Resolves: upstream#3573 - sssd won't show netgroups with blank domai

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 40fe76feb8)
(cherry picked from commit 928c3e94ab)

0001-IPA-Handle-empty-nisDomainName.patch

@@ -0,0 +1,87 @@
+From f9b7073e5cd057cf961b34f99ea1dff0c86b5b6a Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 17 Nov 2017 20:15:34 +0100
+Subject: [PATCH 01/15] IPA: Handle empty nisDomainName
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3573
+
+If nisdomain=, i.e. a blank NIS domain name, sssd was not processing the
+netgroup at all. This is not in agreement with man innetgr which says "Any of
+the elements in a triple can be empty, which means that anything matches. The
+functions described here allow access to the netgroup databases".
+
+This patch instead returns an empty domain as well, which eventually
+produces the same output as if the netgroup was requested from the
+compat tree.
+
+To reproduce the bug:
+$ ipa netgroup-add
+Netgroup name: emptydom
+-------------------------
+Added netgroup "emptydom"
+-------------------------
+  Netgroup name: emptydom
+  NIS domain name: ipa.test
+  IPA unique ID: 164bc15a-f4b3-11e7-acdb-525400ca6df3
+$ ipa netgroup-add-member
+Netgroup name: emptydom
+[member user]: admin
+[member group]:
+[member host]:
+[member host group]:
+[member netgroup]:
+  Netgroup name: emptydom
+  NIS domain name: ipa.test
+  Member User: admin
+-------------------------
+Number of members added 1
+-------------------------
+$ ipa netgroup-mod --nisdomain="" emptydom
+----------------------------
+Modified netgroup "emptydom"
+----------------------------
+  Netgroup name: emptydom
+  Member User: admin
+
+Then run:
+    getent negroup emptydom
+without the patch, the netgroup won't be resolvable. It will resolve to
+a netgroup triple that looks like this after the patch:
+    emptydom              (-,admin,)
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+---
+ src/providers/ipa/ipa_netgroups.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
+index 5c929a485..05ebac758 100644
+--- a/src/providers/ipa/ipa_netgroups.c
++++ b/src/providers/ipa/ipa_netgroups.c
+@@ -953,7 +953,9 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
+ 
+         ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
+                                      &domain);
+-        if (ret != EOK) {
++        if (ret == ENOENT) {
++            domain = NULL;
++        } else if (ret != EOK) {
+             goto done;
+         }
+ 
+@@ -974,7 +976,7 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
+                 for (k = 0; k < hosts_count; k++) {
+                     triple = talloc_asprintf(state, "(%s,%s,%s)",
+                                              hosts[k], uids[j],
+-                                             domain);
++                                             domain ? domain : "");
+                     if (triple == NULL) {
+                         ret = ENOMEM;
+                         goto done;
+-- 
+2.14.3
+

0002-intg-enhance-netgroups-test.patch

@@ -0,0 +1,85 @@
+From 3adc0a2fac5f7f1f30f6b1f75f098d4b50e7cf35 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 5 Mar 2018 12:29:58 +0100
+Subject: [PATCH 02/15] intg: enhance netgroups test
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ src/tests/intg/sssd_netgroup.py |  9 ++++++---
+ src/tests/intg/test_netgroup.py | 26 ++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
+index 3668d2e29..4c34ea61f 100644
+--- a/src/tests/intg/sssd_netgroup.py
++++ b/src/tests/intg/sssd_netgroup.py
+@@ -209,9 +209,12 @@ class NetgroupRetriever(object):
+ 
+             if result_p[0].type == NetgroupType.TRIPLE_VAL:
+                 triple = result_p[0].val.triple
+-                result.append((triple.host.decode('utf-8'),
+-                               triple.user.decode('utf-8'),
+-                               triple.domain.decode('utf-8')))
++                result.append((triple.host and triple.host.decode('utf-8')
++                               or "",
++                               triple.user and triple.user.decode('utf-8')
++                               or "",
++                               triple.domain and triple.domain.decode('utf-8')
++                               or ""))
+ 
+             res, errno, result_p = self._getnetgrent_r(result_p, buff,
+                                                        buff_len)
+diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
+index 3cf5dac2e..06a1cfafd 100644
+--- a/src/tests/intg/test_netgroup.py
++++ b/src/tests/intg/test_netgroup.py
+@@ -106,6 +106,8 @@ def format_basic_conf(ldap_conn, schema):
+         services            = nss
+         disable_netlink     = true
+ 
++        [nss]
++
+         [domain/LDAP]
+         {schema_conf}
+         id_provider         = ldap
+@@ -222,6 +224,14 @@ def add_tripled_netgroup(request, ldap_conn):
+     ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
+                                                    "(host2,user2,domain2)"])
+ 
++    ent_list.add_netgroup("tripled_netgroup_no_domain", ["(host,user,)"])
++
++    ent_list.add_netgroup("tripled_netgroup_no_user", ["(host,,domain)"])
++
++    ent_list.add_netgroup("tripled_netgroup_no_host", ["(,user,domain)"])
++
++    ent_list.add_netgroup("tripled_netgroup_none", ["(,,)"])
++
+     create_ldap_fixture(request, ldap_conn, ent_list)
+     conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+     create_conf_fixture(request, conf)
+@@ -243,6 +253,22 @@ def test_add_tripled_netgroup(add_tripled_netgroup):
+     assert sorted(netgrps) == sorted([("host1", "user1", "domain1"),
+                                       ("host2", "user2", "domain2")])
+ 
++    res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_domain")
++    assert res == sssd_netgroup.NssReturnCode.SUCCESS
++    assert netgrps == [("host", "user", "")]
++
++    res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_user")
++    assert res == sssd_netgroup.NssReturnCode.SUCCESS
++    assert netgrps == [("host", "", "domain")]
++
++    res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_host")
++    assert res == sssd_netgroup.NssReturnCode.SUCCESS
++    assert netgrps == [("", "user", "domain")]
++
++    res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_none")
++    assert res == sssd_netgroup.NssReturnCode.SUCCESS
++    assert netgrps == [("", "", "")]
++
+ 
+ @pytest.fixture
+ def add_mixed_netgroup(request, ldap_conn):
+-- 
+2.14.3
+

sssd.spec

@@ -34,7 +34,7 @@
 
 Name: sssd
 Version: 1.16.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -43,6 +43,8 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
+Patch0001: 0001-IPA-Handle-empty-nisDomainName.patch
+Patch0002: 0002-intg-enhance-netgroups-test.patch
 
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@@ -1244,6 +1246,9 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
+- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
+
 * Fri Mar  9 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-1
 - New upstream release 1.16.1
 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html