dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0052-negcache-make-sure-short-names-are-added-to-sub-doma.patch

32a074
From c3207deee7411456827e69d0b72d7d44e7458853 Mon Sep 17 00:00:00 2001
32a074
From: Sumit Bose <sbose@redhat.com>
32a074
Date: Fri, 9 Oct 2020 11:56:21 +0200
32a074
Subject: [PATCH 52/53] negcache: make sure short names are added to
32a074
 sub-domains
32a074
32a074
If short names are used with filter_users or filter_groups in a
32a074
[domain/...] section they should be added to the sub-domains of this
32a074
domain as well.
32a074
32a074
Resolves: https://github.com/SSSD/sssd/issues/5238
32a074
32a074
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
32a074
(cherry picked from commit 0dc81a52e2836010974e9f71b1f3e47c20fd498d)
32a074
---
32a074
 src/responder/common/negcache.c  | 105 +++++++------
32a074
 src/tests/cmocka/test_negcache.c | 254 +++++++++++++++++++++++++++++++
32a074
 2 files changed, 312 insertions(+), 47 deletions(-)
32a074
32a074
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
32a074
index b9586f315..47fbb2106 100644
32a074
--- a/src/responder/common/negcache.c
32a074
+++ b/src/responder/common/negcache.c
32a074
@@ -969,6 +969,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
32a074
     char *name = NULL;
32a074
     struct sss_domain_info *dom = NULL;
32a074
     struct sss_domain_info *domain_list = rctx->domains;
32a074
+    struct sss_domain_info *ddom;
32a074
     char *domainname = NULL;
32a074
     char *conf_path = NULL;
32a074
     TALLOC_CTX *tmpctx = talloc_new(NULL);
32a074
@@ -1011,39 +1012,44 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
32a074
                 continue;
32a074
             }
32a074
 
32a074
-            if (domainname && strcmp(domainname, dom->name)) {
32a074
-                DEBUG(SSSDBG_TRACE_FUNC,
32a074
-                      "Mismatch between domain name (%s) and name "
32a074
-                          "set in FQN  (%s), assuming %s is UPN\n",
32a074
-                          dom->name, domainname, filter_list[i]);
32a074
-                ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
32a074
+            /* Check domain and its sub-domains */
32a074
+            for (ddom = dom; ddom != NULL;
32a074
+                        ddom = get_next_domain(ddom, SSS_GND_ALL_SUBDOMAINS)) {
32a074
+
32a074
+                if (domainname && strcmp(domainname, ddom->name)) {
32a074
+                    DEBUG(SSSDBG_TRACE_FUNC,
32a074
+                          "Mismatch between domain name (%s) and name "
32a074
+                              "set in FQN  (%s), assuming %s is UPN\n",
32a074
+                              ddom->name, domainname, filter_list[i]);
32a074
+                    ret = sss_ncache_set_upn(ncache, true, ddom, filter_list[i]);
32a074
+                    if (ret != EOK) {
32a074
+                        DEBUG(SSSDBG_OP_FAILURE,
32a074
+                              "sss_ncache_set_upn failed (%d [%s]), ignored\n",
32a074
+                              ret, sss_strerror(ret));
32a074
+                    }
32a074
+                    continue;
32a074
+                }
32a074
+
32a074
+                fqname = sss_create_internal_fqname(tmpctx, name, ddom->name);
32a074
+                if (fqname == NULL) {
32a074
+                    continue;
32a074
+                }
32a074
+
32a074
+                ret = sss_ncache_set_upn(ncache, true, ddom, fqname);
32a074
                 if (ret != EOK) {
32a074
                     DEBUG(SSSDBG_OP_FAILURE,
32a074
                           "sss_ncache_set_upn failed (%d [%s]), ignored\n",
32a074
                           ret, sss_strerror(ret));
32a074
                 }
32a074
-                continue;
32a074
-            }
32a074
-
32a074
-            fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
32a074
-            if (fqname == NULL) {
32a074
-                continue;
32a074
-            }
32a074
-
32a074
-            ret = sss_ncache_set_upn(ncache, true, dom, fqname);
32a074
-            if (ret != EOK) {
32a074
-                DEBUG(SSSDBG_OP_FAILURE,
32a074
-                      "sss_ncache_set_upn failed (%d [%s]), ignored\n",
32a074
-                      ret, sss_strerror(ret));
32a074
-            }
32a074
-            ret = sss_ncache_set_user(ncache, true, dom, fqname);
32a074
-            talloc_zfree(fqname);
32a074
-            if (ret != EOK) {
32a074
-                DEBUG(SSSDBG_CRIT_FAILURE,
32a074
-                      "Failed to store permanent user filter for [%s]"
32a074
-                          " (%d [%s])\n", filter_list[i],
32a074
-                          ret, sss_strerror(ret));
32a074
-                continue;
32a074
+                ret = sss_ncache_set_user(ncache, true, ddom, fqname);
32a074
+                talloc_zfree(fqname);
32a074
+                if (ret != EOK) {
32a074
+                    DEBUG(SSSDBG_CRIT_FAILURE,
32a074
+                          "Failed to store permanent user filter for [%s]"
32a074
+                              " (%d [%s])\n", filter_list[i],
32a074
+                              ret, sss_strerror(ret));
32a074
+                    continue;
32a074
+                }
32a074
             }
32a074
         }
32a074
     }
32a074
@@ -1159,27 +1165,32 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
32a074
                 continue;
32a074
             }
32a074
 
32a074
-            if (domainname && strcmp(domainname, dom->name)) {
32a074
-                DEBUG(SSSDBG_CRIT_FAILURE,
32a074
-                      "Mismatch between domain name (%s) and name "
32a074
-                          "set in FQN  (%s), skipping group %s\n",
32a074
-                          dom->name, domainname, name);
32a074
-                continue;
32a074
-            }
32a074
+            /* Check domain and its sub-domains */
32a074
+            for (ddom = dom;
32a074
+                        ddom != NULL && (ddom == dom || ddom->parent != NULL);
32a074
+                        ddom = get_next_domain(ddom, SSS_GND_ALL_DOMAINS)) {
32a074
+                if (domainname && strcmp(domainname, ddom->name)) {
32a074
+                    DEBUG(SSSDBG_CRIT_FAILURE,
32a074
+                          "Mismatch between domain name (%s) and name "
32a074
+                              "set in FQN  (%s), skipping group %s\n",
32a074
+                              ddom->name, domainname, name);
32a074
+                    continue;
32a074
+                }
32a074
 
32a074
-            fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
32a074
-            if (fqname == NULL) {
32a074
-                continue;
32a074
-            }
32a074
+                fqname = sss_create_internal_fqname(tmpctx, name, ddom->name);
32a074
+                if (fqname == NULL) {
32a074
+                    continue;
32a074
+                }
32a074
 
32a074
-            ret = sss_ncache_set_group(ncache, true, dom, fqname);
32a074
-            talloc_zfree(fqname);
32a074
-            if (ret != EOK) {
32a074
-                DEBUG(SSSDBG_CRIT_FAILURE,
32a074
-                      "Failed to store permanent group filter for [%s]"
32a074
-                          " (%d [%s])\n", filter_list[i],
32a074
-                          ret, strerror(ret));
32a074
-                continue;
32a074
+                ret = sss_ncache_set_group(ncache, true, ddom, fqname);
32a074
+                talloc_zfree(fqname);
32a074
+                if (ret != EOK) {
32a074
+                    DEBUG(SSSDBG_CRIT_FAILURE,
32a074
+                          "Failed to store permanent group filter for [%s]"
32a074
+                              " (%d [%s])\n", filter_list[i],
32a074
+                              ret, strerror(ret));
32a074
+                    continue;
32a074
+                }
32a074
             }
32a074
         }
32a074
     }
32a074
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
32a074
index 0876cfdaf..7a8827685 100644
32a074
--- a/src/tests/cmocka/test_negcache.c
32a074
+++ b/src/tests/cmocka/test_negcache.c
32a074
@@ -102,6 +102,8 @@ static int setup(void **state)
32a074
     int ret;
32a074
     struct test_state *ts;
32a074
 
32a074
+    test_dom_suite_setup(TESTS_PATH);
32a074
+
32a074
     ts = talloc(NULL, struct test_state);
32a074
     assert_non_null(ts);
32a074
 
32a074
@@ -116,6 +118,7 @@ static int setup(void **state)
32a074
 static int teardown(void **state)
32a074
 {
32a074
     struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
32a074
+    test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
32a074
     talloc_free(ts);
32a074
     return 0;
32a074
 }
32a074
@@ -904,6 +907,255 @@ static void test_sss_ncache_reset_prepopulate(void **state)
32a074
     assert_int_equal(ret, EEXIST);
32a074
 }
32a074
 
32a074
+/* The main purpose of test_sss_ncache_short_name_in_domain is to test that
32a074
+ * short names in the filter_users or filter_groups options in a [domain/...]
32a074
+ * section are properly added to the related sub-domains as well (if there are
32a074
+ * any) and not added to domains from other [domain/...] sections. For
32a074
+ * completeness entries with fully-qualified names of the parent and the
32a074
+ * sub-domain and the generic UPN are added as well.
32a074
+ *
32a074
+ * The result should of course be independent of the present domains. To
32a074
+ * verify this the domains are added one after the other and the negative
32a074
+ * cache is repopulated each time.
32a074
+ *
32a074
+ * With the given domains, users and group we have to following expectations:
32a074
+ *  - the short name entry will be added to the domain and all sub-domains as
32a074
+ *    name and as upn by expanding it to a fully-qualified name with the
32a074
+ *    domain name or sub-domain name respectively
32a074
+ *  - the fully-qualified name from the parent domain is added as name and upn
32a074
+ *    to the parent domain and as upn to all sub-domains
32a074
+ *  - the fully-qualified name from the sub-domain is added as name to the
32a074
+ *    sub-domain and as upn to the parent and all sub-domains
32a074
+ *  - the generic upn is nowhere added as name and as upn to the parent and all
32a074
+ *    sub-domains
32a074
+ *  - none of the names is added to a different parent domain
32a074
+ *
32a074
+ * The following table should illustrated the expectations:
32a074
+ *
32a074
+ * user (name):
32a074
+ *                 | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom
32a074
+ *-----------------+-----------+-----------------------+--------------------------+------------
32a074
+ * TEST_DOM_NAME   |  PRESENT  |  PRESENT              |  MISSING                 |  MISSING
32a074
+ * subTEST_DOM_NAME|  PRESENT  |  MISSING              |  PRESENT                 |  MISSING
32a074
+ * TEST_DOM_NAME2  |  MISSING  |  MISSING              |  MISSING                 |  MISSING
32a074
+ *
32a074
+ * user (upn):
32a074
+ *                 | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom
32a074
+ *-----------------+-----------+-----------------------+--------------------------+------------
32a074
+ * TEST_DOM_NAME   |  PRESENT  |  PRESENT              |  PRESENT                 |  PRESENT
32a074
+ * subTEST_DOM_NAME|  PRESENT  |  PRESENT              |  PRESENT                 |  PRESENT
32a074
+ * TEST_DOM_NAME2  |  MISSING  |  MISSING              |  MISSING                 |  MISSING
32a074
+ *
32a074
+ *
32a074
+ *
32a074
+ * groups:
32a074
+ *                 | shortgroup | parentg@TEST_DOM_NAME | subdomg@subTEST_DOM_NAME
32a074
+ *-----------------+------------+-----------------------+-------------------------
32a074
+ * TEST_DOM_NAME   |  PRESENT   |  PRESENT              |  MISSING
32a074
+ * subTEST_DOM_NAME|  PRESENT   |  MISSING              |  PRESENT
32a074
+ * TEST_DOM_NAME2  |  MISSING   |  MISSING              |  MISSING
32a074
+ *
32a074
+ *
32a074
+ * The following expect_*() implement checks for the expextations:
32a074
+ */
32a074
+
32a074
+static void expect_in_parent(struct sss_nc_ctx *ncache,
32a074
+                             struct sss_domain_info *dom)
32a074
+{
32a074
+    int ret;
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, dom, "shortuser");
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+    ret = sss_ncache_check_upn(ncache, dom, "shortuser@"TEST_DOM_NAME);
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, dom, "parentu");
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+    ret = sss_ncache_check_upn(ncache, dom, "parentu@"TEST_DOM_NAME);
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, dom, "subdomu");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+    ret = sss_ncache_check_upn(ncache, dom, "subdomu@sub"TEST_DOM_NAME);
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, dom, "upn");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+    ret = sss_ncache_check_upn(ncache, dom, "upn@upn.dom");
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+    ret = check_group_in_ncache(ncache, dom, "shortgroup");
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+    ret = check_group_in_ncache(ncache, dom, "parentg");
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+    ret = check_group_in_ncache(ncache, dom, "subdomg");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+}
32a074
+
32a074
+static void expect_in_subdomain(struct sss_nc_ctx *ncache,
32a074
+                                struct sss_domain_info *sub_dom)
32a074
+{
32a074
+    int ret;
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, sub_dom, "shortuser");
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+    ret = sss_ncache_check_upn(ncache, sub_dom, "shortuser@sub"TEST_DOM_NAME);
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, sub_dom, "subdomu");
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+    ret = sss_ncache_check_upn(ncache, sub_dom, "subdomu@sub"TEST_DOM_NAME);
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, sub_dom, "upn");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+    ret = sss_ncache_check_upn(ncache, sub_dom, "upn@upn.dom");
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, sub_dom, "parentu");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+    ret = sss_ncache_check_upn(ncache, sub_dom, "parentu@"TEST_DOM_NAME);
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+
32a074
+    ret = check_group_in_ncache(ncache, sub_dom, "shortgroup");
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+
32a074
+    ret = check_group_in_ncache(ncache, sub_dom, "parentg");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+
32a074
+    ret = check_group_in_ncache(ncache, sub_dom, "subdomg");
32a074
+    assert_int_equal(ret, EEXIST);
32a074
+}
32a074
+static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,
32a074
+                                     struct sss_domain_info *dom2)
32a074
+{
32a074
+    int ret;
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, dom2, "shortuser");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+    ret = sss_ncache_check_upn(ncache, dom2, "shortuser"TEST_DOM_NAME);
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, dom2, "parentu");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+    ret = sss_ncache_check_upn(ncache, dom2, "parentu@"TEST_DOM_NAME);
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, dom2, "subdomu");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+    ret = sss_ncache_check_upn(ncache, dom2, "subdomu@sub"TEST_DOM_NAME);
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+
32a074
+    ret = check_user_in_ncache(ncache, dom2, "upn");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+    ret = sss_ncache_check_upn(ncache, dom2, "upn@upn.dom");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+
32a074
+    ret = check_group_in_ncache(ncache, dom2, "shortgroup");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+
32a074
+    ret = check_group_in_ncache(ncache, dom2, "parentg");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+
32a074
+    ret = check_group_in_ncache(ncache, dom2, "subdomg");
32a074
+    assert_int_equal(ret, ENOENT);
32a074
+}
32a074
+
32a074
+static void test_sss_ncache_short_name_in_domain(void **state)
32a074
+{
32a074
+    int ret;
32a074
+    struct test_state *ts;
32a074
+    struct tevent_context *ev;
32a074
+    struct sss_nc_ctx *ncache;
32a074
+    struct sss_test_ctx *tc;
32a074
+    struct sss_domain_info *dom;
32a074
+    struct sss_domain_info *dom2;
32a074
+    struct sss_domain_info *sub_dom;
32a074
+
32a074
+    struct sss_test_conf_param params[] = {
32a074
+        { "filter_users", "shortuser, parentu@"TEST_DOM_NAME", "
32a074
+          "subdomu@sub"TEST_DOM_NAME", upn@upn.dom" },
32a074
+        { "filter_groups", "shortgroup, parentg@"TEST_DOM_NAME", "
32a074
+          "subdomg@sub"TEST_DOM_NAME },
32a074
+        { NULL, NULL },
32a074
+    };
32a074
+
32a074
+    const char *nss_filter_users[] = { params[0].value, NULL};
32a074
+    const char *nss_filter_groups[] = { params[1].value, NULL};
32a074
+
32a074
+    ts = talloc_get_type_abort(*state, struct test_state);
32a074
+
32a074
+    ev = tevent_context_init(ts);
32a074
+    assert_non_null(ev);
32a074
+
32a074
+    dom = talloc_zero(ts, struct sss_domain_info);
32a074
+    assert_non_null(dom);
32a074
+    dom->name = discard_const_p(char, TEST_DOM_NAME);
32a074
+    sss_domain_set_state(dom, DOM_ACTIVE);
32a074
+
32a074
+    ts->nctx = mock_nctx(ts);
32a074
+    assert_non_null(ts->nctx);
32a074
+
32a074
+    tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
32a074
+                             TEST_DOM_NAME, TEST_ID_PROVIDER, params);
32a074
+    assert_non_null(tc);
32a074
+
32a074
+    ret = confdb_add_param(tc->confdb, true, "config/domain/"TEST_DOM_NAME,
32a074
+                           "filter_users", nss_filter_users);
32a074
+    assert_int_equal(ret, EOK);
32a074
+
32a074
+    ret = confdb_add_param(tc->confdb, true, "config/domain"TEST_DOM_NAME,
32a074
+                           "filter_groups", nss_filter_groups);
32a074
+    assert_int_equal(ret, EOK);
32a074
+
32a074
+    ncache = ts->ctx;
32a074
+    ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
32a074
+    assert_non_null(ts->rctx);
32a074
+    ts->rctx->cdb = tc->confdb;
32a074
+
32a074
+    ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
32a074
+    assert_int_equal(ret, EOK);
32a074
+
32a074
+    ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
32a074
+    assert_int_equal(ret, EOK);
32a074
+
32a074
+    /* Add another domain */
32a074
+    dom2 = talloc_zero(ts, struct sss_domain_info);
32a074
+    assert_non_null(dom2);
32a074
+    dom2->name = discard_const_p(char, TEST_DOM_NAME"2");
32a074
+    sss_domain_set_state(dom2, DOM_ACTIVE);
32a074
+    dom->next = dom2;
32a074
+    dom2->names = dom->names;
32a074
+
32a074
+    expect_in_parent(ncache, dom);
32a074
+    expect_no_entries_in_dom(ncache, dom2);
32a074
+
32a074
+    ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
32a074
+    assert_int_equal(ret, EOK);
32a074
+
32a074
+    expect_in_parent(ncache, dom);
32a074
+    expect_no_entries_in_dom(ncache, dom2);
32a074
+
32a074
+    /* Add a sub domain */
32a074
+    sub_dom = talloc_zero(ts, struct sss_domain_info);
32a074
+    assert_non_null(sub_dom);
32a074
+    sub_dom->name = discard_const_p(char, "sub"TEST_DOM_NAME);
32a074
+    sss_domain_set_state(sub_dom, DOM_ACTIVE);
32a074
+    sub_dom->parent = dom;
32a074
+    dom->subdomains = sub_dom;
32a074
+    sub_dom->names = dom->names;
32a074
+
32a074
+    ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
32a074
+    assert_int_equal(ret, EOK);
32a074
+
32a074
+    expect_in_parent(ncache, dom);
32a074
+    expect_in_subdomain(ncache, sub_dom);
32a074
+    expect_no_entries_in_dom(ncache, dom2);
32a074
+}
32a074
+
32a074
 static void test_sss_ncache_reset(void **state)
32a074
 {
32a074
     errno_t ret;
32a074
@@ -1066,6 +1318,8 @@ int main(void)
32a074
                                         setup, teardown),
32a074
         cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate,
32a074
                                         setup, teardown),
32a074
+        cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,
32a074
+                                        setup, teardown),
32a074
         cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
32a074
                                         setup, teardown),
32a074
         cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
32a074
-- 
32a074
2.21.3
32a074