summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2015-07-14 14:41:34 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-07-16 15:26:29 +0200
commit4f1897ad419790834573643e88ac03e6c5c1c4be (patch)
treec4659332479e0be55ca84a7d6cf016194a7432c7 /src
parentf6a71ab5f06642727d5004b9a745a1b8e0393d78 (diff)
downloadsssd-4f1897ad419790834573643e88ac03e6c5c1c4be.tar.gz
sssd-4f1897ad419790834573643e88ac03e6c5c1c4be.tar.xz
sssd-4f1897ad419790834573643e88ac03e6c5c1c4be.zip
nss_check_name_of_well_known_sid() improve name splitting
Currently in the default configuration nss_check_name_of_well_known_sid() can only split fully-qualified names in the user@domain.name style. DOM\user style names will cause an error and terminate the whole request. With this patch both styles can be handled by default, additionally if the name could not be split nss_check_name_of_well_known_sid() returns ENOENT which can be handled more gracefully by the caller. Resolves https://fedorahosted.org/sssd/ticket/2717 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/responder/nss/nsssrv_cmd.c8
-rw-r--r--src/tests/cmocka/test_nss_srv.c92
-rw-r--r--src/util/usertools.c3
3 files changed, 62 insertions, 41 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 012946730..b3998015f 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1255,6 +1255,14 @@ static int nss_check_name_of_well_known_sid(struct nss_cmd_ctx *cmdctx,
return ret;
}
+ if (wk_dom_name == NULL || wk_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to split [%s] in name and domain part. " \
+ "Skipping check for well-known name.\n", full_name);
+
+ return ENOENT;
+ }
+
ret = name_to_well_known_sid(wk_dom_name, wk_name, &wk_sid);
talloc_free(wk_dom_name);
talloc_free(wk_name);
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 3ab8d39c4..84d3413be 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -1734,63 +1734,77 @@ void test_nss_well_known_getidbysid_failure(void **state)
void test_nss_well_known_getsidbyname(void **state)
{
errno_t ret;
+ const char *names[] = { "Cryptographic Operators@BUILTIN",
+ "BUILTIN\\Cryptographic Operators", NULL};
+ size_t c;
+
+ for (c = 0; names[c] != NULL; c++) {
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, names[c]);
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ will_return(test_nss_well_known_sid_check, "S-1-5-32-569");
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
- will_return(__wrap_sss_packet_get_body, "Cryptographic Operators@BUILTIN");
- will_return(__wrap_sss_packet_get_body, 0);
- will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- will_return(test_nss_well_known_sid_check, "S-1-5-32-569");
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
- set_cmd_cb(test_nss_well_known_sid_check);
- ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
- nss_test_ctx->nss_cmds);
- assert_int_equal(ret, EOK);
-
- /* Wait until the test finishes with EOK */
- ret = test_ev_loop(nss_test_ctx->tctx);
- assert_int_equal(ret, EOK);
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ }
}
void test_nss_well_known_getsidbyname_nonexisting(void **state)
{
errno_t ret;
+ const char *names[] = { "Abc@BUILTIN", "BUILTIN\\Abc", NULL };
+ size_t c;
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
- will_return(__wrap_sss_packet_get_body, "Abc@BUILTIN");
- will_return(__wrap_sss_packet_get_body, 0);
- will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
- will_return(test_nss_well_known_sid_check, NULL);
+ for (c = 0; names[c] != NULL; c++) {
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, names[c]);
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+ will_return(test_nss_well_known_sid_check, NULL);
- set_cmd_cb(test_nss_well_known_sid_check);
- ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
- nss_test_ctx->nss_cmds);
- assert_int_equal(ret, EOK);
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
- /* Wait until the test finishes with EOK */
- ret = test_ev_loop(nss_test_ctx->tctx);
- assert_int_equal(ret, EOK);
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ }
}
void test_nss_well_known_getsidbyname_special(void **state)
{
errno_t ret;
+ const char *names[] = { "CREATOR OWNER@CREATOR AUTHORITY",
+ "CREATOR AUTHORITY\\CREATOR OWNER", NULL };
+ size_t c;
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
- will_return(__wrap_sss_packet_get_body, "CREATOR OWNER@CREATOR AUTHORITY");
- will_return(__wrap_sss_packet_get_body, 0);
- will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- will_return(test_nss_well_known_sid_check, "S-1-3-0");
+ for (c = 0; names[c] != NULL; c++) {
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, names[c]);
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ will_return(test_nss_well_known_sid_check, "S-1-3-0");
- set_cmd_cb(test_nss_well_known_sid_check);
- ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
- nss_test_ctx->nss_cmds);
- assert_int_equal(ret, EOK);
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
- /* Wait until the test finishes with EOK */
- ret = test_ev_loop(nss_test_ctx->tctx);
- assert_int_equal(ret, EOK);
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ }
}
static int test_nss_getorigbyname_check(uint32_t status, uint8_t *body,
diff --git a/src/util/usertools.c b/src/util/usertools.c
index c43d420e3..87a8d7411 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -249,8 +249,7 @@ int sss_names_init(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
}
if (!re_pattern) {
- re_pattern = talloc_strdup(tmpctx,
- "(?P<name>[^@]+)@?(?P<domain>[^@]*$)");
+ re_pattern = talloc_strdup(tmpctx, IPA_AD_DEFAULT_RE);
if (!re_pattern) {
ret = ENOMEM;
goto done;