Hi,

this patch fixes an issue found by Simo when he called
get_authz_data_types() with the second argument being NULL.
This function determines which type of authorization data should be
added to the Kerberos ticket. There are global defaults and it is
possible to configure this per service as well. The second argument is
the database entry of a service. If no service is given it makes sense
to return the global defaults, and most parts of get_authz_data_types()
handle this case well; this patch fixes the remaining issue and adds a
test for this as well.

Please note that currently get_authz_data_types() is used in a code path
where the service entry is expected to be non-NULL, and it turned out
that in Simo's case it will be non-NULL as well. Nevertheless the patch
makes the code more robust and makes future use of
get_authz_data_types() safer.

bye,
Sumit
From ac3468375a71da08d1437362caabae4504c87386 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 16 Dec 2015 12:37:50 +0100
Subject: [PATCH] ipa-kdb: get_authz_data_types() make sure entry can be NULL

---
 daemons/ipa-kdb/ipa_kdb_mspac.c       | 2 +-
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 
8594309dbd27b45abda68de5f7ebf0c31e16904d..daa42e369014f2ed401742474453ebb1aadef07c
 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2005,7 +2005,7 @@ void get_authz_data_types(krb5_context context, 
krb5_db_entry *entry,
         service_specific = false;
         authz_data_type = authz_data_list[c];
         sep = strchr(authz_data_list[c], ':');
-        if (sep != NULL) {
+        if (sep != NULL && entry != NULL) {
             if (entry->princ == NULL) {
                 krb5_klog_syslog(LOG_ERR, "Missing principal in database "
                                           "entry, no authorization data will " 
\
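Review bot: with the new `sep != NULL && entry != NULL` condition, a list element of the form `service:type` is no longer parsed when `entry` is NULL, but `authz_data_type` was already set to the whole `authz_data_list[c]` string two lines above, so the unparsed `service:type` string continues through the rest of the loop body (not shown in this hunk) as if it were a plain type name. Since a global default cannot be service-specific, it would be clearer to skip such elements explicitly when there is no entry, e.g. `if (sep != NULL) { if (entry == NULL) continue; ...`, rather than rely on later code to reject the prefixed name. The function's documentation should also state that `entry` may be NULL and that service-specific elements are ignored in that case.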
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 
0811972d3bb306e86a97d3c979a8e5cd0182cadd..1220d889ef76929161846dd41fa49df79b7b46f3
 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -410,6 +410,14 @@ void test_get_authz_data_types(void **state)
         get_authz_data_types(test_ctx->krb5_ctx, entry, &with_pac, &with_pad);
         assert_true(with_pad == test_set[c].exp_with_pad);
         assert_true(with_pac == test_set[c].exp_with_pac);
+
+        /* test if global default are returned if there is no server entry */
+        if (test_set[c].authz_data == NULL && test_set[c].princ == NULL) {
+            get_authz_data_types(test_ctx->krb5_ctx, NULL, &with_pac,
+                                                           &with_pad);
+            assert_true(with_pad == test_set[c].exp_with_pad);
+            assert_true(with_pac == test_set[c].exp_with_pac);
+        }
     }
 
     free(ied);
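Review bot: the new NULL-entry check only runs when `test_set[c].authz_data == NULL && test_set[c].princ == NULL`, i.e. for test cases whose entry carries no service-specific configuration, and it asserts the same `exp_with_pac`/`exp_with_pad` values as the preceding non-NULL call. That confirms the global defaults are returned, but it does not exercise the path changed in ipa_kdb_mspac.c: a global list element containing a `:` separator while `entry` is NULL. Consider adding a test case whose global authz_data list contains a `service:type` element and asserting the result of the NULL-entry call for it. Minor: the comment should read "global defaults are returned if there is no service entry" (not "server").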
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
