From fa4b46e7de7297da3c0e37913eab8cba7f103629 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 9 Oct 2020 15:26:39 +0200 Subject: [PATCH 8/8] negcache: do not use default_domain_suffix When splitting the names from the filter_users and filter_groups options do not use the default_domain_suffix because it will hide that the original name is a short name and should be added everywhere. Additionally this patch fixes a typo where sss_parse_name() was used instead of sss_parse_name_for_domains(). Resolves: https://github.com/SSSD/sssd/issues/5238 Reviewed-by: Alexey Tikhonov --- src/responder/common/negcache.c | 29 +++++++++++++++-------------- src/tests/cmocka/test_negcache.c | 22 ++++++++++++++++++++-- 2 files changed, 35 insertions(+), 16 deletions(-) diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c index 9ee39ce3e..59e8ad7e7 100644 --- a/src/responder/common/negcache.c +++ b/src/responder/common/negcache.c @@ -1000,13 +1000,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, for (i = 0; (filter_list && filter_list[i]); i++) { ret = sss_parse_name_for_domains(tmpctx, domain_list, - rctx->default_domain, + NULL, filter_list[i], &domainname, &name); if (ret == EAGAIN) { DEBUG(SSSDBG_MINOR_FAILURE, - "cannot add [%s] to negcache because the required or " - "default domain are not known yet\n", filter_list[i]); + "Can add [%s] only as UPN to negcache because the " + "required domain is not known yet\n", filter_list[i]); } else if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Invalid name in filterUsers list: [%s] (%d)\n", @@ -1066,12 +1066,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, for (i = 0; (filter_list && filter_list[i]); i++) { ret = sss_parse_name_for_domains(tmpctx, domain_list, - rctx->default_domain, filter_list[i], + NULL, filter_list[i], &domainname, &name); if (ret == EAGAIN) { DEBUG(SSSDBG_MINOR_FAILURE, - "Cannot add [%s] to negcache because the required or " - "default domain are not known yet\n", filter_list[i]); + "Can add [%s] only as UPN to negcache because the " + "required domain is not known yet\n", filter_list[i]); } else if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Invalid name in filterUsers list: [%s] (%d)\n", @@ -1158,9 +1158,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, if (ret != EOK) goto done; for (i = 0; (filter_list && filter_list[i]); i++) { - ret = sss_parse_name(tmpctx, dom->names, filter_list[i], - &domainname, &name); + ret = sss_parse_name_for_domains(tmpctx, domain_list, + NULL, filter_list[i], + &domainname, &name); if (ret != EOK) { + /* Groups do not have UPNs, so domain names, if present, + * must be known */ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid name in filterGroups list: [%s] (%d)\n", filter_list[i], ret); @@ -1207,13 +1210,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, for (i = 0; (filter_list && filter_list[i]); i++) { ret = sss_parse_name_for_domains(tmpctx, domain_list, - rctx->default_domain, filter_list[i], + NULL, filter_list[i], &domainname, &name); - if (ret == EAGAIN) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Cannot add [%s] to negcache because the required or " - "default domain are not known yet\n", filter_list[i]); - } else if (ret != EOK) { + if (ret != EOK) { + /* Groups do not have UPNs, so domain names, if present, + * must be known */ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid name in filterGroups list: [%s] (%d)\n", filter_list[i], ret); diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c index fb306b110..30218d52a 100644 --- a/src/tests/cmocka/test_negcache.c +++ b/src/tests/cmocka/test_negcache.c @@ -933,7 +933,9 @@ static void test_sss_ncache_reset_prepopulate(void **state) * * The result should of course be independent of the present domains. To * verify this the domains are added one after the other and the negative - * cache is repopulated each time. + * cache is repopulated each time. The result should be also independent of + * the setting of default_domain_suffix option which is tested by + * test_sss_ncache_short_name_in_domain_with_prefix. * * With the given domains, users and group we have to following expectations: * - the short name entry will be added to the domain and all sub-domains as @@ -1081,7 +1083,8 @@ static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache, assert_int_equal(ret, ENOENT); } -static void test_sss_ncache_short_name_in_domain(void **state) +static void run_sss_ncache_short_name_in_domain(void **state, + bool use_default_domain_prefix) { int ret; struct test_state *ts; @@ -1131,6 +1134,9 @@ static void test_sss_ncache_short_name_in_domain(void **state) ncache = ts->ctx; ts->rctx = mock_rctx(ts, ev, dom, ts->nctx); assert_non_null(ts->rctx); + if (use_default_domain_prefix) { + ts->rctx->default_domain = discard_const(TEST_DOM_NAME); + } ts->rctx->cdb = tc->confdb; ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names); @@ -1173,6 +1179,16 @@ static void test_sss_ncache_short_name_in_domain(void **state) expect_no_entries_in_dom(ncache, dom2); } +static void test_sss_ncache_short_name_in_domain(void **state) +{ + run_sss_ncache_short_name_in_domain(state, false); +} + +static void test_sss_ncache_short_name_in_domain_with_prefix(void **state) +{ + run_sss_ncache_short_name_in_domain(state, true); +} + static void test_sss_ncache_reset(void **state) { errno_t ret; @@ -1337,6 +1353,8 @@ int main(void) setup, teardown), cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain, setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain_with_prefix, + setup, teardown), cmocka_unit_test_setup_teardown(test_sss_ncache_reset, setup, teardown), cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid, -- 2.21.3