sss_cache: User/groups invalidation in domain cache

When a group/users are invalidated from sss_cache, the group/user information in domain and timestamps cache are inconsistent with regard to dataExpireTimestamp attribute. This patch fixes the problem by explicitly invalidating the domain cache's entry when the timestamp cache entry is invalidated by sss_cache call. There is one new function: * sysdb_invalidate_cache_entry() provided for this purpose and used only in sss_cache utility. Resolves: https://fedorahosted.org/sssd/ticket/3164 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
author: Petr Čech <pcech@redhat.com> 2017-02-14 12:07:19 +0100
committer: Jakub Hrozek <jhrozek@redhat.com> 2017-03-08 12:36:56 +0100
commit: 57a924e71230ea360b19a88e0d5818cf01017161 (patch)
tree: a046c67a239f969f1183a876c182d35eccbf2f52 /src/tests
parent: 4358d76475f0292461a2a479d2149472db103c1d (diff)
download: sssd-57a924e71230ea360b19a88e0d5818cf01017161.tar.gz
sssd-57a924e71230ea360b19a88e0d5818cf01017161.tar.xz
sssd-57a924e71230ea360b19a88e0d5818cf01017161.zip
2 files changed, 73 insertions, 8 deletions
diff --git a/src/tests/intg/sssd_ldb.py b/src/tests/intg/sssd_ldb.py
index 399ec8a28..7c6a5f418 100644
--- a/src/tests/intg/sssd_ldb.py
+++ b/src/tests/intg/sssd_ldb.py
@@ -19,6 +19,7 @@
 import os
 import ldb
 import config
+import subprocess
 
 
 class CacheType(object):
@@ -83,3 +84,13 @@ class SssdLdb(object):
             return None
 
         return res.msgs[0].get(attr).get(0)
+
+    def invalidate_entry(self, name, entry_type, domain):
+        dbconn = self._get_dbconn(CacheType.timestamps)
+
+        m = ldb.Message()
+        m.dn = ldb.Dn(dbconn, self._basedn(name, domain, entry_type))
+        m["dataExpireTimestamp"] = ldb.MessageElement(str(1),
+                                                      ldb.FLAG_MOD_REPLACE,
+                                                      "dataExpireTimestamp")
+        dbconn.modify(m)
diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py
index 445cdf608..5a8d99744 100644
--- a/src/tests/intg/test_ts_cache.py
+++ b/src/tests/intg/test_ts_cache.py
@@ -199,13 +199,11 @@ def ldb_examine(request):
     return ldb_conn
 
 
-def invalidate_group(name):
-    subprocess.call(["sss_cache", "-g", name])
-
-
-def invalidate_user(name):
-    subprocess.call(["sss_cache", "-u", name])
+def invalidate_group(ldb_conn, name):
+    ldb_conn.invalidate_entry(name, sssd_ldb.TsCacheEntry.group, SSSD_DOMAIN)
 
+def invalidate_user(ldb_conn, name):
+    ldb_conn.invalidate_entry(name, sssd_ldb.TsCacheEntry.user, SSSD_DOMAIN)
 
 def get_attrs(ldb_conn, type, name, domain, attr_list):
     sysdb_attrs = dict()
@@ -252,7 +250,7 @@ def prime_cache_group(ldb_conn, name, members):
 
     # just to force different stamps and make sure memcache is gone
     time.sleep(1)
-    invalidate_group(name)
+    invalidate_group(ldb_conn, name)
 
     return sysdb_attrs, ts_attrs
 
@@ -271,7 +269,7 @@ def prime_cache_user(ldb_conn, name, primary_gid):
 
     # just to force different stamps and make sure memcache is gone
     time.sleep(1)
-    invalidate_user(name)
+    invalidate_user(ldb_conn, name)
 
     return sysdb_attrs, ts_attrs
 
@@ -615,3 +613,59 @@ def test_user_2307bis_delete_user(ldap_conn,
     assert sysdb_attrs.get("originalModifyTimestamp") is None
     assert ts_attrs.get("dataExpireTimestamp") is None
     assert ts_attrs.get("originalModifyTimestamp") is None
+
+
+def test_sss_cache_invalidate_user(ldap_conn,
+                                   ldb_examine,
+                                   setup_rfc2307bis ):
+    """
+    Test that sss_cache invalidate user in both caches
+    """
+
+    ldb_conn = ldb_examine
+    old_sysdb_attrs, old_ts_attrs = prime_cache_user(ldb_conn, "user1", 2001)
+
+    subprocess.call(["sss_cache", "-u", "user1"])
+
+    sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, "user1",
+                                           SSSD_DOMAIN, TS_ATTRLIST)
+
+    assert sysdb_attrs.get("dataExpireTimestamp") == '1'
+    assert ts_attrs.get("dataExpireTimestamp") == '1'
+
+    time.sleep(1)
+    pwd.getpwnam("user1")
+    sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, "user1",
+                                           SSSD_DOMAIN, TS_ATTRLIST)
+
+    assert sysdb_attrs.get("dataExpireTimestamp") == '1'
+    assert_diff_attrval(ts_attrs, sysdb_attrs, "dataExpireTimestamp")
+
+
+def test_sss_cache_invalidate_group(ldap_conn,
+                                    ldb_examine,
+                                    setup_rfc2307bis ):
+    """
+    Test that sss_cache invalidate group in both caches
+    """
+
+    ldb_conn = ldb_examine
+    old_sysdb_attrs, old_ts_attrs = prime_cache_group(
+                                                ldb_conn, "group1",
+                                                ("user1", "user11", "user21"))
+
+    subprocess.call(["sss_cache", "-g", "group1"])
+
+    sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1",
+                                            SSSD_DOMAIN, TS_ATTRLIST)
+
+    assert sysdb_attrs.get("dataExpireTimestamp") == '1'
+    assert ts_attrs.get("dataExpireTimestamp") == '1'
+
+    time.sleep(1)
+    grp.getgrnam("group1")
+    sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1",
+                                            SSSD_DOMAIN, TS_ATTRLIST)
+
+    assert sysdb_attrs.get("dataExpireTimestamp") == '1'
+    assert_diff_attrval(ts_attrs, sysdb_attrs, "dataExpireTimestamp")
author	Petr Čech <pcech@redhat.com>	2017-02-14 12:07:19 +0100
committer	Jakub Hrozek <jhrozek@redhat.com>	2017-03-08 12:36:56 +0100
commit	57a924e71230ea360b19a88e0d5818cf01017161 (patch)
tree	a046c67a239f969f1183a876c182d35eccbf2f52 /src/tests
parent	4358d76475f0292461a2a479d2149472db103c1d (diff)
download	sssd-57a924e71230ea360b19a88e0d5818cf01017161.tar.gz sssd-57a924e71230ea360b19a88e0d5818cf01017161.tar.xz sssd-57a924e71230ea360b19a88e0d5818cf01017161.zip