ipa-kdb: use predefined filters for a wild-card searches
In case we've got a principal name as '*', we don't need to specify the principal itself; use a pre-defined filter for a wild-card search. Previously, we had to escape the '*' because specifying it with an explicit matching rule would have violated RFC 4515 section 3. However, since we don't really need to specify a different matching rule for a wild-card search, we can remove this part completely. Use this change as an opportunity to simplify the code and reduce the number of duplicated filter constants -- if the extra filter is NULL, we can simply pass "" and use the _EXTRA filter constants to format the final filter. Fixes: https://pagure.io/freeipa/issue/8624 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com>
This commit is contained in:
parent
249c76b172
commit
35362d3033
@ -28,16 +28,6 @@
|
|||||||
* During TGS request search by ipaKrbPrincipalName (case-insensitive)
|
* During TGS request search by ipaKrbPrincipalName (case-insensitive)
|
||||||
* and krbPrincipalName (case-sensitive)
|
* and krbPrincipalName (case-sensitive)
|
||||||
*/
|
*/
|
||||||
#define PRINC_TGS_SEARCH_FILTER "(&(|(objectclass=krbprincipalaux)" \
|
|
||||||
"(objectclass=krbprincipal)" \
|
|
||||||
"(objectclass=ipakrbprincipal))" \
|
|
||||||
"(|(ipakrbprincipalalias=%s)" \
|
|
||||||
"(krbprincipalname:caseIgnoreIA5Match:=%s)))"
|
|
||||||
|
|
||||||
#define PRINC_SEARCH_FILTER "(&(|(objectclass=krbprincipalaux)" \
|
|
||||||
"(objectclass=krbprincipal))" \
|
|
||||||
"(krbprincipalname=%s))"
|
|
||||||
|
|
||||||
#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
|
#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
|
||||||
"(objectclass=krbprincipal)" \
|
"(objectclass=krbprincipal)" \
|
||||||
"(objectclass=ipakrbprincipal))" \
|
"(objectclass=ipakrbprincipal))" \
|
||||||
@ -49,6 +39,13 @@
|
|||||||
"(objectclass=krbprincipal))" \
|
"(objectclass=krbprincipal))" \
|
||||||
"(krbprincipalname=%s)" \
|
"(krbprincipalname=%s)" \
|
||||||
"%s)"
|
"%s)"
|
||||||
|
|
||||||
|
#define PRINC_TGS_SEARCH_FILTER_WILD_EXTRA "(&(|(objectclass=krbprincipalaux)" \
|
||||||
|
"(objectclass=krbprincipal)" \
|
||||||
|
"(objectclass=ipakrbprincipal))" \
|
||||||
|
"(|(ipakrbprincipalalias=*)" \
|
||||||
|
"(krbprincipalname=*))" \
|
||||||
|
"%s)"
|
||||||
static char *std_principal_attrs[] = {
|
static char *std_principal_attrs[] = {
|
||||||
"krbPrincipalName",
|
"krbPrincipalName",
|
||||||
"krbCanonicalName",
|
"krbCanonicalName",
|
||||||
@ -998,34 +995,22 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
|
|||||||
/* Starting in DAL 8.0, aliases are always okay. */
|
/* Starting in DAL 8.0, aliases are always okay. */
|
||||||
#ifdef KRB5_KDB_FLAG_ALIAS_OK
|
#ifdef KRB5_KDB_FLAG_ALIAS_OK
|
||||||
if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
|
if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
|
||||||
if (filter == NULL) {
|
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
|
||||||
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER,
|
esc_original_princ,
|
||||||
esc_original_princ);
|
filter ? filter : "");
|
||||||
} else {
|
|
||||||
ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
|
|
||||||
esc_original_princ, filter);
|
|
||||||
}
|
|
||||||
} else
|
} else
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
/* In case we've got a principal name as '*' we have to
|
/* In case we've got a principal name as '*', we don't need to specify
|
||||||
* follow RFC 4515 section 3 and reencode it using
|
* the principal itself, use pre-defined filter for a wild-card search.
|
||||||
* <valueencoding> rule from RFC 4511 section 4.1.6 but
|
*/
|
||||||
* only to the part of the filter that does use assertion
|
|
||||||
* value. */
|
|
||||||
const char *asterisk = "%x2A";
|
|
||||||
const char *assertion_value = esc_original_princ;
|
|
||||||
|
|
||||||
if ((len == 1) && (esc_original_princ[0] == '*')) {
|
if ((len == 1) && (esc_original_princ[0] == '*')) {
|
||||||
assertion_value = asterisk;
|
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_WILD_EXTRA,
|
||||||
}
|
filter ? filter : "");
|
||||||
|
|
||||||
if (filter == NULL) {
|
|
||||||
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
|
|
||||||
esc_original_princ, assertion_value);
|
|
||||||
} else {
|
} else {
|
||||||
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
|
ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
|
||||||
esc_original_princ, assertion_value, filter);
|
esc_original_princ, esc_original_princ,
|
||||||
|
filter ? filter : "");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
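Review bot: The `(len == 1) && (esc_original_princ[0] == '*')` test in the third hunk inspects the already-escaped string, so the new `PRINC_TGS_SEARCH_FILTER_WILD_EXTRA` branch only fires if the escaping step earlier in ipadb_fetch_principals_with_extra_filter (outside this hunk, as is the function's start) passes a lone '*' through unchanged; the new comment does not state that dependency, and a line such as `/* only reached when the escaper leaves a bare '*' intact; a change there disables this path */` would keep a later change to the escaper from silently turning the wild-card lookup into a literal one. The `KRB5_KDB_FLAG_ALIAS_OK`-disabled branch above it still formats `esc_original_princ` straight into `krbprincipalname=%s` with no wild-card special case, so whether a "*" principal is meant to behave the same there should be confirmed and noted next to that asprintf. As a style point, `filter ? filter : ""` now appears three times in the hunk; a single `const char *extra = filter ? filter : "";` declared ahead of the `#ifdef` and passed to all three asprintf calls would remove the repetition.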