From e87e0059520de24047e8448a5b417393adc6c5b4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 16 Sep 2016 11:47:40 +0200
Subject: [PATCH 142/143] p11: return a fully-qualified name
Related to https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3649b959709f1ab187092f054d4aace0798c98fa)
---
src/responder/pam/pamsrv_p11.c | 20 +++++++++-----------
src/tests/cmocka/test_pam_srv.c | 16 ++++++++--------
2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 22da33067d5c479153376927855dcd6b43322d8b..570bfe09d4385a038e7e03fcb64c72dd794774a6 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -521,33 +521,31 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
size_t msg_len;
size_t slot_len;
int ret;
- char *username;
if (sysdb_username == NULL || token_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
return EINVAL;
}
- ret = sss_parse_internal_fqname(pd, sysdb_username, &username, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot parse [%s]\n", sysdb_username);
- return ret;
- }
-
- user_len = strlen(username) + 1;
+ user_len = strlen(sysdb_username) + 1;
slot_len = strlen(token_name) + 1;
msg_len = user_len + slot_len;
msg = talloc_zero_size(pd, msg_len);
if (msg == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
- talloc_free(username);
return ENOMEM;
}
- memcpy(msg, username, user_len);
+ /* sysdb_username is a fully-qualified name which is used by pam_sss when
+ * prompting the user for the PIN and as login name if it wasn't set by
+ * the PAM caller but has to be determined based on the inserted
+ * Smartcard. If this type of name is irritating at the PIN prompt or the
+ * re_expression config option was set in a way that user@domain cannot be
+ * handled anymore some more logic has to be added here. But for the time
+ * being I think using sysdb_username is fine. */
+ memcpy(msg, sysdb_username, user_len);
memcpy(msg + user_len, token_name, slot_len);
- talloc_free(username);
ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
talloc_free(msg);
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 02199e6f121cab0784389256cdaac38baf9d73e3..4b2dea4be6a819b23afd243ba99cd9bd57c16c20 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -664,11 +664,11 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
assert_int_equal(val, SSS_PAM_CERT_INFO);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
- assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
- assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
- assert_string_equal(body + rp, "pamuser");
- rp += sizeof("pamuser");
+ assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
+ assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
+ rp += sizeof("pamuser@"TEST_DOM_NAME);
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
assert_string_equal(body + rp, TEST_TOKEN_NAME);
@@ -703,11 +703,11 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
assert_int_equal(val, SSS_PAM_CERT_INFO);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
- assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
- assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
- assert_string_equal(body + rp, "pamuser");
- rp += sizeof("pamuser");
+ assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
+ assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
+ rp += sizeof("pamuser@"TEST_DOM_NAME);
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
assert_string_equal(body + rp, TEST_TOKEN_NAME);
--
2.7.4