sssd/0054-HBAC-Fix-tevent-hierarchy-in-ipa_hbac_rule_info_send.patch

From b054e7d8c43b024ee33e9343b4a15e124861f68c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Thu, 3 Aug 2017 00:09:43 +0200
Subject: [PATCH 54/93] HBAC: Fix tevent hierarchy in ipa_hbac_rule_info_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The first thing a _send() function should o is call
`tevent_req_create()` in order to create both the state and the request
and then use the state as context for temporary data.

Also, `tevent_req_create()` should be only function returning NULL from
the _send function, while all the other calls should goto immediate and
return the proper error, as they have a valid request.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/providers/ipa/ipa_hbac_rules.c | 39 +++++++++++++++-----------------------
 1 file changed, 15 insertions(+), 24 deletions(-)

diff --git a/src/providers/ipa/ipa_hbac_rules.c b/src/providers/ipa/ipa_hbac_rules.c
index c860905cc5544100be22ef74379895b3adb94173..b8d45351994e7af1c31558238de8b5910a6ee943 100644
--- a/src/providers/ipa/ipa_hbac_rules.c
+++ b/src/providers/ipa/ipa_hbac_rules.c
@@ -60,35 +60,32 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
     size_t i;
     struct tevent_req *req = NULL;
     struct ipa_hbac_rule_state *state;
-    TALLOC_CTX *tmp_ctx;
     const char *host_dn;
     char *host_dn_clean;
     char *host_group_clean;
     char *rule_filter;
     const char **memberof_list;
 
+    req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state);
+    if (req == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
+        return NULL;
+    }
+
     if (ipa_host == NULL) {
+        ret = EINVAL;
         DEBUG(SSSDBG_CRIT_FAILURE, "Missing host\n");
-        return NULL;
+        goto immediate;
     }
 
-    tmp_ctx = talloc_new(mem_ctx);
-    if (tmp_ctx == NULL) return NULL;
-
     ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify IPA hostname\n");
-        goto error;
+        goto immediate;
     }
 
-    ret = sss_filter_sanitize(tmp_ctx, host_dn, &host_dn_clean);
-    if (ret != EOK) goto error;
-
-    req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state);
-    if (req == NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
-        goto error;
-    }
+    ret = sss_filter_sanitize(state, host_dn, &host_dn_clean);
+    if (ret != EOK) goto immediate;
 
     state->ev = ev;
     state->sh = sh;
@@ -116,7 +113,7 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
     state->attrs[13] = IPA_HOST_CATEGORY;
     state->attrs[14] = NULL;
 
-    rule_filter = talloc_asprintf(tmp_ctx,
+    rule_filter = talloc_asprintf(state,
                                   "(&(objectclass=%s)"
                                   "(%s=%s)(%s=%s)"
                                   "(|(%s=%s)(%s=%s)",
@@ -132,12 +129,12 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
 
     /* Add all parent groups of ipa_hostname to the filter */
     ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF,
-                                       tmp_ctx, &memberof_list);
+                                       state, &memberof_list);
     if (ret != EOK && ret != ENOENT) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify.\n");
     } if (ret == ENOENT) {
         /* This host is not a member of any hostgroups */
-        memberof_list = talloc_array(tmp_ctx, const char *, 1);
+        memberof_list = talloc_array(state, const char *, 1);
         if (memberof_list == NULL) {
             ret = ENOMEM;
             goto immediate;
@@ -146,7 +143,7 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
     }
 
     for (i = 0; memberof_list[i]; i++) {
-        ret = sss_filter_sanitize(tmp_ctx,
+        ret = sss_filter_sanitize(state,
                                   memberof_list[i],
                                   &host_group_clean);
         if (ret != EOK) goto immediate;
@@ -176,7 +173,6 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
         goto immediate;
     }
 
-    talloc_free(tmp_ctx);
     return req;
 
 immediate:
@@ -186,12 +182,7 @@ immediate:
         tevent_req_error(req, ret);
     }
     tevent_req_post(req, ev);
-    talloc_free(tmp_ctx);
     return req;
-
-error:
-    talloc_free(tmp_ctx);
-    return NULL;
 }
 
 static errno_t
-- 
2.14.1
Backport few upstream patches/fixes (cherry picked from commit fa4807ec456a6e246d387bcadc4a1f237a3065b9) (cherry picked from commit 323dbdee02385eee933a04c0e86db88d00351f24) (cherry picked from commit 7e532024f07845d03735f64dbf10fcc285967722) 2017-09-01 18:52:07 +00:00			`From b054e7d8c43b024ee33e9343b4a15e124861f68c Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>`
			`Date: Thu, 3 Aug 2017 00:09:43 +0200`
			`Subject: [PATCH 54/93] HBAC: Fix tevent hierarchy in ipa_hbac_rule_info_send()`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`The first thing a _send() function should o is call`
			`tevent_req_create()` in order to create both the state and the request
			`and then use the state as context for temporary data.`

			Also, `tevent_req_create()` should be only function returning NULL from
			`the _send function, while all the other calls should goto immediate and`
			`return the proper error, as they have a valid request.`

			`Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>`

			`Reviewed-by: Pavel Březina <pbrezina@redhat.com>`
			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`---`
			`src/providers/ipa/ipa_hbac_rules.c \| 39 +++++++++++++++-----------------------`
			`1 file changed, 15 insertions(+), 24 deletions(-)`

			`diff --git a/src/providers/ipa/ipa_hbac_rules.c b/src/providers/ipa/ipa_hbac_rules.c`
			`index c860905cc5544100be22ef74379895b3adb94173..b8d45351994e7af1c31558238de8b5910a6ee943 100644`
			`--- a/src/providers/ipa/ipa_hbac_rules.c`
			`+++ b/src/providers/ipa/ipa_hbac_rules.c`
			`@@ -60,35 +60,32 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,`
			`size_t i;`
			`struct tevent_req *req = NULL;`
			`struct ipa_hbac_rule_state *state;`
			`- TALLOC_CTX *tmp_ctx;`
			`const char *host_dn;`
			`char *host_dn_clean;`
			`char *host_group_clean;`
			`char *rule_filter;`
			`const char **memberof_list;`

			`+ req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state);`
			`+ if (req == NULL) {`
			`+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");`
			`+ return NULL;`
			`+ }`
			`+`
			`if (ipa_host == NULL) {`
			`+ ret = EINVAL;`
			`DEBUG(SSSDBG_CRIT_FAILURE, "Missing host\n");`
			`- return NULL;`
			`+ goto immediate;`
			`}`

			`- tmp_ctx = talloc_new(mem_ctx);`
			`- if (tmp_ctx == NULL) return NULL;`
			`-`
			`ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn);`
			`if (ret != EOK) {`
			`DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify IPA hostname\n");`
			`- goto error;`
			`+ goto immediate;`
			`}`

			`- ret = sss_filter_sanitize(tmp_ctx, host_dn, &host_dn_clean);`
			`- if (ret != EOK) goto error;`
			`-`
			`- req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state);`
			`- if (req == NULL) {`
			`- DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");`
			`- goto error;`
			`- }`
			`+ ret = sss_filter_sanitize(state, host_dn, &host_dn_clean);`
			`+ if (ret != EOK) goto immediate;`

			`state->ev = ev;`
			`state->sh = sh;`
			`@@ -116,7 +113,7 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,`
			`state->attrs[13] = IPA_HOST_CATEGORY;`
			`state->attrs[14] = NULL;`

			`- rule_filter = talloc_asprintf(tmp_ctx,`
			`+ rule_filter = talloc_asprintf(state,`
			`"(&(objectclass=%s)"`
			`"(%s=%s)(%s=%s)"`
			`"(\|(%s=%s)(%s=%s)",`
			`@@ -132,12 +129,12 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,`

			`/* Add all parent groups of ipa_hostname to the filter */`
			`ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF,`
			`- tmp_ctx, &memberof_list);`
			`+ state, &memberof_list);`
			`if (ret != EOK && ret != ENOENT) {`
			`DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify.\n");`
			`} if (ret == ENOENT) {`
			`/* This host is not a member of any hostgroups */`
			`- memberof_list = talloc_array(tmp_ctx, const char *, 1);`
			`+ memberof_list = talloc_array(state, const char *, 1);`
			`if (memberof_list == NULL) {`
			`ret = ENOMEM;`
			`goto immediate;`
			`@@ -146,7 +143,7 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,`
			`}`

			`for (i = 0; memberof_list[i]; i++) {`
			`- ret = sss_filter_sanitize(tmp_ctx,`
			`+ ret = sss_filter_sanitize(state,`
			`memberof_list[i],`
			`&host_group_clean);`
			`if (ret != EOK) goto immediate;`
			`@@ -176,7 +173,6 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,`
			`goto immediate;`
			`}`

			`- talloc_free(tmp_ctx);`
			`return req;`

			`immediate:`
			`@@ -186,12 +182,7 @@ immediate:`
			`tevent_req_error(req, ret);`
			`}`
			`tevent_req_post(req, ev);`
			`- talloc_free(tmp_ctx);`
			`return req;`
			`-`
			`-error:`
			`- talloc_free(tmp_ctx);`
			`- return NULL;`
			`}`

			`static errno_t`
			`--`
			`2.14.1`