From f9f227bb5a7fe6e5af83debbbd892bdb4e13894d Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Tue, 14 Jul 2015 14:41:34 +0200

Subject: [PATCH 14/14] nss_check_name_of_well_known_sid() improve name

 splitting

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Currently in the default configuration

nss_check_name_of_well_known_sid() can only split fully-qualified names

in the user@domain.name style. DOM\user style names will cause an error

and terminate the whole request.

With this patch both styles can be handled by default, additionally if

the name could not be split nss_check_name_of_well_known_sid() returns

ENOENT which can be handled more gracefully by the caller.

Resolves https://fedorahosted.org/sssd/ticket/2717

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

---

 src/responder/nss/nsssrv_cmd.c  |  8 ++++

 src/tests/cmocka/test_nss_srv.c | 90 ++++++++++++++++++++++++-----------------

 src/util/usertools.c            |  3 +-

 3 files changed, 61 insertions(+), 40 deletions(-)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c

index 0129467302f16af318bbbb0a5be47ff2e235da65..b3998015fa621cad8e06a126a674f94d26158dda 100644

--- a/src/responder/nss/nsssrv_cmd.c

+++ b/src/responder/nss/nsssrv_cmd.c

@@ -1255,6 +1255,14 @@ static int nss_check_name_of_well_known_sid(struct nss_cmd_ctx *cmdctx,

         return ret;

     }

+    if (wk_dom_name == NULL || wk_name == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE,

+              "Unable to split [%s] in name and domain part. " \

+              "Skipping check for well-known name.\n", full_name);

+

+        return ENOENT;

+    }

+

     ret = name_to_well_known_sid(wk_dom_name, wk_name, &wk_sid);

     talloc_free(wk_dom_name);

     talloc_free(wk_name);

diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c

index 3ab8d39c44a8bb8cacae20f534dcbeb6ca7dec08..84d3413be70bc0af433b7fd23cf7d78b4b9298f1 100644

--- a/src/tests/cmocka/test_nss_srv.c

+++ b/src/tests/cmocka/test_nss_srv.c

@@ -1734,63 +1734,77 @@ void test_nss_well_known_getidbysid_failure(void **state)

 void test_nss_well_known_getsidbyname(void **state)

 {

     errno_t ret;

+    const char *names[] = { "Cryptographic Operators@BUILTIN",

+                            "BUILTIN\\Cryptographic Operators", NULL};

+    size_t c;

-    will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);

-    will_return(__wrap_sss_packet_get_body, "Cryptographic Operators@BUILTIN");

-    will_return(__wrap_sss_packet_get_body, 0);

-    will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);

-    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);

-    will_return(test_nss_well_known_sid_check, "S-1-5-32-569");

+    for (c = 0; names[c] != NULL; c++) {

+        will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);

+        will_return(__wrap_sss_packet_get_body, names[c]);

+        will_return(__wrap_sss_packet_get_body, 0);

+        will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);

+        will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);

+        will_return(test_nss_well_known_sid_check, "S-1-5-32-569");

-    set_cmd_cb(test_nss_well_known_sid_check);

-    ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,

-                          nss_test_ctx->nss_cmds);

-    assert_int_equal(ret, EOK);

+        set_cmd_cb(test_nss_well_known_sid_check);

+        ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,

+                              nss_test_ctx->nss_cmds);

+        assert_int_equal(ret, EOK);

-    /* Wait until the test finishes with EOK */

-    ret = test_ev_loop(nss_test_ctx->tctx);

-    assert_int_equal(ret, EOK);

+        /* Wait until the test finishes with EOK */

+        ret = test_ev_loop(nss_test_ctx->tctx);

+        assert_int_equal(ret, EOK);

+    }

 }

 void test_nss_well_known_getsidbyname_nonexisting(void **state)

 {

     errno_t ret;

+    const char *names[] = { "Abc@BUILTIN", "BUILTIN\\Abc", NULL };

+    size_t c;

-    will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);

-    will_return(__wrap_sss_packet_get_body, "Abc@BUILTIN");

-    will_return(__wrap_sss_packet_get_body, 0);

-    will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);

-    will_return(test_nss_well_known_sid_check, NULL);

+    for (c = 0; names[c] != NULL; c++) {

+        will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);

+        will_return(__wrap_sss_packet_get_body, names[c]);

+        will_return(__wrap_sss_packet_get_body, 0);

+        will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);

+        will_return(test_nss_well_known_sid_check, NULL);

-    set_cmd_cb(test_nss_well_known_sid_check);

-    ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,

-                          nss_test_ctx->nss_cmds);

-    assert_int_equal(ret, EOK);

+        set_cmd_cb(test_nss_well_known_sid_check);

+        ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,

+                              nss_test_ctx->nss_cmds);

+        assert_int_equal(ret, EOK);

-    /* Wait until the test finishes with EOK */

-    ret = test_ev_loop(nss_test_ctx->tctx);

-    assert_int_equal(ret, EOK);

+        /* Wait until the test finishes with EOK */

+        ret = test_ev_loop(nss_test_ctx->tctx);

+        assert_int_equal(ret, EOK);

+    }

 }

 void test_nss_well_known_getsidbyname_special(void **state)

 {

     errno_t ret;

+    const char *names[] = { "CREATOR OWNER@CREATOR AUTHORITY",

+                            "CREATOR AUTHORITY\\CREATOR OWNER", NULL };

+    size_t c;

-    will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);

-    will_return(__wrap_sss_packet_get_body, "CREATOR OWNER@CREATOR AUTHORITY");

-    will_return(__wrap_sss_packet_get_body, 0);

-    will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);

-    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);

-    will_return(test_nss_well_known_sid_check, "S-1-3-0");

+    for (c = 0; names[c] != NULL; c++) {

+        will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);

+        will_return(__wrap_sss_packet_get_body, names[c]);

+        will_return(__wrap_sss_packet_get_body, 0);

+        will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);

+        will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);

+        will_return(test_nss_well_known_sid_check, "S-1-3-0");

-    set_cmd_cb(test_nss_well_known_sid_check);

-    ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,

-                          nss_test_ctx->nss_cmds);

-    assert_int_equal(ret, EOK);

+        set_cmd_cb(test_nss_well_known_sid_check);

+        ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,

+                              nss_test_ctx->nss_cmds);

+        assert_int_equal(ret, EOK);

-    /* Wait until the test finishes with EOK */

-    ret = test_ev_loop(nss_test_ctx->tctx);

-    assert_int_equal(ret, EOK);

+        /* Wait until the test finishes with EOK */

+        ret = test_ev_loop(nss_test_ctx->tctx);

+        assert_int_equal(ret, EOK);

+    }

 }

 static int test_nss_getorigbyname_check(uint32_t status, uint8_t *body,

diff --git a/src/util/usertools.c b/src/util/usertools.c

index c43d420e31c6c690628ef6179d932eaf99826fee..87a8d7411312c3a80c32374a1fd93bbf0e767a91 100644

--- a/src/util/usertools.c

+++ b/src/util/usertools.c

@@ -249,8 +249,7 @@ int sss_names_init(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,

     }

     if (!re_pattern) {

-        re_pattern = talloc_strdup(tmpctx,

-                                   "(?P<name>[^@]+)@?(?P<domain>[^@]*$)");

+        re_pattern = talloc_strdup(tmpctx, IPA_AD_DEFAULT_RE);

         if (!re_pattern) {

             ret = ENOMEM;

             goto done;

-- 

2.4.3