From 56d509ad3001101f04c4af050c3da7472032e4cb Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 9 Oct 2020 15:26:39 +0200

Subject: [PATCH 53/53] negcache: do not use default_domain_suffix

When splitting the names from the filter_users and filter_groups options

do not use the default_domain_suffix because it will hide that the

original name is a short name and should be added everywhere.

Additionally this patch fixes a typo where sss_parse_name() was used

instead of sss_parse_name_for_domains().

Resolves: https://github.com/SSSD/sssd/issues/5238

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

(cherry picked from commit fa4b46e7de7297da3c0e37913eab8cba7f103629)

---

 src/responder/common/negcache.c  | 29 +++++++++++++++--------------

 src/tests/cmocka/test_negcache.c | 22 ++++++++++++++++++++--

 2 files changed, 35 insertions(+), 16 deletions(-)

diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c

index 47fbb2106..ff05aaea5 100644

--- a/src/responder/common/negcache.c

+++ b/src/responder/common/negcache.c

@@ -998,13 +998,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,

         for (i = 0; (filter_list && filter_list[i]); i++) {

             ret = sss_parse_name_for_domains(tmpctx, domain_list,

-                                             rctx->default_domain,

+                                             NULL,

                                              filter_list[i],

                                              &domainname, &name);

             if (ret == EAGAIN) {

                 DEBUG(SSSDBG_MINOR_FAILURE,

-                      "cannot add [%s] to negcache because the required or "

-                      "default domain are not known yet\n", filter_list[i]);

+                      "Can add [%s] only as UPN to negcache because the "

+                      "required domain is not known yet\n", filter_list[i]);

             } else if (ret != EOK) {

                 DEBUG(SSSDBG_CRIT_FAILURE,

                       "Invalid name in filterUsers list: [%s] (%d)\n",

@@ -1064,12 +1064,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,

     for (i = 0; (filter_list && filter_list[i]); i++) {

         ret = sss_parse_name_for_domains(tmpctx, domain_list,

-                                         rctx->default_domain, filter_list[i],

+                                         NULL, filter_list[i],

                                          &domainname, &name);

         if (ret == EAGAIN) {

             DEBUG(SSSDBG_MINOR_FAILURE,

-                  "Cannot add [%s] to negcache because the required or "

-                  "default domain are not known yet\n", filter_list[i]);

+                  "Can add [%s] only as UPN to negcache because the "

+                  "required domain is not known yet\n", filter_list[i]);

         } else if (ret != EOK) {

             DEBUG(SSSDBG_CRIT_FAILURE,

                   "Invalid name in filterUsers list: [%s] (%d)\n",

@@ -1156,9 +1156,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,

         if (ret != EOK) goto done;

         for (i = 0; (filter_list && filter_list[i]); i++) {

-            ret = sss_parse_name(tmpctx, dom->names, filter_list[i],

-                                 &domainname, &name);

+            ret = sss_parse_name_for_domains(tmpctx, domain_list,

+                                             NULL, filter_list[i],

+                                             &domainname, &name);

             if (ret != EOK) {

+                /* Groups do not have UPNs, so domain names, if present,

+                 * must be known */

                 DEBUG(SSSDBG_CRIT_FAILURE,

                       "Invalid name in filterGroups list: [%s] (%d)\n",

                          filter_list[i], ret);

@@ -1205,13 +1208,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,

     for (i = 0; (filter_list && filter_list[i]); i++) {

         ret = sss_parse_name_for_domains(tmpctx, domain_list,

-                                         rctx->default_domain, filter_list[i],

+                                         NULL, filter_list[i],

                                          &domainname, &name);

-        if (ret == EAGAIN) {

-            DEBUG(SSSDBG_MINOR_FAILURE,

-                  "Cannot add [%s] to negcache because the required or "

-                  "default domain are not known yet\n", filter_list[i]);

-        } else if (ret != EOK) {

+        if (ret != EOK) {

+            /* Groups do not have UPNs, so domain names, if present,

+             * must be known */

             DEBUG(SSSDBG_CRIT_FAILURE,

                   "Invalid name in filterGroups list: [%s] (%d)\n",

                      filter_list[i], ret);

diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c

index 7a8827685..f8cbbc1fe 100644

--- a/src/tests/cmocka/test_negcache.c

+++ b/src/tests/cmocka/test_negcache.c

@@ -916,7 +916,9 @@ static void test_sss_ncache_reset_prepopulate(void **state)

  *

  * The result should of course be independent of the present domains. To

  * verify this the domains are added one after the other and the negative

- * cache is repopulated each time.

+ * cache is repopulated each time. The result should be also independent of

+ * the setting of default_domain_suffix option which is tested by

+ * test_sss_ncache_short_name_in_domain_with_prefix.

  *

  * With the given domains, users and group we have to following expectations:

  *  - the short name entry will be added to the domain and all sub-domains as

@@ -1064,7 +1066,8 @@ static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,

     assert_int_equal(ret, ENOENT);

 }

-static void test_sss_ncache_short_name_in_domain(void **state)

+static void run_sss_ncache_short_name_in_domain(void **state,

+                                                bool use_default_domain_prefix)

 {

     int ret;

     struct test_state *ts;

@@ -1114,6 +1117,9 @@ static void test_sss_ncache_short_name_in_domain(void **state)

     ncache = ts->ctx;

     ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);

     assert_non_null(ts->rctx);

+    if (use_default_domain_prefix) {

+        ts->rctx->default_domain = discard_const(TEST_DOM_NAME);

+    }

     ts->rctx->cdb = tc->confdb;

     ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);

@@ -1156,6 +1162,16 @@ static void test_sss_ncache_short_name_in_domain(void **state)

     expect_no_entries_in_dom(ncache, dom2);

 }

+static void test_sss_ncache_short_name_in_domain(void **state)

+{

+    run_sss_ncache_short_name_in_domain(state, false);

+}

+

+static void test_sss_ncache_short_name_in_domain_with_prefix(void **state)

+{

+    run_sss_ncache_short_name_in_domain(state, true);

+}

+

 static void test_sss_ncache_reset(void **state)

 {

     errno_t ret;

@@ -1320,6 +1336,8 @@ int main(void)

                                         setup, teardown),

         cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,

                                         setup, teardown),

+        cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain_with_prefix,

+                                        setup, teardown),

         cmocka_unit_test_setup_teardown(test_sss_ncache_reset,

                                         setup, teardown),

         cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,

-- 

2.21.3