From 536dc9e4f72503942e659ca0dbd022d3dfac148f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 2 Jun 2022 17:02:31 +0200
Subject: [PATCH] names: only check sub-domains for regex match
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It is allowed to have different regular-expression to split the input
name for different domains. After the regex is evaluated and a domain
name was found in the input it has to be check if the domain name
corresponds to the domain the regex is coming from.

E.g. with the implicit files provider enabled the file provider might
use a simple default regex while and additional IPA or AD provider will
have a more complex one which e.g. properly handles @-characters in
names. When evaluation in input the simple regex will come first and
will split the name but will miss part of the user name part if the name
contains an @-character. Currently SSSD check if the found domain name
matches any of the know domains or sub-domains which is wrong because
the regex was coming from the files provider and hence it should only
handle its own objects.

With this patch not all domains are checked but only the current one and
its sub-domains, if any. This behavior is also mentioned in a comment
already in the code. As a result in the above example the check with
the results form the simple regex with fail and then the more complex
regex of the other domain will be used which can split the name
properly.

Resolves: https://github.com/SSSD/sssd/issues/6055

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 9656516b9af2b3ea4627eab42f11c7667564020f)
---
 src/tests/cmocka/test_fqnames.c | 50 +++++++++++++++++++++++++++++++++
 src/util/usertools.c            |  2 +-
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
index 406ef55a9..5de4faf9a 100644
--- a/src/tests/cmocka/test_fqnames.c
+++ b/src/tests/cmocka/test_fqnames.c
@@ -318,6 +318,41 @@ static int parse_name_test_setup(void **state)
     return 0;
 }
 
+static int parse_name_test_two_names_ctx_setup(void **state)
+{
+    struct parse_name_test_ctx *test_ctx;
+    struct sss_names_ctx *nctx1 = NULL;
+    struct sss_names_ctx *nctx2 = NULL;
+    struct sss_domain_info *dom;
+    int ret;
+
+    assert_true(leak_check_setup());
+
+    test_ctx = talloc_zero(global_talloc_context, struct parse_name_test_ctx);
+    assert_non_null(test_ctx);
+
+    ret = sss_names_init_from_args(test_ctx, SSS_DEFAULT_RE,
+                                   "%1$s@%2$s", &nctx1);
+    assert_int_equal(ret, EOK);
+
+    ret = sss_names_init_from_args(test_ctx, SSS_IPA_AD_DEFAULT_RE,
+                                   "%1$s@%2$s", &nctx2);
+    assert_int_equal(ret, EOK);
+
+    test_ctx->dom = create_test_domain(test_ctx, DOMNAME, FLATNAME,
+                                       NULL, nctx1);
+    assert_non_null(test_ctx->dom);
+
+    dom = create_test_domain(test_ctx, DOMNAME2, FLATNAME2,
+                                       NULL, nctx2);
+    assert_non_null(dom);
+    DLIST_ADD_END(test_ctx->dom, dom, struct sss_domain_info *);
+
+    check_leaks_push(test_ctx);
+    *state = test_ctx;
+    return 0;
+}
+
 static int parse_name_test_teardown(void **state)
 {
     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
@@ -448,6 +483,18 @@ void test_init_nouser(void **state)
     assert_int_not_equal(ret, EOK);
 }
 
+void test_different_regexps(void **state)
+{
+    struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
+                                                     struct parse_name_test_ctx);
+    parse_name_check(test_ctx, NAME"@"DOMNAME, NULL, EOK, NAME, DOMNAME);
+    parse_name_check(test_ctx, NAME"@"DOMNAME2, NULL, EOK, NAME, DOMNAME2);
+    parse_name_check(test_ctx, NAME"@WITH_AT@"DOMNAME2, NULL, EOK, NAME"@WITH_AT", DOMNAME2);
+    parse_name_check(test_ctx, FLATNAME"\\"NAME, NULL, EOK, FLATNAME"\\"NAME, NULL);
+    parse_name_check(test_ctx, FLATNAME2"\\"NAME, NULL, EOK, NAME, DOMNAME2);
+    parse_name_check(test_ctx, FLATNAME2"\\"NAME"@WITH_AT", NULL, EOK, NAME"@WITH_AT", DOMNAME2);
+}
+
 void sss_parse_name_fail(void **state)
 {
     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
@@ -502,6 +549,9 @@ int main(int argc, const char *argv[])
         cmocka_unit_test_setup_teardown(sss_parse_name_fail,
                                         parse_name_test_setup,
                                         parse_name_test_teardown),
+        cmocka_unit_test_setup_teardown(test_different_regexps,
+                                        parse_name_test_two_names_ctx_setup,
+                                        parse_name_test_teardown),
     };
 
     /* Set debug level to invalid value so we can decide if -d 0 was used. */
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 511fb2d5d..91df7129e 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -321,7 +321,7 @@ static struct sss_domain_info * match_any_domain_or_subdomain_name(
         return dom;
     }
 
-    return find_domain_by_name(dom, dmatch, true);
+    return find_domain_by_name_ex(dom, dmatch, true, SSS_GND_SUBDOMAINS);
 }
 
 int sss_parse_name_for_domains(TALLOC_CTX *memctx,
-- 
2.35.3