URL: https://github.com/SSSD/sssd/pull/905 Author: dmulder Title: #905: Don't ignore host entries in Group Policy security filters Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/905/head:pr905 git checkout pr905
From 7a4aa7d4daa919cb823c384f58258f235604ebdb Mon Sep 17 00:00:00 2001 From: David Mulder <dmul...@suse.com> Date: Fri, 4 Oct 2019 13:04:01 -0600 Subject: [PATCH 1/2] SSSD should accept host entries from GPO's security filter --- Makefile.am | 2 + src/db/sysdb_computer.c | 165 +++++++++++++++++++++++++++++ src/db/sysdb_computer.h | 49 +++++++++ src/providers/ad/ad_gpo.c | 189 ++++++++++++++++++++++++++++++++-- src/providers/ad/ad_gpo_ndr.c | 2 +- 5 files changed, 397 insertions(+), 10 deletions(-) create mode 100644 src/db/sysdb_computer.c create mode 100644 src/db/sysdb_computer.h diff --git a/Makefile.am b/Makefile.am index f6ae4f8de3..66319f29f1 100644 --- a/Makefile.am +++ b/Makefile.am @@ -781,6 +781,7 @@ dist_noinst_HEADERS = \ src/db/sysdb_services.h \ src/db/sysdb_ssh.h \ src/db/sysdb_domain_resolution_order.h \ + src/db/sysdb_computer.h \ src/confdb/confdb.h \ src/confdb/confdb_private.h \ src/confdb/confdb_setup.h \ @@ -1245,6 +1246,7 @@ libsss_util_la_SOURCES = \ src/db/sysdb_certmap.c \ src/db/sysdb_domain_resolution_order.c \ src/util/sss_pam_data.c \ + src/db/sysdb_computer.c \ src/util/util.c \ src/util/util_ext.c \ src/util/util_preauth.c \ diff --git a/src/db/sysdb_computer.c b/src/db/sysdb_computer.c new file mode 100644 index 0000000000..6a7e4a9cf4 --- /dev/null +++ b/src/db/sysdb_computer.c @@ -0,0 +1,165 @@ +/* + SSSD + + Authors: + Samuel Cabrero <scabr...@suse.com> + David Mulder <dmul...@suse.com> + + Copyright (C) 2019 SUSE LINUX GmbH, Nuernberg, Germany. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <arpa/inet.h> + +#include "db/sysdb.h" +#include "db/sysdb_private.h" +#include "db/sysdb_computer.h" + +static errno_t +sysdb_search_computer(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *filter, + const char **attrs, + size_t *num_hosts, + struct ldb_message ***hosts) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + struct ldb_message **results; + size_t num_results; + struct ldb_dn *dn; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + ret = sysdb_search_custom(tmp_ctx, domain, filter, + COMPUTERS_SUBDIR, attrs, + &num_results, &results); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Error looking up host [%d]: %s\n", + ret, strerror(ret)); + goto done; + } else if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, "No such host\n"); + *hosts = NULL; + *num_hosts = 0; + goto done; + } + + *hosts = talloc_steal(mem_ctx, results); + *num_hosts = num_results; + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +int +sysdb_get_computer(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *computer_name, + const char **attrs, + struct ldb_message **computer) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + const char *filter; + struct ldb_message **hosts; + size_t num_hosts; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + filter = talloc_asprintf(tmp_ctx, SYSDB_COMP_FILTER, computer_name); + if (!filter) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_computer(tmp_ctx, domain, filter, attrs, + &num_hosts, &hosts); + if (ret != EOK) { + goto done; + } + + if (num_hosts != 1) { + ret = EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, + "Did not find a single host with name %s\n", computer_name); + goto done; + } + + *computer = talloc_steal(mem_ctx, hosts[0]); + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +int +sysdb_set_computer(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *computer_name, + const char *sid_str) +{ + TALLOC_CTX *tmp_ctx; + int ret; + struct sysdb_attrs *attrs; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + attrs = sysdb_new_attrs(tmp_ctx); + if (!attrs) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, sid_str); + if (ret) goto done; + + ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS, SYSDB_COMPUTER_CLASS); + if (ret) goto done; + + ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, computer_name); + if (ret) goto done; + + /* creation time */ + ret = sysdb_attrs_add_time_t(attrs, SYSDB_CREATE_TIME, time(NULL)); + if (ret) goto done; + + ret = sysdb_store_custom(domain, computer_name, COMPUTERS_SUBDIR, attrs); + if (ret) goto done; + + +done: + if (ret) { + DEBUG(SSSDBG_TRACE_FUNC, "Error: %d (%s)\n", ret, strerror(ret)); + } + talloc_zfree(tmp_ctx); + + return ret; +} diff --git a/src/db/sysdb_computer.h b/src/db/sysdb_computer.h new file mode 100644 index 0000000000..7c937003d1 --- /dev/null +++ b/src/db/sysdb_computer.h @@ -0,0 +1,49 @@ +/* + SSSD + + Authors: + Samuel Cabrero <scabr...@suse.com> + David Mulder <dmul...@suse.com> + + Copyright (C) 2019 SUSE LINUX GmbH, Nuernberg, Germany. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#ifndef SYSDB_COMPUTERS_H_ +#define SYSDB_COMPUTERS_H_ + +#include "db/sysdb.h" + +#define COMPUTERS_SUBDIR "computers" +#define SYSDB_COMPUTER_CLASS "computer" +#define SYSDB_COMPUTERS_CONTAINER "cn="COMPUTERS_SUBDIR +#define SYSDB_TMPL_COMPUTER_BASE SYSDB_COMPUTERS_CONTAINER","SYSDB_DOM_BASE +#define SYSDB_TMPL_COMPUTER SYSDB_NAME"=%s,"SYSDB_TMPL_COMPUTER_BASE +#define SYSDB_COMP_FILTER "(&("SYSDB_NAME"=%s)("SYSDB_OBJECTCLASS"="SYSDB_COMPUTER_CLASS"))" + +int +sysdb_get_computer(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *computer_name, + const char **attrs, + struct ldb_message **computer); + +int +sysdb_set_computer(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *computer_name, + const char *sid_str); + +#endif /* SYSDB_COMPUTERS_H_ */ diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 7442f27cca..1de2e28bc4 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -51,6 +51,7 @@ #include "util/util_sss_idmap.h" #include <ndr.h> #include <gen_ndr/security.h> +#include <db/sysdb_computer.h> /* == gpo-ldap constants =================================================== */ @@ -65,6 +66,7 @@ #define AD_AT_MACHINE_EXT_NAMES "gPCMachineExtensionNames" #define AD_AT_FUNC_VERSION "gPCFunctionalityVersion" #define AD_AT_FLAGS "flags" +#define AD_AT_SID "objectSid" #define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000 #define UAC_SERVER_TRUST_ACCOUNT 0x00002000 @@ -573,8 +575,10 @@ ad_gpo_dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2) static errno_t ad_gpo_get_sids(TALLOC_CTX *mem_ctx, const char *user, + const char *ad_hostname, struct sss_domain_info *domain, const char **_user_sid, + const char **_host_sid, const char ***_group_sids, int *_group_size) { @@ -584,6 +588,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx, int i = 0; int num_group_sids = 0; const char *user_sid = NULL; + const char *host_sid = NULL; const char *group_sid = NULL; const char **group_sids = NULL; @@ -641,6 +646,24 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx, *_group_size = num_group_sids + 1; *_group_sids = talloc_steal(mem_ctx, group_sids); *_user_sid = talloc_steal(mem_ctx, user_sid); + + /* Get the cached computer object by computer name */ + if (ad_hostname != NULL) { + static const char *host_attrs[] = { SYSDB_SID_STR, NULL }; + struct ldb_message *msg; + ret = sysdb_get_computer(tmp_ctx, domain, ad_hostname, host_attrs, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_get_computer failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + + /* Get the computer SID from the cached entry */ + host_sid = ldb_msg_find_attr_as_string(msg, SYSDB_SID_STR, NULL); + *_host_sid = talloc_steal(mem_ctx, host_sid); + } + ret = EOK; done: @@ -654,6 +677,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx, */ static errno_t ad_gpo_ace_includes_client_sid(const char *user_sid, + const char *host_sid, const char **group_sids, int group_size, struct dom_sid ace_dom_sid, @@ -662,6 +686,7 @@ ad_gpo_ace_includes_client_sid(const char *user_sid, { int i = 0; struct dom_sid *user_dom_sid; + struct dom_sid *host_dom_sid; struct dom_sid *group_dom_sid; enum idmap_error_code err; bool included = false; @@ -679,6 +704,19 @@ ad_gpo_ace_includes_client_sid(const char *user_sid, return EOK; } + err = sss_idmap_sid_to_smb_sid(idmap_ctx, host_sid, &host_dom_sid); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n"); + return EFAULT; + } + + included = ad_gpo_dom_sid_equal(&ace_dom_sid, host_dom_sid); + sss_idmap_free_smb_sid(idmap_ctx, host_dom_sid); + if (included) { + *_included = true; + return EOK; + } + for (i = 0; i < group_size; i++) { err = sss_idmap_sid_to_smb_sid(idmap_ctx, group_sids[i], &group_dom_sid); if (err != IDMAP_SUCCESS) { @@ -728,6 +766,7 @@ ad_gpo_ace_includes_client_sid(const char *user_sid, static enum ace_eval_status ad_gpo_evaluate_ace(struct security_ace *ace, struct sss_idmap_ctx *idmap_ctx, const char *user_sid, + const char *host_sid, const char **group_sids, int group_size) { @@ -741,8 +780,9 @@ static enum ace_eval_status ad_gpo_evaluate_ace(struct security_ace *ace, return AD_GPO_ACE_NEUTRAL; } - ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size, - ace->trustee, idmap_ctx, &included); + ret = ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids, + group_size, ace->trustee, idmap_ctx, + &included); if (ret != EOK) { return AD_GPO_ACE_DENIED; @@ -786,6 +826,7 @@ static enum ace_eval_status ad_gpo_evaluate_ace(struct security_ace *ace, static errno_t ad_gpo_evaluate_dacl(struct security_acl *dacl, struct sss_idmap_ctx *idmap_ctx, const char *user_sid, + const char *host_sid, const char **group_sids, int group_size, bool *_dacl_access_allowed) @@ -810,7 +851,7 @@ static errno_t ad_gpo_evaluate_dacl(struct security_acl *dacl, for (i = 0; i < dacl->num_aces; i ++) { ace = &dacl->aces[i]; - ace_status = ad_gpo_evaluate_ace(ace, idmap_ctx, user_sid, + ace_status = ad_gpo_evaluate_ace(ace, idmap_ctx, user_sid, host_sid, group_sids, group_size); switch (ace_status) { @@ -838,6 +879,7 @@ static errno_t ad_gpo_evaluate_dacl(struct security_acl *dacl, static errno_t ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, const char *user, + const char *ad_hostname, struct sss_domain_info *domain, struct sss_idmap_ctx *idmap_ctx, struct gp_gpo **candidate_gpos, @@ -852,6 +894,7 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, struct security_descriptor *sd = NULL; struct security_acl *dacl = NULL; const char *user_sid = NULL; + const char *host_sid = NULL; const char **group_sids = NULL; int group_size = 0; int gpo_dn_idx = 0; @@ -864,8 +907,8 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, goto done; } - ret = ad_gpo_get_sids(tmp_ctx, user, domain, &user_sid, - &group_sids, &group_size); + ret = ad_gpo_get_sids(tmp_ctx, user, ad_hostname, domain, &user_sid, + &host_sid, &group_sids, &group_size); if (ret != EOK) { ret = ERR_NO_SIDS; DEBUG(SSSDBG_OP_FAILURE, @@ -927,8 +970,8 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, break; } - ret = ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, group_sids, - group_size, &access_allowed); + ret = ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, host_sid, + group_sids, group_size, &access_allowed); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Could not determine if GPO is applicable\n"); continue; @@ -1388,7 +1431,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx, DEBUG(SSSDBG_TRACE_FUNC, " denied_sids[%d] = %s\n", j, denied_sids[j]); } - ret = ad_gpo_get_sids(mem_ctx, user, domain, &user_sid, + ret = ad_gpo_get_sids(mem_ctx, user, NULL, domain, &user_sid, NULL, &group_sids, &group_size); if (ret != EOK) { ret = ERR_NO_SIDS; @@ -1617,6 +1660,7 @@ static void ad_gpo_process_gpo_done(struct tevent_req *subreq); static errno_t ad_gpo_cse_step(struct tevent_req *req); static void ad_gpo_cse_done(struct tevent_req *subreq); +static void ad_gpo_get_host_sid_retrieval_done(struct tevent_req *subreq); struct tevent_req * ad_gpo_access_send(TALLOC_CTX *mem_ctx, @@ -1924,6 +1968,9 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq) struct sysdb_attrs **reply; const char *target_dn = NULL; uint32_t uac; + char *filter = NULL; + char *domain_dn; + const char *attrs[] = {AD_AT_SID, NULL}; req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct ad_gpo_access_state); @@ -2008,6 +2055,129 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq) goto done; } + /* Convert the domain name into domain DN */ + ret = domain_to_basedn(state, state->host_domain->name, &domain_dn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot convert domain name [%s] to base DN [%d]: %s\n", + state->host_domain->name, ret, sss_strerror(ret)); + goto done; + } + + /* Query the computer sid from LDAP, if computer does not exist in cache */ + filter = talloc_asprintf(subreq, SYSDB_COMP_FILTER, state->ad_hostname); + if (!filter) { + ret = ENOMEM; + goto done; + } + + subreq = sdap_get_generic_send(state, state->ev, state->opts, + sdap_id_op_handle(state->sdap_op), + domain_dn, LDAP_SCOPE_SUBTREE, + filter, attrs, NULL, 0, + state->timeout, + false); + + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n"); + ret = EIO; + goto done; + } + + tevent_req_set_callback(subreq, ad_gpo_get_host_sid_retrieval_done, req); + ret = EOK; + + done: + + if (ret != EOK) { + tevent_req_error(req, ret); + } + +} + +enum ndr_err_code +ndr_pull_dom_sid(struct ndr_pull *ndr, + int ndr_flags, + struct dom_sid *r); + +static void ad_gpo_get_host_sid_retrieval_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ad_gpo_access_state *state; + int ret; + int dp_error; + size_t reply_count; + struct sysdb_attrs **reply; + struct ldb_message_element *el = NULL; + enum ndr_err_code ndr_err; + struct dom_sid host_sid; + char *sid_str; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_gpo_access_state); + + ret = sdap_get_generic_recv(subreq, state, + &reply_count, &reply); + talloc_zfree(subreq); + + if (ret != EOK) { + ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); + + DEBUG(SSSDBG_OP_FAILURE, + "sdap_get_generic_recv failed: [%d](%s)\n", + ret, sss_strerror(ret)); + ret = ENOENT; + tevent_req_error(req, ret); + return; + } + + /* reply[0] holds the requested attribute */ + ret = sysdb_attrs_get_el(reply[0], AD_AT_SID, &el); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_get_el failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + if (el->num_values != 1) { + DEBUG(SSSDBG_OP_FAILURE, + "ad_gpo_get_host_sid_retrieval_done failed: sid not present\n"); + ret = EIO; + goto done; + } + + /* parse the dom_sid from the ldb blob */ + ndr_err = ndr_pull_struct_blob_all((DATA_BLOB*)&(el->values[0]), + subreq, &host_sid, + (ndr_pull_flags_fn_t)ndr_pull_dom_sid); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(SSSDBG_OP_FAILURE, + "ndr_pull_struct_blob_all failed: [%d]\n", + ndr_err); + ret = EIO; + goto done; + } + + /* Convert the dom_sid to a sid string */ + ret = sss_idmap_smb_sid_to_sid(state->opts->idmap_ctx->map, + &host_sid, &sid_str); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_idmap_smb_sid_to_sid failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + + /* Put the sid string in the sysdb */ + ret = sysdb_set_computer(subreq, state->user_domain, + state->ad_hostname, sid_str); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_set_computer failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + subreq = ad_gpo_process_som_send(state, state->ev, state->conn, @@ -2143,7 +2313,8 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) goto done; } - ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->user_domain, + ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->ad_hostname, + state->user_domain, state->opts->idmap_ctx->map, candidate_gpos, num_candidate_gpos, &state->dacl_filtered_gpos, diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c index 101701cd52..d573033494 100644 --- a/src/providers/ad/ad_gpo_ndr.c +++ b/src/providers/ad/ad_gpo_ndr.c @@ -248,7 +248,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, return NDR_ERR_SUCCESS; } -static enum ndr_err_code +enum ndr_err_code ndr_pull_dom_sid(struct ndr_pull *ndr, int ndr_flags, struct dom_sid *r) From 5335980eeafcc9f0f30bff05dd38ae03715eb3e8 Mon Sep 17 00:00:00 2001 From: David Mulder <dmul...@suse.com> Date: Fri, 4 Oct 2019 21:14:39 +0000 Subject: [PATCH 2/2] Test the host sid checking --- src/tests/cmocka/test_ad_gpo.c | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c index 0589adcc3d..97f70408a1 100644 --- a/src/tests/cmocka/test_ad_gpo.c +++ b/src/tests/cmocka/test_ad_gpo.c @@ -267,6 +267,7 @@ void test_populate_gplink_list_malformed(void **state) * Test SID-matching logic */ static void test_ad_gpo_ace_includes_client_sid(const char *user_sid, + const char *host_sid, const char **group_sids, int group_size, struct dom_sid ace_dom_sid, @@ -286,8 +287,8 @@ static void test_ad_gpo_ace_includes_client_sid(const char *user_sid, &idmap_ctx); assert_int_equal(err, IDMAP_SUCCESS); - ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size, - ace_dom_sid, idmap_ctx, + ret = ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids, + group_size, ace_dom_sid, idmap_ctx, &includes_client_sid); talloc_free(idmap_ctx); @@ -305,13 +306,14 @@ void test_ad_gpo_ace_includes_client_sid_true(void **state) struct dom_sid ace_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, {21, 2, 3, 4}}; const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103"; + const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102"; int group_size = 2; const char *group_sids[] = {"S-1-5-21-2-3-4", "S-1-5-21-2-3-5"}; - test_ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size, - ace_dom_sid, true); + test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids, + group_size, ace_dom_sid, true); } void test_ad_gpo_ace_includes_client_sid_false(void **state) @@ -320,13 +322,29 @@ void test_ad_gpo_ace_includes_client_sid_false(void **state) struct dom_sid ace_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, {21, 2, 3, 4}}; const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103"; + const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102"; int group_size = 2; const char *group_sids[] = {"S-1-5-21-2-3-5", "S-1-5-21-2-3-6"}; - test_ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size, - ace_dom_sid, false); + test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids, + group_size, ace_dom_sid, false); +} + +void test_ad_gpo_ace_includes_host_sid_true(void **state) +{ + /* ace_dom_sid represents "S-1-5-21-1898687337-2196588786-2775055786-2102" */ + struct dom_sid ace_dom_sid = {1, 5, {0, 0, 0, 0, 0, 5}, {21, 1898687337, 2196588786, 2775055786, 2102}}; + + const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103"; + const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102"; + + int group_size = 0; + const char *group_sids[] = {}; + + test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids, + group_size, ace_dom_sid, true); } int main(int argc, const char *argv[]) @@ -364,6 +382,9 @@ int main(int argc, const char *argv[]) cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_client_sid_false, ad_gpo_test_setup, ad_gpo_test_teardown), + cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_host_sid_true, + ad_gpo_test_setup, + ad_gpo_test_teardown), }; /* Set debug level to invalid value so we can decide if -d 0 was used. */
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org