[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-23 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/39
Author: celestian
 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/39/head:pr39
git checkout pr39
From 40ecde220e26109b81c9be5676b4c8ef4084de03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH] SYSDB: Adding lowercase sudoUser form

If the domain is not case sensitive, we add the lowercase form of usernames
to the sudoUser attributes, so that a sudoRule for user Administrator@...
can actually be applied to the login administrator@...

This patch is squashed with

Resolves:
https://fedorahosted.org/sssd/ticket/3203
(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)

Squashed with:
SYSDB: Fixing of sudorule without a sudoUser

This patch solved a regression caused by the recent patches
to lowercase sudoUser -- in case sudoUser is missing completely,
we abort the processing of this rule and all others.

With this patch, we return ERR_MALFORMED_ENTRY and gracefully
skip the malformed rule instead.

Resolves:
https://fedorahosted.org/sssd/ticket/3241

Reviewed-by: Jakub Hrozek 
(cherry picked from commit 7e23edbaa7a6bbd0b461d5792535896b6a77928b)
---
 src/db/sysdb_sudo.c| 110 -
 src/db/sysdb_sudo.h|   7 +-
 src/responder/sudo/sudosrv_get_sudorules.c |  15 ++--
 3 files changed, 122 insertions(+), 10 deletions(-)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..de1e8da 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -216,9 +216,9 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
 }
 
 errno_t
-sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
-  uid_t uid, char **groupnames, unsigned int flags,
-  char **_filter)
+sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, char **aliases,
+  uid_t uid, char **groupnames, bool case_sensitive_domain,
+  unsigned int flags, char **_filter)
 {
 TALLOC_CTX *tmp_ctx = NULL;
 char *filter = NULL;
@@ -258,6 +258,15 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
  SYSDB_SUDO_CACHE_AT_USER,
  sanitized);
 NULL_CHECK(specific_filter, ret, done);
+
+if (case_sensitive_domain == false) {
+for (i = 0; aliases[i] != NULL; i++) {
+specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)",
+ SYSDB_SUDO_CACHE_AT_USER,
+ aliases[i]);
+NULL_CHECK(specific_filter, ret, done);
+}
+}
 }
 
 if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) {
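Review bot: The alias loop formats `aliases[i]` straight into the LDB filter, whereas the `username` clause just above it uses the `sanitized` copy, so an alias value containing filter metacharacters such as `(`, `)`, `*` or `\` would change the meaning of the sudo-rule lookup. Each alias should go through `sss_filter_sanitize()` before the `talloc_asprintf_append()` call. The loop also dereferences `aliases` with no NULL check, and the `sysdb_get_sudo_user_info` hunk of this patch leaves `sysdb_aliases = NULL` when the user has no nameAlias, so the guard should presumably read `if (case_sensitive_domain == false && aliases != NULL)`. The same hunk is repeated in the two later postings of this patch on this page, and the body of `sysdb_get_sudo_filter` starts and ends outside the hunk.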
@@ -320,6 +329,7 @@ errno_t
 sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
  struct sss_domain_info *domain,
  const char *username, uid_t *_uid,
+ char ***_aliases,
  char ***groupnames)
 {
 TALLOC_CTX *tmp_ctx;
@@ -327,15 +337,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
 struct ldb_message *msg;
 struct ldb_message *group_msg = NULL;
 char **sysdb_groupnames = NULL;
+char **sysdb_aliases = NULL;
 const char *primary_group = NULL;
 struct ldb_message_element *groups;
+struct ldb_message_element *aliases;
 uid_t uid = 0;
 gid_t gid = 0;
 size_t num_groups = 0;
+size_t num_aliases = 0;
 int i;
 const char *attrs[] = { SYSDB_MEMBEROF,
 SYSDB_GIDNUM,
 SYSDB_UIDNUM,
+SYSDB_NAME_ALIAS,
 NULL };
 const char *group_attrs[] = { SYSDB_NAME,
   NULL };
@@ -358,6 +372,24 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
 }
 }
 
+aliases = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS);
+if (!aliases || aliases->num_values == 0) {
+/* No nameAlias for this user in sysdb currently */
+sysdb_aliases = NULL;
+num_aliases = 0;
+} else {
+num_aliases = aliases->num_values;
+sysdb_aliases = talloc_array(tmp_ctx, char *, num_aliases + 1);
+NULL_CHECK(sysdb_aliases, ret, done);
+
+for (i = 0; i < aliases->num_values; i++) {
+sysdb_aliases[i] = talloc_strdup(sysdb_aliases,
+ (const char *)aliases->values[i].data);
+NULL_CHECK(sysdb_aliases[i], ret, done);
+}
+sysdb_aliases[aliases->num_values] = NULL;
+}
+
 /* resolve secondary groups */
 if (groupnames != NULL) {
  

[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-23 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/39
Author: celestian
 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/39/head:pr39
git checkout pr39
From dbba27272c8ab358dbf6dea8adfedfe9d511c36d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form

If the domain is not case sensitive, we add the lowercase form of usernames
to the sudoUser attributes, so that a sudoRule for user Administrator@...
can actually be applied to the login administrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203
(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
---
 src/db/sysdb_sudo.c| 105 -
 src/db/sysdb_sudo.h|   7 +-
 src/responder/sudo/sudosrv_get_sudorules.c |  15 +++--
 3 files changed, 117 insertions(+), 10 deletions(-)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..39a6558 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -216,9 +216,9 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
 }
 
 errno_t
-sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
-  uid_t uid, char **groupnames, unsigned int flags,
-  char **_filter)
+sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, char **aliases,
+  uid_t uid, char **groupnames, bool case_sensitive_domain,
+  unsigned int flags, char **_filter)
 {
 TALLOC_CTX *tmp_ctx = NULL;
 char *filter = NULL;
@@ -258,6 +258,15 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
  SYSDB_SUDO_CACHE_AT_USER,
  sanitized);
 NULL_CHECK(specific_filter, ret, done);
+
+if (case_sensitive_domain == false) {
+for (i = 0; aliases[i] != NULL; i++) {
+specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)",
+ SYSDB_SUDO_CACHE_AT_USER,
+ aliases[i]);
+NULL_CHECK(specific_filter, ret, done);
+}
+}
 }
 
 if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) {
@@ -320,6 +329,7 @@ errno_t
 sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
  struct sss_domain_info *domain,
  const char *username, uid_t *_uid,
+ char ***_aliases,
  char ***groupnames)
 {
 TALLOC_CTX *tmp_ctx;
@@ -327,15 +337,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
 struct ldb_message *msg;
 struct ldb_message *group_msg = NULL;
 char **sysdb_groupnames = NULL;
+char **sysdb_aliases = NULL;
 const char *primary_group = NULL;
 struct ldb_message_element *groups;
+struct ldb_message_element *aliases;
 uid_t uid = 0;
 gid_t gid = 0;
 size_t num_groups = 0;
+size_t num_aliases = 0;
 int i;
 const char *attrs[] = { SYSDB_MEMBEROF,
 SYSDB_GIDNUM,
 SYSDB_UIDNUM,
+SYSDB_NAME_ALIAS,
 NULL };
 const char *group_attrs[] = { SYSDB_NAME,
   NULL };
@@ -358,6 +372,24 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
 }
 }
 
+aliases = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS);
+if (!aliases || aliases->num_values == 0) {
+/* No nameAlias for this user in sysdb currently */
+sysdb_aliases = NULL;
+num_aliases = 0;
+} else {
+num_aliases = aliases->num_values;
+sysdb_aliases = talloc_array(tmp_ctx, char *, num_aliases + 1);
+NULL_CHECK(sysdb_aliases, ret, done);
+
+for (i = 0; i < aliases->num_values; i++) {
+sysdb_aliases[i] = talloc_strdup(sysdb_aliases,
+ (const char *)aliases->values[i].data);
+NULL_CHECK(sysdb_aliases[i], ret, done);
+}
+sysdb_aliases[aliases->num_values] = NULL;
+}
+
 /* resolve secondary groups */
 if (groupnames != NULL) {
 groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
@@ -421,6 +453,10 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
 *_uid = uid;
 }
 
+if (sysdb_aliases != NULL) {
+*_aliases = talloc_steal(mem_ctx, sysdb_aliases);
+}
+
 if (groupnames != NULL) {
 *groupnames = talloc_steal(mem_ctx, sysdb_groupnames);
 }
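Review bot: `*_aliases` is written only when `sysdb_aliases != NULL`, so for a user without a nameAlias the caller's pointer keeps whatever value it had before the call, and `_aliases` itself is dereferenced without the NULL guard that `groupnames` gets in the lines right below. Guarding on the out-parameter instead, `if (_aliases != NULL) { *_aliases = talloc_steal(mem_ctx, sysdb_aliases); }`, hands the caller a defined NULL in the no-alias case, since `talloc_steal()` of a NULL pointer returns NULL. The caller is outside this hunk, so whether it pre-initialises the pointer cannot be confirmed from here. The same hunk appears again in the 2016-11-21 posting further down the page.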
@@ -801,6 +837,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info 

[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-21 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/39
Author: celestian
 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/39/head:pr39
git checkout pr39
From dbba27272c8ab358dbf6dea8adfedfe9d511c36d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH] SYSDB: Adding lowercase sudoUser form

If the domain is not case sensitive, we add the lowercase form of usernames
to the sudoUser attributes, so that a sudoRule for user Administrator@...
can actually be applied to the login administrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203
(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
---
 src/db/sysdb_sudo.c| 105 -
 src/db/sysdb_sudo.h|   7 +-
 src/responder/sudo/sudosrv_get_sudorules.c |  15 +++--
 3 files changed, 117 insertions(+), 10 deletions(-)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..39a6558 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -216,9 +216,9 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
 }
 
 errno_t
-sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
-  uid_t uid, char **groupnames, unsigned int flags,
-  char **_filter)
+sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, char **aliases,
+  uid_t uid, char **groupnames, bool case_sensitive_domain,
+  unsigned int flags, char **_filter)
 {
 TALLOC_CTX *tmp_ctx = NULL;
 char *filter = NULL;
@@ -258,6 +258,15 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
  SYSDB_SUDO_CACHE_AT_USER,
  sanitized);
 NULL_CHECK(specific_filter, ret, done);
+
+if (case_sensitive_domain == false) {
+for (i = 0; aliases[i] != NULL; i++) {
+specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)",
+ SYSDB_SUDO_CACHE_AT_USER,
+ aliases[i]);
+NULL_CHECK(specific_filter, ret, done);
+}
+}
 }
 
 if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) {
@@ -320,6 +329,7 @@ errno_t
 sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
  struct sss_domain_info *domain,
  const char *username, uid_t *_uid,
+ char ***_aliases,
  char ***groupnames)
 {
 TALLOC_CTX *tmp_ctx;
@@ -327,15 +337,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
 struct ldb_message *msg;
 struct ldb_message *group_msg = NULL;
 char **sysdb_groupnames = NULL;
+char **sysdb_aliases = NULL;
 const char *primary_group = NULL;
 struct ldb_message_element *groups;
+struct ldb_message_element *aliases;
 uid_t uid = 0;
 gid_t gid = 0;
 size_t num_groups = 0;
+size_t num_aliases = 0;
 int i;
 const char *attrs[] = { SYSDB_MEMBEROF,
 SYSDB_GIDNUM,
 SYSDB_UIDNUM,
+SYSDB_NAME_ALIAS,
 NULL };
 const char *group_attrs[] = { SYSDB_NAME,
   NULL };
@@ -358,6 +372,24 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
 }
 }
 
+aliases = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS);
+if (!aliases || aliases->num_values == 0) {
+/* No nameAlias for this user in sysdb currently */
+sysdb_aliases = NULL;
+num_aliases = 0;
+} else {
+num_aliases = aliases->num_values;
+sysdb_aliases = talloc_array(tmp_ctx, char *, num_aliases + 1);
+NULL_CHECK(sysdb_aliases, ret, done);
+
+for (i = 0; i < aliases->num_values; i++) {
+sysdb_aliases[i] = talloc_strdup(sysdb_aliases,
+ (const char *)aliases->values[i].data);
+NULL_CHECK(sysdb_aliases[i], ret, done);
+}
+sysdb_aliases[aliases->num_values] = NULL;
+}
+
 /* resolve secondary groups */
 if (groupnames != NULL) {
 groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
@@ -421,6 +453,10 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
 *_uid = uid;
 }
 
+if (sysdb_aliases != NULL) {
+*_aliases = talloc_steal(mem_ctx, sysdb_aliases);
+}
+
 if (groupnames != NULL) {
 *groupnames = talloc_steal(mem_ctx, sysdb_groupnames);
 }
@@ -801,6 +837,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+ 

[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-14 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/39
Author: celestian
 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/39/head:pr39
git checkout pr39
From b268ea119a295ad20c7270ae7d0a5fc6bbcc04ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH] SYSDB: Adding lowercase sudoUser form

If the domain is not case sensitive, we add the lowercase form of usernames
to the sudoUser attributes, so that a sudoRule for user Administrator@...
can actually be applied to the login administrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203
(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
---
 src/db/sysdb_sudo.c| 89 +-
 src/db/sysdb_sudo.h|  4 +-
 src/responder/sudo/sudosrv_get_sudorules.c |  2 +-
 3 files changed, 90 insertions(+), 5 deletions(-)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..6368c64 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -217,13 +217,14 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
 
 errno_t
 sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
-  uid_t uid, char **groupnames, unsigned int flags,
-  char **_filter)
+  uid_t uid, char **groupnames, bool case_sensitive_domain,
+  unsigned int flags, char **_filter)
 {
 TALLOC_CTX *tmp_ctx = NULL;
 char *filter = NULL;
 char *specific_filter = NULL;
 char *sanitized = NULL;
+const char *lowered = NULL;
 time_t now;
 errno_t ret;
 int i;
@@ -258,6 +259,27 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
  SYSDB_SUDO_CACHE_AT_USER,
  sanitized);
 NULL_CHECK(specific_filter, ret, done);
+
+if (case_sensitive_domain == false) {
+lowered = sss_tc_utf8_str_tolower(tmp_ctx, username);
+if (lowered == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ret = ENOMEM;
+goto done;
+}
+
+if (strcmp(username, lowered) != 0) {
+ret = sss_filter_sanitize(tmp_ctx, lowered, );
+if (ret != EOK) {
+goto done;
+}
+
+specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)",
+ SYSDB_SUDO_CACHE_AT_USER,
+ sanitized);
+NULL_CHECK(specific_filter, ret, done);
+}
+}
 }
 
 if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) {
@@ -801,6 +823,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *lowered = NULL;
+errno_t ret;
+
+if (domain->case_sensitive == true || rule == NULL) {
+return EOK;
+}
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+if (lowered == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ret = ENOMEM;
+goto done;
+}
+
+if (strcmp(users[i], lowered) == 0) {
+/* It protects us from adding duplicate. */
+continue;
+}
+
+ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Unable to add %s attribute [%d]: %s\n",
+  SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+}
+
+ret = EOK;
+
+done:
+talloc_zfree(tmp_ctx);
+return ret;
+}
+
 static errno_t
 sysdb_sudo_store_rule(struct sss_domain_info *domain,
   struct sysdb_attrs *rule,
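Review bot: A rule with no sudoUser attribute presumably makes `sysdb_attrs_get_string_array()` return a non-EOK code in `sysdb_sudo_add_lowered_users`, and that code is returned to `sysdb_sudo_store_rule()`, which the following hunk makes bail out on it, so one malformed rule stops the processing of the others. The squashed posting at the top of this page describes exactly this regression and fixes it by returning ERR_MALFORMED_ENTRY and skipping the rule; this revision still needs that handling. Separately, the `strcmp(users[i], lowered) == 0` check only skips names that are already lowercase: two sudoUser values that differ only in case yield the same `lowered` string, which is then added twice, so the check should compare against the values already in the rule. The same function is repeated unchanged in the 2016-11-08, 2016-11-04 and 2016-10-18 postings below.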
@@ -817,6 +897,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
 
 DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
 
+ret = 

[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-08 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/39
Author: celestian
 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/39/head:pr39
git checkout pr39
From d83eb122f75ff1204cfdac6d5bc1ec138056 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH] SYSDB: Adding lowercase sudoUser form

If the domain is not case sensitive, we add the lowercase form of usernames
to the sudoUser attributes, so that a sudoRule for user Administrator@...
can actually be applied to the login administrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203
(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
---
 src/db/sysdb_sudo.c | 63 +
 1 file changed, 63 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..ecf350f 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *lowered = NULL;
+errno_t ret;
+
+if (domain->case_sensitive == true || rule == NULL) {
+return EOK;
+}
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+if (lowered == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ret = ENOMEM;
+goto done;
+}
+
+if (strcmp(users[i], lowered) == 0) {
+/* It protects us from adding duplicate. */
+continue;
+}
+
+ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Unable to add %s attribute [%d]: %s\n",
+  SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+}
+
+ret = EOK;
+
+done:
+talloc_zfree(tmp_ctx);
+return ret;
+}
+
 static errno_t
 sysdb_sudo_store_rule(struct sss_domain_info *domain,
   struct sysdb_attrs *rule,
@@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
 
 DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
 
+ret = sysdb_sudo_add_lowered_users(domain, rule);
+if (ret != EOK) {
+return ret;
+}
+
 ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
 if (ret != EOK) {
 return ret;


[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-08 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/39
Author: celestian
 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/39/head:pr39
git checkout pr39
From 92c5b11f1c17454a5b258f3776224124a808af3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form

If the domain is not case sensitive, we add the lowercase form of usernames
to the sudoUser attributes, so that a sudoRule for user Administrator@...
can actually be applied to the login administrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203
(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
---
 src/db/sysdb_sudo.c | 63 +
 1 file changed, 63 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..ecf350f 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *lowered = NULL;
+errno_t ret;
+
+if (domain->case_sensitive == true || rule == NULL) {
+return EOK;
+}
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+if (lowered == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ret = ENOMEM;
+goto done;
+}
+
+if (strcmp(users[i], lowered) == 0) {
+/* It protects us from adding duplicate. */
+continue;
+}
+
+ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Unable to add %s attribute [%d]: %s\n",
+  SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+}
+
+ret = EOK;
+
+done:
+talloc_zfree(tmp_ctx);
+return ret;
+}
+
 static errno_t
 sysdb_sudo_store_rule(struct sss_domain_info *domain,
   struct sysdb_attrs *rule,
@@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
 
 DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
 
+ret = sysdb_sudo_add_lowered_users(domain, rule);
+if (ret != EOK) {
+return ret;
+}
+
 ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
 if (ret != EOK) {
 return ret;

From d521c43a46689730ad92c5bdfa13a69590c66307 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Tue, 18 Oct 2016 10:01:43 +0200
Subject: [PATCH 2/2] SYSDB: Adding fq user names to cached sudoRules

This patch adds fq user names to the sudoUser attribute of
cached sudoRules.

Resolves:
https://fedorahosted.org/sssd/ticket/3203
---
 src/db/sysdb_sudo.c | 55 +
 1 file changed, 55 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index ecf350f..3c37f9b 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -801,6 +801,56 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_fq_users(struct sss_domain_info *domain,
+   struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *fqname = NULL;
+errno_t ret;
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+fqname = sss_tc_fqname(tmp_ctx, domain->names, domain, users[i]);
+if (fqname == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Could not create fgname.\n");
+ret = ENOMEM;
+  

[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-11-04 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/39
Author: celestian
 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/39/head:pr39
git checkout pr39
From 989460d4ed0a8c33ba12f73b6e73bf905a877116 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form

If the domain is not case sensitive, we add the lowercase form of usernames
to the sudoUser attributes, so that a sudoRule for user Administrator@...
can actually be applied to the login administrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203
(cherry picked from commit fbc12bcdad4547d698ddbb9771e125ff7ae981df)
---
 src/db/sysdb_sudo.c | 63 +
 1 file changed, 63 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..ecf350f 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *lowered = NULL;
+errno_t ret;
+
+if (domain->case_sensitive == true || rule == NULL) {
+return EOK;
+}
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+if (lowered == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ret = ENOMEM;
+goto done;
+}
+
+if (strcmp(users[i], lowered) == 0) {
+/* It protects us from adding duplicate. */
+continue;
+}
+
+ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Unable to add %s attribute [%d]: %s\n",
+  SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+}
+
+ret = EOK;
+
+done:
+talloc_zfree(tmp_ctx);
+return ret;
+}
+
 static errno_t
 sysdb_sudo_store_rule(struct sss_domain_info *domain,
   struct sysdb_attrs *rule,
@@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
 
 DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
 
+ret = sysdb_sudo_add_lowered_users(domain, rule);
+if (ret != EOK) {
+return ret;
+}
+
 ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
 if (ret != EOK) {
 return ret;

From d257d03b9c480747433096f410cbd36165c3c532 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Tue, 18 Oct 2016 10:01:43 +0200
Subject: [PATCH 2/2] SYSDB: Adding fq user names to cached sudoRules

This patch adds fq user names to the sudoUser attribute of
cached sudoRules.

Resolves:
https://fedorahosted.org/sssd/ticket/3203
---
 src/db/sysdb_sudo.c | 55 +
 1 file changed, 55 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index ecf350f..3c37f9b 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -801,6 +801,56 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_fq_users(struct sss_domain_info *domain,
+   struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *fqname = NULL;
+errno_t ret;
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+fqname = sss_tc_fqname(tmp_ctx, domain->names, domain, users[i]);
+if (fqname == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Could not create fgname.\n");
+ret = ENOMEM;
+  

[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)

2016-10-18 Thread celestian
   URL: https://github.com/SSSD/sssd/pull/39
Author: celestian
 Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13)
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/39/head:pr39
git checkout pr39
From dbeb8eef5e1732b0d8b578f6648f27983b3147e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form

If the domain is not case sensitive, we add the lowercase form of usernames
to the sudoUser attributes, so that a sudoRule for user Administrator@...
can actually be applied to the login administrator@...

Resolves:
https://fedorahosted.org/sssd/ticket/3203
(cherry picked from commit fbc12bcdad4547d698ddbb9771e125ff7ae981df)
---
 src/db/sysdb_sudo.c | 63 +
 1 file changed, 63 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..ecf350f 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *lowered = NULL;
+errno_t ret;
+
+if (domain->case_sensitive == true || rule == NULL) {
+return EOK;
+}
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+if (lowered == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ret = ENOMEM;
+goto done;
+}
+
+if (strcmp(users[i], lowered) == 0) {
+/* It protects us from adding duplicate. */
+continue;
+}
+
+ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "Unable to add %s attribute [%d]: %s\n",
+  SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+}
+
+ret = EOK;
+
+done:
+talloc_zfree(tmp_ctx);
+return ret;
+}
+
 static errno_t
 sysdb_sudo_store_rule(struct sss_domain_info *domain,
   struct sysdb_attrs *rule,
@@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
 
 DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
 
+ret = sysdb_sudo_add_lowered_users(domain, rule);
+if (ret != EOK) {
+return ret;
+}
+
 ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
 if (ret != EOK) {
 return ret;

From 467feba75a6681fc41a2c87c0c82f2189ff059ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Tue, 18 Oct 2016 10:01:43 +0200
Subject: [PATCH 2/2] SYSDB: Adding fq user names to cached sudoRules

This patch adds fq user names to the sudoUser attribute of
cached sudoRules.

Resolves:
https://fedorahosted.org/sssd/ticket/3203
---
 src/db/sysdb_sudo.c | 54 +
 1 file changed, 54 insertions(+)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index ecf350f..fb14912 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -801,6 +801,55 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_fq_users(struct sss_domain_info *domain,
+   struct sysdb_attrs *rule)
+{
+TALLOC_CTX *tmp_ctx;
+const char **users = NULL;
+const char *fqname = NULL;
+errno_t ret;
+
+tmp_ctx = talloc_new(NULL);
+if (tmp_ctx == NULL) {
+return ENOMEM;
+}
+
+ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+   );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+goto done;
+}
+if (users == NULL) {
+ret =  EOK;
+goto done;
+}
+
+for (int i = 0; users[i] != NULL; i++) {
+fqname = sss_tc_fqname(tmp_ctx, domain->names, domain, users[i]);
+if (fqname == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, "Could not create fgname.\n");
+ret = ENOMEM;
+