author | Pavel Březina <pbrezina@redhat.com> | 2016-05-26 11:37:30 +0200 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-07-07 10:30:26 +0200 |
commit | 61913b8f0d1ba54d82640500d7486fac5f72b030 (patch) | |
tree | 21ed1952b88d463468d690a22f40328e4bbf4d7c /src/tests | |
parent | 552390afcc81af96ca201fa6c25ddefbbecbeb4e (diff) | |
sudo: solve problems with fully qualified names
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with the content of the sudoUser
attribute since it is not qualified.
This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match the current user name, id or groups and
replace the sudoUser attribute with sudoUser: #uid.
2. We fetch complementary rules that contain netgroups since it is
expected we don't have information about existing netgroups in
the cache; sudo still needs to evaluate them for us if needed.
This patch also removes the test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't think it
is a good thing to have filter tests that depend on exact filter
order.
Resolves:
https://fedorahosted.org/sssd/ticket/2919
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/tests')
-rw-r--r-- | src/tests/cmocka/test_sysdb_sudo.c | 72 |
1 files changed, 12 insertions, 60 deletions
diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c
index aebad88eb..889de7237 100644
--- a/src/tests/cmocka/test_sysdb_sudo.c
+++ b/src/tests/cmocka/test_sysdb_sudo.c
@@ -167,8 +167,6 @@ void test_store_sudo(void **state)
 {
 errno_t ret;
 char *filter;
- int uid = 0;
- char **groupnames = NULL;
 const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST, SYSDB_SUDO_CACHE_AT_RUNASUSER, SYSDB_SUDO_CACHE_AT_USER, NULL };
@@ -186,10 +184,8 @@ void test_store_sudo(void **state)
 ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
 assert_int_equal(ret, EOK);
- ret = sysdb_get_sudo_filter(test_ctx, users[0].name,
- uid, groupnames, SYSDB_SUDO_FILTER_USERNAME,
- &filter);
- assert_int_equal(ret, EOK);
+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(filter);
 ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, attrs, &msgs_count, &msgs);
@@ -226,8 +222,6 @@ void test_sudo_purge_by_filter(void **state)
 errno_t ret;
 struct sysdb_attrs *rule;
 char *delete_filter;
- int uid = 0;
- char **groupnames = NULL;
 struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, struct sysdb_test_ctx);
@@ -239,12 +233,8 @@ void test_sudo_purge_by_filter(void **state)
 assert_int_equal(ret, EOK);
 assert_int_equal(get_stored_rules_count(test_ctx), 1);
- ret = sysdb_get_sudo_filter(test_ctx, users[0].name,
- uid, groupnames, SYSDB_SUDO_FILTER_USERNAME,
- &delete_filter);
- assert_int_equal(ret, EOK);
- assert_string_equal(delete_filter,
- "(&(objectClass=sudoRule)(|(sudoUser=test_user1)))");
+ delete_filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(delete_filter);
 ret = sysdb_sudo_purge(test_ctx->tctx->dom, delete_filter, NULL, 0);
 assert_int_equal(ret, EOK);
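Review bot: The -239 hunk drops the only assertion on what the purge filter contains (`assert_string_equal(delete_filter, "(&(objectClass=sudoRule)(|(sudoUser=test_user1)))")`) and keeps just `assert_non_null(delete_filter)`, so test_sudo_purge_by_filter no longer verifies that the purge is scoped to `test_user1`'s rules rather than to every rule in the cache. Since the exact filter text is now treated as an implementation detail, a behavioural check fits better: store a second rule for a different user before the purge and assert `get_stored_rules_count(test_ctx)` is still 1 afterwards. The new calls in the -186 and -239 hunks also pass `NULL, 0` as the trailing arguments, which I read as no groups and uid 0; if the rewritten filter matches on `#uid` as the commit message describes, uid 0 would select rules for root rather than for `users[0]`, so consider passing the test user's own uid there — please confirm against the signature of sysdb_sudo_filter_user. Both test functions continue outside the hunk.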
@@ -293,25 +283,6 @@ void test_sudo_set_get_last_full_refresh(void **state)
 assert_int_equal(now, loaded_time);
 }
-void test_sudo_get_filter(void **state)
-{
- errno_t ret;
- char *filter;
- int uid = 0;
- char **groupnames = NULL;
- struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
- struct sysdb_test_ctx);
-
- ret = sysdb_get_sudo_filter(test_ctx, users[0].name,
- uid, groupnames, SYSDB_SUDO_FILTER_USERNAME,
- &filter);
- assert_int_equal(ret, EOK);
- assert_string_equal(filter,
- "(&(objectClass=sudoRule)(|(sudoUser=test_user1)))");
-
- talloc_zfree(filter);
-}
-
 void test_get_sudo_user_info(void **state)
 {
 errno_t ret;
@@ -364,8 +335,6 @@ void test_set_sudo_rule_attr_add(void **state)
 const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_COMMAND, NULL };
 char *filter;
- int uid = 0;
- char **groupnames = NULL;
 struct ldb_message **msgs = NULL;
 size_t msgs_count;
 const char *result;
@@ -390,10 +359,8 @@ void test_set_sudo_rule_attr_add(void **state)
 new_rule, SYSDB_MOD_ADD);
 assert_int_equal(ret, EOK);
- ret = sysdb_get_sudo_filter(test_ctx, users[0].name,
- uid, groupnames, SYSDB_SUDO_FILTER_USERNAME,
- &filter);
- assert_int_equal(ret, EOK);
+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(filter);
 ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, attrs, &msgs_count, &msgs);
@@ -422,8 +389,6 @@ void test_set_sudo_rule_attr_replace(void **state)
 struct sysdb_attrs *new_rule;
 const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_CACHE_EXPIRE, NULL };
 char *filter;
- int uid = 0;
- char **groupnames = NULL;
 struct ldb_message **msgs = NULL;
 size_t msgs_count;
 const char *result;
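Review bot: Removing test_sudo_get_filter in the -293 hunk leaves this file with no test that inspects a generated filter at all, and in particular none that hands sysdb_sudo_filter_user a name containing LDAP filter metacharacters (`*`, `(`, `)`, `\`) to confirm the name is escaped before it is spliced into the search filter. The name ultimately comes from the sudo client's request, so an unescaped name would let a lookup match more rules than intended, and the `assert_non_null(filter)` checks this commit adds would not catch such a regression. A replacement that does not depend on the exact filter text the removed test pinned could store a rule for `users[0]`, build a filter with `sysdb_sudo_filter_user(test_ctx, "*", NULL, 0)`, run `sysdb_search_sudo_rules` with it and assert that no rule is returned. The surrounding test functions continue outside the hunk.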
@@ -447,10 +412,8 @@ void test_set_sudo_rule_attr_replace(void **state)
 new_rule, SYSDB_MOD_REP);
 assert_int_equal(ret, EOK);
- ret = sysdb_get_sudo_filter(test_ctx, users[0].name,
- uid, groupnames, SYSDB_SUDO_FILTER_USERNAME,
- &filter);
- assert_int_equal(ret, EOK);
+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(filter);
 ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, attrs, &msgs_count, &msgs);
@@ -479,8 +442,6 @@ void test_set_sudo_rule_attr_delete(void **state)
 const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST, NULL };
 char *filter;
- int uid = 0;
- char **groupnames = NULL;
 struct ldb_message **msgs = NULL;
 size_t msgs_count;
 const char *result;
@@ -505,10 +466,8 @@ void test_set_sudo_rule_attr_delete(void **state)
 new_rule, LDB_FLAG_MOD_DELETE);
 assert_int_equal(ret, EOK);
- ret = sysdb_get_sudo_filter(test_ctx, users[0].name,
- uid, groupnames, SYSDB_SUDO_FILTER_USERNAME,
- &filter);
- assert_int_equal(ret, EOK);
+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(filter);
 ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, attrs, &msgs_count, &msgs);
@@ -533,7 +492,7 @@ void test_set_sudo_rule_attr_delete(void **state)
 void test_search_sudo_rules(void **state)
 {
 errno_t ret;
- char *filter;
+ const char *filter;
 const char *attrs[] = { SYSDB_NAME, NULL };
 struct ldb_message **msgs = NULL;
 size_t msgs_count;
@@ -556,9 +515,7 @@ void test_search_sudo_rules(void **state)
 assert_int_equal(ret, EOK);
 assert_int_equal(get_stored_rules_count(test_ctx), 2);
- ret = sysdb_get_sudo_filter(test_ctx, NULL, 0, NULL,
- SYSDB_SUDO_FILTER_NONE, &filter);
- assert_int_equal(ret, EOK);
+ filter = "(objectClass=" SYSDB_SUDO_CACHE_OC ")";
 ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, attrs, &msgs_count, &msgs);
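Review bot: The pair `filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);` / `assert_non_null(filter);` is now repeated verbatim in the -447 and -505 hunks as well as in the earlier test_store_sudo and test_set_sudo_rule_attr_add hunks; a small file-local helper, e.g. `static char *user_filter(struct sysdb_test_ctx *test_ctx)` wrapping the call and the assert, would keep the argument choice (no groups, uid 0) in one place so a later fix to those arguments does not have to be applied five times. In the -556 hunk the literal `"(objectClass=" SYSDB_SUDO_CACHE_OC ")"` assigned to the now `const char *filter` is consistent with the removal of `talloc_zfree(filter)` in the following hunk. Both test functions continue outside the hunk.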
@@ -581,7 +538,6 @@ void test_search_sudo_rules(void **state)
 talloc_zfree(tmp_rules[0]);
 talloc_zfree(tmp_rules[1]);
 talloc_zfree(msgs);
- talloc_zfree(filter);
 }
 void test_filter_rules_by_time(void **state)
@@ -710,10 +666,6 @@ int main(int argc, const char *argv[])
 test_sysdb_setup, test_sysdb_teardown),
- /* sysdb_get_sudo_filter() */
- cmocka_unit_test_setup_teardown(test_sudo_get_filter,
- test_sysdb_setup,
- test_sysdb_teardown),
 /* sysdb_get_sudo_user_info() */ cmocka_unit_test_setup_teardown(test_get_sudo_user_info, test_sysdb_setup, |