From 64eb7055b640e9c92701886effc36f74fe9e709f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 13 Apr 2015 09:44:35 +0200
Subject: [PATCH 199/200] SDAP: Extract filtering AD group to function
Patch remove code duplication.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit bad2fc8133d941e5a6c8d8016c9689e039265c61)
---
Makefile.am | 2 +
src/providers/ldap/sdap_ad_groups.c | 68 +++++++++++++++++++++++++++
src/providers/ldap/sdap_async_groups.c | 40 ++++++----------
src/providers/ldap/sdap_async_nested_groups.c | 31 ++++--------
src/providers/ldap/sdap_async_private.h | 7 +++
5 files changed, 101 insertions(+), 47 deletions(-)
create mode 100644 src/providers/ldap/sdap_ad_groups.c
diff --git a/Makefile.am b/Makefile.am
index 8202659e0933529ca7911952bbf1476dbb4a76fc..f402239af2cfaf77dde1ce6ff261015f5d9bfacc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1858,6 +1858,7 @@ nestedgroups_tests_SOURCES = \
src/providers/ldap/sdap_idmap.c \
src/tests/cmocka/test_nested_groups.c \
src/providers/ldap/sdap_async_nested_groups.c \
+ src/providers/ldap/sdap_ad_groups.c \
$(NULL)
nestedgroups_tests_CFLAGS = \
$(AM_CFLAGS) \
@@ -2307,6 +2308,7 @@ libsss_ldap_common_la_SOURCES = \
src/providers/ldap/sdap_async_connection.c \
src/providers/ldap/sdap_async_netgroups.c \
src/providers/ldap/sdap_async_services.c \
+ src/providers/ldap/sdap_ad_groups.c \
src/providers/ldap/sdap_child_helpers.c \
src/providers/ldap/sdap_fd_events.c \
src/providers/ldap/sdap_id_op.c \
diff --git a/src/providers/ldap/sdap_ad_groups.c b/src/providers/ldap/sdap_ad_groups.c
new file mode 100644
index 0000000000000000000000000000000000000000..0e36328b9b52643a2ec698b2a41f2a56a8ff69b6
--- /dev/null
+++ b/src/providers/ldap/sdap_ad_groups.c
@@ -0,0 +1,68 @@
+/*
+ SSSD
+
+ AD groups helper routines
+
+ Authors:
+ Lukas Slebodnik <lslebodn@redhat.com>
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "db/sysdb.h"
+#include "providers/ldap/sdap.h"
+#include "providers/ldap/sdap_async_private.h"
+
+/* ==Group-Parsing Routines=============================================== */
+
+errno_t sdap_check_ad_group_type(struct sss_domain_info *dom,
+ struct sdap_options *opts,
+ struct sysdb_attrs *group_attrs,
+ const char *group_name,
+ bool *_need_filter)
+{
+ int32_t ad_group_type;
+ errno_t ret = EOK;
+ *_need_filter = false;
+
+ if (opts->schema_type == SDAP_SCHEMA_AD) {
+ ret = sysdb_attrs_get_int32_t(group_attrs, SYSDB_GROUP_TYPE,
+ &ad_group_type);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed.\n");
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "AD group [%s] has type flags %#x.\n",
+ group_name, ad_group_type);
+
+ /* Only security groups from AD are considered for POSIX groups.
+ * Additionally only global and universal group are taken to account
+ * for trusted domains. */
+ if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
+ || (IS_SUBDOMAIN(dom)
+ && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
+ || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Filtering AD group [%s].\n", group_name);
+
+ *_need_filter = true;
+ }
+ }
+
+ return ret;
+}
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 4be8c502ea77a3913ddac2a24fbacbc522b2ef6b..00a676372fa042dfc2d57e5799261f9a45ed4a73 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -510,10 +510,10 @@ static int sdap_save_group(TALLOC_CTX *memctx,
TALLOC_CTX *tmpctx = NULL;
bool posix_group;
bool use_id_mapping;
+ bool need_filter;
char *sid_str;
const char *uuid;
struct sss_domain_info *subdomain;
- int32_t ad_group_type;
tmpctx = talloc_new(NULL);
if (!tmpctx) {
@@ -588,32 +588,20 @@ static int sdap_save_group(TALLOC_CTX *memctx,
DEBUG(SSSDBG_TRACE_FUNC, "Processing group %s\n", group_name);
posix_group = true;
- if (opts->schema_type == SDAP_SCHEMA_AD) {
- ret = sysdb_attrs_get_int32_t(attrs, SYSDB_GROUP_TYPE, &ad_group_type);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed.\n");
- goto done;
- }
+ ret = sdap_check_ad_group_type(dom, opts, attrs, group_name,
+ &need_filter);
+ if (ret != EOK) {
+ goto done;
+ }
+ if (need_filter) {
+ posix_group = false;
+ gid = 0;
- DEBUG(SSSDBG_TRACE_ALL, "AD group [%s] has type flags %#x.\n",
- group_name, ad_group_type);
- /* Only security groups from AD are considered for POSIX groups.
- * Additionally only global and universal group are taken to account
- * for trusted domains. */
- if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
- || (IS_SUBDOMAIN(dom)
- && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
- || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
- posix_group = false;
- gid = 0;
- DEBUG(SSSDBG_TRACE_FUNC, "Filtering AD group [%s].\n",
- group_name);
- ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Error: Failed to mark group as non-posix!\n");
- return ret;
- }
+ ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Error: Failed to mark group as non-posix!\n");
+ return ret;
}
}
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index 1eba35ae8ac90acac8a2d46e8cc5f2b57e3a9256..08e199869ad16c3b19d998a2a28eae9a0dd0a371 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -240,32 +240,21 @@ sdap_nested_group_hash_group(struct sdap_nested_group_ctx *group_ctx,
{
struct sdap_attr_map *map = group_ctx->opts->group_map;
gid_t gid;
- errno_t ret = ENOENT;
- int32_t ad_group_type;
+ errno_t ret;
bool posix_group = true;
bool use_id_mapping;
bool can_find_gid;
+ bool need_filter;
- if (group_ctx->opts->schema_type == SDAP_SCHEMA_AD) {
- ret = sysdb_attrs_get_int32_t(group, SYSDB_GROUP_TYPE, &ad_group_type);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed.\n");
- return ret;
- }
+ ret = sdap_check_ad_group_type(group_ctx->domain, group_ctx->opts,
+ group, "", &need_filter);
+ if (ret != EOK) {
+ return ret;
+ }
- DEBUG(SSSDBG_TRACE_ALL, "AD group has type flags %#x.\n",
- ad_group_type);
- /* Only security groups from AD are considered for POSIX groups.
- * Additionally only global and universal group are taken to account
- * for trusted domains. */
- if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
- || (IS_SUBDOMAIN(group_ctx->domain)
- && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
- || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
- posix_group = false;
- gid = 0;
- DEBUG(SSSDBG_TRACE_FUNC, "Filtering AD group.\n");
- }
+ if (need_filter) {
+ posix_group = false;
+ gid = 0;
}
use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
diff --git a/src/providers/ldap/sdap_async_private.h b/src/providers/ldap/sdap_async_private.h
index 3995a2ac357c52f546696284d71d2127d0302409..db542eaf869efcd53d0937bef3fc6e99cc78b938 100644
--- a/src/providers/ldap/sdap_async_private.h
+++ b/src/providers/ldap/sdap_async_private.h
@@ -138,4 +138,11 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
char **groupnames,
struct sysdb_attrs **ldap_groups,
int ldap_groups_count);
+
+/* from sdap_async_nested_groups.c */
+errno_t sdap_check_ad_group_type(struct sss_domain_info *dom,
+ struct sdap_options *opts,
+ struct sysdb_attrs *group_attrs,
+ const char *group_name,
+ bool *_need_filter);
#endif /* _SDAP_ASYNC_PRIVATE_H_ */
--
2.1.0