authorJakub Hrozek <jhrozek@redhat.com>2015-03-29 16:30:27 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-04-09 08:35:20 +0200
commit0d19785f9ffd9c66df5b30d208ec7b0216a9555b (patch)
treefa11cac980dba90b196538cd68de11eae11ada4d
parent1aa492ce890f362564bfac21f3cfb0a3e38608bd (diff)
ncache: Add sss_ncache_reset_repopulate_permanent
This new function resets the negative cache and then re-adds the permanent entries. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r--src/responder/common/negcache.c14
-rw-r--r--src/responder/common/negcache.h6
-rw-r--r--src/tests/cmocka/test_negcache.c93
3 files changed, 113 insertions, 0 deletions
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 3e58c3e7f..2fa61af53 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -838,3 +838,17 @@ done:
talloc_free(tmpctx);
return ret;
}
+
+/* Reset permanent negcache after checking the domains */
+errno_t sss_ncache_reset_repopulate_permanent(struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache)
+{
+ int ret;
+
+ ret = sss_ncache_reset_permanent(ncache);
+ if (ret == EOK) {
+ ret = sss_ncache_prepopulate(ncache, rctx->cdb, rctx);
+ }
+
+ return ret;
+}
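Review bot: If sss_ncache_prepopulate() fails after sss_ncache_reset_permanent() has succeeded, this function returns the error with the permanent entries already dropped, so the names configured in filter_users/filter_groups are presumably not filtered again until a later call succeeds. Neither step logs anything here, so that state is silent unless the caller (not visible in this diff) reports it; a failure branch with `DEBUG(SSSDBG_CRIT_FAILURE, "Failed to repopulate the negative cache after reset [%d]\n", ret);` would make it visible. The comment above the function says "after checking the domains" while the prototype comment in negcache.h says "Flush the negcache and then repopulate"; one wording for both that also names the failure state would help, e.g. `/* Flush the permanent negcache and re-add the filter_users/filter_groups entries; on error the permanent entries may be missing */`. `ret` could also be declared `errno_t` to match the return type.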
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
index 00f979dbb..b96fbfda5 100644
--- a/src/responder/common/negcache.h
+++ b/src/responder/common/negcache.h
@@ -69,6 +69,8 @@ int sss_ncache_set_service_port(struct sss_nc_ctx *ctx, bool permanent,
int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx);
+struct resp_ctx;
+
/* Set up the negative cache with values from filter_users and
* filter_groups in the sssd.conf
*/
@@ -76,4 +78,8 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
struct confdb_ctx *cdb,
struct resp_ctx *rctx);
+/* Flush the negcache and then repopulate */
+errno_t sss_ncache_reset_repopulate_permanent(struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache);
+
#endif /* _NSS_NEG_CACHE_H_ */
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index cab457434..6f9802a38 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -710,6 +710,97 @@ static void test_sss_ncache_default_domain_suffix(void **state)
}
+static void test_sss_ncache_reset_prepopulate(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ struct tevent_context *ev;
+ struct sss_nc_ctx *ncache;
+ struct sss_test_ctx *tc;
+ struct sss_domain_info *dom;
+ struct sss_domain_info *dom2;
+
+ struct sss_test_conf_param params[] = {
+ { "filter_users", "testuser1@"TEST_DOM_NAME", testuser2@"TEST_DOM_NAME"2" },
+ { "filter_groups", "testgroup1@"TEST_DOM_NAME", testgroup2@"TEST_DOM_NAME"2" },
+ { NULL, NULL },
+ };
+
+ const char *nss_filter_users[] = { params[0].value, NULL};
+ const char *nss_filter_groups[] = { params[1].value, NULL};
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ev = tevent_context_init(ts);
+ assert_non_null(ev);
+
+ dom = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ ts->nctx = mock_nctx(ts);
+ assert_non_null(ts->nctx);
+
+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
+ assert_non_null(tc);
+
+ ret = confdb_add_param(tc->confdb, true, "config/nss",
+ "filter_users", nss_filter_users);
+ assert_int_equal(ret, EOK);
+
+ ret = confdb_add_param(tc->confdb, true, "config/nss",
+ "filter_groups", nss_filter_groups);
+ assert_int_equal(ret, EOK);
+
+ ncache = ts->ctx;
+ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
+ assert_non_null(ts->rctx);
+ ts->rctx->default_domain = discard_const(TEST_DOM_NAME);
+ ts->rctx->cdb = tc->confdb;
+
+ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
+ assert_int_equal(ret, EOK);
+
+ /* Add another domain */
+ dom2 = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom2);
+ dom2->name = discard_const_p(char, TEST_DOM_NAME"2");
+ dom->next = dom2;
+ dom2->names = dom->names;
+
+ /* First domain should not be known, the second not */
+ ret = sss_ncache_check_user(ncache, 1, dom, "testuser1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_group(ncache, 1, dom, "testgroup1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_user(ncache, 1, dom2, "testuser2");
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_ncache_check_group(ncache, 1, dom2, "testgroup2");
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
+ assert_int_equal(ret, EOK);
+
+ /* First domain should not be known, the second not */
+ ret = sss_ncache_check_user(ncache, 1, dom, "testuser1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_group(ncache, 1, dom, "testgroup1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_user(ncache, 1, dom2, "testuser2");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_group(ncache, 1, dom2, "testgroup2");
+ assert_int_equal(ret, EEXIST);
+}
int main(void)
{
int rv;
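Review bot: Nothing in test_sss_ncache_reset_prepopulate shows that the reset half runs: every name checked after the second call is one the configuration re-adds, so the test would presumably still pass if the function only called sss_ncache_prepopulate(). Adding a permanent entry that is not in filter_users before the second call (sss_ncache_set_user() with permanent set, assuming its signature follows the sss_ncache_set_service_port prototype shown in negcache.h) and asserting `ENOENT` for it afterwards would cover that, and a case where repopulation fails is also missing. The comment `/* First domain should not be known, the second not */` is repeated before both assertion groups and matches neither clearly; `/* Only the first domain was linked when the cache was populated */` and `/* After repopulating, entries for both domains are present */` read closer to the asserted values. The hunk ends inside main(), which continues outside it.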
@@ -731,6 +822,8 @@ int main(void)
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_ncache_default_domain_suffix,
setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate,
+ setup, teardown),
};
tests_set_cwd();