URL: https://github.com/SSSD/sssd/pull/716 Author: thalman Title: #716: CACHE: SSSD doesn't clear cache entries Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/716/head:pr716 git checkout pr716
From 986220bfe651ecf93773388d34ff79349f99e913 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thal...@redhat.com>
Date: Sun, 16 Dec 2018 08:46:24 +0100
Subject: [PATCH] CACHE: SSSD doesn't clear cache entries

Once object is in cache it is refreshed when it is expired and requested by the system. Object ID is not checked before refresh, but config parameter ldap_(min|max)_id could be changed by admin. We should check object ID and not refresh objects outside min/max ID interval.

Resolves: https://pagure.io/SSSD/sssd/issue/3905
---
 .../common/cache_req/cache_req_search.c | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
index 7423feb63..9e486468f 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -25,6 +25,7 @@
 #include "util/util.h"
 #include "responder/common/cache_req/cache_req_private.h"
 #include "responder/common/cache_req/cache_req_plugin.h"
+#include "db/sysdb.h"
 
 static errno_t cache_req_search_ncache(struct cache_req *cr)
 {
@@ -169,6 +170,52 @@ static errno_t cache_req_search_ncache_filter(TALLOC_CTX *mem_ctx,
     return ret;
 }
 
+static int
+cache_req_should_be_in_cache (struct cache_req *cr,
+                              struct ldb_result *result)
+{
+    unsigned int id = 0;
+    const char *object_class;
+
+
+    if (result == NULL || result->count == 0) {
+        /* can't decide so keep it */
+        return EOK;
+    }
+
+    object_class = ldb_msg_find_attr_as_string(result->msgs[0],
+                                               SYSDB_OBJECTCATEGORY, NULL);
+    if (! object_class) {
+        /* no object_class => can't decide so keep it in cache */
+        return EOK;
+    }
+
+    if (strcasecmp(object_class, SYSDB_USER_CLASS) == 0) {
+        /* user -> check uid and primary group */
+        id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_UIDNUM, 0);
+        if (id && OUT_OF_ID_RANGE(id, cr->domain->id_min, cr->domain->id_max)) {
+            return ERR_ID_OUTSIDE_RANGE;
+        }
+
+        id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_GIDNUM, 0);
+        if (id && OUT_OF_ID_RANGE(id, cr->domain->id_min, cr->domain->id_max)) {
+            return ERR_ID_OUTSIDE_RANGE;
+        }
+
+        return EOK;
+    }
+
+    if (strcasecmp(object_class, SYSDB_GROUP_CLASS) == 0) {
+        /* group -> check gidNumber */
+        id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_GIDNUM, 0);
+        if (id && OUT_OF_ID_RANGE(id, cr->domain->id_min, cr->domain->id_max)) {
+            return ERR_ID_OUTSIDE_RANGE;
+        }
+    }
+
+    return EOK;
+}
+
 static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx,
                                       struct cache_req *cr,
                                       struct ldb_result **_result)
@@ -191,6 +238,10 @@ static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx,
         ret = ENOENT;
     }
 
+    if (ret == EOK && result && result->count == 1){
+        ret = cache_req_should_be_in_cache(cr, result);
+    }
+
     switch (ret) {
     case EOK:
         if (cr->plugin->only_one_result && result->count > 1) {
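Review bot: cache_req_should_be_in_cache inspects only result->msgs[0], and the call site below is guarded by result->count == 1, so a lookup that returns several entries (the only_one_result == false case visible in the switch) never has its IDs range-checked at all; if that is intended, say so in a header comment, otherwise iterate over result->msgs. The function documents nothing about its contract; I would add `/* Return EOK when the cached entry may still be served, ERR_ID_OUTSIDE_RANGE when its uidNumber/gidNumber lies outside the domain's id_min/id_max. */` above it. It is declared `static int` although it only ever returns errno_t values and every neighbouring function in this file uses `errno_t`; `static errno_t cache_req_should_be_in_cache(struct cache_req *cr,` would also drop the stray space before the parameter list. `if (! object_class)` reads better as `if (object_class == NULL)`, matching the explicit NULL comparison on result above it, and the two consecutive blank lines after the declarations look accidental. cr->domain is dereferenced unchecked; presumably the caller guarantees it is set, which is worth stating in the comment.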
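Review bot: ERR_ID_OUTSIDE_RANGE now flows into `switch (ret)`, whose non-EOK arms lie outside this hunk (cache_req_search_cache itself starts and ends outside it), so it is worth confirming that this value is routed to the not-found path the caller expects rather than surfacing as a generic lookup failure. The commit title says stale entries are cleared, but the visible code only refuses to serve them; unless the sysdb entry is deleted elsewhere, an out-of-range object will be re-evaluated on every request, and the description should say which it is. Minor: `if (ret == EOK && result != NULL && result->count == 1) {` restores the space before the brace used elsewhere in the file and the explicit NULL comparison the new helper uses.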