From fb3f1af38edff257d603da165e0d64d12d92644e Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Sun, 16 Dec 2018 08:46:24 +0100
Subject: [PATCH] CACHE: SSSD doesn't clear cache entries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Once an object is in the cache, it is refreshed when it has expired and
is requested by the system. The object's ID is not checked before the
refresh, but the config parameters ldap_min_id/ldap_max_id can be changed
by the admin. We should check the object ID and not refresh objects that
fall outside the min/max ID interval.

Resolves:
https://pagure.io/SSSD/sssd/issue/3905

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d2adfcf54c3a37aeda675aec3ba3d174061fac1a)
---
 .../common/cache_req/cache_req_search.c       | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
index 7423feb63..873214503 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -25,6 +25,7 @@
 #include "util/util.h"
 #include "responder/common/cache_req/cache_req_private.h"
 #include "responder/common/cache_req/cache_req_plugin.h"
+#include "db/sysdb.h"
 
 static errno_t cache_req_search_ncache(struct cache_req *cr)
 {
@@ -169,6 +170,30 @@ done:
     return ret;
 }
 
+static int
+cache_req_should_be_in_cache(struct cache_req *cr,
+                             struct ldb_result *result)
+{
+    id_t id = 0;
+
+    if (result == NULL || result->count != 1) {
+        /* can't decide so keep it */
+        return EOK;
+    }
+
+    id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_UIDNUM, 0);
+    if (id && OUT_OF_ID_RANGE(id, cr->domain->id_min, cr->domain->id_max)) {
+        return ERR_ID_OUTSIDE_RANGE;
+    }
+
+    id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_GIDNUM, 0);
+    if (id && OUT_OF_ID_RANGE(id, cr->domain->id_min, cr->domain->id_max)) {
+        return ERR_ID_OUTSIDE_RANGE;
+    }
+
+    return EOK;
+}
+
 static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx,
                                       struct cache_req *cr,
                                       struct ldb_result **_result)
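Review bot: The early return on `result->count != 1` means a result holding several entries skips the range check entirely, so out-of-range objects in a multi-entry answer keep being served from the cache; the `/* can't decide so keep it */` comment should state that this is deliberate, e.g. `/* Only single-object results are range-checked; multi-entry results are returned unchanged. */`. The `0` default passed to `ldb_msg_find_attr_as_uint` also lets an object whose uidNumber/gidNumber is 0 or missing pass regardless of id_min/id_max, which deserves a one-line note next to the `if (id && ...)` tests. As a point of style, the new function returns `int` while the rest of this file (`cache_req_search_ncache`, `cache_req_search_cache`) uses `errno_t`, and its caller assigns the value to `ret` inside an `errno_t` function; `static errno_t` would match. A short header comment stating the contract — returns EOK when the object may be served from the cache and ERR_ID_OUTSIDE_RANGE when its uid or gid lies outside the domain's id_min/id_max — would help readers, since the name suggests a boolean. `cache_req_search_cache`'s signature starts at the end of this hunk and its body lies outside it.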
@@ -191,6 +216,10 @@ static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx,
         ret = ENOENT;
     }
 
+    if (ret == EOK) {
+        ret = cache_req_should_be_in_cache(cr, result);
+    }
+
     switch (ret) {
     case EOK:
         if (cr->plugin->only_one_result && result->count > 1) {
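Review bot: After the added check, `ret` can be ERR_ID_OUTSIDE_RANGE when it reaches `switch (ret)`, and only the `case EOK:` arm is visible here; whether the remaining arms (outside this hunk) treat that value as a cache miss, log it, or fall into a generic failure path decides what the caller actually sees, so the new block should carry a comment naming the outcome, e.g. `/* An object outside id_min/id_max is not served from the cache; see the switch below. */`. Nothing in this hunk removes the object from sysdb — the new code only stops serving it from this lookup — so the subject line's "clear cache entries" reads broader than what the code does, and a one-line comment saying the entry itself is left in place would avoid that confusion. The check also runs on every successful cache hit, not only on the expired-and-refreshed path the commit message describes; that is the stronger and presumably intended behaviour, but worth stating. `cache_req_search_cache` starts before this hunk and continues after it.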
-- 
2.20.1