+ From 15d7d34b20219e2fd45c43881088f5d542e9603e Mon Sep 17 00:00:00 2001

+ From: Sumit Bose <sbose@redhat.com>

+ Date: Tue, 4 Jul 2023 18:56:35 +0200

+ Subject: [PATCH 2/3] sssct: allow cert-show and cert-eval-rule as non-root

+ MIME-Version: 1.0

+ Content-Type: text/plain; charset=UTF-8

+ Content-Transfer-Encoding: 8bit

+ 

+ The cert-show and cert-eval-rule sub-commands do not need root access and

+ do not require SSSD to be configured on the host.

+ 

+ Resolves: https://github.com/SSSD/sssd/issues/6802

+ 

+ Reviewed-by: Alejandro López <allopez@redhat.com>

+ Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

+ (cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4)

+ ---

+  src/tools/sssctl/sssctl.c | 4 ++--

+  1 file changed, 2 insertions(+), 2 deletions(-)

+ 

+ diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c

+ index 855260aed..04c41aa9a 100644

+ --- a/src/tools/sssctl/sssctl.c

+ +++ b/src/tools/sssctl/sssctl.c

+ @@ -340,9 +340,9 @@ int main(int argc, const char **argv)

+          SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT),

+  #endif

+          SSS_TOOL_DELIMITER("Certificate related tools:"),

+ -        SSS_TOOL_COMMAND("cert-show", "Print information about the certificate", 0, sssctl_cert_show),

+ +        SSS_TOOL_COMMAND_FLAGS("cert-show", "Print information about the certificate", 0, sssctl_cert_show, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),

+          SSS_TOOL_COMMAND("cert-map", "Show users mapped to the certificate", 0, sssctl_cert_map),

+ -        SSS_TOOL_COMMAND("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule),

+ +        SSS_TOOL_COMMAND_FLAGS("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),

+  #ifdef BUILD_PASSKEY

+          SSS_TOOL_DELIMITER("Passkey related tools:"),

+          SSS_TOOL_COMMAND_FLAGS("passkey-register", "Perform passkey registration", 0, sssctl_passkey_register, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK),

+ -- 

+ 2.38.1

+ 

+ From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001

+ From: Sumit Bose <sbose@redhat.com>

+ Date: Tue, 4 Jul 2023 19:06:27 +0200

+ Subject: [PATCH 3/3] certmap: fix partial string comparison

+ MIME-Version: 1.0

+ Content-Type: text/plain; charset=UTF-8

+ Content-Transfer-Encoding: 8bit

+ 

+ If the formatting option of the certificate digest/hash function

+ contained and additional specifier separated with a '_' the comparison

+ of the provided digest name and the available ones was incomplete, the

+ last character was ignored and the comparison was successful if even if

+ there was only a partial match.

+ 

+ Resolves: https://github.com/SSSD/sssd/issues/6802

+ 

+ Reviewed-by: Alejandro López <allopez@redhat.com>

+ Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

+ (cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)

+ ---

+  src/lib/certmap/sss_certmap_ldap_mapping.c |  9 ++++++++-

+  src/tests/cmocka/test_certmap.c            | 22 ++++++++++++++++++++++

+  2 files changed, 30 insertions(+), 1 deletion(-)

+ 

+ diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c

+ index 2f16837a1..354b0310b 100644

+ --- a/src/lib/certmap/sss_certmap_ldap_mapping.c

+ +++ b/src/lib/certmap/sss_certmap_ldap_mapping.c

+ @@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list,

+      bool colon = false;

+      bool reverse = false;

+      char *c;

+ +    size_t len = 0;

+  

+      sep = strchr(inp, '_');

+ +    if (sep != NULL) {

+ +        len = sep - inp;

+ +    }

+  

+      for (d = 0; digest_list[d] != NULL; d++) {

+          if (sep == NULL) {

+              cmp = strcasecmp(digest_list[d], inp);

+          } else {

+ -            cmp = strncasecmp(digest_list[d], inp, (sep - inp -1));

+ +            if (strlen(digest_list[d]) != len) {

+ +                continue;

+ +            }

+ +            cmp = strncasecmp(digest_list[d], inp, len);

+          }

+  

+          if (cmp == 0) {

+ diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c

+ index da312beaf..a15984d60 100644

+ --- a/src/tests/cmocka/test_certmap.c

+ +++ b/src/tests/cmocka/test_certmap.c

+ @@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state)

+      assert_non_null(ctx);

+      assert_null(ctx->prio_list);

+  

+ +    /* cert!sha */

+ +    ret = sss_certmap_add_rule(ctx, 91,

+ +                            "KRB5:<ISSUER>.*",

+ +                            "LDAP:rule91={cert!sha}", NULL);

+ +    assert_int_equal(ret, EINVAL);

+ +

+ +    ret = sss_certmap_add_rule(ctx, 91,

+ +                            "KRB5:<ISSUER>.*",

+ +                            "LDAPU1:rule91={cert!sha}", NULL);

+ +    assert_int_equal(ret, EINVAL);

+ +

+ +    /* cert!sha_u */

+ +    ret = sss_certmap_add_rule(ctx, 90,

+ +                            "KRB5:<ISSUER>.*",

+ +                            "LDAP:rule90={cert!sha_u}", NULL);

+ +    assert_int_equal(ret, EINVAL);

+ +

+ +    ret = sss_certmap_add_rule(ctx, 99,

+ +                            "KRB5:<ISSUER>.*",

+ +                            "LDAPU1:rule90={cert!sha_u}", NULL);

+ +    assert_int_equal(ret, EINVAL);

+ +

+      /* cert!sha555 */

+      ret = sss_certmap_add_rule(ctx, 89,

+                              "KRB5:<ISSUER>.*",

+ -- 

+ 2.38.1

+ 

+ Release: 4%{?dist}

+ Patch0002: 0002-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch

+ Patch0003: 0003-certmap-fix-partial-string-comparison.patch

+ * Tue Aug 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.1-4

+ - Resolves sss_certmap_test fail

+