mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization)
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
This commit is contained in:
Alexey Tikhonov
Florence Blanc-Renaud
parent
4685f9d881
commit
1360c8b09f
@ -41,6 +41,7 @@
|
|||||||
#define _GNU_SOURCE 1 /* for asprintf() */
|
#define _GNU_SOURCE 1 /* for asprintf() */
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#include <stdbool.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
@ -526,6 +527,16 @@ int pack_ber_sid(const char *sid, struct berval **berval)
|
|||||||
return LDAP_SUCCESS;
|
return LDAP_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool verify_domain(const char *fqdn, const char *domain_name)
|
||||||
|
{
|
||||||
|
const char *pos = strrchr(fqdn, SSSD_DOMAIN_SEPARATOR);
|
||||||
|
if (pos == NULL) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return (strcasecmp(pos + 1, domain_name) == 0);
|
||||||
|
}
|
||||||
|
|
||||||
static char *get_short_name(const char *fqdn, const char *domain_name)
|
static char *get_short_name(const char *fqdn, const char *domain_name)
|
||||||
{
|
{
|
||||||
const char *pos = strrchr(fqdn, SSSD_DOMAIN_SEPARATOR);
|
const char *pos = strrchr(fqdn, SSSD_DOMAIN_SEPARATOR);
|
||||||
@ -894,6 +905,10 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
|
|||||||
}
|
}
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
if (!verify_domain(pwd.pw_name, domain_name)) {
|
||||||
|
ret = LDAP_NO_SUCH_OBJECT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
if (request_type == REQ_FULL_WITH_GROUPS) {
|
if (request_type == REQ_FULL_WITH_GROUPS) {
|
||||||
ret = sss_nss_getorigbyusername_timeout(pwd.pw_name, get_timeout(ctx),
|
ret = sss_nss_getorigbyusername_timeout(pwd.pw_name, get_timeout(ctx),
|
||||||
@ -973,6 +988,10 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx,
|
|||||||
}
|
}
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
if (!verify_domain(grp.gr_name, domain_name)) {
|
||||||
|
ret = LDAP_NO_SUCH_OBJECT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
if (request_type == REQ_FULL_WITH_GROUPS) {
|
if (request_type == REQ_FULL_WITH_GROUPS) {
|
||||||
ret = sss_nss_getorigbygroupname_timeout(grp.gr_name, get_timeout(ctx),
|
ret = sss_nss_getorigbygroupname_timeout(grp.gr_name, get_timeout(ctx),
|
||||||
@ -1275,6 +1294,10 @@ static int handle_username_request(struct ipa_extdom_ctx *ctx,
|
|||||||
ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len);
|
ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len);
|
||||||
switch(ret) {
|
switch(ret) {
|
||||||
case 0:
|
case 0:
|
||||||
|
if (!verify_domain(pwd.pw_name, domain_name)) {
|
||||||
|
ret = LDAP_NO_SUCH_OBJECT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
if (request_type == REQ_FULL_WITH_GROUPS) {
|
if (request_type == REQ_FULL_WITH_GROUPS) {
|
||||||
ret = sss_nss_getorigbyusername_timeout(pwd.pw_name,
|
ret = sss_nss_getorigbyusername_timeout(pwd.pw_name,
|
||||||
get_timeout(ctx),
|
get_timeout(ctx),
|
||||||
@ -1365,6 +1388,10 @@ static int handle_groupname_request(struct ipa_extdom_ctx *ctx,
|
|||||||
}
|
}
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
if (!verify_domain(grp.gr_name, domain_name)) {
|
||||||
|
ret = LDAP_NO_SUCH_OBJECT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
if (request_type == REQ_FULL_WITH_GROUPS) {
|
if (request_type == REQ_FULL_WITH_GROUPS) {
|
||||||
ret = sss_nss_getorigbygroupname_timeout(grp.gr_name, get_timeout(ctx),
|
ret = sss_nss_getorigbygroupname_timeout(grp.gr_name, get_timeout(ctx),
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user