From e7e212b49bbd357129aab410cbbd5c7b1b0965a2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 24 Jun 2019 14:01:02 +0200
Subject: [PATCH] negcache: add fq-usernames of know domains to all UPN
 neg-caches

The previous patch for this issue did not handle users with
fully-qualified names from known domains correctly. Such a user was
only added to the negative cache of the known domain but not to the
negative UPN caches for all domains. This patch fixes this.

Related to https://pagure.io/SSSD/sssd/issue/3978

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/responder/common/negcache.c  | 54 ++++++++++++++++----------------
 src/tests/cmocka/test_negcache.c | 17 +++++++++-
 2 files changed, 43 insertions(+), 28 deletions(-)

diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index d6f72d816..d9bf1417e 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -1070,37 +1070,37 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
             continue;
         }
         if (domainname) {
-            dom = responder_get_domain(rctx, domainname);
-            if (!dom) {
-                DEBUG(SSSDBG_CRIT_FAILURE,
-                      "Unknown domain name [%s], assuming [%s] is UPN\n",
-                      domainname, filter_list[i]);
-                for (dom = domain_list;
-                     dom != NULL;
-                     dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
-                    ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
-                    if (ret != EOK) {
-                        DEBUG(SSSDBG_OP_FAILURE,
-                              "sss_ncache_set_upn failed (%d [%s]), ignored\n",
-                              ret, sss_strerror(ret));
-                    }
+            DEBUG(SSSDBG_TRACE_ALL,
+                  "Adding [%s] to UPN negative cache of all domains.\n",
+                  filter_list[i]);
+            for (dom = domain_list;
+                 dom != NULL;
+                 dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+                ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
+                if (ret != EOK) {
+                    DEBUG(SSSDBG_OP_FAILURE,
+                          "sss_ncache_set_upn failed (%d [%s]), ignored\n",
+                          ret, sss_strerror(ret));
                 }
-                continue;
             }
 
-            fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
-            if (fqname == NULL) {
-                continue;
-            }
+            /* Add name to domain specific cache for known domain names */
+            dom = responder_get_domain(rctx, domainname);
+            if (dom != NULL) {
+                fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+                if (fqname == NULL) {
+                    continue;
+                }
 
-            ret = sss_ncache_set_user(ncache, true, dom, fqname);
-            talloc_zfree(fqname);
-            if (ret != EOK) {
-                DEBUG(SSSDBG_CRIT_FAILURE,
-                      "Failed to store permanent user filter for [%s]"
-                          " (%d [%s])\n", filter_list[i],
-                          ret, strerror(ret));
-                continue;
+                ret = sss_ncache_set_user(ncache, true, dom, fqname);
+                talloc_zfree(fqname);
+                if (ret != EOK) {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          "Failed to store permanent user filter for [%s]"
+                              " (%d [%s])\n", filter_list[i],
+                              ret, strerror(ret));
+                    continue;
+                }
             }
         } else {
             for (dom = domain_list;
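Review bot: When `responder_get_domain()` returns NULL at the new `if (dom != NULL)` check, the entry is skipped for the domain-specific user cache without any message, whereas the removed code logged the unknown domain name at SSSDBG_CRIT_FAILURE. A mistyped domain part in a `filter_users` entry therefore leaves no trace below SSSDBG_TRACE_ALL, even though the name is then filtered only as a UPN. An `else` branch such as `DEBUG(SSSDBG_MINOR_FAILURE, "Unknown domain name [%s], [%s] only added to UPN negative caches\n", domainname, filter_list[i]);` would keep that visible to whoever maintains the filter list. Separately, the user-cache failure message still formats `ret` with `strerror(ret)` while the UPN loop just above uses `sss_strerror(ret)`; using `sss_strerror` in both places would be consistent. The body of sss_ncache_prepopulate starts and ends outside this hunk.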
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index 7ab8a0981..9d4bdde14 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -637,7 +637,7 @@ static void test_sss_ncache_prepopulate(void **state)
     struct sss_domain_info *subdomain;
 
     struct sss_test_conf_param nss_params[] = {
-        { "filter_users", "testuser_nss@UPN.REALM, testuser_nss_short" },
+        { "filter_users", "testuser_nss@UPN.REALM, testuser_nss_short, all_dom_upn@"TEST_DOM_NAME },
         { NULL, NULL },
     };
     struct sss_test_conf_param dom_params[] = {
@@ -752,6 +752,21 @@ static void test_sss_ncache_prepopulate(void **state)
 
     ret = sss_ncache_check_upn(ncache, tc->dom, "testuser3@somedomain");
     assert_int_equal(ret, EEXIST);
+
+    /* Fully qualified names with a known domain part should be added to all
+     * negative UPN caches and to the negative cache of the know domain. */
+    ret = sss_ncache_check_upn(ncache, tc->dom, "all_dom_upn@"TEST_DOM_NAME);
+    assert_int_equal(ret, EEXIST);
+
+    ret = sss_ncache_check_upn(ncache, tc->dom->subdomains,
+                               "all_dom_upn@"TEST_DOM_NAME);
+    assert_int_equal(ret, EEXIST);
+
+    ret = check_user_in_ncache(ncache, tc->dom, "all_dom_upn");
+    assert_int_equal(ret, EEXIST);
+
+    ret = check_user_in_ncache(ncache, tc->dom->subdomains, "all_dom_upn");
+    assert_int_equal(ret, ENOENT);
 }
 
 static void test_sss_ncache_default_domain_suffix(void **state)
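Review bot: The added comment ends with "of the know domain", which should read `negative cache of the known domain. */`. The comment also covers only the three EEXIST checks and does not explain the fourth assertion, which expects ENOENT for the short name in the subdomain's user cache. A sentence such as `The user entry must stay confined to the matching domain's user cache.` would document why that result is expected. test_sss_ncache_prepopulate starts outside the hunk, so the setup of `tc->dom->subdomains` is not visible here.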
-- 
2.20.1