nss_check_name_of_well_known_sid() improve name splitting

Currently in the default configuration
nss_check_name_of_well_known_sid() can only split fully-qualified names
in the user@domain.name style. DOM\user style names will cause an error
and terminate the whole request.

With this patch both styles can be handled by default, additionally if
the name could not be split nss_check_name_of_well_known_sid() returns
ENOENT which can be handled more gracefully by the caller.

Resolves https://fedorahosted.org/sssd/ticket/2717

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

3 files changed, 62 insertions, 41 deletions

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 01294673..b3998015 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1255,6 +1255,14 @@ static int nss_check_name_of_well_known_sid(struct nss_cmd_ctx *cmdctx,
         return ret;
     }
 
+    if (wk_dom_name == NULL || wk_name == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Unable to split [%s] in name and domain part. " \
+              "Skipping check for well-known name.\n", full_name);
+
+        return ENOENT;
+    }
+
     ret = name_to_well_known_sid(wk_dom_name, wk_name, &wk_sid);
     talloc_free(wk_dom_name);
     talloc_free(wk_name);
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 3ab8d39c..84d3413b 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -1734,63 +1734,77 @@ void test_nss_well_known_getidbysid_failure(void **state)
 void test_nss_well_known_getsidbyname(void **state)
 {
     errno_t ret;
+    const char *names[] = { "Cryptographic Operators@BUILTIN",
+                            "BUILTIN\\Cryptographic Operators", NULL};
+    size_t c;
+
+    for (c = 0; names[c] != NULL; c++) {
+        will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+        will_return(__wrap_sss_packet_get_body, names[c]);
+        will_return(__wrap_sss_packet_get_body, 0);
+        will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+        will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+        will_return(test_nss_well_known_sid_check, "S-1-5-32-569");
 
-    will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
-    will_return(__wrap_sss_packet_get_body, "Cryptographic Operators@BUILTIN");
-    will_return(__wrap_sss_packet_get_body, 0);
-    will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
-    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-    will_return(test_nss_well_known_sid_check, "S-1-5-32-569");
+        set_cmd_cb(test_nss_well_known_sid_check);
+        ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+                              nss_test_ctx->nss_cmds);
+        assert_int_equal(ret, EOK);
 
-    set_cmd_cb(test_nss_well_known_sid_check);
-    ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
-                          nss_test_ctx->nss_cmds);
-    assert_int_equal(ret, EOK);
-
-    /* Wait until the test finishes with EOK */
-    ret = test_ev_loop(nss_test_ctx->tctx);
-    assert_int_equal(ret, EOK);
+        /* Wait until the test finishes with EOK */
+        ret = test_ev_loop(nss_test_ctx->tctx);
+        assert_int_equal(ret, EOK);
+    }
 }
 
 void test_nss_well_known_getsidbyname_nonexisting(void **state)
 {
     errno_t ret;
+    const char *names[] = { "Abc@BUILTIN", "BUILTIN\\Abc", NULL };
+    size_t c;
 
-    will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
-    will_return(__wrap_sss_packet_get_body, "Abc@BUILTIN");
-    will_return(__wrap_sss_packet_get_body, 0);
-    will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
-    will_return(test_nss_well_known_sid_check, NULL);
+    for (c = 0; names[c] != NULL; c++) {
+        will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+        will_return(__wrap_sss_packet_get_body, names[c]);
+        will_return(__wrap_sss_packet_get_body, 0);
+        will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+        will_return(test_nss_well_known_sid_check, NULL);
 
-    set_cmd_cb(test_nss_well_known_sid_check);
-    ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
-                          nss_test_ctx->nss_cmds);
-    assert_int_equal(ret, EOK);
+        set_cmd_cb(test_nss_well_known_sid_check);
+        ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+                              nss_test_ctx->nss_cmds);
+        assert_int_equal(ret, EOK);
 
-    /* Wait until the test finishes with EOK */
-    ret = test_ev_loop(nss_test_ctx->tctx);
-    assert_int_equal(ret, EOK);
+        /* Wait until the test finishes with EOK */
+        ret = test_ev_loop(nss_test_ctx->tctx);
+        assert_int_equal(ret, EOK);
+    }
 }
 
 void test_nss_well_known_getsidbyname_special(void **state)
 {
     errno_t ret;
+    const char *names[] = { "CREATOR OWNER@CREATOR AUTHORITY",
+                            "CREATOR AUTHORITY\\CREATOR OWNER", NULL };
+    size_t c;
 
-    will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
-    will_return(__wrap_sss_packet_get_body, "CREATOR OWNER@CREATOR AUTHORITY");
-    will_return(__wrap_sss_packet_get_body, 0);
-    will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
-    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-    will_return(test_nss_well_known_sid_check, "S-1-3-0");
+    for (c = 0; names[c] != NULL; c++) {
+        will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+        will_return(__wrap_sss_packet_get_body, names[c]);
+        will_return(__wrap_sss_packet_get_body, 0);
+        will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+        will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+        will_return(test_nss_well_known_sid_check, "S-1-3-0");
 
-    set_cmd_cb(test_nss_well_known_sid_check);
-    ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
-                          nss_test_ctx->nss_cmds);
-    assert_int_equal(ret, EOK);
+        set_cmd_cb(test_nss_well_known_sid_check);
+        ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+                              nss_test_ctx->nss_cmds);
+        assert_int_equal(ret, EOK);
 
-    /* Wait until the test finishes with EOK */
-    ret = test_ev_loop(nss_test_ctx->tctx);
-    assert_int_equal(ret, EOK);
+        /* Wait until the test finishes with EOK */
+        ret = test_ev_loop(nss_test_ctx->tctx);
+        assert_int_equal(ret, EOK);
+    }
 }
 
 static int test_nss_getorigbyname_check(uint32_t status, uint8_t *body,
diff --git a/src/util/usertools.c b/src/util/usertools.c
index c43d420e..87a8d741 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -249,8 +249,7 @@ int sss_names_init(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
     }
 
     if (!re_pattern) {
-        re_pattern = talloc_strdup(tmpctx,
-                                   "(?P<name>[^@]+)@?(?P<domain>[^@]*$)");
+        re_pattern = talloc_strdup(tmpctx, IPA_AD_DEFAULT_RE);
         if (!re_pattern) {
             ret = ENOMEM;
             goto done;