dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0119-AD-Make-ad_account_can_shortcut-reusable-by-SSSD-on-.patch

ecf709
From 54790675d0fd0627f7db8449ef97d59c0632006e Mon Sep 17 00:00:00 2001
ecf709
From: Jakub Hrozek <jhrozek@redhat.com>
ecf709
Date: Mon, 24 Apr 2017 10:13:44 +0200
ecf709
Subject: [PATCH 119/119] AD: Make ad_account_can_shortcut() reusable by SSSD
ecf709
 on an IPA server
ecf709
MIME-Version: 1.0
ecf709
Content-Type: text/plain; charset=UTF-8
ecf709
Content-Transfer-Encoding: 8bit
ecf709
ecf709
Resolves:
ecf709
    https://pagure.io/SSSD/sssd/issue/3318
ecf709
ecf709
The ad_account_can_shortcut() function is helpful to avoid unnecessary
ecf709
searches when SSSD is configured with an Active Directory domain that
ecf709
uses ID-mapping in the sense that if we find that an ID is outside our
ecf709
range, we can just abort the search in this domain and carry on.
ecf709
ecf709
This function was only used in the AD provider functions which are used
ecf709
when SSSD is enrolled direcly with an AD server. This patch moves the
ecf709
function to a codepath that is shared between directly enrolled SSSD and
ecf709
SSSD running on an IPA server.
ecf709
ecf709
Apart from moving the code, there are some minor changes to the function
ecf709
signature, namely the domain is passed as as struct (previously the
ecf709
domain name from the DP input was passed).
ecf709
ecf709
Reviewed-by: Michal Židek <mzidek@redhat.com>
ecf709
(cherry picked from commit dfe05f505dcfea16e7d66ca1a44206aa2570e861)
ecf709
---
ecf709
 src/providers/ad/ad_id.c | 162 ++++++++++++++++++++++++-----------------------
ecf709
 1 file changed, 84 insertions(+), 78 deletions(-)
ecf709
ecf709
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
ecf709
index 8f26cb8744d2372c6180342c0d1bca025b16f52c..d1f6c444f5ddbcbbac6ff7f41fb6c8bf9ca976cb 100644
ecf709
--- a/src/providers/ad/ad_id.c
ecf709
+++ b/src/providers/ad/ad_id.c
ecf709
@@ -50,6 +50,77 @@ disable_gc(struct ad_options *ad_options)
ecf709
     }
ecf709
 }
ecf709
 
ecf709
+static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx,
ecf709
+                                    struct sss_domain_info *domain,
ecf709
+                                    int filter_type,
ecf709
+                                    const char *filter_value)
ecf709
+{
ecf709
+    struct sss_domain_info *dom_head = NULL;
ecf709
+    struct sss_domain_info *sid_dom = NULL;
ecf709
+    enum idmap_error_code err;
ecf709
+    char *sid = NULL;
ecf709
+    const char *csid = NULL;
ecf709
+    uint32_t id;
ecf709
+    bool shortcut = false;
ecf709
+    errno_t ret;
ecf709
+
ecf709
+    if (!sdap_idmap_domain_has_algorithmic_mapping(idmap_ctx, domain->name,
ecf709
+                                                   domain->domain_id)) {
ecf709
+        goto done;
ecf709
+    }
ecf709
+
ecf709
+    switch (filter_type) {
ecf709
+    case BE_FILTER_IDNUM:
ecf709
+        /* convert value to ID */
ecf709
+        errno = 0;
ecf709
+        id = strtouint32(filter_value, NULL, 10);
ecf709
+        if (errno != 0) {
ecf709
+            ret = errno;
ecf709
+            DEBUG(SSSDBG_MINOR_FAILURE, "Unable to convert filter value to "
ecf709
+                  "number [%d]: %s\n", ret, strerror(ret));
ecf709
+            goto done;
ecf709
+        }
ecf709
+
ecf709
+        /* convert the ID to its SID equivalent */
ecf709
+        err = sss_idmap_unix_to_sid(idmap_ctx->map, id, &sid;;
ecf709
+        if (err != IDMAP_SUCCESS) {
ecf709
+            DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: "
ecf709
+                  "[%s]\n", filter_value, idmap_error_string(err));
ecf709
+            goto done;
ecf709
+        }
ecf709
+        /* fall through */
ecf709
+        SSS_ATTRIBUTE_FALLTHROUGH;
ecf709
+    case BE_FILTER_SECID:
ecf709
+        csid = sid == NULL ? filter_value : sid;
ecf709
+
ecf709
+        dom_head = get_domains_head(domain);
ecf709
+        if (dom_head == NULL) {
ecf709
+            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find domain head\n");
ecf709
+            goto done;
ecf709
+        }
ecf709
+
ecf709
+        sid_dom = find_domain_by_sid(dom_head, csid);
ecf709
+        if (sid_dom == NULL) {
ecf709
+            DEBUG(SSSDBG_OP_FAILURE, "Invalid domain for SID:%s\n", csid);
ecf709
+            goto done;
ecf709
+        }
ecf709
+
ecf709
+        if (strcasecmp(sid_dom->name, domain->name) != 0) {
ecf709
+            shortcut = true;
ecf709
+        }
ecf709
+        break;
ecf709
+    default:
ecf709
+        break;
ecf709
+    }
ecf709
+
ecf709
+done:
ecf709
+    if (sid != NULL) {
ecf709
+        sss_idmap_free_sid(idmap_ctx->map, sid);
ecf709
+    }
ecf709
+
ecf709
+    return shortcut;
ecf709
+}
ecf709
+
ecf709
 struct ad_handle_acct_info_state {
ecf709
     struct dp_id_data *ar;
ecf709
     struct sdap_id_ctx *ctx;
ecf709
@@ -78,6 +149,7 @@ ad_handle_acct_info_send(TALLOC_CTX *mem_ctx,
ecf709
     struct ad_handle_acct_info_state *state;
ecf709
     struct be_ctx *be_ctx = ctx->be;
ecf709
     errno_t ret;
ecf709
+    bool shortcut;
ecf709
 
ecf709
     req = tevent_req_create(mem_ctx, &state, struct ad_handle_acct_info_state);
ecf709
     if (req == NULL) {
ecf709
@@ -90,6 +162,18 @@ ad_handle_acct_info_send(TALLOC_CTX *mem_ctx,
ecf709
     state->ad_options = ad_options;
ecf709
     state->cindex = 0;
ecf709
 
ecf709
+    /* Try to shortcut if this is ID or SID search and it belongs to
ecf709
+     * other domain range than is in ar->domain. */
ecf709
+    shortcut = ad_account_can_shortcut(ctx->opts->idmap_ctx,
ecf709
+                                       sdom->dom,
ecf709
+                                       ar->filter_type,
ecf709
+                                       ar->filter_value);
ecf709
+    if (shortcut) {
ecf709
+        DEBUG(SSSDBG_TRACE_FUNC, "This ID is from different domain\n");
ecf709
+        ret = EOK;
ecf709
+        goto immediate;
ecf709
+    }
ecf709
+
ecf709
     if (sss_domain_get_state(sdom->dom) == DOM_INACTIVE) {
ecf709
         ret = ERR_SUBDOM_INACTIVE;
ecf709
         goto immediate;
ecf709
@@ -297,72 +381,6 @@ get_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
ecf709
     return clist;
ecf709
 }
ecf709
 
ecf709
-static bool ad_account_can_shortcut(struct be_ctx *be_ctx,
ecf709
-                                    struct sdap_idmap_ctx *idmap_ctx,
ecf709
-                                    int filter_type,
ecf709
-                                    const char *filter_value,
ecf709
-                                    const char *filter_domain)
ecf709
-{
ecf709
-    struct sss_domain_info *domain = be_ctx->domain;
ecf709
-    struct sss_domain_info *req_dom = NULL;
ecf709
-    enum idmap_error_code err;
ecf709
-    char *sid = NULL;
ecf709
-    const char *csid = NULL;
ecf709
-    uint32_t id;
ecf709
-    bool shortcut = false;
ecf709
-    errno_t ret;
ecf709
-
ecf709
-    if (!sdap_idmap_domain_has_algorithmic_mapping(idmap_ctx, domain->name,
ecf709
-                                                   domain->domain_id)) {
ecf709
-        goto done;
ecf709
-    }
ecf709
-
ecf709
-    switch (filter_type) {
ecf709
-    case BE_FILTER_IDNUM:
ecf709
-        /* convert value to ID */
ecf709
-        errno = 0;
ecf709
-        id = strtouint32(filter_value, NULL, 10);
ecf709
-        if (errno != 0) {
ecf709
-            ret = errno;
ecf709
-            DEBUG(SSSDBG_MINOR_FAILURE, "Unable to convert filter value to "
ecf709
-                  "number [%d]: %s\n", ret, strerror(ret));
ecf709
-            goto done;
ecf709
-        }
ecf709
-
ecf709
-        /* convert the ID to its SID equivalent */
ecf709
-        err = sss_idmap_unix_to_sid(idmap_ctx->map, id, &sid;;
ecf709
-        if (err != IDMAP_SUCCESS) {
ecf709
-            DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: "
ecf709
-                  "[%s]\n", filter_value, idmap_error_string(err));
ecf709
-            goto done;
ecf709
-        }
ecf709
-        /* fall through */
ecf709
-        SSS_ATTRIBUTE_FALLTHROUGH;
ecf709
-    case BE_FILTER_SECID:
ecf709
-        csid = sid == NULL ? filter_value : sid;
ecf709
-
ecf709
-        req_dom = find_domain_by_sid(domain, csid);
ecf709
-        if (req_dom == NULL) {
ecf709
-            DEBUG(SSSDBG_OP_FAILURE, "Invalid domain for SID:%s\n", csid);
ecf709
-            goto done;
ecf709
-        }
ecf709
-
ecf709
-        if (strcasecmp(req_dom->name, filter_domain) != 0) {
ecf709
-            shortcut = true;
ecf709
-        }
ecf709
-        break;
ecf709
-    default:
ecf709
-        break;
ecf709
-    }
ecf709
-
ecf709
-done:
ecf709
-    if (sid != NULL) {
ecf709
-        sss_idmap_free_sid(idmap_ctx->map, sid);
ecf709
-    }
ecf709
-
ecf709
-    return shortcut;
ecf709
-}
ecf709
-
ecf709
 struct ad_account_info_handler_state {
ecf709
     struct sss_domain_info *domain;
ecf709
     struct dp_reply_std reply;
ecf709
@@ -384,7 +402,6 @@ ad_account_info_handler_send(TALLOC_CTX *mem_ctx,
ecf709
     struct tevent_req *subreq;
ecf709
     struct tevent_req *req;
ecf709
     struct be_ctx *be_ctx;
ecf709
-    bool shortcut;
ecf709
     errno_t ret;
ecf709
 
ecf709
     sdap_id_ctx = id_ctx->sdap_id_ctx;
ecf709
@@ -403,17 +420,6 @@ ad_account_info_handler_send(TALLOC_CTX *mem_ctx,
ecf709
         goto immediately;
ecf709
     }
ecf709
 
ecf709
-    /* Try to shortcut if this is ID or SID search and it belongs to
ecf709
-     * other domain range than is in ar->domain. */
ecf709
-    shortcut = ad_account_can_shortcut(be_ctx, sdap_id_ctx->opts->idmap_ctx,
ecf709
-                                       data->filter_type, data->filter_value,
ecf709
-                                       data->domain);
ecf709
-    if (shortcut) {
ecf709
-        DEBUG(SSSDBG_TRACE_FUNC, "This ID is from different domain\n");
ecf709
-        ret = EOK;
ecf709
-        goto immediately;
ecf709
-    }
ecf709
-
ecf709
     domain = be_ctx->domain;
ecf709
     if (strcasecmp(data->domain, be_ctx->domain->name) != 0) {
ecf709
         /* Subdomain request, verify subdomain. */
ecf709
-- 
ecf709
2.9.3
ecf709