Precision FSP detection update (optional)

SSSD · Sep 17, 2024 · 0b82f8e · 0b82f8e
1 parent 10348f7
commit 0b82f8e
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 6 deletions.
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
@@ -201,7 +201,7 @@ const char *idmap_error_string(enum idmap_error_code err)
     }
 }
 
-bool is_domain_sid(const char *sid)
+bool is_str_sid(const char *sid, int count)
 {
     const char *p;
     long long a;
@@ -228,9 +228,9 @@ bool is_domain_sid(const char *sid)
             return false;
         }
         c++;
-    } while(c < 3 && *endptr != '\0');
+    } while(c < count && *endptr != '\0');
 
-    if (c != 3 || *endptr != '\0') {
+    if (c != count || *endptr != '\0') {
         return false;
     }
 

diff --git a/src/lib/idmap/sss_idmap.exports b/src/lib/idmap/sss_idmap.exports
@@ -34,7 +34,7 @@ SSS_IDMAP_0.4 {
         sss_idmap_free_smb_sid;
         sss_idmap_free_bin_sid;
         idmap_error_string;
-        is_domain_sid;
+        is_str_sid;
         sss_idmap_domain_has_algorithmic_mapping;
         sss_idmap_domain_by_name_has_algorithmic_mapping;
         sss_idmap_bin_sid_to_dom_sid;

diff --git a/src/lib/idmap/sss_idmap.h b/src/lib/idmap/sss_idmap.h
@@ -695,6 +695,8 @@ enum idmap_error_code sss_idmap_free_bin_sid(struct sss_idmap_ctx *ctx,
  */
 const char *idmap_error_string(enum idmap_error_code err);
 
+bool is_str_sid(const char *str, int count);
+
 /**
  * @brief Check if given string can be used as domain SID
  *
@@ -704,7 +706,25 @@ const char *idmap_error_string(enum idmap_error_code err);
  *  - true: String can be used as domain SID
  *  - false: String can not be used as domain SID
  */
-bool is_domain_sid(const char *str);
+static inline bool is_domain_sid(const char *str)
+{
+    return is_str_sid(str, 3);
+}
+
+/**
+ * @brief Check if given string can be used as principal SID
+ *
+ * @param[in] str   String to check
+ *
+ * @return
+ *  - true: String can be used as principal SID
+ *  - false: String can not be used as principal SID
+ */
+static inline bool is_principal_sid(const char *str)
+{
+    return is_str_sid(str, 4);
+}
+
 
 /**
  * @brief Check if a domain is configured with algorithmic mapping

diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
@@ -553,12 +553,23 @@ sdap_nested_member_is_fsp(struct sdap_nested_group_ctx *group_ctx,
     fspdn_len = strlen(fspdn);
     dn_len = strlen(dn);
     len_diff = dn_len - fspdn_len;
-    if (len_diff < 0) {
+    if (len_diff < 5) {
        talloc_free(fspdn);
        return false;
     }
     ret = strncasecmp(&dn[len_diff], fspdn, fspdn_len) == 0;
     talloc_free(fspdn);
+
+    if (ret) { /* looks like FSP, so just double check to be 100% sure */
+       char *fsp_str = talloc_strdup(group_ctx, dn);
+
+       if (fsp_str == NULL)
+          return false;
+       fsp_str[len_diff - 1] = '\0';  /* replace comma with NULL */
+       ret = is_principal_sid(&fsp_str[3]);
+       talloc_free(fsp_str);
+    }
+
     return ret;
 }