andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 6 months ago
Clone
Blob Blame History Raw
From 18491418e661b5dc1b9ca4c6bb4adb85bfb0bf0d Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 9 May 2017 16:31:52 -0400
Subject: [PATCH] Ticket 49246 - ns-slapd crashes in role cache creation

Bug Description:  Using a nested filter for a filtered role can
                  cause a crash.  This was due to the way the filter
                  was being checked by the roles plugin.

Fix Description:  Properly resurse over a filter.

https://pagure.io/389-ds-base/issue/49246

Reviewed by: firstyear & tbordaz(Thanks!!)

(cherry picked from commit 54e4fca35899550e0c25b25e7f7c756302d258ce)
---
 dirsrvtests/tests/tickets/ticket49122_test.py | 61 ++++++++++++++++++---------
 ldap/servers/plugins/roles/roles_cache.c      | 34 +++++++++++----
 2 files changed, 66 insertions(+), 29 deletions(-)

diff --git a/dirsrvtests/tests/tickets/ticket49122_test.py b/dirsrvtests/tests/tickets/ticket49122_test.py
index ff1e8d1..0945122 100644
--- a/dirsrvtests/tests/tickets/ticket49122_test.py
+++ b/dirsrvtests/tests/tickets/ticket49122_test.py
@@ -2,8 +2,7 @@ import time
 import ldap
 import logging
 import pytest
-from lib389 import DirSrv, Entry, tools, tasks
-from lib389.tools import DirSrvTools
+from lib389 import Entry
 from lib389._constants import *
 from lib389.properties import *
 from lib389.tasks import *
@@ -19,6 +18,15 @@ log = logging.getLogger(__name__)
 
 USER_DN = 'uid=user,' + DEFAULT_SUFFIX
 ROLE_DN = 'cn=Filtered_Role_That_Includes_Empty_Role,' + DEFAULT_SUFFIX
+filters = ['nsrole=cn=empty,dc=example,dc=com',
+           '(nsrole=cn=empty,dc=example,dc=com)',
+           '(&(nsrole=cn=empty,dc=example,dc=com))',
+           '(!(nsrole=cn=empty,dc=example,dc=com))',
+           '(&(|(objectclass=person)(sn=app*))(userpassword=*))',
+           '(&(|(objectclass=person)(nsrole=cn=empty,dc=example,dc=com))(userpassword=*))',
+           '(&(|(nsrole=cn=empty,dc=example,dc=com)(sn=app*))(userpassword=*))',
+           '(&(|(objectclass=person)(sn=app*))(nsrole=cn=empty,dc=example,dc=com))',
+           '(&(|(&(cn=*)(objectclass=person)(nsrole=cn=empty,dc=example,dc=com)))(uid=*))']
 
 
 def test_ticket49122(topo):
@@ -29,18 +37,6 @@ def test_ticket49122(topo):
     topo.standalone.plugins.enable(name=PLUGIN_ROLES)
     topo.standalone.restart()
 
-    # Add invalid role
-    try:
-        topo.standalone.add_s(Entry((
-            ROLE_DN, {'objectclass': ['top', 'ldapsubentry', 'nsroledefinition',
-                                      'nscomplexroledefinition', 'nsfilteredroledefinition'],
-                      'cn': 'Filtered_Role_That_Includes_Empty_Role',
-                      'nsRoleFilter': '(!(nsrole=cn=This_Is_An_Empty_Managed_NsRoleDefinition,dc=example,dc=com))',
-                      'description': 'A filtered role with filter that will crash the server'})))
-    except ldap.LDAPError as e:
-        topo.standalone.log.fatal('Failed to add filtered role: error ' + e.message['desc'])
-        assert False
-
     # Add test user
     try:
         topo.standalone.add_s(Entry((
@@ -51,16 +47,39 @@ def test_ticket49122(topo):
         assert False
 
     if DEBUGGING:
-        # Add debugging steps(if any)...
         print("Attach gdb")
         time.sleep(20)
 
-    # Search for the role
-    try:
-        topo.standalone.search_s(USER_DN, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nsrole'])
-    except ldap.LDAPError as e:
-        topo.standalone.log.fatal('Search failed: error ' + str(e))
-        assert False
+    # Loop over filters
+    for role_filter in filters:
+        log.info('Testing filter: ' + role_filter)
+
+        # Add invalid role
+        try:
+            topo.standalone.add_s(Entry((
+                ROLE_DN, {'objectclass': ['top', 'ldapsubentry', 'nsroledefinition',
+                                          'nscomplexroledefinition', 'nsfilteredroledefinition'],
+                          'cn': 'Filtered_Role_That_Includes_Empty_Role',
+                          'nsRoleFilter': role_filter,
+                          'description': 'A filtered role with filter that will crash the server'})))
+        except ldap.LDAPError as e:
+            topo.standalone.log.fatal('Failed to add filtered role: error ' + e.message['desc'])
+            assert False
+
+        # Search for the role
+        try:
+            topo.standalone.search_s(USER_DN, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nsrole'])
+        except ldap.LDAPError as e:
+            topo.standalone.log.fatal('Search failed: error ' + str(e))
+            assert False
+
+        # Cleanup
+        try:
+            topo.standalone.delete_s(ROLE_DN)
+        except ldap.LDAPError as e:
+            topo.standalone.log.fatal('delete failed: error ' + str(e))
+            assert False
+        time.sleep(1)
 
     topo.standalone.log.info('Test Passed')
 
diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
index 4f27c4c..3697eaa 100644
--- a/ldap/servers/plugins/roles/roles_cache.c
+++ b/ldap/servers/plugins/roles/roles_cache.c
@@ -1073,20 +1073,38 @@ static int roles_cache_create_role_under(roles_cache_def** roles_cache_suffix, S
 }
 
 /*
- * Check that we are not using nsrole in the filter
+ * Check that we are not using nsrole in the filter, recurse over all the
+ * nested filters.
  */
 static int roles_check_filter(Slapi_Filter *filter_list)
 {
 	Slapi_Filter  *f;
 	char *type = NULL;
 
-	for ( f = slapi_filter_list_first( filter_list );
-	          f != NULL;
-	          f = slapi_filter_list_next( filter_list, f ) )
-	{
-		slapi_filter_get_attribute_type(f, &type);
-		if (strcasecmp(type, NSROLEATTR) == 0){
-			return -1;
+	f = slapi_filter_list_first( filter_list );
+	if (f == NULL){
+		/* Single filter */
+		if (slapi_filter_get_attribute_type(filter_list, &type) == 0){
+			if (strcasecmp(type, NSROLEATTR) == 0){
+				return -1;
+			}
+		}
+	}
+	for ( ; f != NULL; f = slapi_filter_list_next(filter_list, f) ){
+		/* Complex filter */
+		if (slapi_filter_list_first(f)) {
+			/* Another filter list - recurse */
+			if (roles_check_filter(f) == -1){
+				/* Done, break out */
+				return -1;
+			}
+		} else {
+			/* Not a filter list, so check the type */
+			if (slapi_filter_get_attribute_type(f, &type) == 0){
+				if (strcasecmp(type, NSROLEATTR) == 0){
+					return -1;
+				}
+			}
 		}
 	}
 
-- 
2.9.4