Re: [Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges
On 03/08/2013 04:41 PM, Tomas Babej wrote: On 03/08/2013 12:10 PM, Martin Kosek wrote: On 03/05/2013 12:59 PM, Tomas Babej wrote: Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391 I think the patch is functionally OK (I tested it), I would just change the flow of the following: @@ -194,19 +198,22 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) r1->id_range_size, r2->id_range_size)) return 2; -/* check if secondary rid range overlaps with existing secondary rid range */ +/** + * The following 3 checks are relevant only if both ranges are local. + * Check if secondary rid range overlaps with existing secondary rid + * range. **/ if (intervals_overlap(r1->secondary_base_rid, r2->secondary_base_rid, -r1->id_range_size, r2->id_range_size)) +r1->id_range_size, r2->id_range_size) && local_ranges) return 3; ... TO something like ... /** * The following checks are relevant only if both ranges are local. * Check if secondary rid range overlaps with existing secondary rid * range. **/ if (local_ranges) { ... do the checks } ... Doing it your way, intervals_overlap() function is called 3 times when not needed + it is not so obvious that these checks are only done with "local_ranges" only. Martin Refactored. Tomas ACK. Pushed to master, ipa-3-1. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges
On 03/08/2013 12:10 PM, Martin Kosek wrote: On 03/05/2013 12:59 PM, Tomas Babej wrote: Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391 I think the patch is functionally OK (I tested it), I would just change the flow of the following: @@ -194,19 +198,22 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) r1->id_range_size, r2->id_range_size)) return 2; -/* check if secondary rid range overlaps with existing secondary rid range */ +/** + * The following 3 checks are relevant only if both ranges are local. + * Check if secondary rid range overlaps with existing secondary rid + * range. **/ if (intervals_overlap(r1->secondary_base_rid, r2->secondary_base_rid, -r1->id_range_size, r2->id_range_size)) +r1->id_range_size, r2->id_range_size) && local_ranges) return 3; ... TO something like ... /** * The following checks are relevant only if both ranges are local. * Check if secondary rid range overlaps with existing secondary rid * range. **/ if (local_ranges) { ... do the checks } ... Doing it your way, intervals_overlap() function is called 3 times when not needed + it is not so obvious that these checks are only done with "local_ranges" only. Martin Refactored. Tomas >From 5bffce519949c5b394a2d0c4a09bd0d5d9b258bf Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 5 Mar 2013 09:17:20 +0100 Subject: [PATCH] Perform secondary rid range overlap check for local ranges only Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391 --- .../ipa-range-check/ipa_range_check.c | 37 ++ 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c index 3a607636dc3ad9efc80ac7a2cef27eab524ad251..391e2259b6eced31fed399c927cfe44c1d3e237e 100644 --- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c +++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c @@ -178,6 +178,11 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) bool rid_ranges_set = (r1->base_rid != 0 || r1->secondary_base_rid != 0) && (r2->base_rid != 0 || r2->secondary_base_rid != 0); +/** + * ipaNTTrustedDomainSID is not set for local ranges, use it to + * determine the type of the range **/ +bool local_ranges = r1->domain_id == NULL && r2->domain_id == NULL; + bool ranges_from_same_domain = (r1->domain_id == NULL && r2->domain_id == NULL) || (r1->domain_id != NULL && r2->domain_id != NULL && @@ -185,8 +190,7 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) /** * in case rid range is not set or ranges belong to different domains - * we can skip rid range tests as they are irrelevant - */ + * we can skip rid range tests as they are irrelevant **/ if (rid_ranges_set && ranges_from_same_domain){ /* check if rid range overlaps with existing rid range */ @@ -194,20 +198,25 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) r1->id_range_size, r2->id_range_size)) return 2; -/* check if secondary rid range overlaps with existing secondary rid range */ -if (intervals_overlap(r1->secondary_base_rid, r2->secondary_base_rid, -r1->id_range_size, r2->id_range_size)) -return 3; +/** + * The following 3 checks are relevant only if both ranges are local. + * Check if secondary rid range overlaps with existing secondary rid + * range. **/ +if (local_ranges){ +if (intervals_overlap(r1->secondary_base_rid, +r2->secondary_base_rid, r1->id_range_size, r2->id_range_size)) +return 3; -/* check if rid range overlaps with existing secondary rid range */ -if (intervals_overlap(r1->base_rid, r2->secondary_base_rid, -r1->id_range_size, r2->id_range_size)) -return 4; +/* check if rid range overlaps with existing secondary rid range */ +if (intervals_overlap(r1->base_rid, r2->secondary_base_rid, +r1->id_range_size, r2->id_range_size)) +return 4; -/* check if secondary rid range overlaps with ex
Re: [Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges
On 03/07/2013 11:48 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391 Tomas So I assume in your reproduction steps the secondary range for both is 0 hence the overlap? Yes, that causes the issue. rob Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges
On 03/05/2013 12:59 PM, Tomas Babej wrote: Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391 I think the patch is functionally OK (I tested it), I would just change the flow of the following: @@ -194,19 +198,22 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) r1->id_range_size, r2->id_range_size)) return 2; -/* check if secondary rid range overlaps with existing secondary rid range */ +/** + * The following 3 checks are relevant only if both ranges are local. + * Check if secondary rid range overlaps with existing secondary rid + * range. **/ if (intervals_overlap(r1->secondary_base_rid, r2->secondary_base_rid, -r1->id_range_size, r2->id_range_size)) +r1->id_range_size, r2->id_range_size) && local_ranges) return 3; ... TO something like ... /** * The following checks are relevant only if both ranges are local. * Check if secondary rid range overlaps with existing secondary rid * range. **/ if (local_ranges) { ... do the checks } ... Doing it your way, intervals_overlap() function is called 3 times when not needed + it is not so obvious that these checks are only done with "local_ranges" only. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges
Tomas Babej wrote: Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391 Tomas So I assume in your reproduction steps the secondary range for both is 0 hence the overlap? rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges
Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391 Tomas >From 1a18bc43b561a1bbcfa1f5da3c2f1d6482571d18 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Tue, 5 Mar 2013 09:17:20 +0100 Subject: [PATCH] Perform secondary rid range overlap check for local ranges only Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391 --- .../ipa-range-check/ipa_range_check.c | 19 +-- 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c index 3a607636dc3ad9efc80ac7a2cef27eab524ad251..b7e0ea7af74e761dedd42d71d3b2ca7bc8aa3655 100644 --- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c +++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c @@ -178,6 +178,11 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) bool rid_ranges_set = (r1->base_rid != 0 || r1->secondary_base_rid != 0) && (r2->base_rid != 0 || r2->secondary_base_rid != 0); +/** + * ipaNTTrustedDomainSID is not set for local ranges, use it to + * determine the type of the range **/ +bool local_ranges = r1->domain_id == NULL && r2->domain_id == NULL; + bool ranges_from_same_domain = (r1->domain_id == NULL && r2->domain_id == NULL) || (r1->domain_id != NULL && r2->domain_id != NULL && @@ -185,8 +190,7 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) /** * in case rid range is not set or ranges belong to different domains - * we can skip rid range tests as they are irrelevant - */ + * we can skip rid range tests as they are irrelevant **/ if (rid_ranges_set && ranges_from_same_domain){ /* check if rid range overlaps with existing rid range */ @@ -194,19 +198,22 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) r1->id_range_size, r2->id_range_size)) return 2; -/* check if secondary rid range overlaps with existing secondary rid range */ +/** + * The following 3 checks are relevant only if both ranges are local. + * Check if secondary rid range overlaps with existing secondary rid + * range. **/ if (intervals_overlap(r1->secondary_base_rid, r2->secondary_base_rid, -r1->id_range_size, r2->id_range_size)) +r1->id_range_size, r2->id_range_size) && local_ranges) return 3; /* check if rid range overlaps with existing secondary rid range */ if (intervals_overlap(r1->base_rid, r2->secondary_base_rid, -r1->id_range_size, r2->id_range_size)) +r1->id_range_size, r2->id_range_size) && local_ranges) return 4; /* check if secondary rid range overlaps with existing rid range */ if (intervals_overlap(r1->secondary_base_rid, r2->base_rid, -r1->id_range_size, r2->id_range_size)) +r1->id_range_size, r2->id_range_size) && local_ranges) return 5; } -- 1.7.11.7 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel