andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 5 months ago
Clone

Blame SOURCES/0044-Ticket-49246-ns-slapd-crashes-in-role-cache-creation.patch

b69e47
From 18491418e661b5dc1b9ca4c6bb4adb85bfb0bf0d Mon Sep 17 00:00:00 2001
b69e47
From: Mark Reynolds <mreynolds@redhat.com>
b69e47
Date: Tue, 9 May 2017 16:31:52 -0400
b69e47
Subject: [PATCH] Ticket 49246 - ns-slapd crashes in role cache creation
b69e47
b69e47
Bug Description:  Using a nested filter for a filtered role can
b69e47
                  cause a crash.  This was due to the way the filter
b69e47
                  was being checked by the roles plugin.
b69e47
b69e47
Fix Description:  Properly resurse over a filter.
b69e47
b69e47
https://pagure.io/389-ds-base/issue/49246
b69e47
b69e47
Reviewed by: firstyear & tbordaz(Thanks!!)
b69e47
b69e47
(cherry picked from commit 54e4fca35899550e0c25b25e7f7c756302d258ce)
b69e47
---
b69e47
 dirsrvtests/tests/tickets/ticket49122_test.py | 61 ++++++++++++++++++---------
b69e47
 ldap/servers/plugins/roles/roles_cache.c      | 34 +++++++++++----
b69e47
 2 files changed, 66 insertions(+), 29 deletions(-)
b69e47
b69e47
diff --git a/dirsrvtests/tests/tickets/ticket49122_test.py b/dirsrvtests/tests/tickets/ticket49122_test.py
b69e47
index ff1e8d1..0945122 100644
b69e47
--- a/dirsrvtests/tests/tickets/ticket49122_test.py
b69e47
+++ b/dirsrvtests/tests/tickets/ticket49122_test.py
b69e47
@@ -2,8 +2,7 @@ import time
b69e47
 import ldap
b69e47
 import logging
b69e47
 import pytest
b69e47
-from lib389 import DirSrv, Entry, tools, tasks
b69e47
-from lib389.tools import DirSrvTools
b69e47
+from lib389 import Entry
b69e47
 from lib389._constants import *
b69e47
 from lib389.properties import *
b69e47
 from lib389.tasks import *
b69e47
@@ -19,6 +18,15 @@ log = logging.getLogger(__name__)
b69e47
 
b69e47
 USER_DN = 'uid=user,' + DEFAULT_SUFFIX
b69e47
 ROLE_DN = 'cn=Filtered_Role_That_Includes_Empty_Role,' + DEFAULT_SUFFIX
b69e47
+filters = ['nsrole=cn=empty,dc=example,dc=com',
b69e47
+           '(nsrole=cn=empty,dc=example,dc=com)',
b69e47
+           '(&(nsrole=cn=empty,dc=example,dc=com))',
b69e47
+           '(!(nsrole=cn=empty,dc=example,dc=com))',
b69e47
+           '(&(|(objectclass=person)(sn=app*))(userpassword=*))',
b69e47
+           '(&(|(objectclass=person)(nsrole=cn=empty,dc=example,dc=com))(userpassword=*))',
b69e47
+           '(&(|(nsrole=cn=empty,dc=example,dc=com)(sn=app*))(userpassword=*))',
b69e47
+           '(&(|(objectclass=person)(sn=app*))(nsrole=cn=empty,dc=example,dc=com))',
b69e47
+           '(&(|(&(cn=*)(objectclass=person)(nsrole=cn=empty,dc=example,dc=com)))(uid=*))']
b69e47
 
b69e47
 
b69e47
 def test_ticket49122(topo):
b69e47
@@ -29,18 +37,6 @@ def test_ticket49122(topo):
b69e47
     topo.standalone.plugins.enable(name=PLUGIN_ROLES)
b69e47
     topo.standalone.restart()
b69e47
 
b69e47
-    # Add invalid role
b69e47
-    try:
b69e47
-        topo.standalone.add_s(Entry((
b69e47
-            ROLE_DN, {'objectclass': ['top', 'ldapsubentry', 'nsroledefinition',
b69e47
-                                      'nscomplexroledefinition', 'nsfilteredroledefinition'],
b69e47
-                      'cn': 'Filtered_Role_That_Includes_Empty_Role',
b69e47
-                      'nsRoleFilter': '(!(nsrole=cn=This_Is_An_Empty_Managed_NsRoleDefinition,dc=example,dc=com))',
b69e47
-                      'description': 'A filtered role with filter that will crash the server'})))
b69e47
-    except ldap.LDAPError as e:
b69e47
-        topo.standalone.log.fatal('Failed to add filtered role: error ' + e.message['desc'])
b69e47
-        assert False
b69e47
-
b69e47
     # Add test user
b69e47
     try:
b69e47
         topo.standalone.add_s(Entry((
b69e47
@@ -51,16 +47,39 @@ def test_ticket49122(topo):
b69e47
         assert False
b69e47
 
b69e47
     if DEBUGGING:
b69e47
-        # Add debugging steps(if any)...
b69e47
         print("Attach gdb")
b69e47
         time.sleep(20)
b69e47
 
b69e47
-    # Search for the role
b69e47
-    try:
b69e47
-        topo.standalone.search_s(USER_DN, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nsrole'])
b69e47
-    except ldap.LDAPError as e:
b69e47
-        topo.standalone.log.fatal('Search failed: error ' + str(e))
b69e47
-        assert False
b69e47
+    # Loop over filters
b69e47
+    for role_filter in filters:
b69e47
+        log.info('Testing filter: ' + role_filter)
b69e47
+
b69e47
+        # Add invalid role
b69e47
+        try:
b69e47
+            topo.standalone.add_s(Entry((
b69e47
+                ROLE_DN, {'objectclass': ['top', 'ldapsubentry', 'nsroledefinition',
b69e47
+                                          'nscomplexroledefinition', 'nsfilteredroledefinition'],
b69e47
+                          'cn': 'Filtered_Role_That_Includes_Empty_Role',
b69e47
+                          'nsRoleFilter': role_filter,
b69e47
+                          'description': 'A filtered role with filter that will crash the server'})))
b69e47
+        except ldap.LDAPError as e:
b69e47
+            topo.standalone.log.fatal('Failed to add filtered role: error ' + e.message['desc'])
b69e47
+            assert False
b69e47
+
b69e47
+        # Search for the role
b69e47
+        try:
b69e47
+            topo.standalone.search_s(USER_DN, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nsrole'])
b69e47
+        except ldap.LDAPError as e:
b69e47
+            topo.standalone.log.fatal('Search failed: error ' + str(e))
b69e47
+            assert False
b69e47
+
b69e47
+        # Cleanup
b69e47
+        try:
b69e47
+            topo.standalone.delete_s(ROLE_DN)
b69e47
+        except ldap.LDAPError as e:
b69e47
+            topo.standalone.log.fatal('delete failed: error ' + str(e))
b69e47
+            assert False
b69e47
+        time.sleep(1)
b69e47
 
b69e47
     topo.standalone.log.info('Test Passed')
b69e47
 
b69e47
diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
b69e47
index 4f27c4c..3697eaa 100644
b69e47
--- a/ldap/servers/plugins/roles/roles_cache.c
b69e47
+++ b/ldap/servers/plugins/roles/roles_cache.c
b69e47
@@ -1073,20 +1073,38 @@ static int roles_cache_create_role_under(roles_cache_def** roles_cache_suffix, S
b69e47
 }
b69e47
 
b69e47
 /*
b69e47
- * Check that we are not using nsrole in the filter
b69e47
+ * Check that we are not using nsrole in the filter, recurse over all the
b69e47
+ * nested filters.
b69e47
  */
b69e47
 static int roles_check_filter(Slapi_Filter *filter_list)
b69e47
 {
b69e47
 	Slapi_Filter  *f;
b69e47
 	char *type = NULL;
b69e47
 
b69e47
-	for ( f = slapi_filter_list_first( filter_list );
b69e47
-	          f != NULL;
b69e47
-	          f = slapi_filter_list_next( filter_list, f ) )
b69e47
-	{
b69e47
-		slapi_filter_get_attribute_type(f, &type);
b69e47
-		if (strcasecmp(type, NSROLEATTR) == 0){
b69e47
-			return -1;
b69e47
+	f = slapi_filter_list_first( filter_list );
b69e47
+	if (f == NULL){
b69e47
+		/* Single filter */
b69e47
+		if (slapi_filter_get_attribute_type(filter_list, &type) == 0){
b69e47
+			if (strcasecmp(type, NSROLEATTR) == 0){
b69e47
+				return -1;
b69e47
+			}
b69e47
+		}
b69e47
+	}
b69e47
+	for ( ; f != NULL; f = slapi_filter_list_next(filter_list, f) ){
b69e47
+		/* Complex filter */
b69e47
+		if (slapi_filter_list_first(f)) {
b69e47
+			/* Another filter list - recurse */
b69e47
+			if (roles_check_filter(f) == -1){
b69e47
+				/* Done, break out */
b69e47
+				return -1;
b69e47
+			}
b69e47
+		} else {
b69e47
+			/* Not a filter list, so check the type */
b69e47
+			if (slapi_filter_get_attribute_type(f, &type) == 0){
b69e47
+				if (strcasecmp(type, NSROLEATTR) == 0){
b69e47
+					return -1;
b69e47
+				}
b69e47
+			}
b69e47
 		}
b69e47
 	}
b69e47
 
b69e47
-- 
b69e47
2.9.4
b69e47