diff options
author | Sumit Bose <sbose@redhat.com> | 2013-10-09 15:22:53 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-17 13:45:44 +0200 |
commit | d9059ad391cc73ad91893c3eab509d08699d5aba (patch) | |
tree | 34518dc1085578c15eff447812bdf42defcfb50a | |
parent | 222f2484ea37c8bd434184ccd38160fb58c8087f (diff) | |
download | sssd-d9059ad391cc73ad91893c3eab509d08699d5aba.tar.gz sssd-d9059ad391cc73ad91893c3eab509d08699d5aba.tar.xz sssd-d9059ad391cc73ad91893c3eab509d08699d5aba.zip |
idmap: allow ranges with external mapping to overlap
If POSIX IDs are managed externally e.g. by AD it might be possible that
the IDs are centrally manages for the whole forest. Hence there might
not be a single ID range for each member domain in the forest but only a
single ID range for the whole forest. This means that we have to allow
collisions if ID ranges in this case.
Unit tests are added to make sure that the collisions are only allowed
for external mappings.
-rw-r--r-- | src/lib/idmap/sss_idmap.c | 12 | ||||
-rw-r--r-- | src/tests/sss_idmap-tests.c | 64 |
2 files changed, 71 insertions, 5 deletions
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c index 89c55fc95..17bd5779e 100644 --- a/src/lib/idmap/sss_idmap.c +++ b/src/lib/idmap/sss_idmap.c @@ -357,11 +357,13 @@ static enum idmap_error_code dom_check_collision( /* TODO: if both ranges have the same ID check if an update is * needed. */ - /* check if ID ranges overlap */ - if ((new_dom->range->min >= dom->range->min - && new_dom->range->min <= dom->range->max) - || (new_dom->range->max >= dom->range->min - && new_dom->range->max <= dom->range->max)) { + /* Check if ID ranges overlap. + * ID ranges with external mapping may overlap. */ + if ((!new_dom->external_mapping && !dom->external_mapping) + && ((new_dom->range->min >= dom->range->min + && new_dom->range->min <= dom->range->max) + || (new_dom->range->max >= dom->range->min + && new_dom->range->max <= dom->range->max))) { return IDMAP_COLLISION; } diff --git a/src/tests/sss_idmap-tests.c b/src/tests/sss_idmap-tests.c index eb204137a..65e61351d 100644 --- a/src/tests/sss_idmap-tests.c +++ b/src/tests/sss_idmap-tests.c @@ -29,6 +29,9 @@ #define IDMAP_RANGE_MIN 1234 #define IDMAP_RANGE_MAX 9876 +#define IDMAP_RANGE_MIN2 11234 +#define IDMAP_RANGE_MAX2 19876 + const char test_sid[] = "S-1-5-21-2127521184-1604012920-1887927527-72713"; uint8_t test_bin_sid[] = {0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xA0, 0x65, 0xCF, 0x7E, 0x78, 0x4B, @@ -142,6 +145,65 @@ START_TEST(idmap_test_add_domain) } END_TEST +START_TEST(idmap_test_add_domain_collisions) +{ + enum idmap_error_code err; + struct sss_idmap_range range = {IDMAP_RANGE_MIN, IDMAP_RANGE_MAX}; + struct sss_idmap_range range2 = {IDMAP_RANGE_MIN2, IDMAP_RANGE_MAX2}; + + err = sss_idmap_add_domain(idmap_ctx, "test.dom", "S-1-5-21-1-2-3", &range); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_domain failed."); + + err = sss_idmap_add_domain(idmap_ctx, "test.dom", "S-1-5-21-1-2-4", + &range2); + fail_unless(err == IDMAP_COLLISION, + "sss_idmap_add_domain added domain with the same name."); + + err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-3", + &range2); + fail_unless(err == IDMAP_COLLISION, + "sss_idmap_add_domain added domain with the same SID."); + + err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4", + &range); + fail_unless(err == IDMAP_COLLISION, + "sss_idmap_add_domain added domain with the same range."); + + err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4", + &range2); + fail_unless(err == IDMAP_SUCCESS, + "sss_idmap_add_domain failed to add second domain."); +} +END_TEST + +START_TEST(idmap_test_add_domain_collisions_ext_mapping) +{ + enum idmap_error_code err; + struct sss_idmap_range range = {IDMAP_RANGE_MIN, IDMAP_RANGE_MAX}; + struct sss_idmap_range range2 = {IDMAP_RANGE_MIN2, IDMAP_RANGE_MAX2}; + + err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-3", + &range, NULL, 0, true); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_domain failed."); + + err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-4", + &range2, NULL, 0, true); + fail_unless(err == IDMAP_COLLISION, + "sss_idmap_add_domain added domain with the same name."); + + err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom2", "S-1-5-21-1-2-3", + &range2, NULL, 0, true); + fail_unless(err == IDMAP_COLLISION, + "sss_idmap_add_domain added domain with the same SID."); + + err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4", + &range, NULL, 0, true); + fail_unless(err == IDMAP_SUCCESS, + "sss_idmap_add_domain failed to add second domain with " \ + "external mapping and the same range."); +} +END_TEST + START_TEST(idmap_test_sid2uid) { enum idmap_error_code err; @@ -510,6 +572,8 @@ Suite *idmap_test_suite (void) idmap_ctx_teardown); tcase_add_test(tc_dom, idmap_test_add_domain); + tcase_add_test(tc_dom, idmap_test_add_domain_collisions); + tcase_add_test(tc_dom, idmap_test_add_domain_collisions_ext_mapping); suite_add_tcase(s, tc_dom); |