|
|
976a3f |
From 7618d442a25a16940f0842d2ad4ae34e60079844 Mon Sep 17 00:00:00 2001
|
|
|
976a3f |
From: amitkuma <amitkuma@redhat.com>
|
|
|
976a3f |
Date: Thu, 30 Nov 2017 22:18:39 +0530
|
|
|
976a3f |
Subject: [PATCH 201/201] cache: Check for max_id/min_id in cache_req
|
|
|
976a3f |
MIME-Version: 1.0
|
|
|
976a3f |
Content-Type: text/plain; charset=UTF-8
|
|
|
976a3f |
Content-Transfer-Encoding: 8bit
|
|
|
976a3f |
|
|
|
976a3f |
The cache_req code doesn't check the min_id/max_id
|
|
|
976a3f |
boundaries for requests by ID.
|
|
|
976a3f |
Extending the .lookup_fn function in each plugin
|
|
|
976a3f |
that searches by ID for a check that returns non-zero
|
|
|
976a3f |
if the entry is out of the range and 0 if not.
|
|
|
976a3f |
|
|
|
976a3f |
Resolves: https://pagure.io/SSSD/sssd/issue/3569
|
|
|
976a3f |
|
|
|
976a3f |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
976a3f |
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
976a3f |
(cherry picked from commit 2af80640f18966d65cf82106059ce3c060df93bf)
|
|
|
976a3f |
---
|
|
|
976a3f |
src/responder/common/cache_req/cache_req.c | 1 +
|
|
|
976a3f |
src/responder/common/cache_req/cache_req_private.h | 2 +
|
|
|
976a3f |
src/responder/common/cache_req/cache_req_search.c | 5 ++
|
|
|
976a3f |
.../common/cache_req/plugins/cache_req_common.c | 11 +++
|
|
|
976a3f |
.../cache_req/plugins/cache_req_group_by_id.c | 6 ++
|
|
|
976a3f |
.../cache_req/plugins/cache_req_object_by_id.c | 6 ++
|
|
|
976a3f |
.../cache_req/plugins/cache_req_user_by_id.c | 5 ++
|
|
|
976a3f |
src/tests/cmocka/test_responder_cache_req.c | 81 +++++++++++++++++++++-
|
|
|
976a3f |
src/util/util_errors.c | 1 +
|
|
|
976a3f |
src/util/util_errors.h | 1 +
|
|
|
976a3f |
10 files changed, 117 insertions(+), 2 deletions(-)
|
|
|
976a3f |
|
|
|
976a3f |
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
|
|
976a3f |
index 83eab8ed2de0b5c7d25306d853aadc9b53cb4842..3ebf64af24bb9a2a67165dd17d27fd25fc7915c2 100644
|
|
|
976a3f |
--- a/src/responder/common/cache_req/cache_req.c
|
|
|
976a3f |
+++ b/src/responder/common/cache_req/cache_req.c
|
|
|
976a3f |
@@ -574,6 +574,7 @@ static void cache_req_search_domains_done(struct tevent_req *subreq)
|
|
|
976a3f |
}
|
|
|
976a3f |
|
|
|
976a3f |
break;
|
|
|
976a3f |
+ case ERR_ID_OUTSIDE_RANGE:
|
|
|
976a3f |
case ENOENT:
|
|
|
976a3f |
if (state->check_next == false) {
|
|
|
976a3f |
/* Not found. */
|
|
|
976a3f |
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
|
|
|
976a3f |
index c0ee5f969f2a171b8a6eb396b3d14b593d157b76..5b79d9429bc29c47c28e0b5a6367a6e7035ca1c3 100644
|
|
|
976a3f |
--- a/src/responder/common/cache_req/cache_req_private.h
|
|
|
976a3f |
+++ b/src/responder/common/cache_req/cache_req_private.h
|
|
|
976a3f |
@@ -165,4 +165,6 @@ bool
|
|
|
976a3f |
cache_req_common_dp_recv(struct tevent_req *subreq,
|
|
|
976a3f |
struct cache_req *cr);
|
|
|
976a3f |
|
|
|
976a3f |
+errno_t cache_req_idminmax_check(struct cache_req_data *data,
|
|
|
976a3f |
+ struct sss_domain_info *domain);
|
|
|
976a3f |
#endif /* _CACHE_REQ_PRIVATE_H_ */
|
|
|
976a3f |
diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
|
|
|
976a3f |
index 56d0345cd8f98de574961d3c9628ae7a4c24f9be..ba25dcf578ef80aa8597bccb41da839d7bd146b3 100644
|
|
|
976a3f |
--- a/src/responder/common/cache_req/cache_req_search.c
|
|
|
976a3f |
+++ b/src/responder/common/cache_req/cache_req_search.c
|
|
|
976a3f |
@@ -197,6 +197,11 @@ static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx,
|
|
|
976a3f |
|
|
|
976a3f |
*_result = result;
|
|
|
976a3f |
break;
|
|
|
976a3f |
+ case ERR_ID_OUTSIDE_RANGE:
|
|
|
976a3f |
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
|
|
|
976a3f |
+ "ID [%s] was filtered out\n",
|
|
|
976a3f |
+ cr->debugobj);
|
|
|
976a3f |
+ break;
|
|
|
976a3f |
case ENOENT:
|
|
|
976a3f |
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
|
|
|
976a3f |
"Object [%s] was not found in cache\n",
|
|
|
976a3f |
diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
|
|
|
976a3f |
index b80f310feeebbdbc824db441ff5313632585d3fb..d7c6ab2eac412042f90d491eb8428116156f512b 100644
|
|
|
976a3f |
--- a/src/responder/common/cache_req/plugins/cache_req_common.c
|
|
|
976a3f |
+++ b/src/responder/common/cache_req/plugins/cache_req_common.c
|
|
|
976a3f |
@@ -26,6 +26,17 @@
|
|
|
976a3f |
#include "providers/data_provider.h"
|
|
|
976a3f |
#include "responder/common/cache_req/cache_req_plugin.h"
|
|
|
976a3f |
|
|
|
976a3f |
+errno_t cache_req_idminmax_check(struct cache_req_data *data,
|
|
|
976a3f |
+ struct sss_domain_info *domain)
|
|
|
976a3f |
+{
|
|
|
976a3f |
+ if (((domain->id_min != 0) && (data->id < domain->id_min)) ||
|
|
|
976a3f |
+ ((domain->id_max != 0) && (data->id > domain->id_max))) {
|
|
|
976a3f |
+ DEBUG(SSSDBG_FUNC_DATA, "id exceeds min/max boundaries\n");
|
|
|
976a3f |
+ return ERR_ID_OUTSIDE_RANGE;
|
|
|
976a3f |
+ }
|
|
|
976a3f |
+ return EOK;
|
|
|
976a3f |
+}
|
|
|
976a3f |
+
|
|
|
976a3f |
static struct ldb_message *
|
|
|
976a3f |
cache_req_well_known_sid_msg(TALLOC_CTX *mem_ctx,
|
|
|
976a3f |
const char *sid,
|
|
|
976a3f |
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
|
|
976a3f |
index 121f95abe86d2466aaea69f0fe68dfb33b1fee9e..04e085456f38e154a04ce0a803f2ba22830c1827 100644
|
|
|
976a3f |
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
|
|
976a3f |
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
|
|
976a3f |
@@ -64,6 +64,12 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx,
|
|
|
976a3f |
struct sss_domain_info *domain,
|
|
|
976a3f |
struct ldb_result **_result)
|
|
|
976a3f |
{
|
|
|
976a3f |
+ errno_t ret;
|
|
|
976a3f |
+
|
|
|
976a3f |
+ ret = cache_req_idminmax_check(data, domain);
|
|
|
976a3f |
+ if (ret != EOK) {
|
|
|
976a3f |
+ return ret;
|
|
|
976a3f |
+ }
|
|
|
976a3f |
return sysdb_getgrgid_with_views(mem_ctx, domain, data->id, _result);
|
|
|
976a3f |
}
|
|
|
976a3f |
|
|
|
976a3f |
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
|
|
976a3f |
index 4c88e1035b41969703c1c38d740e15516ac0d622..50c149e8795a61307e445d4c063dc0df1166519c 100644
|
|
|
976a3f |
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
|
|
976a3f |
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
|
|
976a3f |
@@ -90,6 +90,12 @@ cache_req_object_by_id_lookup(TALLOC_CTX *mem_ctx,
|
|
|
976a3f |
struct sss_domain_info *domain,
|
|
|
976a3f |
struct ldb_result **_result)
|
|
|
976a3f |
{
|
|
|
976a3f |
+ errno_t ret;
|
|
|
976a3f |
+
|
|
|
976a3f |
+ ret = cache_req_idminmax_check(data, domain);
|
|
|
976a3f |
+ if (ret != EOK) {
|
|
|
976a3f |
+ return ret;
|
|
|
976a3f |
+ }
|
|
|
976a3f |
return sysdb_search_object_by_id(mem_ctx, domain, data->id,
|
|
|
976a3f |
data->attrs, _result);
|
|
|
976a3f |
}
|
|
|
976a3f |
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
|
|
976a3f |
index 3c25c7631b3da4a829ab577629334a7ee97980da..05add9564f57655bb53520b848971286bba6cab5 100644
|
|
|
976a3f |
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
|
|
976a3f |
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
|
|
976a3f |
@@ -64,6 +64,11 @@ cache_req_user_by_id_lookup(TALLOC_CTX *mem_ctx,
|
|
|
976a3f |
struct sss_domain_info *domain,
|
|
|
976a3f |
struct ldb_result **_result)
|
|
|
976a3f |
{
|
|
|
976a3f |
+ errno_t ret;
|
|
|
976a3f |
+ ret = cache_req_idminmax_check(data, domain);
|
|
|
976a3f |
+ if (ret != EOK) {
|
|
|
976a3f |
+ return ret;
|
|
|
976a3f |
+ }
|
|
|
976a3f |
return sysdb_getpwuid_with_views(mem_ctx, domain, data->id, _result);
|
|
|
976a3f |
}
|
|
|
976a3f |
|
|
|
976a3f |
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
|
|
|
976a3f |
index 80086232fd437876c2b190fb972c2ee3194d9efd..82ba4125265d0bacd44a9f0082d588eef673a6f0 100644
|
|
|
976a3f |
--- a/src/tests/cmocka/test_responder_cache_req.c
|
|
|
976a3f |
+++ b/src/tests/cmocka/test_responder_cache_req.c
|
|
|
976a3f |
@@ -58,6 +58,11 @@ struct test_group {
|
|
|
976a3f |
test_single_domain_setup, \
|
|
|
976a3f |
test_single_domain_teardown)
|
|
|
976a3f |
|
|
|
976a3f |
+#define new_single_domain_id_limit_test(test) \
|
|
|
976a3f |
+ cmocka_unit_test_setup_teardown(test_ ## test, \
|
|
|
976a3f |
+ test_single_domain_id_limits_setup, \
|
|
|
976a3f |
+ test_single_domain_teardown)
|
|
|
976a3f |
+
|
|
|
976a3f |
#define new_multi_domain_test(test) \
|
|
|
976a3f |
cmocka_unit_test_setup_teardown(test_ ## test, \
|
|
|
976a3f |
test_multi_domain_setup, \
|
|
|
976a3f |
@@ -451,7 +456,8 @@ __wrap_sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
|
|
976a3f |
return test_req_succeed_send(mem_ctx, rctx->ev);
|
|
|
976a3f |
}
|
|
|
976a3f |
|
|
|
976a3f |
-static int test_single_domain_setup(void **state)
|
|
|
976a3f |
+static int test_single_domain_setup_common(void **state,
|
|
|
976a3f |
+ struct sss_test_conf_param *params)
|
|
|
976a3f |
{
|
|
|
976a3f |
struct cache_req_test_ctx *test_ctx = NULL;
|
|
|
976a3f |
errno_t ret;
|
|
|
976a3f |
@@ -465,7 +471,7 @@ static int test_single_domain_setup(void **state)
|
|
|
976a3f |
*state = test_ctx;
|
|
|
976a3f |
|
|
|
976a3f |
test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB,
|
|
|
976a3f |
- TEST_DOM_NAME, TEST_ID_PROVIDER, NULL);
|
|
|
976a3f |
+ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
|
|
|
976a3f |
assert_non_null(test_ctx->tctx);
|
|
|
976a3f |
|
|
|
976a3f |
test_ctx->rctx = mock_rctx(test_ctx, test_ctx->tctx->ev,
|
|
|
976a3f |
@@ -480,6 +486,11 @@ static int test_single_domain_setup(void **state)
|
|
|
976a3f |
return 0;
|
|
|
976a3f |
}
|
|
|
976a3f |
|
|
|
976a3f |
+static int test_single_domain_setup(void **state)
|
|
|
976a3f |
+{
|
|
|
976a3f |
+ return test_single_domain_setup_common(state, NULL);
|
|
|
976a3f |
+}
|
|
|
976a3f |
+
|
|
|
976a3f |
static int test_single_domain_teardown(void **state)
|
|
|
976a3f |
{
|
|
|
976a3f |
struct cache_req_test_ctx *test_ctx;
|
|
|
976a3f |
@@ -495,6 +506,16 @@ static int test_single_domain_teardown(void **state)
|
|
|
976a3f |
return 0;
|
|
|
976a3f |
}
|
|
|
976a3f |
|
|
|
976a3f |
+static int test_single_domain_id_limits_setup(void **state)
|
|
|
976a3f |
+{
|
|
|
976a3f |
+ struct sss_test_conf_param params[] = {
|
|
|
976a3f |
+ { "min_id", "100" },
|
|
|
976a3f |
+ { "max_id", "10000" },
|
|
|
976a3f |
+ { NULL, NULL }, /* Sentinel */
|
|
|
976a3f |
+ };
|
|
|
976a3f |
+ return test_single_domain_setup_common(state, params);
|
|
|
976a3f |
+}
|
|
|
976a3f |
+
|
|
|
976a3f |
static int test_multi_domain_setup(void **state)
|
|
|
976a3f |
{
|
|
|
976a3f |
struct cache_req_test_ctx *test_ctx = NULL;
|
|
|
976a3f |
@@ -526,6 +547,32 @@ static int test_multi_domain_setup(void **state)
|
|
|
976a3f |
return 0;
|
|
|
976a3f |
}
|
|
|
976a3f |
|
|
|
976a3f |
+void test_user_by_id_below_id_range(void **state)
|
|
|
976a3f |
+{
|
|
|
976a3f |
+ struct cache_req_test_ctx *test_ctx = NULL;
|
|
|
976a3f |
+
|
|
|
976a3f |
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
|
|
|
976a3f |
+
|
|
|
976a3f |
+ /* Test. */
|
|
|
976a3f |
+ run_cache_req(test_ctx, cache_req_user_by_id_send,
|
|
|
976a3f |
+ cache_req_user_by_id_test_done, test_ctx->tctx->dom,
|
|
|
976a3f |
+ 0, 10, ENOENT);
|
|
|
976a3f |
+ assert_false(test_ctx->dp_called);
|
|
|
976a3f |
+}
|
|
|
976a3f |
+
|
|
|
976a3f |
+void test_user_by_id_above_id_range(void **state)
|
|
|
976a3f |
+{
|
|
|
976a3f |
+ struct cache_req_test_ctx *test_ctx = NULL;
|
|
|
976a3f |
+
|
|
|
976a3f |
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
|
|
|
976a3f |
+
|
|
|
976a3f |
+ /* Test. */
|
|
|
976a3f |
+ run_cache_req(test_ctx, cache_req_user_by_id_send,
|
|
|
976a3f |
+ cache_req_user_by_id_test_done, test_ctx->tctx->dom,
|
|
|
976a3f |
+ 0, 100000, ENOENT);
|
|
|
976a3f |
+ assert_false(test_ctx->dp_called);
|
|
|
976a3f |
+}
|
|
|
976a3f |
+
|
|
|
976a3f |
static int test_multi_domain_teardown(void **state)
|
|
|
976a3f |
{
|
|
|
976a3f |
struct cache_req_test_ctx *test_ctx;
|
|
|
976a3f |
@@ -1084,6 +1131,32 @@ void test_group_by_name_multiple_domains_found(void **state)
|
|
|
976a3f |
check_group(test_ctx, &groups[0], domain);
|
|
|
976a3f |
}
|
|
|
976a3f |
|
|
|
976a3f |
+void test_group_by_id_below_id_range(void **state)
|
|
|
976a3f |
+{
|
|
|
976a3f |
+ struct cache_req_test_ctx *test_ctx = NULL;
|
|
|
976a3f |
+
|
|
|
976a3f |
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
|
|
|
976a3f |
+
|
|
|
976a3f |
+ /* Test. */
|
|
|
976a3f |
+ run_cache_req(test_ctx, cache_req_group_by_id_send,
|
|
|
976a3f |
+ cache_req_group_by_id_test_done, test_ctx->tctx->dom,
|
|
|
976a3f |
+ 0, 10, ENOENT);
|
|
|
976a3f |
+ assert_false(test_ctx->dp_called);
|
|
|
976a3f |
+}
|
|
|
976a3f |
+
|
|
|
976a3f |
+void test_group_by_id_above_id_range(void **state)
|
|
|
976a3f |
+{
|
|
|
976a3f |
+ struct cache_req_test_ctx *test_ctx = NULL;
|
|
|
976a3f |
+
|
|
|
976a3f |
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
|
|
|
976a3f |
+
|
|
|
976a3f |
+ /* Test. */
|
|
|
976a3f |
+ run_cache_req(test_ctx, cache_req_group_by_id_send,
|
|
|
976a3f |
+ cache_req_group_by_id_test_done, test_ctx->tctx->dom,
|
|
|
976a3f |
+ 0, 100000, ENOENT);
|
|
|
976a3f |
+ assert_false(test_ctx->dp_called);
|
|
|
976a3f |
+}
|
|
|
976a3f |
+
|
|
|
976a3f |
void test_group_by_name_multiple_domains_notfound(void **state)
|
|
|
976a3f |
{
|
|
|
976a3f |
struct cache_req_test_ctx *test_ctx = NULL;
|
|
|
976a3f |
@@ -2170,6 +2243,8 @@ int main(int argc, const char *argv[])
|
|
|
976a3f |
new_single_domain_test(user_by_id_missing_notfound),
|
|
|
976a3f |
new_multi_domain_test(user_by_id_multiple_domains_found),
|
|
|
976a3f |
new_multi_domain_test(user_by_id_multiple_domains_notfound),
|
|
|
976a3f |
+ new_single_domain_id_limit_test(user_by_id_below_id_range),
|
|
|
976a3f |
+ new_single_domain_id_limit_test(user_by_id_above_id_range),
|
|
|
976a3f |
|
|
|
976a3f |
new_single_domain_test(group_by_name_cache_valid),
|
|
|
976a3f |
new_single_domain_test(group_by_name_cache_expired),
|
|
|
976a3f |
@@ -2180,6 +2255,8 @@ int main(int argc, const char *argv[])
|
|
|
976a3f |
new_multi_domain_test(group_by_name_multiple_domains_found),
|
|
|
976a3f |
new_multi_domain_test(group_by_name_multiple_domains_notfound),
|
|
|
976a3f |
new_multi_domain_test(group_by_name_multiple_domains_parse),
|
|
|
976a3f |
+ new_single_domain_id_limit_test(group_by_id_below_id_range),
|
|
|
976a3f |
+ new_single_domain_id_limit_test(group_by_id_above_id_range),
|
|
|
976a3f |
|
|
|
976a3f |
new_single_domain_test(group_by_id_cache_valid),
|
|
|
976a3f |
new_single_domain_test(group_by_id_cache_expired),
|
|
|
976a3f |
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
|
|
|
976a3f |
index 97eaf160f20bcc8cfe52254070a2d182e19addd4..9f6e413f0414f38dee4f0ee6b5f3fbeaac5d6612 100644
|
|
|
976a3f |
--- a/src/util/util_errors.c
|
|
|
976a3f |
+++ b/src/util/util_errors.c
|
|
|
976a3f |
@@ -116,6 +116,7 @@ struct err_string error_to_str[] = {
|
|
|
976a3f |
{ "Unable to initialize SSL" }, /* ERR_SSL_FAILURE */
|
|
|
976a3f |
{ "Unable to verify peer" }, /* ERR_UNABLE_TO_VERIFY_PEER */
|
|
|
976a3f |
{ "Unable to resolve host" }, /* ERR_UNABLE_TO_RESOLVE_HOST */
|
|
|
976a3f |
+ { "ID is outside the allowed range" }, /* ERR_ID_OUTSIDE_RANGE */
|
|
|
976a3f |
{ "ERR_LAST" } /* ERR_LAST */
|
|
|
976a3f |
};
|
|
|
976a3f |
|
|
|
976a3f |
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
|
|
|
976a3f |
index 4a250bf0339ba689680c155fa8e6d43f42c2467e..051111ea7c249a5d8e4f302022898648ba2ffdd2 100644
|
|
|
976a3f |
--- a/src/util/util_errors.h
|
|
|
976a3f |
+++ b/src/util/util_errors.h
|
|
|
976a3f |
@@ -138,6 +138,7 @@ enum sssd_errors {
|
|
|
976a3f |
ERR_SSL_FAILURE,
|
|
|
976a3f |
ERR_UNABLE_TO_VERIFY_PEER,
|
|
|
976a3f |
ERR_UNABLE_TO_RESOLVE_HOST,
|
|
|
976a3f |
+ ERR_ID_OUTSIDE_RANGE,
|
|
|
976a3f |
ERR_LAST /* ALWAYS LAST */
|
|
|
976a3f |
};
|
|
|
976a3f |
|
|
|
976a3f |
--
|
|
|
976a3f |
2.14.3
|
|
|
976a3f |
|