From b2cd4a74e231611f7862a8bb39a655c5194a035a Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>

Date: Thu, 30 May 2019 12:52:33 +0200

Subject: [PATCH 41/44] sysdb: read and interpret domain's enabled attribute

Disable domain if its sysdb object has enabled=false.

Resolves:

https://pagure.io/SSSD/sssd/issue/4009

Reviewed-by: Sumit Bose <sbose@redhat.com>

(cherry picked from commit d278704d85fea74c229b67e6a63b650b0d776c88)

---

 src/db/sysdb_private.h                      |  3 ++-

 src/db/sysdb_subdomains.c                   | 29 ++++++++++++++++++---

 src/tests/cmocka/test_fqnames.c             |  2 +-

 src/tests/cmocka/test_negcache.c            |  2 +-

 src/tests/cmocka/test_nss_srv.c             |  2 +-

 src/tests/cmocka/test_responder_cache_req.c |  2 +-

 src/tests/sysdb-tests.c                     |  8 +++---

 7 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h

index 58544d826..f3d34dd6f 100644

--- a/src/db/sysdb_private.h

+++ b/src/db/sysdb_private.h

@@ -206,7 +206,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,

                                       const char *forest,

                                       const char **upn_suffixes,

                                       uint32_t trust_direction,

-                                      struct confdb_ctx *confdb);

+                                      struct confdb_ctx *confdb,

+                                      bool enabled);

 /* Helper functions to deal with the timestamp cache should not be used

  * outside the sysdb itself. The timestamp cache should be completely

diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c

index d467dfce5..cf09b424e 100644

--- a/src/db/sysdb_subdomains.c

+++ b/src/db/sysdb_subdomains.c

@@ -39,7 +39,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,

                                       const char *forest,

                                       const char **upn_suffixes,

                                       uint32_t trust_direction,

-                                      struct confdb_ctx *confdb)

+                                      struct confdb_ctx *confdb,

+                                      bool enabled)

 {

     struct sss_domain_info *dom;

     bool inherit_option;

@@ -127,7 +128,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,

     dom->enumerate = enumerate;

     dom->fqnames = true;

     dom->mpg_mode = mpg_mode;

-    dom->state = DOM_ACTIVE;

+    dom->state = enabled ? DOM_ACTIVE : DOM_DISABLED;

     /* use fully qualified names as output in order to avoid causing

      * conflicts with users who have the same name and either the

@@ -313,6 +314,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,

                            SYSDB_SUBDOMAIN_FOREST,

                            SYSDB_SUBDOMAIN_TRUST_DIRECTION,

                            SYSDB_UPN_SUFFIXES,

+                           SYSDB_ENABLED,

                            NULL};

     struct sss_domain_info *dom;

     struct ldb_dn *basedn;

@@ -322,6 +324,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,

     const char *id;

     const char *forest;

     const char *str_mpg_mode;

+    bool enabled;

     enum sss_domain_mpg_mode mpg_mode;

     bool enumerate;

     uint32_t trust_direction;

@@ -406,10 +409,14 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,

                                              SYSDB_SUBDOMAIN_TRUST_DIRECTION,

                                              0);

+        enabled = ldb_msg_find_attr_as_bool(res->msgs[i], SYSDB_ENABLED, true);

+

         for (dom = domain->subdomains; dom;

                 dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {

             if (strcasecmp(dom->name, name) == 0) {

-                sss_domain_set_state(dom, DOM_ACTIVE);

+                if (enabled) {

+                    sss_domain_set_state(dom, DOM_ACTIVE);

+                }

                 /* in theory these may change, but it should never happen */

                 if (strcasecmp(dom->realm, realm) != 0) {

@@ -522,7 +529,8 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,

         if (dom == NULL) {

             dom = new_subdomain(domain, domain, name, realm,

                                 flat, id, mpg_mode, enumerate, forest,

-                                upn_suffixes, trust_direction, confdb);

+                                upn_suffixes, trust_direction, confdb,

+                                enabled);

             if (dom == NULL) {

                 ret = ENOMEM;

                 goto done;

@@ -548,12 +556,15 @@ errno_t sysdb_master_domain_update(struct sss_domain_info *domain)

     struct ldb_message_element *tmp_el;

     struct ldb_dn *basedn;

     struct ldb_result *res;

+    enum sss_domain_state state;

+    bool enabled;

     const char *attrs[] = {"cn",

                            SYSDB_SUBDOMAIN_REALM,

                            SYSDB_SUBDOMAIN_FLAT,

                            SYSDB_SUBDOMAIN_ID,

                            SYSDB_SUBDOMAIN_FOREST,

                            SYSDB_UPN_SUFFIXES,

+                           SYSDB_ENABLED,

                            NULL};

     char *view_name = NULL;

@@ -650,6 +661,16 @@ errno_t sysdb_master_domain_update(struct sss_domain_info *domain)

         talloc_zfree(domain->upn_suffixes);

     }

+    state = sss_domain_get_state(domain);

+    enabled = ldb_msg_find_attr_as_bool(res->msgs[0], SYSDB_ENABLED, true);

+    if (!enabled) {

+        sss_domain_set_state(domain, DOM_DISABLED);

+    } else if (state == DOM_DISABLED) {

+        /* We do not want to enable INACTIVE or INCONSISTENT domain. This

+         * is managed by data provider. */

+        sss_domain_set_state(domain, DOM_ACTIVE);

+    }

+

     ret = sysdb_get_view_name(tmp_ctx, domain->sysdb, &view_name);

     if (ret != EOK && ret != ENOENT) {

         DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name failed.\n");

diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c

index 09f7db0d1..770c0d7bf 100644

--- a/src/tests/cmocka/test_fqnames.c

+++ b/src/tests/cmocka/test_fqnames.c

@@ -310,7 +310,7 @@ static int parse_name_test_setup(void **state)

      */

     test_ctx->subdom = new_subdomain(dom, dom, SUBDOMNAME, NULL, SUBFLATNAME,

                                      NULL, MPG_DISABLED, false,

-                                     NULL, NULL, 0, NULL);

+                                     NULL, NULL, 0, NULL, true);

     assert_non_null(test_ctx->subdom);

     check_leaks_push(test_ctx);

diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c

index 0a7e563e0..0876cfdaf 100644

--- a/src/tests/cmocka/test_negcache.c

+++ b/src/tests/cmocka/test_negcache.c

@@ -645,7 +645,7 @@ static void test_sss_ncache_prepopulate(void **state)

     subdomain = new_subdomain(tc, tc->dom,

                               testdom[0], testdom[1], testdom[2], testdom[3],

                               false, false, NULL, NULL, 0,

-                              tc->confdb);

+                              tc->confdb, true);

     assert_non_null(subdomain);

     ret = sysdb_subdomain_store(tc->sysdb,

diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c

index 0ae177571..95c080caf 100644

--- a/src/tests/cmocka/test_nss_srv.c

+++ b/src/tests/cmocka/test_nss_srv.c

@@ -3475,7 +3475,7 @@ static int nss_subdom_test_setup_common(void **state, bool nonfqnames)

     subdomain = new_subdomain(nss_test_ctx, nss_test_ctx->tctx->dom,

                               testdom[0], testdom[1], testdom[2], testdom[3],

                               false, false, NULL, NULL, 0,

-                              nss_test_ctx->tctx->confdb);

+                              nss_test_ctx->tctx->confdb, true);

     assert_non_null(subdomain);

     ret = sysdb_subdomain_store(nss_test_ctx->tctx->sysdb,

diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c

index 47d9aab54..9f3b49cd9 100644

--- a/src/tests/cmocka/test_responder_cache_req.c

+++ b/src/tests/cmocka/test_responder_cache_req.c

@@ -687,7 +687,7 @@ static int test_subdomain_setup(void **state)

     test_ctx->subdomain = new_subdomain(test_ctx, test_ctx->tctx->dom,

                               testdom[0], testdom[1], testdom[2], testdom[3],

                               MPG_DISABLED, false, NULL, NULL, 0,

-                              test_ctx->tctx->confdb);

+                              test_ctx->tctx->confdb, true);

     assert_non_null(test_ctx->subdomain);

     ret = sysdb_subdomain_store(test_ctx->tctx->sysdb,

diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c

index ed98fe6ce..832d60466 100644

--- a/src/tests/sysdb-tests.c

+++ b/src/tests/sysdb-tests.c

@@ -1541,7 +1541,7 @@ START_TEST (test_sysdb_get_user_attr_subdomain)

     /* Create subdomain */

     subdomain = new_subdomain(test_ctx, test_ctx->domain,

                               "test.sub", "TEST.SUB", "test", "S-3",

-                              MPG_DISABLED, false, NULL, NULL, 0, NULL);

+                              MPG_DISABLED, false, NULL, NULL, 0, NULL, true);

     fail_if(subdomain == NULL, "Failed to create new subdomain.");

     ret = sss_names_init_from_args(test_ctx,

@@ -6143,7 +6143,7 @@ START_TEST(test_sysdb_subdomain_store_user)

     subdomain = new_subdomain(test_ctx, test_ctx->domain,

                               testdom[0], testdom[1], testdom[2], testdom[3],

-                              MPG_DISABLED, false, NULL, NULL, 0, NULL);

+                              MPG_DISABLED, false, NULL, NULL, 0, NULL, true);

     fail_unless(subdomain != NULL, "Failed to create new subdomain.");

     ret = sysdb_subdomain_store(test_ctx->sysdb,

                                 testdom[0], testdom[1], testdom[2], testdom[3],

@@ -6222,7 +6222,7 @@ START_TEST(test_sysdb_subdomain_user_ops)

     subdomain = new_subdomain(test_ctx, test_ctx->domain,

                               testdom[0], testdom[1], testdom[2], testdom[3],

-                              MPG_DISABLED, false, NULL, NULL, 0, NULL);

+                              MPG_DISABLED, false, NULL, NULL, 0, NULL, true);

     fail_unless(subdomain != NULL, "Failed to create new subdomain.");

     ret = sysdb_subdomain_store(test_ctx->sysdb,

                                 testdom[0], testdom[1], testdom[2], testdom[3],

@@ -6295,7 +6295,7 @@ START_TEST(test_sysdb_subdomain_group_ops)

     subdomain = new_subdomain(test_ctx, test_ctx->domain,

                               testdom[0], testdom[1], testdom[2], testdom[3],

-                              MPG_DISABLED, false, NULL, NULL, 0, NULL);

+                              MPG_DISABLED, false, NULL, NULL, 0, NULL, true);

     fail_unless(subdomain != NULL, "Failed to create new subdomain.");

     ret = sysdb_subdomain_store(test_ctx->sysdb,

                                 testdom[0], testdom[1], testdom[2], testdom[3],

-- 

2.20.1