
From f68b4dae7faea871b925fd551aefd6c428200cc4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 27 Mar 2020 17:05:14 +0100
Subject: [PATCH 7/7] sysdb: sanitize certmap rule name before using it in DN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The name of a certificate mapping and matching rule might contain
characters which are not allowed in RDNs and must be escaped before it
can be used in the DN of the cached certmap object.
Resolves: https://pagure.io/SSSD/sssd/issue/3721
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 27a3c0cf354bf2e85f50d7b4650d8a22120a5691)
---
 src/db/sysdb_certmap.c                | 29 ++++++++++++++++++++++++---
 src/tests/cmocka/test_sysdb_certmap.c | 25 +++++++++++++++++++++--
 2 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/src/db/sysdb_certmap.c b/src/db/sysdb_certmap.c
index 6d83ba088..eda20f5a7 100644
--- a/src/db/sysdb_certmap.c
+++ b/src/db/sysdb_certmap.c
@@ -70,6 +70,30 @@ done:
     return ret;
 }
 
+static struct ldb_dn *sysdb_certmap_dn(TALLOC_CTX *mem_ctx,
+                                       struct sysdb_ctx *sysdb,
+                                       const char *name)
+{
+    int ret;
+    char *clean_name;
+    struct ldb_dn *dn = NULL;
+
+    ret = sysdb_dn_sanitize(mem_ctx, name, &clean_name);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "sysdb_dn_sanitize failed.\n");
+        return NULL;
+    }
+
+    dn = ldb_dn_new_fmt(mem_ctx, sysdb->ldb, SYSDB_TMPL_CERTMAP, clean_name);
+    talloc_free(clean_name);
+    if (dn == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new_fmt failed.\n");
+        return NULL;
+    }
+
+    return dn;
+}
+
 static errno_t sysdb_certmap_add(struct sysdb_ctx *sysdb,
                                  struct certmap_info *certmap)
 {
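Review bot: sysdb_certmap_dn collapses the errno_t returned by sysdb_dn_sanitize into a bare NULL, so the caller in the second hunk of this file (`ret = ENOMEM;` right after `if (msg->dn == NULL)`) reports ENOMEM for every sanitization failure, whatever its actual cause. Either give the helper an errno_t return with a `struct ldb_dn **_dn` out parameter so the original code propagates, or make the collapse explicit with a comment above the function such as `/* Returns NULL on both sanitization and DN construction failure; the caller maps this to ENOMEM. */`. It is also worth confirming that every other place in this file that builds a certmap DN from a rule name (lookup or removal paths are not visible in this hunk) goes through sysdb_certmap_dn rather than a direct ldb_dn_new_fmt with the raw name, otherwise the unescaped formatting this commit removes from sysdb_certmap_add would survive elsewhere. The `done:` label and closing brace at the top of the hunk belong to a preceding function whose start is outside the hunk.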
@@ -92,10 +116,9 @@ static errno_t sysdb_certmap_add(struct sysdb_ctx *sysdb,
         goto done;
     }
 
-    msg->dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb,
-                             SYSDB_TMPL_CERTMAP, certmap->name);
+    msg->dn = sysdb_certmap_dn(tmp_ctx, sysdb, certmap->name);
     if (msg->dn == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new_fmt failed.\n");
+        DEBUG(SSSDBG_OP_FAILURE, "sysdb_certmap_dn failed.\n");
         ret = ENOMEM;
         goto done;
     }
diff --git a/src/tests/cmocka/test_sysdb_certmap.c b/src/tests/cmocka/test_sysdb_certmap.c
index e78ea8504..57b28bd6c 100644
--- a/src/tests/cmocka/test_sysdb_certmap.c
+++ b/src/tests/cmocka/test_sysdb_certmap.c
@@ -133,12 +133,20 @@ static void test_sysdb_update_certmap(void **state)
 {
     int ret;
     const char *domains[] = { "dom1.test", "dom2.test", "dom3.test", NULL };
-    struct certmap_info map_a = { discard_const("map_a"), 11, discard_const("abc"), discard_const("def"), NULL };
-    struct certmap_info map_b = { discard_const("map_b"), UINT_MAX, discard_const("abc"), NULL, domains };
+    struct certmap_info map_a = { discard_const("map_a"), 11,
+                                  discard_const("abc"), discard_const("def"),
+                                  NULL };
+    struct certmap_info map_b = { discard_const("map_b"), UINT_MAX,
+                                  discard_const("abc"), NULL, domains };
+    struct certmap_info map_c = { discard_const("cn=map_c,dc=sssd,dc=org"),
+                                  UINT_MAX, discard_const("abc"), NULL,
+                                  domains };
+
     struct certmap_info *certmap_empty[] = { NULL };
     struct certmap_info *certmap_a[] = { &map_a, NULL };
     struct certmap_info *certmap_b[] = { &map_b, NULL };
     struct certmap_info *certmap_ab[] = { &map_a, &map_b, NULL };
+    struct certmap_info *certmap_c[] = { &map_c, NULL };
     struct certmap_info **certmap;
     struct certmap_test_ctx *ctctx = talloc_get_type(*state,
                                                      struct certmap_test_ctx);
@@ -207,6 +215,19 @@ static void test_sysdb_update_certmap(void **state)
         check_certmap(certmap[1], &map_a, 0);
     }
     talloc_free(certmap);
+
+    ret = sysdb_update_certmap(ctctx->tctx->sysdb, certmap_c, false);
+    assert_int_equal(ret, EOK);
+
+    ret = sysdb_get_certmap(ctctx, ctctx->tctx->sysdb, &certmap,
+                            &user_name_hint);
+    assert_int_equal(ret, EOK);
+    assert_false(user_name_hint);
+    assert_non_null(certmap);
+    assert_non_null(certmap[0]);
+    check_certmap(certmap[0], &map_c, 3);
+    assert_null(certmap[1]);
+    talloc_free(certmap);
 }
 
 int main(int argc, const char *argv[])
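Review bot: The new map_c case exercises only `,` and `=` in a rule name, while RDN escaping also has to handle `+`, `\`, `"`, `;`, `<`, `>`, a leading `#` and leading or trailing spaces, none of which this test covers; a second entry built from a constructed name containing those characters would pin the sanitizer against the full set. The assertions after `sysdb_update_certmap(ctctx->tctx->sysdb, certmap_c, false)` only confirm that the rule round-trips through sysdb_get_certmap; they do not check the stored object's DN, so a regression where the raw name is again formatted unescaped and parsed as a multi-component DN could still pass if check_certmap compares attributes only (its body is outside the hunk). Consider an additional assertion that the cached entry sits directly under the certmap container with a single RDN. test_sysdb_update_certmap begins in the first hunk of this file and its earlier body lies between the two hunks.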
-- 
2.21.1