[SSSD] [sssd PR#670][opened] FILES: The files provider should not enumerate

Tue, 09 Oct 2018 03:19:08 -0700 

   URL: https://github.com/SSSD/sssd/pull/670
Author: jhrozek
 Title: #670: FILES: The files provider should not enumerate
Action: opened

PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3849

For reason I cannot explain now, the files provider always enumerates.
There is commit a60e6ec which implements this, but it's clearly wrong,
because then the plain getent passwd output contains duplicates from
nss_files and nss_sss:

$ getent passwd | sort adm:x:3:4:adm:/var/adm:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin bin:x:1:1:bin:/bin:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
certuser:x:10329:10330::/home/certuser:/bin/bash
certuser:x:10329:10330::/home/certuser:/bin/bash
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/670/head:pr670
git checkout pr670

From 657ef29211d24f08ec6eb7c1da340e09938e7611 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Tue, 9 Oct 2018 12:03:09 +0200
Subject: [PATCH 1/2] TESTS: Add two basic multihost tests for the files
 provider

---
 src/tests/multihost/basic/conftest.py   | 33 +++++++++++++++++++++++++
 src/tests/multihost/basic/test_files.py | 33 +++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 src/tests/multihost/basic/test_files.py

diff --git a/src/tests/multihost/basic/conftest.py b/src/tests/multihost/basic/conftest.py
index 076dd3944..0d3b831be 100644
--- a/src/tests/multihost/basic/conftest.py
+++ b/src/tests/multihost/basic/conftest.py
@@ -209,6 +209,39 @@ def set_case_sensitive_false(session_multihost):
     session_multihost.master[0].service_sssd('restart')
 
 
+@pytest.fixture
+def enable_files_domain(session_multihost):
+    """
+    Enable the implicit files domain
+    """
+    session_multihost.master[0].transport.get_file('/etc/sssd/sssd.conf',
+                                                   '/tmp/sssd.conf')
+    sssdconfig = ConfigParser.SafeConfigParser()
+    sssdconfig.read('/tmp/sssd.conf')
+    sssd_section = 'sssd'
+    if sssd_section in sssdconfig.sections():
+        sssdconfig.set(sssd_section, 'enable_files_domain', 'true')
+        with open('/tmp/sssd.conf', "w") as sssconf:
+            sssdconfig.write(sssconf)
+    session_multihost.master[0].transport.put_file('/tmp/sssd.conf',
+                                                   '/etc/sssd/sssd.conf')
+    session_multihost.master[0].service_sssd('restart')
+
+
+@pytest.fixture(scope="class")
+def files_domain_users_class(request, session_multihost):
+    users = ('lcl1', 'lcl2', 'lcl3')
+    for user in users:
+        useradd_cmd = "useradd %s" % (user)
+        session_multihost.master[0].run_command(useradd_cmd)
+
+    def teardown_files_domain_users():
+        for user in users:
+            userdel_cmd = "userdel %s" % (user)
+            session_multihost.master[0].run_command(userdel_cmd)
+    request.addfinalizer(teardown_files_domain_users)
+
+
 @pytest.fixture
 def create_sudorule(session_multihost, create_casesensitive_posix_user):
     """ Create posix user and groups """
diff --git a/src/tests/multihost/basic/test_files.py b/src/tests/multihost/basic/test_files.py
new file mode 100644
index 000000000..dcfd58929
--- /dev/null
+++ b/src/tests/multihost/basic/test_files.py
@@ -0,0 +1,33 @@
+"""
+Files test provider cases
+"""
+import pytest
+from sssd.testlib.common.utils import SSHClient
+
+
+def get_sss_entry(multihost, db, ent_name):
+    cmd = multihost.master[0].run_command('getent %s -s sss %s' % (db, ent_name),
+                                          raiseonerr=False)
+    return cmd.returncode, cmd.stdout_text
+
+
+def get_sss_user(multihost, username):
+    return get_sss_entry(multihost, 'passwd', username)
+
+
+@pytest.mark.usefixtures('enable_files_domain', 'files_domain_users_class')
+class TestImplicitFilesProvider(object):
+    """
+    Test the files provider. This test runs the implicit files provider
+    together with another domain to stick close to what users use in Fedora
+    """
+    def test_files_does_not_handle_root(self, multihost):
+        """ The files provider does not handle root """
+        exit_status, _ = get_sss_user(multihost, 'root')
+        assert exit_status == 2
+
+
+    def test_files_sanity(self, multihost):
+        """ Test that the files provider can resolve a user """
+        exit_status, _ = get_sss_user(multihost, 'lcl1')
+        assert exit_status == 0

From f3f26977108d7369765bab26f6737a8405048d5d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Tue, 9 Oct 2018 12:12:44 +0200
Subject: [PATCH 2/2] FILES: The files provider should not enumerate

Resolves:
https://pagure.io/SSSD/sssd/issue/3849

For reason I cannot explain now, the files provider always enumerates.
There is commit a60e6ec which implements this, but it's clearly wrong,
because then the plain getent passwd output contains duplicates from
nss_files and nss_sss:

$ getent passwd | sort
adm:x:3:4:adm:/var/adm:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
certuser:x:10329:10330::/home/certuser:/bin/bash
certuser:x:10329:10330::/home/certuser:/bin/bash
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
---
 src/confdb/confdb.c                     | 5 +----
 src/tests/multihost/basic/test_files.py | 8 ++++++++
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 2f3d90087..fdc61226f 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -875,7 +875,6 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
     char *default_domain;
     bool fqnames_default = false;
     int memcache_timeout;
-    bool enum_default;
 
     tmp_ctx = talloc_new(mem_ctx);
     if (!tmp_ctx) return ENOMEM;
@@ -1009,10 +1008,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
                   "Interpreting as true\n", domain->name);
         domain->enumerate = true;
     } else { /* assume the new format */
-        enum_default = is_files_provider(domain);
-
         ret = get_entry_as_bool(res->msgs[0], &domain->enumerate,
-                                CONFDB_DOMAIN_ENUMERATE, enum_default);
+                                CONFDB_DOMAIN_ENUMERATE, 0);
         if(ret != EOK) {
             DEBUG(SSSDBG_FATAL_FAILURE,
                   "Invalid value for %s\n", CONFDB_DOMAIN_ENUMERATE);
diff --git a/src/tests/multihost/basic/test_files.py b/src/tests/multihost/basic/test_files.py
index dcfd58929..5c8d03d02 100644
--- a/src/tests/multihost/basic/test_files.py
+++ b/src/tests/multihost/basic/test_files.py
@@ -31,3 +31,11 @@ def test_files_sanity(self, multihost):
         """ Test that the files provider can resolve a user """
         exit_status, _ = get_sss_user(multihost, 'lcl1')
         assert exit_status == 0
+
+    def test_files_enumeration(self, multihost):
+        """
+        Since nss_files enumerates and libc would concatenate the results,
+        the files provider of SSSD should not enumerate
+        """
+        cmd = multihost.master[0].run_command('getent passwd -s sss')
+        assert len(cmd.stdout_text) == 0

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org

Reply via email to