authorSumit Bose <sbose@redhat.com>2013-12-13 11:44:59 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-12-19 10:24:16 +0100
commit15a1519ec9c23f598716ffa89e533cd9bfb2a4f3 (patch)
tree8dda85aa957c9b29cd7db696c6caae7fb8ac64ae /src
parentc9124effceb40890bc9dd157155618067a7b8d2f (diff)
Use lower-case name for case-insensitive searches
The patch makes sure that a completely lower-cased version of a fully qualified name is used for case-insensitive searches. Currently there are code paths where the domain name is used as configured and is not lower-cased. To make sure this patch does not break with old entries in the cache or with case-sensitive domains, a third template value was added to the related filter templates; it is filled either with the completely lower-cased version or with the old version. The other two template values are unchanged.
Diffstat (limited to 'src')
-rw-r--r--src/db/sysdb.h10
-rw-r--r--src/db/sysdb_ops.c8
-rw-r--r--src/db/sysdb_search.c30
-rw-r--r--src/responder/pam/pam_LOCAL_domain.c4
-rw-r--r--src/tests/cmocka/test_utils.c38
-rw-r--r--src/util/sss_tc_utf8.c30
-rw-r--r--src/util/util.h6
7 files changed, 108 insertions, 18 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index cec8bdd20..2230f2c4b 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -144,23 +144,23 @@
#define SYSDB_NC "objectclass="SYSDB_NETGROUP_CLASS
#define SYSDB_MPGC "|("SYSDB_UC")("SYSDB_GC")"
-#define SYSDB_PWNAM_FILTER "(&("SYSDB_UC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
+#define SYSDB_PWNAM_FILTER "(&("SYSDB_UC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
#define SYSDB_PWUID_FILTER "(&("SYSDB_UC")("SYSDB_UIDNUM"=%lu))"
#define SYSDB_PWSID_FILTER "(&("SYSDB_UC")("SYSDB_SID_STR"=%s))"
#define SYSDB_PWENT_FILTER "("SYSDB_UC")"
-#define SYSDB_GRNAM_FILTER "(&("SYSDB_GC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
+#define SYSDB_GRNAM_FILTER "(&("SYSDB_GC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
#define SYSDB_GRGID_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))"
#define SYSDB_GRSID_FILTER "(&("SYSDB_GC")("SYSDB_SID_STR"=%s))"
#define SYSDB_GRENT_FILTER "("SYSDB_GC")"
-#define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
+#define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
#define SYSDB_GRGID_MPG_FILTER "(&("SYSDB_MPGC")("SYSDB_GIDNUM"=%lu))"
#define SYSDB_GRENT_MPG_FILTER "("SYSDB_MPGC")"
#define SYSDB_INITGR_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=*))"
-#define SYSDB_NETGR_FILTER "(&("SYSDB_NC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
-#define SYSDB_NETGR_TRIPLES_FILTER "(|("SYSDB_NAME"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_MEMBEROF"=%s))"
+#define SYSDB_NETGR_FILTER "(&("SYSDB_NC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
+#define SYSDB_NETGR_TRIPLES_FILTER "(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_MEMBEROF"=%s))"
#define SYSDB_SID_FILTER "(&(|("SYSDB_UC")("SYSDB_GC"))("SYSDB_SID_STR"=%s))"
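Review bot: The new third `%s` slot is undocumented, yet every caller of these templates now has to pass the arguments in one fixed order (lower-cased name, name as given, name as given; SYSDB_NETGR_TRIPLES_FILTER takes the member DN last), and a call site that still passes two values is only caught if the compiler's format checking reaches it. A comment above SYSDB_PWNAM_FILTER such as `/* name filters: %s = lower-cased sanitized name (case-insensitive domains), %s = sanitized name, %s = sanitized name */` would make that contract visible where the templates are defined. Since these filters are built from names supplied by NSS/PAM clients, the comment should also state that every value substituted into a slot must come from sss_filter_sanitize (or the _for_dom variant), so that a future caller does not bypass escaping for the lower-cased slot.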
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index adbe9a158..cb331e1e2 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -305,6 +305,7 @@ int sysdb_search_user_by_name(TALLOC_CTX *mem_ctx,
struct ldb_dn *basedn;
size_t msgs_count = 0;
char *sanitized_name;
+ char *lc_sanitized_name;
char *filter;
int ret;
@@ -320,13 +321,14 @@ int sysdb_search_user_by_name(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sss_filter_sanitize(tmp_ctx, name, &sanitized_name);
+ ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain, &sanitized_name,
+ &lc_sanitized_name);
if (ret != EOK) {
goto done;
}
- filter = talloc_asprintf(tmp_ctx, SYSDB_PWNAM_FILTER, sanitized_name,
- sanitized_name);
+ filter = talloc_asprintf(tmp_ctx, SYSDB_PWNAM_FILTER, lc_sanitized_name,
+ sanitized_name, sanitized_name);
if (!filter) {
ret = ENOMEM;
goto done;
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 83681384f..d5b7a305f 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -37,6 +37,7 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx,
struct ldb_dn *base_dn;
struct ldb_result *res;
char *sanitized_name;
+ char *lc_sanitized_name;
const char *src_name;
int ret;
@@ -60,13 +61,15 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sss_filter_sanitize(tmp_ctx, src_name, &sanitized_name);
+ ret = sss_filter_sanitize_for_dom(tmp_ctx, src_name, domain,
+ &sanitized_name, &lc_sanitized_name);
if (ret != EOK) {
goto done;
}
ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
LDB_SCOPE_SUBTREE, attrs, SYSDB_PWNAM_FILTER,
+ lc_sanitized_name,
sanitized_name, sanitized_name);
if (ret) {
ret = sysdb_error_to_errno(ret);
@@ -210,6 +213,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
struct ldb_dn *base_dn;
struct ldb_result *res;
const char *src_name;
+ char *lc_sanitized_name;
int ret;
tmp_ctx = talloc_new(NULL);
@@ -239,14 +243,15 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sss_filter_sanitize(tmp_ctx, src_name, &sanitized_name);
+ ret = sss_filter_sanitize_for_dom(tmp_ctx, src_name, domain,
+ &sanitized_name, &lc_sanitized_name);
if (ret != EOK) {
goto done;
}
ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
LDB_SCOPE_SUBTREE, attrs, fmt_filter,
- sanitized_name, sanitized_name);
+ lc_sanitized_name, sanitized_name, sanitized_name);
if (ret) {
ret = sysdb_error_to_errno(ret);
goto done;
@@ -473,6 +478,7 @@ int sysdb_get_user_attr(TALLOC_CTX *mem_ctx,
struct ldb_dn *base_dn;
struct ldb_result *res;
char *sanitized_name;
+ char *lc_sanitized_name;
int ret;
tmp_ctx = talloc_new(NULL);
@@ -487,14 +493,15 @@ int sysdb_get_user_attr(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sss_filter_sanitize(tmp_ctx, name, &sanitized_name);
+ ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain, &sanitized_name,
+ &lc_sanitized_name);
if (ret != EOK) {
goto done;
}
ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
LDB_SCOPE_SUBTREE, attributes,
- SYSDB_PWNAM_FILTER, sanitized_name,
+ SYSDB_PWNAM_FILTER, lc_sanitized_name, sanitized_name,
sanitized_name);
if (ret) {
ret = sysdb_error_to_errno(ret);
@@ -776,6 +783,7 @@ errno_t sysdb_getnetgr(TALLOC_CTX *mem_ctx,
struct ldb_dn *base_dn;
struct ldb_result *result;
char *sanitized_netgroup;
+ char *lc_sanitized_netgroup;
char *netgroup_dn;
int lret;
errno_t ret;
@@ -793,7 +801,9 @@ errno_t sysdb_getnetgr(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sss_filter_sanitize(tmp_ctx, netgroup, &sanitized_netgroup);
+ ret = sss_filter_sanitize_for_dom(tmp_ctx, netgroup, domain,
+ &sanitized_netgroup,
+ &lc_sanitized_netgroup);
if (ret != EOK) {
goto done;
}
@@ -807,7 +817,7 @@ errno_t sysdb_getnetgr(TALLOC_CTX *mem_ctx,
lret = ldb_search(domain->sysdb->ldb, tmp_ctx, &result, base_dn,
LDB_SCOPE_SUBTREE, attrs,
- SYSDB_NETGR_TRIPLES_FILTER,
+ SYSDB_NETGR_TRIPLES_FILTER, lc_sanitized_netgroup,
sanitized_netgroup, sanitized_netgroup,
netgroup_dn);
ret = sysdb_error_to_errno(lret);
@@ -833,6 +843,7 @@ int sysdb_get_netgroup_attr(TALLOC_CTX *mem_ctx,
struct ldb_dn *base_dn;
struct ldb_result *result;
char *sanitized_netgroup;
+ char *lc_sanitized_netgroup;
int ret;
tmp_ctx = talloc_new(NULL);
@@ -847,7 +858,9 @@ int sysdb_get_netgroup_attr(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sss_filter_sanitize(tmp_ctx, netgrname, &sanitized_netgroup);
+ ret = sss_filter_sanitize_for_dom(tmp_ctx, netgrname, domain,
+ &sanitized_netgroup,
+ &lc_sanitized_netgroup);
if (ret != EOK) {
goto done;
}
@@ -855,6 +868,7 @@ int sysdb_get_netgroup_attr(TALLOC_CTX *mem_ctx,
ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &result, base_dn,
LDB_SCOPE_SUBTREE, attributes,
SYSDB_NETGR_FILTER,
+ lc_sanitized_netgroup,
sanitized_netgroup,
sanitized_netgroup);
if (ret) {
diff --git a/src/responder/pam/pam_LOCAL_domain.c b/src/responder/pam/pam_LOCAL_domain.c
index bb7378581..036b47fda 100644
--- a/src/responder/pam/pam_LOCAL_domain.c
+++ b/src/responder/pam/pam_LOCAL_domain.c
@@ -258,12 +258,12 @@ int LOCAL_pam_handler(struct pam_auth_req *preq)
if (res->count < 1) {
DEBUG(4, ("No user found with filter ["SYSDB_PWNAM_FILTER"]\n",
- pd->user, pd->user));
+ pd->user, pd->user, pd->user));
pd->pam_status = PAM_USER_UNKNOWN;
goto done;
} else if (res->count > 1) {
DEBUG(4, ("More than one object found with filter ["SYSDB_PWNAM_FILTER"]\n",
- pd->user, pd->user));
+ pd->user, pd->user, pd->user));
lreq->error = EFAULT;
goto done;
}
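Review bot: Both DEBUG messages print the raw `pd->user` into the filter template, so the logged "filter" is not the one actually used for the lookup: it is neither escaped by sss_filter_sanitize nor lower-cased, which can mislead whoever debugs a failed lookup in a case-insensitive domain. Logging just the name, e.g. `DEBUG(4, ("No user found for [%s]\n", pd->user));` and `DEBUG(4, ("More than one object found for [%s]\n", pd->user));`, avoids the three-argument coupling to SYSDB_PWNAM_FILTER and stops the template from appearing to be a verbatim record of the query. LOCAL_pam_handler's body starts outside this hunk.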
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index f2251271b..eeef9ee0c 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -654,6 +654,41 @@ void test_name_to_well_known_sid(void **state)
assert_string_equal(sid, "S-1-5-1");
}
+#define TEST_SANITIZE_INPUT "TestUser@Test.Domain"
+#define TEST_SANITIZE_LC_INPUT "testuser@test.domain"
+
+void test_sss_filter_sanitize_for_dom(void **state)
+{
+ struct dom_list_test_ctx *test_ctx;
+ int ret;
+ char *sanitized;
+ char *lc_sanitized;
+ struct sss_domain_info *dom;
+
+ test_ctx = talloc_get_type(*state, struct dom_list_test_ctx);
+ dom = test_ctx->dom_list;
+
+ dom->case_sensitive = true;
+
+ ret = sss_filter_sanitize_for_dom(test_ctx, TEST_SANITIZE_INPUT, dom,
+ &sanitized, &lc_sanitized);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(sanitized, TEST_SANITIZE_INPUT);
+ assert_string_equal(lc_sanitized, TEST_SANITIZE_INPUT);
+ talloc_free(sanitized);
+ talloc_free(lc_sanitized);
+
+ dom->case_sensitive = false;
+
+ ret = sss_filter_sanitize_for_dom(test_ctx, TEST_SANITIZE_INPUT, dom,
+ &sanitized, &lc_sanitized);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(sanitized, TEST_SANITIZE_INPUT);
+ assert_string_equal(lc_sanitized, TEST_SANITIZE_LC_INPUT);
+ talloc_free(sanitized);
+ talloc_free(lc_sanitized);
+}
+
int main(int argc, const char *argv[])
{
poptContext pc;
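Review bot: The new test only uses an ASCII name without LDAP filter metacharacters, so it never checks the property that matters most for this helper: that escaping done by sss_filter_sanitize survives the lower-casing step unchanged, and that the UTF-8 lower-casing path is actually exercised. A third case run while `dom->case_sensitive` is still false, with an input containing `*`, would pin both the escape sequence and its lower-cased form; a non-ASCII input would additionally cover sss_tc_utf8_str_tolower, though its expected value depends on the locale setup of the test and is better added once that is settled. The expected strings below are constructed from the `\2a` escape that sss_filter_sanitize emits for `*`.
```c
    /* … unchanged: case-sensitive and case-insensitive checks above … */

    /* constructed: a filter metacharacter must stay escaped after lower-casing */
    ret = sss_filter_sanitize_for_dom(test_ctx, "Test*User@Test.Domain", dom,
                                      &sanitized, &lc_sanitized);
    assert_int_equal(ret, EOK);
    assert_string_equal(sanitized, "Test\\2aUser@Test.Domain");
    assert_string_equal(lc_sanitized, "test\\2auser@test.domain");
    talloc_free(sanitized);
    talloc_free(lc_sanitized);
```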
@@ -688,6 +723,9 @@ int main(int argc, const char *argv[])
unit_test(test_well_known_sid_to_name),
unit_test(test_name_to_well_known_sid),
+
+ unit_test_setup_teardown(test_sss_filter_sanitize_for_dom,
+ setup_dom_list, teardown_dom_list),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
diff --git a/src/util/sss_tc_utf8.c b/src/util/sss_tc_utf8.c
index 6a976211f..e1426a44f 100644
--- a/src/util/sss_tc_utf8.c
+++ b/src/util/sss_tc_utf8.c
@@ -55,3 +55,33 @@ sss_tc_utf8_tolower(TALLOC_CTX *mem_ctx, const uint8_t *s, size_t len, size_t *_
return ret;
}
+errno_t sss_filter_sanitize_for_dom(TALLOC_CTX *mem_ctx,
+ const char *input,
+ struct sss_domain_info *dom,
+ char **sanitized,
+ char **lc_sanitized)
+{
+ int ret;
+
+ ret = sss_filter_sanitize(mem_ctx, input, sanitized);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_filter_sanitize failed.\n"));
+ return ret;
+ }
+
+ if (dom->case_sensitive) {
+ *lc_sanitized = talloc_strdup(mem_ctx, *sanitized);
+ } else {
+ *lc_sanitized = sss_tc_utf8_str_tolower(mem_ctx, *sanitized);
+ }
+
+ if (*lc_sanitized == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("%s failed.\n",
+ dom->case_sensitive ?
+ "talloc_strdup" :
+ "sss_tc_utf8_str_tolower"));
+ return ENOMEM;
+ }
+
+ return EOK;
+}
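Review bot: The order of the two steps is load-bearing and deserves a comment: lower-casing is applied to the already escaped string, which is only safe because case mapping never produces `(`, `)`, `*`, `\` or NUL and because the hex escapes that sss_filter_sanitize emits (`\2a` and friends) are matched case-insensitively by LDAP, so a note like `/* Lower-case after escaping: case mapping cannot introduce filter metacharacters, and hex escapes are case-insensitive in LDAP filters. */` above the if should go in. On the ENOMEM path the function returns with `*sanitized` still allocated on mem_ctx and `*lc_sanitized` NULL; callers in this commit free their tmp_ctx so nothing leaks, but the contract should either say that only mem_ctx may be relied on for cleanup, or the function should `talloc_zfree(*sanitized);` before `return ENOMEM;` so the two outputs are consistent on every return. `dom` is dereferenced without a check; all callers here pass a domain they already used, so this is presumably fine, but `ret` would read more naturally as `errno_t` to match the return type.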
diff --git a/src/util/util.h b/src/util/util.h
index c2499555b..101270571 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -511,6 +511,12 @@ errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,
const char *input,
char **sanitized);
+errno_t sss_filter_sanitize_for_dom(TALLOC_CTX *mem_ctx,
+ const char *input,
+ struct sss_domain_info *dom,
+ char **sanitized,
+ char **lc_sanitized);
+
char *
sss_escape_ip_address(TALLOC_CTX *mem_ctx, int family, const char *addr);
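Review bot: The new prototype has no documentation, unlike a reader of util.h would expect for a helper that returns two allocations. A short Doxygen block above it should state that `sanitized` is the escaped input as produced by sss_filter_sanitize, that `lc_sanitized` is its lower-cased form when `dom->case_sensitive` is false and an identical copy otherwise, that both strings are allocated on `mem_ctx` and owned by the caller, and that on a non-EOK return the output pointers must not be used. Keeping the prototype's parameter names, as done here, is good; the comment is what is missing.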