andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 6 months ago
Clone

Blame SOURCES/0033-Ticket-47810-memberOf-plugin-not-properly-rejecting-.patch

a2f18f
From 0536984f7b3e9d6e143936b0eda92b510f63d304 Mon Sep 17 00:00:00 2001
a2f18f
From: Mark Reynolds <mreynolds@redhat.com>
a2f18f
Date: Tue, 4 Aug 2015 12:15:31 -0400
a2f18f
Subject: [PATCH 33/39] Ticket 47810 - memberOf plugin not properly rejecting
a2f18f
 updates
a2f18f
a2f18f
Bug Description:  When the memberOf plugin tries to add memberOf attribute to
a2f18f
                  an entry during a mod-replace on a group, even though the
a2f18f
                  update to the user entry fails, but plugin still allows
a2f18f
                  the member to be added to the group.
a2f18f
a2f18f
Fix Description:  During a mod/replace check and return an error if the member
a2f18f
                  update fails.
a2f18f
a2f18f
https://fedorahosted.org/389/ticket/47810
a2f18f
a2f18f
Reviewed by: nhosoi(Thanks!)
a2f18f
a2f18f
(cherry picked from commit eb54f03e240402a4bd16f9cde1d66539805f56ea)
a2f18f
(cherry picked from commit b4b6adcec7d810c7893fd9cb888fa906b9ffa836)
a2f18f
---
a2f18f
 dirsrvtests/suites/betxns/betxn_test.py  | 64 +++++++++++++++++++++++++++++++-
a2f18f
 ldap/servers/plugins/memberof/memberof.c | 13 ++++---
a2f18f
 2 files changed, 70 insertions(+), 7 deletions(-)
a2f18f
a2f18f
diff --git a/dirsrvtests/suites/betxns/betxn_test.py b/dirsrvtests/suites/betxns/betxn_test.py
a2f18f
index 93c4c31..5da6e50 100644
a2f18f
--- a/dirsrvtests/suites/betxns/betxn_test.py
a2f18f
+++ b/dirsrvtests/suites/betxns/betxn_test.py
a2f18f
@@ -3,7 +3,7 @@
a2f18f
 # All rights reserved.
a2f18f
 #
a2f18f
 # License: GPL (version 3 or any later version).
a2f18f
-# See LICENSE for details. 
a2f18f
+# See LICENSE for details.
a2f18f
 # --- END COPYRIGHT BLOCK ---
a2f18f
 #
a2f18f
 import os
a2f18f
@@ -174,6 +174,67 @@ def test_betxn_attr_uniqueness(topology):
a2f18f
     log.info('test_betxn_attr_uniqueness: PASSED')
a2f18f
 
a2f18f
 
a2f18f
+def test_betxn_memberof(topology):
a2f18f
+    ENTRY1_DN = 'cn=group1,' + DEFAULT_SUFFIX
a2f18f
+    ENTRY2_DN = 'cn=group2,' + DEFAULT_SUFFIX
a2f18f
+    PLUGIN_DN = 'cn=' + PLUGIN_MEMBER_OF + ',cn=plugins,cn=config'
a2f18f
+
a2f18f
+    # Enable and configure memberOf plugin
a2f18f
+    topology.standalone.plugins.enable(name=PLUGIN_MEMBER_OF)
a2f18f
+    try:
a2f18f
+        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_REPLACE, 'memberofgroupattr', 'member')])
a2f18f
+    except ldap.LDAPError, e:
a2f18f
+        log.fatal('test_betxn_memberof: Failed to update config(member): error ' + e.message['desc'])
a2f18f
+        assert False
a2f18f
+
a2f18f
+    # Add our test entries
a2f18f
+    try:
a2f18f
+        topology.standalone.add_s(Entry((ENTRY1_DN, {'objectclass': "top groupofnames".split(),
a2f18f
+                                     'cn': 'group1'})))
a2f18f
+    except ldap.LDAPError, e:
a2f18f
+        log.error('test_betxn_memberof: Failed to add group1:' +
a2f18f
+                  ENTRY1_DN + ', error ' + e.message['desc'])
a2f18f
+        assert False
a2f18f
+
a2f18f
+    try:
a2f18f
+        topology.standalone.add_s(Entry((ENTRY2_DN, {'objectclass': "top groupofnames".split(),
a2f18f
+                                     'cn': 'group1'})))
a2f18f
+    except ldap.LDAPError, e:
a2f18f
+        log.error('test_betxn_memberof: Failed to add group2:' +
a2f18f
+                  ENTRY2_DN + ', error ' + e.message['desc'])
a2f18f
+        assert False
a2f18f
+
a2f18f
+    #
a2f18f
+    # Test mod replace
a2f18f
+    #
a2f18f
+
a2f18f
+    # Add group2 to group1 - it should fail with objectclass violation
a2f18f
+    try:
a2f18f
+        topology.standalone.modify_s(ENTRY1_DN, [(ldap.MOD_REPLACE, 'member', ENTRY2_DN)])
a2f18f
+        log.fatal('test_betxn_memberof: Group2 was incorrectly allowed to be added to group1')
a2f18f
+        assert False
a2f18f
+    except ldap.LDAPError, e:
a2f18f
+        log.info('test_betxn_memberof: Group2 was correctly rejected (mod replace): error ' + e.message['desc'])
a2f18f
+
a2f18f
+    #
a2f18f
+    # Test mod add
a2f18f
+    #
a2f18f
+
a2f18f
+    # Add group2 to group1 - it should fail with objectclass violation
a2f18f
+    try:
a2f18f
+        topology.standalone.modify_s(ENTRY1_DN, [(ldap.MOD_ADD, 'member', ENTRY2_DN)])
a2f18f
+        log.fatal('test_betxn_memberof: Group2 was incorrectly allowed to be added to group1')
a2f18f
+        assert False
a2f18f
+    except ldap.LDAPError, e:
a2f18f
+        log.info('test_betxn_memberof: Group2 was correctly rejected (mod add): error ' + e.message['desc'])
a2f18f
+
a2f18f
+    #
a2f18f
+    # Done
a2f18f
+    #
a2f18f
+
a2f18f
+    log.info('test_betxn_memberof: PASSED')
a2f18f
+
a2f18f
+
a2f18f
 def test_betxn_final(topology):
a2f18f
     topology.standalone.delete()
a2f18f
     log.info('betxn test suite PASSED')
a2f18f
@@ -187,6 +248,7 @@ def run_isolated():
a2f18f
     test_betxn_init(topo)
a2f18f
     test_betxt_7bit(topo)
a2f18f
     test_betxn_attr_uniqueness(topo)
a2f18f
+    test_betxn_memberof(topo)
a2f18f
     test_betxn_final(topo)
a2f18f
 
a2f18f
 
a2f18f
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
a2f18f
index 144285b..da52bc8 100644
a2f18f
--- a/ldap/servers/plugins/memberof/memberof.c
a2f18f
+++ b/ldap/servers/plugins/memberof/memberof.c
a2f18f
@@ -2373,6 +2373,7 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
a2f18f
 	struct slapi_entry *post_e = NULL;
a2f18f
 	Slapi_Attr *pre_attr = 0;
a2f18f
 	Slapi_Attr *post_attr = 0;
a2f18f
+	int rc = 0;
a2f18f
 	int i = 0;
a2f18f
 
a2f18f
 	slapi_pblock_get( pb, SLAPI_ENTRY_PRE_OP, &pre_e );
a2f18f
@@ -2449,14 +2450,14 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
a2f18f
 				in pre, not in post, delete from entry
a2f18f
 				not in pre, in post, add to entry
a2f18f
 			*/
a2f18f
-			while(pre_index < pre_total || post_index < post_total)
a2f18f
+			while(rc == 0 && (pre_index < pre_total || post_index < post_total))
a2f18f
 			{
a2f18f
 				if(pre_index == pre_total)
a2f18f
 				{
a2f18f
 					/* add the rest of post */
a2f18f
 					slapi_sdn_set_normdn_byref(sdn,
a2f18f
 					            slapi_value_get_string(post_array[post_index]));
a2f18f
-					memberof_add_one(pb, config, group_sdn, sdn);
a2f18f
+					rc = memberof_add_one(pb, config, group_sdn, sdn);
a2f18f
 
a2f18f
 					post_index++;
a2f18f
 				}
a2f18f
@@ -2465,7 +2466,7 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
a2f18f
 					/* delete the rest of pre */
a2f18f
 					slapi_sdn_set_normdn_byref(sdn,
a2f18f
 					            slapi_value_get_string(pre_array[pre_index]));
a2f18f
-					memberof_del_one(pb, config, group_sdn, sdn);
a2f18f
+					rc = memberof_del_one(pb, config, group_sdn, sdn);
a2f18f
 
a2f18f
 					pre_index++;
a2f18f
 				}
a2f18f
@@ -2482,7 +2483,7 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
a2f18f
 						/* delete pre array */
a2f18f
 						slapi_sdn_set_normdn_byref(sdn,
a2f18f
 					            slapi_value_get_string(pre_array[pre_index]));
a2f18f
-						memberof_del_one(pb, config, group_sdn, sdn);
a2f18f
+						rc = memberof_del_one(pb, config, group_sdn, sdn);
a2f18f
 
a2f18f
 						pre_index++;
a2f18f
 					}
a2f18f
@@ -2491,7 +2492,7 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
a2f18f
 						/* add post array */
a2f18f
 						slapi_sdn_set_normdn_byref(sdn,
a2f18f
 					            slapi_value_get_string(post_array[post_index]));
a2f18f
-						memberof_add_one(pb, config, group_sdn, sdn);
a2f18f
+						rc = memberof_add_one(pb, config, group_sdn, sdn);
a2f18f
 
a2f18f
 						post_index++;
a2f18f
 					}
a2f18f
@@ -2509,7 +2510,7 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
a2f18f
 		}
a2f18f
 	}
a2f18f
 	
a2f18f
-	return 0;
a2f18f
+	return rc;
a2f18f
 }
a2f18f
 
a2f18f
 /* memberof_load_array()
a2f18f
-- 
a2f18f
1.9.3
a2f18f