URL: https://github.com/SSSD/sssd/pull/246
Author: fidencio
 Title: #246: filter_users and filter_groups stop working properly in v 1.15
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/246/head:pr246
git checkout pr246
From 6a6c9866301ed6bd7b35f5799e6c058ac81eea15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Mon, 24 Apr 2017 12:11:46 +0200
Subject: [PATCH 1/5] NSS: Use fqnames when performing a ncache check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The names stored in the negative cache are fully qualified, so we have
to use fully qualified names when checking whether a user/group is part
of the negative cache.

Related:
https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>
---
 src/responder/nss/nss_protocol_grent.c | 12 +++++++++++-
 src/responder/nss/nss_protocol_pwent.c | 12 +++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index fae1d47..6f6ad9e 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -205,6 +205,7 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
     uint32_t num_results;
     uint32_t num_members;
     char *members;
+    char *fqname;
     size_t members_size;
     size_t rp;
     size_t rp_members;
@@ -243,8 +244,17 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
 
         /* Check negative cache during enumeration. */
         if (cmd_ctx->enumeration) {
+            fqname = sss_create_internal_fqname(tmp_ctx, name->str,
+                                                result->domain->name);
+            if (fqname == NULL) {
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "sss_create_internal_fqname() failed\n");
+                ret = ENOMEM;
+                goto done;
+            }
+
             ret = sss_ncache_check_group(nss_ctx->rctx->ncache,
-                                         result->domain, name->str);
+                                         result->domain, fqname);
             if (ret == EEXIST) {
                 DEBUG(SSSDBG_TRACE_FUNC,
                       "User [%s] filtered out! (negative cache)\n",
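Review bot: The fqname built on tmp_ctx at the top of the enumeration branch is never released inside the loop, so one allocation accumulates per enumerated entry until tmp_ctx goes away; a `talloc_free(fqname);` right after the sss_ncache_check_group() call keeps the footprint flat (tmp_ctx's allocation and the loop head are outside the hunk). The nss_protocol_pwent.c hunk of this patch has the same pattern. It is also worth confirming that name->str is still the unqualified name at this point: if nss_get_grent() already produced a domain-qualified string for fqnames domains, sss_create_internal_fqname() would qualify it a second time and the negative-cache lookup would silently miss. Unrelated to the change itself, the context line below logs `User [%s]` for what is a group entry.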
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index edda9d3..e781352 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -273,6 +273,7 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
     struct sized_string gecos;
     struct sized_string homedir;
     struct sized_string shell;
+    char *fqname;
     uint32_t gid;
     uint32_t uid;
     uint32_t num_results;
@@ -311,8 +312,17 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
 
         /* Check negative cache during enumeration. */
         if (cmd_ctx->enumeration) {
+            fqname = sss_create_internal_fqname(tmp_ctx, name->str,
+                                                result->domain->name);
+            if (fqname == NULL) {
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "sss_create_internal_fqname() failed\n");
+                ret = ENOMEM;
+                goto done;
+            }
+
             ret = sss_ncache_check_user(nss_ctx->rctx->ncache,
-                                        result->domain, name->str);
+                                        result->domain, fqname);
             if (ret == EEXIST) {
                 DEBUG(SSSDBG_TRACE_FUNC,
                       "User [%s] filtered out! (negative cache)\n", name->str);

From 2b7bb36497e540429255d3d42d00919726a4f5a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Tue, 25 Apr 2017 16:41:56 +0200
Subject: [PATCH 2/5] RESPONDER: Make nss_get_name_from_msg() part of
 responder_utils
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order to do so, the function got renamed to sss_get_name_from_msg()
and will be used as part of cache_req as well in the follow up patches.

Related:
https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>
---
 src/responder/common/responder.h       |  3 +++
 src/responder/common/responder_utils.c | 26 ++++++++++++++++++++++++++
 src/responder/nss/nss_private.h        |  4 ----
 src/responder/nss/nss_protocol_grent.c |  2 +-
 src/responder/nss/nss_protocol_pwent.c |  2 +-
 src/responder/nss/nss_protocol_sid.c   |  2 +-
 src/responder/nss/nss_utils.c          | 27 ---------------------------
 7 files changed, 32 insertions(+), 34 deletions(-)

diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index dfe1ec4..e5b9c5b 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -391,6 +391,9 @@ char *sss_resp_create_fqname(TALLOC_CTX *mem_ctx,
                              bool name_is_upn,
                              const char *orig_name);
 
+const char *sss_get_name_from_msg(struct sss_domain_info *domain,
+                                  struct ldb_message *msg);
+
 errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx);
 
 /**
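Review bot: The new sss_get_name_from_msg() prototype carries no documentation, while the neighbouring declarations in this header use Doxygen blocks (the `/**` right below it). Since the function is now public responder API and gains cache_req callers later in this series, a short block such as `/** Name to expose for @p msg: the view override when the domain has views, else the default-view override, else SYSDB_NAME. Returns NULL when none is present. */` would state the contract callers must honour, in particular that NULL is a legitimate result.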
diff --git a/src/responder/common/responder_utils.c b/src/responder/common/responder_utils.c
index b02212d..a772ed6 100644
--- a/src/responder/common/responder_utils.c
+++ b/src/responder/common/responder_utils.c
@@ -193,3 +193,29 @@ char *sss_resp_create_fqname(TALLOC_CTX *mem_ctx,
     talloc_free(tmp_ctx);
     return name;
 }
+
+const char *sss_get_name_from_msg(struct sss_domain_info *domain,
+                                  struct ldb_message *msg)
+{
+    const char *name;
+
+    /* If domain has a view associated we return overridden name
+     * if possible. */
+    if (DOM_HAS_VIEWS(domain)) {
+        name = ldb_msg_find_attr_as_string(msg, OVERRIDE_PREFIX SYSDB_NAME,
+                                           NULL);
+        if (name != NULL) {
+            return name;
+        }
+    }
+
+    /* Otherwise we try to return name override from
+     * Default Truest View for trusted users. */
+    name = ldb_msg_find_attr_as_string(msg, SYSDB_DEFAULT_OVERRIDE_NAME, NULL);
+    if (name != NULL) {
+        return name;
+    }
+
+    /* If no override is found we return the original name. */
+    return ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+}
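Review bot: The comment above the second lookup reads `Default Truest View`; it should be `Default Trust View`, and since the function is being moved anyway this is the moment to fix it. The final `ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL)` means the function returns NULL when no name attribute is present, so every caller has to check the result — nss_protocol_fill_name_list() in this patch does, but the new cache_req_search_get_name_from_msg() introduced in patch 4 passes the value straight to sss_output_name() without a check.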
diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
index 13de832..7232063 100644
--- a/src/responder/nss/nss_private.h
+++ b/src/responder/nss/nss_private.h
@@ -137,10 +137,6 @@ nss_setnetgrent_recv(struct tevent_req *req);
 /* Utils. */
 
 const char *
-nss_get_name_from_msg(struct sss_domain_info *domain,
-                      struct ldb_message *msg);
-
-const char *
 nss_get_pwfield(struct nss_ctx *nctx,
                 struct sss_domain_info *dom);
 
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 6f6ad9e..1da7f75 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -41,7 +41,7 @@ nss_get_grent(TALLOC_CTX *mem_ctx,
     }
 
     /* Get fields. */
-    name = nss_get_name_from_msg(domain, msg);
+    name = sss_get_name_from_msg(domain, msg);
     gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM, 0);
 
     if (name == NULL || gid == 0) {
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index e781352..d5a2d51 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -225,7 +225,7 @@ nss_get_pwent(TALLOC_CTX *mem_ctx,
 
     /* Get fields. */
     upn = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL);
-    name = nss_get_name_from_msg(domain, msg);
+    name = sss_get_name_from_msg(domain, msg);
     gid = nss_get_gid(domain, msg);
     uid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_UIDNUM, 0);
 
diff --git a/src/responder/nss/nss_protocol_sid.c b/src/responder/nss/nss_protocol_sid.c
index a6a4e27..d4b7ee2 100644
--- a/src/responder/nss/nss_protocol_sid.c
+++ b/src/responder/nss/nss_protocol_sid.c
@@ -532,7 +532,7 @@ nss_protocol_fill_name_list(struct nss_ctx *nss_ctx,
             return ret;
         }
 
-        tmp_str = nss_get_name_from_msg(result->domain, result->msgs[c]);
+        tmp_str = sss_get_name_from_msg(result->domain, result->msgs[c]);
         if (tmp_str == NULL) {
             return EINVAL;
         }
diff --git a/src/responder/nss/nss_utils.c b/src/responder/nss/nss_utils.c
index 2cd9c33..b4950e5 100644
--- a/src/responder/nss/nss_utils.c
+++ b/src/responder/nss/nss_utils.c
@@ -27,33 +27,6 @@
 #include "responder/nss/nss_private.h"
 
 const char *
-nss_get_name_from_msg(struct sss_domain_info *domain,
-                      struct ldb_message *msg)
-{
-    const char *name;
-
-    /* If domain has a view associated we return overridden name
-     * if possible. */
-    if (DOM_HAS_VIEWS(domain)) {
-        name = ldb_msg_find_attr_as_string(msg, OVERRIDE_PREFIX SYSDB_NAME,
-                                           NULL);
-        if (name != NULL) {
-            return name;
-        }
-    }
-
-    /* Otherwise we try to return name override from
-     * Default Truest View for trusted users. */
-    name = ldb_msg_find_attr_as_string(msg, SYSDB_DEFAULT_OVERRIDE_NAME, NULL);
-    if (name != NULL) {
-        return name;
-    }
-
-    /* If no override is found we return the original name. */
-    return ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
-}
-
-const char *
 nss_get_pwfield(struct nss_ctx *nctx,
                struct sss_domain_info *dom)
 {

From 7efb13c34ffe129509851c5b734128d697a7e582 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Tue, 25 Apr 2017 14:14:05 +0200
Subject: [PATCH 3/5] CACHE_REQ: Add a new cache_req_ncache_filter_fn() plugin
 function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This function will be responsible for filtering out all the results that
we have that are also present in the negative cache.

This is useful mainly for plugins which don't use a name as an input token
but can still be affected by the filter_{users,groups} options.

For now this new function is not being used anywhere.

Related:
https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>
---
 src/responder/common/cache_req/cache_req_plugin.h           | 13 +++++++++++++
 .../common/cache_req/plugins/cache_req_enum_groups.c        |  1 +
 src/responder/common/cache_req/plugins/cache_req_enum_svc.c |  1 +
 .../common/cache_req/plugins/cache_req_enum_users.c         |  1 +
 .../common/cache_req/plugins/cache_req_group_by_filter.c    |  1 +
 .../common/cache_req/plugins/cache_req_group_by_id.c        |  1 +
 .../common/cache_req/plugins/cache_req_group_by_name.c      |  1 +
 .../common/cache_req/plugins/cache_req_host_by_name.c       |  1 +
 .../common/cache_req/plugins/cache_req_initgroups_by_name.c |  1 +
 .../common/cache_req/plugins/cache_req_initgroups_by_upn.c  |  1 +
 .../common/cache_req/plugins/cache_req_netgroup_by_name.c   |  1 +
 .../common/cache_req/plugins/cache_req_object_by_id.c       |  1 +
 .../common/cache_req/plugins/cache_req_object_by_name.c     |  1 +
 .../common/cache_req/plugins/cache_req_object_by_sid.c      |  1 +
 .../common/cache_req/plugins/cache_req_svc_by_name.c        |  1 +
 .../common/cache_req/plugins/cache_req_svc_by_port.c        |  1 +
 .../common/cache_req/plugins/cache_req_user_by_cert.c       |  1 +
 .../common/cache_req/plugins/cache_req_user_by_filter.c     |  1 +
 .../common/cache_req/plugins/cache_req_user_by_id.c         |  1 +
 .../common/cache_req/plugins/cache_req_user_by_name.c       |  1 +
 .../common/cache_req/plugins/cache_req_user_by_upn.c        |  1 +
 21 files changed, 33 insertions(+)

diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h
index e0b6195..895ee52 100644
--- a/src/responder/common/cache_req/cache_req_plugin.h
+++ b/src/responder/common/cache_req/cache_req_plugin.h
@@ -93,6 +93,18 @@ typedef errno_t
                            struct cache_req_data *data);
 
 /**
+ * Filter the result through the negative cache.
+ *
+ * This is useful for plugins which don't use name as an input
+ * takes but can be affected by filter_users and filter_groups
+ * options.
+ */
+typedef errno_t
+(*cache_req_ncache_filter_fn)(struct sss_nc_ctx *ncache,
+                              struct sss_domain_info *domain,
+                              char *name);
+
+/**
  * Add an object into global negative cache.
  *
  * @return EOK If everything went fine.
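Review bot: The new callback only looks `name` up in the negative cache, so the parameter should be `const char *name` to match sss_ncache_check_user()/sss_ncache_check_group(), which take a const string; the non-const signature forces the group_by_id implementation in patch 4 to accept a writable pointer it never writes through. The doc block also lacks the `@return` section the neighbouring typedefs have — based on how cache_req_search.c consumes it in patch 4, `@return EOK or ENOENT if the name is not in the negative cache, EEXIST if it is, another errno on failure` — and has a typo: `input takes` should be `input token`.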
@@ -207,6 +219,7 @@ struct cache_req_plugin {
     cache_req_global_ncache_add_fn global_ncache_add_fn;
     cache_req_ncache_check_fn ncache_check_fn;
     cache_req_ncache_add_fn ncache_add_fn;
+    cache_req_ncache_filter_fn ncache_filter_fn;
     cache_req_lookup_fn lookup_fn;
     cache_req_dp_send_fn dp_send_fn;
     cache_req_dp_recv_fn dp_recv_fn;
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_groups.c b/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
index 49ce350..11ce9e9 100644
--- a/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
@@ -75,6 +75,7 @@ const struct cache_req_plugin cache_req_enum_groups = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = NULL,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_enum_groups_lookup,
     .dp_send_fn = cache_req_enum_groups_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
index 499b994..72b2f1a 100644
--- a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
@@ -76,6 +76,7 @@ const struct cache_req_plugin cache_req_enum_svc = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = NULL,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_enum_svc_lookup,
     .dp_send_fn = cache_req_enum_svc_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_users.c b/src/responder/common/cache_req/plugins/cache_req_enum_users.c
index b635354..e0647a0 100644
--- a/src/responder/common/cache_req/plugins/cache_req_enum_users.c
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_users.c
@@ -75,6 +75,7 @@ const struct cache_req_plugin cache_req_enum_users = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = NULL,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_enum_users_lookup,
     .dp_send_fn = cache_req_enum_users_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
index 4377a47..aa89953 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
@@ -131,6 +131,7 @@ const struct cache_req_plugin cache_req_group_by_filter = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = NULL,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_group_by_filter_lookup,
     .dp_send_fn = cache_req_group_by_filter_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
index ad5b7d8..5613bf6 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
@@ -144,6 +144,7 @@ const struct cache_req_plugin cache_req_group_by_id = {
     .global_ncache_add_fn = cache_req_group_by_id_global_ncache_add,
     .ncache_check_fn = cache_req_group_by_id_ncache_check,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_group_by_id_lookup,
     .dp_send_fn = cache_req_group_by_id_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
index de1e8f9..7706051 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
@@ -194,6 +194,7 @@ const struct cache_req_plugin cache_req_group_by_name = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = cache_req_group_by_name_ncache_check,
     .ncache_add_fn = cache_req_group_by_name_ncache_add,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_group_by_name_lookup,
     .dp_send_fn = cache_req_group_by_name_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
index 1171cd6..9cb32f6 100644
--- a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
@@ -92,6 +92,7 @@ const struct cache_req_plugin cache_req_host_by_name = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = NULL,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_host_by_name_lookup,
     .dp_send_fn = cache_req_host_by_name_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
index f100aef..75ac44e 100644
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
@@ -209,6 +209,7 @@ const struct cache_req_plugin cache_req_initgroups_by_name = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = cache_req_initgroups_by_name_ncache_check,
     .ncache_add_fn = cache_req_initgroups_by_name_ncache_add,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_initgroups_by_name_lookup,
     .dp_send_fn = cache_req_initgroups_by_name_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
index 266ec7b..b6fb43e 100644
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
@@ -120,6 +120,7 @@ const struct cache_req_plugin cache_req_initgroups_by_upn = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = cache_req_initgroups_by_upn_ncache_check,
     .ncache_add_fn = cache_req_initgroups_by_upn_ncache_add,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_initgroups_by_upn_lookup,
     .dp_send_fn = cache_req_initgroups_by_upn_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
index ab3e553..4d8bb18 100644
--- a/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
@@ -128,6 +128,7 @@ const struct cache_req_plugin cache_req_netgroup_by_name = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = cache_req_netgroup_by_name_ncache_check,
     .ncache_add_fn = cache_req_netgroup_by_name_ncache_add,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_netgroup_by_name_lookup,
     .dp_send_fn = cache_req_netgroup_by_name_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
index 9557bd1..ff3d0e6 100644
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
@@ -111,6 +111,7 @@ const struct cache_req_plugin cache_req_object_by_id = {
     .global_ncache_add_fn = cache_req_object_by_id_global_ncache_add,
     .ncache_check_fn = cache_req_object_by_id_ncache_check,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_object_by_id_lookup,
     .dp_send_fn = cache_req_object_by_id_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
index e236d1f..854d0b8 100644
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
@@ -204,6 +204,7 @@ const struct cache_req_plugin cache_req_object_by_name = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = cache_req_object_by_name_ncache_check,
     .ncache_add_fn = cache_req_object_by_name_ncache_add,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_object_by_name_lookup,
     .dp_send_fn = cache_req_object_by_name_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c b/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
index dfec79d..039a79d 100644
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
@@ -120,6 +120,7 @@ const struct cache_req_plugin cache_req_object_by_sid = {
     .global_ncache_add_fn = cache_req_object_by_sid_global_ncache_add,
     .ncache_check_fn = cache_req_object_by_sid_ncache_check,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_object_by_sid_lookup,
     .dp_send_fn = cache_req_object_by_sid_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c b/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
index b2bfb26..4c32d99 100644
--- a/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
@@ -152,6 +152,7 @@ const struct cache_req_plugin cache_req_svc_by_name = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = cache_req_svc_by_name_ncache_check,
     .ncache_add_fn = cache_req_svc_by_name_ncache_add,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_svc_by_name_lookup,
     .dp_send_fn = cache_req_svc_by_name_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c b/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
index 0e48437..1e998f6 100644
--- a/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
+++ b/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
@@ -125,6 +125,7 @@ const struct cache_req_plugin cache_req_svc_by_port = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = cache_req_svc_by_port_ncache_check,
     .ncache_add_fn = cache_req_svc_by_port_ncache_add,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_svc_by_port_lookup,
     .dp_send_fn = cache_req_svc_by_port_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c b/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
index 286a34d..7a0c7d8 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
@@ -94,6 +94,7 @@ const struct cache_req_plugin cache_req_user_by_cert = {
     .global_ncache_add_fn = cache_req_user_by_cert_global_ncache_add,
     .ncache_check_fn = cache_req_user_by_cert_ncache_check,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_user_by_cert_lookup,
     .dp_send_fn = cache_req_user_by_cert_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
index c476814..dd3f42e 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
@@ -131,6 +131,7 @@ const struct cache_req_plugin cache_req_user_by_filter = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = NULL,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_user_by_filter_lookup,
     .dp_send_fn = cache_req_user_by_filter_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
index 9ba7329..b14b373 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
@@ -144,6 +144,7 @@ const struct cache_req_plugin cache_req_user_by_id = {
     .global_ncache_add_fn = cache_req_user_by_id_global_ncache_add,
     .ncache_check_fn = cache_req_user_by_id_ncache_check,
     .ncache_add_fn = NULL,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_user_by_id_lookup,
     .dp_send_fn = cache_req_user_by_id_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
index 15da7d0..2e49de9 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
@@ -199,6 +199,7 @@ const struct cache_req_plugin cache_req_user_by_name = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = cache_req_user_by_name_ncache_check,
     .ncache_add_fn = cache_req_user_by_name_ncache_add,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_user_by_name_lookup,
     .dp_send_fn = cache_req_user_by_name_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
index 40a097b..b8bcd24 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
@@ -125,6 +125,7 @@ const struct cache_req_plugin cache_req_user_by_upn = {
     .global_ncache_add_fn = NULL,
     .ncache_check_fn = cache_req_user_by_upn_ncache_check,
     .ncache_add_fn = cache_req_user_by_upn_ncache_add,
+    .ncache_filter_fn = NULL,
     .lookup_fn = cache_req_user_by_upn_lookup,
     .dp_send_fn = cache_req_user_by_upn_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv

From a4d0db5a6df166c2bcbcfd4bc14d04fa8d171223 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Tue, 25 Apr 2017 16:33:58 +0200
Subject: [PATCH 4/5] CACHE_REQ: Make use of cache_req_ncache_filter_fn()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This patch makes use of cache_req_ncache_filter_fn() in order to process
the result of a cache_req search and then filter out all the results
that are present in the negative cache.

The "post cache_req search" result processing is done for the plugins
which don't use name as an input token (group_by_id, user_by_id and
object_by_id), but still can be affected by filter_{users,groups}
options.

Resolves:
https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>
---
 src/responder/common/cache_req/cache_req_search.c  | 143 ++++++++++++++++++++-
 .../cache_req/plugins/cache_req_group_by_id.c      |  10 +-
 .../cache_req/plugins/cache_req_object_by_id.c     |  17 ++-
 .../cache_req/plugins/cache_req_user_by_id.c       |  10 +-
 4 files changed, 176 insertions(+), 4 deletions(-)

diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
index 8bc1530..f42262d 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -84,6 +84,136 @@ static void cache_req_search_ncache_add(struct cache_req *cr)
     return;
 }
 
+static errno_t
+cache_req_search_get_name_from_msg(TALLOC_CTX *mem_ctx,
+                                   struct ldb_message *msg,
+                                   struct sss_domain_info *domain,
+                                   bool override_space,
+                                   char **_name)
+{
+    TALLOC_CTX *tmp_ctx;
+    const char *name;
+    char *output_name;
+    char *fqname;
+    errno_t ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    name = sss_get_name_from_msg(domain, msg);
+
+    output_name = sss_output_name(tmp_ctx, name, domain->case_preserve,
+                                  override_space);
+    if (output_name == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "sss_output_name() failed\n");
+        ret = ENOMEM;
+        goto done;
+    }
+
+    fqname = sss_create_internal_fqname(tmp_ctx, output_name, domain->name);
+    if (fqname == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "sss_create_internal_fqname() failed\n");
+        ret = ENOMEM;
+        goto done;
+    }
+
+    *_name = talloc_steal(mem_ctx, fqname);
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
+
+static errno_t cache_req_search_ncache_filter(TALLOC_CTX *mem_ctx,
+                                              struct cache_req *cr,
+                                              struct ldb_result *result,
+                                              struct ldb_result **_result)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct ldb_result *filtered_result;
+    char *name = NULL;
+    errno_t ret;
+
+    if (cr->plugin->ncache_filter_fn == NULL) {
+        CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+                        "This request type does not support filtering negative cache\n");
+        *_result = result;
+        return EOK;
+    }
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+                    "Filtering out results from negative cache\n");
+
+    filtered_result = talloc_zero(mem_ctx, struct ldb_result);
+    if (filtered_result == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    filtered_result->extended = result->extended;
+    filtered_result->controls = result->controls;
+    filtered_result->refs = result->refs;
+    filtered_result->msgs = talloc_zero(mem_ctx, struct ldb_message *);
+
+    for (unsigned int i = 0; i < result->count; i++) {
+        ret = cache_req_search_get_name_from_msg(tmp_ctx,
+                                                 result->msgs[i],
+                                                 cr->domain,
+                                                 cr->rctx->override_space,
+                                                 &name);
+        if (ret != EOK) {
+            CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
+                            "cache_req_search_get_name_from_msg() failed "
+                            "[%d]: %s\n",
+                            ret, sss_strerror(ret));
+            goto done;
+        }
+
+        ret = cr->plugin->ncache_filter_fn(cr->ncache, cr->domain, name);
+        if (ret == EEXIST) {
+            CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+                            "[%s] filtered out! (negative cache)\n",
+                            name);
+            continue;
+        } else if (ret != EOK && ret != ENOENT) {
+            CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
+                            "Unable to check negative cache [%d]: %s\n",
+                            ret, sss_strerror(ret));
+            goto done;
+        }
+
+        CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+                        "[%s] is not present in negative cache\n",
+                        name);
+
+        filtered_result->count++;
+        filtered_result->msgs = talloc_realloc(mem_ctx,
+                                               filtered_result->msgs,
+                                               struct ldb_message *,
+                                               filtered_result->count);
+        filtered_result->msgs[filtered_result->count - 1] = result->msgs[i];
+    }
+
+    if (filtered_result->count == 0) {
+        ret = ENOENT;
+    } else {
+        ret = EOK;
+        *_result = filtered_result;
+    }
+
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
+
 static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx,
                                       struct cache_req *cr,
                                       struct ldb_result **_result)
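Review bot: In cache_req_search_ncache_filter() the msgs array is allocated and reallocated on mem_ctx rather than on filtered_result, and neither the initial talloc_zero() nor the talloc_realloc() inside the loop is checked — on allocation failure the realloc returns NULL, which is stored straight into filtered_result->msgs and dereferenced on the next line. Parenting the array on filtered_result (with a `struct ldb_message **msgs;` local for the realloc result) also lets the `count == 0` path `talloc_free(filtered_result)` before returning ENOENT instead of leaving it attached to mem_ctx. Separately, cache_req_search_get_name_from_msg() hands the result of sss_get_name_from_msg() to sss_output_name() without a NULL check, although that helper returns NULL when no name attribute exists; `if (name == NULL) { ret = EINVAL; goto done; }` before the sss_output_name() call, as nss_protocol_fill_name_list() does, avoids passing a NULL name down. Both helpers are fully contained in this hunk.
```c
    filtered_result->msgs = talloc_zero_array(filtered_result,
                                              struct ldb_message *, 1);
    if (filtered_result->msgs == NULL) {
        ret = ENOMEM;
        goto done;
    }

    for (unsigned int i = 0; i < result->count; i++) {
        /* … unchanged: name lookup and ncache_filter_fn() check … */

        msgs = talloc_realloc(filtered_result, filtered_result->msgs,
                              struct ldb_message *,
                              filtered_result->count + 1);
        if (msgs == NULL) {
            ret = ENOMEM;
            goto done;
        }
        filtered_result->msgs = msgs;
        filtered_result->msgs[filtered_result->count] = result->msgs[i];
        filtered_result->count++;
    }

    if (filtered_result->count == 0) {
        talloc_free(filtered_result);
        ret = ENOENT;
    } else {
        ret = EOK;
        *_result = filtered_result;
    }
```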
@@ -340,6 +470,7 @@ static void cache_req_search_done(struct tevent_req *subreq)
 {
     struct cache_req_search_state *state;
     struct tevent_req *req;
+    struct ldb_result *result = NULL;
     errno_t ret;
 
     req = tevent_req_callback_data(subreq, struct tevent_req);
@@ -349,7 +480,7 @@ static void cache_req_search_done(struct tevent_req *subreq)
     talloc_zfree(subreq);
 
     /* Get result from cache again. */
-    ret = cache_req_search_cache(state, state->cr, &state->result);
+    ret = cache_req_search_cache(state, state->cr, &result);
     if (ret == ENOENT) {
         /* Only store entry in negative cache if DP request succeeded
          * because only then we know that the entry does not exist. */
@@ -363,6 +494,16 @@ static void cache_req_search_done(struct tevent_req *subreq)
         return;
     }
 
+    /* ret == EOK */
+    ret = cache_req_search_ncache_filter(state, state->cr, result,
+                                         &state->result);
+    if (ret != EOK) {
+        tevent_req_error(req, ret);
+        return;
+    }
+
+    state->result = result;
+
     CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr,
                     "Returning updated object [%s]\n", state->cr->debugobj);
 
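Review bot: The filtered result is thrown away again at `state->result = result;`: cache_req_search_ncache_filter() already stores its filtered copy into `&state->result` two statements earlier (on success it does `*_result = filtered_result`), and this assignment then overwrites it with the unfiltered `result` from cache_req_search_cache(), so on the data-provider-refresh path negatively cached / filter_users entries are returned after all. Dropping the `state->result = result;` line is the whole fix; the `/* ret == EOK */` comment could then be extended to `/* ret == EOK: keep only entries that are not negatively cached */` to record why state->result is filled indirectly. Note that the filter returns ENOENT when every entry is filtered out, which this hunk reports through tevent_req_error(); that is presumably what callers expect for "not found", but it is worth confirming. The rest of cache_req_search_done (the tevent_req_done call) lies outside the hunk.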
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
index 5613bf6..bcf90e7 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
@@ -43,6 +43,14 @@ cache_req_group_by_id_ncache_check(struct sss_nc_ctx *ncache,
 }
 
 static errno_t
+cache_req_group_by_id_ncache_filter(struct sss_nc_ctx *ncache,
+                                    struct sss_domain_info *domain,
+                                    char *name)
+{
+    return sss_ncache_check_group(ncache, domain, name);
+}
+
+static errno_t
 cache_req_group_by_id_global_ncache_add(struct sss_nc_ctx *ncache,
                                         struct cache_req_data *data)
 {
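Review bot: `name` in the new cache_req_group_by_id_ncache_filter is only forwarded to sss_ncache_check_group() and never written, so the parameter should be `const char *name` rather than `char *name`; the same applies to the sibling filter callbacks added in this series. If the `ncache_filter_fn` pointer type in the plugin struct (not visible here) is what forces `char *`, the typedef is the place to fix so that callers can pass the name obtained from cache_req_search_get_name_from_msg() without a cast. A one-line comment such as `/* Drop results whose name is in the group negative cache (filter_groups). */` would also help, since the difference from ncache_check_fn (which runs before the lookup) is not obvious from the name.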
@@ -144,7 +152,7 @@ const struct cache_req_plugin cache_req_group_by_id = {
     .global_ncache_add_fn = cache_req_group_by_id_global_ncache_add,
     .ncache_check_fn = cache_req_group_by_id_ncache_check,
     .ncache_add_fn = NULL,
-    .ncache_filter_fn = NULL,
+    .ncache_filter_fn = cache_req_group_by_id_ncache_filter,
     .lookup_fn = cache_req_group_by_id_lookup,
     .dp_send_fn = cache_req_group_by_id_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
index ff3d0e6..de894db 100644
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
@@ -50,6 +50,21 @@ cache_req_object_by_id_ncache_check(struct sss_nc_ctx *ncache,
 }
 
 static errno_t
+cache_req_object_by_id_ncache_filter(struct sss_nc_ctx *ncache,
+                                     struct sss_domain_info *domain,
+                                     char *name)
+{
+    errno_t ret;
+
+    ret = sss_ncache_check_user(ncache, domain, name);
+    if (ret == EEXIST) {
+        ret = sss_ncache_check_group(ncache, domain, name);
+    }
+
+    return ret;
+}
+
+static errno_t
 cache_req_object_by_id_global_ncache_add(struct sss_nc_ctx *ncache,
                                          struct cache_req_data *data)
 {
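Review bot: cache_req_object_by_id_ncache_filter reports EEXIST only when `name` is negatively cached both as a user and as a group, so an entry listed only in filter_users (or only in filter_groups) still passes this filter on the object-by-id path, whereas the user_by_id and group_by_id filters in the same series check the single matching cache. If this is deliberate because the callback receives just the name and cannot tell whether the result is a user or a group, that reasoning should be written above the function, e.g. `/* Only the name is known here and the object may be a user or a group, so treat it as filtered only if both negative caches contain it. */`. Otherwise the plugin would need the result's object class to pick the right cache, and as far as the visible code shows the intent is not recorded either way.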
@@ -111,7 +126,7 @@ const struct cache_req_plugin cache_req_object_by_id = {
     .global_ncache_add_fn = cache_req_object_by_id_global_ncache_add,
     .ncache_check_fn = cache_req_object_by_id_ncache_check,
     .ncache_add_fn = NULL,
-    .ncache_filter_fn = NULL,
+    .ncache_filter_fn = cache_req_object_by_id_ncache_filter,
     .lookup_fn = cache_req_object_by_id_lookup,
     .dp_send_fn = cache_req_object_by_id_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
index b14b373..b18f083 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
@@ -43,6 +43,14 @@ cache_req_user_by_id_ncache_check(struct sss_nc_ctx *ncache,
 }
 
 static errno_t
+cache_req_user_by_id_ncache_filter(struct sss_nc_ctx *ncache,
+                                   struct sss_domain_info *domain,
+                                   char *name)
+{
+    return sss_ncache_check_user(ncache, domain, name);
+}
+
+static errno_t
 cache_req_user_by_id_global_ncache_add(struct sss_nc_ctx *ncache,
                                        struct cache_req_data *data)
 {
@@ -144,7 +152,7 @@ const struct cache_req_plugin cache_req_user_by_id = {
     .global_ncache_add_fn = cache_req_user_by_id_global_ncache_add,
     .ncache_check_fn = cache_req_user_by_id_ncache_check,
     .ncache_add_fn = NULL,
-    .ncache_filter_fn = NULL,
+    .ncache_filter_fn = cache_req_user_by_id_ncache_filter,
     .lookup_fn = cache_req_user_by_id_lookup,
     .dp_send_fn = cache_req_user_by_id_dp_send,
     .dp_recv_fn = cache_req_common_dp_recv

From 90f2f21b4f87c448760a1668b4f3c484ed89e5de Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Wed, 5 Apr 2017 17:56:40 +0200
Subject: [PATCH 5/5] test_ldap.py: Add test for filter_{users,groups}
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Related:
https://pagure.io/SSSD/sssd/issue/3362

Reviewed-by: Fabiano Fidêncio <fiden...@redhat.com>
---
 src/tests/intg/test_ldap.py | 96 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)

diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 848cb41..ea7393f 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -980,3 +980,99 @@ def rfc2307bis_no_nesting(request, ldap_conn):
 def test_zero_nesting_level(ldap_conn, rfc2307bis_no_nesting):
     ent.assert_group_by_name("group1",
                              dict(mem=ent.contains_only("user1")))
+
+
+@pytest.fixture
+def sanity_nss_filter(request, ldap_conn):
+    ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+    ent_list.add_user("user1", 1001, 2001)
+    ent_list.add_user("user2", 1002, 2002)
+    ent_list.add_user("user3", 1003, 2003)
+
+    ent_list.add_group_bis("group1", 2001)
+    ent_list.add_group_bis("group2", 2002)
+    ent_list.add_group_bis("group3", 2003)
+
+    ent_list.add_group_bis("empty_group1", 2010)
+    ent_list.add_group_bis("empty_group2", 2011)
+
+    ent_list.add_group_bis("two_user_group", 2012, ["user1", "user2"])
+    ent_list.add_group_bis("group_empty_group", 2013, [], ["empty_group1"])
+    ent_list.add_group_bis("group_two_empty_groups", 2014,
+                           [], ["empty_group1", "empty_group2"])
+    ent_list.add_group_bis("one_user_group1", 2015, ["user1"])
+    ent_list.add_group_bis("one_user_group2", 2016, ["user2"])
+    ent_list.add_group_bis("group_one_user_group", 2017,
+                           [], ["one_user_group1"])
+    ent_list.add_group_bis("group_two_user_group", 2018,
+                           [], ["two_user_group"])
+    ent_list.add_group_bis("group_two_one_user_groups", 2019,
+                           [], ["one_user_group1", "one_user_group2"])
+
+    create_ldap_fixture(request, ldap_conn, ent_list)
+    conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
+        unindent("""
+            [nss]
+            filter_users = user2
+            filter_groups = group_two_one_user_groups
+        """).format(**locals())
+    create_conf_fixture(request, conf)
+    create_sssd_fixture(request)
+    return None
+
+
+def test_nss_filters(ldap_conn, sanity_nss_filter):
+    passwd_pattern = expected_list_to_name_dict([
+        dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001',
+             dir='/home/user1', shell='/bin/bash'),
+        dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003',
+             dir='/home/user3', shell='/bin/bash')
+    ])
+
+    # test filtered user
+    ent.assert_each_passwd_by_name(passwd_pattern)
+    with pytest.raises(KeyError):
+        pwd.getpwnam("user2")
+    with pytest.raises(KeyError):
+        pwd.getpwuid(1002)
+
+    group_pattern = expected_list_to_name_dict([
+        dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
+        dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
+        dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
+        dict(name='empty_group1', passwd='*', gid=2010,
+             mem=ent.contains_only()),
+        dict(name='empty_group2', passwd='*', gid=2011,
+             mem=ent.contains_only()),
+        dict(name='two_user_group', passwd='*', gid=2012,
+             mem=ent.contains_only("user1")),
+        dict(name='group_empty_group', passwd='*', gid=2013,
+             mem=ent.contains_only()),
+        dict(name='group_two_empty_groups', passwd='*', gid=2014,
+             mem=ent.contains_only()),
+        dict(name='one_user_group1', passwd='*', gid=2015,
+             mem=ent.contains_only("user1")),
+        dict(name='one_user_group2', passwd='*', gid=2016,
+             mem=ent.contains_only()),
+        dict(name='group_one_user_group', passwd='*', gid=2017,
+             mem=ent.contains_only("user1")),
+        dict(name='group_two_user_group', passwd='*', gid=2018,
+             mem=ent.contains_only("user1")),
+    ])
+
+    # test filtered group
+    ent.assert_each_group_by_name(group_pattern)
+    with pytest.raises(KeyError):
+        grp.getgrnam("group_two_one_user_groups")
+    with pytest.raises(KeyError):
+        grp.getgrgid(2019)
+
+    # test non-existing user/group
+    with pytest.raises(KeyError):
+        pwd.getpwnam("non_existent_user")
+    with pytest.raises(KeyError):
+        pwd.getpwuid(9)
+    with pytest.raises(KeyError):
+        grp.getgrnam("non_existent_group")
+    with pytest.raises(KeyError):
+        grp.getgrgid(14)
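Review bot: test_nss_filters exercises only by-name and by-id lookups, so the enumeration path (getpwent/getgrent), to which filter_users/filter_groups presumably also apply, is left uncovered and a regression there would pass this test. Adding `assert "user2" not in [p.pw_name for p in pwd.getpwall()]` and `assert "group_two_one_user_groups" not in [g.gr_name for g in grp.getgrall()]` would close that gap, provided the domain section produced by format_basic_conf has `enumerate = True` (not visible here; the fixture config would need to add it otherwise). Separately, the `.format(**locals())` call on a template with no replacement fields in sanity_nss_filter can be dropped.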