extdom: make sure result doesn't miss domain part

This is required to ensure that only objects from requested domain
are returned.

Resolves: https://pagure.io/freeipa/issue/9245
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
This commit is contained in:
Alexey Tikhonov 2022-08-24 21:27:18 +02:00 committed by Florence Blanc-Renaud
parent f0c26fe094
commit b381acb3d0
2 changed files with 32 additions and 28 deletions

View File

@ -503,8 +503,8 @@ void test_pack_ber_user_timeout(void **state)
oldgetgrgid_r = test_data->ctx->nss_ctx->getgrgid_r;
test_data->ctx->nss_ctx->getgrgid_r = getgrgid_r_timeout;
ret = pack_ber_user(test_data->ctx, RESP_USER_GROUPLIST,
TEST_DOMAIN_NAME, "member001", 12345, 54321,
ret = pack_ber_user(test_data->ctx, RESP_USER_GROUPLIST, TEST_DOMAIN_NAME,
"member001@"TEST_DOMAIN_NAME, 12345, 54321,
"gecos", "homedir", "shell", NULL, &resp_val);
test_data->ctx->nss_ctx->getgrgid_r = oldgetgrgid_r;
assert_int_equal(ret, LDAP_TIMELIMIT_EXCEEDED);
@ -548,15 +548,17 @@ void test_encode(void **state)
assert_memory_equal(res_nam, resp_val->bv_val, resp_val->bv_len);
ber_bvfree(resp_val);
ret = pack_ber_user(ctx, RESP_USER, TEST_DOMAIN_NAME, "test", 12345, 54321,
NULL, NULL, NULL, NULL, &resp_val);
ret = pack_ber_user(ctx, RESP_USER, TEST_DOMAIN_NAME,
"test@"TEST_DOMAIN_NAME, 12345, 54321, NULL, NULL,
NULL, NULL, &resp_val);
assert_int_equal(ret, LDAP_SUCCESS);
assert_int_equal(sizeof(res_uid), resp_val->bv_len);
assert_memory_equal(res_uid, resp_val->bv_val, resp_val->bv_len);
ber_bvfree(resp_val);
ret = pack_ber_group(RESP_GROUP, TEST_DOMAIN_NAME, "test_group", 54321,
NULL, NULL, &resp_val);
ret = pack_ber_group(RESP_GROUP, TEST_DOMAIN_NAME,
"test_group@"TEST_DOMAIN_NAME, 54321, NULL, NULL,
&resp_val);
assert_int_equal(ret, LDAP_SUCCESS);
assert_int_equal(sizeof(res_gid), resp_val->bv_len);
assert_memory_equal(res_gid, resp_val->bv_val, resp_val->bv_len);

View File

@ -526,6 +526,20 @@ int pack_ber_sid(const char *sid, struct berval **berval)
return LDAP_SUCCESS;
}
static char *get_short_name(const char *fqdn, const char *domain_name)
{
const char *pos = strrchr(fqdn, SSSD_DOMAIN_SEPARATOR);
if (pos == NULL) {
return NULL;
}
if (strcasecmp(pos + 1, domain_name) != 0) {
return NULL;
}
return strndup(fqdn, pos - fqdn);
}
int pack_ber_user(struct ipa_extdom_ctx *ctx,
enum response_types response_type,
const char *domain_name, const char *user_name,
@ -542,19 +556,13 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
char *buf = NULL;
struct group grp;
size_t c;
char *locat;
char *short_user_name = NULL;
short_user_name = strdup(user_name);
if ((locat = strrchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
/* The found object is from a different domain than requested,
* that means it does not exist in the requested domain */
ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
short_user_name = get_short_name(user_name, domain_name);
if (short_user_name == NULL) {
/* domain mismatch */
ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
ber = ber_alloc_t( LBER_USE_DER );
@ -657,19 +665,13 @@ int pack_ber_group(enum response_types response_type,
BerElement *ber = NULL;
int ret;
size_t c;
char *locat;
char *short_group_name = NULL;
short_group_name = strdup(group_name);
if ((locat = strrchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
/* The found object is from a different domain than requested,
* that means it does not exist in the requested domain */
ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
short_group_name = get_short_name(group_name, domain_name);
if (short_group_name == NULL) {
/* domain mismatch */
ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
ber = ber_alloc_t( LBER_USE_DER );