From 0b82f8ef55ce5f02519b07368e04536067a03d02 Mon Sep 17 00:00:00 2001
From: Ondrej Valousek
Date: Tue, 17 Sep 2024 11:32:56 +0200
Subject: [PATCH] Precision FSP detection update (optional)

---
 src/lib/idmap/sss_idmap.c | 6 ++---
 src/lib/idmap/sss_idmap.exports | 2 +-
 src/lib/idmap/sss_idmap.h | 22 ++++++++++++++++++-
 src/providers/ldap/sdap_async_nested_groups.c | 13 ++++++++++-
 4 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
index 7ad05659a76..13680a35dad 100644
--- a/src/lib/idmap/sss_idmap.c
+++ b/src/lib/idmap/sss_idmap.c
@@ -201,7 +201,7 @@ const char *idmap_error_string(enum idmap_error_code err)
 }
 }

-bool is_domain_sid(const char *sid)
+bool is_str_sid(const char *sid, int count)
 {
 const char *p;
 long long a;
@@ -228,9 +228,9 @@ bool is_domain_sid(const char *sid)
 return false;
 }
 c++;
-    } while(c < 3 && *endptr != '\0');
+    } while(c < count && *endptr != '\0');

-    if (c != 3 || *endptr != '\0') {
+    if (c != count || *endptr != '\0') {
 return false;
 }

diff --git a/src/lib/idmap/sss_idmap.exports b/src/lib/idmap/sss_idmap.exports
index 840677794bd..8ab2a3af48f 100644
--- a/src/lib/idmap/sss_idmap.exports
+++ b/src/lib/idmap/sss_idmap.exports
@@ -34,7 +34,7 @@ SSS_IDMAP_0.4 {
 sss_idmap_free_smb_sid;
 sss_idmap_free_bin_sid;
 idmap_error_string;
-    is_domain_sid;
+    is_str_sid;
 sss_idmap_domain_has_algorithmic_mapping;
 sss_idmap_domain_by_name_has_algorithmic_mapping;
 sss_idmap_bin_sid_to_dom_sid;
diff --git a/src/lib/idmap/sss_idmap.h b/src/lib/idmap/sss_idmap.h
index 9c27a160004..824d1ba3a87 100644
--- a/src/lib/idmap/sss_idmap.h
+++ b/src/lib/idmap/sss_idmap.h
@@ -695,6 +695,8 @@ enum idmap_error_code sss_idmap_free_bin_sid(struct sss_idmap_ctx *ctx,
 */
 const char *idmap_error_string(enum idmap_error_code err);

+bool is_str_sid(const char *str, int count);
+
 /**
 * @brief Check if given string can be used as domain SID
 *
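Review bot: `is_str_sid` takes `int count` with no range check, and because the symbol is now exported (see the sss_idmap.exports hunk) a caller passing zero or a negative value gets a quiet `false` instead of a clear contract: the do/while in the second hunk still runs one iteration and then fails `c != count` (assuming `c` starts at zero; its declaration is outside this diff). An early `if (count <= 0) { return false; }` after the declarations, together with a one-line comment on the signature such as `/* count: exact number of dash-separated components the SID must contain */`, would make the intent explicit; adjust that wording to match the parsing loop, which sits between the two hunks. The body of is_str_sid continues outside both hunks.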
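Review bot: Dropping `is_domain_sid;` from the already-published `SSS_IDMAP_0.4` version node removes a symbol that binaries linked against the installed libsss_idmap resolve at load time, so they will fail with an undefined-symbol error once this library is installed; turning it into a `static inline` in the header (second sss_idmap.h hunk) only helps code that is recompiled. Keep `is_domain_sid;` in this node, backed by a real out-of-line definition in sss_idmap.c that calls `is_str_sid(sid, 3)`, and export `is_str_sid;` from a new version node that inherits from `SSS_IDMAP_0.4`. The header appears to be the library's public header, so the same consideration applies to the new `static inline` wrappers there.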
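Review bot: The new prototype `bool is_str_sid(const char *str, int count);` is the only declaration in this stretch of the header without a Doxygen block, while `idmap_error_string` above it and `is_domain_sid` below it both carry one. Add a block mirroring the neighbouring ones — `@param[in] str String to check`, `@param[in] count Number of components the SID must contain`, and the `@return` true/false lines — and align the description of `count` with the parsing loop in sss_idmap.c, which is outside this hunk.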
@@ -704,7 +706,25 @@ const char *idmap_error_string(enum idmap_error_code err);
 * - true: String can be used as domain SID
 * - false: String can not be used as domain SID
 */
-bool is_domain_sid(const char *str);
+static inline bool is_domain_sid(const char *str)
+{
+ return is_str_sid(str, 3);
+}
+
+/**
+ * @brief Check if given string can be used as principal SID
+ *
+ * @param[in] str String to check
+ *
+ * @return
+ * - true: String can be used as principal SID
+ * - false: String can not be used as principal SID
+ */
+static inline bool is_principal_sid(const char *str)
+{
+ return is_str_sid(str, 4);
+}
+

 /**
 * @brief Check if a domain is configured with algorithmic mapping
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index ef995697dea..12c550de590 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -553,12 +553,23 @@ sdap_nested_member_is_fsp(struct sdap_nested_group_ctx *group_ctx,
 fspdn_len = strlen(fspdn);
 dn_len = strlen(dn);
 len_diff = dn_len - fspdn_len;
- if (len_diff < 0) {
+ if (len_diff < 5) {
 talloc_free(fspdn);
 return false;
 }

 ret = strncasecmp(&dn[len_diff], fspdn, fspdn_len) == 0;
 talloc_free(fspdn);
+
+ if (ret) { /* looks like FSP, so just double check to be 100% sure */
+ char *fsp_str = talloc_strdup(group_ctx, dn);
+
+ if (fsp_str == NULL)
+ return false;
+ fsp_str[len_diff - 1] = '\0'; /* replace comma with NULL */
+ ret = is_principal_sid(&fsp_str[3]);
+ talloc_free(fsp_str);
+ }
+
 return ret;
 }
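Review bot: `fsp_str[len_diff - 1] = '\0'` and `is_principal_sid(&fsp_str[3])` assume the DN is literally `CN=<sid>,<fspdn>`, yet nothing verifies that the RDN attribute is `CN=` or that the byte before the matched suffix is a comma, so the offsets are trusted rather than checked and an unexpected RDN or a space before the comma hands a mangled substring to the SID parser. Checking both before parsing and copying only the RDN value with `talloc_strndup` keeps the double check honest and removes the in-place write; the rewrite is below. Separately, if `count` in `is_str_sid` fixes the number of dash-separated components (its body is outside this diff), FSP entries for well-known SIDs with fewer components, such as `S-1-5-11`, would now be reported as non-FSP where the suffix test alone accepted them — confirm that is intended. sdap_nested_member_is_fsp begins above the hunk.
```c
    /* … unchanged: suffix comparison and talloc_free(fspdn) … */

    if (ret) { /* looks like FSP, so just double check to be 100% sure */
        /* Require the RDN to be "CN=<sid>," before handing the value to the
         * SID parser instead of trusting fixed offsets into the DN. */
        if (strncasecmp(dn, "CN=", 3) != 0 || dn[len_diff - 1] != ',') {
            return false;
        }
        char *fsp_str = talloc_strndup(group_ctx, dn + 3, len_diff - 4);

        if (fsp_str == NULL) {
            return false;
        }
        ret = is_principal_sid(fsp_str);
        talloc_free(fsp_str);
    }
```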