Blob Blame History Raw
From f2a81a22124e93a026ec0f06b77eab50998ecba5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 15 Mar 2017 14:21:26 +0100
Subject: [PATCH 12/15] nss-idmap: add sss_nss_getlistbycert()

This patch adds a getlistbycert() call to libsss_nss_idmap to make it on
par with InfoPipe.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 Makefile.am                                |   2 +-
 src/python/pysss_nss_idmap.c               | 103 ++++++++++++++++++-
 src/responder/nss/nss_cmd.c                |   7 ++
 src/responder/nss/nss_protocol.h           |   6 ++
 src/responder/nss/nss_protocol_sid.c       |  63 ++++++++++++
 src/sss_client/idmap/sss_nss_idmap.c       | 110 +++++++++++++++++++-
 src/sss_client/idmap/sss_nss_idmap.exports |   6 ++
 src/sss_client/idmap/sss_nss_idmap.h       |  17 +++-
 src/sss_client/sss_cli.h                   |   5 +
 src/tests/cmocka/test_nss_srv.c            | 158 +++++++++++++++++++++++++++++
 10 files changed, 471 insertions(+), 6 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index bd0ca0d303e1742ad26c7648cd24e2c0135af34e..7516338bc6fd95045d20db8155a0c82fd7003358 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1128,7 +1128,7 @@ libsss_nss_idmap_la_LIBADD = \
     $(CLIENT_LIBS)
 libsss_nss_idmap_la_LDFLAGS = \
     -Wl,--version-script,$(srcdir)/src/sss_client/idmap/sss_nss_idmap.exports \
-    -version-info 2:0:2
+    -version-info 3:0:3
 
 dist_noinst_DATA += src/sss_client/idmap/sss_nss_idmap.exports
 
diff --git a/src/python/pysss_nss_idmap.c b/src/python/pysss_nss_idmap.c
index c57cc10a86a7a9a22a791c1eae027a1aafa8f780..2e5851c7a6e48629fd93e428aada499fcbe36ebb 100644
--- a/src/python/pysss_nss_idmap.c
+++ b/src/python/pysss_nss_idmap.c
@@ -36,9 +36,37 @@ enum lookup_type {
     SIDBYID,
     NAMEBYSID,
     IDBYSID,
-    NAMEBYCERT
+    NAMEBYCERT,
+    LISTBYCERT
 };
 
+static int add_dict_to_list(PyObject *py_list, PyObject *res_type,
+                            PyObject *res, PyObject *id_type)
+{
+    int ret;
+    PyObject *py_dict;
+
+    py_dict =  PyDict_New();
+    if (py_dict == NULL) {
+        return ENOMEM;
+    }
+
+    ret = PyDict_SetItem(py_dict, res_type, res);
+    if (ret != 0) {
+        Py_XDECREF(py_dict);
+        return ret;
+    }
+
+    ret = PyDict_SetItem(py_dict, PyBytes_FromString(SSS_TYPE_KEY), id_type);
+    if (ret != 0) {
+        Py_XDECREF(py_dict);
+        return ret;
+    }
+
+    ret = PyList_Append(py_list, py_dict);
+
+    return ret;
+}
 static int add_dict(PyObject *py_result, PyObject *key, PyObject *res_type,
                     PyObject *res, PyObject *id_type)
 {
@@ -191,6 +219,57 @@ static int do_getnamebycert(PyObject *py_result, PyObject *py_cert)
     return ret;
 }
 
+static int do_getlistbycert(PyObject *py_result, PyObject *py_cert)
+{
+    int ret;
+    const char *cert;
+    char **names = NULL;
+    enum sss_id_type *id_types = NULL;
+    size_t c;
+
+    cert = py_string_or_unicode_as_string(py_cert);
+    if (cert == NULL) {
+        return EINVAL;
+    }
+
+    ret = sss_nss_getlistbycert(cert, &names, &id_types);
+    if (ret == 0) {
+
+        PyObject *py_list;
+
+        py_list =  PyList_New(0);
+        if (py_list == NULL) {
+            return ENOMEM;
+        }
+
+        for (c = 0; names[c] != NULL; c++) {
+            ret = add_dict_to_list(py_list,
+                                   PyBytes_FromString(SSS_NAME_KEY),
+                                   PyUnicode_FromString(names[c]),
+                                   PYNUMBER_FROMLONG(id_types[c]));
+            if (ret != 0) {
+                goto done;
+            }
+        }
+        ret = PyDict_SetItem(py_result, py_cert, py_list);
+        if (ret != 0) {
+            goto done;
+        }
+    }
+
+done:
+    free(id_types);
+    if (names != NULL) {
+        for (c = 0; names[c] != NULL; c++) {
+            free(names[c]);
+        }
+        free(names);
+    }
+
+    return ret;
+}
+
+
 static int do_getidbysid(PyObject *py_result, PyObject *py_sid)
 {
     const char *sid;
@@ -231,6 +310,9 @@ static int do_lookup(enum lookup_type type, PyObject *py_result,
     case NAMEBYCERT:
         return do_getnamebycert(py_result, py_inp);
         break;
+    case LISTBYCERT:
+        return do_getlistbycert(py_result, py_inp);
+        break;
     default:
         return ENOSYS;
     }
@@ -368,7 +450,7 @@ static PyObject * py_getidbysid(PyObject *module, PyObject *args)
 }
 
 PyDoc_STRVAR(getnamebycert_doc,
-"getnamebycert(sid or list/tuple of certificates) -> dict(sid => dict(results))\n\
+"getnamebycert(certificate or list/tuple of certificates) -> dict(certificate => dict(results))\n\
 \n\
 Returns a dictionary with a dictonary of results for each given certificates.\n\
 The result dictonary contain the name and the type of the object which can be\n\
@@ -382,6 +464,21 @@ static PyObject * py_getnamebycert(PyObject *module, PyObject *args)
     return check_args(NAMEBYCERT, args);
 }
 
+PyDoc_STRVAR(getlistbycert_doc,
+"getnamebycert(certificate or list/tuple of certificates) -> dict(certificate => dict(results))\n\
+\n\
+Returns a dictionary with a dictonary of results for each given certificates.\n\
+The result dictonary contain the name and the type of the object which can be\n\
+accessed with the key constants NAME_KEY and TYPE_KEY, respectively.\n\
+\n\
+NOTE: getlistbycert currently works only with id_provider set as \"ad\" or \"ipa\""
+);
+
+static PyObject * py_getlistbycert(PyObject *module, PyObject *args)
+{
+    return check_args(LISTBYCERT, args);
+}
+
 static PyMethodDef methods[] = {
     { sss_py_const_p(char, "getsidbyname"), (PyCFunction) py_getsidbyname,
       METH_VARARGS, getsidbyname_doc },
@@ -393,6 +490,8 @@ static PyMethodDef methods[] = {
       METH_VARARGS, getidbysid_doc },
     { sss_py_const_p(char, "getnamebycert"), (PyCFunction) py_getnamebycert,
       METH_VARARGS, getnamebycert_doc },
+    { sss_py_const_p(char, "getlistbycert"), (PyCFunction) py_getlistbycert,
+      METH_VARARGS, getlistbycert_doc },
     { NULL,NULL, 0, NULL }
 };
 
diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
index 08b3d32f2662efc1cc803f6e9e5f2d064f7d3033..1931bf62a686c7f30852dac547866609cf54a81b 100644
--- a/src/responder/nss/nss_cmd.c
+++ b/src/responder/nss/nss_cmd.c
@@ -932,6 +932,12 @@ static errno_t nss_cmd_getnamebycert(struct cli_ctx *cli_ctx)
                           nss_protocol_fill_single_name);
 }
 
+static errno_t nss_cmd_getlistbycert(struct cli_ctx *cli_ctx)
+{
+    return nss_getby_cert(cli_ctx, CACHE_REQ_USER_BY_CERT,
+                          nss_protocol_fill_name_list);
+}
+
 struct sss_cmd_table *get_nss_cmds(void)
 {
     static struct sss_cmd_table nss_cmds[] = {
@@ -961,6 +967,7 @@ struct sss_cmd_table *get_nss_cmds(void)
         { SSS_NSS_GETIDBYSID, nss_cmd_getidbysid },
         { SSS_NSS_GETORIGBYNAME, nss_cmd_getorigbyname },
         { SSS_NSS_GETNAMEBYCERT, nss_cmd_getnamebycert },
+        { SSS_NSS_GETLISTBYCERT, nss_cmd_getlistbycert },
         { SSS_CLI_NULL, NULL }
     };
 
diff --git a/src/responder/nss/nss_protocol.h b/src/responder/nss/nss_protocol.h
index c94e7b911eb3c0f97b8c06b1766573311cde41ae..e4c0e52c0e642e885ef2c8423ea564beff7242cf 100644
--- a/src/responder/nss/nss_protocol.h
+++ b/src/responder/nss/nss_protocol.h
@@ -175,6 +175,12 @@ nss_protocol_fill_single_name(struct nss_ctx *nss_ctx,
                               struct cache_req_result *result);
 
 errno_t
+nss_protocol_fill_name_list(struct nss_ctx *nss_ctx,
+                            struct nss_cmd_ctx *cmd_ctx,
+                            struct sss_packet *packet,
+                            struct cache_req_result *result);
+
+errno_t
 nss_protocol_fill_id(struct nss_ctx *nss_ctx,
                      struct nss_cmd_ctx *cmd_ctx,
                      struct sss_packet *packet,
diff --git a/src/responder/nss/nss_protocol_sid.c b/src/responder/nss/nss_protocol_sid.c
index 0b97e65f75412d40832d861568d8e2f9de5e1732..a6a4e27d039c67ef98f6d5900d5e3fcadb3ee717 100644
--- a/src/responder/nss/nss_protocol_sid.c
+++ b/src/responder/nss/nss_protocol_sid.c
@@ -498,3 +498,66 @@ nss_protocol_fill_id(struct nss_ctx *nss_ctx,
 
     return EOK;
 }
+
+errno_t
+nss_protocol_fill_name_list(struct nss_ctx *nss_ctx,
+                            struct nss_cmd_ctx *cmd_ctx,
+                            struct sss_packet *packet,
+                            struct cache_req_result *result)
+{
+    enum sss_id_type *id_types;
+    size_t rp = 0;
+    size_t body_len;
+    uint8_t *body;
+    errno_t ret;
+    struct sized_string *sz_names;
+    size_t len;
+    size_t c;
+    const char *tmp_str;
+
+    sz_names = talloc_array(cmd_ctx, struct sized_string, result->count);
+    if (sz_names == NULL) {
+        return ENOMEM;
+    }
+
+    id_types = talloc_array(cmd_ctx, enum sss_id_type, result->count);
+    if (id_types == NULL) {
+        return ENOMEM;
+    }
+
+    len = 0;
+    for (c = 0; c < result->count; c++) {
+        ret = nss_get_id_type(cmd_ctx, result, &(id_types[c]));
+        if (ret != EOK) {
+            return ret;
+        }
+
+        tmp_str = nss_get_name_from_msg(result->domain, result->msgs[c]);
+        if (tmp_str == NULL) {
+            return EINVAL;
+        }
+        to_sized_string(&(sz_names[c]), tmp_str);
+
+        len += sz_names[c].len;
+    }
+
+    len += (2 + result->count) * sizeof(uint32_t);
+
+    ret = sss_packet_grow(packet, len);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "sss_packet_grow failed.\n");
+        return ret;
+    }
+
+    sss_packet_get_body(packet, &body, &body_len);
+
+    SAFEALIGN_SET_UINT32(&body[rp], result->count, &rp); /* Num results. */
+    SAFEALIGN_SET_UINT32(&body[rp], 0, &rp); /* Reserved. */
+    for (c = 0; c < result->count; c++) {
+        SAFEALIGN_SET_UINT32(&body[rp], id_types[c], &rp);
+        SAFEALIGN_SET_STRING(&body[rp], sz_names[c].str, sz_names[c].len,
+                             &rp);
+    }
+
+    return EOK;
+}
diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c
index fa5a499e3606f7e45a406de4d63002ba35365cb1..6f3af267a1e763e7dce77e3862be377ae2bfe984 100644
--- a/src/sss_client/idmap/sss_nss_idmap.c
+++ b/src/sss_client/idmap/sss_nss_idmap.c
@@ -31,6 +31,7 @@
 #include "util/strtonum.h"
 
 #define DATA_START (3 * sizeof(uint32_t))
+#define LIST_START (2 * sizeof(uint32_t))
 union input {
     const char *str;
     uint32_t id;
@@ -38,10 +39,12 @@ union input {
 
 struct output {
     enum sss_id_type type;
+    enum sss_id_type *types;
     union {
         char *str;
         uint32_t id;
         struct sss_nss_kv *kv_list;
+        char **names;
     } d;
 };
 
@@ -72,6 +75,63 @@ void sss_nss_free_kv(struct sss_nss_kv *kv_list)
     }
 }
 
+void sss_nss_free_list(char **l)
+{
+    size_t c;
+
+    if (l != NULL) {
+        for (c = 0; l[c] != NULL; c++) {
+            free(l[c]);
+        }
+        free(l);
+    }
+}
+
+static int buf_to_name_type_list(uint8_t *buf, size_t buf_len, uint32_t num,
+                                 char ***names, enum sss_id_type **types)
+{
+    int ret;
+    size_t c;
+    char **n = NULL;
+    enum sss_id_type *t = NULL;
+    size_t rp = 0;
+
+    n = calloc(num + 1, sizeof(char *));
+    if (n == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    t = calloc(num + 1, sizeof(enum sss_id_type));
+    if (t == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    for (c = 0; c < num; c++) {
+        SAFEALIGN_COPY_UINT32(&(t[c]), buf + rp, &rp);
+        n[c] = strdup((char *) buf + rp);
+        if (n[c] == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+        rp += strlen(n[c]) + 1;
+    }
+
+    ret = EOK;
+
+done:
+    if (ret != EOK) {
+        sss_nss_free_list(n);
+        free(t);
+    } else {
+        *names = n;
+        *types = t;
+    }
+
+    return ret;
+}
+
 static int  buf_to_kv_list(uint8_t *buf, size_t buf_len,
                            struct sss_nss_kv **kv_list)
 {
@@ -153,13 +213,14 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd ,
     size_t data_len;
     uint32_t c;
     struct sss_nss_kv *kv_list;
+    char **names;
+    enum sss_id_type *types;
 
     switch (cmd) {
     case SSS_NSS_GETSIDBYNAME:
     case SSS_NSS_GETNAMEBYSID:
     case SSS_NSS_GETIDBYSID:
     case SSS_NSS_GETORIGBYNAME:
-    case SSS_NSS_GETNAMEBYCERT:
         ret = sss_strnlen(inp.str, 2048, &inp_len);
         if (ret != EOK) {
             return EINVAL;
@@ -169,6 +230,17 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd ,
         rd.data = inp.str;
 
         break;
+    case SSS_NSS_GETNAMEBYCERT:
+    case SSS_NSS_GETLISTBYCERT:
+        ret = sss_strnlen(inp.str, 10 * 1024 , &inp_len);
+        if (ret != EOK) {
+            return EINVAL;
+        }
+
+        rd.len = inp_len + 1;
+        rd.data = inp.str;
+
+        break;
     case SSS_NSS_GETSIDBYID:
         rd.len = sizeof(uint32_t);
         rd.data = &inp.id;
@@ -195,7 +267,7 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd ,
     if (num_results == 0) {
         ret = ENOENT;
         goto done;
-    } else if (num_results > 1) {
+    } else if (num_results > 1 && cmd != SSS_NSS_GETLISTBYCERT) {
         ret = EBADMSG;
         goto done;
     }
@@ -237,6 +309,18 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd ,
         out->d.id = c;
 
         break;
+    case SSS_NSS_GETLISTBYCERT:
+        ret = buf_to_name_type_list(repbuf + LIST_START, replen - LIST_START,
+                                    num_results,
+                                    &names, &types);
+        if (ret != EOK) {
+            goto done;
+        }
+
+        out->types = types;
+        out->d.names = names;
+
+        break;
     case SSS_NSS_GETORIGBYNAME:
         ret = buf_to_kv_list(repbuf + DATA_START, data_len, &kv_list);
         if (ret != EOK) {
@@ -392,3 +476,25 @@ int sss_nss_getnamebycert(const char *cert, char **fq_name,
 
     return ret;
 }
+
+int sss_nss_getlistbycert(const char *cert, char ***fq_name,
+                          enum sss_id_type **type)
+{
+    int ret;
+    union input inp;
+    struct output out;
+
+    if (fq_name == NULL || cert == NULL || *cert == '\0') {
+        return EINVAL;
+    }
+
+    inp.str = cert;
+
+    ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETLISTBYCERT, &out);
+    if (ret == EOK) {
+        *fq_name = out.d.names;
+        *type = out.types;
+    }
+
+    return ret;
+}
diff --git a/src/sss_client/idmap/sss_nss_idmap.exports b/src/sss_client/idmap/sss_nss_idmap.exports
index bd5d80212017d38334c3cdeefa47d6029f42aebb..49dac6fc9351b0ca98cd46e83b85ec8ef0075a0d 100644
--- a/src/sss_client/idmap/sss_nss_idmap.exports
+++ b/src/sss_client/idmap/sss_nss_idmap.exports
@@ -25,3 +25,9 @@ SSS_NSS_IDMAP_0.2.0 {
     global:
         sss_nss_getnamebycert;
 } SSS_NSS_IDMAP_0.1.0;
+
+SSS_NSS_IDMAP_0.3.0 {
+    # public functions
+    global:
+        sss_nss_getlistbycert;
+} SSS_NSS_IDMAP_0.2.0;
diff --git a/src/sss_client/idmap/sss_nss_idmap.h b/src/sss_client/idmap/sss_nss_idmap.h
index 8a6299194e7b91e084b26c0c96e2f93875a832e7..cbf19479ff9ec6e0d6e07e1f7e48a1571e147740 100644
--- a/src/sss_client/idmap/sss_nss_idmap.h
+++ b/src/sss_client/idmap/sss_nss_idmap.h
@@ -130,7 +130,7 @@ int sss_nss_getorigbyname(const char *fq_name, struct sss_nss_kv **kv_list,
  * @param[in] cert     base64 encoded certificate
  * @param[out] fq_name Fully qualified name of a user or a group,
  *                     must be freed by the caller
- * @param[out] type    Type of the object related to the SID
+ * @param[out] type    Type of the object related to the cert
  *
  * @return
  *  - see #sss_nss_getsidbyname
@@ -139,6 +139,21 @@ int sss_nss_getnamebycert(const char *cert, char **fq_name,
                           enum sss_id_type *type);
 
 /**
+ * @brief Return a list of fully qualified names for the given base64 encoded
+ * X.509 certificate in DER format
+ *
+ * @param[in] cert     base64 encoded certificate
+ * @param[out] fq_name List of fully qualified name of users or groups,
+ *                     must be freed by the caller
+ * @param[out] type    List of types of the objects related to the cert
+ *
+ * @return
+ *  - see #sss_nss_getsidbyname
+ */
+int sss_nss_getlistbycert(const char *cert, char ***fq_name,
+                          enum sss_id_type **type);
+
+/**
  * @brief Free key-value list returned by sss_nss_getorigbyname()
  *
  * @param[in] kv_list Key-value list returned by sss_nss_getorigbyname().
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 8091e11515184dc9b7f32eed535055d9eee3143f..59fee7a4eceb2c185e156e812af7f2f4c6b2a0dd 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -260,6 +260,11 @@ SSS_NSS_GETNAMEBYCERT = 0x0116, /**< Takes the zero terminated string
                                      of a X509 certificate and returns the zero
                                      terminated fully qualified name of the
                                      related object. */
+SSS_NSS_GETLISTBYCERT = 0x0117, /**< Takes the zero terminated string
+                                     of the base64 encoded DER representation
+                                     of a X509 certificate and returns a list
+                                     of zero terminated fully qualified names
+                                     of the related objects. */
 };
 
 /**
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 76b9c6fb05673130de0957e93291919c263a28f3..50714715cc80338640f2a77ecbe17bd5e0d6e911 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -3454,6 +3454,16 @@ struct passwd testbycert = {
     .pw_passwd = discard_const("*"),
 };
 
+struct passwd testbycert2 = {
+    .pw_name = discard_const("testcertuser2"),
+    .pw_uid = 23457,
+    .pw_gid = 6890,
+    .pw_dir = discard_const("/home/testcertuser2"),
+    .pw_gecos = discard_const("test cert user2"),
+    .pw_shell = discard_const("/bin/sh"),
+    .pw_passwd = discard_const("*"),
+};
+
 #define TEST_TOKEN_CERT \
 "MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
 "REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA2MjMx" \
@@ -3495,6 +3505,57 @@ static int test_nss_getnamebycert_check(uint32_t status, uint8_t *body, size_t b
     return EOK;
 }
 
+static int test_nss_getlistbycert_check(uint32_t status, uint8_t *body, size_t blen)
+{
+    size_t rp = 0;
+    uint32_t id_type;
+    uint32_t num;
+    uint32_t reserved;
+    const char *name;
+    int found = 0;
+    const char *fq_name1 = "testcertuser@"TEST_DOM_NAME ;
+    const char *fq_name2 = "testcertuser2@"TEST_DOM_NAME;
+
+    assert_int_equal(status, EOK);
+
+    /* num_results and reserved */
+    SAFEALIGN_COPY_UINT32(&num, body + rp, &rp);
+    assert_in_range(num, 1, 2);
+    SAFEALIGN_COPY_UINT32(&reserved, body + rp, &rp);
+    assert_int_equal(reserved, 0);
+
+    SAFEALIGN_COPY_UINT32(&id_type, body + rp, &rp);
+    assert_int_equal(id_type, SSS_ID_TYPE_UID);
+
+    name = (const char *)body + rp;
+    if (num == 1) {
+        assert_string_equal(name, fq_name1);
+        return EOK;
+    }
+
+    rp += strlen(name) + 1;
+    if (strcmp(name, fq_name1) == 0) {
+        found = 1;
+    } else if (strcmp(name, fq_name2) == 0) {
+        found = 2;
+    }
+    assert_in_range(found, 1, 2);
+
+    SAFEALIGN_COPY_UINT32(&id_type, body + rp, &rp);
+    assert_int_equal(id_type, SSS_ID_TYPE_UID);
+
+    name = (const char *)body + rp;
+    if (found == 1) {
+        assert_string_equal(name, fq_name2);
+    } else {
+        assert_string_equal(name, fq_name1);
+    }
+
+
+    return EOK;
+}
+
+
 static void test_nss_getnamebycert(void **state)
 {
     errno_t ret;
@@ -3572,6 +3633,99 @@ void test_nss_getnamebycert_neg(void **state)
     assert_int_equal(nss_test_ctx->ncache_hits, 1);
 }
 
+static void test_nss_getlistbycert(void **state)
+{
+    errno_t ret;
+    struct sysdb_attrs *attrs;
+    unsigned char *der = NULL;
+    size_t der_size;
+
+    attrs = sysdb_new_attrs(nss_test_ctx);
+    assert_non_null(attrs);
+
+    der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size);
+    assert_non_null(der);
+
+    ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+    talloc_free(der);
+    assert_int_equal(ret, EOK);
+
+    /* Prime the cache with a valid user */
+    ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+                     &testbycert, attrs, 0);
+    assert_int_equal(ret, EOK);
+    talloc_free(attrs);
+
+    mock_input_cert(TEST_TOKEN_CERT);
+    will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETLISTBYCERT);
+    mock_fill_bysid();
+
+    /* Query for that user, call a callback when command finishes */
+    /* Should go straight to back end, without contacting DP. */
+    /* If there is only a single user mapped the result will look like the */
+    /* result of getnamebycert. */
+    set_cmd_cb(test_nss_getlistbycert_check);
+    ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETLISTBYCERT,
+                          nss_test_ctx->nss_cmds);
+    assert_int_equal(ret, EOK);
+
+    /* Wait until the test finishes with EOK */
+    ret = test_ev_loop(nss_test_ctx->tctx);
+    assert_int_equal(ret, EOK);
+}
+
+static void test_nss_getlistbycert_multi(void **state)
+{
+    errno_t ret;
+    struct sysdb_attrs *attrs;
+    unsigned char *der = NULL;
+    size_t der_size;
+
+    der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size);
+    assert_non_null(der);
+
+    attrs = sysdb_new_attrs(nss_test_ctx);
+    assert_non_null(attrs);
+
+    ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+    assert_int_equal(ret, EOK);
+
+    /* Prime the cache with two valid user */
+    ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+                     &testbycert, attrs, 0);
+    assert_int_equal(ret, EOK);
+    talloc_free(attrs);
+
+    /* Looks like attrs is modified during store_user() makes sure we start
+     * with fresh data. */
+    attrs = sysdb_new_attrs(nss_test_ctx);
+    assert_non_null(attrs);
+
+    ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_CERT, der, der_size);
+    talloc_free(der);
+    assert_int_equal(ret, EOK);
+
+    ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+                     &testbycert2, attrs, 0);
+    assert_int_equal(ret, EOK);
+    talloc_free(attrs);
+
+    mock_input_cert(TEST_TOKEN_CERT);
+    will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETLISTBYCERT);
+    mock_fill_bysid();
+
+    /* Query for that user, call a callback when command finishes */
+    /* Should go straight to back end, without contacting DP */
+    set_cmd_cb(test_nss_getlistbycert_check);
+    ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETLISTBYCERT,
+                          nss_test_ctx->nss_cmds);
+    assert_int_equal(ret, EOK);
+
+    /* Wait until the test finishes with EOK */
+    ret = test_ev_loop(nss_test_ctx->tctx);
+    assert_int_equal(ret, EOK);
+}
+
 struct passwd sid_user = {
     .pw_name = discard_const("testusersid"),
     .pw_uid = 1234,
@@ -3818,6 +3972,10 @@ int main(int argc, const char *argv[])
                                         nss_test_setup, nss_test_teardown),
         cmocka_unit_test_setup_teardown(test_nss_getnamebycert,
                                         nss_test_setup, nss_test_teardown),
+        cmocka_unit_test_setup_teardown(test_nss_getlistbycert,
+                                        nss_test_setup, nss_test_teardown),
+        cmocka_unit_test_setup_teardown(test_nss_getlistbycert_multi,
+                                        nss_test_setup, nss_test_teardown),
         cmocka_unit_test_setup_teardown(test_nss_getsidbyname,
                                         nss_test_setup, nss_test_teardown),
         cmocka_unit_test_setup_teardown(test_nss_getsidbyupn,
-- 
2.9.3