Blob Blame Raw
From 0536984f7b3e9d6e143936b0eda92b510f63d304 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 4 Aug 2015 12:15:31 -0400
Subject: [PATCH 33/39] Ticket 47810 - memberOf plugin not properly rejecting
 updates

Bug Description:  When the memberOf plugin tries to add memberOf attribute to
                  an entry during a mod-replace on a group, even though the
                  update to the user entry fails, but plugin still allows
                  the member to be added to the group.

Fix Description:  During a mod/replace check and return an error if the member
                  update fails.

https://fedorahosted.org/389/ticket/47810

Reviewed by: nhosoi(Thanks!)

(cherry picked from commit eb54f03e240402a4bd16f9cde1d66539805f56ea)
(cherry picked from commit b4b6adcec7d810c7893fd9cb888fa906b9ffa836)
---
 dirsrvtests/suites/betxns/betxn_test.py  | 64 +++++++++++++++++++++++++++++++-
 ldap/servers/plugins/memberof/memberof.c | 13 ++++---
 2 files changed, 70 insertions(+), 7 deletions(-)

diff --git a/dirsrvtests/suites/betxns/betxn_test.py b/dirsrvtests/suites/betxns/betxn_test.py
index 93c4c31..5da6e50 100644
--- a/dirsrvtests/suites/betxns/betxn_test.py
+++ b/dirsrvtests/suites/betxns/betxn_test.py
@@ -3,7 +3,7 @@
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
-# See LICENSE for details. 
+# See LICENSE for details.
 # --- END COPYRIGHT BLOCK ---
 #
 import os
@@ -174,6 +174,67 @@ def test_betxn_attr_uniqueness(topology):
     log.info('test_betxn_attr_uniqueness: PASSED')
 
 
+def test_betxn_memberof(topology):
+    ENTRY1_DN = 'cn=group1,' + DEFAULT_SUFFIX
+    ENTRY2_DN = 'cn=group2,' + DEFAULT_SUFFIX
+    PLUGIN_DN = 'cn=' + PLUGIN_MEMBER_OF + ',cn=plugins,cn=config'
+
+    # Enable and configure memberOf plugin
+    topology.standalone.plugins.enable(name=PLUGIN_MEMBER_OF)
+    try:
+        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_REPLACE, 'memberofgroupattr', 'member')])
+    except ldap.LDAPError, e:
+        log.fatal('test_betxn_memberof: Failed to update config(member): error ' + e.message['desc'])
+        assert False
+
+    # Add our test entries
+    try:
+        topology.standalone.add_s(Entry((ENTRY1_DN, {'objectclass': "top groupofnames".split(),
+                                     'cn': 'group1'})))
+    except ldap.LDAPError, e:
+        log.error('test_betxn_memberof: Failed to add group1:' +
+                  ENTRY1_DN + ', error ' + e.message['desc'])
+        assert False
+
+    try:
+        topology.standalone.add_s(Entry((ENTRY2_DN, {'objectclass': "top groupofnames".split(),
+                                     'cn': 'group1'})))
+    except ldap.LDAPError, e:
+        log.error('test_betxn_memberof: Failed to add group2:' +
+                  ENTRY2_DN + ', error ' + e.message['desc'])
+        assert False
+
+    #
+    # Test mod replace
+    #
+
+    # Add group2 to group1 - it should fail with objectclass violation
+    try:
+        topology.standalone.modify_s(ENTRY1_DN, [(ldap.MOD_REPLACE, 'member', ENTRY2_DN)])
+        log.fatal('test_betxn_memberof: Group2 was incorrectly allowed to be added to group1')
+        assert False
+    except ldap.LDAPError, e:
+        log.info('test_betxn_memberof: Group2 was correctly rejected (mod replace): error ' + e.message['desc'])
+
+    #
+    # Test mod add
+    #
+
+    # Add group2 to group1 - it should fail with objectclass violation
+    try:
+        topology.standalone.modify_s(ENTRY1_DN, [(ldap.MOD_ADD, 'member', ENTRY2_DN)])
+        log.fatal('test_betxn_memberof: Group2 was incorrectly allowed to be added to group1')
+        assert False
+    except ldap.LDAPError, e:
+        log.info('test_betxn_memberof: Group2 was correctly rejected (mod add): error ' + e.message['desc'])
+
+    #
+    # Done
+    #
+
+    log.info('test_betxn_memberof: PASSED')
+
+
 def test_betxn_final(topology):
     topology.standalone.delete()
     log.info('betxn test suite PASSED')
@@ -187,6 +248,7 @@ def run_isolated():
     test_betxn_init(topo)
     test_betxt_7bit(topo)
     test_betxn_attr_uniqueness(topo)
+    test_betxn_memberof(topo)
     test_betxn_final(topo)
 
 
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index 144285b..da52bc8 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -2373,6 +2373,7 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
 	struct slapi_entry *post_e = NULL;
 	Slapi_Attr *pre_attr = 0;
 	Slapi_Attr *post_attr = 0;
+	int rc = 0;
 	int i = 0;
 
 	slapi_pblock_get( pb, SLAPI_ENTRY_PRE_OP, &pre_e );
@@ -2449,14 +2450,14 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
 				in pre, not in post, delete from entry
 				not in pre, in post, add to entry
 			*/
-			while(pre_index < pre_total || post_index < post_total)
+			while(rc == 0 && (pre_index < pre_total || post_index < post_total))
 			{
 				if(pre_index == pre_total)
 				{
 					/* add the rest of post */
 					slapi_sdn_set_normdn_byref(sdn,
 					            slapi_value_get_string(post_array[post_index]));
-					memberof_add_one(pb, config, group_sdn, sdn);
+					rc = memberof_add_one(pb, config, group_sdn, sdn);
 
 					post_index++;
 				}
@@ -2465,7 +2466,7 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
 					/* delete the rest of pre */
 					slapi_sdn_set_normdn_byref(sdn,
 					            slapi_value_get_string(pre_array[pre_index]));
-					memberof_del_one(pb, config, group_sdn, sdn);
+					rc = memberof_del_one(pb, config, group_sdn, sdn);
 
 					pre_index++;
 				}
@@ -2482,7 +2483,7 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
 						/* delete pre array */
 						slapi_sdn_set_normdn_byref(sdn,
 					            slapi_value_get_string(pre_array[pre_index]));
-						memberof_del_one(pb, config, group_sdn, sdn);
+						rc = memberof_del_one(pb, config, group_sdn, sdn);
 
 						pre_index++;
 					}
@@ -2491,7 +2492,7 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
 						/* add post array */
 						slapi_sdn_set_normdn_byref(sdn,
 					            slapi_value_get_string(post_array[post_index]));
-						memberof_add_one(pb, config, group_sdn, sdn);
+						rc = memberof_add_one(pb, config, group_sdn, sdn);
 
 						post_index++;
 					}
@@ -2509,7 +2510,7 @@ memberof_replace_list(Slapi_PBlock *pb, MemberOfConfig *config,
 		}
 	}
 	
-	return 0;
+	return rc;
 }
 
 /* memberof_load_array()
-- 
1.9.3