authorPavel Reichl <preichl@redhat.com>2015-08-04 09:25:08 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-08-17 15:10:14 +0200
commite2e334b2f51118cb14c7391c4e4e44ff247ef638 (patch)
treed8d8ff0540185feb43ffe94bdad2b62c405e702b
parent9da121c08b785b56733a11fa46e14c708dda62e9 (diff)
LDAP: sanitize group name when used in filter
cleanup_groups() uses the DN of the group in the filter for the ldb search, but the name might contain characters with special meaning for filtering, such as "*()\/". Resolves: https://fedorahosted.org/sssd/ticket/2744 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r--Makefile.am22
-rw-r--r--src/providers/ldap/ldap_id_cleanup.c88
-rw-r--r--src/tests/cmocka/test_ldap_id_cleanup.c313
3 files changed, 418 insertions, 5 deletions
diff --git a/Makefile.am b/Makefile.am
index 7dc4875c9..9cc5f3845 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -219,6 +219,7 @@ if HAVE_CMOCKA
sss_sifp-tests \
test_search_bases \
test_ldap_auth \
+ test_ldap_id_cleanup \
test_sdap_access \
sdap-tests \
test_sysdb_views \
@@ -2145,6 +2146,27 @@ test_ldap_auth_LDADD = \
libsss_test_common.la \
$(NULL)
+test_ldap_id_cleanup_SOURCES = \
+ $(sssd_be_SOURCES) \
+ src/tests/cmocka/test_ldap_id_cleanup.c \
+ src/providers/ldap/ldap_id_cleanup.c \
+ $(NULL)
+test_ldap_id_cleanup_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DUNIT_TESTING
+ $(NULL)
+test_ldap_id_cleanup_LDADD = \
+ $(PAM_LIBS) \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(SSSD_LIBS) \
+ $(CARES_LIBS) \
+ $(KRB5_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ $(NULL)
+
test_sdap_access_SOURCES = \
$(sssd_be_SOURCES) \
src/tests/cmocka/test_sdap_access.c \
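Review bot: The `-DUNIT_TESTING` line in `test_ldap_id_cleanup_CFLAGS` has no trailing backslash, so the `$(NULL)` on the following line is a stray line rather than the terminator of the variable; every other `_CFLAGS`/`_LDADD` value line in this hunk ends with `\`. The stray line probably expands to nothing and is accepted silently today, but any flag appended after `-DUNIT_TESTING` later would be dropped from the variable without warning. Change the line to `-DUNIT_TESTING \` so the block matches the surrounding definitions.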
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
index be9496a2e..e44e48549 100644
--- a/src/providers/ldap/ldap_id_cleanup.c
+++ b/src/providers/ldap/ldap_id_cleanup.c
@@ -32,6 +32,12 @@
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async.h"
+static errno_t
+get_group_dn_with_filter_sanitized_name(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *group_name,
+ const char **_group_dn);
+
/* ==Cleanup-Task========================================================= */
struct ldap_id_cleanup_ctx {
struct sdap_id_ctx *ctx;
@@ -318,7 +324,6 @@ static int cleanup_groups(TALLOC_CTX *memctx,
const char *attrs[] = { SYSDB_NAME, SYSDB_GIDNUM, NULL };
time_t now = time(NULL);
char *subfilter;
- const char *dn;
gid_t gid;
struct ldb_message **msgs;
size_t count;
@@ -359,10 +364,25 @@ static int cleanup_groups(TALLOC_CTX *memctx,
}
for (i = 0; i < count; i++) {
- dn = ldb_dn_get_linearized(msgs[i]->dn);
- if (!dn) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot linearize DN!\n");
- ret = EFAULT;
+ const char *dn;
+ const char *group_name;
+
+ group_name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
+ if (group_name == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "No '%s' attribute.\n", SYSDB_NAME);
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* DN might contain characters that need not to be sanitized in DN,
+ * but need to be sanitized in filter - e.g. '(', ')'
+ */
+ ret = get_group_dn_with_filter_sanitized_name(tmpctx, domain, group_name,
+ &dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "get_group_dn_with_filter_sanitized_name failed: %s:[%d].\n",
+ sss_strerror(ret), ret);
goto done;
}
@@ -429,3 +449,61 @@ done:
talloc_zfree(tmpctx);
return ret;
}
+
+static errno_t
+get_group_dn_with_filter_sanitized_name(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *group_name,
+ const char **_group_dn)
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ const char *dn;
+ const char *sanitized_dn;
+ char *sanitized_group_name;
+ struct ldb_dn *group_base_dn;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ }
+
+ /* sanitize group name */
+ ret = sss_filter_sanitize(tmp_ctx, group_name, &sanitized_group_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "sss_filter_sanitize failed: %s:[%d]\n",
+ sss_strerror(ret), ret);
+ goto done;
+ }
+
+ /* group base dn */
+ group_base_dn = sysdb_group_base_dn(tmp_ctx, domain);
+ if (group_base_dn == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot get group base DN!\n");
+ ret = EFAULT;
+ goto done;
+ }
+
+ dn = ldb_dn_get_linearized(group_base_dn);
+ if (dn == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot linearize DN!\n");
+ ret = EFAULT;
+ goto done;
+ }
+
+ /* complete group DN with filter sanitized name */
+ sanitized_dn = talloc_asprintf(tmp_ctx, "%s=%s,%s",
+ SYSDB_NAME, sanitized_group_name, dn);
+ if (sanitized_dn == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to build DN\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = EOK;
+ *_group_dn = talloc_steal(mem_ctx, sanitized_dn);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
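Review bot: The talloc_new() failure check at the top of get_group_dn_with_filter_sanitized_name sets `ret = ENOMEM` but does not leave the function, so execution continues into sss_filter_sanitize() with a NULL tmp_ctx and `ret` is immediately overwritten by that call's result; anything allocated on the NULL context in that path is never released. Add `goto done;` inside the block (talloc_free(NULL) is a no-op) or simply `return ENOMEM;`. The function would also benefit from a header comment stating its contract, since the string it hands back is only safe inside an ldb search filter: `/* Build "name=<filter-escaped name>,<group base DN>" on mem_ctx; the name is escaped for use in a search filter, so the result must not be used as a real DN */`.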
diff --git a/src/tests/cmocka/test_ldap_id_cleanup.c b/src/tests/cmocka/test_ldap_id_cleanup.c
new file mode 100644
index 000000000..941427e12
--- /dev/null
+++ b/src/tests/cmocka/test_ldap_id_cleanup.c
@@ -0,0 +1,313 @@
+/*
+ Authors:
+ Pavel Reichl <preichl@redhat.com>
+
+ Copyright (C) 2015 Red Hat
+
+ SSSD tests - id cleanup
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <cmocka.h>
+#include <popt.h>
+
+#include "tests/cmocka/common_mock.h"
+#include "providers/ldap/ldap_auth.h"
+#include "tests/cmocka/test_expire_common.h"
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/ldap_opts.h"
+#include "providers/ipa/ipa_opts.h"
+
+#define TESTS_PATH "test_ldap_id_cleanup"
+#define TEST_CONF_FILE "tests_conf.ldb"
+
+struct sysdb_test_ctx {
+ struct sysdb_ctx *sysdb;
+ struct confdb_ctx *confdb;
+ struct tevent_context *ev;
+ struct sss_domain_info *domain;
+ struct sdap_options *opts;
+};
+
+static int _setup_sysdb_tests(struct sysdb_test_ctx **ctx, bool enumerate)
+{
+ struct sysdb_test_ctx *test_ctx;
+ char *conf_db;
+ int ret;
+
+ const char *val[2];
+ val[1] = NULL;
+
+ /* Create tests directory if it doesn't exist */
+ /* (relative to current dir) */
+ ret = mkdir(TESTS_PATH, 0775);
+ assert_true(ret == 0 || errno == EEXIST);
+
+ test_ctx = talloc_zero(global_talloc_context, struct sysdb_test_ctx);
+ assert_non_null(test_ctx);
+
+ /* Create an event context
+ * It will not be used except in confdb_init and sysdb_init
+ */
+ test_ctx->ev = tevent_context_init(test_ctx);
+ assert_non_null(test_ctx->ev);
+
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
+ assert_non_null(conf_db);
+ DEBUG(SSSDBG_MINOR_FAILURE, "CONFDB: %s\n", conf_db);
+
+ /* Connect to the conf db */
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
+ assert_int_equal(ret, EOK);
+
+ val[0] = "LOCAL";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/sssd", "domains", val);
+ assert_int_equal(ret, EOK);
+
+ val[0] = "local";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "id_provider", val);
+ assert_int_equal(ret, EOK);
+
+ val[0] = enumerate ? "TRUE" : "FALSE";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "enumerate", val);
+ assert_int_equal(ret, EOK);
+
+ val[0] = "TRUE";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "cache_credentials", val);
+ assert_int_equal(ret, EOK);
+
+ ret = sssd_domain_init(test_ctx, test_ctx->confdb, "local",
+ TESTS_PATH, &test_ctx->domain);
+ assert_int_equal(ret, EOK);
+
+ test_ctx->domain->has_views = true;
+ test_ctx->sysdb = test_ctx->domain->sysdb;
+
+ *ctx = test_ctx;
+ return EOK;
+}
+
+#define setup_sysdb_tests(ctx) _setup_sysdb_tests((ctx), false)
+
+static int test_sysdb_setup(void **state)
+{
+ int ret;
+ struct sysdb_test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ ret = setup_sysdb_tests(&test_ctx);
+ assert_int_equal(ret, EOK);
+
+ test_ctx->domain->mpg = false;
+
+ /* set options */
+ test_ctx->opts = talloc_zero(test_ctx, struct sdap_options);
+ assert_non_null(test_ctx->opts);
+
+ ret = sdap_copy_map(test_ctx->opts, rfc2307_user_map,
+ SDAP_OPTS_USER, &test_ctx->opts->user_map);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = dp_copy_defaults(test_ctx->opts, default_basic_opts,
+ SDAP_OPTS_BASIC, &test_ctx->opts->basic);
+ assert_int_equal(ret, ERR_OK);
+
+ dp_opt_set_int(test_ctx->opts->basic, SDAP_ACCOUNT_CACHE_EXPIRATION, 1);
+
+ *state = (void *) test_ctx;
+ return 0;
+}
+
+static int test_sysdb_teardown(void **state)
+{
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static errno_t invalidate_group(TALLOC_CTX *ctx,
+ struct sss_domain_info *domain,
+ const char *name)
+{
+ struct sysdb_attrs *sys_attrs = NULL;
+ errno_t ret;
+
+ sys_attrs = sysdb_new_attrs(ctx);
+ if (sys_attrs) {
+ ret = sysdb_attrs_add_time_t(sys_attrs,
+ SYSDB_CACHE_EXPIRE, 1);
+ if (ret == EOK) {
+ ret = sysdb_set_group_attr(domain, name, sys_attrs,
+ SYSDB_MOD_REP);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not add expiration time to attributes\n");
+ }
+ talloc_zfree(sys_attrs);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not create sysdb attributes\n");
+ ret = ENOMEM;
+ }
+ return ret;
+}
+
+static void test_id_cleanup_exp_group(void **state)
+{
+ errno_t ret;
+ struct ldb_message *msg;
+ struct sdap_domain sdom;
+ const char *special_grp = "special_gr*o/u\\p(2016)";
+ const char *empty_special_grp = "empty_gr*o/u\\p(2016)";
+ const char *empty_grp = "empty_grp";
+ const char *grp = "grp";
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ ret = sysdb_store_group(test_ctx->domain, special_grp,
+ 10002, NULL, 1, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_group(test_ctx->domain, empty_special_grp,
+ 10003, NULL, 1, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_group(test_ctx->domain, grp,
+ 10004, NULL, 1, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_group(test_ctx->domain, empty_grp,
+ 10005, NULL, 1, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_user(test_ctx->domain, "test_user", NULL,
+ 10001, 10002, "Test user",
+ NULL, NULL, NULL, NULL, NULL,
+ 0,0);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_user(test_ctx->domain, "test_user2", NULL,
+ 10002, 10004, "Test user",
+ NULL, NULL, NULL, NULL, NULL,
+ 0,0);
+ assert_int_equal(ret, EOK);
+
+ sdom.dom = test_ctx->domain;
+
+ /* not expired */
+ ret = ldap_id_cleanup(test_ctx->opts, &sdom);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
+ special_grp, NULL, &msg);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
+ empty_special_grp, NULL, &msg);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
+ grp, NULL, &msg);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
+ empty_grp, NULL, &msg);
+ assert_int_equal(ret, EOK);
+
+ /* let records to expire */
+ invalidate_group(test_ctx, test_ctx->domain, special_grp);
+ invalidate_group(test_ctx, test_ctx->domain, empty_special_grp);
+ invalidate_group(test_ctx, test_ctx->domain, grp);
+ invalidate_group(test_ctx, test_ctx->domain, empty_grp);
+
+ ret = ldap_id_cleanup(test_ctx->opts, &sdom);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
+ special_grp, NULL, &msg);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
+ empty_special_grp, NULL, &msg);
+ assert_int_equal(ret, ENOENT);
+
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
+ grp, NULL, &msg);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
+ empty_grp, NULL, &msg);
+ assert_int_equal(ret, ENOENT);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ int no_cleanup = 0;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_id_cleanup_exp_group,
+ test_sysdb_setup, test_sysdb_teardown),
+ };
+
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE);
+ test_dom_suite_setup(TESTS_PATH);
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ if (rv == 0 && no_cleanup == 0) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE);
+ }
+ return rv;
+}
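Review bot: `sdom` in test_id_cleanup_exp_group is a stack struct sdap_domain of which only `.dom` is assigned before it is passed to ldap_id_cleanup(), so if the cleanup reads any other member the test depends on uninitialized stack contents; `struct sdap_domain sdom = {0};` at the declaration makes it deterministic. The four invalidate_group() calls also discard their return value, so a failed expiry would only surface later as a confusing ENOENT/EOK mismatch rather than at its source — wrap each as `ret = invalidate_group(test_ctx, test_ctx->domain, special_grp); assert_int_equal(ret, EOK);`. Minor: the comment above `debug_level = SSSDBG_INVALID;` misspells "decide".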