URL: https://github.com/SSSD/sssd/pull/138 Author: justin-stephenson Title: #138: IPA: Skip conflict entries associated with sudo rules Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/138/head:pr138 git checkout pr138
From ec35e06e6758839798731d6f1de2ac4b05e47b4e Mon Sep 17 00:00:00 2001 From: Justin Stephenson <jstep...@redhat.com> Date: Fri, 20 Jan 2017 15:43:34 -0500 Subject: [PATCH 1/3] SUDO: Add skip_entry boolean to convert_ functions Pass boolean as argument to sudo conversion functions to add logic for skipping unexpected entries like replication conflicts. Resolves: https://fedorahosted.org/sssd/ticket/3288 --- src/providers/ipa/ipa_sudo_conversion.c | 37 +++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c index 9dbc860..04a4135 100644 --- a/src/providers/ipa/ipa_sudo_conversion.c +++ b/src/providers/ipa/ipa_sudo_conversion.c @@ -746,12 +746,15 @@ struct ipa_sudo_conv_result_ctx { static const char * convert_host(TALLOC_CTX *mem_ctx, struct ipa_sudo_conv *conv, - const char *value) + const char *value, + bool *skip_entry) { char *rdn; const char *group; errno_t ret; + *skip_entry = false; + ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn, MATCHRDN_HOST(conv->map_host)); if (ret == EOK) { @@ -765,7 +768,8 @@ convert_host(TALLOC_CTX *mem_ctx, ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn, MATCHRDN_HOSTGROUP(conv->map_hostgroup)); if (ret == ENOENT) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value); + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value); + *skip_entry = true; return NULL; } else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n", @@ -782,12 +786,15 @@ convert_host(TALLOC_CTX *mem_ctx, static const char * convert_user(TALLOC_CTX *mem_ctx, struct ipa_sudo_conv *conv, - const char *value) + const char *value, + bool *skip_entry) { char *rdn; const char *group; errno_t ret; + *skip_entry = false; + ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn, MATCHRDN_USER(conv->map_user)); if (ret == EOK) { 
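Review bot: The ENOENT branch in convert_host (and the identical branches in convert_user on this line and convert_group in the next set of hunks) now turns any DN that matches neither expected RDN pattern into a skipped value, not only replication conflict entries, yet the message is still logged at SSSDBG_CRIT_FAILURE for a condition the code now deliberately tolerates. A short comment at the `*skip_entry = true;` line would record the intent, e.g. `/* Not a host/hostgroup DN (typically a replication conflict entry with a cn+nsuniqueid RDN): drop this value only, not the whole rule. */`, and the log level could be lowered to match. The other failure path (`ret != EOK`) still returns NULL with skip_entry false, which the caller reports as ENOMEM whatever ipa_get_rdn actually failed with; that is pre-existing, but worth a comment now that the function distinguishes outcomes.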
@@ -801,7 +808,8 @@ convert_user(TALLOC_CTX *mem_ctx, ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn, MATCHRDN_GROUP(conv->map_group)); if (ret == ENOENT) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value); + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value); + *skip_entry = true; return NULL; } else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n", @@ -818,12 +826,15 @@ convert_user(TALLOC_CTX *mem_ctx, static const char * convert_user_fqdn(TALLOC_CTX *mem_ctx, struct ipa_sudo_conv *conv, - const char *value) + const char *value, + bool *skip_entry) { const char *shortname = NULL; char *fqdn = NULL; - shortname = convert_user(mem_ctx, conv, value); + *skip_entry = false; + + shortname = convert_user(mem_ctx, conv, value, skip_entry); if (shortname == NULL) { return NULL; } @@ -836,15 +847,19 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx, static const char * convert_group(TALLOC_CTX *mem_ctx, struct ipa_sudo_conv *conv, - const char *value) + const char *value, + bool *skip_entry) { char *rdn; errno_t ret; + *skip_entry = false; + ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn, MATCHRDN_GROUP(conv->map_group)); if (ret == ENOENT) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value); + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value); + *skip_entry = true; return NULL; } else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n", @@ -866,8 +881,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx, static const char * convert_cat(TALLOC_CTX *mem_ctx, struct ipa_sudo_conv *conv, - const char *value) + const char *value, + bool *skip_entry) { + + *skip_entry = false; + if (strcmp(value, "all") == 0) { return talloc_strdup(mem_ctx, "ALL"); } From 5acc2603977c7449871843a1883eafa8acbd2a75 Mon Sep 17 00:00:00 2001 
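Review bot: In convert_user_fqdn the new `*skip_entry = false;` is redundant: convert_user, called two lines later with the same pointer, unconditionally resets it before doing anything else. Either drop the assignment or keep it with a comment saying it guards against a future callee that does not initialise the flag. The rest of convert_user_fqdn continues outside the hunk.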
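Review bot: The last hunk's header shows convert_runasextusergroup immediately preceding convert_cat, and nothing in this series changes its signature; if it is registered in the conv_fn table of convert_attributes (the table rows after convert_user_fqdn are not visible here), that initialiser will no longer type-check once patch 2 widens conv_fn to take `bool *skip_entry`. It should receive the same `bool *skip_entry` parameter and `*skip_entry = false;` as the other converters. Minor style: convert_cat gains a blank line directly after its opening brace, which the other converters in this file do not do.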
From: Justin Stephenson <jstep...@redhat.com> Date: Fri, 20 Jan 2017 15:48:43 -0500 Subject: [PATCH 2/3] SUDO: Add boolean to primary conversion function Add boolean to convert_attributes function allowing certain entries to be skipped instead of failing the complete conversion operation entirely Resolves: https://fedorahosted.org/sssd/ticket/3288 --- src/providers/ipa/ipa_sudo_conversion.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c index 04a4135..951a534 100644 --- a/src/providers/ipa/ipa_sudo_conversion.c +++ b/src/providers/ipa/ipa_sudo_conversion.c @@ -904,12 +904,14 @@ convert_attributes(struct ipa_sudo_conv *conv, const char *value; errno_t ret; int i, j; + bool skip_entry; static struct { const char *ipa; const char *sudo; const char *(*conv_fn)(TALLOC_CTX *mem_ctx, struct ipa_sudo_conv *conv, - const char *value); + const char *value, + bool *skip_entry); } table[] = {{SYSDB_NAME, SYSDB_SUDO_CACHE_AT_CN , NULL}, {SYSDB_IPA_SUDORULE_HOST, SYSDB_SUDO_CACHE_AT_HOST , convert_host}, {SYSDB_IPA_SUDORULE_USER, SYSDB_SUDO_CACHE_AT_USER , convert_user_fqdn}, @@ -950,10 +952,15 @@ convert_attributes(struct ipa_sudo_conv *conv, for (j = 0; values[j] != NULL; j++) { if (table[i].conv_fn != NULL) { - value = table[i].conv_fn(tmp_ctx, conv, values[j]); + value = table[i].conv_fn(tmp_ctx, conv, values[j], &skip_entry); if (value == NULL) { - ret = ENOMEM; - goto done; + if (skip_entry) { + ret = ENOENT; + continue; + } else { + ret = ENOMEM; + goto done; + } } } else { value = values[j]; From 9743b6dbc1f044a6c1505ed283b8dd9f24d71df5 Mon Sep 17 00:00:00 2001 
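Review bot: In convert_attributes the skip branch sets `ret = ENOENT` before `continue`, but whether that value survives depends on code after the hunk: if the next value succeeds it is overwritten, and if the skipped value is the last one ENOENT may become the function's return and fail the very rule the patch means to keep. Make the outcome explicit, either `if (skip_entry) { continue; }` with no assignment or a skipped-value counter checked after the loop, and add a comment stating that a skipped value is simply omitted from the converted rule, which narrows it rather than rejecting it. In the first hunk `bool skip_entry;` is left uninitialised; `bool skip_entry = false;` is cheaper than relying on every conv_fn in the table (not all rows are visible) to write it. The NULL-but-not-skipped case is still reported as ENOMEM even when the converter logged an ipa_get_rdn failure; pre-existing, but now easy to separate.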
From: Justin Stephenson <jstep...@redhat.com> Date: Wed, 25 Jan 2017 17:05:01 -0500 Subject: [PATCH 3/3] TESTS: Add to IPA DN test Add test to ensure conflict entries return ENOENT Resolves: https://fedorahosted.org/sssd/ticket/3288 --- src/tests/cmocka/test_ipa_dn.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/tests/cmocka/test_ipa_dn.c b/src/tests/cmocka/test_ipa_dn.c index a6e26ec..1cd5013 100644 --- a/src/tests/cmocka/test_ipa_dn.c +++ b/src/tests/cmocka/test_ipa_dn.c @@ -169,6 +169,11 @@ static void ipa_get_rdn_test(void **state) ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,attr1=value1", &rdn, "cn", "attr1", "value1"); assert_int_equal(ret, ENOENT); assert_null(rdn); + + ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,attr1=value1,attr2=value2,dc=example,dc=com", + &rdn, "cn", "attr1", "value1", "attr2", "value2"); + assert_int_equal(ret, ENOENT); + assert_null(rdn); } int main(int argc, const char *argv[])
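Review bot: The new assertion exercises only ipa_get_rdn on a DN with a multi-valued cn+nsuniqueid RDN; nothing in the series tests the skip_entry path in convert_attributes, so a regression there (for example in the ret handling around `continue`) would go unnoticed. A comment on the new call would make the fixture self-explaining, e.g. `/* Replication conflict entries carry a cn+nsuniqueid multi-valued RDN and must not be matched. */`. The DN literal also pushes the line well past the file's usual width; splitting it into adjacent string literals keeps it readable. ipa_get_rdn_test begins outside the hunk.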