From b2cd4a74e231611f7862a8bb39a655c5194a035a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 30 May 2019 12:52:33 +0200
Subject: [PATCH 41/44] sysdb: read and interpret domain's enabled attribute
Disable domain if its sysdb object has enabled=false.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit d278704d85fea74c229b67e6a63b650b0d776c88)
---
src/db/sysdb_private.h | 3 ++-
src/db/sysdb_subdomains.c | 29 ++++++++++++++++++---
src/tests/cmocka/test_fqnames.c | 2 +-
src/tests/cmocka/test_negcache.c | 2 +-
src/tests/cmocka/test_nss_srv.c | 2 +-
src/tests/cmocka/test_responder_cache_req.c | 2 +-
src/tests/sysdb-tests.c | 8 +++---
7 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
index 58544d826..f3d34dd6f 100644
--- a/src/db/sysdb_private.h
+++ b/src/db/sysdb_private.h
@@ -206,7 +206,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
const char *forest,
const char **upn_suffixes,
uint32_t trust_direction,
- struct confdb_ctx *confdb);
+ struct confdb_ctx *confdb,
+ bool enabled);
/* Helper functions to deal with the timestamp cache should not be used
* outside the sysdb itself. The timestamp cache should be completely
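Review bot: The new `enabled` parameter of new_subdomain() is undeclared in meaning here, and the name alone does not say what it controls; per the matching hunk in sysdb_subdomains.c it selects the initial state of the new subdomain, DOM_ACTIVE or DOM_DISABLED. Since this prototype is the only place callers see the contract, add a short comment above it, e.g. `/* enabled == false creates the subdomain already in DOM_DISABLED state (sysdb object carries enabled=false) */`.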
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index d467dfce5..cf09b424e 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -39,7 +39,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
const char *forest,
const char **upn_suffixes,
uint32_t trust_direction,
- struct confdb_ctx *confdb)
+ struct confdb_ctx *confdb,
+ bool enabled)
{
struct sss_domain_info *dom;
bool inherit_option;
@@ -127,7 +128,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->enumerate = enumerate;
dom->fqnames = true;
dom->mpg_mode = mpg_mode;
- dom->state = DOM_ACTIVE;
+ dom->state = enabled ? DOM_ACTIVE : DOM_DISABLED;
/* use fully qualified names as output in order to avoid causing
* conflicts with users who have the same name and either the
@@ -313,6 +314,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
SYSDB_SUBDOMAIN_FOREST,
SYSDB_SUBDOMAIN_TRUST_DIRECTION,
SYSDB_UPN_SUFFIXES,
+ SYSDB_ENABLED,
NULL};
struct sss_domain_info *dom;
struct ldb_dn *basedn;
@@ -322,6 +324,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
const char *id;
const char *forest;
const char *str_mpg_mode;
+ bool enabled;
enum sss_domain_mpg_mode mpg_mode;
bool enumerate;
uint32_t trust_direction;
@@ -406,10 +409,14 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
SYSDB_SUBDOMAIN_TRUST_DIRECTION,
0);
+ enabled = ldb_msg_find_attr_as_bool(res->msgs[i], SYSDB_ENABLED, true);
+
for (dom = domain->subdomains; dom;
dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {
if (strcasecmp(dom->name, name) == 0) {
- sss_domain_set_state(dom, DOM_ACTIVE);
+ if (enabled) {
+ sss_domain_set_state(dom, DOM_ACTIVE);
+ }
/* in theory these may change, but it should never happen */
if (strcasecmp(dom->realm, realm) != 0) {
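Review bot: For a subdomain that already exists in `domain->subdomains`, the loop only ever raises the state — `if (enabled) sss_domain_set_state(dom, DOM_ACTIVE);` has no `else`, unlike the master-domain path in this same patch, which explicitly sets DOM_DISABLED. If sysdb_update_subdomains() marks every subdomain DOM_DISABLED before this search (that part of the function lies outside the hunk), the one-sided update is correct but relies on an invariant a reader cannot see here, so say so: `/* All subdomains were set DOM_DISABLED above; only those still enabled in sysdb are re-activated here. */`. If no such pre-pass exists, an explicit `else { sss_domain_set_state(dom, DOM_DISABLED); }` is required, or a trust disabled in sysdb stays usable until the next restart. Note also that the default `true` passed to ldb_msg_find_attr_as_bool() fails open: a missing attribute is fine for pre-existing objects, but if ldb also returns the default for a value that is not a recognised boolean (as I recall its contract), a malformed `enabled` silently enables the domain, which deserves at least a DEBUG message.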
@@ -522,7 +529,8 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
if (dom == NULL) {
dom = new_subdomain(domain, domain, name, realm,
flat, id, mpg_mode, enumerate, forest,
- upn_suffixes, trust_direction, confdb);
+ upn_suffixes, trust_direction, confdb,
+ enabled);
if (dom == NULL) {
ret = ENOMEM;
goto done;
@@ -548,12 +556,15 @@ errno_t sysdb_master_domain_update(struct sss_domain_info *domain)
struct ldb_message_element *tmp_el;
struct ldb_dn *basedn;
struct ldb_result *res;
+ enum sss_domain_state state;
+ bool enabled;
const char *attrs[] = {"cn",
SYSDB_SUBDOMAIN_REALM,
SYSDB_SUBDOMAIN_FLAT,
SYSDB_SUBDOMAIN_ID,
SYSDB_SUBDOMAIN_FOREST,
SYSDB_UPN_SUFFIXES,
+ SYSDB_ENABLED,
NULL};
char *view_name = NULL;
@@ -650,6 +661,16 @@ errno_t sysdb_master_domain_update(struct sss_domain_info *domain)
talloc_zfree(domain->upn_suffixes);
}
+ state = sss_domain_get_state(domain);
+ enabled = ldb_msg_find_attr_as_bool(res->msgs[0], SYSDB_ENABLED, true);
+ if (!enabled) {
+ sss_domain_set_state(domain, DOM_DISABLED);
+ } else if (state == DOM_DISABLED) {
+ /* We do not want to enable INACTIVE or INCONSISTENT domain. This
+ * is managed by data provider. */
+ sss_domain_set_state(domain, DOM_ACTIVE);
+ }
+
ret = sysdb_get_view_name(tmp_ctx, domain->sysdb, &view_name);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name failed.\n");
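Review bot: The `!enabled` branch overwrites whatever state the data provider had set (DOM_INACTIVE or DOM_INCONSISTENT) with DOM_DISABLED, and the re-enable branch then promotes straight to DOM_ACTIVE, so a provider-side inactive state is lost across a disable/enable cycle in sysdb; that may be acceptable, but the existing comment only explains the enable direction, so extend it: `/* Disabling always wins; re-enabling only lifts DOM_DISABLED, never INACTIVE/INCONSISTENT, which the data provider owns. */`. Consider also `sss_domain_get_state(domain) == DOM_DISABLED` inline instead of the `state` local read two lines earlier, since nothing else uses it. As in the subdomain path, an absent SYSDB_ENABLED attribute is treated as enabled, which is the right backward-compatible default for objects written before this attribute existed but should be stated next to the `true` default.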
diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
index 09f7db0d1..770c0d7bf 100644
--- a/src/tests/cmocka/test_fqnames.c
+++ b/src/tests/cmocka/test_fqnames.c
@@ -310,7 +310,7 @@ static int parse_name_test_setup(void **state)
*/
test_ctx->subdom = new_subdomain(dom, dom, SUBDOMNAME, NULL, SUBFLATNAME,
NULL, MPG_DISABLED, false,
- NULL, NULL, 0, NULL);
+ NULL, NULL, 0, NULL, true);
assert_non_null(test_ctx->subdom);
check_leaks_push(test_ctx);
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index 0a7e563e0..0876cfdaf 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -645,7 +645,7 @@ static void test_sss_ncache_prepopulate(void **state)
subdomain = new_subdomain(tc, tc->dom,
testdom[0], testdom[1], testdom[2], testdom[3],
false, false, NULL, NULL, 0,
- tc->confdb);
+ tc->confdb, true);
assert_non_null(subdomain);
ret = sysdb_subdomain_store(tc->sysdb,
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 0ae177571..95c080caf 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -3475,7 +3475,7 @@ static int nss_subdom_test_setup_common(void **state, bool nonfqnames)
subdomain = new_subdomain(nss_test_ctx, nss_test_ctx->tctx->dom,
testdom[0], testdom[1], testdom[2], testdom[3],
false, false, NULL, NULL, 0,
- nss_test_ctx->tctx->confdb);
+ nss_test_ctx->tctx->confdb, true);
assert_non_null(subdomain);
ret = sysdb_subdomain_store(nss_test_ctx->tctx->sysdb,
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 47d9aab54..9f3b49cd9 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -687,7 +687,7 @@ static int test_subdomain_setup(void **state)
test_ctx->subdomain = new_subdomain(test_ctx, test_ctx->tctx->dom,
testdom[0], testdom[1], testdom[2], testdom[3],
MPG_DISABLED, false, NULL, NULL, 0,
- test_ctx->tctx->confdb);
+ test_ctx->tctx->confdb, true);
assert_non_null(test_ctx->subdomain);
ret = sysdb_subdomain_store(test_ctx->tctx->sysdb,
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index ed98fe6ce..832d60466 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1541,7 +1541,7 @@ START_TEST (test_sysdb_get_user_attr_subdomain)
/* Create subdomain */
subdomain = new_subdomain(test_ctx, test_ctx->domain,
"test.sub", "TEST.SUB", "test", "S-3",
- MPG_DISABLED, false, NULL, NULL, 0, NULL);
+ MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
fail_if(subdomain == NULL, "Failed to create new subdomain.");
ret = sss_names_init_from_args(test_ctx,
@@ -6143,7 +6143,7 @@ START_TEST(test_sysdb_subdomain_store_user)
subdomain = new_subdomain(test_ctx, test_ctx->domain,
testdom[0], testdom[1], testdom[2], testdom[3],
- MPG_DISABLED, false, NULL, NULL, 0, NULL);
+ MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
fail_unless(subdomain != NULL, "Failed to create new subdomain.");
ret = sysdb_subdomain_store(test_ctx->sysdb,
testdom[0], testdom[1], testdom[2], testdom[3],
@@ -6222,7 +6222,7 @@ START_TEST(test_sysdb_subdomain_user_ops)
subdomain = new_subdomain(test_ctx, test_ctx->domain,
testdom[0], testdom[1], testdom[2], testdom[3],
- MPG_DISABLED, false, NULL, NULL, 0, NULL);
+ MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
fail_unless(subdomain != NULL, "Failed to create new subdomain.");
ret = sysdb_subdomain_store(test_ctx->sysdb,
testdom[0], testdom[1], testdom[2], testdom[3],
@@ -6295,7 +6295,7 @@ START_TEST(test_sysdb_subdomain_group_ops)
subdomain = new_subdomain(test_ctx, test_ctx->domain,
testdom[0], testdom[1], testdom[2], testdom[3],
- MPG_DISABLED, false, NULL, NULL, 0, NULL);
+ MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
fail_unless(subdomain != NULL, "Failed to create new subdomain.");
ret = sysdb_subdomain_store(test_ctx->sysdb,
testdom[0], testdom[1], testdom[2], testdom[3],
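Review bot: Every caller touched by this patch passes `true` for the new parameter, so none of the updated tests exercises the `enabled == false` branch of new_subdomain(), nor the SYSDB_ENABLED reads added to sysdb_update_subdomains() and sysdb_master_domain_update(). A test that sets enabled=false on a stored subdomain object, calls sysdb_update_subdomains() and checks `sss_domain_get_state(subdomain) == DOM_DISABLED`, then flips it back and expects DOM_ACTIVE, would pin the new behaviour; sysdb_subdomain_store() as called here takes no enabled argument, so if this series does not add one, a direct ldb modify of the subdomain object in the test would do.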
--
2.20.1