From 64eb7055b640e9c92701886effc36f74fe9e709f Mon Sep 17 00:00:00 2001

From: Lukas Slebodnik <lslebodn@redhat.com>

Date: Mon, 13 Apr 2015 09:44:35 +0200

Subject: [PATCH 199/200] SDAP: Extract filtering AD group to function

Patch remove code duplication.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

(cherry picked from commit bad2fc8133d941e5a6c8d8016c9689e039265c61)

---

 Makefile.am                                   |  2 +

 src/providers/ldap/sdap_ad_groups.c           | 68 +++++++++++++++++++++++++++

 src/providers/ldap/sdap_async_groups.c        | 40 ++++++----------

 src/providers/ldap/sdap_async_nested_groups.c | 31 ++++--------

 src/providers/ldap/sdap_async_private.h       |  7 +++

 5 files changed, 101 insertions(+), 47 deletions(-)

 create mode 100644 src/providers/ldap/sdap_ad_groups.c

diff --git a/Makefile.am b/Makefile.am

index 8202659e0933529ca7911952bbf1476dbb4a76fc..f402239af2cfaf77dde1ce6ff261015f5d9bfacc 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -1858,6 +1858,7 @@ nestedgroups_tests_SOURCES = \

     src/providers/ldap/sdap_idmap.c \

     src/tests/cmocka/test_nested_groups.c \

     src/providers/ldap/sdap_async_nested_groups.c \

+    src/providers/ldap/sdap_ad_groups.c \

     $(NULL)

 nestedgroups_tests_CFLAGS = \

     $(AM_CFLAGS) \

@@ -2307,6 +2308,7 @@ libsss_ldap_common_la_SOURCES = \

     src/providers/ldap/sdap_async_connection.c \

     src/providers/ldap/sdap_async_netgroups.c \

     src/providers/ldap/sdap_async_services.c \

+    src/providers/ldap/sdap_ad_groups.c \

     src/providers/ldap/sdap_child_helpers.c \

     src/providers/ldap/sdap_fd_events.c \

     src/providers/ldap/sdap_id_op.c \

diff --git a/src/providers/ldap/sdap_ad_groups.c b/src/providers/ldap/sdap_ad_groups.c

new file mode 100644

index 0000000000000000000000000000000000000000..0e36328b9b52643a2ec698b2a41f2a56a8ff69b6

--- /dev/null

+++ b/src/providers/ldap/sdap_ad_groups.c

@@ -0,0 +1,68 @@

+/*

+    SSSD

+

+    AD groups helper routines

+

+    Authors:

+        Lukas Slebodnik <lslebodn@redhat.com>

+

+    Copyright (C) 2013 Red Hat

+

+    This program is free software; you can redistribute it and/or modify

+    it under the terms of the GNU General Public License as published by

+    the Free Software Foundation; either version 3 of the License, or

+    (at your option) any later version.

+

+    This program is distributed in the hope that it will be useful,

+    but WITHOUT ANY WARRANTY; without even the implied warranty of

+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+    GNU General Public License for more details.

+

+    You should have received a copy of the GNU General Public License

+    along with this program.  If not, see <http://www.gnu.org/licenses/>.

+*/

+

+#include "db/sysdb.h"

+#include "providers/ldap/sdap.h"

+#include "providers/ldap/sdap_async_private.h"

+

+/* ==Group-Parsing Routines=============================================== */

+

+errno_t sdap_check_ad_group_type(struct sss_domain_info *dom,

+                                 struct sdap_options *opts,

+                                 struct sysdb_attrs *group_attrs,

+                                 const char *group_name,

+                                 bool *_need_filter)

+{

+    int32_t ad_group_type;

+    errno_t ret = EOK;

+    *_need_filter = false;

+

+    if (opts->schema_type == SDAP_SCHEMA_AD) {

+        ret = sysdb_attrs_get_int32_t(group_attrs, SYSDB_GROUP_TYPE,

+                                      &ad_group_type);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed.\n");

+            return ret;

+        }

+

+        DEBUG(SSSDBG_TRACE_ALL,

+              "AD group [%s] has type flags %#x.\n",

+              group_name, ad_group_type);

+

+        /* Only security groups from AD are considered for POSIX groups.

+         * Additionally only global and universal group are taken to account

+         * for trusted domains. */

+        if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)

+            || (IS_SUBDOMAIN(dom)

+                && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)

+                      || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {

+            DEBUG(SSSDBG_TRACE_FUNC,

+                  "Filtering AD group [%s].\n", group_name);

+

+            *_need_filter = true;

+        }

+    }

+

+    return ret;

+}

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c

index 4be8c502ea77a3913ddac2a24fbacbc522b2ef6b..00a676372fa042dfc2d57e5799261f9a45ed4a73 100644

--- a/src/providers/ldap/sdap_async_groups.c

+++ b/src/providers/ldap/sdap_async_groups.c

@@ -510,10 +510,10 @@ static int sdap_save_group(TALLOC_CTX *memctx,

     TALLOC_CTX *tmpctx = NULL;

     bool posix_group;

     bool use_id_mapping;

+    bool need_filter;

     char *sid_str;

     const char *uuid;

     struct sss_domain_info *subdomain;

-    int32_t ad_group_type;

     tmpctx = talloc_new(NULL);

     if (!tmpctx) {

@@ -588,32 +588,20 @@ static int sdap_save_group(TALLOC_CTX *memctx,

     DEBUG(SSSDBG_TRACE_FUNC, "Processing group %s\n", group_name);

     posix_group = true;

-    if (opts->schema_type == SDAP_SCHEMA_AD) {

-        ret = sysdb_attrs_get_int32_t(attrs, SYSDB_GROUP_TYPE, &ad_group_type);

-        if (ret != EOK) {

-            DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed.\n");

-            goto done;

-        }

+    ret = sdap_check_ad_group_type(dom, opts, attrs, group_name,

+                                   &need_filter);

+    if (ret != EOK) {

+        goto done;

+    }

+    if (need_filter) {

+        posix_group = false;

+        gid = 0;

-        DEBUG(SSSDBG_TRACE_ALL, "AD group [%s] has type flags %#x.\n",

-                                 group_name, ad_group_type);

-        /* Only security groups from AD are considered for POSIX groups.

-         * Additionally only global and universal group are taken to account

-         * for trusted domains. */

-        if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)

-                || (IS_SUBDOMAIN(dom)

-                    && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)

-                        || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {

-            posix_group = false;

-            gid = 0;

-            DEBUG(SSSDBG_TRACE_FUNC, "Filtering AD group [%s].\n",

-                                      group_name);

-            ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false);

-            if (ret != EOK) {

-                DEBUG(SSSDBG_OP_FAILURE,

-                      "Error: Failed to mark group as non-posix!\n");

-                return ret;

-            }

+        ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE,

+                  "Error: Failed to mark group as non-posix!\n");

+            return ret;

         }

     }

diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c

index 1eba35ae8ac90acac8a2d46e8cc5f2b57e3a9256..08e199869ad16c3b19d998a2a28eae9a0dd0a371 100644

--- a/src/providers/ldap/sdap_async_nested_groups.c

+++ b/src/providers/ldap/sdap_async_nested_groups.c

@@ -240,32 +240,21 @@ sdap_nested_group_hash_group(struct sdap_nested_group_ctx *group_ctx,

 {

     struct sdap_attr_map *map = group_ctx->opts->group_map;

     gid_t gid;

-    errno_t ret = ENOENT;

-    int32_t ad_group_type;

+    errno_t ret;

     bool posix_group = true;

     bool use_id_mapping;

     bool can_find_gid;

+    bool need_filter;

-    if (group_ctx->opts->schema_type == SDAP_SCHEMA_AD) {

-        ret = sysdb_attrs_get_int32_t(group, SYSDB_GROUP_TYPE, &ad_group_type);

-        if (ret != EOK) {

-            DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed.\n");

-            return ret;

-        }

+    ret = sdap_check_ad_group_type(group_ctx->domain, group_ctx->opts,

+                                   group, "", &need_filter);

+    if (ret != EOK) {

+        return ret;

+    }

-        DEBUG(SSSDBG_TRACE_ALL, "AD group has type flags %#x.\n",

-                                 ad_group_type);

-        /* Only security groups from AD are considered for POSIX groups.

-         * Additionally only global and universal group are taken to account

-         * for trusted domains. */

-        if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)

-                || (IS_SUBDOMAIN(group_ctx->domain)

-                    && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)

-                        || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {

-            posix_group = false;

-            gid = 0;

-            DEBUG(SSSDBG_TRACE_FUNC, "Filtering AD group.\n");

-        }

+    if (need_filter) {

+        posix_group = false;

+        gid = 0;

     }

     use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(

diff --git a/src/providers/ldap/sdap_async_private.h b/src/providers/ldap/sdap_async_private.h

index 3995a2ac357c52f546696284d71d2127d0302409..db542eaf869efcd53d0937bef3fc6e99cc78b938 100644

--- a/src/providers/ldap/sdap_async_private.h

+++ b/src/providers/ldap/sdap_async_private.h

@@ -138,4 +138,11 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,

                                    char **groupnames,

                                    struct sysdb_attrs **ldap_groups,

                                    int ldap_groups_count);

+

+/* from sdap_async_nested_groups.c */

+errno_t sdap_check_ad_group_type(struct sss_domain_info *dom,

+                                 struct sdap_options *opts,

+                                 struct sysdb_attrs *group_attrs,

+                                 const char *group_name,

+                                 bool *_need_filter);

 #endif /* _SDAP_ASYNC_PRIVATE_H_ */

-- 

2.1.0