state = tevent_req_data(req, struct dp_sr_resolve_groups_state);
+
+if (state->num_iter >= state->resolve_gnum) {
+return EOK;
+}
+
+gid = state->resolve_gids[state->num_iter];
+
+ar = talloc(state, struct dp_id_data);
+if (!ar) {
+return ENOMEM;
+}
+
+ar->entry_type = BE_REQ_GROUP;
+ar->filter_type = BE_FILTER_IDNUM;
+ar->filter_value = talloc_asprintf(ar, "%llu", (unsigned long long) gid);
+ar->domain = talloc_strdup(ar, state->initgroups_ctx->domain_info->name);
+if (!ar->domain || !ar->filter_value) {
+return ENOMEM;
+}
+
+subreq = dp_req_send(state, state->provider, ar->domain,
+ "DP Resolve Group", 0, NULL,
+ DPT_ID, DPM_ACCOUNT_HANDLER, 0, ar, NULL);
+	if (!subreq) {
+return ENOMEM;
+	}
+
+tevent_req_set_callback(subreq, dp_sr_resolve_groups_done, req);
+
+state->num_iter++;
+return EAGAIN;
+}
+
+static void dp_sr_resolve_groups_done(struct tevent_req *subreq)
+{
+struc
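Review bot: `state->reply = reply;` is assigned only after the `initgr_ctx->username == NULL` early exit in `dp_sr_resolve_groups_send()`, so on that path the request completes with `state->reply` still zeroed by `tevent_req_create()`; if the `_recv` side hands `state->reply` back to the caller, the reply passed in is lost for entries without a username. Moving the four `state->...` assignments above that check avoids it. Also, the comment `/* Check if group is intermediate(has gidNumber and isPosix == False) */` sits above the `talloc_zero_array()` call rather than above the `dp_sr_resolve_groups_check()` call it describes, and wants a space before the parenthesis.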

[SSSD] [sssd PR#5782][-Changes requested] CONFDB: Change ownership of config.ldb

2021-10-18 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5782
Title: #5782: CONFDB: Change ownership of config.ldb

Label: -Changes requested


[SSSD] [sssd PR#5782][+Waiting for review] CONFDB: Change ownership of config.ldb

2021-10-18 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5782
Title: #5782: CONFDB: Change ownership of config.ldb

Label: +Waiting for review


[SSSD] [sssd PR#5784][+Waiting for review] proxy: allow removing group members

2021-10-18 Thread ikerexxe
  URL: https://github.com/SSSD/sssd/pull/5784
Title: #5784: proxy: allow removing group members

Label: +Waiting for review


[SSSD] [sssd PR#5784][-Changes requested] proxy: allow removing group members

2021-10-18 Thread ikerexxe
  URL: https://github.com/SSSD/sssd/pull/5784
Title: #5784: proxy: allow removing group members

Label: -Changes requested


[SSSD] [sssd PR#5784][comment] proxy: allow removing group members

2021-10-18 Thread ikerexxe
  URL: https://github.com/SSSD/sssd/pull/5784
Title: #5784: proxy: allow removing group members

ikerexxe commented:
"""
I've updated the patch taking into account your suggestions.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5784#issuecomment-945777100


[SSSD] [sssd PR#5784][synchronized] proxy: allow removing group members

2021-10-18 Thread ikerexxe
   URL: https://github.com/SSSD/sssd/pull/5784
Author: ikerexxe
 Title: #5784: proxy: allow removing group members
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5784/head:pr5784
git checkout pr5784
From be0584db2c5ff898b9833116cfcda0a57a79415b Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Tue, 14 Sep 2021 12:35:09 +0200
Subject: [PATCH] proxy: allow removing group members

The proxy provider doesn't allow removing group members once they have
been added. This patch allows doing it by looping over the member list from
the cache and comparing it with the actual membership list. If a member
is missing then it's removed from the cache.

Resolves: https://github.com/SSSD/sssd/issues/5783

Signed-off-by: Iker Pedrosa 
---
 src/providers/proxy/proxy_id.c | 154 -
 1 file changed, 152 insertions(+), 2 deletions(-)

diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index 25daea585d..6196c75020 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -908,6 +908,10 @@ handle_getgr_result(enum nss_status status, struct group *grp,
 struct sss_domain_info *dom,
 bool *delete_group)
 {
+if (delete_group) {
+*delete_group = false;
+}
+
 switch (status) {
 case NSS_STATUS_TRYAGAIN:
 DEBUG(SSSDBG_MINOR_FAILURE, "Buffer too small\n");
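Review bot: resetting `*delete_group = false` on entry changes the contract of `handle_getgr_result()` in two ways that the function's doc comment should spell out: `delete_group` becomes optional (NULL is now accepted), and any value a caller stored in the flag before the call is discarded, so it is worth checking that no existing caller relies on a pre-set value surviving the call.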
@@ -915,7 +919,9 @@ handle_getgr_result(enum nss_status status, struct group *grp,
 
 case NSS_STATUS_NOTFOUND:
 DEBUG(SSSDBG_MINOR_FAILURE, "Group not found.\n");
-*delete_group = true;
+if (delete_group) {
+*delete_group = true;
+}
 break;
 
 case NSS_STATUS_SUCCESS:
@@ -927,7 +933,9 @@ handle_getgr_result(enum nss_status status, struct group *grp,
 if (OUT_OF_ID_RANGE(grp->gr_gid, dom->id_min, dom->id_max)) {
 DEBUG(SSSDBG_MINOR_FAILURE,
   "Group filtered out! (id out of range)\n");
-*delete_group = true;
+if (delete_group) {
+*delete_group = true;
+}
 break;
 }
 break;
@@ -1488,6 +1496,136 @@ static int get_initgr(TALLOC_CTX *mem_ctx,
 return ret;
 }
 
+static int remove_group_members(struct proxy_id_ctx *ctx,
+struct sss_domain_info *dom,
+const struct passwd *pwd,
+long int num_gids,
+const gid_t *gids,
+long int num_cached_gids,
+const gid_t *cached_gids)
+{
+TALLOC_CTX *tmp_ctx = NULL;
+int i = 0, j = 0;
+int ret = EOK;
+const char *groupname = NULL;
+const char *username = NULL;
+bool group_found = false;
+struct ldb_result *res = NULL;
+
+tmp_ctx = talloc_new(NULL);
+if (!tmp_ctx) {
+ret = ENOMEM;
+DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+goto done;
+}
+
+username = sss_create_internal_fqname(tmp_ctx, pwd->pw_name, dom->name);
+if (username == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Failed to create fqdn '%s'\n", pwd->pw_name);
+ret = ENOMEM;
+goto done;
+}
+
+for (i = 0; i < num_cached_gids; i++) {
+group_found = false;
+/* group 0 is the primary group so it can be skipped */
+for (j = 1; j < num_gids; j++) {
+if (cached_gids[i] == gids[j]) {
+group_found = true;
+break;
+}
+}
+
+if (!group_found) {
+ret = sysdb_getgrgid(tmp_ctx, dom, cached_gids[i], &res);
+if (ret != EOK || res->count != 1) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_getgrgid failed.\n");
+continue;
+}
+
+groupname = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
+if (groupname == NULL) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Attribute is missing but this should never happen!\n");
+ret = EFAULT;
+continue;
+}
+
+ret = sysdb_remove_group_member(dom, groupname,
+username,
+SYSDB_MEMBER_USER, false);
+
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "Could not remove member [%s] from group [%s]\n",
+  username, groupname);
+continue;
+}
+}
+}
+
+done:
+return ret;
+}
+
+static int get_cached_user_groups(struct sysdb_ctx *sysdb,
+  struct sss_domain_info *dom,
+  const struct passwd *pwd,
+  unsigned int *_num_cached_gids,
+ 
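Review bot: `tmp_ctx` is never freed: the `done:` label returns `ret` without a `talloc_free(tmp_ctx);`, so the context, together with the `username` string and every `res` result allocated under it, leaks on each call; add the free before `return ret;`. The error handling inside the loop is also inconsistent: `ret = EFAULT; continue;` and the `continue` after a failed `sysdb_getgrgid()` both leave `ret` to be overwritten by a later iteration, so the value the function returns depends on which cached gid happened to be processed last; either `goto done` on the first hard failure or keep the loop best-effort and return `EOK` explicitly after it. Two smaller points: the inner loop starts at `j = 1` because, per the comment, `gids[0]` is the primary group, which only works if `cached_gids` excludes the primary gid as well, otherwise the user is removed from their primary group in the cache; and `num_cached_gids` is `long int` here but the `_num_cached_gids` output of `get_cached_user_groups()` is `unsigned int`, so the two types should be aligned.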

[SSSD] [sssd PR#5826][closed] DEBUG: fix missing "va_end"

2021-10-18 Thread pbrezina
   URL: https://github.com/SSSD/sssd/pull/5826
Author: alexey-tikhonov
 Title: #5826: DEBUG: fix missing "va_end"
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5826/head:pr5826
git checkout pr5826


[SSSD] [sssd PR#5826][-Ready to push] DEBUG: fix missing "va_end"

2021-10-18 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5826
Title: #5826: DEBUG: fix missing "va_end"

Label: -Ready to push


[SSSD] [sssd PR#5826][+Pushed] DEBUG: fix missing "va_end"

2021-10-18 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5826
Title: #5826: DEBUG: fix missing "va_end"

Label: +Pushed


[SSSD] [sssd PR#5826][-Accepted] DEBUG: fix missing "va_end"

2021-10-18 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5826
Title: #5826: DEBUG: fix missing "va_end"

Label: -Accepted


[SSSD] [sssd PR#5826][comment] DEBUG: fix missing "va_end"

2021-10-18 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5826
Title: #5826: DEBUG: fix missing "va_end"

pbrezina commented:
"""
Pushed PR: https://github.com/SSSD/sssd/pull/5826

* `master`
* 625274738b5f68418608be99b68d35c43079e2a1 - DEBUG: fix missing "va_end"

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5826#issuecomment-945634551


[SSSD] [sssd PR#5826][+Ready to push] DEBUG: fix missing "va_end"

2021-10-18 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/5826
Title: #5826: DEBUG: fix missing "va_end"

Label: +Ready to push


[SSSD] [sssd PR#5828][opened] sbus: maintain correct refcount before sending a reply

2021-10-18 Thread pbrezina
   URL: https://github.com/SSSD/sssd/pull/5828
Author: pbrezina
 Title: #5828: sbus: maintain correct refcount before sending a reply
Action: opened

PR body:
"""
`sbus_reply` decreases the refcount of `@reply`. This usually means that
refcount drops to zero and the message is freed. However, under
special circumstances the refcount is increased inside libdbus;
the refcount will be 1 when we leave the function and we drop it
to zero in `talloc_free(state)` later in this function. This will
leave an invalid message to be sent inside dbus connection and
eventually crash.

Increasing the refcount here makes sure that the refcount is always
correct.

Resolves: https://github.com/SSSD/sssd/issues/5672
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5828/head:pr5828
git checkout pr5828
From 42afe9b0b6ace3249d8021e077216d46c47dc728 Mon Sep 17 00:00:00 2001
From: Pavel Březina 
Date: Wed, 29 Sep 2021 12:11:08 +0200
Subject: [PATCH] sbus: maintain correct refcount before sending a reply

sbus_reply decreases the refcount of @reply. This usually means that
refcount drops to zero and the message is freed. However, under
special circumstances the refcount is increased inside libdbus;
the refcount will be 1 when we leave the function and we drop it
to zero in talloc_free(state) later in this function. This will
leave an invalid message to be sent inside dbus connection and
eventually crash.

Increasing the refcount here makes sure that the refcount is always
correct.

Resolves: https://github.com/SSSD/sssd/issues/5672
---
 src/sbus/router/sbus_router_handler.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/src/sbus/router/sbus_router_handler.c b/src/sbus/router/sbus_router_handler.c
index d9a374b414..7b6c2441f1 100644
--- a/src/sbus/router/sbus_router_handler.c
+++ b/src/sbus/router/sbus_router_handler.c
@@ -160,6 +160,17 @@ static void sbus_issue_request_done(struct tevent_req *subreq)
 }
 
 if (ret == EOK) {
+/* sbus_reply decreases the refcount of @reply. This usuall means that
+ * refcount drops to zero and the message is freed. However, under
+ * special circumstances the refcount is increased inside libdbus,
+ * the refcount will be 1 when we leave the function and we drop it
+ * to zero in talloc_free(state) later in this function. This will
+ * leave an invalid message to be send inside dbus connection and
+ * eventually crash.
+ *
+ * Increasing the refcount here makes sure that the refcount is always
+ * correct. */
+dbus_message_ref(reply);
 sbus_reply(state->conn, reply);
 } else {
 sbus_errno_to_error(state, ret, &error_name, &error_msg);
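Review bot: the added `dbus_message_ref(reply)` is balanced by the unref that happens when `state` is freed later in the function, but the comment describes the symptom rather than naming that pairing; say explicitly which release this extra reference is taken for, so the next reader does not mistake it for a leak. The comment also carries two typos: `usuall` should read `usually` and `to be send` should read `to be sent`.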


[SSSD] [sssd PR#5782][comment] CONFDB: Change ownership of config.ldb

2021-10-18 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5782
Title: #5782: CONFDB: Change ownership of config.ldb

alexey-tikhonov commented:
"""
> By the way, I haven't found why `debian10` is failing.

It isn't relevant to this PR (it failed on an attempt to set up the machine before the multihost tests, which aren't run on this target anyway).
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5782#issuecomment-945603994