From 648a67f81ac84dc0585e58b4c5664f4b9cecab86 Mon Sep 17 00:00:00 2001 From: Edgar Aguilar Date: Thu, 18 Jan 2024 17:02:59 -0600 Subject: [PATCH 1/3] Update OL8 sssd rules Update rules sssd_enable_smartcards & sssd_offline_cred_expiration to also look into files inside /etc/sssd/conf.d/ Signed-off-by: Edgar Aguilar --- .../sssd/sssd_enable_smartcards/ansible/shared.yml | 13 +++++++++++++ .../sssd/sssd_enable_smartcards/bash/shared.sh | 2 +- .../sssd/sssd_enable_smartcards/oval/shared.xml | 11 ++++++++--- .../sssd_offline_cred_expiration/ansible/shared.yml | 13 +++++++++++++ .../sssd_offline_cred_expiration/bash/shared.sh | 2 +- .../sssd_offline_cred_expiration/oval/shared.xml | 5 +++++ .../sssd/sssd_offline_cred_expiration/rule.yml | 2 +- 7 files changed, 42 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml index f82c9e3862b..80f17d83c51 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml @@ -34,6 +34,19 @@ create: yes mode: 0600 +- name: Find all the conf files inside /etc/sssd/conf.d/ + find: + paths: "/etc/sssd/conf.d/" + patterns: "*.conf" + register: sssd_conf_d_files + +- name: Fix pam_cert_auth configuration in /etc/sssd/conf.d/ + ansible.builtin.replace: + path: "{{ item.path }}" + regexp: '[^#]*pam_cert_auth.*' + replace: 'pam_cert_auth = True' + with_items: "{{ sssd_conf_d_files.files }}" + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} - name: '{{{ rule_title }}} - Check if system relies on authselect' ansible.builtin.stat: diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh index 4e2e00554e8..b896f4f7d9b 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh 
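Review bot: The `regexp: '[^#]*pam_cert_auth.*'` in the new "Fix pam_cert_auth configuration in /etc/sssd/conf.d/" task is unanchored, and `[^#]*` also matches newlines, so the leftmost match in a drop-in such as `[pam]` followed by `pam_cert_auth = False` starts at the beginning of the file: the `[pam]` header (and any earlier `#`-free lines, e.g. a whole `[domain/...]` section) is swallowed and replaced by the single line `pam_cert_auth = True`. The same construction means a commented `# pam_cert_auth = False` line still matches from the character after the `#`. Anchoring to the line fixes both, since the replace module runs in MULTILINE mode and `.` does not cross newlines: `regexp: '^[ \t]*pam_cert_auth[ \t]*=.*$'`. The task also does not confirm the key sits under `[pam]` (the OVAL pattern in this series does), and it only rewrites an existing key rather than adding one; if that is deliberate for drop-ins, a one-line comment on the task saying so would help the next reader. The sssd.conf task that precedes this hunk starts outside it.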
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh @@ -9,7 +9,7 @@ OLD_UMASK=$(umask) umask u=rw,go= -{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "pam", "pam_cert_auth", "True") }}} +{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf", "pam", "pam_cert_auth", "True") }}} umask $OLD_UMASK diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml b/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml index c2ae4d39a47..1cadee2e4a1 100644 --- a/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml +++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml @@ -17,14 +17,19 @@ comment="tests the value of pam_cert_auth setting in the /etc/sssd/sssd.conf file" id="test_sssd_enable_smartcards" version="1"> + - - /etc/sssd/sssd.conf - ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*(?i)true\s*$ + + /etc/sssd/(sssd\.conf|conf.d/[^/]+\.conf) + ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*(\w+)\s*$ 1 + + (?i)true + + {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}} + ^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$ ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1\s*(?:#.*)?$ 1 + + + 1 + {{% if product in ["ol8", "rhel8"] %}} {{% endif %}} To verify that SSSD expires offline credentials, run the following command: -
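Review bot: The first argument to `bash_ensure_ini_config` is now the single string `"/etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"`; whether the macro word-splits and glob-expands that string or quotes it as one path is not visible in this hunk, and in the quoted case the remediation targets a non-existent file whose name contains a space and `*` — with `umask u=rw,go=` set on the line above, it might even create it. Even if the macro does expand it, with no drop-ins present and no `nullglob`, the literal `/etc/sssd/conf.d/*.conf` stays in the list. Assuming the macro passes its path argument through to the generated shell, keeping the sssd.conf call as it was and iterating only over drop-ins that exist avoids both cases.
```shell
# … unchanged: OLD_UMASK=$(umask) / umask u=rw,go= …
{{{ bash_ensure_ini_config("/etc/sssd/sssd.conf", "pam", "pam_cert_auth", "True") }}}
for sssd_conf in /etc/sssd/conf.d/*.conf; do
  [ -e "$sssd_conf" ] || continue
  {{{ bash_ensure_ini_config("$sssd_conf", "pam", "pam_cert_auth", "True") }}}
done
# … unchanged: umask $OLD_UMASK …
```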
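Review bot: The new smartcard pattern `^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*(\w+)\s*$` has no tolerance for a trailing comment, whereas the offline_credentials_expiration pattern in the same series ends in `\s*(?:#.*)?$`; a line such as `pam_cert_auth = True  # smartcard` would therefore not match here, and the two rules should agree. Now that the object spans sssd.conf and every drop-in, a layout where sssd.conf says `True` and a drop-in says `False` passes or fails depending on the test's check attribute, which this rendering does not show; as far as I understand sssd's merge order, drop-ins are read after sssd.conf and win, so `check="all"` is what that layout needs to fail. Minor: `conf.d` in the new filepath pattern leaves the dot unescaped, while the offline rule's `^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$` leaves `sssd.conf` unescaped — neither is wrong in practice, but they differ. The XML markup is largely stripped in this view, so the element layout above is inferred.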
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf
+
$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
If configured properly, output should be
offline_credentials_expiration = 1
From 8a7bcc05b42bcecd4490499a892ed07f15e916df Mon Sep 17 00:00:00 2001
From: Edgar Aguilar
Date: Thu, 18 Jan 2024 17:04:12 -0600
Subject: [PATCH 2/3] Add tests to OL8 sssd rules
These test are to take int account files inside /etc/sssd/conf.d/
Signed-off-by: Edgar Aguilar
---
.../tests/authselect_smartcard_enabled_conf_d.pass.sh | 11 +++++++++++
.../authselect_sssd_parameter_false_conf_d.fail.sh | 11 +++++++++++
.../tests/correct_value_conf_d.pass.sh | 9 +++++++++
.../tests/wrong_value_conf_d.fail.sh | 9 +++++++++
4 files changed, 40 insertions(+)
create mode 100644 linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh
create mode 100644 linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh
create mode 100644 linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_conf_d.pass.sh
create mode 100644 linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value_conf_d.fail.sh
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh
new file mode 100644
index 00000000000..7e2019cff1f
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_smartcard_enabled_conf_d.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = authselect,sssd
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+
+SSSD_FILE="/etc/sssd/conf.d/unused.conf"
+echo "[pam]" > $SSSD_FILE
+echo "pam_cert_auth = True" >> $SSSD_FILE
+
+authselect select sssd --force
+authselect enable-feature with-smartcard
+authselect apply-changes
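Review bot: The drop-in is created with the shell's default umask, so `/etc/sssd/conf.d/unused.conf` will normally end up 0644; as far as I recall sssd only loads conf.d snippets that are root-owned and mode 0600, so the scanner would pass this test on a file the daemon itself ignores (the bash remediation in this series sets `umask u=rw,go=` for exactly that reason). `install -m 0600 /dev/null "$SSSD_FILE"` before the writes gives the test a file sssd would actually honour. The redirections `> $SSSD_FILE` and `>> $SSSD_FILE` are unquoted (ShellCheck SC2086) — harmless for this literal path, but the quoted form is the convention, e.g. `printf '%s\n' '[pam]' 'pam_cert_auth = True' > "$SSSD_FILE"`. The same two points apply to the other three test files in this patch (the `.fail.sh` twin and the two `sssd_offline_cred_expiration` tests, which additionally use `echo -e` where `printf` is the portable choice), and none of the four covers the layout where sssd.conf sets the key one way and a drop-in the other, which is the case that exercises the OVAL check semantics.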
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh
new file mode 100644
index 00000000000..b1ed28f3943
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/authselect_sssd_parameter_false_conf_d.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = authselect,sssd
+# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+
+SSSD_FILE="/etc/sssd/conf.d/unused.conf"
+echo "[pam]" > $SSSD_FILE
+echo "pam_cert_auth = False" >> $SSSD_FILE
+
+authselect select sssd --force
+authselect enable-feature with-smartcard
+authselect apply-changes
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_conf_d.pass.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_conf_d.pass.sh
new file mode 100644
index 00000000000..c8927040f19
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/correct_value_conf_d.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+source common.sh
+
+SSSD_CONF_D_FILE="/etc/sssd/conf.d/unused.conf"
+
+echo -e "[pam]\noffline_credentials_expiration = 1" >> $SSSD_CONF_D_FILE
+
+echo -e "[domain/EXAMPLE]\ncache_credentials = true" >> $SSSD_CONF
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value_conf_d.fail.sh b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value_conf_d.fail.sh
new file mode 100644
index 00000000000..f3185b6cd68
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/tests/wrong_value_conf_d.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+source common.sh
+
+SSSD_CONF_D_FILE="/etc/sssd/conf.d/unused.conf"
+
+echo -e "[pam]\noffline_credentials_expiration = 0" >> $SSSD_CONF_D_FILE
+
+echo -e "[domain/EXAMPLE]\ncache_credentials = true" >> $SSSD_CONF
From 028b55316587a14b777a64c8b17203c90c3468a1 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar
Date: Mon, 12 Feb 2024 16:17:31 -0600
Subject: [PATCH 3/3] Fix regex in sssd_offline_cred_expiration
Update it to include a capturing group to use a state to compare the captured subexpression
Signed-off-by: Edgar Aguilar
---
.../services/sssd/sssd_offline_cred_expiration/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml
index a9e9a20b72c..2ecac5d70ee 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml
@@ -18,7 +18,7 @@
^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$ - ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1\s*(?:#.*)?$ + ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*(\d+)\s*(?:#.*)?$ 1