Resolves: upstream#3684 - A group is not updated if its member is removed with the cleanup task, but the group does not change

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit f3d06df50d)
Fabiano Fidêncio 2018-04-27 21:16:31 +02:00
parent 2540bf426d
commit 7809e6eedd
2 changed files with 127 additions and 1 deletions


@ -0,0 +1,120 @@
From 68b14b6f94cf23fe2f66ee592e2e1fa5abfe3b9c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 23 Mar 2018 13:40:34 +0100
Subject: [PATCH] SYSDB: When marking an entry as expired, also set the
originalModifyTimestamp to 1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3684
If the cleanup task removes a user who was a fully resolved member (not a
ghost), but then the group the user was a member of is requested, unless
the group had changed, the user doesn't appear as a member of the group
again. This is because the modify timestamp would prevent the group from
updating and therefore the ghost attribute is not readded.
To mitigate this, let's also set the originalModifyTimestamp attribute
to 1, so that we never take the optimized path while updating the group.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 250751bf8b0532d6175e762b7f2f008cc1c39a78)
---
src/db/sysdb_ops.c | 13 +++++++++++
src/tests/intg/test_ldap.py | 54 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 67 insertions(+)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index cc86a114e..09aa04a29 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -5410,6 +5410,19 @@ errno_t sysdb_mark_entry_as_expired_ldb_dn(struct sss_domain_info *dom,
goto done;
}
+ ret = ldb_msg_add_empty(msg, SYSDB_ORIG_MODSTAMP,
+ LDB_FLAG_MOD_REPLACE, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ ret = ldb_msg_add_string(msg, SYSDB_ORIG_MODSTAMP, "1");
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
ret = ldb_modify(dom->sysdb->ldb, msg);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index a6659b1b7..db3253858 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -434,6 +434,60 @@ def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
dict(mem=ent.contains_only("user1")))
+@pytest.fixture
+def update_ts_after_cleanup_task(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_user("user2", 1002, 2001)
+
+ ent_list.add_group_bis("group1", 2001, ["user1", "user2"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
+ unindent("""
+ [domain/LDAP]
+ ldap_purge_cache_timeout = 3
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_update_ts_cache_after_cleanup_task(ldap_conn,
+ update_ts_after_cleanup_task):
+ """
+ Regression test for ticket:
+ https://fedorahosted.org/sssd/ticket/2676
+ """
+ ent.assert_group_by_name(
+ "group1",
+ dict(mem=ent.contains_only("user1", "user2")))
+
+ ent.assert_passwd_by_name(
+ 'user1',
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+
+ ent.assert_passwd_by_name(
+ 'user2',
+ dict(name='user2', passwd='*', uid=1002, gid=2001,
+ gecos='1002', shell='/bin/bash'))
+
+ if subprocess.call(["sss_cache", "-u", "user1"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ # The cleanup task runs every 3 seconds, so sleep for 6
+ # so that we know the cleanup task ran at least once
+ # even if we start sleeping during the first one
+ time.sleep(6)
+
+ ent.assert_group_by_name(
+ "group1",
+ dict(mem=ent.contains_only("user1", "user2")))
+
+
@pytest.fixture
def blank_rfc2307(request, ldap_conn):
"""Create blank RFC2307 directory fixture with interactive SSSD conf"""
--
2.14.3
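Review bot: The docstring of `test_update_ts_cache_after_cleanup_task` cites `https://fedorahosted.org/sssd/ticket/2676`, while the patch header says the change resolves `https://pagure.io/SSSD/sssd/issue/3684`. The reference was possibly carried over from an earlier test and should name the issue this test guards, e.g. `Regression test for ticket: https://pagure.io/SSSD/sssd/issue/3684`. The failure path raises `Exception("sssd_cache failed")` although the command invoked is `sss_cache`, so the message should read `"sss_cache failed"` to match the tool name seen in logs. The fixture `update_ts_after_cleanup_task` has no docstring and calls `.format(**locals())` on a template with no placeholders; a one-line docstring saying it sets `ldap_purge_cache_timeout = 3` so the cleanup task runs during the test would cover it. Cached group membership presumably feeds access decisions, so a regression test for it should be traceable to the correct issue.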


@ -34,7 +34,7 @@
Name: sssd
Version: 1.16.1
Release: 2%{?dist}
Release: 3%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -57,6 +57,7 @@ Patch0012: 0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
Patch0013: 0013-intg-convert-results-returned-as-bytes-to-strings.patch
Patch0014: 0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
Patch0015: 0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
Patch0016: 0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1257,6 +1258,11 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Fri Apr 27 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-3
- Resolves: upstream#3684 - A group is not updated if its member is removed
with the cleanup task, but the group does not
change
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
- Resolves: upstream#3660 - confdb_expand_app_domains() always fails