From b0af402f8201d28922892b18792474f4ec546f36 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 13 Dec 2013 11:44:59 +0100

Subject: [PATCH 39/41] Use lower-case name for case-insensitive searches

The patch makes sure that a completely lower-cased version of a fully

qualified name is used for case insensitive searches. Currently there

are code paths where the domain name was used as configured and was not

lower-cased.

To make sure this patch does not break with old entries in the cache or

case sensitive domains a third template was added to the related filters

templates which is either filled with a completely lower-cased version or

with the old version. The other two template values are unchanged.

---

 src/db/sysdb.h                       | 10 +++++-----

 src/db/sysdb_ops.c                   |  8 +++++---

 src/db/sysdb_search.c                | 30 ++++++++++++++++++++--------

 src/responder/pam/pam_LOCAL_domain.c |  4 ++--

 src/tests/cmocka/test_utils.c        | 38 ++++++++++++++++++++++++++++++++++++

 src/util/sss_tc_utf8.c               | 30 ++++++++++++++++++++++++++++

 src/util/util.h                      |  6 ++++++

 7 files changed, 108 insertions(+), 18 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h

index f3358d642efd1c13203061c43e455a5c26c72740..f1ed8158ccff70f85940d63f247e23451c22c30f 100644

--- a/src/db/sysdb.h

+++ b/src/db/sysdb.h

@@ -144,23 +144,23 @@

 #define SYSDB_NC "objectclass="SYSDB_NETGROUP_CLASS

 #define SYSDB_MPGC "|("SYSDB_UC")("SYSDB_GC")"

-#define SYSDB_PWNAM_FILTER "(&("SYSDB_UC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"

+#define SYSDB_PWNAM_FILTER "(&("SYSDB_UC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"

 #define SYSDB_PWUID_FILTER "(&("SYSDB_UC")("SYSDB_UIDNUM"=%lu))"

 #define SYSDB_PWSID_FILTER "(&("SYSDB_UC")("SYSDB_SID_STR"=%s))"

 #define SYSDB_PWENT_FILTER "("SYSDB_UC")"

-#define SYSDB_GRNAM_FILTER "(&("SYSDB_GC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"

+#define SYSDB_GRNAM_FILTER "(&("SYSDB_GC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"

 #define SYSDB_GRGID_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))"

 #define SYSDB_GRSID_FILTER "(&("SYSDB_GC")("SYSDB_SID_STR"=%s))"

 #define SYSDB_GRENT_FILTER "("SYSDB_GC")"

-#define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"

+#define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"

 #define SYSDB_GRGID_MPG_FILTER "(&("SYSDB_MPGC")("SYSDB_GIDNUM"=%lu))"

 #define SYSDB_GRENT_MPG_FILTER "("SYSDB_MPGC")"

 #define SYSDB_INITGR_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=*))"

-#define SYSDB_NETGR_FILTER "(&("SYSDB_NC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"

-#define SYSDB_NETGR_TRIPLES_FILTER "(|("SYSDB_NAME"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_MEMBEROF"=%s))"

+#define SYSDB_NETGR_FILTER "(&("SYSDB_NC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"

+#define SYSDB_NETGR_TRIPLES_FILTER "(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_MEMBEROF"=%s))"

 #define SYSDB_SID_FILTER "(&(|("SYSDB_UC")("SYSDB_GC"))("SYSDB_SID_STR"=%s))"

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c

index 890bf1eb3cc5fc0b6eb6f7a145aee6d87945cd8d..a5dfd443c84b87609881f9042b3e82958c3b0e5f 100644

--- a/src/db/sysdb_ops.c

+++ b/src/db/sysdb_ops.c

@@ -305,6 +305,7 @@ int sysdb_search_user_by_name(TALLOC_CTX *mem_ctx,

     struct ldb_dn *basedn;

     size_t msgs_count = 0;

     char *sanitized_name;

+    char *lc_sanitized_name;

     char *filter;

     int ret;

@@ -320,13 +321,14 @@ int sysdb_search_user_by_name(TALLOC_CTX *mem_ctx,

         goto done;

     }

-    ret = sss_filter_sanitize(tmp_ctx, name, &sanitized_name);

+    ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain, &sanitized_name,

+                                      &lc_sanitized_name);

     if (ret != EOK) {

         goto done;

     }

-    filter = talloc_asprintf(tmp_ctx, SYSDB_PWNAM_FILTER, sanitized_name,

-                             sanitized_name);

+    filter = talloc_asprintf(tmp_ctx, SYSDB_PWNAM_FILTER, lc_sanitized_name,

+                             sanitized_name, sanitized_name);

     if (!filter) {

         ret = ENOMEM;

         goto done;

diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c

index d15fc73ce2272bff53650ae9dd0dbdad99a849e6..308710a2c780b9a709930b7d8a16a0c07471aff7 100644

--- a/src/db/sysdb_search.c

+++ b/src/db/sysdb_search.c

@@ -38,6 +38,7 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx,

     struct ldb_dn *base_dn;

     struct ldb_result *res;

     char *sanitized_name;

+    char *lc_sanitized_name;

     const char *src_name;

     int ret;

@@ -61,13 +62,15 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx,

         goto done;

     }

-    ret = sss_filter_sanitize(tmp_ctx, src_name, &sanitized_name);

+    ret = sss_filter_sanitize_for_dom(tmp_ctx, src_name, domain,

+                                      &sanitized_name, &lc_sanitized_name);

     if (ret != EOK) {

         goto done;

     }

     ret = ldb_search(sysdb->ldb, tmp_ctx, &res, base_dn,

                      LDB_SCOPE_SUBTREE, attrs, SYSDB_PWNAM_FILTER,

+                     lc_sanitized_name,

                      sanitized_name, sanitized_name);

     if (ret) {

         ret = sysdb_error_to_errno(ret);

@@ -214,6 +217,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,

     struct ldb_dn *base_dn;

     struct ldb_result *res;

     const char *src_name;

+    char *lc_sanitized_name;

     int ret;

     tmp_ctx = talloc_new(NULL);

@@ -243,14 +247,15 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,

         goto done;

     }

-    ret = sss_filter_sanitize(tmp_ctx, src_name, &sanitized_name);

+    ret = sss_filter_sanitize_for_dom(tmp_ctx, src_name, domain,

+                                      &sanitized_name, &lc_sanitized_name);

     if (ret != EOK) {

         goto done;

     }

     ret = ldb_search(sysdb->ldb, tmp_ctx, &res, base_dn,

                      LDB_SCOPE_SUBTREE, attrs, fmt_filter,

-                     sanitized_name, sanitized_name);

+                     lc_sanitized_name, sanitized_name, sanitized_name);

     if (ret) {

         ret = sysdb_error_to_errno(ret);

         goto done;

@@ -481,6 +486,7 @@ int sysdb_get_user_attr(TALLOC_CTX *mem_ctx,

     struct ldb_dn *base_dn;

     struct ldb_result *res;

     char *sanitized_name;

+    char *lc_sanitized_name;

     int ret;

     tmp_ctx = talloc_new(NULL);

@@ -495,14 +501,15 @@ int sysdb_get_user_attr(TALLOC_CTX *mem_ctx,

         goto done;

     }

-    ret = sss_filter_sanitize(tmp_ctx, name, &sanitized_name);

+    ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain, &sanitized_name,

+                                      &lc_sanitized_name);

     if (ret != EOK) {

         goto done;

     }

     ret = ldb_search(sysdb->ldb, tmp_ctx, &res, base_dn,

                      LDB_SCOPE_SUBTREE, attributes,

-                     SYSDB_PWNAM_FILTER, sanitized_name,

+                     SYSDB_PWNAM_FILTER, lc_sanitized_name, sanitized_name,

                      sanitized_name);

     if (ret) {

         ret = sysdb_error_to_errno(ret);

@@ -785,6 +792,7 @@ errno_t sysdb_getnetgr(TALLOC_CTX *mem_ctx,

     struct ldb_dn *base_dn;

     struct ldb_result *result;

     char *sanitized_netgroup;

+    char *lc_sanitized_netgroup;

     char *netgroup_dn;

     int lret;

     errno_t ret;

@@ -802,7 +810,9 @@ errno_t sysdb_getnetgr(TALLOC_CTX *mem_ctx,

         goto done;

     }

-    ret = sss_filter_sanitize(tmp_ctx, netgroup, &sanitized_netgroup);

+    ret = sss_filter_sanitize_for_dom(tmp_ctx, netgroup, domain,

+                                      &sanitized_netgroup,

+                                      &lc_sanitized_netgroup);

     if (ret != EOK) {

         goto done;

     }

@@ -816,7 +826,7 @@ errno_t sysdb_getnetgr(TALLOC_CTX *mem_ctx,

     lret = ldb_search(sysdb->ldb, tmp_ctx, &result, base_dn,

                      LDB_SCOPE_SUBTREE, attrs,

-                     SYSDB_NETGR_TRIPLES_FILTER,

+                     SYSDB_NETGR_TRIPLES_FILTER, lc_sanitized_netgroup,

                      sanitized_netgroup, sanitized_netgroup,

                      netgroup_dn);

     ret = sysdb_error_to_errno(lret);

@@ -843,6 +853,7 @@ int sysdb_get_netgroup_attr(TALLOC_CTX *mem_ctx,

     struct ldb_dn *base_dn;

     struct ldb_result *result;

     char *sanitized_netgroup;

+    char *lc_sanitized_netgroup;

     int ret;

     tmp_ctx = talloc_new(NULL);

@@ -857,7 +868,9 @@ int sysdb_get_netgroup_attr(TALLOC_CTX *mem_ctx,

         goto done;

     }

-    ret = sss_filter_sanitize(tmp_ctx, netgrname, &sanitized_netgroup);

+    ret = sss_filter_sanitize_for_dom(tmp_ctx, netgrname, domain,

+                                      &sanitized_netgroup,

+                                      &lc_sanitized_netgroup);

     if (ret != EOK) {

         goto done;

     }

@@ -865,6 +878,7 @@ int sysdb_get_netgroup_attr(TALLOC_CTX *mem_ctx,

     ret = ldb_search(sysdb->ldb, tmp_ctx, &result, base_dn,

                      LDB_SCOPE_SUBTREE, attributes,

                      SYSDB_NETGR_FILTER,

+                     lc_sanitized_netgroup,

                      sanitized_netgroup,

                      sanitized_netgroup);

     if (ret) {

diff --git a/src/responder/pam/pam_LOCAL_domain.c b/src/responder/pam/pam_LOCAL_domain.c

index e7776cba3b74a86ef63dad30f08b4436a59a89be..49ddbcda39468e6a4f2065d97df309ce881b6aa4 100644

--- a/src/responder/pam/pam_LOCAL_domain.c

+++ b/src/responder/pam/pam_LOCAL_domain.c

@@ -258,12 +258,12 @@ int LOCAL_pam_handler(struct pam_auth_req *preq)

     if (res->count < 1) {

         DEBUG(4, ("No user found with filter ["SYSDB_PWNAM_FILTER"]\n",

-                  pd->user, pd->user));

+                  pd->user, pd->user, pd->user));

         pd->pam_status = PAM_USER_UNKNOWN;

         goto done;

     } else if (res->count > 1) {

         DEBUG(4, ("More than one object found with filter ["SYSDB_PWNAM_FILTER"]\n",

-                  pd->user, pd->user));

+                  pd->user, pd->user, pd->user));

         lreq->error = EFAULT;

         goto done;

     }

diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c

index 1be59ab69cfa632010c5e1700dc79f59b6f48fde..61e8e9f07ca2f6772b12fe602acb3d2872b39c10 100644

--- a/src/tests/cmocka/test_utils.c

+++ b/src/tests/cmocka/test_utils.c

@@ -177,6 +177,41 @@ void test_find_subdomain_by_sid_missing_sid(void **state)

     }

 }

+#define TEST_SANITIZE_INPUT "TestUser@Test.Domain"

+#define TEST_SANITIZE_LC_INPUT "testuser@test.domain"

+

+void test_sss_filter_sanitize_for_dom(void **state)

+{

+    struct dom_list_test_ctx *test_ctx;

+    int ret;

+    char *sanitized;

+    char *lc_sanitized;

+    struct sss_domain_info *dom;

+

+    test_ctx = talloc_get_type(*state, struct dom_list_test_ctx);

+    dom = test_ctx->dom_list;

+

+    dom->case_sensitive = true;

+

+    ret = sss_filter_sanitize_for_dom(test_ctx, TEST_SANITIZE_INPUT, dom,

+                                      &sanitized, &lc_sanitized);

+    assert_int_equal(ret, EOK);

+    assert_string_equal(sanitized, TEST_SANITIZE_INPUT);

+    assert_string_equal(lc_sanitized, TEST_SANITIZE_INPUT);

+    talloc_free(sanitized);

+    talloc_free(lc_sanitized);

+

+    dom->case_sensitive = false;

+

+    ret = sss_filter_sanitize_for_dom(test_ctx, TEST_SANITIZE_INPUT, dom,

+                                      &sanitized, &lc_sanitized);

+    assert_int_equal(ret, EOK);

+    assert_string_equal(sanitized, TEST_SANITIZE_INPUT);

+    assert_string_equal(lc_sanitized, TEST_SANITIZE_LC_INPUT);

+    talloc_free(sanitized);

+    talloc_free(lc_sanitized);

+}

+

 int main(int argc, const char *argv[])

 {

     poptContext pc;

@@ -194,6 +229,9 @@ int main(int argc, const char *argv[])

                                  setup_dom_list, teardown_dom_list),

         unit_test_setup_teardown(test_find_subdomain_by_sid_missing_sid,

                                  setup_dom_list, teardown_dom_list),

+

+        unit_test_setup_teardown(test_sss_filter_sanitize_for_dom,

+                                 setup_dom_list, teardown_dom_list),

     };

     /* Set debug level to invalid value so we can deside if -d 0 was used. */

diff --git a/src/util/sss_tc_utf8.c b/src/util/sss_tc_utf8.c

index 6a976211f7b77d329ba3261577c43466406f3da9..e1426a44f3518783dca4f22cd6016cdde92d0f56 100644

--- a/src/util/sss_tc_utf8.c

+++ b/src/util/sss_tc_utf8.c

@@ -55,3 +55,33 @@ sss_tc_utf8_tolower(TALLOC_CTX *mem_ctx, const uint8_t *s, size_t len, size_t *_

     return ret;

 }

+errno_t sss_filter_sanitize_for_dom(TALLOC_CTX *mem_ctx,

+                                    const char *input,

+                                    struct sss_domain_info *dom,

+                                    char **sanitized,

+                                    char **lc_sanitized)

+{

+    int ret;

+

+    ret = sss_filter_sanitize(mem_ctx, input, sanitized);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, ("sss_filter_sanitize failed.\n"));

+        return ret;

+    }

+

+    if (dom->case_sensitive) {

+        *lc_sanitized = talloc_strdup(mem_ctx, *sanitized);

+    } else {

+        *lc_sanitized = sss_tc_utf8_str_tolower(mem_ctx, *sanitized);

+    }

+

+    if (*lc_sanitized == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE, ("%s failed.\n",

+                                              dom->case_sensitive ?

+                                                    "talloc_strdup" :

+                                                    "sss_tc_utf8_str_tolower"));

+        return ENOMEM;

+    }

+

+    return EOK;

+}

diff --git a/src/util/util.h b/src/util/util.h

index 058c1c27986f9749a18dd4c92ddb9428349a1dac..3334476ab83a137d957765fe2c9afba4ad0d014c 100644

--- a/src/util/util.h

+++ b/src/util/util.h

@@ -484,6 +484,12 @@ errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,

                             const char *input,

                             char **sanitized);

+errno_t sss_filter_sanitize_for_dom(TALLOC_CTX *mem_ctx,

+                                    const char *input,

+                                    struct sss_domain_info *dom,

+                                    char **sanitized,

+                                    char **lc_sanitized);

+

 char *

 sss_escape_ip_address(TALLOC_CTX *mem_ctx, int family, const char *addr);

-- 

1.8.4.2