Port providers to New Failover WIP

.github/workflows/analyze-target.yml

@@ -1,7 +1,7 @@
 name: "Analyze (target)"
 on:
   pull_request_target:
-    branches: [master]
+    branches: [master, failover]
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true

.github/workflows/ci.yml

@@ -1,9 +1,9 @@
 name: "ci"
 on:
   push:
-    branches: [master]
+    branches: [master, failover]
   pull_request:
-    branches: [master]
+    branches: [master, failover]
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -152,7 +152,6 @@ jobs:
         working-directory: /sssd
         where: |
           client
-          ipa
         script: |
           #!/bin/bash
           set -ex
@@ -172,7 +171,6 @@ jobs:
         user: root
         where: |
           client
-          ipa
         script: |
           #!/bin/bash
           set -ex
@@ -188,17 +186,6 @@ jobs:
           # We need to reenable sssd-kcm since it was disabled by removing sssd not not enabled again
           systemctl enable --now sssd-kcm.socket
 
-    - name: Restart SSSD on IPA server
-      uses: SSSD/sssd-ci-containers/actions/exec@master
-      with:
-        user: root
-        where: ipa
-        script: |
-          #!/bin/bash
-          set -ex
-
-          systemctl restart sssd || systemctl status sssd
-
     - name: Patch the SSH configuration
       uses: SSSD/sssd-ci-containers/actions/exec@master
       with:
@@ -311,6 +298,9 @@ jobs:
           --polarion-config=../polarion.yaml \
           --output-polarion-testcase=$GITHUB_WORKSPACE/artifacts/testcase.xml \
           ${{ steps.select-tests.outputs.SELECT_TESTS }} \
+          --mh-not-topology=ipa --mh-not-topology=samba --mh-not-topology=ad \
+          --mh-not-topology=ipa-trust-samba \
+          -k "not test_logging__default_settings_logs_ and not test_failover and not test_autofs__propagate_offline_status_for_multiple_domains" \
           --collect-only . |& tee $GITHUB_WORKSPACE/pytest-collect.log
 
     - name: Run tests
@@ -331,6 +321,9 @@ jobs:
           --output-polarion-testcase=$GITHUB_WORKSPACE/artifacts/testcase.xml \
           --output-polarion-testrun=$GITHUB_WORKSPACE/artifacts/testrun.xml \
           ${{ steps.select-tests.outputs.SELECT_TESTS }} \
+          --mh-not-topology=ipa --mh-not-topology=samba --mh-not-topology=ad \
+          --mh-not-topology=ipa-trust-samba \
+          -k "not test_logging__default_settings_logs_ and not test_failover and not test_autofs__propagate_offline_status_for_multiple_domains" \
           -vvv . |& tee $GITHUB_WORKSPACE/pytest.log
 
     - name: Upload artifacts

.github/workflows/coverity.yml

@@ -10,6 +10,7 @@ on:
   pull_request_target:
     branches:
       - master
+      - failover
     types:
       - labeled
   workflow_dispatch:

.github/workflows/static-code-analysis.yml

@@ -1,9 +1,9 @@
 name: "Static code analysis"
 on:
   push:
-    branches: [master]
+    branches: [master, failover]
   pull_request:
-    branches: [master]
+    branches: [master, failover]
   schedule:
     # Everyday at midnight
     - cron: '0 0 * * *'

Makefile.am

@@ -233,7 +233,6 @@ endif
 
 if HAVE_CHECK
     non_interactive_check_based_tests = \
-        dlopen-tests \
         sysdb-tests \
         strtonum-tests \
         resolv-tests \
@@ -270,13 +269,11 @@ if HAVE_CMOCKA
         test-authtok \
         test_prompt_config \
         sss_nss_idmap-tests \
-        deskprofile_utils-tests \
         dyndns-tests \
         domain_resolution_order-tests \
         fqnames-tests \
         nestedgroups-tests \
         test_sss_idmap \
-        test_ipa_idmap \
         test_utils \
         dp_opt_tests \
         responder-get-domains-tests \
@@ -301,17 +298,16 @@ if HAVE_CMOCKA
         test_sbus_message \
         test_sbus_opath \
         test_fo_srv \
+        test_failover_server \
         pam-srv-tests \
         ssh-srv-tests \
-        test_ipa_subdom_util \
         test_tools_colondb \
         test_krb5_wait_queue \
         test_cert_utils \
         test_ldap_id_cleanup \
         test_data_provider_be \
         test_dp_request \
         test_dp_builtin \
-        test_ipa_dn \
         simple-access-tests \
         krb5_common_test \
         test_iobuf \
@@ -352,12 +348,7 @@ endif # BUILD_PASSKEY
 
 if BUILD_SAMBA
 non_interactive_cmocka_based_tests += \
-    ad_access_filter_tests \
-    ad_gpo_tests \
-    ad_common_tests \
     test_sdap_initgr \
-    test_ad_subdom \
-    test_ipa_subdom_server \
     $(NULL)
 endif
 
@@ -412,8 +403,7 @@ sssdlib_LTLIBRARIES = \
 
 if BUILD_SAMBA
 sssdlib_LTLIBRARIES += \
-    libsss_ipa.la \
-    libsss_ad.la
+    $(NULL)
 endif
 
 if BUILD_ID_PROVIDER_IDP
@@ -648,6 +638,24 @@ SSSD_FAILOVER_OBJ = \
     src/providers/fail_over_srv.c \
     $(SSSD_RESOLV_OBJ)
 
+# Make sure to build new failover code to test compilation even though it is
+# not used anywhere yet.
+SSSD_NEW_FAILOVER_OBJ = \
+    src/providers/failover/failover.c \
+    src/providers/failover/failover_callback.c \
+    src/providers/failover/failover_refresh_candidates.c \
+    src/providers/failover/failover_group.c \
+    src/providers/failover/failover_server_resolve.c \
+    src/providers/failover/failover_server.c \
+    src/providers/failover/failover_srv.c \
+    src/providers/failover/failover_transaction.c \
+    src/providers/failover/failover_vtable_op.c \
+    src/providers/failover/failover_vtable.c \
+    src/providers/failover/ldap/failover_ldap_connect.c \
+    src/providers/failover/ldap/failover_ldap_kinit.c \
+    $(SSSD_RESOLV_OBJ) \
+    $(NULL)
+
 SSSD_LIBS = \
     $(TALLOC_LIBS) \
     $(TEVENT_LIBS) \
@@ -840,6 +848,16 @@ dist_noinst_HEADERS = \
     src/providers/be_refresh.h \
     src/providers/fail_over.h \
     src/providers/fail_over_srv.h \
+    src/providers/failover/failover.h \
+    src/providers/failover/failover_group.h \
+    src/providers/failover/failover_refresh_candidates.h \
+    src/providers/failover/failover_server.h \
+    src/providers/failover/failover_server_resolve.h \
+    src/providers/failover/failover_srv.h \
+    src/providers/failover/failover_transaction.h \
+    src/providers/failover/failover_vtable.h \
+    src/providers/failover/failover_vtable_op.h \
+    src/providers/failover/ldap/failover_ldap.h \
     src/util/child_common.h \
     src/util/child_bootstrap.h \
     src/providers/simple/simple_access.h \
@@ -859,7 +877,6 @@ dist_noinst_HEADERS = \
     src/providers/ldap/sdap_sudo.h \
     src/providers/ldap/sdap_sudo_shared.h \
     src/providers/ldap/sdap_autofs.h \
-    src/providers/ldap/sdap_id_op.h \
     src/providers/ldap/ldap_opts.h \
     src/providers/ldap/ldap_auth.h \
     src/providers/ldap/sdap_range.h \
@@ -1876,7 +1893,6 @@ sssctl_SOURCES = \
     src/tools/sssctl/sssctl_domains.c \
     src/tools/sssctl/sssctl_config.c \
     src/tools/sssctl/sssctl_user_checks.c \
-    src/tools/sssctl/sssctl_access_report.c \
     src/tools/sssctl/sssctl_cert.c \
     $(SSSD_TOOLS_OBJ) \
     $(NULL)
@@ -2036,7 +2052,6 @@ check_LTLIBRARIES += \
 
 if BUILD_SAMBA
 check_LTLIBRARIES += \
-    libsss_ad_tests.la \
     libdlopen_test_winbind_idmap.la \
     $(NULL)
 endif
@@ -3471,6 +3486,24 @@ test_fo_srv_LDADD = \
     libsss_test_common.la \
     $(NULL)
 
+test_failover_server_SOURCES = \
+    src/tests/cmocka/test_failover_server.c \
+    src/providers/failover/failover_server.c \
+    $(SSSD_RESOLV_TESTS_OBJ) \
+    $(NULL)
+test_failover_server_CFLAGS = \
+    $(AM_CFLAGS) \
+    $(CMOCKA_CFLAGS) \
+    $(NULL)
+test_failover_server_LDADD = \
+    $(CARES_LIBS) \
+    $(CMOCKA_LIBS) \
+    $(POPT_LIBS) \
+    $(SSSD_INTERNAL_LTLIBS) \
+    $(TALLOC_LIBS) \
+    libsss_test_common.la \
+    $(NULL)
+
 test_sdap_initgr_SOURCES = \
     src/tests/cmocka/common_mock_sdap.c \
     src/tests/cmocka/common_mock_sysdb_objects.c \
@@ -4313,12 +4346,10 @@ libsss_ldap_common_la_SOURCES = \
     src/providers/ldap/sdap_async_services.c \
     src/providers/ldap/sdap_async_iphost.c \
     src/providers/ldap/sdap_async_ipnetwork.c \
-    src/providers/ldap/sdap_online_check.c \
     src/providers/ldap/sdap_ad_groups.c \
     src/providers/ldap/sdap_child_helpers.c \
     src/providers/ldap/sdap_fd_events.c \
     src/providers/ldap/sdap_hostid.h \
-    src/providers/ldap/sdap_id_op.c \
     src/providers/ldap/sdap_certmap.c \
     src/providers/ldap/sdap_idmap.c \
     src/providers/ldap/sdap_idmap.h \
@@ -4335,6 +4366,7 @@ libsss_ldap_common_la_SOURCES = \
     src/util/sss_sockets.c \
     src/util/sss_ldap.c \
     src/util/cert_derb64_to_ldap_filter.c \
+    $(SSSD_NEW_FAILOVER_OBJ) \
     $(NULL)
 libsss_ldap_common_la_CFLAGS = \
     $(AM_CFLAGS) \
@@ -4414,7 +4446,8 @@ libsss_krb5_common_la_LDFLAGS = \
 
 libsss_ldap_la_SOURCES = \
     src/providers/ldap/ldap_init.c \
-    src/providers/ldap/ldap_access.c
+    src/providers/ldap/ldap_access.c \
+    $(SSSD_NEW_FAILOVER_OBJ)
 libsss_ldap_la_CFLAGS = \
     $(AM_CFLAGS) \
     $(OPENLDAP_CFLAGS)

contrib/sssd.spec.in

@@ -806,13 +806,13 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %files ipa -f sssd_ipa.lang
 %license COPYING
 %attr(770,sssd,sssd) %dir %{keytabdir}
-%{_libdir}/%{name}/libsss_ipa.so
+#%{_libdir}/%{name}/libsss_ipa.so
 %attr(0750,root,sssd) %caps(cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
 %license COPYING
-%{_libdir}/%{name}/libsss_ad.so
+#%{_libdir}/%{name}/libsss_ad.so
 %{_libexecdir}/%{servicename}/gpo_child
 %{_mandir}/man5/sssd-ad.5*
 

minimal-provider-notes.txt

@@ -0,0 +1,88 @@
+# Minimal SSSD provider
+
+This is used as a proof of concept for the new failover implementation. It can
+also be used to see what changes are required in order to switch to the new
+code, however it really does only minimum amount of changes to get it working.
+It would be very good to provide more thorough refactoring in the real
+providers.
+
+The minimal provider supports:
+- services lookup (getent services)
+- user authentication
+
+## Populate LDAP
+
+```
+$ vim objects.ldif
+dn: ou=users,dc=ldap,dc=test
+objectClass: top
+objectClass: organizationalUnit
+ou: users
+
+# Password is Secret123
+dn: cn=user-1,ou=users,dc=ldap,dc=test
+uid: user-1
+uidNumber: 10000
+homeDirectory: /home/user-1
+gidNumber: 100000
+cn: user-1
+objectClass: posixAccount
+objectClass: top
+userPassword:: e1BCS0RGMi1TSEE1MTJ9MTAwMDAwJEVZU2lqOFgxTTVFZUIrMXlHQzdvZkhwZzd
+ XZXpYRGJwJG0vTVUyMUIrTGNNb2tkRVcvUFJ6YWlhc21zdlNDeVJWdGxPU3c3c05YbHk2NUxBcUcz
+ ODJqQUJWUEp2N1ZnOUtRdXhEamVlbmxEV3V5Ylg5UFdKMW5nPT0=
+
+dn: ou=services,dc=ldap,dc=test
+objectClass: top
+objectClass: organizationalUnit
+ou: services
+
+dn: cn=service0,ou=services,dc=ldap,dc=test
+objectClass: ipService
+cn: service0
+ipServiceProtocol: tcp
+ipServicePort: 12345
+
+$ ldapadd -D "cn=Directory Manager" -w Secret123 -H ldap://master.ldap.test -f objects.ldif -vv
+```
+
+## Verify LDAP contents
+
+```
+$ ldapsearch -D "cn=Directory Manager" -w Secret123 -H ldap://master.ldap.test -b dc=ldap,dc=test
+```
+
+## Configure SSSD for services lookup
+
+```
+[sssd]
+domains = minimal
+
+[domain/minimal]
+debug_level = 9
+id_provider = minimal
+
+$ getent services -s sss service0
+service0              12345/tcp
+```
+
+## Configure SSSD for user authentication
+
+Note: user lookup is done by id provider
+
+```
+[sssd]
+services = nss, pam
+domains = minimal
+
+[domain/minimal]
+debug_level = 9
+id_provider = ldap
+auth_provider = minimal
+ldap_uri = _srv_
+dns_discovery_domain = ldap.test
+ldap_tls_reqcert = never
+
+$ su user-1
+Password: Secret123
+```