I'm sorry about the breakage, but if ad_access_filter was unset while access_provider was set to AD, access was denied. Even though the access order was set correctly to "expire, filter", the filter being NULL caused problems. A patch including a unit test is attached.
>From 70892384b3d479c43b37a2fc3cf4c5dc032db1a9 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Wed, 30 Oct 2013 21:35:18 +0100 Subject: [PATCH] AD: Fix ad_access_filter parsing with empty filter
---
 src/providers/ad/ad_access.c | 8 ++++++++
 src/tests/cmocka/test_ad_access_filter.c | 16 ++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/src/providers/ad/ad_access.c b/src/providers/ad/ad_access.c
index c16f049424d65b50c306fad7e782570868a664ea..6995172db304810899e538b37572e4ba953db3e7 100644
--- a/src/providers/ad/ad_access.c
+++ b/src/providers/ad/ad_access.c
@@ -169,12 +169,20 @@ ad_parse_access_filter(TALLOC_CTX *mem_ctx,
 int flags;
 TALLOC_CTX *tmp_ctx;
+ if (_filter == NULL) return EINVAL;
+
 tmp_ctx = talloc_new(mem_ctx);
 if (tmp_ctx == NULL) {
 ret = ENOMEM;
 goto done;
 }
+ if (filter_list == NULL) {
+ *_filter = NULL;
+ ret = EOK;
+ goto done;
+ }
+
 ret = split_on_separator(tmp_ctx, filter_list, '?', true, true, &filters, &nfilters);
 if (ret != EOK) {
diff --git a/src/tests/cmocka/test_ad_access_filter.c b/src/tests/cmocka/test_ad_access_filter.c
index e31f2dc37d7f78b0fa871839a57bd62a09c53944..3f4e44f14150a1a23eda5e7b914ddcee94203c65 100644
--- a/src/tests/cmocka/test_ad_access_filter.c
+++ b/src/tests/cmocka/test_ad_access_filter.c
@@ -99,6 +99,18 @@ done:
 talloc_free(tmp_ctx);
 }
+/* Test that setting no filter lets all access through
+ */
+void test_no_filter(void **state)
+{
+ struct filter_parse_result expected = {
+ .result = EOK,
+ .best_match = NULL
+ };
+
+ test_parse_filter_generic(NULL, &expected);
+}
+
 /* Test that if one filter is provided, it is returned as-is
 */
 void test_single_filter(void **state)
@@ -304,6 +316,10 @@ int main(int argc, const char *argv[])
 parse_test_setup,
 parse_test_teardown),
+ unit_test_setup_teardown(test_no_filter,
+ ad_access_filter_test_setup,
+ ad_access_filter_test_teardown),
+
 unit_test_setup_teardown(test_single_filter,
 ad_access_filter_test_setup,
 ad_access_filter_test_teardown),
-- 
1.8.3.1
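Review bot: The new `filter_list == NULL` branch in ad_parse_access_filter returns `EOK` with `*_filter = NULL`, and the accompanying test reads that as "lets all access through", so a NULL out-value is now a fail-open signal in an access-control path and nothing at the branch says so. I would add a comment there such as `/* No ad_access_filter configured: NULL tells the caller to skip the filter check */`. The rest of the function is outside this hunk, so it is worth confirming that a non-NULL filter list in which no entry applies to the domain cannot also finish with `EOK` and a NULL `*_filter`, because the caller could not then tell "unset" from "nothing matched". As a style point, the unbraced `if (_filter == NULL) return EINVAL;` differs from the braced `if` bodies around it.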
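Review bot: test_no_filter exercises only a NULL filter list, while an option that is present but empty takes the `split_on_separator` path in ad_access.c rather than the new early exit, and that path is not covered here. I would add a second case, for example `test_parse_filter_generic("", &expected);`, with the intended result written down so that an empty value allowing or denying access is a deliberate decision rather than a side effect of the parser. The comment also claims more than the test checks: it asserts only the parse result (`EOK` and a NULL `best_match`), so `/* Test that an unset filter parses to EOK with no filter selected */` would describe it more accurately.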