From f2a81a22124e93a026ec0f06b77eab50998ecba5 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Wed, 15 Mar 2017 14:21:26 +0100

Subject: [PATCH 12/15] nss-idmap: add sss_nss_getlistbycert()

This patch adds a getlistbycert() call to libsss_nss_idmap to make it on

par with InfoPipe.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

---

 Makefile.am                                |   2 +-

 src/python/pysss_nss_idmap.c               | 103 ++++++++++++++++++-

 src/responder/nss/nss_cmd.c                |   7 ++

 src/responder/nss/nss_protocol.h           |   6 ++

 src/responder/nss/nss_protocol_sid.c       |  63 ++++++++++++

 src/sss_client/idmap/sss_nss_idmap.c       | 110 +++++++++++++++++++-

 src/sss_client/idmap/sss_nss_idmap.exports |   6 ++

 src/sss_client/idmap/sss_nss_idmap.h       |  17 +++-

 src/sss_client/sss_cli.h                   |   5 +

 src/tests/cmocka/test_nss_srv.c            | 158 +++++++++++++++++++++++++++++

 10 files changed, 471 insertions(+), 6 deletions(-)

diff --git a/Makefile.am b/Makefile.am

index bd0ca0d303e1742ad26c7648cd24e2c0135af34e..7516338bc6fd95045d20db8155a0c82fd7003358 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -1128,7 +1128,7 @@ libsss_nss_idmap_la_LIBADD = \

     $(CLIENT_LIBS)

 libsss_nss_idmap_la_LDFLAGS = \

     -Wl,--version-script,$(srcdir)/src/sss_client/idmap/sss_nss_idmap.exports \

-    -version-info 2:0:2

+    -version-info 3:0:3

 dist_noinst_DATA += src/sss_client/idmap/sss_nss_idmap.exports

diff --git a/src/python/pysss_nss_idmap.c b/src/python/pysss_nss_idmap.c

index c57cc10a86a7a9a22a791c1eae027a1aafa8f780..2e5851c7a6e48629fd93e428aada499fcbe36ebb 100644

--- a/src/python/pysss_nss_idmap.c

+++ b/src/python/pysss_nss_idmap.c

@@ -36,9 +36,37 @@ enum lookup_type {

     SIDBYID,

     NAMEBYSID,

     IDBYSID,

-    NAMEBYCERT

+    NAMEBYCERT,

+    LISTBYCERT

 };

+static int add_dict_to_list(PyObject *py_list, PyObject *res_type,

+                            PyObject *res, PyObject *id_type)

+{

+    int ret;

+    PyObject *py_dict;

+

+    py_dict =  PyDict_New();

+    if (py_dict == NULL) {

+        return ENOMEM;

+    }

+

+    ret = PyDict_SetItem(py_dict, res_type, res);

+    if (ret != 0) {

+        Py_XDECREF(py_dict);

+        return ret;

+    }

+

+    ret = PyDict_SetItem(py_dict, PyBytes_FromString(SSS_TYPE_KEY), id_type);

+    if (ret != 0) {

+        Py_XDECREF(py_dict);

+        return ret;

+    }

+

+    ret = PyList_Append(py_list, py_dict);

+

+    return ret;

+}

 static int add_dict(PyObject *py_result, PyObject *key, PyObject *res_type,

                     PyObject *res, PyObject *id_type)

 {

@@ -191,6 +219,57 @@ static int do_getnamebycert(PyObject *py_result, PyObject *py_cert)

     return ret;

 }

+static int do_getlistbycert(PyObject *py_result, PyObject *py_cert)

+{

+    int ret;

+    const char *cert;

+    char **names = NULL;

+    enum sss_id_type *id_types = NULL;

+    size_t c;

+

+    cert = py_string_or_unicode_as_string(py_cert);

+    if (cert == NULL) {

+        return EINVAL;

+    }

+

+    ret = sss_nss_getlistbycert(cert, &names, &id_types);

+    if (ret == 0) {

+

+        PyObject *py_list;

+

+        py_list =  PyList_New(0);

+        if (py_list == NULL) {

+            return ENOMEM;

+        }

+

+        for (c = 0; names[c] != NULL; c++) {

+            ret = add_dict_to_list(py_list,

+                                   PyBytes_FromString(SSS_NAME_KEY),

+                                   PyUnicode_FromString(names[c]),

+                                   PYNUMBER_FROMLONG(id_types[c]));

+            if (ret != 0) {

+                goto done;

+            }

+        }

+        ret = PyDict_SetItem(py_result, py_cert, py_list);

+        if (ret != 0) {

+            goto done;

+        }

+    }

+

+done:

+    free(id_types);

+    if (names != NULL) {

+        for (c = 0; names[c] != NULL; c++) {

+            free(names[c]);

+        }

+        free(names);

+    }

+

+    return ret;

+}

+

+

 static int do_getidbysid(PyObject *py_result, PyObject *py_sid)

 {

     const char *sid;

@@ -231,6 +310,9 @@ static int do_lookup(enum lookup_type type, PyObject *py_result,

     case NAMEBYCERT:

         return do_getnamebycert(py_result, py_inp);

         break;

+    case LISTBYCERT:

+        return do_getlistbycert(py_result, py_inp);

+        break;

     default:

         return ENOSYS;

     }

@@ -368,7 +450,7 @@ static PyObject * py_getidbysid(PyObject *module, PyObject *args)

 }

 PyDoc_STRVAR(getnamebycert_doc,

-"getnamebycert(sid or list/tuple of certificates) -> dict(sid => dict(results))\n\

+"getnamebycert(certificate or list/tuple of certificates) -> dict(certificate => dict(results))\n\

 \n\

 Returns a dictionary with a dictonary of results for each given certificates.\n\

 The result dictonary contain the name and the type of the object which can be\n\

@@ -382,6 +464,21 @@ static PyObject * py_getnamebycert(PyObject *module, PyObject *args)

     return check_args(NAMEBYCERT, args);

 }

+PyDoc_STRVAR(getlistbycert_doc,

+"getnamebycert(certificate or list/tuple of certificates) -> dict(certificate => dict(results))\n\

+\n\

+Returns a dictionary with a dictonary of results for each given certificates.\n\

+The result dictonary contain the name and the type of the object which can be\n\

+accessed with the key constants NAME_KEY and TYPE_KEY, respectively.\n\

+\n\

+NOTE: getlistbycert currently works only with id_provider set as \"ad\" or \"ipa\""

+);

+

+static PyObject * py_getlistbycert(PyObject *module, PyObject *args)

+{

+    return check_args(LISTBYCERT, args);

+}

+

 static PyMethodDef methods[] = {

     { sss_py_const_p(char, "getsidbyname"), (PyCFunction) py_getsidbyname,

       METH_VARARGS, getsidbyname_doc },

@@ -393,6 +490,8 @@ static PyMethodDef methods[] = {

       METH_VARARGS, getidbysid_doc },

     { sss_py_const_p(char, "getnamebycert"), (PyCFunction) py_getnamebycert,

       METH_VARARGS, getnamebycert_doc },

+    { sss_py_const_p(char, "getlistbycert"), (PyCFunction) py_getlistbycert,

+      METH_VARARGS, getlistbycert_doc },

     { NULL,NULL, 0, NULL }

 };

diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c

index 08b3d32f2662efc1cc803f6e9e5f2d064f7d3033..1931bf62a686c7f30852dac547866609cf54a81b 100644

--- a/src/responder/nss/nss_cmd.c

+++ b/src/responder/nss/nss_cmd.c

@@ -932,6 +932,12 @@ static errno_t nss_cmd_getnamebycert(struct cli_ctx *cli_ctx)

                           nss_protocol_fill_single_name);

 }

+static errno_t nss_cmd_getlistbycert(struct cli_ctx *cli_ctx)

+{

+    return nss_getby_cert(cli_ctx, CACHE_REQ_USER_BY_CERT,

+                          nss_protocol_fill_name_list);

+}

+

 struct sss_cmd_table *get_nss_cmds(void)

 {

     static struct sss_cmd_table nss_cmds[] = {

@@ -961,6 +967,7 @@ struct sss_cmd_table *get_nss_cmds(void)

         { SSS_NSS_GETIDBYSID, nss_cmd_getidbysid },

         { SSS_NSS_GETORIGBYNAME, nss_cmd_getorigbyname },

         { SSS_NSS_GETNAMEBYCERT, nss_cmd_getnamebycert },

+        { SSS_NSS_GETLISTBYCERT, nss_cmd_getlistbycert },

         { SSS_CLI_NULL, NULL }

     };

diff --git a/src/responder/nss/nss_protocol.h b/src/responder/nss/nss_protocol.h

index c94e7b911eb3c0f97b8c06b1766573311cde41ae..e4c0e52c0e642e885ef2c8423ea564beff7242cf 100644

--- a/src/responder/nss/nss_protocol.h

+++ b/src/responder/nss/nss_protocol.h

@@ -175,6 +175,12 @@ nss_protocol_fill_single_name(struct nss_ctx *nss_ctx,

                               struct cache_req_result *result);

 errno_t

+nss_protocol_fill_name_list(struct nss_ctx *nss_ctx,

+                            struct nss_cmd_ctx *cmd_ctx,

+                            struct sss_packet *packet,

+                            struct cache_req_result *result);

+

+errno_t

 nss_protocol_fill_id(struct nss_ctx *nss_ctx,

                      struct nss_cmd_ctx *cmd_ctx,

                      struct sss_packet *packet,

diff --git a/src/responder/nss/nss_protocol_sid.c b/src/responder/nss/nss_protocol_sid.c

index 0b97e65f75412d40832d861568d8e2f9de5e1732..a6a4e27d039c67ef98f6d5900d5e3fcadb3ee717 100644

--- a/src/responder/nss/nss_protocol_sid.c

+++ b/src/responder/nss/nss_protocol_sid.c

@@ -498,3 +498,66 @@ nss_protocol_fill_id(struct nss_ctx *nss_ctx,

     return EOK;

 }

+

+errno_t

+nss_protocol_fill_name_list(struct nss_ctx *nss_ctx,

+                            struct nss_cmd_ctx *cmd_ctx,

+                            struct sss_packet *packet,

+                            struct cache_req_result *result)

+{

+    enum sss_id_type *id_types;

+    size_t rp = 0;

+    size_t body_len;

+    uint8_t *body;

+    errno_t ret;

+    struct sized_string *sz_names;

+    size_t len;

+    size_t c;

+    const char *tmp_str;

+

+    sz_names = talloc_array(cmd_ctx, struct sized_string, result->count);

+    if (sz_names == NULL) {

+        return ENOMEM;

+    }

+

+    id_types = talloc_array(cmd_ctx, enum sss_id_type, result->count);

+    if (id_types == NULL) {

+        return ENOMEM;

+    }

+

+    len = 0;

+    for (c = 0; c < result->count; c++) {

+        ret = nss_get_id_type(cmd_ctx, result, &(id_types[c]));

+        if (ret != EOK) {

+            return ret;

+        }

+

+        tmp_str = nss_get_name_from_msg(result->domain, result->msgs[c]);

+        if (tmp_str == NULL) {

+            return EINVAL;

+        }

+        to_sized_string(&(sz_names[c]), tmp_str);

+

+        len += sz_names[c].len;

+    }

+

+    len += (2 + result->count) * sizeof(uint32_t);

+

+    ret = sss_packet_grow(packet, len);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "sss_packet_grow failed.\n");

+        return ret;

+    }

+

+    sss_packet_get_body(packet, &body, &body_len);

+

+    SAFEALIGN_SET_UINT32(&body[rp], result->count, &rp); /* Num results. */

+    SAFEALIGN_SET_UINT32(&body[rp], 0, &rp); /* Reserved. */

+    for (c = 0; c < result->count; c++) {

+        SAFEALIGN_SET_UINT32(&body[rp], id_types[c], &rp);

+        SAFEALIGN_SET_STRING(&body[rp], sz_names[c].str, sz_names[c].len,

+                             &rp);

+    }

+

+    return EOK;

+}

diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c

index fa5a499e3606f7e45a406de4d63002ba35365cb1..6f3af267a1e763e7dce77e3862be377ae2bfe984 100644

--- a/src/sss_client/idmap/sss_nss_idmap.c

+++ b/src/sss_client/idmap/sss_nss_idmap.c

@@ -31,6 +31,7 @@

 #include "util/strtonum.h"

 #define DATA_START (3 * sizeof(uint32_t))

+#define LIST_START (2 * sizeof(uint32_t))

 union input {

     const char *str;

     uint32_t id;

@@ -38,10 +39,12 @@ union input {

 struct output {

     enum sss_id_type type;

+    enum sss_id_type *types;

     union {

         char *str;

         uint32_t id;

         struct sss_nss_kv *kv_list;

+        char **names;

     } d;

 };

@@ -72,6 +75,63 @@ void sss_nss_free_kv(struct sss_nss_kv *kv_list)

     }

 }

+void sss_nss_free_list(char **l)

+{

+    size_t c;

+

+    if (l != NULL) {

+        for (c = 0; l[c] != NULL; c++) {

+            free(l[c]);

+        }

+        free(l);

+    }

+}

+

+static int buf_to_name_type_list(uint8_t *buf, size_t buf_len, uint32_t num,

+                                 char ***names, enum sss_id_type **types)

+{

+    int ret;

+    size_t c;

+    char **n = NULL;

+    enum sss_id_type *t = NULL;

+    size_t rp = 0;

+

+    n = calloc(num + 1, sizeof(char *));

+    if (n == NULL) {

+        ret = ENOMEM;

+        goto done;

+    }

+

+    t = calloc(num + 1, sizeof(enum sss_id_type));

+    if (t == NULL) {

+        ret = ENOMEM;

+        goto done;

+    }

+

+    for (c = 0; c < num; c++) {

+        SAFEALIGN_COPY_UINT32(&(t[c]), buf + rp, &rp);

+        n[c] = strdup((char *) buf + rp);

+        if (n[c] == NULL) {

+            ret = ENOMEM;

+            goto done;

+        }

+        rp += strlen(n[c]) + 1;

+    }

+

+    ret = EOK;

+

+done:

+    if (ret != EOK) {

+        sss_nss_free_list(n);

+        free(t);

+    } else {

+        *names = n;

+        *types = t;

+    }

+

+    return ret;

+}

+

 static int  buf_to_kv_list(uint8_t *buf, size_t buf_len,

                            struct sss_nss_kv **kv_list)

 {

@@ -153,13 +213,14 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd ,

     size_t data_len;

     uint32_t c;

     struct sss_nss_kv *kv_list;

+    char **names;

+    enum sss_id_type *types;

     switch (cmd) {

     case SSS_NSS_GETSIDBYNAME:

     case SSS_NSS_GETNAMEBYSID:

     case SSS_NSS_GETIDBYSID:

     case SSS_NSS_GETORIGBYNAME:

-    case SSS_NSS_GETNAMEBYCERT:

         ret = sss_strnlen(inp.str, 2048, &inp_len);

         if (ret != EOK) {

             return EINVAL;

@@ -169,6 +230,17 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd ,

         rd.data = inp.str;

         break;

+    case SSS_NSS_GETNAMEBYCERT:

+    case SSS_NSS_GETLISTBYCERT:

+        ret = sss_strnlen(inp.str, 10 * 1024 , &inp_len);

+        if (ret != EOK) {

+            return EINVAL;

+        }

+

+        rd.len = inp_len + 1;

+        rd.data = inp.str;

+

+        break;

     case SSS_NSS_GETSIDBYID:

         rd.len = sizeof(uint32_t);

         rd.data = &inp.id;

@@ -195,7 +267,7 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd ,

     if (num_results == 0) {

         ret = ENOENT;

         goto done;

-    } else if (num_results > 1) {

+    } else if (num_results > 1 && cmd != SSS_NSS_GETLISTBYCERT) {

         ret = EBADMSG;

         goto done;

     }

@@ -237,6 +309,18 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd ,

         out->d.id = c;

         break;

+    case SSS_NSS_GETLISTBYCERT:

+        ret = buf_to_name_type_list(repbuf + LIST_START, replen - LIST_START,

+                                    num_results,

+                                    &names, &types);

+        if (ret != EOK) {

+            goto done;

+        }

+

+        out->types = types;

+        out->d.names = names;

+

+        break;

     case SSS_NSS_GETORIGBYNAME:

         ret = buf_to_kv_list(repbuf + DATA_START, data_len, &kv_list);

         if (ret != EOK) {

@@ -392,3 +476,25 @@ int sss_nss_getnamebycert(const char *cert, char **fq_name,

     return ret;

 }

+

+int sss_nss_getlistbycert(const char *cert, char ***fq_name,

+                          enum sss_id_type **type)

+{

+    int ret;

+    union input inp;

+    struct output out;

+

+    if (fq_name == NULL || cert == NULL || *cert == '\0') {

+        return EINVAL;

+    }

+

+    inp.str = cert;

+

+    ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETLISTBYCERT, &out;;

+    if (ret == EOK) {

+        *fq_name = out.d.names;

+        *type = out.types;

+    }

+

+    return ret;

+}

diff --git a/src/sss_client/idmap/sss_nss_idmap.exports b/src/sss_client/idmap/sss_nss_idmap.exports

index bd5d80212017d38334c3cdeefa47d6029f42aebb..49dac6fc9351b0ca98cd46e83b85ec8ef0075a0d 100644

--- a/src/sss_client/idmap/sss_nss_idmap.exports

+++ b/src/sss_client/idmap/sss_nss_idmap.exports

@@ -25,3 +25,9 @@ SSS_NSS_IDMAP_0.2.0 {

     global:

         sss_nss_getnamebycert;

 } SSS_NSS_IDMAP_0.1.0;

+

+SSS_NSS_IDMAP_0.3.0 {

+    # public functions

+    global:

+        sss_nss_getlistbycert;

+} SSS_NSS_IDMAP_0.2.0;

diff --git a/src/sss_client/idmap/sss_nss_idmap.h b/src/sss_client/idmap/sss_nss_idmap.h

index 8a6299194e7b91e084b26c0c96e2f93875a832e7..cbf19479ff9ec6e0d6e07e1f7e48a1571e147740 100644

--- a/src/sss_client/idmap/sss_nss_idmap.h

+++ b/src/sss_client/idmap/sss_nss_idmap.h

@@ -130,7 +130,7 @@ int sss_nss_getorigbyname(const char *fq_name, struct sss_nss_kv **kv_list,

  * @param[in] cert     base64 encoded certificate

  * @param[out] fq_name Fully qualified name of a user or a group,

  *                     must be freed by the caller

- * @param[out] type    Type of the object related to the SID

+ * @param[out] type    Type of the object related to the cert

  *

  * @return

  *  - see #sss_nss_getsidbyname

@@ -139,6 +139,21 @@ int sss_nss_getnamebycert(const char *cert, char **fq_name,

                           enum sss_id_type *type);

 /**

+ * @brief Return a list of fully qualified names for the given base64 encoded

+ * X.509 certificate in DER format

+ *

+ * @param[in] cert     base64 encoded certificate

+ * @param[out] fq_name List of fully qualified name of users or groups,

+ *                     must be freed by the caller

+ * @param[out] type    List of types of the objects related to the cert

+ *

+ * @return

+ *  - see #sss_nss_getsidbyname

+ */

+int sss_nss_getlistbycert(const char *cert, char ***fq_name,

+                          enum sss_id_type **type);

+

+/**

  * @brief Free key-value list returned by sss_nss_getorigbyname()

  *

  * @param[in] kv_list Key-value list returned by sss_nss_getorigbyname().

diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h

index 8091e11515184dc9b7f32eed535055d9eee3143f..59fee7a4eceb2c185e156e812af7f2f4c6b2a0dd 100644

--- a/src/sss_client/sss_cli.h

+++ b/src/sss_client/sss_cli.h

@@ -260,6 +260,11 @@ SSS_NSS_GETNAMEBYCERT = 0x0116, /**< Takes the zero terminated string

                                      of a X509 certificate and returns the zero

                                      terminated fully qualified name of the

                                      related object. */

+SSS_NSS_GETLISTBYCERT = 0x0117, /**< Takes the zero terminated string

+                                     of the base64 encoded DER representation

+                                     of a X509 certificate and returns a list

+                                     of zero terminated fully qualified names

+                                     of the related objects. */

 };

 /**

diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c

index 76b9c6fb05673130de0957e93291919c263a28f3..50714715cc80338640f2a77ecbe17bd5e0d6e911 100644

--- a/src/tests/cmocka/test_nss_srv.c

+++ b/src/tests/cmocka/test_nss_srv.c

@@ -3454,6 +3454,16 @@ struct passwd testbycert = {

     .pw_passwd = discard_const("*"),

 };

+struct passwd testbycert2 = {

+    .pw_name = discard_const("testcertuser2"),

+    .pw_uid = 23457,

+    .pw_gid = 6890,

+    .pw_dir = discard_const("/home/testcertuser2"),

+    .pw_gecos = discard_const("test cert user2"),

+    .pw_shell = discard_const("/bin/sh"),

+    .pw_passwd = discard_const("*"),

+};

+

 #define TEST_TOKEN_CERT \

 "MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \

 "REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA2MjMx" \

@@ -3495,6 +3505,57 @@ static int test_nss_getnamebycert_check(uint32_t status, uint8_t *body, size_t b

     return EOK;

 }

+static int test_nss_getlistbycert_check(uint32_t status, uint8_t *body, size_t blen)

+{

+    size_t rp = 0;

+    uint32_t id_type;

+    uint32_t num;

+    uint32_t reserved;

+    const char *name;

+    int found = 0;

+    const char *fq_name1 = "testcertuser@"TEST_DOM_NAME ;

+    const char *fq_name2 = "testcertuser2@"TEST_DOM_NAME;

+

+    assert_int_equal(status, EOK);

+

+    /* num_results and reserved */

+    SAFEALIGN_COPY_UINT32(&num, body + rp, &rp);

+    assert_in_range(num, 1, 2);

+    SAFEALIGN_COPY_UINT32(&reserved, body + rp, &rp);

+    assert_int_equal(reserved, 0);

+

+    SAFEALIGN_COPY_UINT32(&id_type, body + rp, &rp);

+    assert_int_equal(id_type, SSS_ID_TYPE_UID);

+

+    name = (const char *)body + rp;

+    if (num == 1) {

+        assert_string_equal(name, fq_name1);

+        return EOK;

+    }

+

+    rp += strlen(name) + 1;

+    if (strcmp(name, fq_name1) == 0) {

+        found = 1;

+    } else if (strcmp(name, fq_name2) == 0) {

+        found = 2;

+    }

+    assert_in_range(found, 1, 2);

+

+    SAFEALIGN_COPY_UINT32(&id_type, body + rp, &rp);

+    assert_int_equal(id_type, SSS_ID_TYPE_UID);

+

+    name = (const char *)body + rp;

+    if (found == 1) {

+        assert_string_equal(name, fq_name2);

+    } else {

+        assert_string_equal(name, fq_name1);

+    }

+

+

+    return EOK;

+}

+

+

 static void test_nss_getnamebycert(void **state)

 {

     errno_t ret;

@@ -3572,6 +3633,99 @@ void test_nss_getnamebycert_neg(void **state)

     assert_int_equal(nss_test_ctx->ncache_hits, 1);

 }

+static void test_nss_getlistbycert(void **state)

+{

+    errno_t ret;

+    struct sysdb_attrs *attrs;

+    unsigned char *der = NULL;

+    size_t der_size;

+

+    attrs = sysdb_new_attrs(nss_test_ctx);

+    assert_non_null(attrs);

+

+    der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size);

+    assert_non_null(der);

+

+    ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);

+    talloc_free(der);

+    assert_int_equal(ret, EOK);

+

+    /* Prime the cache with a valid user */

+    ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,

+                     &testbycert, attrs, 0);

+    assert_int_equal(ret, EOK);

+    talloc_free(attrs);

+

+    mock_input_cert(TEST_TOKEN_CERT);

+    will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETLISTBYCERT);

+    mock_fill_bysid();

+

+    /* Query for that user, call a callback when command finishes */

+    /* Should go straight to back end, without contacting DP. */

+    /* If there is only a single user mapped the result will look like the */

+    /* result of getnamebycert. */

+    set_cmd_cb(test_nss_getlistbycert_check);

+    ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETLISTBYCERT,

+                          nss_test_ctx->nss_cmds);

+    assert_int_equal(ret, EOK);

+

+    /* Wait until the test finishes with EOK */

+    ret = test_ev_loop(nss_test_ctx->tctx);

+    assert_int_equal(ret, EOK);

+}

+

+static void test_nss_getlistbycert_multi(void **state)

+{

+    errno_t ret;

+    struct sysdb_attrs *attrs;

+    unsigned char *der = NULL;

+    size_t der_size;

+

+    der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size);

+    assert_non_null(der);

+

+    attrs = sysdb_new_attrs(nss_test_ctx);

+    assert_non_null(attrs);

+

+    ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);

+    assert_int_equal(ret, EOK);

+

+    /* Prime the cache with two valid user */

+    ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,

+                     &testbycert, attrs, 0);

+    assert_int_equal(ret, EOK);

+    talloc_free(attrs);

+

+    /* Looks like attrs is modified during store_user() makes sure we start

+     * with fresh data. */

+    attrs = sysdb_new_attrs(nss_test_ctx);

+    assert_non_null(attrs);

+

+    ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);

+    talloc_free(der);

+    assert_int_equal(ret, EOK);

+

+    ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,

+                     &testbycert2, attrs, 0);

+    assert_int_equal(ret, EOK);

+    talloc_free(attrs);

+

+    mock_input_cert(TEST_TOKEN_CERT);

+    will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETLISTBYCERT);

+    mock_fill_bysid();

+

+    /* Query for that user, call a callback when command finishes */

+    /* Should go straight to back end, without contacting DP */

+    set_cmd_cb(test_nss_getlistbycert_check);

+    ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETLISTBYCERT,

+                          nss_test_ctx->nss_cmds);

+    assert_int_equal(ret, EOK);

+

+    /* Wait until the test finishes with EOK */

+    ret = test_ev_loop(nss_test_ctx->tctx);

+    assert_int_equal(ret, EOK);

+}

+