authorAdam Tkac <vonsch@gmail.com>2015-04-13 15:00:18 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-04-14 14:46:59 +0200
commit2a25713afc6beefb11a799903a43f695c5d7a4f9 (patch)
treeae4b4355c2c478f59a5181c98165f0f18fd3f17f
parent4ea6bc6dea87ac8cb37eb271ea86350e89695670 (diff)
downloadsssd-2a25713afc6beefb11a799903a43f695c5d7a4f9.tar.gz
sssd-2a25713afc6beefb11a799903a43f695c5d7a4f9.tar.xz
sssd-2a25713afc6beefb11a799903a43f695c5d7a4f9.zip
Option filter_users had no effect for retrieving sudo rules
Previously sssd_sudo always obtained sudo rules for a user from LDAP, even when the user was listed in filter_users. Resolves https://fedorahosted.org/sssd/ticket/2625 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r--src/responder/sudo/sudosrv.c24
-rw-r--r--src/responder/sudo/sudosrv_cmd.c12
-rw-r--r--src/responder/sudo/sudosrv_private.h3
3 files changed, 39 insertions, 0 deletions
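diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index 5d46222c9..2499586eb 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -27,6 +27,7 @@
 #include "responder/common/responder_sbus.h"
 #include "responder/sudo/sudosrv_private.h"
 #include "providers/data_provider.h"
+#include "responder/common/negcache.h"
 struct mon_cli_iface monitor_sudo_methods = {
 { &mon_cli_iface_meta, 0 },
@@ -113,9 +114,32 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
 goto fail;
 }
+ ret = sss_ncache_init(rctx, &sudo_ctx->ncache);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "fatal error initializing ncache\n");
+ goto fail;
+ }
+
 sudo_ctx->rctx = rctx;
 sudo_ctx->rctx->pvt_ctx = sudo_ctx;
+ ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_ENTRY_NEG_TIMEOUT, 15,
+ &sudo_ctx->neg_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "fatal error getting ncache timeout\n");
+ goto fail;
+ }
+
+ sss_ncache_prepopulate(sudo_ctx->ncache, sudo_ctx->rctx->cdb, rctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "failed to set ncache for sudo's filter_users\n");
+ goto fail;
+ }
+
 /* Enable automatic reconnection to the Data Provider */
 ret = confdb_get_int(sudo_ctx->rctx->cdb,
 CONFDB_SUDO_CONF_ENTRY,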
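Review bot: The return value of `sss_ncache_prepopulate()` is discarded, so the `if (ret != EOK)` right after it re-tests the `ret` left by the preceding confdb_get_int() (necessarily EOK at that point) and a failed prepopulation is never reported; the call should read `ret = sss_ncache_prepopulate(sudo_ctx->ncache, sudo_ctx->rctx->cdb, rctx);` (assuming it returns an errno_t like its neighbours, which the check following it implies). A silently empty negative cache means filter_users is ignored again, which is exactly the behaviour this commit sets out to fix. The timeout is read from the NSS section (CONFDB_NSS_CONF_ENTRY / CONFDB_NSS_ENTRY_NEG_TIMEOUT) rather than a sudo-specific entry; if that reuse is deliberate, a one-line comment saying the NSS negative-cache timeout is shared on purpose would save the next reader a detour. sudo_process_init() starts and ends outside the hunk.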
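diff --git a/src/responder/sudo/sudosrv_cmd.c b/src/responder/sudo/sudosrv_cmd.c
index fd8c46d63..dd636e949 100644
--- a/src/responder/sudo/sudosrv_cmd.c
+++ b/src/responder/sudo/sudosrv_cmd.c
@@ -28,6 +28,7 @@
 #include "responder/sudo/sudosrv_private.h"
 #include "db/sysdb_sudo.h"
 #include "sss_client/sss_cli.h"
+#include "responder/common/negcache.h"
 static errno_t sudosrv_cmd_send_reply(struct sudo_cmd_ctx *cmd_ctx,
 uint8_t *response_body,
@@ -239,6 +240,7 @@ static void sudosrv_cmd_parse_query_done(struct tevent_req *req)
 {
 struct sudo_cmd_ctx *cmd_ctx = NULL;
 struct sudo_dom_ctx *dom_ctx = NULL;
+ struct sudo_ctx *sudo_ctx = NULL;
 errno_t ret;
 cmd_ctx = tevent_req_callback_data(req, struct sudo_cmd_ctx);
@@ -278,6 +280,16 @@ static void sudosrv_cmd_parse_query_done(struct tevent_req *req)
 dom_ctx->domain = cmd_ctx->domain != NULL ? cmd_ctx->domain
 : cmd_ctx->cli_ctx->rctx->domains;
+ sudo_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct sudo_ctx);
+ ret = sss_ncache_check_user(sudo_ctx->ncache, sudo_ctx->neg_timeout,
+ dom_ctx->domain, cmd_ctx->username);
+ if (ret == EEXIST) {
+ DEBUG(SSSDBG_TRACE_FUNC, "User [%s@%s] filtered out (ncache)\n",
+ cmd_ctx->username, dom_ctx->domain->name);
+ ret = ENOENT;
+ goto done;
+ }
+
 ret = sudosrv_get_sudorules(dom_ctx);
 done: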
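Review bot: Only `EEXIST` from `sss_ncache_check_user()` is handled in the third hunk; any other non-ENOENT result (a genuine cache lookup error) falls through to `sudosrv_get_sudorules()` as if the user were not filtered, with nothing written to the log. It is worth telling the cases apart, e.g. `} else if (ret != ENOENT) { DEBUG(SSSDBG_MINOR_FAILURE, "ncache check for [%s] failed [%d]: %s\n", cmd_ctx->username, ret, strerror(ret)); }` before continuing, so that a broken negative cache is at least visible rather than silently disabling filter_users. The check is also made against `dom_ctx->domain` alone, which is the first configured domain when the request carried none; if the rule lookup later walks further domains (not visible here), a user filtered in one of those is not caught by this check. sudosrv_cmd_parse_query_done() starts and ends outside the hunk.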
diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h
index 71a272ab4..3c53755f9 100644
--- a/src/responder/sudo/sudosrv_private.h
+++ b/src/responder/sudo/sudosrv_private.h
@@ -43,6 +43,9 @@ enum sss_sudo_type {
struct sudo_ctx {
struct resp_ctx *rctx;
+ int neg_timeout;
+ struct sss_nc_ctx *ncache;
+
/*
* options
*/