From b94b578fac8f94d42fd6fb691438d2dbe5248309 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 31 May 2017 14:21:02 +0200
Subject: [PATCH 149/152] VALIDATORS: Detect inherit_from in normal domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch adds new sssd specific validator. In the future we
can add more checks in it, but currently it only checks if
the option inherit_from is used on normal domain and reports
error if it is.
Resolves:
https://pagure.io/SSSD/sssd/issue/3356
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/config/cfg_rules.ini | 3 ++
src/tests/cmocka/test_config_check.c | 22 +++++++++++++++
src/util/sss_ini.c | 53 +++++++++++++++++++++++++++++++++++-
3 files changed, 77 insertions(+), 1 deletion(-)
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 2c8c0cb98ed039c374c827775798f61369c1521e..744446478e5d5489cd86d8e15ce8e178cf5e3a91 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -711,3 +711,6 @@ option = ad_server
option = ad_backup_server
option = ad_site
option = use_fully_qualified_names
+
+[rule/sssd_checks]
+validator = sssd_checks
diff --git a/src/tests/cmocka/test_config_check.c b/src/tests/cmocka/test_config_check.c
index 8fc0b01f3ef3fe03152efd979a3e96c21ba567cc..bab3226c004fb9495471af7c7d3f6861552d8a86 100644
--- a/src/tests/cmocka/test_config_check.c
+++ b/src/tests/cmocka/test_config_check.c
@@ -217,6 +217,27 @@ void config_check_test_good_sections(void **state)
config_check_test_common(cfg_str, 0, expected_errors);
}
+void config_check_test_inherit_from_in_normal_dom(void **state)
+{
+ char cfg_str[] = "[domain/A.test]\n"
+ "inherit_from = domain\n";
+ const char *expected_errors[] = {
+ "[rule/sssd_checks]: Attribute 'inherit_from' is not allowed in "
+ "section 'domain/A.test'. Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_inherit_from_in_app_dom(void **state)
+{
+ char cfg_str[] = "[application/A.test]\n"
+ "inherit_from = domain\n";
+ const char *expected_errors[] = { NULL };
+
+ config_check_test_common(cfg_str, 0, expected_errors);
+}
+
int main(int argc, const char *argv[])
{
poptContext pc;
@@ -235,6 +256,7 @@ int main(int argc, const char *argv[])
cmocka_unit_test(config_check_test_bad_pac_option_name),
cmocka_unit_test(config_check_test_bad_ifp_option_name),
cmocka_unit_test(config_check_test_good_sections),
+ cmocka_unit_test(config_check_test_inherit_from_in_normal_dom),
};
/* Set debug level to invalid value so we can decide if -d 0 was used. */
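Review bot: `config_check_test_inherit_from_in_app_dom`, defined in the previous hunk, is never added to the test array here; only the normal-domain test is registered, so the case that an application domain may carry `inherit_from` without an error is compiled but never run. Add `cmocka_unit_test(config_check_test_inherit_from_in_app_dom),` after the new entry. Without it, a later change that makes the validator reject application domains as well would pass the suite unnoticed. The body of `main` starts in the previous hunk and continues past the end of this one.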
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index e56006c05555d6e0c5e726e83771abce5a72b139..175a4cfaba7ea964aee174e928d5e3c1e81de638 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -561,12 +561,63 @@ error:
}
#ifdef HAVE_LIBINI_CONFIG_V1_3
+/* Here we can put custom SSSD specific checks that can not be implemented
+ * using libini validators */
+static int custom_sssd_checks(const char *rule_name,
+ struct ini_cfgobj *rules_obj,
+ struct ini_cfgobj *config_obj,
+ struct ini_errobj *errobj,
+ void **data)
+{
+ char **cfg_sections = NULL;
+ int num_cfg_sections;
+ struct value_obj *vo = NULL;
+ char dom_prefix[] = "domain/";
+ int ret;
+
+ /* Get all sections in configuration */
+ cfg_sections = ini_get_section_list(config_obj, &num_cfg_sections, &ret;;
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* Check if a normal domain section (not application domains) has option
+ * inherit_from and report error if it does */
+ for (int i = 0; i < num_cfg_sections; i++) {
+ if (strncmp(dom_prefix, cfg_sections[i], strlen(dom_prefix)) == 0) {
+ ret = ini_get_config_valueobj(cfg_sections[i],
+ "inherit_from",
+ config_obj,
+ INI_GET_NEXT_VALUE,
+ &vo);
+ if (vo != NULL) {
+ ret = ini_errobj_add_msg(errobj,
+ "Attribute 'inherit_from' is not "
+ "allowed in section '%s'. Check for "
+ "typos.",
+ cfg_sections[i]);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+ }
+ }
+
+ ret = EOK;
+done:
+ ini_free_section_list(cfg_sections);
+ return EOK;
+}
+
static int sss_ini_call_validators_errobj(struct sss_ini_initdata *data,
const char *rules_path,
struct ini_errobj *errobj)
{
int ret;
struct ini_cfgobj *rules_cfgobj = NULL;
+ struct ini_validator custom_sssd = { "sssd_checks", custom_sssd_checks,
+ NULL };
+ struct ini_validator *sss_validators[] = { &custom_sssd, NULL };
ret = ini_rules_read_from_file(rules_path, &rules_cfgobj);
if (ret != EOK) {
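Review bot: `custom_sssd_checks` ends with `return EOK;` after the `done:` label, so a failure from `ini_get_section_list` or `ini_errobj_add_msg` is discarded and the caller sees a clean validator run; the last statement should be `return ret;`. Inside the loop the result of `ini_get_config_valueobj` is stored in `ret` but never examined, and `vo` is not reset between sections, so if a failed lookup leaves `vo` untouched (not visible from this hunk) a value found in an earlier section could produce a false report for a later one. Setting `vo = NULL;` before each call and jumping to `done` on `ret != EOK` would close both gaps. Since this check exists to flag a misplaced `inherit_from`, silently dropping its own errors means a configuration can pass validation without having been fully inspected. `sss_ini_call_validators_errobj` begins in this hunk and continues past its end.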
@@ -575,7 +626,7 @@ static int sss_ini_call_validators_errobj(struct sss_ini_initdata *data,
goto done;
}
- ret = ini_rules_check(rules_cfgobj, data->sssd_config, NULL, errobj);
+ ret = ini_rules_check(rules_cfgobj, data->sssd_config, sss_validators, errobj);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"ini_rules_check failed %d [%s]\n", ret, strerror(ret));
--
2.9.4