Hello community, here is the log from the commit of package sssd for openSUSE:Factory checked in at 2013-03-21 10:40:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sssd (Old) and /work/SRC/openSUSE:Factory/.sssd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sssd", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/sssd/sssd.changes 2013-03-05 06:50:15.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.sssd.new/sssd.changes 2013-03-21 10:40:30.000000000 +0100 @@ -1,0 +2,15 @@ +Wed Mar 20 10:05:00 UTC 2013 - [email protected] + +- Fixed security issue: CVE-2013-0287 (bnc#809153): + When SSSD is configured as an Active Directory client by using + the new Active Directory provider or equivalent configuration + of the LDAP provider, the Simple Access Provider does not + handle access control correctly. If any groups are specified + with the simple_deny_groups option, the group members are + permitted access. New patches: + * Provide-a-be_get_account_info_send-function.patch + * Add-unit-tests-for-simple-access-test-by-groups.patch + * Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch + * Resolve-GIDs-in-the-simple-access-provider.patch + +------------------------------------------------------------------- New: ---- Add-unit-tests-for-simple-access-test-by-groups.patch Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch Provide-a-be_get_account_info_send-function.patch Resolve-GIDs-in-the-simple-access-provider.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sssd.spec ++++++ --- /var/tmp/diff_new_pack.h3PIBc/_old 2013-03-21 10:40:32.000000000 +0100 +++ /var/tmp/diff_new_pack.h3PIBc/_new 2013-03-21 10:40:32.000000000 +0100 @@ -32,6 +32,12 @@ Patch2: sssd-ldflags.diff Patch3: sssd-no-ldb-check.diff Patch4: sssd-sysdb-binary-attrs.diff +# Fixes for CVE-2013-0287 (will be part of 1.9.5) when released +Patch5: Provide-a-be_get_account_info_send-function.patch +Patch6: Add-unit-tests-for-simple-access-test-by-groups.patch +Patch7: Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch +Patch8: Resolve-GIDs-in-the-simple-access-provider.patch +# End Fixed for CVE-2013-0287 BuildRoot: %{_tmppath}/%{name}-%{version}-build %define servicename sssd @@ -200,7 +206,7 @@ %prep %setup -q -%patch -P 1 -P 2 -P 3 -P 4 -p1 +%patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -p1 %build %if 0%{?suse_version} < 1210 ++++++ Add-unit-tests-for-simple-access-test-by-groups.patch ++++++ >From e5f0ef211e81fcd7a87d5e37b0aadca50201c6d6 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Sun, 3 Mar 2013 21:43:44 +0100 Subject: Add unit tests for simple access test by groups I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too. (cherry picked from commit 754b09b5444e6da88ed58d6deaed8b815e268b6b) --- src/tests/simple_access-tests.c | 285 +++++++++++++++++++++++++++++++++++----- 1 file changed, 253 insertions(+), 32 deletions(-) diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c index c61814e..577c6d3 100644 --- a/src/tests/simple_access-tests.c +++ b/src/tests/simple_access-tests.c @@ -30,39 +30,152 @@ #include "providers/simple/simple_access.h" #include "tests/common.h" +#define TESTS_PATH "tests_simple_access" +#define TEST_CONF_FILE "tests_conf.ldb" + const char *ulist_1[] = {"u1", "u2", NULL}; +const char *glist_1[] = {"g1", "g2", NULL}; + +struct simple_test_ctx *test_ctx = NULL; + +struct simple_test_ctx { + struct sysdb_ctx *sysdb; + struct confdb_ctx *confdb; -struct simple_ctx *ctx = NULL; + struct simple_ctx *ctx; +}; void setup_simple(void) { - fail_unless(ctx == NULL, "Simple context already initialized."); - ctx = talloc_zero(NULL, struct simple_ctx); - fail_unless(ctx != NULL, "Cannot create simple context."); - - ctx->domain = talloc_zero(ctx, struct sss_domain_info); - fail_unless(ctx != NULL, "Cannot create domain in simple context."); - ctx->domain->case_sensitive = true; + errno_t ret; + char *conf_db; + const char *val[2]; + val[1] = NULL; + + /* Create tests directory if it doesn't exist */ + /* (relative to current dir) */ + ret = mkdir(TESTS_PATH, 0775); + fail_if(ret == -1 && errno != EEXIST, + "Could not create %s directory", TESTS_PATH); + + fail_unless(test_ctx == NULL, "Simple context already initialized."); + test_ctx = talloc_zero(NULL, struct simple_test_ctx); + fail_unless(test_ctx != NULL, "Cannot create simple test context."); + + test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx); + fail_unless(test_ctx->ctx != NULL, "Cannot create simple context."); + + conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE); + fail_if(conf_db == NULL, "Out of memory, aborting!"); + DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db)); + + /* Connect to the conf db */ + ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db); + fail_if(ret != EOK, "Could not initialize connection to the confdb"); + + val[0] = "LOCAL"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/sssd", "domains", val); + fail_if(ret != EOK, "Could not initialize domains placeholder"); + + val[0] = "local"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "id_provider", val); + fail_if(ret != EOK, "Could not initialize provider"); + + val[0] = "TRUE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "enumerate", val); + fail_if(ret != EOK, "Could not initialize LOCAL domain"); + + val[0] = "TRUE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "cache_credentials", val); + fail_if(ret != EOK, "Could not initialize LOCAL domain"); + + ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local", + TESTS_PATH, + &test_ctx->ctx->domain, &test_ctx->ctx->sysdb); + fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret); + test_ctx->ctx->domain->case_sensitive = true; } void teardown_simple(void) { int ret; - fail_unless(ctx != NULL, "Simple context already freed."); - ret = talloc_free(ctx); - ctx = NULL; + fail_unless(test_ctx != NULL, "Simple context already freed."); + ret = talloc_free(test_ctx); + test_ctx = NULL; fail_unless(ret == 0, "Connot free simple context."); } +void setup_simple_group(void) +{ + errno_t ret; + + setup_simple(); + + /* Add test users u1 and u2 that would be members of test groups + * g1 and g2 respectively */ + ret = sysdb_store_user(test_ctx->ctx->sysdb, + "u1", NULL, 123, 0, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + fail_if(ret != EOK, "Could not add u1"); + + ret = sysdb_store_user(test_ctx->ctx->sysdb, + "u2", NULL, 456, 0, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + fail_if(ret != EOK, "Could not add u2"); + + ret = sysdb_store_user(test_ctx->ctx->sysdb, + "u3", NULL, 789, 0, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + fail_if(ret != EOK, "Could not add u3"); + + ret = sysdb_add_group(test_ctx->ctx->sysdb, + "g1", 321, NULL, 0, 0); + fail_if(ret != EOK, "Could not add g1"); + + ret = sysdb_add_group(test_ctx->ctx->sysdb, + "g2", 654, NULL, 0, 0); + fail_if(ret != EOK, "Could not add g2"); + + ret = sysdb_add_group_member(test_ctx->ctx->sysdb, + "g1", "u1", SYSDB_MEMBER_USER); + fail_if(ret != EOK, "Could not add u1 to g1"); + + ret = sysdb_add_group_member(test_ctx->ctx->sysdb, + "g2", "u2", SYSDB_MEMBER_USER); + fail_if(ret != EOK, "Could not add u2 to g2"); +} + +void teardown_simple_group(void) +{ + errno_t ret; + + ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0); + fail_if(ret != EOK, "Could not delete u1"); + ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0); + fail_if(ret != EOK, "Could not delete u2"); + ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0); + fail_if(ret != EOK, "Could not delete u3"); + ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0); + fail_if(ret != EOK, "Could not delete g1"); + ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0); + fail_if(ret != EOK, "Could not delete g2"); + + teardown_simple(); +} + START_TEST(test_both_empty) { int ret; bool access_granted = false; - ctx->allow_users = NULL; - ctx->deny_users = NULL; + test_ctx->ctx->allow_users = NULL; + test_ctx->ctx->deny_users = NULL; - ret = simple_access_check(ctx, "u1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == true, "Access denied " "while both lists are empty."); @@ -74,15 +187,15 @@ START_TEST(test_allow_empty) int ret; bool access_granted = true; - ctx->allow_users = NULL; - ctx->deny_users = discard_const(ulist_1); + test_ctx->ctx->allow_users = NULL; + test_ctx->ctx->deny_users = discard_const(ulist_1); - ret = simple_access_check(ctx, "u1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == false, "Access granted " "while user is in deny list."); - ret = simple_access_check(ctx, "u3", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == true, "Access denied " "while user is not in deny list."); @@ -94,15 +207,15 @@ START_TEST(test_deny_empty) int ret; bool access_granted = false; - ctx->allow_users = discard_const(ulist_1); - ctx->deny_users = NULL; + test_ctx->ctx->allow_users = discard_const(ulist_1); + test_ctx->ctx->deny_users = NULL; - ret = simple_access_check(ctx, "u1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == true, "Access denied " "while user is in allow list."); - ret = simple_access_check(ctx, "u3", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == false, "Access granted " "while user is not in allow list."); @@ -114,15 +227,15 @@ START_TEST(test_both_set) int ret; bool access_granted = false; - ctx->allow_users = discard_const(ulist_1); - ctx->deny_users = discard_const(ulist_1); + test_ctx->ctx->allow_users = discard_const(ulist_1); + test_ctx->ctx->deny_users = discard_const(ulist_1); - ret = simple_access_check(ctx, "u1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == false, "Access granted " "while user is in deny list."); - ret = simple_access_check(ctx, "u3", &access_granted); + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == false, "Access granted " "while user is not in allow list."); @@ -134,18 +247,18 @@ START_TEST(test_case) int ret; bool access_granted = false; - ctx->allow_users = discard_const(ulist_1); - ctx->deny_users = NULL; + test_ctx->ctx->allow_users = discard_const(ulist_1); + test_ctx->ctx->deny_users = NULL; - ret = simple_access_check(ctx, "U1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == false, "Access granted " "for user with different case " "in case-sensitive domain"); - ctx->domain->case_sensitive = false; + test_ctx->ctx->domain->case_sensitive = false; - ret = simple_access_check(ctx, "U1", &access_granted); + ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); fail_unless(ret == EOK, "access_simple_check failed."); fail_unless(access_granted == true, "Access denied " "for user with different case " @@ -153,11 +266,95 @@ START_TEST(test_case) } END_TEST +START_TEST(test_group_allow_empty) +{ + int ret; + bool access_granted = true; + + test_ctx->ctx->allow_groups = NULL; + test_ctx->ctx->deny_groups = discard_const(glist_1); + + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while group is in deny list."); + + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "while group is not in deny list."); +} +END_TEST + +START_TEST(test_group_deny_empty) +{ + int ret; + bool access_granted = false; + + test_ctx->ctx->allow_groups = discard_const(glist_1); + test_ctx->ctx->deny_groups = NULL; + + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "while group is in allow list."); + + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while group is not in allow list."); +} +END_TEST + +START_TEST(test_group_both_set) +{ + int ret; + bool access_granted = false; + + test_ctx->ctx->allow_groups = discard_const(ulist_1); + test_ctx->ctx->deny_groups = discard_const(ulist_1); + + ret = simple_access_check(test_ctx->ctx, "u1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while group is in deny list."); + + ret = simple_access_check(test_ctx->ctx, "u3", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "while group is not in allow list."); +} +END_TEST + +START_TEST(test_group_case) +{ + int ret; + bool access_granted = false; + + test_ctx->ctx->allow_groups = discard_const(ulist_1); + test_ctx->ctx->deny_groups = NULL; + + ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == false, "Access granted " + "for group with different case " + "in case-sensitive domain"); + + test_ctx->ctx->domain->case_sensitive = false; + + ret = simple_access_check(test_ctx->ctx, "U1", &access_granted); + fail_unless(ret == EOK, "access_simple_check failed."); + fail_unless(access_granted == true, "Access denied " + "for group with different case " + "in case-insensitive domain"); +} +END_TEST + Suite *access_simple_suite (void) { Suite *s = suite_create("access_simple"); - TCase *tc_allow_deny = tcase_create("allow/deny"); + TCase *tc_allow_deny = tcase_create("user allow/deny"); tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple); tcase_add_test(tc_allow_deny, test_both_empty); tcase_add_test(tc_allow_deny, test_allow_empty); @@ -166,6 +363,15 @@ Suite *access_simple_suite (void) tcase_add_test(tc_allow_deny, test_case); suite_add_tcase(s, tc_allow_deny); + TCase *tc_grp_allow_deny = tcase_create("group allow/deny"); + tcase_add_checked_fixture(tc_grp_allow_deny, + setup_simple_group, teardown_simple_group); + tcase_add_test(tc_grp_allow_deny, test_group_allow_empty); + tcase_add_test(tc_grp_allow_deny, test_group_deny_empty); + tcase_add_test(tc_grp_allow_deny, test_group_both_set); + tcase_add_test(tc_grp_allow_deny, test_group_case); + suite_add_tcase(s, tc_grp_allow_deny); + return s; } @@ -174,6 +380,7 @@ int main(int argc, const char *argv[]) int opt; poptContext pc; int number_failed; + int ret; struct poptOption long_options[] = { POPT_AUTOHELP @@ -205,6 +412,20 @@ int main(int argc, const char *argv[]) srunner_run_all(sr, CK_ENV); number_failed = srunner_ntests_failed(sr); srunner_free(sr); + + ret = unlink(TESTS_PATH"/"TEST_CONF_FILE); + if (ret != EOK) { + fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n", + errno, strerror(errno)); + return EXIT_FAILURE; + } + ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE); + if (ret != EOK) { + fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n", + errno, strerror(errno)); + return EXIT_FAILURE; + } + return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE); } -- 1.8.1.4 ++++++ Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch ++++++ >From 8dfcfe629db83eb58dd6613aa174222cb853afb1 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Mon, 4 Mar 2013 16:37:04 +0100 Subject: Do not compile main() in DP if UNIT_TESTING is defined The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function (cherry picked from commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb) --- src/providers/data_provider_be.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index f85a04d..33590ae 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c @@ -2651,6 +2651,7 @@ fail: return ret; } +#ifndef UNIT_TESTING int main(int argc, const char *argv[]) { int opt; @@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[]) return 0; } +#endif static int data_provider_res_init(DBusMessage *message, struct sbus_connection *conn) -- 1.8.1.4 ++++++ Provide-a-be_get_account_info_send-function.patch ++++++ >From 455737c0b4b0c1bfeed54f2e27e397ce403acbca Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Fri, 22 Feb 2013 11:01:38 +0100 Subject: Provide a be_get_account_info_send function In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function. (cherry picked from commit b63830b142053f99bfe954d4be5a2b0f68ce3a93) --- src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++----- src/providers/dp_backend.h | 15 ++++ 2 files changed, 149 insertions(+), 19 deletions(-) diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index b261bf8..f85a04d 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c @@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req) } static errno_t +be_file_account_request(struct be_req *be_req, struct be_acct_req *ar) +{ + errno_t ret; + struct be_ctx *be_ctx = be_req->be_ctx; + + be_req->req_data = ar; + + /* see if we need a pre request call, only done for initgroups for now */ + if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) { + ret = be_initgroups_prereq(be_req); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed")); + return ret; + } + } + + /* process request */ + ret = be_file_request(be_ctx, be_req, + be_ctx->bet_info[BET_ID].bet_ops->handler); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request")); + return ret; + } + + return EOK; +} + +static errno_t split_name_extended(TALLOC_CTX *mem_ctx, const char *filter, char **name, @@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx, return EOK; } +static void +be_get_account_info_done(struct be_req *be_req, + int dp_err, int dp_ret, + const char *errstr); + +struct be_get_account_info_state { + int err_maj; + int err_min; + const char *err_msg; +}; + +struct tevent_req * +be_get_account_info_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_client *becli, + struct be_ctx *be_ctx, + struct be_acct_req *ar) +{ + struct tevent_req *req; + struct be_get_account_info_state *state; + struct be_req *be_req; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct be_get_account_info_state); + if (!req) return NULL; + + be_req = talloc_zero(mem_ctx, struct be_req); + if (be_req == NULL) { + ret = ENOMEM; + goto done; + } + + be_req->becli = becli; + be_req->be_ctx = be_ctx; + be_req->fn = be_get_account_info_done; + be_req->pvt = req; + + ret = be_file_account_request(be_req, ar); + if (ret != EOK) { + goto done; + } + + return req; + +done: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void +be_get_account_info_done(struct be_req *be_req, + int dp_err, int dp_ret, + const char *errstr) +{ + struct tevent_req *req; + struct be_get_account_info_state *state; + + req = talloc_get_type(be_req->pvt, struct tevent_req); + state = tevent_req_data(req, struct be_get_account_info_state); + + state->err_maj = dp_err; + state->err_min = dp_ret; + if (errstr) { + state->err_msg = talloc_strdup(state, errstr); + if (state->err_msg == NULL) { + talloc_free(be_req); + tevent_req_error(req, ENOMEM); + return; + } + } + + talloc_free(be_req); + tevent_req_done(req); +} + +errno_t be_get_account_info_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + int *_err_maj, + int *_err_min, + const char **_err_msg) +{ + struct be_get_account_info_state *state; + + state = tevent_req_data(req, struct be_get_account_info_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (_err_maj) { + *_err_maj = state->err_maj; + } + + if (_err_min) { + *_err_min = state->err_min; + } + + if (_err_msg) { + *_err_msg = talloc_steal(mem_ctx, state->err_msg); + } + + return EOK; +} + static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn) { struct be_acct_req *req; @@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con goto done; } - be_req->req_data = req; - if ((attr_type != BE_ATTR_CORE) && (attr_type != BE_ATTR_MEM) && (attr_type != BE_ATTR_ALL)) { @@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con goto done; } - /* see if we need a pre request call, only done for initgroups for now */ - if ((type & 0xFF) == BE_REQ_INITGROUPS) { - ret = be_initgroups_prereq(be_req); - if (ret) { - err_maj = DP_ERR_FATAL; - err_min = ret; - err_msg = "Prerequest failed"; - goto done; - } - } - - /* process request */ - - ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data, - be_req, - becli->bectx->bet_info[BET_ID].bet_ops->handler); + ret = be_file_account_request(be_req, req); if (ret != EOK) { err_maj = DP_ERR_FATAL; err_min = ret; - err_msg = "Failed to file request"; + err_msg = "Cannot file account request"; goto done; } diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h index 58a9b74..743b6f4 100644 --- a/src/providers/dp_backend.h +++ b/src/providers/dp_backend.h @@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx, const char *service_name); void reset_fo(struct be_ctx *be_ctx); + +/* Request account information */ +struct tevent_req * +be_get_account_info_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_client *becli, + struct be_ctx *be_ctx, + struct be_acct_req *ar); + +errno_t be_get_account_info_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + int *_err_maj, + int *_err_min, + const char **_err_msg); + #endif /* __DP_BACKEND_H___ */ -- 1.8.1.4 ++++++ Resolve-GIDs-in-the-simple-access-provider.patch ++++++ ++++ 1624 lines (skipped) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
