-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/db/sysdb.h4
-rw-r--r--src/db/sysdb_subdomains.c51
-rw-r--r--src/providers/ad/ad_subdomains.c2
-rw-r--r--src/providers/ipa/ipa_subdomains.c2
-rw-r--r--src/tests/cmocka/test_fqnames.c2
-rw-r--r--src/tests/cmocka/test_nss_srv.c4
-rw-r--r--src/tests/sysdb-tests.c40
-rw-r--r--src/util/domain_info_utils.c4
-rw-r--r--src/util/util.h3
10 files changed, 91 insertions, 22 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 93fbce5e5..25b8fe8d3 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -260,6 +260,7 @@ struct sss_domain_info {
char *flat_name;
char *domain_id;
char *forest;
+ uint32_t trust_direction;
struct timeval subdomains_last_checked;
bool has_views;
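Review bot: The new `trust_direction` member carries no comment on what its values mean, even though the rest of the diff gives 0 a special role: sysdb_subdomain_store only writes the attribute on create when the value is non-zero, so 0 effectively reads as "not set", and both providers currently pass 0. A one-line comment on the member, e.g. `uint32_t trust_direction; /* sysdb "trustDirection"; 0 = not set */`, would record that; the same applies to the new parameter added to the sysdb_subdomain_store prototype in sysdb.h and the new_subdomain prototype in util.h. The struct definition extends beyond this hunk.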
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index c3d2c1406..5649f2cb1 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -138,6 +138,7 @@
#define SYSDB_SUBDOMAIN_MPG "mpg"
#define SYSDB_SUBDOMAIN_ENUM "enumerate"
#define SYSDB_SUBDOMAIN_FOREST "memberOfForest"
+#define SYSDB_SUBDOMAIN_TRUST_DIRECTION "trustDirection"
#define SYSDB_BASE_ID "baseID"
#define SYSDB_ID_RANGE_SIZE "idRangeSize"
@@ -430,7 +431,8 @@ errno_t sysdb_domain_create(struct sysdb_ctx *sysdb, const char *domain_name);
errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
const char *name, const char *realm,
const char *flat_name, const char *domain_id,
- bool mpg, bool enumerate, const char *forest);
+ bool mpg, bool enumerate, const char *forest,
+ uint32_t trust_direction);
errno_t sysdb_update_subdomains(struct sss_domain_info *domain);
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 06e9e094e..44cee5e03 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -36,6 +36,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain)
SYSDB_SUBDOMAIN_MPG,
SYSDB_SUBDOMAIN_ENUM,
SYSDB_SUBDOMAIN_FOREST,
+ SYSDB_SUBDOMAIN_TRUST_DIRECTION,
NULL};
struct sss_domain_info *dom;
struct ldb_dn *basedn;
@@ -46,6 +47,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain)
const char *forest;
bool mpg;
bool enumerate;
+ uint32_t trust_direction;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -106,6 +108,10 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain)
forest = ldb_msg_find_attr_as_string(res->msgs[i],
SYSDB_SUBDOMAIN_FOREST, NULL);
+ trust_direction = ldb_msg_find_attr_as_int(res->msgs[i],
+ SYSDB_SUBDOMAIN_TRUST_DIRECTION,
+ 0);
+
/* explicitly use dom->next as we need to check 'disabled' domains */
for (dom = domain->subdomains; dom; dom = dom->next) {
if (strcasecmp(dom->name, name) == 0) {
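Review bot: The attribute is read here with `ldb_msg_find_attr_as_int` into a `uint32_t`, while the store path later in this file reads the same attribute with `ldb_msg_find_attr_as_uint` and writes it with `"%u"`; a stored value at or above 2^31 may not round-trip through the signed reader. Use `trust_direction = ldb_msg_find_attr_as_uint(res->msgs[i], SYSDB_SUBDOMAIN_TRUST_DIRECTION, 0);` so both sides agree on the conversion. sysdb_update_subdomains begins and ends outside this hunk.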
@@ -155,7 +161,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain)
if (dom->enumerate != enumerate) {
DEBUG(SSSDBG_TRACE_INTERNAL,
- "MPG state change from [%s] to [%s]!\n",
+ "enumerate state change from [%s] to [%s]!\n",
dom->enumerate ? "true" : "false",
enumerate ? "true" : "false");
dom->enumerate = enumerate;
@@ -204,13 +210,21 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain)
}
}
+ if (dom->trust_direction != trust_direction) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Trust direction change from [%d] to [%d]!\n",
+ dom->trust_direction, trust_direction);
+ dom->trust_direction = trust_direction;
+ }
+
break;
}
}
/* If not found in loop it is a new subdomain */
if (dom == NULL) {
dom = new_subdomain(domain, domain, name, realm,
- flat, id, mpg, enumerate, forest);
+ flat, id, mpg, enumerate, forest,
+ trust_direction);
if (dom == NULL) {
ret = ENOMEM;
goto done;
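Review bot: The DEBUG call in the new trust-direction block passes two `uint32_t` values through `%d`; the conversion should be unsigned to match the type (and the `"%u"` that sysdb_subdomain_store uses for the same value later in this file), otherwise `-Wformat` builds warn and values at or above 2^31 print negative. Change the format line to `"Trust direction change from [%u] to [%u]!\n",`. The enclosing sysdb_update_subdomains continues outside this hunk.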
@@ -524,7 +538,8 @@ done:
errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
const char *name, const char *realm,
const char *flat_name, const char *domain_id,
- bool mpg, bool enumerate, const char *forest)
+ bool mpg, bool enumerate, const char *forest,
+ uint32_t trust_direction)
{
TALLOC_CTX *tmp_ctx;
struct ldb_message *msg;
@@ -537,6 +552,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
SYSDB_SUBDOMAIN_MPG,
SYSDB_SUBDOMAIN_ENUM,
SYSDB_SUBDOMAIN_FOREST,
+ SYSDB_SUBDOMAIN_TRUST_DIRECTION,
NULL};
const char *tmp_str;
bool tmp_bool;
@@ -547,6 +563,8 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
int mpg_flags = 0;
int enum_flags = 0;
int forest_flags = 0;
+ int td_flags = 0;
+ uint32_t tmp_td;
int ret;
tmp_ctx = talloc_new(NULL);
@@ -578,6 +596,7 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
mpg_flags = LDB_FLAG_MOD_ADD;
enum_flags = LDB_FLAG_MOD_ADD;
if (forest) forest_flags = LDB_FLAG_MOD_ADD;
+ if (trust_direction) td_flags = LDB_FLAG_MOD_ADD;
} else if (res->count != 1) {
ret = EINVAL;
goto done;
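Review bot: On the create path a trust_direction of 0 is not written at all, whereas the update branch of the same function replaces an existing value with an explicit "0"; both read back as 0 through the default of `ldb_msg_find_attr_as_uint`, so the behaviour is consistent, but the asymmetry is easy to misread as a missed store. A comment on the new line, `if (trust_direction) td_flags = LDB_FLAG_MOD_ADD; /* 0 = unset; like forest, not stored on create */`, would make the intent explicit. sysdb_subdomain_store continues outside this hunk.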
@@ -622,10 +641,18 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
forest_flags = LDB_FLAG_MOD_REPLACE;
}
}
+
+ tmp_td = ldb_msg_find_attr_as_uint(res->msgs[0],
+ SYSDB_SUBDOMAIN_TRUST_DIRECTION,
+ 0);
+ if (tmp_td != trust_direction) {
+ td_flags = LDB_FLAG_MOD_REPLACE;
+ }
}
if (!store && realm_flags == 0 && flat_flags == 0 && id_flags == 0
- && mpg_flags == 0 && enum_flags == 0 && forest_flags == 0) {
+ && mpg_flags == 0 && enum_flags == 0 && forest_flags == 0
+ && td_flags == 0) {
ret = EOK;
goto done;
}
@@ -738,6 +765,22 @@ errno_t sysdb_subdomain_store(struct sysdb_ctx *sysdb,
}
}
+ if (td_flags) {
+ ret = ldb_msg_add_empty(msg, SYSDB_SUBDOMAIN_TRUST_DIRECTION,
+ td_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ ret = ldb_msg_add_fmt(msg, SYSDB_SUBDOMAIN_TRUST_DIRECTION,
+ "%u", trust_direction);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+ }
+
ret = ldb_modify(sysdb->ldb, msg);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add subdomain attributes to "
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 71c01b9d7..ac9d8baa1 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -313,7 +313,7 @@ ad_subdom_store(struct ad_subdomains_ctx *ctx,
sid_str);
ret = sysdb_subdomain_store(domain->sysdb, name, realm, flat, sid_str,
- mpg, enumerate, domain->forest);
+ mpg, enumerate, domain->forest, 0);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_subdomain_store failed.\n");
goto done;
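Review bot: The new argument is a bare `0` with nothing at the call site saying why the AD provider does not supply a trust direction; the IPA call in ipa_subdomains.c does the same. A short comment keeps the next reader from assuming the value is meaningful, e.g. `mpg, enumerate, domain->forest, 0 /* trust_direction: not yet populated */);` if filling it in later is the intent. ad_subdom_store begins and ends outside this hunk.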
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index b0cf92e43..bd2fb47ee 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -697,7 +697,7 @@ static errno_t ipa_subdom_store(struct sss_domain_info *parent,
}
ret = sysdb_subdomain_store(parent->sysdb, name, realm, flat,
- id, mpg, enumerate, forest);
+ id, mpg, enumerate, forest, 0);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_subdomain_store failed.\n");
goto done;
diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
index 0326d5a64..3932e9624 100644
--- a/src/tests/cmocka/test_fqnames.c
+++ b/src/tests/cmocka/test_fqnames.c
@@ -309,7 +309,7 @@ static int parse_name_test_setup(void **state)
* discovered
*/
test_ctx->subdom = new_subdomain(dom, dom, SUBDOMNAME, NULL, SUBFLATNAME,
- NULL, false, false, NULL);
+ NULL, false, false, NULL, 0);
assert_non_null(test_ctx->subdom);
check_leaks_push(test_ctx);
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 9119d4b15..2fbb1abbc 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -2666,12 +2666,12 @@ static int nss_subdom_test_setup(void **state)
subdomain = new_subdomain(nss_test_ctx, nss_test_ctx->tctx->dom,
testdom[0], testdom[1], testdom[2], testdom[3],
- false, false, NULL);
+ false, false, NULL, 0);
assert_non_null(subdomain);
ret = sysdb_subdomain_store(nss_test_ctx->tctx->sysdb,
testdom[0], testdom[1], testdom[2], testdom[3],
- false, false, NULL);
+ false, false, NULL, 0);
assert_int_equal(ret, EOK);
ret = sysdb_update_subdomains(nss_test_ctx->tctx->dom);
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 6a77c6eeb..81e31363b 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1312,7 +1312,7 @@ START_TEST (test_sysdb_get_user_attr_subdomain)
/* Create subdomain */
subdomain = new_subdomain(test_ctx, test_ctx->domain,
"test.sub", "TEST.SUB", "test", "S-3",
- false, false, NULL);
+ false, false, NULL, 0);
fail_if(subdomain == NULL, "Failed to create new subdomain.");
ret = sss_names_init_from_args(test_ctx,
@@ -5235,21 +5235,22 @@ START_TEST(test_sysdb_subdomain_create)
ret = sysdb_subdomain_store(test_ctx->sysdb,
dom1[0], dom1[1], dom1[2], dom1[3],
- false, false, NULL);
+ false, false, NULL, 0);
fail_if(ret != EOK, "Could not set up the test (dom1)");
ret = sysdb_update_subdomains(test_ctx->domain);
fail_unless(ret == EOK, "sysdb_update_subdomains failed with [%d][%s]",
ret, strerror(ret));
- fail_if(test_ctx->domain->subdomains == NULL, "Empyt sub-domain list.");
+ fail_if(test_ctx->domain->subdomains == NULL, "Empty sub-domain list.");
fail_if(strcmp(test_ctx->domain->subdomains->name, dom1[0]) != 0,
"Unexpected sub-domain found, expected [%s], got [%s]",
dom1[0], test_ctx->domain->subdomains->name);
+ fail_unless(test_ctx->domain->subdomains->trust_direction == 0);
ret = sysdb_subdomain_store(test_ctx->sysdb,
dom2[0], dom2[1], dom2[2], dom2[3],
- false, false, NULL);
+ false, false, NULL, 1);
fail_if(ret != EOK, "Could not set up the test (dom2)");
ret = sysdb_update_subdomains(test_ctx->domain);
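Review bot: The new `fail_unless(test_ctx->domain->subdomains->trust_direction == 0);` in this hunk has no failure message, unlike every other check around it; the same applies to the three trust_direction checks added in the next hunk of this file. A message naming the expectation, e.g. `fail_unless(test_ctx->domain->subdomains->trust_direction == 0, "Unexpected trust direction for dom1");`, makes a failure diagnosable without reading the source. The test body continues outside this hunk.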
@@ -5260,6 +5261,25 @@ START_TEST(test_sysdb_subdomain_create)
fail_if(strcmp(test_ctx->domain->subdomains->next->name, dom2[0]) != 0,
"Unexpected sub-domain found, expected [%s], got [%s]",
dom2[0], test_ctx->domain->subdomains->next->name);
+ fail_unless(test_ctx->domain->subdomains->next->trust_direction == 1);
+
+ /* Reverse the trust directions */
+ ret = sysdb_subdomain_store(test_ctx->sysdb,
+ dom1[0], dom1[1], dom1[2], dom1[3],
+ false, false, NULL, 1);
+ fail_if(ret != EOK, "Could not set up the test (dom1)");
+
+ ret = sysdb_subdomain_store(test_ctx->sysdb,
+ dom2[0], dom2[1], dom2[2], dom2[3],
+ false, false, NULL, 0);
+ fail_if(ret != EOK, "Could not set up the test (dom2)");
+
+ ret = sysdb_update_subdomains(test_ctx->domain);
+ fail_unless(ret == EOK, "sysdb_update_subdomains failed with [%d][%s]",
+ ret, strerror(ret));
+
+ fail_unless(test_ctx->domain->subdomains->trust_direction == 1);
+ fail_unless(test_ctx->domain->subdomains->next->trust_direction == 0);
ret = sysdb_subdomain_delete(test_ctx->sysdb, dom2[0]);
fail_if(ret != EOK, "Could not delete subdomain");
@@ -5294,11 +5314,11 @@ START_TEST(test_sysdb_subdomain_store_user)
subdomain = new_subdomain(test_ctx, test_ctx->domain,
testdom[0], testdom[1], testdom[2], testdom[3],
- false, false, NULL);
+ false, false, NULL, 0);
fail_unless(subdomain != NULL, "Failed to create new subdomin.");
ret = sysdb_subdomain_store(test_ctx->sysdb,
testdom[0], testdom[1], testdom[2], testdom[3],
- false, false, NULL);
+ false, false, NULL, 0);
fail_if(ret != EOK, "Could not set up the test (test subdom)");
ret = sysdb_update_subdomains(test_ctx->domain);
@@ -5365,11 +5385,11 @@ START_TEST(test_sysdb_subdomain_user_ops)
subdomain = new_subdomain(test_ctx, test_ctx->domain,
testdom[0], testdom[1], testdom[2], testdom[3],
- false, false, NULL);
+ false, false, NULL, 0);
fail_unless(subdomain != NULL, "Failed to create new subdomin.");
ret = sysdb_subdomain_store(test_ctx->sysdb,
testdom[0], testdom[1], testdom[2], testdom[3],
- false, false, NULL);
+ false, false, NULL, 0);
fail_if(ret != EOK, "Could not set up the test (test subdom)");
ret = sysdb_update_subdomains(test_ctx->domain);
@@ -5420,11 +5440,11 @@ START_TEST(test_sysdb_subdomain_group_ops)
subdomain = new_subdomain(test_ctx, test_ctx->domain,
testdom[0], testdom[1], testdom[2], testdom[3],
- false, false, NULL);
+ false, false, NULL, 0);
fail_unless(subdomain != NULL, "Failed to create new subdomin.");
ret = sysdb_subdomain_store(test_ctx->sysdb,
testdom[0], testdom[1], testdom[2], testdom[3],
- false, false, NULL);
+ false, false, NULL, 0);
fail_if(ret != EOK, "Could not set up the test (test subdom)");
ret = sysdb_update_subdomains(test_ctx->domain);
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 073ba3c6a..aa5fc9ad0 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -203,7 +203,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
const char *id,
bool mpg,
bool enumerate,
- const char *forest)
+ const char *forest,
+ uint32_t trust_direction)
{
struct sss_domain_info *dom;
bool inherit_option;
@@ -290,6 +291,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
dom->ignore_group_members = parent->ignore_group_members;
}
+ dom->trust_direction = trust_direction;
/* If the parent domain explicitly limits ID ranges, the subdomain
* should honour the limits as well.
*/
diff --git a/src/util/util.h b/src/util/util.h
index c86bcea5b..8eaeef45d 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -577,7 +577,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
const char *id,
bool mpg,
bool enumerate,
- const char *forest);
+ const char *forest,
+ uint32_t trust_direction);
errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,