From 7c6fd66fa9ca942bc240b49f903d9d3d85340c4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 11 Apr 2017 17:19:29 +0200
Subject: [PATCH 107/110] CACHE_REQ: Allow configurationless shortname lookups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Configurationless shortnames lookups must be allowed when a domains' resolution order is present and the (head) domain is not enforcing the usage of fully-qualified-names. With this patch SSSD does not require any kind of changes from client side for taking advantage of shortname lookups.
Related: https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio
Reviewed-by: Pavel Březina
(cherry picked from commit dae798231fc2c575f213785768bc24ed765ba243)
---
 src/responder/common/cache_req/cache_req.c | 2 +-
 src/responder/common/cache_req/cache_req_domain.c | 48 +++++++++++++++++++++++
 src/responder/common/cache_req/cache_req_domain.h | 1 +
 3 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index 3a5fecf34427437bbf95317e05c5bd8b07b4537d..797325a30e6c1ed5f1d4b4c147c65391d5204b52 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -480,7 +480,7 @@ static errno_t cache_req_search_domains_next(struct tevent_req *req)
 * qualified names on domain less search. We do not descend into
 * subdomains here since those are implicitly qualified.
 */
- if (state->check_next && !allow_no_fqn && domain->fqnames) {
+ if (state->check_next && !allow_no_fqn && state->cr_domain->fqnames) {
 state->cr_domain = state->cr_domain->next;
 continue;
 }
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index 86a88efd54ca0f4a0748b44ece1b8515438d4628..bfdd2b7f640178f6d0a0d92f2fed329c856b478c 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
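Review bot: The comment above the changed condition in cache_req.c still says subdomains are not descended into because they are implicitly qualified, but the test now reads `state->cr_domain->fqnames`, a flag precomputed when the domain list is built rather than the domain's own setting. If that list can contain subdomains (the builder in cache_req_domain.c walks the domains with `SSS_GND_ALL_DOMAINS`), the comment no longer describes what is actually checked. I would add a sentence to it such as `The effective value is computed by cache_req_domain_use_fqnames() and may differ from domain->fqnames.` The comment and the enclosing loop both start outside the hunk.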
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -60,6 +60,48 @@ void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains)
 *cr_domains = NULL;
 }
+static bool
+cache_req_domain_use_fqnames(struct sss_domain_info *domain,
+ bool enforce_non_fqnames)
+{
+ struct sss_domain_info *head;
+
+ head = get_domains_head(domain);
+
+ /*
+ * In order to decide whether fully_qualified_names must be used on the
+ * lookups we have to take into consideration:
+ * - use_fully_qualified_name value of the head of the domains;
+ * (head->fqnames)
+ * - the presence of a domains' resolution order list;
+ * (non_fqnames_enforced)
+ *
+ * The relationship between those two can be described by:
+ * - head->fqnames:
+ * - true: in this case doesn't matter whether it's enforced or not,
+ * fully-qualified-names will _always_ be used
+ * - false: in this case (which is also the default case), the usage
+ * depends on it being enforced;
+ *
+ * - enforce_non_fqnames:
+ * - true: in this case, the usage of fully-qualified-names is not
+ * needed;
+ * - false: in this case, the usage of fully-qualified-names will be
+ * done accordingly to what's set for the domain itself.
+ */
+ switch (head->fqnames) {
+ case true:
+ return true;
+ case false:
+ switch (enforce_non_fqnames) {
+ case true:
+ return false;
+ case false:
+ return domain->fqnames;
+ }
+ }
+}
+
 static struct cache_req_domain *
 cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
 struct sss_domain_info *domains,
@@ -71,9 +113,11 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
 char *name;
 int flag = SSS_GND_ALL_DOMAINS;
 int i;
+ bool enforce_non_fqnames = false;
 errno_t ret;
 if (resolution_order != NULL) {
+ enforce_non_fqnames = true;
 for (i = 0; resolution_order[i] != NULL; i++) {
 name = resolution_order[i];
 for (dom = domains; dom; dom = get_next_domain(dom, flag)) {
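Review bot: `cache_req_domain_use_fqnames()` has no return statement after the nested `switch`, and neither `switch` has a `default`, so the compiler cannot prove that every path returns a value and may warn about control reaching the end of a non-void function. Switching on a `bool` with `case true:`/`case false:` is also unusual; three guard lines express the same decision: `if (head->fqnames) return true;`, `if (enforce_non_fqnames) return false;`, `return domain->fqnames;`. The result of `get_domains_head(domain)` is dereferenced without a check; whether it can return NULL is not visible here. The block comment calls the second input `non_fqnames_enforced` while the parameter is `enforce_non_fqnames`, so the comment should use the parameter's name.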
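Review bot: `enforce_non_fqnames` is set to true as soon as `resolution_order` is non-NULL, before the loop checks whether the array has any entries, so an empty list (first element NULL) would also switch every non-enforcing domain to shortname lookups. If callers can pass an empty array, which is not visible in this hunk, the intent would be clearer as `enforce_non_fqnames = (resolution_order[0] != NULL);`. Either way, a one-line comment at the assignment such as `/* a resolution order implies shortname lookups */` would record why the flag is tied to the list. The function body begins and ends outside the hunk.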
@@ -87,6 +131,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
 goto done;
 }
 cr_domain->domain = dom;
+ cr_domain->fqnames =
+ cache_req_domain_use_fqnames(dom, enforce_non_fqnames);
 DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *);
@@ -106,6 +152,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
 goto done;
 }
 cr_domain->domain = dom;
+ cr_domain->fqnames =
+ cache_req_domain_use_fqnames(dom, enforce_non_fqnames);
 DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *);
 }
diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h
index 000087e5ca2074f22169a4af627810f4f287e430..5bcbb9b493caf05bf71aac5cf7633ded91f22e73 100644
--- a/src/responder/common/cache_req/cache_req_domain.h
+++ b/src/responder/common/cache_req/cache_req_domain.h
@@ -25,6 +25,7 @@
 struct cache_req_domain {
 struct sss_domain_info *domain;
+ bool fqnames;
 struct cache_req_domain *prev;
 struct cache_req_domain *next;
--
2.9.3
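Review bot: The value stored in `cr_domain->fqnames` here, and by the identical assignment in the next hunk at -106,6, is decided from the head domain, so once a resolution order is present a subdomain whose own `fqnames` is true is still searched by short name. An unqualified name then resolves in whichever domain is searched first, which makes the order itself part of the identity decision: components that compare short names may end up matching an account from a different domain than the administrator expected. The second assignment appears to cover domains that were not named in the order (its loop is outside the hunk), so those would be affected as well. I would document this at the assignment, e.g. `/* effective value: with a resolution order, short names are accepted even for subdomains */`, and confirm that applying it to unlisted domains is intended.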
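Review bot: The new `fqnames` member in cache_req_domain.h is undocumented and shares its name with `domain->fqnames`, although after this commit the two can hold different values. A short comment on the field, for example `/* effective use-FQDN decision for this list entry; may differ from domain->fqnames */`, would keep later readers from testing the wrong one. The header's includes are outside the hunk, so whether `bool` is already declared there cannot be confirmed from here.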