From f68b4dae7faea871b925fd551aefd6c428200cc4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 27 Mar 2020 17:05:14 +0100
Subject: [PATCH 7/7] sysdb: sanitize certmap rule name before using it in DN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
|
The name of a certificate mapping and matching rule might contain
characters which are not allowed in RDNs and must be escaped before it
can be used in the DN of the cached certmap object.
|
Resolves: https://pagure.io/SSSD/sssd/issue/3721
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 27a3c0cf354bf2e85f50d7b4650d8a22120a5691)
---
src/db/sysdb_certmap.c | 29 ++++++++++++++++++++++++---
src/tests/cmocka/test_sysdb_certmap.c | 25 +++++++++++++++++++++--
2 files changed, 49 insertions(+), 5 deletions(-)
|
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
index 6d83ba088..eda20f5a7 100644
--- a/src/db/sysdb_certmap.c
+++ b/src/db/sysdb_certmap.c
@@ -70,6 +70,30 @@ done:
return ret;
}
|
+static struct ldb_dn *sysdb_certmap_dn(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *name)
+{
+ int ret;
+ char *clean_name;
+ struct ldb_dn *dn = NULL;
+
+ ret = sysdb_dn_sanitize(mem_ctx, name, &clean_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_dn_sanitize failed.\n");
+ return NULL;
+ }
+
+ dn = ldb_dn_new_fmt(mem_ctx, sysdb->ldb, SYSDB_TMPL_CERTMAP, clean_name);
+ talloc_free(clean_name);
+ if (dn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new_fmt failed.\n");
+ return NULL;
+ }
+
+ return dn;
+}
+
static errno_t sysdb_certmap_add(struct sysdb_ctx *sysdb,
struct certmap_info *certmap)
{
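Review bot: sysdb_certmap_dn returns NULL for both a sysdb_dn_sanitize failure and an ldb_dn_new_fmt failure, and the caller in the second hunk maps every NULL to `ret = ENOMEM`, so a non-memory failure in sanitizing (if sysdb_dn_sanitize can report one) would reach callers as an out-of-memory error; returning an errno_t with the DN as an out parameter would preserve the original cause. The new helper also has no header comment although it is the security-relevant part of the change; something like `/* Build the DN of the cached certmap object for rule 'name'. The name is escaped first so that RDN special characters (',', '=', '+', ...) in a rule name cannot alter the structure of the resulting DN. Returns NULL on any failure. */` would document why the extra step exists. If other places in this file still build a certmap DN from SYSDB_TMPL_CERTMAP and a raw name, they should be routed through this helper as well; none are visible in this patch.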
@@ -92,10 +116,9 @@ static errno_t sysdb_certmap_add(struct sysdb_ctx *sysdb,
goto done;
}
|
- msg->dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb,
- SYSDB_TMPL_CERTMAP, certmap->name);
+ msg->dn = sysdb_certmap_dn(tmp_ctx, sysdb, certmap->name);
if (msg->dn == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new_fmt failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_certmap_dn failed.\n");
ret = ENOMEM;
goto done;
}
diff --git a/src/tests/cmocka/test_sysdb_certmap.c b/src/tests/cmocka/test_sysdb_certmap.c
index e78ea8504..57b28bd6c 100644
--- a/src/tests/cmocka/test_sysdb_certmap.c
+++ b/src/tests/cmocka/test_sysdb_certmap.c
@@ -133,12 +133,20 @@ static void test_sysdb_update_certmap(void **state)
{
int ret;
const char *domains[] = { "dom1.test", "dom2.test", "dom3.test", NULL };
- struct certmap_info map_a = { discard_const("map_a"), 11, discard_const("abc"), discard_const("def"), NULL };
- struct certmap_info map_b = { discard_const("map_b"), UINT_MAX, discard_const("abc"), NULL, domains };
+ struct certmap_info map_a = { discard_const("map_a"), 11,
+ discard_const("abc"), discard_const("def"),
+ NULL };
+ struct certmap_info map_b = { discard_const("map_b"), UINT_MAX,
+ discard_const("abc"), NULL, domains };
+ struct certmap_info map_c = { discard_const("cn=map_c,dc=sssd,dc=org"),
+ UINT_MAX, discard_const("abc"), NULL,
+ domains };
+
struct certmap_info *certmap_empty[] = { NULL };
struct certmap_info *certmap_a[] = { &map_a, NULL };
struct certmap_info *certmap_b[] = { &map_b, NULL };
struct certmap_info *certmap_ab[] = { &map_a, &map_b, NULL };
+ struct certmap_info *certmap_c[] = { &map_c, NULL };
struct certmap_info **certmap;
struct certmap_test_ctx *ctctx = talloc_get_type(*state,
struct certmap_test_ctx);
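Review bot: map_c exercises only '=' and ',' in a rule name, yet the escaping is the whole point of the fix; a second rule whose name carries another RDN-special character (a '+', a leading '#', or a trailing space) would pin the behaviour beyond the single injection-shaped string and catch a regression in the escaping helper rather than just in DN parsing. The reformatted map_a/map_b and the new map_c keep positional initializers; designated initializers would make the field order explicit and keep these multi-line initializers readable if certmap_info gains a field. The enclosing test function continues past this hunk.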
@@ -207,6 +215,19 @@ static void test_sysdb_update_certmap(void **state)
check_certmap(certmap[1], &map_a, 0);
}
talloc_free(certmap);
+
+ ret = sysdb_update_certmap(ctctx->tctx->sysdb, certmap_c, false);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_get_certmap(ctctx, ctctx->tctx->sysdb, &certmap,
+ &user_name_hint);
+ assert_int_equal(ret, EOK);
+ assert_false(user_name_hint);
+ assert_non_null(certmap);
+ assert_non_null(certmap[0]);
+ check_certmap(certmap[0], &map_c, 3);
+ assert_null(certmap[1]);
+ talloc_free(certmap);
}
|
int main(int argc, const char *argv[])
--
2.21.1