author | Jakub Hrozek <jhrozek@redhat.com> | 2011-12-12 16:35:22 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-12-16 14:46:16 -0500 |
commit | b3b42c49656e192787a983aaa8b9ec744ba4cb9d (patch) | |
tree | c0fd6415e043835c499ecf0bf0322ab4cb187e0d /src/responder | |
parent | df5adbad4f5e938a000aee6527628ad63a0bd4c3 (diff) | |
Use the case sensitivity flag in responders
Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/common/negcache.c | 135 | ||||
-rw-r--r-- | src/responder/common/negcache.h | 10 | ||||
-rw-r--r-- | src/responder/common/responder_common.c | 1 | ||||
-rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 39 | ||||
-rw-r--r-- | src/responder/nss/nsssrv_netgroup.c | 21 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 8 |
6 files changed, 168 insertions, 46 deletions
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 3926574a..0b25baf5 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -21,6 +21,7 @@
 #include "util/util.h"
 #include "confdb/confdb.h"
+#include "responder/common/responder.h"
 #include <fcntl.h>
 #include <time.h>
 #include "tdb.h"
@@ -158,8 +159,8 @@ done:
 return ret;
 }
-int sss_ncache_check_user(struct sss_nc_ctx *ctx, int ttl,
- const char *domain, const char *name)
+static int sss_ncache_check_user_int(struct sss_nc_ctx *ctx, int ttl,
+ const char *domain, const char *name)
 {
 char *str;
 int ret;
@@ -175,8 +176,8 @@ int sss_ncache_check_user(struct sss_nc_ctx *ctx, int ttl,
 return ret;
 }
-int sss_ncache_check_group(struct sss_nc_ctx *ctx, int ttl,
- const char *domain, const char *name)
+static int sss_ncache_check_group_int(struct sss_nc_ctx *ctx, int ttl,
+ const char *domain, const char *name)
 {
 char *str;
 int ret;
@@ -192,8 +193,8 @@ int sss_ncache_check_group(struct sss_nc_ctx *ctx, int ttl,
 return ret;
 }
-int sss_ncache_check_netgr(struct sss_nc_ctx *ctx, int ttl,
- const char *domain, const char *name)
+static int sss_ncache_check_netgr_int(struct sss_nc_ctx *ctx, int ttl,
+ const char *domain, const char *name)
 {
 char *str;
 int ret;
@@ -209,6 +210,49 @@ int sss_ncache_check_netgr(struct sss_nc_ctx *ctx, int ttl,
 return ret;
 }
+typedef int (*ncache_check_byname_fn_t)(struct sss_nc_ctx *, int,
+ const char *, const char *);
+
+static int sss_cache_check_ent(struct sss_nc_ctx *ctx, int ttl,
+ struct sss_domain_info *dom, const char *name,
+ ncache_check_byname_fn_t checker)
+{
+ char *lower;
+ errno_t ret;
+
+ if (dom->case_sensitive == false) {
+ lower = sss_tc_utf8_str_tolower(ctx, name);
+ if (!lower) return ENOMEM;
+ ret = checker(ctx, ttl, dom->name, lower);
+ talloc_free(lower);
+ } else {
+ ret = checker(ctx, ttl, dom->name, name);
+ }
+
+ return ret;
+}
+
+int sss_ncache_check_user(struct sss_nc_ctx *ctx, int ttl,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_cache_check_ent(ctx, ttl, dom, name,
+ sss_ncache_check_user_int);
+}
+
+int sss_ncache_check_group(struct sss_nc_ctx *ctx, int ttl,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_cache_check_ent(ctx, ttl, dom, name,
+ sss_ncache_check_group_int);
+}
+
+int sss_ncache_check_netgr(struct sss_nc_ctx *ctx, int ttl,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_cache_check_ent(ctx, ttl, dom, name,
+ sss_ncache_check_netgr_int);
+}
+
 int sss_ncache_check_uid(struct sss_nc_ctx *ctx, int ttl, uid_t uid)
 {
 char *str;
@@ -237,8 +281,8 @@ int sss_ncache_check_gid(struct sss_nc_ctx *ctx, int ttl, gid_t gid)
 return ret;
 }
-int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name)
+static int sss_ncache_set_user_int(struct sss_nc_ctx *ctx, bool permanent,
+ const char *domain, const char *name)
 {
 char *str;
 int ret;
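Review bot: `sss_cache_check_ent` can return `ENOMEM` when the lower-casing allocation fails, and nothing on the helper or the public wrappers says which return values mean "not filtered". The callers touched by this commit are not uniform: `fill_pwent` and `fill_grent` in nsssrv_cmd.c test only `== EEXIST`, so an error return appears to be handled like a cache miss and a permanently filtered name could be emitted, whereas `pam_forwarder` proceeds only on `ENOENT`. I would document the contract above the helper, for example `/* EEXIST: negatively cached or filtered; ENOENT: not cached; any other value is an error and must not be treated as a miss */`, and check the EEXIST-only callers against it. The bodies of those callers lie outside the visible hunks, so this needs confirming in the full file.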
@@ -254,8 +298,8 @@ int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent,
 return ret;
 }
-int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name)
+static int sss_ncache_set_group_int(struct sss_nc_ctx *ctx, bool permanent,
+ const char *domain, const char *name)
 {
 char *str;
 int ret;
@@ -271,8 +315,8 @@ int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent,
 return ret;
 }
-int sss_ncache_set_netgr(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name)
+static int sss_ncache_set_netgr_int(struct sss_nc_ctx *ctx, bool permanent,
+ const char *domain, const char *name)
 {
 char *str;
 int ret;
@@ -288,6 +332,47 @@ int sss_ncache_set_netgr(struct sss_nc_ctx *ctx, bool permanent,
 return ret;
 }
+typedef int (*ncache_set_byname_fn_t)(struct sss_nc_ctx *, bool,
+ const char *, const char *);
+
+static int sss_ncache_set_ent(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name,
+ ncache_set_byname_fn_t setter)
+{
+ char *lower;
+ errno_t ret;
+
+ if (dom->case_sensitive == false) {
+ lower = sss_tc_utf8_str_tolower(ctx, name);
+ if (!lower) return ENOMEM;
+ ret = setter(ctx, permanent, dom->name, lower);
+ talloc_free(lower);
+ } else {
+ ret = setter(ctx, permanent, dom->name, name);
+ }
+
+ return ret;
+}
+
+
+int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_user_int);
+}
+
+int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_group_int);
+}
+
+int sss_ncache_set_netgr(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_netgr_int);
+}
+
 int sss_ncache_set_uid(struct sss_nc_ctx *ctx, bool permanent, uid_t uid)
 {
 char *str;
@@ -409,7 +494,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 continue;
 }
- ret = sss_ncache_set_user(ncache, true, dom->name, name);
+ ret = sss_ncache_set_user(ncache, true, dom, name);
 if (ret != EOK) {
 DEBUG(1, ("Failed to store permanent user filter for [%s]"
 " (%d [%s])\n", filter_list[i],
@@ -447,7 +532,14 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 continue;
 }
 if (domainname) {
- ret = sss_ncache_set_user(ncache, true, domainname, name);
+ dom = responder_get_domain(domain_list, domainname);
+ if (!dom) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Invalid domain name [%s]\n", domainname));
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom, name);
 if (ret != EOK) {
 DEBUG(1, ("Failed to store permanent user filter for [%s]"
 " (%d [%s])\n", filter_list[i],
@@ -456,7 +548,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 }
 } else {
 for (dom = domain_list; dom; dom = dom->next) {
- ret = sss_ncache_set_user(ncache, true, dom->name, name);
+ ret = sss_ncache_set_user(ncache, true, dom, name);
 if (ret != EOK) {
 DEBUG(1, ("Failed to store permanent user filter for"
 " [%s:%s] (%d [%s])\n",
@@ -499,7 +591,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 continue;
 }
- ret = sss_ncache_set_group(ncache, true, dom->name, name);
+ ret = sss_ncache_set_group(ncache, true, dom, name);
 if (ret != EOK) {
 DEBUG(1, ("Failed to store permanent group filter for [%s]"
 " (%d [%s])\n", filter_list[i],
@@ -537,7 +629,14 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 continue;
 }
 if (domainname) {
- ret = sss_ncache_set_group(ncache, true, domainname, name);
+ dom = responder_get_domain(domain_list, domainname);
+ if (!dom) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Invalid domain name [%s]\n", domainname));
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom, name);
 if (ret != EOK) {
 DEBUG(1, ("Failed to store permanent group filter for"
 " [%s] (%d [%s])\n", filter_list[i],
@@ -546,7 +645,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 }
 } else {
 for (dom = domain_list; dom; dom = dom->next) {
- ret = sss_ncache_set_group(ncache, true, dom->name, name);
+ ret = sss_ncache_set_group(ncache, true, dom, name);
 if (ret != EOK) {
 DEBUG(1, ("Failed to store permanent group filter for"
 " [%s:%s] (%d [%s])\n",
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
index fc857fce..72b99c96 100644
--- a/src/responder/common/negcache.h
+++ b/src/responder/common/negcache.h
@@ -29,9 +29,9 @@ int sss_ncache_init(TALLOC_CTX *memctx, struct sss_nc_ctx **_ctx);
 /* check if the user is expired according to the passed in time to live */
 int sss_ncache_check_user(struct sss_nc_ctx *ctx, int ttl,
- const char *domain, const char *name);
+ struct sss_domain_info *dom, const char *name);
 int sss_ncache_check_group(struct sss_nc_ctx *ctx, int ttl,
- const char *domain, const char *name);
+ struct sss_domain_info *dom, const char *name);
 int sss_ncache_check_netgr(struct sss_nc_ctx *ctx, int ttl,
 const char *domain, const char *name);
 int sss_ncache_check_uid(struct sss_nc_ctx *ctx, int ttl, uid_t uid);
@@ -42,11 +42,11 @@ int sss_ncache_check_gid(struct sss_nc_ctx *ctx, int ttl, gid_t gid);
 * and the negative cache never expires (used to permanently filter out
 * users and groups) */
 int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name);
+ struct sss_domain_info *dom, const char *name);
 int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name);
+ struct sss_domain_info *dom, const char *name);
 int sss_ncache_set_netgr(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name);
+ struct sss_domain_info *dom, const char *name);
 int sss_ncache_set_uid(struct sss_nc_ctx *ctx, bool permanent, uid_t uid);
 int sss_ncache_set_gid(struct sss_nc_ctx *ctx, bool permanent, gid_t gid);
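Review bot: The prototype of `sss_ncache_check_netgr` in the `@@ -29,9 +29,9 @@` hunk of negcache.h is left as a context line with `const char *domain`, while negcache.c in this same commit defines it with `struct sss_domain_info *dom`. If negcache.c includes this header the build fails with conflicting types; if it does not, a caller compiled against the header would pass a string where the definition dereferences `dom->case_sensitive` and `dom->name`. The second line of that prototype should read `struct sss_domain_info *dom, const char *name);`, as was done for `sss_ncache_set_netgr` in the next hunk.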
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 99b1a23a..a48ac556 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -33,7 +33,6 @@
 #include <errno.h>
 #include <popt.h>
 #include "util/util.h"
-#include "util/sss_utf8.h"
 #include "db/sysdb.h"
 #include "confdb/confdb.h"
 #include "dbus/dbus.h"
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index f0270acd..d8eb8b21 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -394,7 +394,7 @@ static int fill_pwent(struct sss_packet *packet,
 if (filter_users) {
 ncret = sss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
- domain, name);
+ dom, name);
 if (ncret == EEXIST) {
 DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n", name, domain));
@@ -715,7 +715,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
 struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
 struct sss_domain_info *dom = dctx->domain;
 struct cli_ctx *cctx = cmdctx->cctx;
- const char *name = cmdctx->name;
+ char *name = NULL;
 struct sysdb_ctx *sysdb;
 struct nss_ctx *nctx;
 int ret;
@@ -740,10 +740,15 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
 /* make sure to update the dctx if we changed domain */
 dctx->domain = dom;
+ talloc_free(name);
+ name = dom->case_sensitive ? talloc_strdup(dctx, cmdctx->name) :
+ sss_tc_utf8_str_tolower(dctx, cmdctx->name);
+ if (!name) return ENOMEM;
+
 /* verify this user has not yet been negatively cached,
 * or has been permanently filtered */
 ret = sss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
- dom->name, name);
+ dom, name);
 /* if neg cached, return we didn't find it */
 if (ret == EEXIST) {
@@ -781,7 +786,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
 if (dctx->res->count == 0 && !dctx->check_provider) {
 /* set negative cache only if not result of cache check */
- ret = sss_ncache_set_user(nctx->ncache, false, dom->name, name);
+ ret = sss_ncache_set_user(nctx->ncache, false, dom, name);
 if (ret != EOK) {
 return ret;
 }
@@ -1788,7 +1793,7 @@ static int fill_grent(struct sss_packet *packet,
 if (filter_groups) {
 ret = sss_ncache_check_group(nctx->ncache,
- nctx->neg_timeout, domain, name);
+ nctx->neg_timeout, dom, name);
 if (ret == EEXIST) {
 DEBUG(4, ("Group [%s@%s] filtered out! (negative cache)\n", name, domain));
@@ -1866,7 +1871,7 @@ static int fill_grent(struct sss_packet *packet,
 if (nctx->filter_users_in_groups) {
 ret = sss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
- domain, name);
+ dom, name);
 if (ret == EEXIST) {
 DEBUG(6, ("Group [%s] member [%s@%s] filtered out!"
 " (negative cache)\n",
@@ -2002,7 +2007,7 @@ static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx)
 struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
 struct sss_domain_info *dom = dctx->domain;
 struct cli_ctx *cctx = cmdctx->cctx;
- const char *name = cmdctx->name;
+ char *name = NULL;
 struct sysdb_ctx *sysdb;
 struct nss_ctx *nctx;
 int ret;
@@ -2027,10 +2032,15 @@ static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx)
 /* make sure to update the dctx if we changed domain */
 dctx->domain = dom;
+ talloc_free(name);
+ name = dom->case_sensitive ? talloc_strdup(dctx, cmdctx->name) :
+ sss_tc_utf8_str_tolower(dctx, cmdctx->name);
+ if (!name) return ENOMEM;
+
 /* verify this group has not yet been negatively cached,
 * or has been permanently filtered */
 ret = sss_ncache_check_group(nctx->ncache, nctx->neg_timeout,
- dom->name, name);
+ dom, name);
 /* if neg cached, return we didn't find it */
 if (ret == EEXIST) {
@@ -2068,7 +2078,7 @@ static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx)
 if (dctx->res->count == 0 && !dctx->check_provider) {
 /* set negative cache only if not result of cache check */
- ret = sss_ncache_set_group(nctx->ncache, false, dom->name, name);
+ ret = sss_ncache_set_group(nctx->ncache, false, dom, name);
 if (ret != EOK) {
 return ret;
 }
@@ -3068,7 +3078,7 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
 struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
 struct sss_domain_info *dom = dctx->domain;
 struct cli_ctx *cctx = cmdctx->cctx;
- const char *name = cmdctx->name;
+ char *name = NULL;
 struct sysdb_ctx *sysdb;
 struct nss_ctx *nctx;
 int ret;
@@ -3093,10 +3103,15 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
 /* make sure to update the dctx if we changed domain */
 dctx->domain = dom;
+ talloc_free(name);
+ name = dom->case_sensitive ? talloc_strdup(dctx, cmdctx->name) :
+ sss_tc_utf8_str_tolower(dctx, cmdctx->name);
+ if (!name) return ENOMEM;
+
 /* verify this user has not yet been negatively cached,
 * or has been permanently filtered */
 ret = sss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
- dom->name, name);
+ dom, name);
 /* if neg cached, return we didn't find it */
 if (ret == EEXIST) {
@@ -3130,7 +3145,7 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
 if (dctx->res->count == 0 && !dctx->check_provider) {
 /* set negative cache only if not result of cache check */
- ret = sss_ncache_set_user(nctx->ncache, false, dom->name, name);
+ ret = sss_ncache_set_user(nctx->ncache, false, dom, name);
 if (ret != EOK) {
 return ret;
 }
diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
index 09b7fa63..39ba4ff7 100644
--- a/src/responder/nss/nsssrv_netgroup.c
+++ b/src/responder/nss/nsssrv_netgroup.c
@@ -378,6 +378,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
 struct sss_domain_info *dom = step_ctx->dctx->domain;
 struct getent_ctx *netgr;
 struct sysdb_ctx *sysdb;
+ char *name = NULL;
 /* Check each domain for this netgroup name */
 while (dom) {
@@ -400,8 +401,13 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
 /* make sure to update the dctx if we changed domain */
 step_ctx->dctx->domain = dom;
+ talloc_free(name);
+ name = dom->case_sensitive ? \
+ talloc_strdup(step_ctx, step_ctx->name) :
+ sss_tc_utf8_str_tolower(step_ctx, step_ctx->name);
+
 DEBUG(4, ("Requesting info for [%s@%s]\n",
- step_ctx->name, dom->name));
+ name, dom->name));
 ret = sysdb_get_ctx_from_list(step_ctx->rctx->db_list, dom, &sysdb);
 if (ret != EOK) {
 DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
@@ -409,7 +415,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
 }
 /* Look up the netgroup in the cache */
- ret = sysdb_getnetgr(step_ctx->dctx, sysdb, step_ctx->name,
+ ret = sysdb_getnetgr(step_ctx->dctx, sysdb, name,
 &step_ctx->dctx->res);
 if (ret == ENOENT) {
 /* This netgroup was not found in this domain */
@@ -442,7 +448,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
 if (ret == ENOENT) {
 /* This netgroup was not found in this domain */
 DEBUG(2, ("No results for netgroup %s (domain %s)\n",
- step_ctx->name, dom->name));
+ name, dom->name));
 if (!step_ctx->dctx->check_provider) {
 if (step_ctx->check_next) {
@@ -469,7 +475,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
 step_ctx->nctx, step_ctx->dctx->res, SSS_DP_NETGR,
- step_ctx->name, 0,
+ name, 0,
 lookup_netgr_dp_callback, step_ctx);
 if (ret != EOK) {
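Review bot: `name` is used without a NULL check after the `talloc_strdup` / `sss_tc_utf8_str_tolower` ternary in the `@@ -400,8 +401,13 @@` hunk of `lookup_netgr_step`; it is passed straight to `DEBUG` and `sysdb_getnetgr`. The three search functions in nsssrv_cmd.c add `if (!name) return ENOMEM;` at the same point in this commit, and the same line is needed here. It is also missing in `pam_check_user_search` in pamsrv_cmd.c, where the hunk ends right after the assignment and the later uses of `name` are not visible. Both functions continue outside their hunks, so any cleanup required on the error path should be checked against the full bodies.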
@@ -482,7 +488,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
 /* Results found */
 DEBUG(6, ("Returning info for netgroup [%s@%s]\n",
- step_ctx->name, dom->name));
+ name, dom->name));
 netgr->ready = true;
 netgr->found = true;
 set_netgr_lifetime(dom->entry_cache_timeout, step_ctx, netgr);
@@ -490,8 +496,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
 }
 /* If we've gotten here, then no domain contained this netgroup */
- DEBUG(2, ("No matching domain found for [%s], fail!\n",
- step_ctx->name));
+ DEBUG(2, ("No matching domain found for [%s], fail!\n", name));
 netgr = talloc_zero(step_ctx->nctx, struct getent_ctx);
 if (netgr == NULL) {
@@ -501,7 +506,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
 netgr->found = false;
 netgr->entries = NULL;
 netgr->lookup_table = step_ctx->nctx->netgroups;
- netgr->name = talloc_strdup(netgr, step_ctx->name);
+ netgr->name = talloc_strdup(netgr, name);
 if (netgr->name == NULL) {
 DEBUG(1, ("talloc_strdup failed.\n"));
 talloc_free(netgr);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 7ae54ac2..7c13ab11 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -787,7 +787,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
 if (dom->fqnames) continue;
 ncret = sss_ncache_check_user(pctx->ncache, pctx->neg_timeout,
- dom->name, pd->user);
+ dom, pd->user);
 if (ncret == ENOENT) {
 /* User not found in the negative cache
 * Proceed with PAM actions
@@ -830,7 +830,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 {
 struct sss_domain_info *dom = preq->domain;
 struct cli_ctx *cctx = preq->cctx;
- const char *name = preq->pd->user;
+ char *name = NULL;
 struct sysdb_ctx *sysdb;
 time_t cacheExpire;
 int ret;
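Review bot: After the `while (dom)` loop in `lookup_netgr_step`, the `@@ -490,8 +496,7 @@` and `@@ -501,7 +506,7 @@` hunks use the per-domain `name` for the not-found entry, but at that point it is either still NULL (if the loop never reached the assignment) or the copy made for the last domain visited, lower-cased when that domain is case-insensitive. With NULL, `talloc_strdup(netgr, name)` returns NULL and the miss is reported as an allocation failure. With a lower-cased copy, the stored `netgr->name` may no longer match the spelling the client asked for, which matters if the `netgroups` table is keyed on this field; that is not visible here. Keeping `netgr->name = talloc_strdup(netgr, step_ctx->name);` and `step_ctx->name` in the final `DEBUG` avoids both cases.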
@@ -855,6 +855,10 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 /* make sure to update the preq if we changed domain */
 preq->domain = dom;
+ talloc_free(name);
+ name = dom->case_sensitive ? talloc_strdup(preq, preq->pd->user) :
+ sss_tc_utf8_str_tolower(preq, preq->pd->user);
+
 /* Refresh the user's cache entry on any PAM query
 * We put a timeout in the client context so that we limit
 * the number of updates within a reasonable timeout |