URL: https://github.com/SSSD/sssd/pull/223 Author: sumit-bose Title: #223: KRB5_LOCATOR: add env variable to disable plugin Action: opened
PR body: """ If the new environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value SSSD's krb5 locator plugin is disabled. The variable is needed because there is currently no other way than removing the plugin completely to disable it. For a use-case see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1072939. Related to https://pagure.io/SSSD/sssd/issue/3359 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/223/head:pr223 git checkout pr223
From 5231ba679402eeb0705a3ecd41f97fdd67d42a69 Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.com> Date: Fri, 31 Mar 2017 21:31:23 +0200 Subject: [PATCH 1/2] libsss_certmap: Accept certificate with data before header MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit According to RFC 7468 parser must not fail when some data are present before the encapsulation boundary. sss_cert_pem_to_der didn't respect this and refused valid input. Changing it's code to first locate the certificate header fixes the issue. Resolves: https://pagure.io/SSSD/sssd/issue/3354 Reviewed-by: Sumit Bose <sb...@redhat.com> Reviewed-by: Fabiano FidĂȘncio <fiden...@redhat.com> --- src/tests/cmocka/test_cert_utils.c | 16 ++++++++++++++++ src/util/cert/nss/cert.c | 9 +++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c index 5830131..8003d8d 100644 --- a/src/tests/cmocka/test_cert_utils.c +++ b/src/tests/cmocka/test_cert_utils.c @@ -128,6 +128,13 @@ const uint8_t test_cert_der[] = { "lBPDhfTVcWXQwN385uycW/ARtSzzSME2jKKWSIQ=\n" \ "-----END CERTIFICATE-----\n" +#define TEST_CERT_PEM_WITH_METADATA "Bag Attributes\n" \ +" friendlyName: ipa-devel\n" \ +" localKeyID: 8E 0D 04 1F BC 13 73 54 00 8F 65 57 D7 A8 AF 34 0C 18 B3 99\n" \ +"subject= /O=IPA.DEVEL/CN=ipa-devel.ipa.devel\n" \ +"issuer= /O=IPA.DEVEL/CN=Certificate Authority\n" \ +TEST_CERT_PEM + #define TEST_CERT_DERB64 \ "MIIECTCCAvGgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \ "REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA0Mjgx" \ @@ -219,6 +226,15 @@ void test_sss_cert_pem_to_der(void **state) assert_memory_equal(der, test_cert_der, der_size); talloc_free(der); + + /* https://pagure.io/SSSD/sssd/issue/3354 + https://tools.ietf.org/html/rfc7468#section-2 */ + ret = sss_cert_pem_to_der(ts, TEST_CERT_PEM_WITH_METADATA, &der, &der_size); + assert_int_equal(ret, EOK); + assert_int_equal(sizeof(test_cert_der), der_size); + assert_memory_equal(der, test_cert_der, der_size); + + talloc_free(der); } void test_sss_cert_derb64_to_pem(void **state) diff --git a/src/util/cert/nss/cert.c b/src/util/cert/nss/cert.c index 9d31cfe..93d4e04 100644 --- a/src/util/cert/nss/cert.c +++ b/src/util/cert/nss/cert.c @@ -147,16 +147,17 @@ errno_t sss_cert_pem_to_der(TALLOC_CTX *mem_ctx, const char *pem, return EINVAL; } + if ((pem = strstr(pem, NS_CERT_HEADER)) == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing PEM header."); + return EINVAL; + } + pem_len = strlen(pem); if (pem_len <= NS_CERT_HEADER_LEN + NS_CERT_TRAILER_LEN) { DEBUG(SSSDBG_CRIT_FAILURE, "PEM data too short.\n"); return EINVAL; } - if (strncmp(pem, NS_CERT_HEADER, NS_CERT_HEADER_LEN) != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Wrong PEM header.\n"); - return EINVAL; - } if (pem[NS_CERT_HEADER_LEN] != '\n') { DEBUG(SSSDBG_CRIT_FAILURE, "Missing newline in PEM data.\n"); return EINVAL; From 32892ed65bf5d76a137a63259221e5d169ae3e4d Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Thu, 17 Nov 2016 10:55:43 +0100 Subject: [PATCH 2/2] KRB5_LOCATOR: add env variable to disable plugin If the new environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value SSSD's krb5 locator plugin is disabled. The variable is needed because there is currently no other way than removing the plugin completely to disable it. For a use-case see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1072939. Related to https://pagure.io/SSSD/sssd/issue/3359 --- src/krb5_plugin/sssd_krb5_locator_plugin.c | 15 +++++++++++++++ src/man/sssd_krb5_locator_plugin.8.xml | 5 +++++ 2 files changed, 20 insertions(+) diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c index aa8d387..7c17fcb 100644 --- a/src/krb5_plugin/sssd_krb5_locator_plugin.c +++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c @@ -45,6 +45,7 @@ #define BUFSIZE 512 #define PORT_STR_SIZE 7 #define SSSD_KRB5_LOCATOR_DEBUG "SSSD_KRB5_LOCATOR_DEBUG" +#define SSSD_KRB5_LOCATOR_DISABLE "SSSD_KRB5_LOCATOR_DISABLE" #define DEBUG_KEY "[sssd_krb5_locator] " #define PLUGIN_DEBUG(body) do { \ if (ctx->debug) { \ @@ -59,6 +60,7 @@ struct sssd_ctx { char *kpasswd_addr; uint16_t kpasswd_port; bool debug; + bool disabled; }; void plugin_debug_fn(const char *format, ...) @@ -232,6 +234,14 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context, PLUGIN_DEBUG(("sssd_krb5_locator_init called\n")); } + dummy = getenv(SSSD_KRB5_LOCATOR_DISABLE); + if (dummy == NULL) { + ctx->disabled = false; + } else { + ctx->disabled = true; + PLUGIN_DEBUG(("SSSD KRB5 locator plugin is disabled.\n")); + } + *private_data = ctx; return 0; @@ -273,6 +283,11 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data, if (private_data == NULL) return KRB5_PLUGIN_NO_HANDLE; ctx = (struct sssd_ctx *) private_data; + if (ctx->disabled) { + PLUGIN_DEBUG(("Plugin disabled, nothing to do.\n")); + return KRB5_PLUGIN_NO_HANDLE; + } + if (ctx->sssd_realm == NULL || strcmp(ctx->sssd_realm, realm) != 0) { free(ctx->sssd_realm); ctx->sssd_realm = strdup(realm); diff --git a/src/man/sssd_krb5_locator_plugin.8.xml b/src/man/sssd_krb5_locator_plugin.8.xml index 25a20c8..d285460 100644 --- a/src/man/sssd_krb5_locator_plugin.8.xml +++ b/src/man/sssd_krb5_locator_plugin.8.xml @@ -69,6 +69,11 @@ If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value debug messages will be sent to stderr. </para> + <para> + If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any + value the plugin is disabled and will just return + KRB5_PLUGIN_NO_HANDLE to the caller. + </para> </refsect1> <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"; href="include/seealso.xml" />
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
