URL: https://github.com/freeipa/freeipa/pull/5351
Author: abbra
Title: #5351: ipa-kdb: use predefined filters for wild-card searches
Action: opened
PR body:
"""
In case we've got a principal name as '*', we don't need to specify the principal itself; use a pre-defined filter for a wild-card search.

Previously, we had to escape the '*', as specifying it with an explicit matching rule would have violated RFC 4515 section 3. However, since we don't really need to specify a different matching rule for a wild-card search, we can remove this part completely.

Fixes: https://pagure.io/freeipa/issue/8624

Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5351/head:pr5351
git checkout pr5351
From 2623241b17febc3d66185b55b09f9e5083123d0a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Thu, 17 Dec 2020 12:22:47 +0200 Subject: [PATCH] ipa-kdb: use predefined filters for a wild-card searches In case we've got a principal name as '*', we don't need to specify the principal itself, use pre-defined filter for a wild-card search. Previously, we had to escape the '*' as specifying it with an explicit matching rule would have violated RFC 4515 section 3. However, since we don't really need to specify a different matching rule for a wild-card search, we can remove this part completely. Fixes: https://pagure.io/freeipa/issue/8624 Signed-off-by: Alexander Bokovoy <aboko...@redhat.com> --- daemons/ipa-kdb/ipa_kdb_principals.c | 46 ++++++++++++++++++---------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 197b7980974..47476ee04b2 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -49,6 +49,19 @@ "(objectclass=krbprincipal))" \ "(krbprincipalname=%s)" \ "%s)" + +#define PRINC_TGS_SEARCH_FILTER_WILD "(&(|(objectclass=krbprincipalaux)" \ + "(objectclass=krbprincipal)" \ + "(objectclass=ipakrbprincipal))" \ + "(|(ipakrbprincipalalias=*)" \ + "(krbprincipalname=*)))" + +#define PRINC_TGS_SEARCH_FILTER_WILD_EXTRA "(&(|(objectclass=krbprincipalaux)" \ + "(objectclass=krbprincipal)" \ + "(objectclass=ipakrbprincipal))" \ + "(|(ipakrbprincipalalias=*)" \ + "(krbprincipalname==*))" \ + "%s)" static char *std_principal_attrs[] = { "krbPrincipalName", "krbCanonicalName", 
@@ -1008,24 +1021,25 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx, } else #endif { - /* In case we've got a principal name as '*' we have to - * follow RFC 4515 section 3 and reencode it using - * <valueencoding> rule from RFC 4511 section 4.1.6 but - * only to the part of the filter that does use assertion - * value. */ - const char *asterisk = "%x2A"; - const char *assertion_value = esc_original_princ; - - if ((len == 1) && (esc_original_princ[0] == '*')) { - assertion_value = asterisk; - } + /* In case we've got a principal name as '*', we don't need to specify + * the principal itself, use pre-defined filter for a wild-card search. + */ + bool asterisk = ((len == 1) && (esc_original_princ[0] == '*')); - if (filter == NULL) { - ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, - esc_original_princ, assertion_value); + if (asterisk) { + if (filter == NULL) { + ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_WILD); + } else { + ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_WILD_EXTRA, filter); + } } else { - ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA, - esc_original_princ, assertion_value, filter); + if (filter == NULL) { + ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER, + esc_original_princ, esc_original_princ); + } else { + ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA, + esc_original_princ, esc_original_princ, filter); + } } }
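Review bot: in the first hunk, PRINC_TGS_SEARCH_FILTER_WILD_EXTRA carries a doubled equals sign in `"(krbprincipalname==*))"`. Under RFC 4515 that is not a presence filter: the attribute is `krbprincipalname` and the assertion value is `=*`, i.e. a substring match on values that begin with a literal `=`, so the wild-card-plus-extra-filter path will only ever match on `ipakrbprincipalalias`, never on `krbprincipalname`. It should read `"(krbprincipalname=*))"`, the same as in PRINC_TGS_SEARCH_FILTER_WILD. Since the two macros differ only in the trailing `"%s)"`, a shared prefix macro for the objectclass alternation and the presence disjunction would also keep them from drifting apart again.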
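Review bot: in the second hunk, the removed line `const char *asterisk = "%x2A";` was never a valid RFC 4515 escape: `%x2A` is the ABNF notation the RFC uses to name the byte 0x2A, while the `<valueencoding>` form the old comment cites is `\2a`, so the old code was sending a filter that looked for a principal literally named `%x2A`. Switching to a predefined presence filter is the right fix, but the commit message presents the old escaping as merely unnecessary; it is worth saying it was also wrong, since that is what the linked issue is about. Two smaller points: `bool asterisk` needs `<stdbool.h>` to be included somewhere above, and the four nearly identical `asprintf` calls could be reduced to two by picking the format string first (`filter == NULL ? PRINC_TGS_SEARCH_FILTER_WILD : PRINC_TGS_SEARCH_FILTER_WILD_EXTRA`) and then calling `asprintf` once per branch.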
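The PR body turns on a point worth seeing in working code: a caller-supplied principal name that ends up inside an LDAP filter must be escaped as RFC 4515 section 3 requires (`*`, `(`, `)` and `\` become `\2a`, `\28`, `\29`, `\5c`), and the one legitimate wild card, a bare `*`, is better expressed as a predefined presence filter than as an escaped value. The following is an added example written for this page, not ipa-kdb's code; the filter shapes (`PRINC_FILTER`, `PRINC_FILTER_WILD`), the helper names and the sample principals are all constructed for illustration. The third sample input is an injection attempt that tries to close the filter item early, and the escaping keeps it literal.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one assertion value as RFC 4515 section 3 requires: '*', '(', ')'
 * and '\' are replaced by a backslash and two hex digits, so a caller-supplied
 * value can never close the enclosing filter item or turn into a wild card.
 * (NUL cannot occur in a C string, so the \00 case never arises here.)
 * Returns a malloc'd string, or NULL on allocation failure. */
char *ldap_filter_escape(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes \xx */
    char *p;

    if (out == NULL)
        return NULL;

    p = out;
    for (const char *s = value; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '*' || c == '(' || c == ')' || c == '\\')
            p += sprintf(p, "\\%02x", c);   /* e.g. '*' -> "\2a" */
        else
            *p++ = (char)c;
    }
    *p = '\0';
    return out;
}

/* Portable stand-in for asprintf(): format into a freshly malloc'd buffer. */
static char *alloc_printf(const char *fmt, ...)
{
    va_list ap, ap2;
    int n;
    char *buf;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) {
        va_end(ap2);
        return NULL;
    }
    buf = malloc((size_t)n + 1);
    if (buf != NULL)
        vsnprintf(buf, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

/* Hypothetical filter shapes (not ipa-kdb's macros): an equality match on the
 * escaped principal, and a presence match for the wild-card case. The trailing
 * "%s" takes an optional extra filter supplied by the caller. */
#define PRINC_FILTER      "(&(objectclass=krbprincipalaux)(krbprincipalname=%s)%s)"
#define PRINC_FILTER_WILD "(&(objectclass=krbprincipalaux)(krbprincipalname=*)%s)"

/* Build the search filter for "principal". A bare "*" means "any principal"
 * and selects the presence filter, as the PR does; anything else is escaped
 * first so a '*' or ')' inside a real principal name stays literal.
 * Returns a malloc'd filter string, or NULL on allocation failure. */
char *build_principal_filter(const char *principal, const char *extra)
{
    const char *tail = (extra != NULL) ? extra : "";
    char *esc, *filter;

    if (strcmp(principal, "*") == 0)
        return alloc_printf(PRINC_FILTER_WILD, tail);

    esc = ldap_filter_escape(principal);
    if (esc == NULL)
        return NULL;
    filter = alloc_printf(PRINC_FILTER, esc, tail);
    free(esc);
    return filter;
}

int main(void)
{
    /* Constructed inputs: an ordinary principal, the wild card, and an
     * injection attempt that tries to close the filter item early. */
    const char *inputs[] = { "host/kdc.example.test@EXAMPLE.TEST", "*",
                             "admin)(objectclass=*" };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        char *f = build_principal_filter(inputs[i], NULL);
        printf("%-36s -> %s\n", inputs[i], f ? f : "(alloc failed)");
        free(f);
    }
    return 0;
}
```

Note how the wild-card case never goes through `ldap_filter_escape()`: an escaped `\2a` would ask the server for a principal whose name is a literal asterisk, while `(krbprincipalname=*)` is the presence test the PR wants. Anything else, including `*` embedded in a longer name, is escaped, which is what keeps the `admin)(objectclass=*` input from rewriting the filter.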
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org