authorSumit Bose <sbose@redhat.com>2015-07-14 14:41:34 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-07-17 17:18:35 +0200
commitf9f227bb5a7fe6e5af83debbbd892bdb4e13894d (patch)
tree98d25f451ec359a0989d98abdc2e8276cad8c37f
parentaac1c3031aadce0682c4e3873634e405cdd41e69 (diff)
nss_check_name_of_well_known_sid() improve name splitting
Currently, in the default configuration, nss_check_name_of_well_known_sid() can only split fully-qualified names in the user@domain.name style. DOM\user style names will cause an error and terminate the whole request. With this patch both styles can be handled by default. Additionally, if the name could not be split, nss_check_name_of_well_known_sid() returns ENOENT, which can be handled more gracefully by the caller. Resolves https://fedorahosted.org/sssd/ticket/2717 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r--src/responder/nss/nsssrv_cmd.c8
-rw-r--r--src/tests/cmocka/test_nss_srv.c92
-rw-r--r--src/util/usertools.c3
3 files changed, 62 insertions, 41 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 012946730..b3998015f 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1255,6 +1255,14 @@ static int nss_check_name_of_well_known_sid(struct nss_cmd_ctx *cmdctx,
return ret;
}
+ if (wk_dom_name == NULL || wk_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to split [%s] in name and domain part. " \
+ "Skipping check for well-known name.\n", full_name);
+
+ return ENOENT;
+ }
+
ret = name_to_well_known_sid(wk_dom_name, wk_name, &wk_sid);
talloc_free(wk_dom_name);
talloc_free(wk_name);
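Review bot: The added `return ENOENT;` leaves before the two `talloc_free()` calls that follow, so when only one of `wk_dom_name` / `wk_name` is NULL the other stays allocated on its parent context until that context is released. `full_name` appears to be the name sent by the client, so this path is reachable on demand; freeing both first, `talloc_free(wk_dom_name); talloc_free(wk_name);` (talloc_free tolerates NULL), keeps the early exit symmetric with the normal path. The message is logged at `SSSDBG_OP_FAILURE` although the commit treats an unsplittable name as an expected case the caller handles, so a lower level such as `SSSDBG_MINOR_FAILURE` would keep client-triggered noise out of the failure log. The function starts and ends outside this hunk, so the context the two strings are allocated on is not visible here.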
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 3ab8d39c4..84d3413be 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -1734,63 +1734,77 @@ void test_nss_well_known_getidbysid_failure(void **state)
void test_nss_well_known_getsidbyname(void **state)
{
errno_t ret;
+ const char *names[] = { "Cryptographic Operators@BUILTIN",
+ "BUILTIN\\Cryptographic Operators", NULL};
+ size_t c;
+
+ for (c = 0; names[c] != NULL; c++) {
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, names[c]);
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ will_return(test_nss_well_known_sid_check, "S-1-5-32-569");
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
- will_return(__wrap_sss_packet_get_body, "Cryptographic Operators@BUILTIN");
- will_return(__wrap_sss_packet_get_body, 0);
- will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- will_return(test_nss_well_known_sid_check, "S-1-5-32-569");
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
- set_cmd_cb(test_nss_well_known_sid_check);
- ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
- nss_test_ctx->nss_cmds);
- assert_int_equal(ret, EOK);
-
- /* Wait until the test finishes with EOK */
- ret = test_ev_loop(nss_test_ctx->tctx);
- assert_int_equal(ret, EOK);
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ }
}
void test_nss_well_known_getsidbyname_nonexisting(void **state)
{
errno_t ret;
+ const char *names[] = { "Abc@BUILTIN", "BUILTIN\\Abc", NULL };
+ size_t c;
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
- will_return(__wrap_sss_packet_get_body, "Abc@BUILTIN");
- will_return(__wrap_sss_packet_get_body, 0);
- will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
- will_return(test_nss_well_known_sid_check, NULL);
+ for (c = 0; names[c] != NULL; c++) {
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, names[c]);
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+ will_return(test_nss_well_known_sid_check, NULL);
- set_cmd_cb(test_nss_well_known_sid_check);
- ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
- nss_test_ctx->nss_cmds);
- assert_int_equal(ret, EOK);
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
- /* Wait until the test finishes with EOK */
- ret = test_ev_loop(nss_test_ctx->tctx);
- assert_int_equal(ret, EOK);
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ }
}
void test_nss_well_known_getsidbyname_special(void **state)
{
errno_t ret;
+ const char *names[] = { "CREATOR OWNER@CREATOR AUTHORITY",
+ "CREATOR AUTHORITY\\CREATOR OWNER", NULL };
+ size_t c;
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
- will_return(__wrap_sss_packet_get_body, "CREATOR OWNER@CREATOR AUTHORITY");
- will_return(__wrap_sss_packet_get_body, 0);
- will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
- will_return(test_nss_well_known_sid_check, "S-1-3-0");
+ for (c = 0; names[c] != NULL; c++) {
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, names[c]);
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ will_return(test_nss_well_known_sid_check, "S-1-3-0");
- set_cmd_cb(test_nss_well_known_sid_check);
- ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
- nss_test_ctx->nss_cmds);
- assert_int_equal(ret, EOK);
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
- /* Wait until the test finishes with EOK */
- ret = test_ev_loop(nss_test_ctx->tctx);
- assert_int_equal(ret, EOK);
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ }
}
static int test_nss_getorigbyname_check(uint32_t status, uint8_t *body,
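Review bot: None of the three tests touched here exercises the branch this commit adds to nss_check_name_of_well_known_sid(), the `ENOENT` return for a name that cannot be split; every `names[]` array holds only the two fully-qualified spellings. A case that sends a name with no domain part would pin that the request is carried on rather than terminated, which is the behaviour the commit description promises. The loop body is also repeated almost verbatim in all three functions; a static helper taking the name, the expected SID string and whether the extra `WRAP_CALL_REAL` is queued would stop the copies from drifting apart. Tests elsewhere in the file are outside this hunk, so such a case may already exist.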
diff --git a/src/util/usertools.c b/src/util/usertools.c
index c43d420e3..87a8d7411 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -249,8 +249,7 @@ int sss_names_init(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
}
if (!re_pattern) {
- re_pattern = talloc_strdup(tmpctx,
- "(?P<name>[^@]+)@?(?P<domain>[^@]*$)");
+ re_pattern = talloc_strdup(tmpctx, IPA_AD_DEFAULT_RE);
if (!re_pattern) {
ret = ENOMEM;
goto done;