URL: https://github.com/SSSD/sssd/pull/716 Author: thalman Title: #716: CACHE: SSSD doesn't clear cache entries Action: opened
PR body: """ Once object is in cache it is refreshed when it is expired and requested by the system. Object ID is not checked before refresh, but config parameter ldap_(min|max)_id could be changed by admin. We should check object ID and not refresh objects outside min/max ID interval. Resolves: https://pagure.io/SSSD/sssd/issue/3905 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/716/head:pr716 git checkout pr716
From 7be727716d4c19c176f0a1f39d6005361b979b21 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thal...@redhat.com>
Date: Sun, 16 Dec 2018 08:46:24 +0100
Subject: [PATCH] CACHE: SSSD doesn't clear cache entries
Once object is in cache it is refreshed when it is expired and requested by the system. Object ID is not checked before refresh, but config parameter ldap_(min|max)_id could be changed by admin. We should check object ID and not refresh objects outside min/max ID interval.
Resolves: https://pagure.io/SSSD/sssd/issue/3905
---
 .../common/cache_req/cache_req_search.c | 49 +++++++++++++++++--
 1 file changed, 46 insertions(+), 3 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
index 7423feb63..11c747316 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -25,6 +25,7 @@
 #include "util/util.h"
 #include "responder/common/cache_req/cache_req_private.h"
 #include "responder/common/cache_req/cache_req_plugin.h"
+#include "db/sysdb.h"
 
 static errno_t cache_req_search_ncache(struct cache_req *cr)
 {
@@ -268,6 +269,41 @@ static errno_t cache_req_search_dp(struct tevent_req *req,
 static void cache_req_search_oob_done(struct tevent_req *subreq);
 static void cache_req_search_done(struct tevent_req *subreq);
 
+static bool
+cache_req_should_be_in_cache (struct cache_req *cr,
+ struct ldb_result *result)
+{
+ unsigned int id = 0;
+ const char *object_class;
+
+
+ if (result == NULL || result->count == 0) {
+ /* can't decide so keep it */
+ return true;
+ }
+
+ object_class = ldb_msg_find_attr_as_string(result->msgs[0],
+ SYSDB_OBJECTCATEGORY, NULL);
+ if (! object_class) {
+ /* no object_class => can't decide so keep it in cache */
+ return true;
+ }
+
+ if (strcasecmp(object_class, SYSDB_USER_CLASS) == 0) {
+ id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_UIDNUM, 0);
+ } else if (strcasecmp(object_class, SYSDB_GROUP_CLASS) == 0) {
+ id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_GIDNUM, 0);
+ }
+
+ if (id && (id < cr->domain->id_min || id > cr->domain->id_max)) {
+ /* uid/gid is out of domain limit */
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, "should not be there\n");
+ return false;
+ }
+
+ return true;
+}
+
 struct tevent_req *
 cache_req_search_send(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,
@@ -325,9 +361,16 @@ cache_req_search_send(TALLOC_CTX *mem_ctx,
 * we can return it without searching the rest of the domains. */
 if (status != CACHE_OBJECT_MISSING) {
- CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
- "Object found, but needs to be refreshed.\n");
- bypass_dp = false;
+ if (cache_req_should_be_in_cache (cr, state->result)) {
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+ "Object found, but needs to be refreshed.\n");
+ bypass_dp = false;
+ } else {
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+ "Object found, but should not be in cache "
+ "- not returning it.\n");
+ ret = ENOENT;
+ }
 } else {
 ret = ENOENT;
 }
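Review bot: The `CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, "should not be there\n");` call in the out-of-range branch of cache_req_should_be_in_cache omits the `cr` argument that every other `CACHE_REQ_DEBUG` call in this patch passes, so unless the macro tolerates that form it will not compile; it should read `CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "Id %u is outside the domain id range\n", id);`. The range test treats `cr->domain->id_max` as a hard upper bound; if a zero `id_max` means "no upper limit" for this domain, the comparison needs an `id_max != 0 &&` guard — confirm against how the domain struct is populated. Only `result->msgs[0]` is inspected, so when `result->count > 1` the remaining entries are never checked; a one-line comment recording that this is deliberate would help the next reader. The function also has no header comment; suggest `/* False when the cached user/group id lies outside the domain's configured id range; true when it is in range or cannot be determined. */`.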
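Review bot: The new `else` branch in cache_req_search_send returns ENOENT for an expired, out-of-range object but does not remove the entry from the cache, so the stale record stays in sysdb and this branch is presumably hit on every later lookup; if the intent of the patch title is to actually clear such entries, a delete belongs here, otherwise a comment such as `/* Entry is left in sysdb and only hidden from the caller */` should state the choice. `cache_req_should_be_in_cache (cr, state->result)` has a space before the parenthesis, unlike the other calls in this hunk; `if (cache_req_should_be_in_cache(cr, state->result)) {` matches the surrounding style. The id check runs only on the refresh path (`status != CACHE_OBJECT_MISSING`), so a still-valid cached object outside a newly narrowed range is apparently still returned — confirm that is intended. The enclosing function starts and ends outside the hunk.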