authorJakub Hrozek <jhrozek@redhat.com>2016-06-19 19:54:50 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-07-07 10:25:57 +0200
commit27bf39ed3e197497cf4aca58038d788ea5b5ddbc (patch)
tree004c1ff348b90ff519f60047bdd4a72cbcda16ba
parente43929e2cebc3140b550fb6305ba42b8465efc59 (diff)
NCACHE: Store FQDNs internaly, check for shortnames in files
When storing users and groups by their name in the negative cache, store them fully qualified so that the responder only has to track the name in the internal format once the input is converted. Reviewed-by: Sumit Bose <sbose@redhat.com>
-rw-r--r--src/responder/common/negcache.c53
-rw-r--r--src/responder/common/negcache_files.c18
-rw-r--r--src/tests/cmocka/test_negcache.c84
-rw-r--r--src/tests/cwrap/test_negcache.c120
4 files changed, 216 insertions, 59 deletions
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 025455238..dfeb0d483 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -679,6 +679,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
char *conf_path = NULL;
TALLOC_CTX *tmpctx = talloc_new(NULL);
int i;
+ char *fqname = NULL;
+
+ if (tmpctx == NULL) {
+ return ENOMEM;
+ }
/* Populate domain-specific negative cache entries */
for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
@@ -721,7 +726,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
- ret = sss_ncache_set_user(ncache, true, dom, name);
+ fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom, fqname);
+ talloc_zfree(fqname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to store permanent user filter for [%s]"
@@ -773,7 +784,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
- ret = sss_ncache_set_user(ncache, true, dom, name);
+ fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom, fqname);
+ talloc_zfree(fqname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to store permanent user filter for [%s]"
@@ -783,7 +800,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}
} else {
for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
- ret = sss_ncache_set_user(ncache, true, dom, name);
+ fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom, fqname);
+ talloc_zfree(fqname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to store permanent user filter for"
@@ -829,7 +852,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
- ret = sss_ncache_set_group(ncache, true, dom, name);
+ fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom, fqname);
+ talloc_zfree(fqname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to store permanent group filter for [%s]"
@@ -881,7 +910,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
- ret = sss_ncache_set_group(ncache, true, dom, name);
+ fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom, fqname);
+ talloc_zfree(fqname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to store permanent group filter for"
@@ -891,7 +926,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}
} else {
for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
- ret = sss_ncache_set_group(ncache, true, dom, name);
+ fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom, fqname);
+ talloc_zfree(fqname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to store permanent group filter for"
diff --git a/src/responder/common/negcache_files.c b/src/responder/common/negcache_files.c
index 1b9a4be43..4256186d9 100644
--- a/src/responder/common/negcache_files.c
+++ b/src/responder/common/negcache_files.c
@@ -34,8 +34,15 @@ bool is_user_local_by_name(const char *name)
char buffer[BUFFER_SIZE];
bool is_local = false;
int ret;
+ char *shortname = NULL;
- ret = getpwnam_r(name, &pwd, buffer, BUFFER_SIZE, &pwd_result);
+ ret = sss_parse_internal_fqname(NULL, name, &shortname, NULL);
+ if (ret != EOK) {
+ return false;
+ }
+
+ ret = getpwnam_r(shortname, &pwd, buffer, BUFFER_SIZE, &pwd_result);
+ talloc_free(shortname);
if (ret == EOK && pwd_result != NULL) {
DEBUG(SSSDBG_TRACE_FUNC, "User %s is a local user\n", name);
is_local = true;
@@ -69,8 +76,15 @@ bool is_group_local_by_name(const char *name)
char buffer[BUFFER_SIZE];
bool is_local = false;
int ret;
+ char *shortname = NULL;
+
+ ret = sss_parse_internal_fqname(NULL, name, &shortname, NULL);
+ if (ret != EOK) {
+ return false;
+ }
- ret = getgrnam_r(name, &grp, buffer, BUFFER_SIZE, &grp_result);
+ ret = getgrnam_r(shortname, &grp, buffer, BUFFER_SIZE, &grp_result);
+ talloc_free(shortname);
if (ret == EOK && grp_result != NULL) {
DEBUG(SSSDBG_TRACE_FUNC, "Group %s is a local group\n", name);
is_local = true;
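Review bot: Both `is_user_local_by_name()` and `is_group_local_by_name()` now return `false` as soon as `sss_parse_internal_fqname()` fails, with no trace of why, so a caller that still hands in an unqualified name (or a name that does not parse for any other reason) is silently reported as "not local" instead of being checked against the files backend as before. That is a behaviour change in a check that gates whether a name is treated as local, and it will be hard to diagnose from the logs; add a message before the early return, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, "Cannot parse [%s] as an internal fqname: %d\n", name, ret);` in both functions. Also note the shortname is allocated on a NULL talloc context and only freed on the success path of the parse; that is fine today but worth a comment since both functions otherwise use only stack buffers.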
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index 322541769..2e3575771 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -305,7 +305,7 @@ static void test_sss_ncache_user(void **state)
{
int ret;
bool permanent;
- const char *name = NAME;
+ char *name;
struct test_state *ts;
struct sss_domain_info *dom;
@@ -313,6 +313,9 @@ static void test_sss_ncache_user(void **state)
dom = talloc(ts, struct sss_domain_info);
dom->name = discard_const_p(char, TEST_DOM_NAME);
+ name = sss_create_internal_fqname(ts, NAME, dom->name);
+ assert_non_null(name);
+
/* test when domain name is not present in database */
dom->case_sensitive = false;
ret = sss_ncache_check_user(ts->ctx, dom, name);
@@ -336,6 +339,8 @@ static void test_sss_ncache_user(void **state)
ret = sss_ncache_check_user(ts->ctx, dom, name);
assert_int_equal(ret, EEXIST);
+
+ talloc_free(name);
}
/* @test_sss_ncache_group : test following functions
@@ -346,7 +351,7 @@ static void test_sss_ncache_group(void **state)
{
int ret;
bool permanent;
- const char *name = NAME;
+ char *name;
struct test_state *ts;
struct sss_domain_info *dom;
@@ -354,6 +359,9 @@ static void test_sss_ncache_group(void **state)
dom = talloc(ts, struct sss_domain_info);
dom->name = discard_const_p(char, TEST_DOM_NAME);
+ name = sss_create_internal_fqname(ts, NAME, dom->name);
+ assert_non_null(name);
+
/* test when domain name is not present in database */
dom->case_sensitive = false;
ret = sss_ncache_check_group(ts->ctx, dom, name);
@@ -377,6 +385,8 @@ static void test_sss_ncache_group(void **state)
ret = sss_ncache_check_group(ts->ctx, dom, name);
assert_int_equal(ret, EEXIST);
+
+ talloc_free(name);
}
/* @test_sss_ncache_netgr : test following functions
@@ -529,6 +539,32 @@ static void test_sss_ncache_reset_permanent(void **state)
assert_int_equal(ret, ENOENT);
}
+static int check_user_in_ncache(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *name)
+{
+ char *fqdn;
+ int ret;
+
+ fqdn = sss_create_internal_fqname(ctx, name, dom->name);
+ ret = sss_ncache_check_user(ctx, dom, fqdn);
+ talloc_free(fqdn);
+ return ret;
+}
+
+static int check_group_in_ncache(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *name)
+{
+ char *fqdn;
+ int ret;
+
+ fqdn = sss_create_internal_fqname(ctx, name, dom->name);
+ ret = sss_ncache_check_group(ctx, dom, fqdn);
+ talloc_free(fqdn);
+ return ret;
+}
+
static void test_sss_ncache_prepopulate(void **state)
{
int ret;
@@ -572,28 +608,28 @@ static void test_sss_ncache_prepopulate(void **state)
sleep(SHORTSPAN);
- ret = sss_ncache_check_user(ncache, dom, "testuser1");
+ ret = check_user_in_ncache(ncache, dom, "testuser1");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_group(ncache, dom, "testgroup1");
+ ret = check_group_in_ncache(ncache, dom, "testgroup1");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_user(ncache, dom, "testuser2");
+ ret = check_user_in_ncache(ncache, dom, "testuser2");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_group(ncache, dom, "testgroup2");
+ ret = check_group_in_ncache(ncache, dom, "testgroup2");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_user(ncache, dom, "testuser3");
+ ret = check_user_in_ncache(ncache, dom, "testuser3");
assert_int_equal(ret, ENOENT);
- ret = sss_ncache_check_group(ncache, dom, "testgroup3");
+ ret = check_group_in_ncache(ncache, dom, "testgroup3");
assert_int_equal(ret, ENOENT);
- ret = sss_ncache_check_user(ncache, dom, "testuser3@somedomain");
+ ret = check_user_in_ncache(ncache, dom, "testuser3@somedomain");
assert_int_equal(ret, ENOENT);
- ret = sss_ncache_check_group(ncache, dom, "testgroup3@somedomain");
+ ret = check_group_in_ncache(ncache, dom, "testgroup3@somedomain");
assert_int_equal(ret, ENOENT);
}
@@ -639,22 +675,22 @@ static void test_sss_ncache_default_domain_suffix(void **state)
ret = sss_ncache_prepopulate(ncache, tc->confdb, ts->rctx);
assert_int_equal(ret, EOK);
- ret = sss_ncache_check_user(ncache, dom, "testuser1");
+ ret = check_user_in_ncache(ncache, dom, "testuser1");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_group(ncache, dom, "testgroup1");
+ ret = check_group_in_ncache(ncache, dom, "testgroup1");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_user(ncache, dom, "testuser2");
+ ret = check_user_in_ncache(ncache, dom, "testuser2");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_group(ncache, dom, "testgroup2");
+ ret = check_group_in_ncache(ncache, dom, "testgroup2");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_user(ncache, dom, "testuser3");
+ ret = check_user_in_ncache(ncache, dom, "testuser3");
assert_int_equal(ret, ENOENT);
- ret = sss_ncache_check_group(ncache, dom, "testgroup3");
+ ret = check_group_in_ncache(ncache, dom, "testgroup3");
assert_int_equal(ret, ENOENT);
}
@@ -722,32 +758,32 @@ static void test_sss_ncache_reset_prepopulate(void **state)
dom2->names = dom->names;
/* First domain should not be known, the second not */
- ret = sss_ncache_check_user(ncache, dom, "testuser1");
+ ret = check_user_in_ncache(ncache, dom, "testuser1");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_group(ncache, dom, "testgroup1");
+ ret = check_group_in_ncache(ncache, dom, "testgroup1");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_user(ncache, dom2, "testuser2");
+ ret = check_user_in_ncache(ncache, dom2, "testuser2");
assert_int_equal(ret, ENOENT);
- ret = sss_ncache_check_group(ncache, dom2, "testgroup2");
+ ret = check_group_in_ncache(ncache, dom2, "testgroup2");
assert_int_equal(ret, ENOENT);
ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
assert_int_equal(ret, EOK);
/* First domain should not be known, the second not */
- ret = sss_ncache_check_user(ncache, dom, "testuser1");
+ ret = check_user_in_ncache(ncache, dom, "testuser1");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_group(ncache, dom, "testgroup1");
+ ret = check_group_in_ncache(ncache, dom, "testgroup1");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_user(ncache, dom2, "testuser2");
+ ret = check_user_in_ncache(ncache, dom2, "testuser2");
assert_int_equal(ret, EEXIST);
- ret = sss_ncache_check_group(ncache, dom2, "testgroup2");
+ ret = check_group_in_ncache(ncache, dom2, "testgroup2");
assert_int_equal(ret, EEXIST);
}
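Review bot: The new helpers `check_user_in_ncache()` and `check_group_in_ncache()` pass `fqdn` straight to `sss_ncache_check_user()`/`sss_ncache_check_group()` without checking the result of `sss_create_internal_fqname()`, unlike the `assert_non_null(name)` this commit adds in `test_sss_ncache_user()` and `test_sss_ncache_group()`; a NULL would turn an allocation failure into a confusing lookup result rather than a test failure. The same applies to `set_user_in_ncache()`, `set_group_in_ncache()`, `check_user_in_ncache()` and `check_group_in_ncache()` in src/tests/cwrap/test_negcache.c. Add `assert_non_null(fqdn);` right after the `sss_create_internal_fqname()` call in each helper. A one-line comment on each helper saying it qualifies the short test name with `dom->name` before hitting the cache would also make the intent of the indirection clear to the next reader.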
int main(void)
diff --git a/src/tests/cwrap/test_negcache.c b/src/tests/cwrap/test_negcache.c
index 32a78ba7f..d43ef98ae 100644
--- a/src/tests/cwrap/test_negcache.c
+++ b/src/tests/cwrap/test_negcache.c
@@ -32,7 +32,7 @@
#define TIMEOUT 10000
#define TESTS_PATH "tp_" BASE_FILE_STEM
-#define TEST_CONF_DB "test_sysdb_sudorules.ldb"
+#define TEST_CONF_DB "test_negcache_confdb.ldb"
#define TEST_DOM_NAME "test_domain.test"
#define TEST_LOCAL_USER_NAME_1 "foobar"
@@ -54,14 +54,22 @@ struct test_user {
} users[] = { { "test_user1", 1001, 50001 },
{ "test_user2", 1002, 50002 } };
-static void create_users(struct sss_domain_info *domain)
+static void create_users(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain)
{
errno_t ret;
+ char *fqname;
for (int i = 0; i < 2; i++) {
+ fqname = sss_create_internal_fqname(mem_ctx,
+ users[i].name,
+ domain->name);
+ assert_non_null(fqname);
+
ret = sysdb_add_user(domain, users[i].name, users[i].uid, users[i].gid,
- users[i].name, NULL, "/bin/bash", domain->name,
+ fqname, NULL, "/bin/bash", domain->name,
NULL, 30, time(NULL));
+ talloc_free(fqname);
assert_int_equal(ret, EOK);
}
}
@@ -77,13 +85,21 @@ struct ncache_test_ctx {
struct sss_nc_ctx *ncache;
};
-static void create_groups(struct sss_domain_info *domain)
+static void create_groups(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain)
{
errno_t ret;
+ char *fqname;
for (int i = 0; i < 2; i++) {
- ret = sysdb_add_group(domain, groups[i].name, groups[i].gid,
+ fqname = sss_create_internal_fqname(mem_ctx,
+ groups[i].name,
+ domain->name);
+ assert_non_null(fqname);
+
+ ret = sysdb_add_group(domain, fqname, groups[i].gid,
NULL, 30, time(NULL));
+ talloc_free(fqname);
assert_int_equal(ret, EOK);
}
}
@@ -115,8 +131,8 @@ static int test_ncache_setup(void **state)
TEST_DOM_NAME, "ipa", NULL);
assert_non_null(test_ctx->tctx);
- create_groups(test_ctx->tctx->dom);
- create_users(test_ctx->tctx->dom);
+ create_groups(test_ctx, test_ctx->tctx->dom);
+ create_users(test_ctx, test_ctx->tctx->dom);
check_leaks_push(test_ctx);
@@ -140,18 +156,68 @@ static int test_ncache_teardown(void **state)
return 0;
}
+static int set_user_in_ncache(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name)
+{
+ char *fqdn;
+ int ret;
+
+ fqdn = sss_create_internal_fqname(ctx, name, dom->name);
+ ret = sss_ncache_set_user(ctx, permanent, dom, fqdn);
+ talloc_free(fqdn);
+ return ret;
+}
+
+static int set_group_in_ncache(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name)
+{
+ char *fqdn;
+ int ret;
+
+ fqdn = sss_create_internal_fqname(ctx, name, dom->name);
+ ret = sss_ncache_set_group(ctx, permanent, dom, fqdn);
+ talloc_free(fqdn);
+ return ret;
+}
+
+static int check_user_in_ncache(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *name)
+{
+ char *fqdn;
+ int ret;
+
+ fqdn = sss_create_internal_fqname(ctx, name, dom->name);
+ ret = sss_ncache_check_user(ctx, dom, fqdn);
+ talloc_free(fqdn);
+ return ret;
+}
+
+static int check_group_in_ncache(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *name)
+{
+ char *fqdn;
+ int ret;
+
+ fqdn = sss_create_internal_fqname(ctx, name, dom->name);
+ ret = sss_ncache_check_group(ctx, dom, fqdn);
+ talloc_free(fqdn);
+ return ret;
+}
+
/* user utils */
static void set_users(struct ncache_test_ctx *test_ctx)
{
int ret;
- ret = sss_ncache_set_user(test_ctx->ncache, false, test_ctx->tctx->dom,
+ ret = set_user_in_ncache(test_ctx->ncache, false, test_ctx->tctx->dom,
users[0].name);
assert_int_equal(ret, EOK);
- ret = sss_ncache_set_user(test_ctx->ncache, false, test_ctx->tctx->dom,
- TEST_LOCAL_USER_NAME_1);
+ ret = set_user_in_ncache(test_ctx->ncache, false, test_ctx->tctx->dom,
+ TEST_LOCAL_USER_NAME_1);
assert_int_equal(ret, EOK);
}
@@ -160,19 +226,19 @@ static void check_users(struct ncache_test_ctx *test_ctx,
{
int ret;
- ret = sss_ncache_check_user(test_ctx->ncache, test_ctx->tctx->dom,
+ ret = check_user_in_ncache(test_ctx->ncache, test_ctx->tctx->dom,
users[0].name);
assert_int_equal(ret, case_a);
- ret = sss_ncache_check_user(test_ctx->ncache, test_ctx->tctx->dom,
+ ret = check_user_in_ncache(test_ctx->ncache, test_ctx->tctx->dom,
users[1].name);
assert_int_equal(ret, case_b);
- ret = sss_ncache_check_user(test_ctx->ncache, test_ctx->tctx->dom,
+ ret = check_user_in_ncache(test_ctx->ncache, test_ctx->tctx->dom,
TEST_LOCAL_USER_NAME_1);
assert_int_equal(ret, case_c);
- ret = sss_ncache_check_user(test_ctx->ncache, test_ctx->tctx->dom,
+ ret = check_user_in_ncache(test_ctx->ncache, test_ctx->tctx->dom,
TEST_LOCAL_USER_NAME_2);
assert_int_equal(ret, case_d);
}
@@ -368,12 +434,12 @@ static void set_groups(struct ncache_test_ctx *test_ctx)
{
int ret;
- ret = sss_ncache_set_group(test_ctx->ncache, false, test_ctx->tctx->dom,
- groups[0].name);
+ ret = set_group_in_ncache(test_ctx->ncache, false, test_ctx->tctx->dom,
+ groups[0].name);
assert_int_equal(ret, EOK);
- ret = sss_ncache_set_group(test_ctx->ncache, false, test_ctx->tctx->dom,
- TEST_LOCAL_GROUP_NAME_1);
+ ret = set_group_in_ncache(test_ctx->ncache, false, test_ctx->tctx->dom,
+ TEST_LOCAL_GROUP_NAME_1);
assert_int_equal(ret, EOK);
}
@@ -382,20 +448,20 @@ static void check_groups(struct ncache_test_ctx *test_ctx,
{
int ret;
- ret = sss_ncache_check_group(test_ctx->ncache, test_ctx->tctx->dom,
- groups[0].name);
+ ret = check_group_in_ncache(test_ctx->ncache, test_ctx->tctx->dom,
+ groups[0].name);
assert_int_equal(ret, case_a);
- ret = sss_ncache_check_group(test_ctx->ncache, test_ctx->tctx->dom,
- groups[1].name);
+ ret = check_group_in_ncache(test_ctx->ncache, test_ctx->tctx->dom,
+ groups[1].name);
assert_int_equal(ret, case_b);
- ret = sss_ncache_check_group(test_ctx->ncache, test_ctx->tctx->dom,
- TEST_LOCAL_GROUP_NAME_1);
+ ret = check_group_in_ncache(test_ctx->ncache, test_ctx->tctx->dom,
+ TEST_LOCAL_GROUP_NAME_1);
assert_int_equal(ret, case_c);
- ret = sss_ncache_check_group(test_ctx->ncache, test_ctx->tctx->dom,
- TEST_LOCAL_GROUP_NAME_2);
+ ret = check_group_in_ncache(test_ctx->ncache, test_ctx->tctx->dom,
+ TEST_LOCAL_GROUP_NAME_2);
assert_int_equal(ret, case_d);
}
@@ -672,4 +738,4 @@ int main(int argc, const char *argv[])
rv = cmocka_run_group_tests(tests, NULL, NULL);
return rv;
-} \ No newline at end of file
+}