|
 |
ecf709 |
From 48b30d5a62e6af3d1f2b28eac3a2d39efa4349f1 Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
|
ecf709 |
Date: Mon, 19 Jun 2017 09:05:00 +0200
|
|
|
ecf709 |
Subject: [PATCH 183/186] RESPONDER: Use fqnames as output when needed
|
|
|
ecf709 |
MIME-Version: 1.0
|
|
|
ecf709 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ecf709 |
Content-Transfer-Encoding: 8bit
|
|
|
ecf709 |
|
|
|
ecf709 |
As some regressions have been caused by not handling properly naming
|
|
|
ecf709 |
conflicts when using shortnames, last explicitly use fully qualified
|
|
|
ecf709 |
names as output in the following situations:
|
|
|
ecf709 |
- domain resolution order is set;
|
|
|
ecf709 |
- a trusted domain has been using `use_fully_qualified_name = false`
|
|
|
ecf709 |
|
|
|
ecf709 |
In both cases we want to ensure that even handling shortnames as input,
|
|
|
ecf709 |
the output will always be fully qualified.
|
|
|
ecf709 |
|
|
|
ecf709 |
As part of this patch, our tests ended up being modified to reflect the
|
|
|
ecf709 |
changes done. In other words, the tests related to shortnames now return
|
|
|
ecf709 |
expect as return a fully qualified name for trusted domains.
|
|
|
ecf709 |
|
|
|
ecf709 |
Resolves:
|
|
|
ecf709 |
https://pagure.io/SSSD/sssd/issue/3403
|
|
|
ecf709 |
|
|
|
ecf709 |
Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ecf709 |
(cherry picked from commit 86526891366c4bc3e1ee861143b736d2670a6ba8)
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/confdb/confdb.h | 1 +
|
|
|
ecf709 |
src/db/sysdb_subdomains.c | 7 ++
|
|
|
ecf709 |
src/responder/common/cache_req/cache_req_domain.c | 14 +++
|
|
|
ecf709 |
src/responder/common/cache_req/cache_req_domain.h | 8 ++
|
|
|
ecf709 |
src/tests/cmocka/test_nss_srv.c | 104 +++++++++-------------
|
|
|
ecf709 |
src/util/usertools.c | 2 +-
|
|
|
ecf709 |
6 files changed, 72 insertions(+), 64 deletions(-)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
|
ecf709 |
index 797353141edcccbf3341d161ca598c99492e54fe..32a422155abef428e8a75fc83a5fe14620c7028e 100644
|
|
|
ecf709 |
--- a/src/confdb/confdb.h
|
|
|
ecf709 |
+++ b/src/confdb/confdb.h
|
|
|
ecf709 |
@@ -291,6 +291,7 @@ struct sss_domain_info {
|
|
|
ecf709 |
bool enumerate;
|
|
|
ecf709 |
char **sd_enumerate;
|
|
|
ecf709 |
bool fqnames;
|
|
|
ecf709 |
+ bool output_fqnames;
|
|
|
ecf709 |
bool mpg;
|
|
|
ecf709 |
bool ignore_group_members;
|
|
|
ecf709 |
uint32_t id_min;
|
|
|
ecf709 |
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
|
|
ecf709 |
index e2a4f7bb1fcdf20b6b7e04efc7f396d1c3d08f0f..2789cc4949fb7be9ad272d7613ed18a64fa8a20a 100644
|
|
|
ecf709 |
--- a/src/db/sysdb_subdomains.c
|
|
|
ecf709 |
+++ b/src/db/sysdb_subdomains.c
|
|
|
ecf709 |
@@ -129,6 +129,13 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
dom->mpg = mpg;
|
|
|
ecf709 |
dom->state = DOM_ACTIVE;
|
|
|
ecf709 |
|
|
|
ecf709 |
+ /* use fully qualified names as output in order to avoid causing
|
|
|
ecf709 |
+ * conflicts with users who have the same name and either the
|
|
|
ecf709 |
+ * shortname user resolution is enabled or the trusted domain has
|
|
|
ecf709 |
+ * been explicitly set to use non-fully qualified names as input.
|
|
|
ecf709 |
+ */
|
|
|
ecf709 |
+ dom->output_fqnames = true;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
/* If the parent domain filters out group members, the subdomain should
|
|
|
ecf709 |
* as well if configured */
|
|
|
ecf709 |
inherit_option = string_in_list(CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS,
|
|
|
ecf709 |
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
|
|
|
ecf709 |
index 2c238c9966d322bb542fa2047313ee9e5144edee..b5f7f6c2ffabdbd92ee46b3020cee6ef7fec32d8 100644
|
|
|
ecf709 |
--- a/src/responder/common/cache_req/cache_req_domain.c
|
|
|
ecf709 |
+++ b/src/responder/common/cache_req/cache_req_domain.c
|
|
|
ecf709 |
@@ -136,6 +136,12 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
cr_domain->fqnames =
|
|
|
ecf709 |
cache_req_domain_use_fqnames(dom, enforce_non_fqnames);
|
|
|
ecf709 |
|
|
|
ecf709 |
+ /* when using the domain resolution order, using shortnames as
|
|
|
ecf709 |
+ * input is allowed by default. However, we really want to use
|
|
|
ecf709 |
+ * the fully qualified name as output in order to avoid
|
|
|
ecf709 |
+ * conflicts whith users who have the very same name. */
|
|
|
ecf709 |
+ cr_domain->domain->output_fqnames = true;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
DLIST_ADD_END(cr_domains, cr_domain,
|
|
|
ecf709 |
struct cache_req_domain *);
|
|
|
ecf709 |
break;
|
|
|
ecf709 |
@@ -159,6 +165,14 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
cr_domain->fqnames =
|
|
|
ecf709 |
cache_req_domain_use_fqnames(dom, enforce_non_fqnames);
|
|
|
ecf709 |
|
|
|
ecf709 |
+ /* when using the domain resolution order, using shortnames as input
|
|
|
ecf709 |
+ * is allowed by default. However, we really want to use the fully
|
|
|
ecf709 |
+ * qualified name as output in order to avoid conflicts whith users
|
|
|
ecf709 |
+ * who have the very same name. */
|
|
|
ecf709 |
+ if (resolution_order != NULL) {
|
|
|
ecf709 |
+ cr_domain->domain->output_fqnames = true;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *);
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h
|
|
|
ecf709 |
index 5bcbb9b493caf05bf71aac5cf7633ded91f22e73..3780a5d8d88d76e100738d28d1dd0e697edf5eae 100644
|
|
|
ecf709 |
--- a/src/responder/common/cache_req/cache_req_domain.h
|
|
|
ecf709 |
+++ b/src/responder/common/cache_req/cache_req_domain.h
|
|
|
ecf709 |
@@ -35,6 +35,14 @@ struct cache_req_domain *
|
|
|
ecf709 |
cache_req_domain_get_domain_by_name(struct cache_req_domain *domains,
|
|
|
ecf709 |
const char *name);
|
|
|
ecf709 |
|
|
|
ecf709 |
+/*
|
|
|
ecf709 |
+ * This function may have a side effect of setting the output_fqnames' domain
|
|
|
ecf709 |
+ * property when it's called.
|
|
|
ecf709 |
+ *
|
|
|
ecf709 |
+ * It happens as the output_fqnames' domain property must only be set depending
|
|
|
ecf709 |
+ * on whether a domain resolution order is set or not, and the saner place to
|
|
|
ecf709 |
+ * set it to all domains is when flattening those (thus, in this function).
|
|
|
ecf709 |
+ */
|
|
|
ecf709 |
errno_t
|
|
|
ecf709 |
cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
|
|
|
ecf709 |
index 03b5bcc302322551a32f5b8cfe4b7698947abbe7..ccedf96beaecfaa4232bbe456d5e5a8394098483 100644
|
|
|
ecf709 |
--- a/src/tests/cmocka/test_nss_srv.c
|
|
|
ecf709 |
+++ b/src/tests/cmocka/test_nss_srv.c
|
|
|
ecf709 |
@@ -1648,29 +1648,23 @@ static int test_nss_getgrnam_members_check_subdom(uint32_t status,
|
|
|
ecf709 |
tmp_ctx = talloc_new(nss_test_ctx);
|
|
|
ecf709 |
assert_non_null(tmp_ctx);
|
|
|
ecf709 |
|
|
|
ecf709 |
- if (nss_test_ctx->subdom->fqnames) {
|
|
|
ecf709 |
- exp_members[0] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
- nss_test_ctx->subdom->names,
|
|
|
ecf709 |
- nss_test_ctx->subdom,
|
|
|
ecf709 |
- submember1.pw_name);
|
|
|
ecf709 |
- assert_non_null(exp_members[0]);
|
|
|
ecf709 |
+ exp_members[0] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
+ nss_test_ctx->subdom->names,
|
|
|
ecf709 |
+ nss_test_ctx->subdom,
|
|
|
ecf709 |
+ submember1.pw_name);
|
|
|
ecf709 |
+ assert_non_null(exp_members[0]);
|
|
|
ecf709 |
|
|
|
ecf709 |
- exp_members[1] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
- nss_test_ctx->subdom->names,
|
|
|
ecf709 |
- nss_test_ctx->subdom,
|
|
|
ecf709 |
- submember2.pw_name);
|
|
|
ecf709 |
- assert_non_null(exp_members[1]);
|
|
|
ecf709 |
+ exp_members[1] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
+ nss_test_ctx->subdom->names,
|
|
|
ecf709 |
+ nss_test_ctx->subdom,
|
|
|
ecf709 |
+ submember2.pw_name);
|
|
|
ecf709 |
+ assert_non_null(exp_members[1]);
|
|
|
ecf709 |
|
|
|
ecf709 |
- expected.gr_name = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
- nss_test_ctx->subdom->names,
|
|
|
ecf709 |
- nss_test_ctx->subdom,
|
|
|
ecf709 |
- testsubdomgroup.gr_name);
|
|
|
ecf709 |
- assert_non_null(expected.gr_name);
|
|
|
ecf709 |
- } else {
|
|
|
ecf709 |
- exp_members[0] = submember1.pw_name;
|
|
|
ecf709 |
- exp_members[1] = submember2.pw_name;
|
|
|
ecf709 |
- expected.gr_name = testsubdomgroup.gr_name;
|
|
|
ecf709 |
- }
|
|
|
ecf709 |
+ expected.gr_name = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
+ nss_test_ctx->subdom->names,
|
|
|
ecf709 |
+ nss_test_ctx->subdom,
|
|
|
ecf709 |
+ testsubdomgroup.gr_name);
|
|
|
ecf709 |
+ assert_non_null(expected.gr_name);
|
|
|
ecf709 |
|
|
|
ecf709 |
assert_int_equal(status, EOK);
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -1744,15 +1738,11 @@ static int test_nss_getgrnam_check_mix_dom(uint32_t status,
|
|
|
ecf709 |
tmp_ctx = talloc_new(nss_test_ctx);
|
|
|
ecf709 |
assert_non_null(tmp_ctx);
|
|
|
ecf709 |
|
|
|
ecf709 |
- if (nss_test_ctx->subdom->fqnames) {
|
|
|
ecf709 |
- exp_members[0] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
- nss_test_ctx->subdom->names,
|
|
|
ecf709 |
- nss_test_ctx->subdom,
|
|
|
ecf709 |
- submember1.pw_name);
|
|
|
ecf709 |
- assert_non_null(exp_members[0]);
|
|
|
ecf709 |
- } else {
|
|
|
ecf709 |
- exp_members[0] = submember1.pw_name;
|
|
|
ecf709 |
- }
|
|
|
ecf709 |
+ exp_members[0] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
+ nss_test_ctx->subdom->names,
|
|
|
ecf709 |
+ nss_test_ctx->subdom,
|
|
|
ecf709 |
+ submember1.pw_name);
|
|
|
ecf709 |
+ assert_non_null(exp_members[0]);
|
|
|
ecf709 |
exp_members[1] = testmember1.pw_name;
|
|
|
ecf709 |
exp_members[2] = testmember2.pw_name;
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -1840,15 +1830,12 @@ static int test_nss_getgrnam_check_mix_dom_fqdn(uint32_t status,
|
|
|
ecf709 |
tmp_ctx = talloc_new(nss_test_ctx);
|
|
|
ecf709 |
assert_non_null(tmp_ctx);
|
|
|
ecf709 |
|
|
|
ecf709 |
- if (nss_test_ctx->subdom->fqnames) {
|
|
|
ecf709 |
- exp_members[0] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
- nss_test_ctx->subdom->names,
|
|
|
ecf709 |
- nss_test_ctx->subdom,
|
|
|
ecf709 |
- submember1.pw_name);
|
|
|
ecf709 |
- assert_non_null(exp_members[0]);
|
|
|
ecf709 |
- } else {
|
|
|
ecf709 |
- exp_members[0] = submember1.pw_name;
|
|
|
ecf709 |
- }
|
|
|
ecf709 |
+ exp_members[0] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
+ nss_test_ctx->subdom->names,
|
|
|
ecf709 |
+ nss_test_ctx->subdom,
|
|
|
ecf709 |
+ submember1.pw_name);
|
|
|
ecf709 |
+ assert_non_null(exp_members[0]);
|
|
|
ecf709 |
+
|
|
|
ecf709 |
if (nss_test_ctx->tctx->dom->fqnames) {
|
|
|
ecf709 |
exp_members[1] = sss_tc_fqname(tmp_ctx, nss_test_ctx->tctx->dom->names,
|
|
|
ecf709 |
nss_test_ctx->tctx->dom, testmember1.pw_name);
|
|
|
ecf709 |
@@ -1961,37 +1948,28 @@ static int test_nss_getgrnam_check_mix_subdom(uint32_t status,
|
|
|
ecf709 |
tmp_ctx = talloc_new(nss_test_ctx);
|
|
|
ecf709 |
assert_non_null(tmp_ctx);
|
|
|
ecf709 |
|
|
|
ecf709 |
- if (nss_test_ctx->subdom->fqnames) {
|
|
|
ecf709 |
- exp_members[0] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
- nss_test_ctx->subdom->names,
|
|
|
ecf709 |
- nss_test_ctx->subdom,
|
|
|
ecf709 |
- submember1.pw_name);
|
|
|
ecf709 |
- assert_non_null(exp_members[0]);
|
|
|
ecf709 |
+ exp_members[0] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
+ nss_test_ctx->subdom->names,
|
|
|
ecf709 |
+ nss_test_ctx->subdom,
|
|
|
ecf709 |
+ submember1.pw_name);
|
|
|
ecf709 |
+ assert_non_null(exp_members[0]);
|
|
|
ecf709 |
|
|
|
ecf709 |
- exp_members[1] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
- nss_test_ctx->subdom->names,
|
|
|
ecf709 |
- nss_test_ctx->subdom,
|
|
|
ecf709 |
- submember2.pw_name);
|
|
|
ecf709 |
- assert_non_null(exp_members[1]);
|
|
|
ecf709 |
- } else {
|
|
|
ecf709 |
- exp_members[0] = submember1.pw_name;
|
|
|
ecf709 |
- exp_members[1] = submember2.pw_name;
|
|
|
ecf709 |
- }
|
|
|
ecf709 |
+ exp_members[1] = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
+ nss_test_ctx->subdom->names,
|
|
|
ecf709 |
+ nss_test_ctx->subdom,
|
|
|
ecf709 |
+ submember2.pw_name);
|
|
|
ecf709 |
+ assert_non_null(exp_members[1]);
|
|
|
ecf709 |
|
|
|
ecf709 |
/* Important: this member is from a non-qualified domain, so his name will
|
|
|
ecf709 |
* not be qualified either
|
|
|
ecf709 |
*/
|
|
|
ecf709 |
exp_members[2] = testmember1.pw_name;
|
|
|
ecf709 |
|
|
|
ecf709 |
- if (nss_test_ctx->subdom->fqnames) {
|
|
|
ecf709 |
- expected.gr_name = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
- nss_test_ctx->subdom->names,
|
|
|
ecf709 |
- nss_test_ctx->subdom,
|
|
|
ecf709 |
- testsubdomgroup.gr_name);
|
|
|
ecf709 |
- assert_non_null(expected.gr_name);
|
|
|
ecf709 |
- } else {
|
|
|
ecf709 |
- expected.gr_name = testsubdomgroup.gr_name;
|
|
|
ecf709 |
- }
|
|
|
ecf709 |
+ expected.gr_name = sss_tc_fqname(tmp_ctx,
|
|
|
ecf709 |
+ nss_test_ctx->subdom->names,
|
|
|
ecf709 |
+ nss_test_ctx->subdom,
|
|
|
ecf709 |
+ testsubdomgroup.gr_name);
|
|
|
ecf709 |
+ assert_non_null(expected.gr_name);
|
|
|
ecf709 |
|
|
|
ecf709 |
assert_int_equal(status, EOK);
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/util/usertools.c b/src/util/usertools.c
|
|
|
ecf709 |
index 5dfe6d7765b8032c7447de75e10c6c2a1d4c49ec..83131da1cac25e60a5ec3fffa995a545673e53b9 100644
|
|
|
ecf709 |
--- a/src/util/usertools.c
|
|
|
ecf709 |
+++ b/src/util/usertools.c
|
|
|
ecf709 |
@@ -867,7 +867,7 @@ int sss_output_fqname(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
- if (domain->fqnames) {
|
|
|
ecf709 |
+ if (domain->output_fqnames || domain->fqnames) {
|
|
|
ecf709 |
output_name = sss_tc_fqname(tmp_ctx, domain->names,
|
|
|
ecf709 |
domain, output_name);
|
|
|
ecf709 |
if (output_name == NULL) {
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.4
|
|
|
ecf709 |
|