From b2cd4a74e231611f7862a8bb39a655c5194a035a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Thu, 30 May 2019 12:52:33 +0200 Subject: [PATCH 41/44] sysdb: read and interpret domain's enabled attribute Disable domain if its sysdb object has enabled=false. Resolves: https://pagure.io/SSSD/sssd/issue/4009 Reviewed-by: Sumit Bose (cherry picked from commit d278704d85fea74c229b67e6a63b650b0d776c88) --- src/db/sysdb_private.h | 3 ++- src/db/sysdb_subdomains.c | 29 ++++++++++++++++++--- src/tests/cmocka/test_fqnames.c | 2 +- src/tests/cmocka/test_negcache.c | 2 +- src/tests/cmocka/test_nss_srv.c | 2 +- src/tests/cmocka/test_responder_cache_req.c | 2 +- src/tests/sysdb-tests.c | 8 +++--- 7 files changed, 35 insertions(+), 13 deletions(-) diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h index 58544d826..f3d34dd6f 100644 --- a/src/db/sysdb_private.h +++ b/src/db/sysdb_private.h @@ -206,7 +206,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, const char *forest, const char **upn_suffixes, uint32_t trust_direction, - struct confdb_ctx *confdb); + struct confdb_ctx *confdb, + bool enabled); /* Helper functions to deal with the timestamp cache should not be used * outside the sysdb itself. The timestamp cache should be completely diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index d467dfce5..cf09b424e 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c @@ -39,7 +39,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, const char *forest, const char **upn_suffixes, uint32_t trust_direction, - struct confdb_ctx *confdb) + struct confdb_ctx *confdb, + bool enabled) { struct sss_domain_info *dom; bool inherit_option; 
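Review bot: The new `bool enabled` parameter of new_subdomain() is undocumented in the header; its meaning is only discoverable from the sysdb_subdomains.c hunk where it selects `DOM_ACTIVE` or `DOM_DISABLED` for the freshly created domain's state. I would put a short comment on the declaration, e.g. `/* enabled == false creates the subdomain in DOM_DISABLED state */`, so callers outside sysdb (the test call sites in this series pass a bare `true`) know what they are opting into. The prototype begins before this hunk.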
@@ -127,7 +128,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, dom->enumerate = enumerate; dom->fqnames = true; dom->mpg_mode = mpg_mode; - dom->state = DOM_ACTIVE; + dom->state = enabled ? DOM_ACTIVE : DOM_DISABLED; /* use fully qualified names as output in order to avoid causing * conflicts with users who have the same name and either the @@ -313,6 +314,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain, SYSDB_SUBDOMAIN_FOREST, SYSDB_SUBDOMAIN_TRUST_DIRECTION, SYSDB_UPN_SUFFIXES, + SYSDB_ENABLED, NULL}; struct sss_domain_info *dom; struct ldb_dn *basedn; @@ -322,6 +324,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain, const char *id; const char *forest; const char *str_mpg_mode; + bool enabled; enum sss_domain_mpg_mode mpg_mode; bool enumerate; uint32_t trust_direction; @@ -406,10 +409,14 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain, SYSDB_SUBDOMAIN_TRUST_DIRECTION, 0); + enabled = ldb_msg_find_attr_as_bool(res->msgs[i], SYSDB_ENABLED, true); + for (dom = domain->subdomains; dom; dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) { if (strcasecmp(dom->name, name) == 0) { - sss_domain_set_state(dom, DOM_ACTIVE); + if (enabled) { + sss_domain_set_state(dom, DOM_ACTIVE); + } /* in theory these may change, but it should never happen */ if (strcasecmp(dom->realm, realm) != 0) { @@ -522,7 +529,8 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain, if (dom == NULL) { dom = new_subdomain(domain, domain, name, realm, flat, id, mpg_mode, enumerate, forest, - upn_suffixes, trust_direction, confdb); + upn_suffixes, trust_direction, confdb, + enabled); if (dom == NULL) { ret = ENOMEM; goto done; 
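Review bot: In the `if (strcasecmp(dom->name, name) == 0)` branch an already-known subdomain is only ever promoted: `if (enabled) { sss_domain_set_state(dom, DOM_ACTIVE); }` has no else, so a subdomain whose sysdb object later gets `enabled=false` keeps whatever state it had (normally DOM_ACTIVE) and is never disabled, whereas a newly discovered subdomain with the same attribute is created DOM_DISABLED through new_subdomain(). Unless a later patch in this series covers that transition, the symmetric handling used for the master domain belongs here as well: `} else { sss_domain_set_state(dom, DOM_DISABLED); }`. The `true` default handed to ldb_msg_find_attr_as_bool() means a missing attribute keeps the old unconditional DOM_ACTIVE behaviour, which looks intentional for entries written before SYSDB_ENABLED existed, and a one-line comment saying so would spare the next reader the archaeology. sysdb_update_subdomains() continues on both sides of this hunk.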
@@ -548,12 +556,15 @@ errno_t sysdb_master_domain_update(struct sss_domain_info *domain) struct ldb_message_element *tmp_el; struct ldb_dn *basedn; struct ldb_result *res; + enum sss_domain_state state; + bool enabled; const char *attrs[] = {"cn", SYSDB_SUBDOMAIN_REALM, SYSDB_SUBDOMAIN_FLAT, SYSDB_SUBDOMAIN_ID, SYSDB_SUBDOMAIN_FOREST, SYSDB_UPN_SUFFIXES, + SYSDB_ENABLED, NULL}; char *view_name = NULL; @@ -650,6 +661,16 @@ errno_t sysdb_master_domain_update(struct sss_domain_info *domain) talloc_zfree(domain->upn_suffixes); } + state = sss_domain_get_state(domain); + enabled = ldb_msg_find_attr_as_bool(res->msgs[0], SYSDB_ENABLED, true); + if (!enabled) { + sss_domain_set_state(domain, DOM_DISABLED); + } else if (state == DOM_DISABLED) { + /* We do not want to enable INACTIVE or INCONSISTENT domain. This + * is managed by data provider. */ + sss_domain_set_state(domain, DOM_ACTIVE); + } + ret = sysdb_get_view_name(tmp_ctx, domain->sysdb, &view_name); if (ret != EOK && ret != ENOENT) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name failed.\n"); diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c index 09f7db0d1..770c0d7bf 100644 --- a/src/tests/cmocka/test_fqnames.c +++ b/src/tests/cmocka/test_fqnames.c @@ -310,7 +310,7 @@ static int parse_name_test_setup(void **state) */ test_ctx->subdom = new_subdomain(dom, dom, SUBDOMNAME, NULL, SUBFLATNAME, NULL, MPG_DISABLED, false, - NULL, NULL, 0, NULL); + NULL, NULL, 0, NULL, true); assert_non_null(test_ctx->subdom); check_leaks_push(test_ctx); diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c index 0a7e563e0..0876cfdaf 100644 --- a/src/tests/cmocka/test_negcache.c +++ b/src/tests/cmocka/test_negcache.c 
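Review bot: The `true` default passed to ldb_msg_find_attr_as_bool() is the security-relevant choice in this block: a master domain whose sysdb object carries no SYSDB_ENABLED attribute — and, if ldb keeps its usual semantics for values other than TRUE/FALSE, one with a garbled value — stays enabled, so the attribute can only restrict and a missing value fails open. That is presumably deliberate for databases that predate the attribute, but it deserves a comment on the call, e.g. `/* Absent attribute means enabled, for sysdb entries predating SYSDB_ENABLED. */`. I would also make the existing comment say what the condition does rather than what it avoids: `/* Only re-enable a domain that was disabled here; INACTIVE and INCONSISTENT are owned by the data provider and must not be touched. */`. sysdb_master_domain_update() starts and ends outside this hunk.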
@@ -645,7 +645,7 @@ static void test_sss_ncache_prepopulate(void **state) subdomain = new_subdomain(tc, tc->dom, testdom[0], testdom[1], testdom[2], testdom[3], false, false, NULL, NULL, 0, - tc->confdb); + tc->confdb, true); assert_non_null(subdomain); ret = sysdb_subdomain_store(tc->sysdb, diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c index 0ae177571..95c080caf 100644 --- a/src/tests/cmocka/test_nss_srv.c +++ b/src/tests/cmocka/test_nss_srv.c @@ -3475,7 +3475,7 @@ static int nss_subdom_test_setup_common(void **state, bool nonfqnames) subdomain = new_subdomain(nss_test_ctx, nss_test_ctx->tctx->dom, testdom[0], testdom[1], testdom[2], testdom[3], false, false, NULL, NULL, 0, - nss_test_ctx->tctx->confdb); + nss_test_ctx->tctx->confdb, true); assert_non_null(subdomain); ret = sysdb_subdomain_store(nss_test_ctx->tctx->sysdb, diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c index 47d9aab54..9f3b49cd9 100644 --- a/src/tests/cmocka/test_responder_cache_req.c +++ b/src/tests/cmocka/test_responder_cache_req.c @@ -687,7 +687,7 @@ static int test_subdomain_setup(void **state) test_ctx->subdomain = new_subdomain(test_ctx, test_ctx->tctx->dom, testdom[0], testdom[1], testdom[2], testdom[3], MPG_DISABLED, false, NULL, NULL, 0, - test_ctx->tctx->confdb); + test_ctx->tctx->confdb, true); assert_non_null(test_ctx->subdomain); ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c index ed98fe6ce..832d60466 100644 --- a/src/tests/sysdb-tests.c +++ b/src/tests/sysdb-tests.c 
@@ -1541,7 +1541,7 @@ START_TEST (test_sysdb_get_user_attr_subdomain) /* Create subdomain */ subdomain = new_subdomain(test_ctx, test_ctx->domain, "test.sub", "TEST.SUB", "test", "S-3", - MPG_DISABLED, false, NULL, NULL, 0, NULL); + MPG_DISABLED, false, NULL, NULL, 0, NULL, true); fail_if(subdomain == NULL, "Failed to create new subdomain."); ret = sss_names_init_from_args(test_ctx, @@ -6143,7 +6143,7 @@ START_TEST(test_sysdb_subdomain_store_user) subdomain = new_subdomain(test_ctx, test_ctx->domain, testdom[0], testdom[1], testdom[2], testdom[3], - MPG_DISABLED, false, NULL, NULL, 0, NULL); + MPG_DISABLED, false, NULL, NULL, 0, NULL, true); fail_unless(subdomain != NULL, "Failed to create new subdomain."); ret = sysdb_subdomain_store(test_ctx->sysdb, testdom[0], testdom[1], testdom[2], testdom[3], @@ -6222,7 +6222,7 @@ START_TEST(test_sysdb_subdomain_user_ops) subdomain = new_subdomain(test_ctx, test_ctx->domain, testdom[0], testdom[1], testdom[2], testdom[3], - MPG_DISABLED, false, NULL, NULL, 0, NULL); + MPG_DISABLED, false, NULL, NULL, 0, NULL, true); fail_unless(subdomain != NULL, "Failed to create new subdomain."); ret = sysdb_subdomain_store(test_ctx->sysdb, testdom[0], testdom[1], testdom[2], testdom[3], @@ -6295,7 +6295,7 @@ START_TEST(test_sysdb_subdomain_group_ops) subdomain = new_subdomain(test_ctx, test_ctx->domain, testdom[0], testdom[1], testdom[2], testdom[3], - MPG_DISABLED, false, NULL, NULL, 0, NULL); + MPG_DISABLED, false, NULL, NULL, 0, NULL, true); fail_unless(subdomain != NULL, "Failed to create new subdomain."); ret = sysdb_subdomain_store(test_ctx->sysdb, testdom[0], testdom[1], testdom[2], testdom[3], -- 2.20.1