
Compare revisions

Commits on Source (306)
Showing
with 485 additions and 124 deletions
......@@ -33,6 +33,7 @@ jobs:
runs-on: covscan
permissions:
contents: read
timeout-minutes: 1440
steps:
- name: Checkout target branch
uses: actions/checkout@v3
......
......@@ -247,12 +247,136 @@ jobs:
multihost-install.log
multihost-pytest.log
system:
needs: [prepare, build]
strategy:
fail-fast: false
matrix:
tag: ${{ fromJson(needs.prepare.outputs.matrix).multihost }}
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout sssd repository
uses: actions/checkout@v3
with:
path: sssd
- name: Setup containers
uses: SSSD/sssd-ci-containers/actions/setup@master
with:
path: sssd-ci-containers
tag: ${{ matrix.tag }}
override: |
services:
client:
image: ${REGISTRY}/ci-client-devel:${TAG}
shm_size: 4G
tmpfs:
- /dev/shm
volumes:
- ../sssd:/sssd:rw
- name: Build SSSD on the client
uses: SSSD/sssd-ci-containers/actions/exec@master
with:
log-file: build.log
working-directory: /sssd
script: |
#!/bin/bash
set -ex
./contrib/ci/run --deps-only
autoreconf -if
mkdir -p /dev/shm/sssd
pushd /dev/shm/sssd
/sssd/configure --enable-silent-rules
make rpms
- name: Install SSSD on the client
uses: SSSD/sssd-ci-containers/actions/exec@master
with:
log-file: install.log
user: root
script: |
#!/bin/bash
set -ex
dnf remove -y --noautoremove sssd\*
dnf install -y /dev/shm/sssd/rpmbuild/RPMS/*/*.rpm
rm -fr /dev/shm/sssd
# We need to reenable sssd-kcm since it was disabled by removing sssd not not enabled again
systemctl enable --now sssd-kcm.socket
- name: Install system tests dependencies
shell: bash
working-directory: ./sssd/src/tests/system
run: |
set -ex
sudo apt-get update
# Install dependencies for python-ldap
sudo apt-get install -y libsasl2-dev python3-dev libldap2-dev libssl-dev
# Virtualenv
pip3 install virtualenv
python3 -m venv .venv
source .venv/bin/activate
# Install system tests requirements
pip3 install -r ./requirements.txt
# Install yq to parse yaml files
sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
sudo chmod a+x /usr/local/bin/yq
- name: Remove ad from mhc.yaml
shell: bash
working-directory: ./sssd/src/tests/system
run: |
yq -i 'del(.domains[0].hosts.[] | select(.role == "ad"))' mhc.yaml
- name: Run tests
shell: bash
working-directory: ./sssd/src/tests/system
run: |
set -ex -o pipefail
source .venv/bin/activate
pytest \
--color=yes \
--mh-config=./mhc.yaml \
--mh-log-path=$GITHUB_WORKSPACE/mh.log \
--mh-artifacts-dir=$GITHUB_WORKSPACE/artifacts \
-vvv . |& tee $GITHUB_WORKSPACE/pytest.log
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
if-no-files-found: ignore
name: ${{ matrix.tag }}-system
path: |
sssd/ci-install-deps.log
artifacts
mh.log
build.log
install.log
pytest.log
result:
name: All tests are successful
if: ${{ always() }}
runs-on: ubuntu-latest
needs: [build, intgcheck, multihost]
needs: [build, intgcheck, multihost, system]
steps:
- name: Fail on failure
if: ${{ needs.build.result != 'success' || needs.intgcheck.result != 'success' || needs.multihost.result != 'success' }}
if: |
needs.build.result != 'success'
|| needs.intgcheck.result != 'success'
|| needs.multihost.result != 'success'
|| needs.system.result != 'success'
run: exit 1
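Review bot: The `Install system tests dependencies` step downloads `yq` from `releases/latest/download/yq_linux_amd64` and installs it into `/usr/local/bin` with sudo, with no pinned version and no digest check, so the job executes whatever binary that URL serves at run time. Pin the release and verify it before installing: `wget -qO /tmp/yq https://github.com/mikefarah/yq/releases/download/<PINNED_VERSION>/yq_linux_amd64`, `echo "<EXPECTED_SHA256>  /tmp/yq" | sha256sum -c -`, then `sudo install -m 0755 /tmp/yq /usr/local/bin/yq` (both bracketed values are placeholders to fill from the chosen release). The same job references `SSSD/sssd-ci-containers/actions/setup@master` and `SSSD/sssd-ci-containers/actions/exec@master`, which follow a mutable branch; a commit SHA would make runs reproducible. The job's `permissions: contents: read` already limits what the token can do if either input changes unexpectedly.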
......@@ -50,7 +50,7 @@ jobs:
id: srpm
uses: ./.github/actions/build-sssd-srpm
with:
version: ${{ env.COPR_PROJECT }}
version: 9.${{ env.COPR_PROJECT }}
- name: Upload source rpm as an artifact
uses: actions/upload-artifact@v3
......
......@@ -38,28 +38,72 @@ jobs:
PROCESSORS=$(/usr/bin/getconf _NPROCESSORS_ONLN)
make -j$PROCESSORS
- name: Upload configuration artifacts
uses: actions/upload-artifact@v3
if: always()
with:
name: codeql-build
path: |
x86_64/config.log
x86_64/config.h
if-no-files-found: ignore
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
flake8:
python-system-tests:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Run flake8
uses: grantmcconnaughey/lintly-flake8-github-action@d9db4fd0be9fb1cd19206a48ec0773bd93b82cbd
if: github.event_name == 'pull_request'
with:
token: ${{ secrets.GITHUB_TOKEN }}
failIf: new
- name: Setup virtual environment
working-directory: ./src/tests/system
run: |
sudo apt-get update
# Install dependencies for python-ldap
sudo apt-get install -y libsasl2-dev python3-dev libldap2-dev libssl-dev
pip3 install virtualenv
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r ./requirements.txt
pip3 install flake8 pycodestyle isort mypy black
- name: flake8
if: always()
working-directory: ./src/tests/system
run: source .venv/bin/activate && flake8 .
- name: pycodestyle
if: always()
working-directory: ./src/tests/system
run: source .venv/bin/activate && pycodestyle .
- name: isort
if: always()
working-directory: ./src/tests/system
run: source .venv/bin/activate && isort --check-only .
- name: black
if: always()
working-directory: ./src/tests/system
run: source .venv/bin/activate && black --check --diff .
- name: mypy
if: always()
working-directory: ./src/tests/system
run: source .venv/bin/activate && mypy --install-types --non-interactive tests
result:
name: All tests are successful
if: ${{ always() }}
runs-on: ubuntu-latest
needs: [codeql, flake8]
needs: [codeql]
steps:
- name: Fail on failure
if: ${{ needs.codeql.result != 'success' || needs.flake8.result != 'success' }}
if: ${{ needs.codeql.result != 'success' }}
run: exit 1
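Review bot: The aggregate `result` job appears to end up with only `needs: [codeql]`, so a failure in the new `python-system-tests` job (flake8, pycodestyle, isort, black, mypy) would not fail "All tests are successful". If branch protection keys on that job, lint and type errors can merge unnoticed. Assuming the second of each doubled line is the new side, gate on the new job as well: `needs: [codeql, python-system-tests]` and `if: ${{ needs.codeql.result != 'success' || needs.python-system-tests.result != 'success' }}`. Separately, `pip3 install flake8 pycodestyle isort mypy black` is unversioned and `mypy --install-types` pulls stub packages at run time, whereas the removed lint action was pinned to a commit SHA; a constraints file would keep the tool set fixed.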
......@@ -112,9 +112,20 @@ sss_ssh_knownhostsproxy
sssd_ssh
test-authtok
/ci-build-*
.pytest_cache
__pycache__
.venv
src/man/sssd_user_name.include
# multihost tests
!src/tests/multihost/sssd
!src/tests/multihost/docs/Makefile
!src/tests/multihost/setup.py
!src/tests/multihost/sssd-testlib.spec
# system tests
src/tests/system/artifacts
src/tests/system/docs/_build
src/tests/system/docs/api
!src/tests/system/docs/Makefile
!src/tests/system/lib/sssd
......@@ -9,7 +9,6 @@ endif
DISTCHECK_CONFIGURE_FLAGS = --with-ldb-lib-dir="$$dc_install_base"/lib/ldb \
--disable-dbus-tests \
--enable-all-experimental-features \
$(extra_distcheck_flags) \
$(AUX_DISTCHECK_CONFIGURE_FLAGS)
CLEANFILES = $(NULL)
......@@ -58,7 +57,7 @@ sssddatadir = $(datadir)/sssd
sssdapiplugindir = $(sssddatadir)/sssd.api.d
sssdtapscriptdir = $(sssddatadir)/systemtap
krb5snippetsdir = $(sssddatadir)/krb5-snippets
dbuspolicydir = $(sysconfdir)/dbus-1/system.d
dbuspolicydir = $(datadir)/dbus-1/system.d
dbusservicedir = $(datadir)/dbus-1/system-services
sss_statedir = $(localstatedir)/lib/sss
runstatedir = @runstatedir@
......@@ -94,15 +93,9 @@ if HAVE_SYSTEMD_UNIT
ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated
ifp_systemdservice = SystemdService=sssd-ifp.service
ifp_restart = Restart=on-failure
# If sssd is configured with --enable-files-domain, the service is
# able to start even without a configuration file. Otherwise, sssd
# requires a configuration file (either /etc/sssd/sssd.conf, or some
# snippet under /etc/sssd/sssd.conf.d/) to be present.
if ADD_FILES_DOMAIN
condconfigexists =
else
# SSSD requires a configuration file (either /etc/sssd/sssd.conf,
# or some snippet under /etc/sssd/sssd.conf.d/) to be present.
condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
endif
# If sssd is configured with --with-sssd-user=<user> where <user>!='root'
# but is actually run under the root we need CAP_DAC_OVERRIDE to access
# files owned by <user>:<user>
......@@ -188,6 +181,9 @@ if BUILD_SEMANAGE
sssdlibexec_PROGRAMS += selinux_child
endif
sssdlibexec_PROGRAMS += p11_child
if BUILD_PASSKEY
sssdlibexec_PROGRAMS += passkey_child
endif # BUILD_PASSKEY
if BUILD_OIDC_CHILD
sssdlibexec_PROGRAMS += oidc_child
endif
......@@ -219,6 +215,7 @@ if HAVE_CHECK
krb5-utils-tests \
check_file-tests \
files-tests \
file_watch-tests \
refcount-tests \
fail_over-tests \
find_uid-tests \
......@@ -259,7 +256,6 @@ if HAVE_CMOCKA
dp_opt_tests \
responder-get-domains-tests \
config_check-tests \
sss_sifp-tests \
test_search_bases \
test_ldap_auth \
test_sdap_access \
......@@ -307,6 +303,9 @@ endif # HAVE_LIBRESOLV
if BUILD_IFP
non_interactive_cmocka_based_tests += ifp_tests
if BUILD_LIBSIFP
non_interactive_cmocka_based_tests += sss_sifp-tests
endif # BUILD_LIBSIFP
endif # BUILD_IFP
if HAVE_INOTIFY
......@@ -324,6 +323,10 @@ if BUILD_KCM_RENEWAL
non_interactive_cmocka_based_tests += test_kcm_renewals
endif # BUILD_KCM_RENEWAL
if BUILD_PASSKEY
non_interactive_cmocka_based_tests += test_passkey test_krb5_passkey_plugin
endif # BUILD_PASSKEY
if BUILD_SAMBA
non_interactive_cmocka_based_tests += \
......@@ -393,9 +396,11 @@ sssdlib_LTLIBRARIES += \
endif
if HAVE_INOTIFY
if BUILD_FILES_PROVIDER
sssdlib_LTLIBRARIES += \
libsss_files.la \
$(NULL)
endif # BUILD_FILES_PROVIDER
endif # HAVE_INOTIFY
ldblib_LTLIBRARIES = \
......@@ -708,6 +713,7 @@ dist_noinst_HEADERS = \
src/util/sss_format.h \
src/util/sss_pam_data.h \
src/util/refcount.h \
src/util/file_watch.h \
src/util/find_uid.h \
src/util/user_info_msg.h \
src/util/mmap_cache.h \
......@@ -725,13 +731,13 @@ dist_noinst_HEADERS = \
src/monitor/monitor.h \
src/responder/common/responder.h \
src/responder/common/responder_packet.h \
src/responder/common/responder_sbus.h \
src/responder/common/cache_req/cache_req.h \
src/responder/common/cache_req/cache_req_domain.h \
src/responder/common/cache_req/cache_req_plugin.h \
src/responder/common/cache_req/cache_req_private.h \
src/responder/pam/pamsrv.h \
src/responder/pam/pam_helpers.h \
src/responder/pam/pamsrv_passkey.h \
src/responder/nss/nss_private.h \
src/responder/nss/nss_protocol.h \
src/responder/nss/nss_iface.h \
......@@ -801,6 +807,7 @@ dist_noinst_HEADERS = \
src/db/sysdb_ssh.h \
src/db/sysdb_subid.h \
src/db/sysdb_domain_resolution_order.h \
src/db/sysdb_passkey_user_verification.h \
src/db/sysdb_computer.h \
src/db/sysdb_iphosts.h \
src/db/sysdb_ipnetworks.h \
......@@ -860,6 +867,7 @@ dist_noinst_HEADERS = \
src/providers/ipa/ipa_auth.h \
src/providers/ipa/ipa_dyndns.h \
src/providers/ipa/ipa_subdomains.h \
src/providers/ipa/ipa_subdomains_passkey.h \
src/providers/ipa/ipa_id.h \
src/providers/ipa/ipa_opts.h \
src/providers/ipa/ipa_srv.h \
......@@ -877,7 +885,6 @@ dist_noinst_HEADERS = \
src/providers/ad/ad_subdomains.h \
src/providers/ad/ad_resolver.h \
src/providers/proxy/proxy.h \
src/providers/files/files_private.h \
src/tools/tools_util.h \
src/resolv/async_resolv.h \
src/tests/common.h \
......@@ -896,7 +903,6 @@ dist_noinst_HEADERS = \
src/sss_client/sudo/sss_sudo.h \
src/sss_client/nfs/nfsidmap_internal.h \
src/lib/idmap/sss_idmap_private.h \
src/lib/sifp/sss_sifp_private.h \
src/lib/winbind_idmap_sss/winbind_idmap_sss.h \
src/tests/cmocka/test_utils.h \
src/tools/common/sss_tools.h \
......@@ -909,6 +915,10 @@ dist_noinst_HEADERS = \
src/shared/safealign.h \
src/p11_child/p11_child.h \
src/oidc_child/oidc_child_util.h \
src/passkey_child/passkey_child.h \
src/krb5_plugin/common/radius_kdcpreauth.h \
src/krb5_plugin/common/radius_clpreauth.h \
src/krb5_plugin/common/utils.h \
$(NULL)
......@@ -919,8 +929,10 @@ SSSD_DOCS = \
nss_idmap_doc
if BUILD_IFP
if BUILD_LIBSIFP
SSSD_DOCS += sss_simpleifp_doc
endif
endif # BUILD_LIBSIFP
endif # BUILD_IFP
CLIENT_LIBS = $(LTLIBINTL)
......@@ -1260,6 +1272,8 @@ libsss_util_la_SOURCES = \
src/util/domain_info_utils.c \
src/util/util_lock.c \
src/util/util_errors.c \
src/util/inotify.c \
src/util/file_watch.c \
src/util/find_uid.c \
src/util/sss_ini.c \
src/util/io.c \
......@@ -1303,6 +1317,7 @@ endif
if BUILD_SYSTEMTAP
libsss_util_la_LIBADD += stap_generated_probes.lo
endif
libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
libsss_util_la_LDFLAGS = -avoid-version
pkglib_LTLIBRARIES += libsss_semanage.la
......@@ -1409,6 +1424,7 @@ include_HEADERS = \
$(NULL)
if BUILD_IFP
if BUILD_LIBSIFP
lib_LTLIBRARIES += libsss_simpleifp.la
pkgconfig_DATA += src/lib/sifp/sss_simpleifp.pc
......@@ -1429,12 +1445,14 @@ libsss_simpleifp_la_LDFLAGS = \
-Wl,--version-script,$(srcdir)/src/lib/sifp/sss_simpleifp.exports \
-version-info 1:1:1
dist_noinst_HEADERS += src/lib/sifp/sss_sifp_private.h
dist_noinst_DATA += src/lib/sifp/sss_simpleifp.exports
include_HEADERS += \
src/lib/sifp/sss_sifp.h \
src/lib/sifp/sss_sifp_dbus.h
endif
endif # BUILD_LIBSIFP
endif # BUILD_IFP
#########################
# Systemtap tracing #
......@@ -1489,7 +1507,6 @@ sssd_SOURCES = \
src/monitor/monitor_netlink.c \
src/confdb/confdb_setup.c \
src/util/nscd.c \
src/util/inotify.c \
$(NULL)
sssd_LDADD = \
$(SSSD_LIBS) \
......@@ -1543,6 +1560,7 @@ sssd_pam_SOURCES = \
src/responder/pam/pam_prompting_config.c \
src/sss_client/pam_sss_prompt_config.c \
src/responder/pam/pam_helpers.c \
src/responder/pam/pamsrv_passkey.c \
$(SSSD_RESPONDER_OBJ)
sssd_pam_CFLAGS = \
$(AM_CFLAGS) \
......@@ -1911,6 +1929,9 @@ sssctl_SOURCES = \
src/tools/sssctl/sssctl_cert.c \
$(SSSD_TOOLS_OBJ) \
$(NULL)
if BUILD_PASSKEY
sssctl_SOURCES += src/tools/sssctl/sssctl_passkey.c
endif
sssctl_LDADD = \
$(TOOLS_LIBS) \
$(INI_CONFIG_LIBS) \
......@@ -2230,6 +2251,19 @@ resolv_tests_LDADD = \
libsss_debug.la \
libsss_test_common.la
file_watch_tests_SOURCES = \
src/tests/file_watch-tests.c \
$(NULL)
file_watch_tests_CFLAGS = \
$(AM_CFLAGS) \
$(CHECK_CFLAGS)
file_watch_tests_LDADD = \
$(SSSD_LIBS) \
$(CHECK_LIBS) \
$(INOTIFY_LIBS) \
$(SSSD_INTERNAL_LTLIBS) \
libsss_test_common.la
refcount_tests_SOURCES = \
src/tests/refcount-tests.c \
$(NULL)
......@@ -2582,6 +2616,7 @@ pam_srv_tests_SOURCES = \
src/responder/pam/pamsrv_cmd.c \
src/responder/pam/pamsrv_p11.c \
src/responder/pam/pamsrv_gssapi.c \
src/responder/pam/pamsrv_passkey.c \
src/responder/pam/pam_helpers.c \
src/responder/pam/pamsrv_dp.c \
src/responder/pam/pam_prompting_config.c \
......@@ -3132,6 +3167,7 @@ ifp_tests_LDADD = \
libsss_sbus.la \
$(NULL)
if BUILD_LIBSIFP
sss_sifp_tests_SOURCES = \
src/tests/cmocka/test_sss_sifp.c \
src/lib/sifp/sss_sifp_attrs.c \
......@@ -3154,6 +3190,7 @@ sss_sifp_tests_LDADD = \
$(DHASH_LIBS) \
$(POPT_LIBS) \
$(SSSD_INTERNAL_LTLIBS)
endif # BUILD_LIBSIFP
endif # BUILD_IFP
test_sysdb_views_SOURCES = \
......@@ -3782,6 +3819,61 @@ test_sssd_krb5_locator_plugin_LDADD = \
libsss_test_common.la \
$(NULL)
if BUILD_PASSKEY
test_passkey_SOURCES = \
src/passkey_child/passkey_child_common.c \
src/passkey_child/passkey_child_credentials.c \
src/passkey_child/passkey_child_devices.c \
src/passkey_child/passkey_child_assert.c \
src/tests/cmocka/test_passkey_child.c \
$(NULL)
test_passkey_CFLAGS = \
$(AM_CFLAGS) \
$(NULL)
test_passkey_LDFLAGS = \
-Wl,-wrap,sleep \
-Wl,-wrap,tcgetattr \
-Wl,-wrap,tcsetattr \
-Wl,-wrap,getline \
-Wl,-wrap,fido_dev_info_manifest \
-Wl,-wrap,fido_dev_info_path \
-Wl,-wrap,fido_dev_open \
-Wl,-wrap,fido_dev_has_uv \
-Wl,-wrap,fido_dev_has_pin \
-Wl,-wrap,fido_dev_make_cred \
-Wl,-wrap,fido_cred_x5c_ptr \
-Wl,-wrap,fido_cred_verify \
-Wl,-wrap,fido_cred_verify_self \
-Wl,-wrap,fido_cred_id_ptr \
-Wl,-wrap,fido_cred_id_len \
-Wl,-wrap,fido_cred_pubkey_ptr \
-Wl,-wrap,fido_cred_pubkey_len \
-Wl,-wrap,fido_assert_set_rp \
-Wl,-wrap,fido_assert_allow_cred \
-Wl,-wrap,fido_assert_set_uv \
-Wl,-wrap,fido_assert_user_id_len \
-Wl,-wrap,fido_assert_set_clientdata_hash \
-Wl,-wrap,fido_dev_get_assert \
-Wl,-wrap,fido_dev_is_fido2 \
-Wl,-wrap,fido_assert_verify \
-Wl,-wrap,fido_assert_authdata_ptr \
-Wl,-wrap,fido_assert_authdata_len \
-Wl,-wrap,fido_assert_sig_ptr \
-Wl,-wrap,fido_assert_sig_len \
-Wl,-wrap,fido_assert_set_count \
-Wl,-wrap,fido_assert_set_authdata \
-Wl,-wrap,fido_assert_set_sig
test_passkey_LDADD = \
$(CMOCKA_LIBS) \
$(SSSD_LIBS) \
$(SSSD_INTERNAL_LTLIBS) \
$(LIBADD_DL) \
$(PASSKEY_LIBS) \
libsss_test_common.la \
$(JANSSON_LIBS) \
$(NULL)
endif # BUILD_PASSKEY
if BUILD_KCM
test_kcm_marshalling_SOURCES = \
src/tests/cmocka/test_kcm_marshalling.c \
......@@ -3824,6 +3916,7 @@ test_kcm_queue_LDADD = \
test_krb5_idp_plugin_SOURCES = \
src/tests/cmocka/test_krb5_idp_plugin.c \
src/krb5_plugin/common/utils.c \
src/krb5_plugin/idp/idp_utils.c \
$(NULL)
test_krb5_idp_plugin_CFLAGS = \
......@@ -3834,6 +3927,21 @@ test_krb5_idp_plugin_LDADD = \
$(JANSSON_LIBS) \
$(NULL)
if BUILD_PASSKEY
test_krb5_passkey_plugin_SOURCES = \
src/tests/cmocka/test_krb5_passkey_plugin.c \
src/krb5_plugin/common/utils.c \
src/krb5_plugin/passkey/passkey_utils.c \
$(NULL)
test_krb5_passkey_plugin_CFLAGS = \
$(AM_CFLAGS) \
$(NULL)
test_krb5_passkey_plugin_LDADD = \
$(CMOCKA_LIBS) \
$(JANSSON_LIBS) \
$(NULL)
endif # BUILD_PASSKEY
if BUILD_KCM_RENEWAL
test_kcm_renewals_SOURCES = \
$(TEST_MOCK_RESP_OBJ) \
......@@ -3924,8 +4032,8 @@ intgcheck-prepare:
--with-ldb-lib-dir="$$prefix"/lib/ldb \
--enable-intgcheck-reqs \
--without-semanage \
--with-files-provider \
--with-session-recording-shell=/bin/false \
--enable-files-domain \
$(INTGCHECK_CONFIGURE_FLAGS) \
CFLAGS="-O2 -g $$CFLAGS"; \
$(MAKE) $(AM_MAKEFLAGS) ; \
......@@ -4147,7 +4255,6 @@ libsss_ldap_common_la_SOURCES = \
src/providers/ldap/sdap_async_users.c \
src/providers/ldap/sdap_async_groups.c \
src/providers/ldap/sdap_async_nested_groups.c \
src/providers/ldap/sdap_async_groups_ad.c \
src/providers/ldap/sdap_async_initgroups.c \
src/providers/ldap/sdap_async_initgroups_ad.c \
src/providers/ldap/sdap_async_connection.c \
......@@ -4303,6 +4410,9 @@ libsss_proxy_la_LDFLAGS = \
-avoid-version \
-module
if BUILD_FILES_PROVIDER
dist_noinst_HEADERS += src/providers/files/files_private.h
libsss_files_la_SOURCES = \
src/providers/files/files_init.c \
src/providers/files/files_id.c \
......@@ -4327,6 +4437,7 @@ libsss_files_la_LDFLAGS = \
-avoid-version \
-module \
$(NULL)
endif # BUILD_FILES_PROVIDER
libsss_simple_la_SOURCES = \
src/providers/simple/simple_access_check.c \
......@@ -4459,6 +4570,9 @@ if BUILD_SSH
libsss_ipa_la_SOURCES += src/providers/ipa/ipa_hostid.c
endif
libsss_ipa_la_SOURCES += \
src/providers/ipa/ipa_subdomains_passkey.c
libsss_ad_la_SOURCES = \
src/providers/ad/ad_opts.c \
......@@ -4539,7 +4653,9 @@ krb5_child_SOURCES = \
src/util/become_user.c \
src/util/util_errors.c \
src/sss_client/common.c \
src/krb5_plugin/common/utils.c \
src/krb5_plugin/idp/idp_utils.c \
src/krb5_plugin/passkey/passkey_utils.c \
$(NULL)
krb5_child_CFLAGS = \
$(AM_CFLAGS) \
......@@ -4556,6 +4672,7 @@ krb5_child_LDADD = \
$(CLIENT_LIBS) \
$(SYSTEMD_LOGIN_LIBS) \
$(JANSSON_LIBS) \
libsss_sbus.la \
$(NULL)
ldap_child_SOURCES = \
......@@ -4679,6 +4796,32 @@ p11_child_LDADD += \
$(SSL_LIBS) \
$(NULL)
if BUILD_PASSKEY
passkey_child_SOURCES = \
src/passkey_child/passkey_child.c \
src/passkey_child/passkey_child_common.c \
src/passkey_child/passkey_child_credentials.c \
src/passkey_child/passkey_child_devices.c \
src/passkey_child/passkey_child_assert.c \
$(NULL)
passkey_child_CFLAGS = \
$(AM_CFLAGS) \
$(POPT_CFLAGS)
passkey_child_LDADD = \
libsss_crypt.la \
libsss_debug.la \
$(TALLOC_LIBS) \
$(DHASH_LIBS) \
$(POPT_LIBS) \
$(PASSKEY_LIBS) \
$(SSSD_INTERNAL_LTLIBS) \
$(CRYPTO_LIBS) \
$(JANSSON_LIBS) \
$(NULL)
endif # BUILD_PASSKEY
if BUILD_OIDC_CHILD
oidc_child_SOURCES = \
src/oidc_child/oidc_child.c \
......@@ -4763,6 +4906,9 @@ krb5_plugin_LTLIBRARIES = \
$(NULL)
sssd_krb5_idp_plugin_la_SOURCES = \
src/krb5_plugin/common/utils.c \
src/krb5_plugin/common/radius_clpreauth.c \
src/krb5_plugin/common/radius_kdcpreauth.c \
src/krb5_plugin/idp/idp_clpreauth.c \
src/krb5_plugin/idp/idp_kdcpreauth.c \
src/krb5_plugin/idp/idp_utils.c \
......@@ -4784,6 +4930,35 @@ sssd_krb5_idp_plugin_la_LDFLAGS = \
dist_noinst_HEADERS += src/krb5_plugin/idp/idp.h
dist_krb5snippets_DATA += src/krb5_plugin/idp/sssd_enable_idp
if BUILD_PASSKEY
krb5_plugin_LTLIBRARIES += sssd_krb5_passkey_plugin.la
sssd_krb5_passkey_plugin_la_SOURCES = \
src/krb5_plugin/common/utils.c \
src/krb5_plugin/common/radius_kdcpreauth.c \
src/krb5_plugin/common/radius_clpreauth.c \
src/krb5_plugin/passkey/passkey_clpreauth.c \
src/krb5_plugin/passkey/passkey_kdcpreauth.c \
src/krb5_plugin/passkey/passkey_utils.c \
$(NULL)
sssd_krb5_passkey_plugin_la_CFLAGS = \
$(AM_CFLAGS) \
$(KRB5_CFLAGS) \
$(NULL)
sssd_krb5_passkey_plugin_la_LIBADD = \
$(KRB5_LIBS) \
$(KRAD_LIBS) \
$(JANSSON_LIBS) \
$(NULL)
sssd_krb5_passkey_plugin_la_LDFLAGS = \
-avoid-version \
-module \
$(NULL)
dist_noinst_HEADERS += src/krb5_plugin/passkey/passkey.h
dist_krb5snippets_DATA += src/krb5_plugin/passkey/sssd_enable_passkey
endif # BUILD_PASSKEY
sssd_pac_plugin_la_SOURCES = \
src/sss_client/sssd_pac.c \
src/sss_client/common.c \
......@@ -5045,8 +5220,11 @@ dist_sssdapiplugin_DATA = \
src/config/etc/sssd.api.d/sssd-krb5.conf \
src/config/etc/sssd.api.d/sssd-ldap.conf \
src/config/etc/sssd.api.d/sssd-proxy.conf \
src/config/etc/sssd.api.d/sssd-simple.conf \
src/config/etc/sssd.api.d/sssd-files.conf
src/config/etc/sssd.api.d/sssd-simple.conf
if BUILD_FILES_PROVIDER
dist_sssdapiplugin_DATA += src/config/etc/sssd.api.d/sssd-files.conf
endif # BUILD_FILES_PROVIDER
edit_cmd = $(SED) \
-e 's|@sbindir[@]|$(sbindir)|g' \
......@@ -5237,8 +5415,10 @@ docs:
$(DOXYGEN) src/sss_client/idmap/sss_nss_idmap.doxy
$(DOXYGEN) src/lib/certmap/sss_certmap.doxy
if BUILD_IFP
if BUILD_LIBSIFP
$(DOXYGEN) src/lib/sifp/sss_simpleifp.doxy
endif
endif # BUILD_LIBSIFP
endif # BUILD_IFP
else !HAVE_DOXYGEN
docs:
@echo "Doxygen not installed, cannot generate documentation"
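Review bot: Several passkey sources are added outside `if BUILD_PASSKEY`: `src/db/sysdb_passkey_user_verification.c` in `libsss_util_la_SOURCES`, `src/responder/pam/pamsrv_passkey.c` in `sssd_pam_SOURCES`, `src/providers/ipa/ipa_subdomains_passkey.c` in `libsss_ipa_la_SOURCES`, and `src/krb5_plugin/passkey/passkey_utils.c` in `krb5_child_SOURCES`. By contrast, `passkey_child`, `sssd_krb5_passkey_plugin.la` and the passkey tests are conditional. If this is intentional (presumably the C files guard themselves with the `BUILD_PASSKEY` define from configure.ac, which is not visible here), a comment at the first of these lines would record it, e.g. `# built unconditionally; passkey code paths are compiled out without BUILD_PASSKEY`. Otherwise a build configured without `--with-passkey` still carries passkey handling code in the PAM responder and krb5_child, which is worth confirming before release.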
......
......@@ -184,10 +184,13 @@ WITH_APP_LIBS
WITH_SUDO
WITH_SUDO_LIB_PATH
WITH_AUTOFS
WITH_FILES_PROVIDER
WITH_SUBID
WITH_SUBID_LIB_PATH
WITH_PASSKEY
WITH_SSH
WITH_IFP
WITH_LIBSIFP
WITH_SYSLOG
WITH_SAMBA
WITH_NFS
......@@ -260,6 +263,14 @@ AS_IF([test x$with_kcm = xyes], [
])
m4_include([src/external/libunistring.m4])
AS_IF([test x$with_passkey = xyes], [
m4_include([src/external/libpasskey.m4])
])
if test x"$found_passkey" = xyes; then
AC_DEFINE(BUILD_PASSKEY, 1, [whether to build with passkey support])
fi
AM_CONDITIONAL([BUILD_PASSKEY], [test x"$found_passkey" = xyes])
UNICODE_LIBS=$UNISTRING_LIBS
AC_SUBST(UNICODE_LIBS)
......
......@@ -81,6 +81,12 @@ if [[ "$DISTRO_BRANCH" == -redhat-fedora-3[5-9]* ||
)
fi
if [[ "$DISTRO_BRANCH" == -redhat-fedora-* ]]; then
CONFIGURE_ARG_LIST+=(
"--with-passkey"
)
fi
declare -r -a CONFIGURE_ARG_LIST
fi # _CONFIGURE_SH
......@@ -88,6 +88,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
if [[ "$DISTRO_BRANCH" == -redhat-fedora-* ]]; then
DEPS_LIST+=(
http-parser-devel
libfido2-devel
)
fi
......@@ -118,6 +119,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
libcollection-dev
libdbus-1-dev
libdhash-dev
libfido2-dev
libglib2.0-dev
libini-config-dev
libkeyutils-dev
......
......@@ -134,6 +134,7 @@
fun:malloc
...
fun:poptGetNextOpt
...
fun:main
}
......@@ -256,3 +257,16 @@
fun:_dlerror_run
fun:dlopen@@GLIBC_2.34
}
# sssd debug initialization leak
{
sss_debug_backtrace_init-malloc
Memcheck:Leak
fun:malloc
...
fun:sss_debug_backtrace_init
...
fun:test_parse_*_args
...
fun:main
}
......@@ -49,8 +49,8 @@ fedconfig()
--with-initscript=systemd \
--with-syslog=journald \
--with-test-dir=/dev/shm \
--enable-all-experimental-features \
--cache-file=/tmp/fedconfig.cache \
--with-passkey \
${SSSD_NO_MANPAGES-} \
"$@"
}
......
......@@ -30,6 +30,12 @@
%global build_kcm_renewals 0
%endif
%if 0%{?fedora} >= 39
%global build_passkey 1
%else
%global build_passkey 0
%endif
# we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
......@@ -104,6 +110,9 @@ BuildRequires: keyutils-libs-devel
BuildRequires: krb5-devel
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libdhash-devel >= 0.4.2
%if %{build_passkey}
BuildRequires: libfido2-devel
%endif
BuildRequires: libini_config-devel >= 1.1
BuildRequires: libldb-devel >= %{ldb_version}
BuildRequires: libnfsidmap-devel
......@@ -166,6 +175,9 @@ the existing back ends.
%package common
Summary: Common files for the SSSD
License: GPLv3+
# libsss_simpleifp is removed starting 2.9.0
Obsoletes: libsss_simpleifp < 2.9.0
Obsoletes: libsss_simpleifp-debuginfo < 2.9.0
# Requires
# due to ABI changes in 1.1.30/1.2.0
Requires: libldb >= %{ldb_version}
......@@ -436,23 +448,6 @@ Provides rules for polkit integration with SSSD. This is required
for smartcard support.
%endif
%package -n libsss_simpleifp
Summary: The SSSD D-Bus responder helper library
License: GPLv3+
Requires: sssd-dbus = %{version}-%{release}
%description -n libsss_simpleifp
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
%package -n libsss_simpleifp-devel
Summary: The SSSD D-Bus responder helper library
License: GPLv3+
Requires: dbus-devel
Requires: libsss_simpleifp = %{version}-%{release}
%description -n libsss_simpleifp-devel
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
%package winbind-idmap
Summary: SSSD's idmap_sss Backend for Winbind
License: GPLv3+ and LGPLv3+
......@@ -513,6 +508,18 @@ This package provides Kerberos plugins that are required to enable
authentication against external identity providers. Additionally a helper
program to handle the OAuth 2.0 Device Authorization Grant is provided.
%if %{build_passkey}
%package passkey
Summary: SSSD helpers and plugins needed for authentication with passkey token
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: libfido2
%description passkey
This package provides helper processes and Kerberos plugins that are required to
enable authentication with passkey token.
%endif
%prep
%autosetup -p1
......@@ -546,6 +553,9 @@ autoreconf -ivf
%endif
%if 0%{?fedora}
--disable-polkit-rules-path \
%endif
%if %{build_passkey}
--with-passkey \
%endif
%{nil}
......@@ -583,6 +593,12 @@ cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
# Enable krb5 passkey plugins by default (when sssd-passkey package is installed)
%if %{build_passkey}
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
%endif
# krb5 configuration snippet
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
......@@ -718,8 +734,6 @@ done
%{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders
%dir %{_libdir}/%{name}
# The files provider is intentionally packaged in -common
%{_libdir}/%{name}/libsss_files.so
%{_libdir}/%{name}/libsss_simple.so
#Internal shared libraries
......@@ -775,7 +789,6 @@ done
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
%{_mandir}/man5/sssd.conf.5*
%{_mandir}/man5/sssd-files.5*
%{_mandir}/man5/sssd-simple.5*
%{_mandir}/man5/sssd-sudo.5*
%{_mandir}/man5/sssd-session-recording.5*
......@@ -845,19 +858,9 @@ done
%{_mandir}/man5/sssd-ifp.5*
%{_unitdir}/sssd-ifp.service
# InfoPipe DBus plumbing
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
%files -n libsss_simpleifp
%{_libdir}/libsss_simpleifp.so.*
%files -n libsss_simpleifp-devel
%doc sss_simpleifp_doc/html
%{_includedir}/sss_sifp.h
%{_includedir}/sss_sifp_dbus.h
%{_libdir}/libsss_simpleifp.so
%{_libdir}/pkgconfig/sss_simpleifp.pc
%files client -f sssd_client.lang
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libnss_sss.so.2
......@@ -990,6 +993,14 @@ done
%{_datadir}/sssd/krb5-snippets/sssd_enable_idp
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
%if %{build_passkey}
%files passkey
%attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child
%{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so
%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey
%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
%endif
%if 0%{?rhel}
%pre common
getent group sssd >/dev/null || groupadd -r sssd
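Review bot: In `%files passkey`, `%attr(755,%{sssd_user},%{sssd_user})` makes the `passkey_child` helper owned, and therefore writable, by the service account. If any process with more privilege than that account executes the helper, the account can replace what gets run. Unless something outside this page requires that ownership, `%attr(755,root,root) %{_libexecdir}/%{servicename}/passkey_child` keeps the binary root-owned. The `%install` hunk also copies `sssd_enable_passkey` into `krb5.conf.d`, so installing the subpackage enables the krb5 plugin by default; the `%description passkey` text could state that.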
......
sssd (2.8.2-5) UNRELEASED; urgency=medium
sssd (2.9.0-1) UNRELEASED; urgency=medium
* New upstream release.
* libnss-sss.postinst: Migrate to use 'case' like the other postinsts.
* patches: Drop an upstreamed patch.
* Drop deprecated simple-ifp library and files provider.
* control, rules: Add sssd-passkey, and libfido2-dev to build-depends.
-- Timo Aaltonen <tjaalton@debian.org> Thu, 27 Apr 2023 17:24:24 +0300
......
......@@ -27,6 +27,7 @@ Build-Depends:
libcurl4-openssl-dev,
libdbus-1-dev,
libdhash-dev,
libfido2-dev,
libgdm-dev [!s390x !kfreebsd-any !hurd-any],
libglib2.0-dev,
libini-config-dev,
......@@ -223,6 +224,13 @@ Description: System Security Services Daemon -- LDAP back end
Provides the LDAP back end that the SSSD can utilize to fetch identity data
from and authenticate against an LDAP server.
Package: sssd-passkey
Architecture: any
Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
Description: System Security Services Daemon -- passkey helpers and plugins
Provides the helper processes and Kerberos plugins that are required to
enable authentication with a passkey token.
Package: sssd-proxy
Architecture: any
Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
......@@ -359,24 +367,6 @@ Description: Communicator library for sudo
Utility library to allow communication between sudo and SSSD for caching
sudo rules by SSSD.
Package: libsss-simpleifp0
Section: libs
Architecture: any
Depends: ${misc:Depends}, ${shlibs:Depends},
sssd-dbus (= ${binary:Version}),
Description: SSSD D-Bus responder helper library
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
Package: libsss-simpleifp-dev
Section: libdevel
Architecture: any
Depends: libsss-simpleifp0 (= ${binary:Version}), ${misc:Depends}
Description: SSSD D-Bus responder helper library -- development files
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
.
This package contains header files and symlinks to develop programs which will
use the libsss-simpleifp0 library.
Package: python3-libipa-hbac
Section: python
Architecture: any
......
usr/include/sss_sifp*
usr/lib/*/libsss_simpleifp.so
usr/lib/*/pkgconfig/sss_simpleifp.pc
usr/lib/*/libsss_simpleifp.so.*
From: Gioele Barabucci <gioele@svario.it>
Date: Sat, 18 Feb 2023 10:53:27 +0100
Subject: Makefile: Install dbus policy in /usr, not /etc
Forwarded: https://github.com/SSSD/sssd/pull/6580
From <https://bugs.debian.org/1006631>:
> dbus supports policy files in both `/usr/share/dbus-1/system.d` and
> `/etc/dbus-1/systemd`. [The] recently released dbus 1.14.0, officially
> deprecates installing packages' default policies into `/etc/dbus-1/systemd`,
> instead reserving it for the sysadmin. This is the same idea as the
> difference between `/usr/lib/udev/rules.d` and `/etc/udev/rules.d`.
---
Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 99209e6..3aa73c5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -58,7 +58,7 @@ sssddatadir = $(datadir)/sssd
sssdapiplugindir = $(sssddatadir)/sssd.api.d
sssdtapscriptdir = $(sssddatadir)/systemtap
krb5snippetsdir = $(sssddatadir)/krb5-snippets
-dbuspolicydir = $(sysconfdir)/dbus-1/system.d
+dbuspolicydir = $(datadir)/dbus-1/system.d
dbusservicedir = $(datadir)/dbus-1/system-services
sss_statedir = $(localstatedir)/lib/sss
runstatedir = @runstatedir@
fix-whitespace-test.diff
default-to-socket-activated-services.diff
fix-shebang-on-sss_analyze.patch
0004-Makefile-Install-dbus-policy-in-usr-not-etc.patch
......@@ -47,7 +47,8 @@ override_dh_auto_configure:
--with-pid-path=/run \
--with-sssd-user=root \
--with-sudo \
--with-subid
--with-subid \
--with-passkey
override_dh_auto_test:
ifeq ($(filter nocheck,$(DEB_BUILD_OPTIONS)),)
......
......@@ -27,7 +27,6 @@ usr/lib/*/sssd/libsss_cert.so
usr/lib/*/sssd/libsss_child.so
usr/lib/*/sssd/libsss_crypt.so
usr/lib/*/sssd/libsss_debug.so
usr/lib/*/sssd/libsss_files.so
usr/lib/*/sssd/libsss_iface.so
usr/lib/*/sssd/libsss_iface_sync.so
usr/lib/*/sssd/libsss_krb5_common.so
......@@ -53,7 +52,6 @@ usr/share/locale/*/LC_MESSAGES/*
usr/share/man/man1/sss_ssh_authorizedkeys.1*
usr/share/man/man1/sss_ssh_knownhostsproxy.1*
usr/share/man/man5/sss_rpcidmapd.5*
usr/share/man/man5/sssd-files.5*
usr/share/man/man5/sssd-session-recording.5*
usr/share/man/man5/sssd-simple.5*
usr/share/man/man5/sssd-sudo.5*
......