extdom: make sure result doesn't miss domain part

This is required to ensure that only objects from the requested domain
are returned.

Resolves: https://pagure.io/freeipa/issue/9245
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Alexey Tikhonov 2022-08-24 21:27:18 +02:00 committed by Florence Blanc-Renaud
parent f0c26fe094
commit b381acb3d0
2 changed files with 32 additions and 28 deletions


@ -503,8 +503,8 @@ void test_pack_ber_user_timeout(void **state)
oldgetgrgid_r = test_data->ctx->nss_ctx->getgrgid_r; oldgetgrgid_r = test_data->ctx->nss_ctx->getgrgid_r;
test_data->ctx->nss_ctx->getgrgid_r = getgrgid_r_timeout; test_data->ctx->nss_ctx->getgrgid_r = getgrgid_r_timeout;
ret = pack_ber_user(test_data->ctx, RESP_USER_GROUPLIST, ret = pack_ber_user(test_data->ctx, RESP_USER_GROUPLIST, TEST_DOMAIN_NAME,
TEST_DOMAIN_NAME, "member001", 12345, 54321, "member001@"TEST_DOMAIN_NAME, 12345, 54321,
"gecos", "homedir", "shell", NULL, &resp_val); "gecos", "homedir", "shell", NULL, &resp_val);
test_data->ctx->nss_ctx->getgrgid_r = oldgetgrgid_r; test_data->ctx->nss_ctx->getgrgid_r = oldgetgrgid_r;
assert_int_equal(ret, LDAP_TIMELIMIT_EXCEEDED); assert_int_equal(ret, LDAP_TIMELIMIT_EXCEEDED);
@ -548,15 +548,17 @@ void test_encode(void **state)
assert_memory_equal(res_nam, resp_val->bv_val, resp_val->bv_len); assert_memory_equal(res_nam, resp_val->bv_val, resp_val->bv_len);
ber_bvfree(resp_val); ber_bvfree(resp_val);
ret = pack_ber_user(ctx, RESP_USER, TEST_DOMAIN_NAME, "test", 12345, 54321, ret = pack_ber_user(ctx, RESP_USER, TEST_DOMAIN_NAME,
NULL, NULL, NULL, NULL, &resp_val); "test@"TEST_DOMAIN_NAME, 12345, 54321, NULL, NULL,
NULL, NULL, &resp_val);
assert_int_equal(ret, LDAP_SUCCESS); assert_int_equal(ret, LDAP_SUCCESS);
assert_int_equal(sizeof(res_uid), resp_val->bv_len); assert_int_equal(sizeof(res_uid), resp_val->bv_len);
assert_memory_equal(res_uid, resp_val->bv_val, resp_val->bv_len); assert_memory_equal(res_uid, resp_val->bv_val, resp_val->bv_len);
ber_bvfree(resp_val); ber_bvfree(resp_val);
ret = pack_ber_group(RESP_GROUP, TEST_DOMAIN_NAME, "test_group", 54321, ret = pack_ber_group(RESP_GROUP, TEST_DOMAIN_NAME,
NULL, NULL, &resp_val); "test_group@"TEST_DOMAIN_NAME, 54321, NULL, NULL,
&resp_val);
assert_int_equal(ret, LDAP_SUCCESS); assert_int_equal(ret, LDAP_SUCCESS);
assert_int_equal(sizeof(res_gid), resp_val->bv_len); assert_int_equal(sizeof(res_gid), resp_val->bv_len);
assert_memory_equal(res_gid, resp_val->bv_val, resp_val->bv_len); assert_memory_equal(res_gid, resp_val->bv_val, resp_val->bv_len);
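Review bot: The updated calls in test_encode only exercise names that carry "@"TEST_DOMAIN_NAME, so nothing in this file pins the behaviour the commit introduces: a bare "test" or a name qualified with another domain must now yield LDAP_NO_SUCH_OBJECT from pack_ber_user and pack_ber_group instead of being encoded. Adding, after the existing RESP_USER check, `ret = pack_ber_user(ctx, RESP_USER, TEST_DOMAIN_NAME, "test", 12345, 54321, NULL, NULL, NULL, NULL, &resp_val);` followed by `assert_int_equal(ret, LDAP_NO_SUCH_OBJECT);` (and the analogous pack_ber_group call with "test_group") would make a regression to the old strdup-based path visible. test_encode starts before this hunk and continues past it.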


@ -526,6 +526,20 @@ int pack_ber_sid(const char *sid, struct berval **berval)
return LDAP_SUCCESS; return LDAP_SUCCESS;
} }
static char *get_short_name(const char *fqdn, const char *domain_name)
{
const char *pos = strrchr(fqdn, SSSD_DOMAIN_SEPARATOR);
if (pos == NULL) {
return NULL;
}
if (strcasecmp(pos + 1, domain_name) != 0) {
return NULL;
}
return strndup(fqdn, pos - fqdn);
}
int pack_ber_user(struct ipa_extdom_ctx *ctx, int pack_ber_user(struct ipa_extdom_ctx *ctx,
enum response_types response_type, enum response_types response_type,
const char *domain_name, const char *user_name, const char *domain_name, const char *user_name,
@ -542,19 +556,13 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
char *buf = NULL; char *buf = NULL;
struct group grp; struct group grp;
size_t c; size_t c;
char *locat;
char *short_user_name = NULL; char *short_user_name = NULL;
short_user_name = strdup(user_name); short_user_name = get_short_name(user_name, domain_name);
if ((locat = strrchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) { if (short_user_name == NULL) {
if (strcasecmp(locat+1, domain_name) == 0 ) { /* domain mismatch */
locat[0] = '\0'; ret = LDAP_NO_SUCH_OBJECT;
} else { goto done;
/* The found object is from a different domain than requested,
* that means it does not exist in the requested domain */
ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
} }
ber = ber_alloc_t( LBER_USE_DER ); ber = ber_alloc_t( LBER_USE_DER );
@ -657,19 +665,13 @@ int pack_ber_group(enum response_types response_type,
BerElement *ber = NULL; BerElement *ber = NULL;
int ret; int ret;
size_t c; size_t c;
char *locat;
char *short_group_name = NULL; char *short_group_name = NULL;
short_group_name = strdup(group_name); short_group_name = get_short_name(group_name, domain_name);
if ((locat = strrchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) { if (short_group_name == NULL) {
if (strcasecmp(locat+1, domain_name) == 0 ) { /* domain mismatch */
locat[0] = '\0'; ret = LDAP_NO_SUCH_OBJECT;
} else { goto done;
/* The found object is from a different domain than requested,
* that means it does not exist in the requested domain */
ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
} }
ber = ber_alloc_t( LBER_USE_DER ); ber = ber_alloc_t( LBER_USE_DER );
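Review bot: The `if (short_user_name == NULL)` branch in pack_ber_user, and the matching one in pack_ber_group, report LDAP_NO_SUCH_OBJECT for every NULL from get_short_name, but get_short_name also returns NULL when strndup fails, so an allocation failure is sent to the client as a missing object rather than an operations error, and the `/* domain mismatch */` comment also omits the third case, a name with no separator at all, which the old strdup path accepted and the commit now intentionally rejects. Returning an LDAP result code from get_short_name with the short name as an out-parameter keeps the three outcomes apart while the callers keep their single `goto done`. A header comment on get_short_name should also state that the caller owns the returned string. pack_ber_user and pack_ber_group both start before and continue past their hunks.
```c
/* Strip "@domain_name" from fqdn into *short_name (caller frees).
 * LDAP_NO_SUCH_OBJECT when the suffix is missing or names another
 * domain, LDAP_OPERATIONS_ERROR when the copy cannot be allocated. */
static int get_short_name(const char *fqdn, const char *domain_name,
                          char **short_name)
{
    const char *pos = strrchr(fqdn, SSSD_DOMAIN_SEPARATOR);

    if (pos == NULL || strcasecmp(pos + 1, domain_name) != 0) {
        return LDAP_NO_SUCH_OBJECT;
    }

    *short_name = strndup(fqdn, pos - fqdn);
    return (*short_name == NULL) ? LDAP_OPERATIONS_ERROR : LDAP_SUCCESS;
}

/* … unchanged: pack_ber_user declarations … */
    ret = get_short_name(user_name, domain_name, &short_user_name);
    if (ret != LDAP_SUCCESS) {
        goto done;
    }
/* … same replacement for the strdup/NULL check in pack_ber_group … */
```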