author | Fabiano FidĂȘncio <fidencio@redhat.com> | 2017-06-19 09:05:00 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2017-06-21 11:28:08 +0200 |
commit | 86526891366c4bc3e1ee861143b736d2670a6ba8 (patch) | |
tree | 8adb299e99742a0416e135ebe06dc6ed0f5b214e /src/responder | |
parent | 7c0402b85627587bcac004d4bfdbf181bbae8549 (diff) | |
RESPONDER: Use fqnames as output when needed
As some regressions have been caused by not properly handling naming
conflicts when using shortnames, let's explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`
In both cases we want to ensure that, even when handling shortnames as input,
the output will always be fully qualified.
As part of this patch, our tests ended up being modified to reflect the
changes done. In other words, the tests related to shortnames now
expect a fully qualified name as the return value for trusted domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3403
Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/common/cache_req/cache_req_domain.c | 14 | ||||
-rw-r--r-- | src/responder/common/cache_req/cache_req_domain.h | 8 |
2 files changed, 22 insertions, 0 deletions
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c index 8bf7fc6dc..bad4bf9a6 100644 --- a/src/responder/common/cache_req/cache_req_domain.c +++ b/src/responder/common/cache_req/cache_req_domain.c @@ -132,6 +132,12 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, cr_domain->fqnames = cache_req_domain_use_fqnames(dom, enforce_non_fqnames); + /* when using the domain resolution order, using shortnames as + * input is allowed by default. However, we really want to use + * the fully qualified name as output in order to avoid + * conflicts whith users who have the very same name. */ + cr_domain->domain->output_fqnames = true; + DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *); break; @@ -155,6 +161,14 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, cr_domain->fqnames = cache_req_domain_use_fqnames(dom, enforce_non_fqnames); + /* when using the domain resolution order, using shortnames as input + * is allowed by default. However, we really want to use the fully + * qualified name as output in order to avoid conflicts whith users + * who have the very same name. */ + if (resolution_order != NULL) { + cr_domain->domain->output_fqnames = true; + } + DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *); } diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h index 5bcbb9b49..3780a5d8d 100644 --- a/src/responder/common/cache_req/cache_req_domain.h +++ b/src/responder/common/cache_req/cache_req_domain.h 
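Review bot: `cr_domain->domain->output_fqnames = true;` writes through the `domain` pointer held by the list entry, so the flag lives on the domain object rather than on the list being built, and neither this hunk nor the one at @@ -155 ever stores `false`. If the list is later rebuilt with `resolution_order == NULL`, the value left by an earlier call appears to stay in place, so whether names are emitted qualified would depend on call history rather than on the current configuration. Because consumers may key access decisions on the returned name, that state should be deterministic: either assign the flag on every pass, or state in the comment that it is intentionally sticky and may also be set elsewhere (the commit message mentions a trusted-domain case that is not in this diff). The body of cache_req_domain_new_list_from_string_list starts and ends outside both hunks.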
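Review bot: The four-line comment and the assignment in the @@ -155 hunk duplicate the @@ -132 hunk almost word for word, differing only in the `if (resolution_order != NULL)` guard, so the two copies can drift apart on the next change. A small static helper taking `cr_domain` and a boolean for "resolution order in effect" would keep the rule in one place and make the difference between the two call sites explicit. Both copies of the comment also carry the typo `whith`, which should read `with`.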
@@ -35,6 +35,14 @@ struct cache_req_domain * cache_req_domain_get_domain_by_name(struct cache_req_domain *domains, const char *name); +/* + * This function may have a side effect of setting the output_fqnames' domain + * property when it's called. + * + * It happens as the output_fqnames' domain property must only be set depending + * on whether a domain resolution order is set or not, and the saner place to + * set it to all domains is when flattening those (thus, in this function). + */ errno_t cache_req_domain_new_list_from_domain_resolution_order( TALLOC_CTX *mem_ctx, |
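Review bot: The added comment says the function "may" set the `output_fqnames` property, but not on which object or under which condition, and that is what a caller needs in order to reason about name output. Judging by the .c hunks, the write goes to the `domain` referenced by each list entry and happens when a resolution order is in effect, presumably reached through cache_req_domain_new_list_from_string_list; nothing visible clears it again. Suggested wording: `Side effect: when a domain resolution order is set, output_fqnames is set to true on the domain referenced by every entry of the returned list; this function never clears it.` The declaration continues past the end of the hunk.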