author Fabiano Fidêncio <fidencio@redhat.com> 2017-05-17 14:43:39 +0200
committer Lukas Slebodnik <lslebodn@redhat.com> 2017-06-05 17:21:31 +0200
commit 4c09cd008967c5c0ec358dc658ffc6fc1cef2697
tree bd98ab35dd18b067344bdfcae59cfcd80a368f2a /src/responder
parent c8193b1602cf44740b59f5dfcdc5330508c0c365
CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_send()
cache_req_send() may take some shortcuts in case the object is found in the cache and it's still valid.

This behaviour may lead to exposing filtered users and groups when they're searched by their uid/gid.

A solution for this issue was proposed on 4ef0b19a but, unfortunately, didn't take into consideration that this shortcut could be taken.

There are basically two really easy ways to test this issue:

1) Using enumeration:
   - Set "enumerate = True" in the domain section
   - restart SSSD cleaning up the cache;
   - getent passwd <uid of a user who is part of the filter_users>
   - Wait a little bit till the entry_negative_timeout is expired
   - getent passwd <same uid used above>

2) Not using enumeration:
   - getent passwd <uid of a user who is part of the filter_users>
   - Wait a little bit till the entry_negative_timeout is expired
   - getent passwd <same uid used above>

A test covering this code path will be added in the follow-up commit.

Resolves: https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r-- src/responder/common/cache_req/cache_req_search.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
index d3aaa7542..56d0345cd 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -334,6 +334,10 @@ cache_req_search_send(TALLOC_CTX *mem_ctx,
done:
if (ret == EOK) {
+ ret = cache_req_search_ncache_filter(state, cr, &state->result);
+ }
+
+ if (ret == EOK) {
tevent_req_done(req);
} else {
tevent_req_error(req, ret);
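Review bot: With the new call under done:, any non-EOK value returned by cache_req_search_ncache_filter() falls through to tevent_req_error(req, ret), so a lookup whose only match is a filtered user or group now completes as a request error. Please add a short comment above the call saying which return code means "every result was filtered" and that callers are expected to treat it as not found, and say there that the filter is repeated at this point because, per the commit message, the request can finish from a still-valid cache entry without passing the filtering added in 4ef0b19a. The call also writes through &state->result, so it is worth confirming that state->result is populated on every path that reaches done: with ret == EOK. Since this closes an information exposure, I would prefer the regression test to land with this change rather than in a follow-up commit.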