Hi,

this patch fixes an issue found by Simo when he called get_authz_data_types() with the second argument being NULL. This function determines which type of authorization data should be added to the Kerberos ticket. There are global defaults and it is possible to configure this per service as well. The second argument is the database entry of a service. If no service is given it makes sense to return the global defaults, and most parts of get_authz_data_types() handle this case well. This patch fixes the remaining issue and adds a test for this as well.

Please note that currently get_authz_data_types() is used in a code path where the service entry is expected to be not NULL, and it turned out that in Simo's case it will be non-NULL as well. Nevertheless the patch makes the code more robust and makes the future use of get_authz_data_types() safer.

bye,
Sumit
From ac3468375a71da08d1437362caabae4504c87386 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Wed, 16 Dec 2015 12:37:50 +0100 Subject: [PATCH] ipa-kdb: get_authz_data_types() make sure entry can be NULL --- daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 8594309dbd27b45abda68de5f7ebf0c31e16904d..daa42e369014f2ed401742474453ebb1aadef07c 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -2005,7 +2005,7 @@ void get_authz_data_types(krb5_context context, krb5_db_entry *entry, service_specific = false; authz_data_type = authz_data_list[c]; sep = strchr(authz_data_list[c], ':'); - if (sep != NULL) { + if (sep != NULL && entry != NULL) { if (entry->princ == NULL) { krb5_klog_syslog(LOG_ERR, "Missing principal in database " "entry, no authorization data will " \ diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c index 0811972d3bb306e86a97d3c979a8e5cd0182cadd..1220d889ef76929161846dd41fa49df79b7b46f3 100644 --- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c +++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c @@ -410,6 +410,14 @@ void test_get_authz_data_types(void **state) get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad); assert_true(with_pad == test_set[c].exp_with_pad); assert_true(with_pac == test_set[c].exp_with_pac); + + /* test if global default are returned if there is no server entry */ + if (test_set[c].authz_data == NULL && test_set[c].princ == NULL) { + get_authz_data_types(test_ctx->krb5_ctx, NULL, &with_pac, + &with_pad); + assert_true(with_pad == test_set[c].exp_with_pad); + assert_true(with_pac == test_set[c].exp_with_pac); + } } free(ied); -- 2.4.3
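Review bot: in the ipa_kdb_mspac.c hunk, folding the NULL check into `if (sep != NULL && entry != NULL)` means that with a NULL entry a list element containing ':' skips the whole block, so `service_specific` stays false and `authz_data_type` still points at the full element, colon part included, when the code after this block (not visible in the hunk) runs. If such elements are meant to be ignored when no service entry is given, make that explicit, for example by keeping `if (sep != NULL) {` and handling `entry == NULL` as its own branch with a `continue` and a short comment, rather than relying on later comparisons not matching the unsplit string.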
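Review bot: in the ipa_kdb_tests.c hunk, the added NULL-entry call reuses `with_pac` and `with_pad`, which still hold the values written by the preceding call that were just asserted equal to `exp_with_pac` and `exp_with_pad`. If the NULL-entry call returned without writing its outputs, both new assertions would still pass. Reset the two variables to the opposite of the expected values before the second call so the test proves the outputs were set. The new case also runs only when `test_set[c].authz_data == NULL && test_set[c].princ == NULL`, so the changed condition is never exercised with a ':' element and a NULL entry; a test row for that combination would cover the line the patch touches. The comment says "server entry" where the rest of the patch talks about a service entry.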