Blame SOURCES/0050-Ticket-49231-force-EXTERNAL-always.patch

61f723
From d2648bbddbf087c4e3803a89cb67541a50682eae Mon Sep 17 00:00:00 2001
61f723
From: William Brown <firstyear@redhat.com>
61f723
Date: Mon, 15 May 2017 09:04:45 +1000
61f723
Subject: [PATCH] Ticket 49231 - force EXTERNAL always
61f723
61f723
Bug Description:  Because of how our sasl code works, EXTERNAL bypasses
61f723
a number of checks so is always available.
61f723
61f723
Fix Description:  Force EXTERNAL to the present mech list, regardless
61f723
of the whitelist.
61f723
61f723
https://pagure.io/389-ds-base/issue/49231
61f723
61f723
Author: wibrown
61f723
61f723
Review by: mreynosd (Thanks!)
61f723
61f723
(cherry picked from commit e6e0db35842fc6612134cff5a08c4968230d1b2f)
61f723
---
61f723
 dirsrvtests/tests/suites/sasl/allowed_mechs.py | 13 +++++++++++--
61f723
 ldap/servers/slapd/charray.c                   | 14 ++++++++++++++
61f723
 ldap/servers/slapd/saslbind.c                  |  9 +++++++++
61f723
 ldap/servers/slapd/slapi-private.h             |  2 ++
61f723
 4 files changed, 36 insertions(+), 2 deletions(-)
61f723
61f723
diff --git a/dirsrvtests/tests/suites/sasl/allowed_mechs.py b/dirsrvtests/tests/suites/sasl/allowed_mechs.py
61f723
index a3e385e..7958db4 100644
61f723
--- a/dirsrvtests/tests/suites/sasl/allowed_mechs.py
61f723
+++ b/dirsrvtests/tests/suites/sasl/allowed_mechs.py
61f723
@@ -25,12 +25,21 @@ def test_sasl_allowed_mechs(topology_st):
61f723
     assert('EXTERNAL' in orig_mechs)
61f723
 
61f723
     # Now edit the supported mechs. CHeck them again.
61f723
-    standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'EXTERNAL, PLAIN')
61f723
+    standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'PLAIN')
61f723
 
61f723
     limit_mechs = standalone.rootdse.supported_sasl()
61f723
-    print(limit_mechs)
61f723
     assert('PLAIN' in limit_mechs)
61f723
+    # Should always be in the allowed list, even if not set.
61f723
     assert('EXTERNAL' in limit_mechs)
61f723
+    # Should not be there!
61f723
+    assert('GSSAPI' not in limit_mechs)
61f723
+
61f723
+    standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'PLAIN, EXTERNAL')
61f723
+
61f723
+    limit_mechs = standalone.rootdse.supported_sasl()
61f723
+    assert('PLAIN' in limit_mechs)
61f723
+    assert('EXTERNAL' in limit_mechs)
61f723
+    # Should not be there!
61f723
     assert('GSSAPI' not in limit_mechs)
61f723
 
61f723
     # Do a config reset
61f723
diff --git a/ldap/servers/slapd/charray.c b/ldap/servers/slapd/charray.c
61f723
index 6b89714..9056f16 100644
61f723
--- a/ldap/servers/slapd/charray.c
61f723
+++ b/ldap/servers/slapd/charray.c
61f723
@@ -272,6 +272,20 @@ charray_utf8_inlist(
61f723
     return( 0 );
61f723
 }
61f723
 
61f723
+/*
61f723
+ * Assert that some str s is in the charray, or add it.
61f723
+ */
61f723
+void
61f723
+charray_assert_present(char ***a, char *s)
61f723
+{
61f723
+    int result = charray_utf8_inlist(*a, s);
61f723
+    /* Not in the list */
61f723
+    if (result == 0) {
61f723
+        char *sdup = slapi_ch_strdup(s);
61f723
+        slapi_ch_array_add_ext(a, sdup);
61f723
+    }
61f723
+}
61f723
+
61f723
 int slapi_ch_array_utf8_inlist(char **a, char *s)
61f723
 {
61f723
 	return charray_utf8_inlist(a,s);
61f723
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
61f723
index 75b83fe..dd0c4fb 100644
61f723
--- a/ldap/servers/slapd/saslbind.c
61f723
+++ b/ldap/servers/slapd/saslbind.c
61f723
@@ -794,6 +794,15 @@ char **ids_sasl_listmech(Slapi_PBlock *pb)
61f723
         ret = sup_ret;
61f723
     }
61f723
 
61f723
+    /*
61f723
+     * https://pagure.io/389-ds-base/issue/49231
61f723
+     * Because of the way that SASL mechs are managed in bind.c and saslbind.c
61f723
+     * even if EXTERNAL was *not* in the list of allowed mechs, it was allowed
61f723
+     * in the bind process because it bypasses lots of our checking. As a result
61f723
+     * we have to always present it.
61f723
+     */
61f723
+    charray_assert_present(&ret, "EXTERNAL");
61f723
+
61f723
     slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_listmech", "<=\n");
61f723
 
61f723
     return ret;
61f723
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
61f723
index 3f732e8..0836d66 100644
61f723
--- a/ldap/servers/slapd/slapi-private.h
61f723
+++ b/ldap/servers/slapd/slapi-private.h
61f723
@@ -834,6 +834,8 @@ void charray_subtract( char **a, char **b, char ***c );
61f723
 char **charray_intersection(char **a, char **b);
61f723
 int charray_get_index(char **array, char *s);
61f723
 int charray_normdn_add(char ***chararray, char *dn, char *errstr);
61f723
+void charray_assert_present(char ***a, char *s);
61f723
+
61f723
 
61f723
 /******************************************************************************
61f723
  * value array routines.
61f723
-- 
61f723
2.9.4
61f723