authorSimo Sorce <simo@redhat.com>2013-09-04 15:02:43 -0400
committerJakub Hrozek <jhrozek@redhat.com>2013-09-09 13:52:27 +0200
commit9e9a52aec48e11de87bade0b006a2fec1bddd7b9 (patch)
tree691c86190ca886a04c30a8bfbdfb14c7857a259d
parent826a7d1368f7dc5cfac37b08f3d3b952dd3e0a53 (diff)
krb5: Ingnore unknown expansion sequences
Recently support was added to also use libkrb5-style expansions that use a %{varname} type of template. There are a number of templates we do not care about or can't expand in sssd. The current code lacks tests and failed to properly preserve some of the templates we do not want to handle. Additionally, in order to be future-proof, this patch treats unknown templates as pass-through templates and defers any error checking to libkrb5, so that sssd is consistent with how kinit would behave. Resolves: https://fedorahosted.org/sssd/ticket/2076
-rw-r--r--src/providers/krb5/krb5_utils.c45
-rw-r--r--src/tests/krb5_utils-tests.c30
2 files changed, 45 insertions, 30 deletions
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index f84e18df1..6c55552e9 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -157,24 +157,14 @@ done:
return ret;
}
-#define S_EXP_TEMP "{TEMP}"
-#define L_EXP_TEMP (sizeof(S_EXP_TEMP) - 1)
#define S_EXP_UID "{uid}"
#define L_EXP_UID (sizeof(S_EXP_UID) - 1)
#define S_EXP_USERID "{USERID}"
#define L_EXP_USERID (sizeof(S_EXP_USERID) - 1)
#define S_EXP_EUID "{euid}"
#define L_EXP_EUID (sizeof(S_EXP_EUID) - 1)
-#define S_EXP_NULL "{null}"
-#define L_EXP_NULL (sizeof(S_EXP_NULL) - 1)
#define S_EXP_USERNAME "{username}"
#define L_EXP_USERNAME (sizeof(S_EXP_USERNAME) - 1)
-#define S_EXP_LIBDIR "{LIBDIR}"
-#define L_EXP_LIBDIR (sizeof(S_EXP_LIBDIR) - 1)
-#define S_EXP_BINDIR "{BINDIR}"
-#define L_EXP_BINDIR (sizeof(S_EXP_BINDIR) - 1)
-#define S_EXP_SBINDIR "{SBINDIR}"
-#define L_EXP_SBINDIR (sizeof(S_EXP_SBINDIR) - 1)
char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
const char *template, bool file_mode,
@@ -325,11 +315,7 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
/* Additional syntax from krb5.conf default_ccache_name */
case '{':
- if (strncmp(n, S_EXP_TEMP, L_EXP_TEMP) == 0) {
- /* let the libkrb5 library resolve this */
- result = talloc_asprintf_append(result, "%%"S_EXP_TEMP);
- n += L_EXP_TEMP - 1;
- } else if (strncmp(n , S_EXP_UID, L_EXP_UID) == 0) {
+ if (strncmp(n , S_EXP_UID, L_EXP_UID) == 0) {
action = 'U';
n += L_EXP_UID - 1;
rerun = true;
@@ -346,26 +332,25 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
n += L_EXP_EUID - 1;
rerun = true;
continue;
- } else if (strncmp(n , S_EXP_NULL, L_EXP_NULL) == 0) {
- /* skip immediately */
- n += L_EXP_NULL - 1;
} else if (strncmp(n , S_EXP_USERNAME, L_EXP_USERNAME) == 0) {
action = 'u';
n += L_EXP_USERNAME - 1;
rerun = true;
continue;
- } else if (strncmp(n , S_EXP_LIBDIR, L_EXP_LIBDIR) == 0) {
- /* skip, only the libkrb5 library can resolve this */
- result = talloc_asprintf_append(result, "%%"S_EXP_LIBDIR);
- n += L_EXP_LIBDIR - 1;
- } else if (strncmp(n , S_EXP_BINDIR, L_EXP_BINDIR) == 0) {
- /* skip, only the libkrb5 library can resolve this */
- result = talloc_asprintf_append(result, "%%"S_EXP_BINDIR);
- n += L_EXP_BINDIR - 1;
- } else if (strncmp(n , S_EXP_SBINDIR, L_EXP_SBINDIR) == 0) {
- /* skip, only the libkrb5 library can resolve this */
- result = talloc_asprintf_append(result, "%%"S_EXP_SBINDIR);
- n += L_EXP_SBINDIR - 1;
+ } else {
+ /* ignore any expansion variable we do not understand and
+ * let libkrb5 hndle it or fail */
+ name = n;
+ n = strchr(name, '}');
+ if (!n) {
+ DEBUG(SSSDBG_CRIT_FAILURE, (
+ "Invalid substitution sequence in cache "
+ "template. Missing closing '}' in [%s].\n",
+ template));
+ goto done;
+ }
+ result = talloc_asprintf_append(result, "%s%%%.*s", p,
+ (int)(n - name + 1), name);
}
break;
default:
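Review bot: The new `else` branch returns a name that still contains a literal `%{...}` sequence, and nothing in the hunk tells the caller or the log that this happened. If callers use the returned string for directory creation or ownership checks (the `file_mode` and `private_path` parameters suggest this, but that code is outside the hunk), those checks would run on a path that differs from the one libkrb5 resolves later. I would document that in the branch comment and trace the pass-through, e.g. `DEBUG(SSSDBG_TRACE_FUNC, ("Passing [%.*s] through to libkrb5 unexpanded.\n", (int)(n - name + 1), name));`. The return value of `talloc_asprintf_append` is not checked inside the hunk; presumably that happens after the `switch`, which is not visible here. The comment also has a typo, `hndle`.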
diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c
index 4be3ad04e..beb463b54 100644
--- a/src/tests/krb5_utils-tests.c
+++ b/src/tests/krb5_utils-tests.c
@@ -673,6 +673,35 @@ START_TEST(test_no_substitution)
}
END_TEST
+START_TEST(test_krb5_style_expansion)
+{
+ char *result;
+ bool private_path = false;
+ const char *file_template;
+ const char *expected;
+
+ file_template = BASE"/%{uid}/%{USERID}/%{euid}/%{username}";
+ expected = BASE"/"UID"/"UID"/"UID"/"USERNAME;
+ result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+ true, &private_path);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected) == 0,
+ "Expansion failed, result [%s], expected [%s].",
+ result, expected);
+
+ file_template = BASE"/%{unknown}";
+ expected = BASE"/%{unknown}";
+ result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+ false, &private_path);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected) == 0,
+ "Expansion failed, result [%s], expected [%s].",
+ result, expected);
+}
+END_TEST
+
START_TEST(test_compare_principal_realm)
{
int ret;
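Review bot: `test_krb5_style_expansion` exercises only well-formed input, so the new error path for a missing closing `}` and the handling of text after a passed-through sequence are untested. I would add a case such as `file_template = BASE"/%{unknown}/tail";` with the same string as `expected`, and one with an unterminated `BASE"/%{unknown"` asserting whatever the function returns on `goto done` (presumably NULL; the `done:` label is outside the hunk). `%{null}` was previously dropped from the output and, as far as the krb5_utils.c hunk shows, is now passed through, which deserves an explicit assertion as well. The hunk ends inside `test_compare_principal_realm`, which continues outside the visible lines.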
@@ -738,6 +767,7 @@ Suite *krb5_utils_suite (void)
tcase_add_test (tc_ccname_template, test_pid);
tcase_add_test (tc_ccname_template, test_percent);
tcase_add_test (tc_ccname_template, test_multiple_substitutions);
+ tcase_add_test (tc_ccname_template, test_krb5_style_expansion);
suite_add_tcase (s, tc_ccname_template);
TCase *tc_create_dir = tcase_create("create_dir");