sssd/0070-simple-access-provider-make-user-grp-res-more-robust.patch

From 45a089a7bcf54e27fb46dc1a2c08c21ac07db96a Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Mon, 20 Apr 2015 11:33:29 -0400
Subject: [PATCH 70/99] simple-access-provider: make user grp res more robust

Not all user groups need to be resolved if group deny list is empty.

Resolves:
https://fedorahosted.org/sssd/ticket/2519

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511)
---
 src/providers/simple/simple_access_check.c | 26 ++++++++++++++++++++++----
 src/util/util_errors.c                     |  1 +
 src/util/util_errors.h                     |  1 +
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index c8217f6d4ef2560931d3151276085eb2a6028be5..14d833be2bccda9ded3b04b881b09fd0be6684bf 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -395,6 +395,8 @@ struct simple_check_groups_state {
 
     const char **group_names;
     size_t num_names;
+
+    bool failed_to_resolve_groups;
 };
 
 static void simple_check_get_groups_next(struct tevent_req *subreq);
@@ -430,6 +432,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->ctx = ctx;
+    state->failed_to_resolve_groups = false;
 
     DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username);
 
@@ -548,11 +551,10 @@ static void simple_check_get_groups_next(struct tevent_req *subreq)
         DEBUG(SSSDBG_OP_FAILURE,
               "Could not resolve name of group with GID %"SPRIgid"\n",
               state->lookup_groups[state->giter].gid);
-        tevent_req_error(req, ret);
-        return;
+        state->failed_to_resolve_groups = true;
+    } else {
+        state->num_names++;
     }
-
-    state->num_names++;
     state->giter++;
 
     if (state->giter < state->num_groups) {
@@ -686,6 +688,9 @@ simple_check_get_groups_recv(struct tevent_req *req,
     TEVENT_REQ_RETURN_ON_ERROR(req);
 
     *_group_names = talloc_steal(mem_ctx, state->group_names);
+    if (state->failed_to_resolve_groups) {
+        return ERR_SIMPLE_GROUPS_MISSING;
+    }
     return EOK;
 }
 
@@ -775,12 +780,25 @@ static void simple_access_check_done(struct tevent_req *subreq)
 
     /* We know the names now. Run the check. */
     ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
+
     talloc_zfree(subreq);
     if (ret == ENOENT) {
         /* If the user wasn't found, just shortcut */
         state->access_granted = false;
         tevent_req_done(req);
         return;
+    } else if (ret == ERR_SIMPLE_GROUPS_MISSING) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Could not collect groups of user %s\n", state->username);
+        if (state->ctx->deny_groups == NULL) {
+            DEBUG(SSSDBG_TRACE_FUNC,
+                  "But no deny groups were defined so we can continue.\n");
+        } else {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Some deny groups were defined, we can't continue\n");
+            tevent_req_error(req, ret);
+            return;
+        }
     } else if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
               "Could not collect groups of user %s\n", state->username);
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index b481210aa21e05eda3a4c5b0699836d085baa892..4f9a2e7001695e0babe8342c497480b325f3322a 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -71,6 +71,7 @@ struct err_string error_to_str[] = {
     { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
     { "Malformed cache entry" }, /* ERR_MALFORMED_ENTRY */
     { "Unexpected cache entry type" }, /* ERR_UNEXPECTED_ENTRY_TYPE */
+    { "Failed to resolve one of user groups." }, /* ERR_SIMPLE_GROUPS_MISSING */
     { "ERR_LAST" } /* ERR_LAST */
 };
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index b6a667fffbbddc77de53e501e185defbd30b23e0..5842a71550a7d14342f976c69f117f41bee1f531 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -93,6 +93,7 @@ enum sssd_errors {
     ERR_TIMESPEC_NOT_SUPPORTED,
     ERR_MALFORMED_ENTRY,
     ERR_UNEXPECTED_ENTRY_TYPE,
+    ERR_SIMPLE_GROUPS_MISSING,
     ERR_LAST            /* ALWAYS LAST */
 };
 
-- 
2.4.0