URL: https://github.com/SSSD/sssd/pull/777 Author: jhrozek Title: #777: TESTS: Add a unit test for UPNs stored by sss_ncache_prepopulate Action: opened
PR body: """ This is a test for https://github.com/SSSD/sssd/pull/776 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/777/head:pr777 git checkout pr777
From baed499792a7c6576be8b2cb31b78871a6ebf2bc Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Tue, 12 Mar 2019 13:02:18 +0100 Subject: [PATCH 1/4] NEGCACHE: initialize UPN negative cache as well UPNs are handled separately in the negative cache. To properly filter user names even in the case of the fallback to a UPN lookup the negative cahe for UPNs has to be initialized with the names from the filter_user option as well. If the name from the option is a short name it will be added to the negative UPN cache for each domain with the respective domain name. If the name from the option is fully-qualified it will be added as is to the negative UPN cache for each domain. Related to https://pagure.io/SSSD/sssd/issue/3978 --- src/man/sssd.conf.5.xml | 3 ++- src/responder/common/negcache.c | 42 +++++++++++++++++++++++++++++---- 2 files changed, 39 insertions(+), 6 deletions(-) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index bea25c6228..180fc2486d 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -849,7 +849,8 @@ from the sss NSS database. This is particularly useful for system accounts. This option can also be set per-domain or include fully-qualified names - to filter only users from the particular domain. + to filter only users from the particular domain or + by a user princiapal name (UPN). </para> <para> NOTE: The filter_groups option doesn't affect diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c index c5c43178f0..ca3b062a9c 100644 --- a/src/responder/common/negcache.c +++ b/src/responder/common/negcache.c 
@@ -974,10 +974,16 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, } if (domainname && strcmp(domainname, dom->name)) { - DEBUG(SSSDBG_CRIT_FAILURE, + DEBUG(SSSDBG_TRACE_FUNC, "Mismatch between domain name (%s) and name " - "set in FQN (%s), skipping user %s\n", - dom->name, domainname, name); + "set in FQN (%s), assuming %s is UPN\n", + dom->name, domainname, filter_list[i]); + ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ncache_set_upn failed (%d [%s]), ignored\n", + ret, sss_strerror(ret)); + } continue; } @@ -986,13 +992,19 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, continue; } + ret = sss_ncache_set_upn(ncache, true, dom, fqname); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ncache_set_upn failed (%d [%s]), ignored\n", + ret, sss_strerror(ret)); + } ret = sss_ncache_set_user(ncache, true, dom, fqname); talloc_zfree(fqname); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to store permanent user filter for [%s]" " (%d [%s])\n", filter_list[i], - ret, strerror(ret)); + ret, sss_strerror(ret)); continue; } } @@ -1023,7 +1035,18 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, dom = responder_get_domain(rctx, domainname); if (!dom) { DEBUG(SSSDBG_CRIT_FAILURE, - "Invalid domain name [%s]\n", domainname); + "Unknown domain name [%s], assuming [%s] is UPN\n", + domainname, filter_list[i]); + for (dom = domain_list; + dom != NULL; + dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { + ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ncache_set_upn failed (%d [%s]), ignored\n", + ret, sss_strerror(ret)); + } + } continue; } 
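Review bot: The failure of the new sss_ncache_set_upn() call in the `@@ -974` hunk is logged at SSSDBG_OP_FAILURE and ignored, while the same call's failure in the `@@ -1050` hunk of this file is logged at SSSDBG_CRIT_FAILURE, and the neighbouring sss_ncache_set_user() failure has always been CRIT_FAILURE; the severity should be the same in all four places (the `@@ -986` and `@@ -1023` hunks carry the same OP_FAILURE wording). filter_users is a protective setting, so an entry that silently fails to land in the permanent negative cache is worth `DEBUG(SSSDBG_CRIT_FAILURE,` everywhere. The name stored is `filter_list[i]` verbatim; whether sss_ncache_set_upn() and sss_ncache_check_upn() fold case the same way the UPN lookup path does is not visible in this hunk and is worth confirming, since a mismatch would make the filter ineffective for a differently-cased UPN. sss_ncache_prepopulate() starts and ends outside the hunk.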
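Review bot: The "Unknown domain name [%s], assuming [%s] is UPN" message in the `@@ -1023` hunk stays at SSSDBG_CRIT_FAILURE although that branch is now an expected path for UPN-style entries, whereas the equivalent message in the `@@ -974` hunk was lowered to SSSDBG_TRACE_FUNC; with a UPN in the global filter_users this will log a critical failure on every (re)population. Suggest `DEBUG(SSSDBG_TRACE_FUNC,` here as well. The new loop reuses `dom` as its iterator and leaves it NULL afterwards, which is harmless only because of the `continue` that follows; a comment such as `/* dom is NULL after this loop; the continue below means it is not reused */` would make that explicit. `domain_list` is not defined within the hunk, so I assume it is a local of sss_ncache_prepopulate(), which starts and ends outside the hunk.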
@@ -1050,6 +1073,15 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, continue; } + ret = sss_ncache_set_upn(ncache, true, dom, fqname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to store permanent upn filter for" + " [%s:%s] (%d [%s])\n", + dom->name, filter_list[i], + ret, strerror(ret)); + } + ret = sss_ncache_set_user(ncache, true, dom, fqname); talloc_zfree(fqname); if (ret != EOK) { From 987f184619a86a90fd8065498f1fcd37cb3d49af Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Tue, 12 Mar 2019 18:16:38 +0100 Subject: [PATCH 2/4] NEGCACHE: fix typo in debug message --- src/responder/common/responder_get_domains.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c index b60d0e0232..bf43bbfd0e 100644 --- a/src/responder/common/responder_get_domains.c +++ b/src/responder/common/responder_get_domains.c @@ -442,7 +442,8 @@ static void get_domains_at_startup_done(struct tevent_req *req) ret = sss_ncache_reset_repopulate_permanent(state->rctx, state->optional_ncache); if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, "sss_dp_get_domains request failed.\n"); + DEBUG(SSSDBG_MINOR_FAILURE, + "sss_ncache_reset_repopulate_permanent failed.\n"); } } From e547865f1acb9d9982bc379fb14d6e6682b58b2a Mon Sep 17 00:00:00 2001 
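Review bot: The new error message in the `@@ -1050` hunk formats the error with `strerror(ret)` while the rest of this patch changes the surrounding messages to `sss_strerror(ret)`; the line should read `ret, sss_strerror(ret));` so that SSSD-specific error codes are rendered as well. The failure is logged and execution then falls through to sss_ncache_set_user(), which matches the earlier hunks. The enclosing function continues past the hunk.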
From: Sumit Bose <sb...@redhat.com> Date: Tue, 12 Mar 2019 18:26:58 +0100 Subject: [PATCH 3/4] NEGCACHE: repopulate negative cache after get_domains If SSSD starts offline the responders might only know about the configured domain because the sub-domains have not been discovered yet. As a result the permanent negative cache is only populated for the configured domain. If later the system goes online and the sub-domains are discovered or a new sub-domain was discovered at runtime the permanent negative cache is currently not created for those domains. This patch repopulates the negative cache for all known domains to the end of the get_domains request. Related to https://pagure.io/SSSD/sssd/issue/3983 --- src/responder/common/responder_get_domains.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c index bf43bbfd0e..8f25885c08 100644 --- a/src/responder/common/responder_get_domains.c +++ b/src/responder/common/responder_get_domains.c @@ -308,6 +308,13 @@ sss_dp_get_domains_process(struct tevent_req *subreq) sss_resp_update_certmaps(state->rctx); + ret = sss_ncache_reset_repopulate_permanent(state->rctx, + state->rctx->ncache); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ncache_reset_repopulate_permanent failed, ignored.\n"); + } + tevent_req_done(req); return; } From bca555f3bdfa329514ef5f5d4558aebb856af489 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Wed, 13 Mar 2019 17:41:29 +0100 Subject: [PATCH 4/4] TESTS: Add a unit test for UPNs stored by sss_ncache_prepopulate --- src/tests/cmocka/test_negcache.c | 90 +++++++++++++++++++++++++------- 1 file changed, 71 insertions(+), 19 deletions(-) diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c index a0210928bd..f7a3b3fda6 100644 --- a/src/tests/cmocka/test_negcache.c +++ b/src/tests/cmocka/test_negcache.c 
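Review bot: The sss_ncache_reset_repopulate_permanent() failure added in sss_dp_get_domains_process() is logged at SSSDBG_OP_FAILURE and the request is then completed as successful; if, as the name suggests, the function clears the permanent entries before re-adding them, a failed call leaves the responder without its filter_users and filter_groups entries rather than with stale ones. That is the loss of a protective setting, so `DEBUG(SSSDBG_CRIT_FAILURE,` seems more appropriate, and the message could say what was lost: `"sss_ncache_reset_repopulate_permanent failed, permanent negative cache may be incomplete.\n"`. Whether the cleared state is observable before repopulation finishes cannot be seen from this hunk and should be confirmed in negcache.c. The function begins outside the hunk.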
@@ -39,6 +39,7 @@ #include "lib/idmap/sss_idmap.h" #include "util/util.h" #include "util/util_sss_idmap.h" +#include "db/sysdb_private.h" #include "responder/common/responder.h" #include "responder/common/negcache.h" @@ -52,6 +53,7 @@ #define TEST_CONF_DB "test_nss_conf.ldb" #define TEST_DOM_NAME "nss_test" #define TEST_ID_PROVIDER "ldap" +#define TEST_SUBDOM_NAME "test.subdomain" /* register_cli_protocol_version is required in test since it links with * responder_common.c module @@ -582,6 +584,29 @@ static int check_gid_in_ncache(struct sss_nc_ctx *ctx, return ret; } +static int add_confdb_params(struct sss_test_conf_param params[], + struct confdb_ctx *cdb, const char *section) +{ + const char *val[2]; + int ret; + + val[1] = NULL; + + for (int i = 0; params[i].key; i++) { + val[0] = params[i].value; + ret = confdb_add_param(cdb, true, section, params[i].key, val); + assert_int_equal(ret, EOK); + } + + return EOK; +} + +static int add_nss_params(struct sss_test_conf_param nss_params[], + struct confdb_ctx *cdb) +{ + return add_confdb_params(nss_params, cdb, CONFDB_NSS_CONF_ENTRY); +} + static void test_sss_ncache_prepopulate(void **state) { int ret; @@ -589,9 +614,14 @@ static void test_sss_ncache_prepopulate(void **state) struct tevent_context *ev; struct sss_nc_ctx *ncache; struct sss_test_ctx *tc; - struct sss_domain_info *dom; + const char *const testdom[4] = { TEST_SUBDOM_NAME, "TEST.SUB", "test", "S-3" }; + struct sss_domain_info *subdomain; - struct sss_test_conf_param params[] = { + struct sss_test_conf_param nss_params[] = { + { "filter_users", "testuser_nss@UPN.REALM" }, + { NULL, NULL }, + }; + struct sss_test_conf_param dom_params[] = { { "filter_users", "testuser1, testuser2@"TEST_DOM_NAME", testuser3@somedomain" }, { "filter_groups", "testgroup1, testgroup2@"TEST_DOM_NAME", testgroup3@somedomain" }, { NULL, NULL }, 
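Review bot: add_confdb_params() in the `@@ -582` hunk can only ever return EOK, because every failure is caught by `assert_int_equal(ret, EOK)` inside the loop, which aborts the test; the `ret = add_nss_params(...); assert_int_equal(ret, EOK);` check in the caller is therefore dead. Either make both helpers `void`, or drop the inner assert and `return ret;` on the first failure so that the caller's assertion is the one that reports it. A one-line comment on the helper, e.g. `/* Add each key/value pair of params to section; aborts the test on failure. */`, would help, and the new include of `db/sysdb_private.h` deserves a comment on why a private header is needed here (presumably for new_subdomain() or sysdb_subdomain_store()). The `@@ -589` hunk is the start of test_sss_ncache_prepopulate(), which continues outside this hunk.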
@@ -602,22 +632,35 @@ static void test_sss_ncache_prepopulate(void **state) ev = tevent_context_init(ts); assert_non_null(ev); - dom = talloc_zero(ts, struct sss_domain_info); - assert_non_null(dom); - dom->name = discard_const_p(char, TEST_DOM_NAME); - ts->nctx = mock_nctx(ts); assert_non_null(ts->nctx); tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB, - TEST_DOM_NAME, TEST_ID_PROVIDER, params); + TEST_DOM_NAME, TEST_ID_PROVIDER, dom_params); assert_non_null(tc); + ret = add_nss_params(nss_params, tc->confdb); + assert_int_equal(ret, EOK); + + subdomain = new_subdomain(tc, tc->dom, + testdom[0], testdom[1], testdom[2], testdom[3], + false, false, NULL, NULL, 0, + tc->confdb); + assert_non_null(subdomain); + + ret = sysdb_subdomain_store(tc->sysdb, + testdom[0], testdom[1], testdom[2], testdom[3], + false, false, NULL, 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(tc->dom, tc->confdb); + assert_int_equal(ret, EOK); + ncache = ts->ctx; - ts->rctx = mock_rctx(ts, ev, dom, ts->nctx); + ts->rctx = mock_rctx(ts, ev, tc->dom, ts->nctx); assert_non_null(ts->rctx); - ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names); + ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &tc->dom->names); assert_int_equal(ret, EOK); ret = sss_ncache_prepopulate(ncache, tc->confdb, ts->rctx); 
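Review bot: `subdomain` returned by new_subdomain() in the `@@ -602` hunk is only checked for non-NULL and never attached to tc->dom; the subdomain that the later checks rely on is the one sysdb_update_subdomains() builds from the sysdb_subdomain_store() record, so the new_subdomain() call looks redundant unless it has a side effect not visible here. If it is needed, a comment saying why (`/* created only so that ...; the linked subdomain comes from sysdb_update_subdomains() */`) would help; otherwise drop it together with the `subdomain` variable. test_sss_ncache_prepopulate() starts and ends outside the hunk.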
@@ -625,34 +668,37 @@ static void test_sss_ncache_prepopulate(void **state) sleep(SHORTSPAN); - ret = check_user_in_ncache(ncache, dom, "testuser1"); + ret = check_user_in_ncache(ncache, tc->dom, "testuser1"); assert_int_equal(ret, EEXIST); - ret = check_group_in_ncache(ncache, dom, "testgroup1"); + ret = check_group_in_ncache(ncache, tc->dom, "testgroup1"); assert_int_equal(ret, EEXIST); - ret = check_user_in_ncache(ncache, dom, "testuser2"); + ret = check_user_in_ncache(ncache, tc->dom, "testuser2"); assert_int_equal(ret, EEXIST); - ret = check_group_in_ncache(ncache, dom, "testgroup2"); + ret = check_group_in_ncache(ncache, tc->dom, "testgroup2"); assert_int_equal(ret, EEXIST); - ret = check_user_in_ncache(ncache, dom, "testuser3"); + ret = check_user_in_ncache(ncache, tc->dom, "testuser3"); assert_int_equal(ret, ENOENT); - ret = check_group_in_ncache(ncache, dom, "testgroup3"); + ret = check_group_in_ncache(ncache, tc->dom, "testgroup3"); assert_int_equal(ret, ENOENT); - ret = check_user_in_ncache(ncache, dom, "testuser3@somedomain"); + ret = check_user_in_ncache(ncache, tc->dom, "testuser3@somedomain"); assert_int_equal(ret, ENOENT); - ret = check_group_in_ncache(ncache, dom, "testgroup3@somedomain"); + ret = sss_ncache_check_upn(ncache, tc->dom, "testuser3@somedomain"); + assert_int_equal(ret, EEXIST); + + ret = check_group_in_ncache(ncache, tc->dom, "testgroup3@somedomain"); assert_int_equal(ret, ENOENT); - ret = check_user_in_ncache(ncache, dom, "root"); + ret = check_user_in_ncache(ncache, tc->dom, "root"); assert_int_equal(ret, EEXIST); - ret = check_group_in_ncache(ncache, dom, "root"); + ret = check_group_in_ncache(ncache, tc->dom, "root"); assert_int_equal(ret, EEXIST); ret = check_uid_in_ncache(ncache, 0); 
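Review bot: The new `sss_ncache_check_upn(ncache, tc->dom, "testuser3@somedomain")` assertion in the `@@ -625` hunk pins the domain-section behaviour only for the configured domain; if I read patch 1 correctly, a mismatched FQN from a domain's own filter_users is added to that domain's UPN negative cache alone (the all-domains loop is only on the global-section path), so a companion check against the subdomain would pin that scope too, e.g. `ret = sss_ncache_check_upn(ncache, tc->dom->subdomains, "testuser3@somedomain"); assert_int_equal(ret, ENOENT);`. The expected ENOENT assumes no filter_users is set in the subdomain's own section, which is what the test sets up. The enclosing function continues past the hunk.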
@@ -660,6 +706,12 @@ static void test_sss_ncache_prepopulate(void **state) ret = check_gid_in_ncache(ncache, 0); assert_int_equal(ret, EEXIST); + + ret = sss_ncache_check_upn(ncache, tc->dom, "testuser_nss@UPN.REALM"); + assert_int_equal(ret, EEXIST); + + ret = sss_ncache_check_upn(ncache, tc->dom->subdomains, "testuser_nss@UPN.REALM"); + assert_int_equal(ret, EEXIST); } static void test_sss_ncache_default_domain_suffix(void **state)
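Review bot: The last assertion in the `@@ -660` hunk passes `tc->dom->subdomains` straight into sss_ncache_check_upn(); if sysdb_update_subdomains() did not link the stored subdomain, that is a NULL domain pointer inside the negative cache code rather than a failing assertion. Add `assert_non_null(tc->dom->subdomains);` before the call, and consider also asserting `assert_string_equal(tc->dom->subdomains->name, TEST_SUBDOM_NAME);` so a setup problem fails with a readable message. Checking that the global filter_users UPN lands in the subdomain's cache is the right assertion to keep, since that is what patch 1's all-domains loop is meant to provide.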