URL: https://github.com/SSSD/sssd/pull/258
Author: jhrozek
 Title: #258: IFP: Fix name qualification for user groups  (1.14 backport)
Action: opened

PR body:
"""
This PR back-ports patches that fix qualification of user groups coming through 
the org.freedesktop.sssd.infopipe.GetUserGroups interface in the 1.14 branch.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/258/head:pr258
git checkout pr258
From 47112c9a346638920024057689cb106cc4b8fd60 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <[email protected]>
Date: Wed, 19 Apr 2017 17:44:40 +0200
Subject: [PATCH 1/2] Move sized_output_name() and sized_domain_name() into
 responder common code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These functions are used to format a name into the format that the user
configured for output, including case sensitivity, whitespace
replacement and the qualified-name format. They were used only in the NSS
responder, which typically returns strings to the NSS client library and
then to the user.

But it makes sense to just reuse the same code in the IFP responder as
well, since it does essentially the same job.

The patch also renames sized_member_name to sized_domain_name.
Previously, the function was only used to format a group member, the IFP
responder would use the same function to format a group the user is a
member of.

Related to:
    https://pagure.io/SSSD/sssd/issue/3268

Reviewed-by: Pavel Březina <[email protected]>
(cherry picked from commit 7c074ba2f923985ab0d4f9d6a5e01ff3f2f0a7a8)
---
 src/responder/common/responder.h        | 21 ++++++++
 src/responder/common/responder_common.c | 90 +++++++++++++++++++++++++++++++++
 src/responder/nss/nsssrv_cmd.c          | 89 +-------------------------------
 3 files changed, 112 insertions(+), 88 deletions(-)

diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 9e3b2fd..fd6a67b 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -358,4 +358,25 @@ char *sss_resp_create_fqname(TALLOC_CTX *mem_ctx,
                              bool name_is_upn,
                              const char *orig_name);
 
+/**
+ * Helper functions to format output names
+ */
+
+/* Format orig_name into a sized_string in output format as prescribed
+ * by the name_dom domain
+ */
+int sized_output_name(TALLOC_CTX *mem_ctx,
+                      struct resp_ctx *rctx,
+                      const char *orig_name,
+                      struct sss_domain_info *name_dom,
+                      struct sized_string **_name);
+
+/* Format orig_name into a sized_string in output format as prescribed
+ * by the domain read from the fully qualified name.
+ */
+int sized_domain_name(TALLOC_CTX *mem_ctx,
+                      struct resp_ctx *rctx,
+                      const char *member_name,
+                      struct sized_string **_name);
+
 #endif /* __SSS_RESPONDER_H__ */
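Review bot: The comment above the new `sized_domain_name` prototype describes formatting `orig_name`, but the parameter it declares is `member_name`, and the comment says nothing about the failure modes callers in other responders will now have to handle. The implementation in responder_common.c returns `ERR_WRONG_NAME_FORMAT` when the name carries no domain part and `ERR_DOMAIN_NOT_FOUND` when the domain is not known, and hands `*_name` back allocated on `mem_ctx`. I would replace the comment with something like `/* Format member_name, which must be an internal fully qualified name, into a sized_string in the output format of the domain named in it. Returns ERR_WRONG_NAME_FORMAT if the name is not qualified and ERR_DOMAIN_NOT_FOUND if the domain is unknown; *_name is allocated on mem_ctx. */`, and add the same ownership sentence to the `sized_output_name` comment.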
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index f6f701e..cc0464e 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -1269,3 +1269,93 @@ void responder_set_fd_limit(rlim_t fd_limit)
                "Proceeding with system values\n");
     }
 }
+
+/**
+ * Helper functions to format output names
+ */
+int sized_output_name(TALLOC_CTX *mem_ctx,
+                      struct resp_ctx *rctx,
+                      const char *orig_name,
+                      struct sss_domain_info *name_dom,
+                      struct sized_string **_name)
+{
+    TALLOC_CTX *tmp_ctx = NULL;
+    errno_t ret;
+    char *username;
+    struct sized_string *name;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    username = sss_output_name(tmp_ctx, orig_name, name_dom->case_preserve,
+                               rctx->override_space);
+    if (username == NULL) {
+        ret = EIO;
+        goto done;
+    }
+
+    if (name_dom->fqnames) {
+        username = sss_tc_fqname(tmp_ctx, name_dom->names, name_dom, username);
+        if (username == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "sss_replace_space failed\n");
+            ret = EIO;
+            goto done;
+        }
+    }
+
+    name = talloc_zero(tmp_ctx, struct sized_string);
+    if (name == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    to_sized_string(name, username);
+    name->str = talloc_steal(name, username);
+    *_name = talloc_steal(mem_ctx, name);
+    ret = EOK;
+done:
+    talloc_zfree(tmp_ctx);
+    return ret;
+}
+
+int sized_domain_name(TALLOC_CTX *mem_ctx,
+                      struct resp_ctx *rctx,
+                      const char *member_name,
+                      struct sized_string **_name)
+{
+    TALLOC_CTX *tmp_ctx = NULL;
+    errno_t ret;
+    char *domname;
+    struct sss_domain_info *member_dom;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    ret = sss_parse_internal_fqname(tmp_ctx, member_name, NULL, &domname);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_internal_fqname failed\n");
+        goto done;
+    }
+
+    if (domname == NULL) {
+        ret = ERR_WRONG_NAME_FORMAT;
+        goto done;
+    }
+
+    member_dom = find_domain_by_name(get_domains_head(rctx->domains),
+                                     domname, true);
+    if (member_dom == NULL) {
+        ret = ERR_DOMAIN_NOT_FOUND;
+        goto done;
+    }
+
+    ret = sized_output_name(mem_ctx, rctx, member_name,
+                            member_dom, _name);
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
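Review bot: The failure path after `sss_tc_fqname()` in `sized_output_name` logs `"sss_replace_space failed\n"`, which names the wrong function and will send anyone debugging a qualification problem to the wrong place; it should read `DEBUG(SSSDBG_CRIT_FAILURE, "sss_tc_fqname failed\n");`. The code is moved verbatim from nsssrv_cmd.c, so the message predates this commit, but now that it is shared by the NSS and IFP responders the move is the right moment to correct it. A smaller consistency point in the same hunk: `sized_output_name` releases its temporary context with `talloc_zfree(tmp_ctx)` while `sized_domain_name` uses `talloc_free(tmp_ctx)`; neither pointer is used afterwards, so either form works, but the two neighbouring functions should agree.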
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 48d8416..44a5e59 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -253,93 +253,6 @@ static const char *get_shell_override(TALLOC_CTX *mem_ctx,
     return talloc_strdup(mem_ctx, NOLOGIN_SHELL);
 }
 
-static int sized_output_name(TALLOC_CTX *mem_ctx,
-                             struct resp_ctx *rctx,
-                             const char *orig_name,
-                             struct sss_domain_info *name_dom,
-                             struct sized_string **_name)
-{
-    TALLOC_CTX *tmp_ctx = NULL;
-    errno_t ret;
-    char *username;
-    struct sized_string *name;
-
-    tmp_ctx = talloc_new(NULL);
-    if (tmp_ctx == NULL) {
-        return ENOMEM;
-    }
-
-    username = sss_output_name(tmp_ctx, orig_name, name_dom->case_preserve,
-                               rctx->override_space);
-    if (username == NULL) {
-        ret = EIO;
-        goto done;
-    }
-
-    if (name_dom->fqnames) {
-        username = sss_tc_fqname(tmp_ctx, name_dom->names, name_dom, username);
-        if (username == NULL) {
-            DEBUG(SSSDBG_CRIT_FAILURE, "sss_replace_space failed\n");
-            ret = EIO;
-            goto done;
-        }
-    }
-
-    name = talloc_zero(tmp_ctx, struct sized_string);
-    if (name == NULL) {
-        ret = ENOMEM;
-        goto done;
-    }
-
-    to_sized_string(name, username);
-    name->str = talloc_steal(name, username);
-    *_name = talloc_steal(mem_ctx, name);
-    ret = EOK;
-done:
-    talloc_zfree(tmp_ctx);
-    return ret;
-}
-
-static int sized_member_name(TALLOC_CTX *mem_ctx,
-                             struct resp_ctx *rctx,
-                             const char *member_name,
-                             struct sized_string **_name)
-{
-    TALLOC_CTX *tmp_ctx = NULL;
-    errno_t ret;
-    char *domname;
-    struct sss_domain_info *member_dom;
-
-    tmp_ctx = talloc_new(NULL);
-    if (tmp_ctx == NULL) {
-        return ENOMEM;
-    }
-
-    ret = sss_parse_internal_fqname(tmp_ctx, member_name, NULL, &domname);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_internal_fqname failed\n");
-        goto done;
-    }
-
-    if (domname == NULL) {
-        ret = ERR_WRONG_NAME_FORMAT;
-        goto done;
-    }
-
-    member_dom = find_domain_by_name(get_domains_head(rctx->domains),
-                                     domname, true);
-    if (member_dom == NULL) {
-        ret = ERR_DOMAIN_NOT_FOUND;
-        goto done;
-    }
-
-    ret = sized_output_name(mem_ctx, rctx, member_name,
-                            member_dom, _name);
-done:
-    talloc_free(tmp_ctx);
-    return ret;
-}
-
 static int fill_pwent(struct sss_packet *packet,
                       struct sss_domain_info *dom,
                       struct nss_ctx *nctx,
@@ -2736,7 +2649,7 @@ static int fill_members(struct sss_packet *packet,
             }
         }
 
-        ret = sized_member_name(tmp_ctx, rctx, fqname, &name);
+        ret = sized_domain_name(tmp_ctx, rctx, fqname, &name);
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE, "sized_member_name failed: %d\n", ret);
             goto done;
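Review bot: The call is renamed to `sized_domain_name` but the error message one line below still says `"sized_member_name failed: %d\n"`, so after this patch the log refers to a function that no longer exists in the file. The line should become `DEBUG(SSSDBG_OP_FAILURE, "sized_domain_name failed: %d\n", ret);`. `fill_members` begins and ends outside this hunk.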

From 7ea8cf3b66f6890f677144fa495545bc8c6190aa Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <[email protected]>
Date: Wed, 19 Apr 2017 17:46:03 +0200
Subject: [PATCH 2/2] IFP: Use sized_domain_name to format the groups the user
 is a member of
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves:
    https://pagure.io/SSSD/sssd/issue/3268

Uses the common function sized_domain_name() to format a group the user
is a member of to the appropriate format.

To verify that the code works correctly, run:
        dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe
                  /org/freedesktop/sssd/infopipe
                  org.freedesktop.sssd.infopipe.GetUserGroups
                  string:trusted_user

Where trusted_user is a user from a trusted domain that is a member of groups
from the joined domain and a trusted domain as well. The groups from the
joined domain should not be qualified, the groups from the trusted
domain should be qualified.

Reviewed-by: Pavel Březina <[email protected]>
(cherry picked from commit c9a73bb6ffa010ef206896a0d1c2801bc056fa45)
---
 src/responder/ifp/ifpsrv_cmd.c | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index 97fad47..f14a41d 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -369,10 +369,11 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain,
                           struct ifp_req *ireq,
                           struct ldb_result *res)
 {
-    int i, num;
+    int i, gri, num;
     const char *name;
     const char **groupnames;
-    char *out_name;
+    struct sized_string *group_name;
+    errno_t ret;
 
     /* one less, the first one is the user entry */
     num = res->count - 1;
@@ -381,6 +382,7 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain,
         return sbus_request_finish(ireq->dbus_req, NULL);
     }
 
+    gri = 0;
     for (i = 0; i < num; i++) {
         name = sss_view_ldb_msg_find_attr_as_string(domain,
                                                     res->msgs[i + 1],
@@ -390,22 +392,21 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain,
             continue;
         }
 
-        out_name = sss_output_name(ireq, name, domain->case_preserve,
-                                   ireq->ifp_ctx->rctx->override_space);
-        if (out_name == NULL) {
+        ret = sized_domain_name(ireq, ireq->ifp_ctx->rctx, name, &group_name);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Unable to get sized name for %s [%d]: %s\n",
+                  name, ret, sss_strerror(ret));
             continue;
         }
 
-        if (domain->fqnames) {
-            groupnames[i] = sss_tc_fqname(groupnames, domain->names,
-                                          domain, out_name);
-            if (out_name == NULL) {
-                DEBUG(SSSDBG_CRIT_FAILURE, "sss_tc_fqname failed\n");
-                continue;
-            }
-        } else {
-            groupnames[i] = talloc_steal(groupnames, out_name);
+        groupnames[gri] = talloc_strndup(groupnames,
+                                         group_name->str, group_name->len);
+        if (groupnames[gri] == NULL) {
+            DEBUG(SSSDBG_MINOR_FAILURE, "talloc_strndup failed\n");
+            continue;
         }
+        gri++;
 
         DEBUG(SSSDBG_TRACE_FUNC, "Adding group %s\n", groupnames[i]);
     }
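Review bot: The trace message at the end of the loop body still reads `groupnames[i]`, but the new code writes the result to `groupnames[gri]` and has already executed `gri++` by that point, so the slot it prints is `groupnames[gri - 1]` at best, and once any earlier iteration has hit one of the `continue` statements, `i` runs ahead of `gri` and the log reads a slot that this loop has not filled yet (a NULL passed to `%s` if the array was zero-initialised). Move the trace ahead of the increment and index it with the compacted counter: `DEBUG(SSSDBG_TRACE_FUNC, "Adding group %s\n", groupnames[gri]);` followed by `gri++;`. Because skipped groups now compact the array, the count handed to the D-Bus reply after the loop should be `gri` rather than `num` if it still uses `num`; that code is outside the hunk, as is the end of `ifp_user_get_groups_reply`, so I cannot confirm it from here. Separately, `sized_domain_name` allocates `group_name` on `ireq` and the string is immediately copied into `groupnames`, so each iteration leaves a `sized_string` alive on `ireq` until the request finishes; a `talloc_free(group_name);` after the copy would keep the per-request allocation flat.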