dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0065-ipa-check-for-SYSDB_OVERRIDE_DN-in-process_members-a.patch

9f2ebf
From 53c6201539d24f8b929120565ca661977ecbb1a4 Mon Sep 17 00:00:00 2001
9f2ebf
From: Sumit Bose <sbose@redhat.com>
9f2ebf
Date: Mon, 20 Nov 2017 16:12:58 +0100
9f2ebf
Subject: [PATCH 65/67] ipa: check for SYSDB_OVERRIDE_DN in process_members and
9f2ebf
 get_group_dn_list
9f2ebf
MIME-Version: 1.0
9f2ebf
Content-Type: text/plain; charset=UTF-8
9f2ebf
Content-Transfer-Encoding: 8bit
9f2ebf
9f2ebf
process_members() and get_group_dn_list() are used on an IPA client to
9f2ebf
determine a list of users or groups which are missing in the cache and
9f2ebf
are needed to properly add a group or user object to the cache
9f2ebf
respectively.
9f2ebf
9f2ebf
If a non-default view is assigned to the client the SYSDB_OVERRIDE_DN
9f2ebf
must be set for all user and group objects to indicate that it was
9f2ebf
already checked if there is an id-override defined for the object or
9f2ebf
not. There a circumstances were SYSDB_OVERRIDE_DN is not set, e.g. after
9f2ebf
a view name change. To make sure the cache is in a consistent state with
9f2ebf
this patch  user and group entries without SYSDB_OVERRIDE_DN are
9f2ebf
considered as missing is a non-default view is assigned to the client.
9f2ebf
9f2ebf
Related to https://pagure.io/SSSD/sssd/issue/3579
9f2ebf
9f2ebf
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
9f2ebf
(cherry picked from commit 919b5d76057d31877e0c25ca495711ff76c713d6)
9f2ebf
---
9f2ebf
 src/providers/ipa/ipa_s2n_exop.c | 145 ++++++++++++++++++++++-----------------
9f2ebf
 1 file changed, 83 insertions(+), 62 deletions(-)
9f2ebf
9f2ebf
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
9f2ebf
index 39ed17cbf0e8c523212084197e9f2963fed88dc8..c6132f509dcc8e7af84e03e8bfe20701107d1392 100644
9f2ebf
--- a/src/providers/ipa/ipa_s2n_exop.c
9f2ebf
+++ b/src/providers/ipa/ipa_s2n_exop.c
9f2ebf
@@ -1523,6 +1523,7 @@ fail:
9f2ebf
 }
9f2ebf
 
9f2ebf
 static errno_t process_members(struct sss_domain_info *domain,
9f2ebf
+                               bool is_default_view,
9f2ebf
                                struct sysdb_attrs *group_attrs,
9f2ebf
                                char **members,
9f2ebf
                                TALLOC_CTX *mem_ctx, char ***_missing_members)
9f2ebf
@@ -1536,6 +1537,7 @@ static errno_t process_members(struct sss_domain_info *domain,
9f2ebf
     struct sss_domain_info *parent_domain;
9f2ebf
     char **missing_members = NULL;
9f2ebf
     size_t miss_count = 0;
9f2ebf
+    const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
9f2ebf
 
9f2ebf
     if (members == NULL) {
9f2ebf
         DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
9f2ebf
@@ -1572,53 +1574,59 @@ static errno_t process_members(struct sss_domain_info *domain,
9f2ebf
             goto done;
9f2ebf
         }
9f2ebf
 
9f2ebf
-        ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], NULL,
9f2ebf
+        ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,
9f2ebf
                                         &msg;;
9f2ebf
-        if (ret == EOK) {
9f2ebf
-            if (group_attrs != NULL) {
9f2ebf
-                dn_str = ldb_dn_get_linearized(msg->dn);
9f2ebf
-                if (dn_str == NULL) {
9f2ebf
-                    DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
9f2ebf
-                    ret = EINVAL;
9f2ebf
-                    goto done;
9f2ebf
-                }
9f2ebf
-
9f2ebf
-                DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
9f2ebf
-                                        members[c], dn_str);
9f2ebf
+        if (ret == EOK || ret == ENOENT) {
9f2ebf
+            if (ret == ENOENT
9f2ebf
+                    || (!is_default_view
9f2ebf
+                        && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
9f2ebf
+                                                       NULL) == NULL)) {
9f2ebf
+                /* only add ghost if the member is really missing */
9f2ebf
+                if (group_attrs != NULL && ret == ENOENT) {
9f2ebf
+                    DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
9f2ebf
+                                            members[c]);
9f2ebf
 
9f2ebf
-                ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
9f2ebf
-                                                  dn_str);
9f2ebf
-                if (ret != EOK) {
9f2ebf
-                    DEBUG(SSSDBG_OP_FAILURE,
9f2ebf
-                          "sysdb_attrs_add_string_safe failed.\n");
9f2ebf
-                    goto done;
9f2ebf
+                    /* There were cases where the server returned the same user
9f2ebf
+                     * multiple times */
9f2ebf
+                    ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
9f2ebf
+                                                      members[c]);
9f2ebf
+                    if (ret != EOK) {
9f2ebf
+                        DEBUG(SSSDBG_OP_FAILURE,
9f2ebf
+                              "sysdb_attrs_add_string failed.\n");
9f2ebf
+                        goto done;
9f2ebf
+                    }
9f2ebf
                 }
9f2ebf
-            }
9f2ebf
-        } else if (ret == ENOENT) {
9f2ebf
-            if (group_attrs != NULL) {
9f2ebf
-                DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
9f2ebf
-                                        members[c]);
9f2ebf
 
9f2ebf
-                /* There were cases where the server returned the same user
9f2ebf
-                 * multiple times */
9f2ebf
-                ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
9f2ebf
-                                                  members[c]);
9f2ebf
-                if (ret != EOK) {
9f2ebf
-                    DEBUG(SSSDBG_OP_FAILURE,
9f2ebf
-                          "sysdb_attrs_add_string failed.\n");
9f2ebf
-                    goto done;
9f2ebf
+                if (missing_members != NULL) {
9f2ebf
+                    missing_members[miss_count] = talloc_strdup(missing_members,
9f2ebf
+                                                                members[c]);
9f2ebf
+                    if (missing_members[miss_count] == NULL) {
9f2ebf
+                        DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
9f2ebf
+                        ret = ENOMEM;
9f2ebf
+                        goto done;
9f2ebf
+                    }
9f2ebf
+                    miss_count++;
9f2ebf
                 }
9f2ebf
-            }
9f2ebf
+            } else {
9f2ebf
+                if (group_attrs != NULL) {
9f2ebf
+                    dn_str = ldb_dn_get_linearized(msg->dn);
9f2ebf
+                    if (dn_str == NULL) {
9f2ebf
+                        DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
9f2ebf
+                        ret = EINVAL;
9f2ebf
+                        goto done;
9f2ebf
+                    }
9f2ebf
+
9f2ebf
+                    DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
9f2ebf
+                                            members[c], dn_str);
9f2ebf
 
9f2ebf
-            if (missing_members != NULL) {
9f2ebf
-                missing_members[miss_count] = talloc_strdup(missing_members,
9f2ebf
-                                                            members[c]);
9f2ebf
-                if (missing_members[miss_count] == NULL) {
9f2ebf
-                    DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
9f2ebf
-                    ret = ENOMEM;
9f2ebf
-                    goto done;
9f2ebf
+                    ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
9f2ebf
+                                                      dn_str);
9f2ebf
+                    if (ret != EOK) {
9f2ebf
+                        DEBUG(SSSDBG_OP_FAILURE,
9f2ebf
+                              "sysdb_attrs_add_string_safe failed.\n");
9f2ebf
+                        goto done;
9f2ebf
+                    }
9f2ebf
                 }
9f2ebf
-                miss_count++;
9f2ebf
             }
9f2ebf
         } else {
9f2ebf
             DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
9f2ebf
@@ -1649,6 +1657,7 @@ done:
9f2ebf
 }
9f2ebf
 
9f2ebf
 static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
9f2ebf
+                                 bool is_default_view,
9f2ebf
                                  struct sss_domain_info *dom,
9f2ebf
                                  size_t ngroups, char **groups,
9f2ebf
                                  struct ldb_dn ***_dn_list,
9f2ebf
@@ -1664,6 +1673,7 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
9f2ebf
     size_t n_missing = 0;
9f2ebf
     struct sss_domain_info *obj_domain;
9f2ebf
     struct sss_domain_info *parent_domain;
9f2ebf
+    const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
9f2ebf
 
9f2ebf
     tmp_ctx = talloc_new(NULL);
9f2ebf
     if (tmp_ctx == NULL) {
9f2ebf
@@ -1689,25 +1699,31 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
9f2ebf
             goto done;
9f2ebf
         }
9f2ebf
 
9f2ebf
-        ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], NULL,
9f2ebf
+        ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], attrs,
9f2ebf
                                          &msg;;
9f2ebf
-        if (ret == EOK) {
9f2ebf
-            dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
9f2ebf
-            if (dn_list[n_dns] == NULL) {
9f2ebf
-                DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
9f2ebf
-                ret = ENOMEM;
9f2ebf
-                goto done;
9f2ebf
+        if (ret == EOK || ret == ENOENT) {
9f2ebf
+            if (ret == ENOENT
9f2ebf
+                    || (!is_default_view
9f2ebf
+                        && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
9f2ebf
+                                                       NULL) == NULL)) {
9f2ebf
+                missing_groups[n_missing] = talloc_strdup(missing_groups,
9f2ebf
+                                                          groups[c]);
9f2ebf
+                if (missing_groups[n_missing] == NULL) {
9f2ebf
+                    DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
9f2ebf
+                    ret = ENOMEM;
9f2ebf
+                    goto done;
9f2ebf
+                }
9f2ebf
+                n_missing++;
9f2ebf
+
9f2ebf
+            } else {
9f2ebf
+                dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
9f2ebf
+                if (dn_list[n_dns] == NULL) {
9f2ebf
+                    DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
9f2ebf
+                    ret = ENOMEM;
9f2ebf
+                    goto done;
9f2ebf
+                }
9f2ebf
+                n_dns++;
9f2ebf
             }
9f2ebf
-            n_dns++;
9f2ebf
-        } else if (ret == ENOENT) {
9f2ebf
-            missing_groups[n_missing] = talloc_strdup(missing_groups,
9f2ebf
-                                                      groups[c]);
9f2ebf
-            if (missing_groups[n_missing] == NULL) {
9f2ebf
-                DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
9f2ebf
-                ret = ENOMEM;
9f2ebf
-                goto done;
9f2ebf
-            }
9f2ebf
-            n_missing++;
9f2ebf
         } else {
9f2ebf
             DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_group_by_name failed.\n");
9f2ebf
             goto done;
9f2ebf
@@ -1803,7 +1819,9 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
9f2ebf
             }
9f2ebf
 
9f2ebf
 
9f2ebf
-            ret = get_group_dn_list(state, state->dom,
9f2ebf
+            ret = get_group_dn_list(state,
9f2ebf
+                                    is_default_view(state->ipa_ctx->view_name),
9f2ebf
+                                    state->dom,
9f2ebf
                                     attrs->ngroups, attrs->groups,
9f2ebf
                                     &group_dn_list, &missing_list);
9f2ebf
             if (ret != EOK) {
9f2ebf
@@ -1832,8 +1850,10 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
9f2ebf
             }
9f2ebf
             break;
9f2ebf
         } else if (attrs->response_type == RESP_GROUP_MEMBERS) {
9f2ebf
-            ret = process_members(state->dom, NULL, attrs->a.group.gr_mem,
9f2ebf
-                                  state, &missing_list);
9f2ebf
+            ret = process_members(state->dom,
9f2ebf
+                                  is_default_view(state->ipa_ctx->view_name),
9f2ebf
+                                  NULL, attrs->a.group.gr_mem, state,
9f2ebf
+                                  &missing_list);
9f2ebf
             if (ret != EOK) {
9f2ebf
                 DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
9f2ebf
                 goto done;
9f2ebf
@@ -2572,8 +2592,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
9f2ebf
                 }
9f2ebf
             }
9f2ebf
 
9f2ebf
-            ret = process_members(dom, attrs->sysdb_attrs,
9f2ebf
-                                  attrs->a.group.gr_mem, NULL, NULL);
9f2ebf
+            ret = process_members(dom, is_default_view(view_name),
9f2ebf
+                                  attrs->sysdb_attrs, attrs->a.group.gr_mem,
9f2ebf
+                                  NULL, NULL);
9f2ebf
             if (ret != EOK) {
9f2ebf
                 DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
9f2ebf
                 goto done;
9f2ebf
-- 
9f2ebf
2.14.3
9f2ebf