names: only check sub-domains for regex match

It is allowed to have different regular-expression to split the input
name for different domains. After the regex is evaluated and a domain
name was found in the input it has to be check if the domain name
corresponds to the domain the regex is coming from.

E.g. with the implicit files provider enabled the file provider might
use a simple default regex while and additional IPA or AD provider will
have a more complex one which e.g. properly handles @-characters in
names. When evaluation in input the simple regex will come first and
will split the name but will miss part of the user name part if the name
contains an @-character. Currently SSSD check if the found domain name
matches any of the know domains or sub-domains which is wrong because
the regex was coming from the files provider and hence it should only
handle its own objects.

With this patch not all domains are checked but only the current one and
its sub-domains, if any. This behavior is also mentioned in a comment
already in the code. As a result in the above example the check with
the results form the simple regex with fail and then the more complex
regex of the other domain will be used which can split the name
properly.

Resolves: #6055

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
(cherry picked from commit 9656516)

src/tests/cmocka/test_fqnames.c

@@ -318,6 +318,41 @@ static int parse_name_test_setup(void **state)
     return 0;
 }
 
+static int parse_name_test_two_names_ctx_setup(void **state)
+{
+    struct parse_name_test_ctx *test_ctx;
+    struct sss_names_ctx *nctx1 = NULL;
+    struct sss_names_ctx *nctx2 = NULL;
+    struct sss_domain_info *dom;
+    int ret;
+
+    assert_true(leak_check_setup());
+
+    test_ctx = talloc_zero(global_talloc_context, struct parse_name_test_ctx);
+    assert_non_null(test_ctx);
+
+    ret = sss_names_init_from_args(test_ctx, SSS_DEFAULT_RE,
+                                   "%1$s@%2$s", &nctx1);
+    assert_int_equal(ret, EOK);
+
+    ret = sss_names_init_from_args(test_ctx, SSS_IPA_AD_DEFAULT_RE,
+                                   "%1$s@%2$s", &nctx2);
+    assert_int_equal(ret, EOK);
+
+    test_ctx->dom = create_test_domain(test_ctx, DOMNAME, FLATNAME,
+                                       NULL, nctx1);
+    assert_non_null(test_ctx->dom);
+
+    dom = create_test_domain(test_ctx, DOMNAME2, FLATNAME2,
+                                       NULL, nctx2);
+    assert_non_null(dom);
+    DLIST_ADD_END(test_ctx->dom, dom, struct sss_domain_info *);
+
+    check_leaks_push(test_ctx);
+    *state = test_ctx;
+    return 0;
+}
+
 static int parse_name_test_teardown(void **state)
 {
     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
@@ -448,6 +483,18 @@ void test_init_nouser(void **state)
     assert_int_not_equal(ret, EOK);
 }
 
+void test_different_regexps(void **state)
+{
+    struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
+                                                     struct parse_name_test_ctx);
+    parse_name_check(test_ctx, NAME"@"DOMNAME, NULL, EOK, NAME, DOMNAME);
+    parse_name_check(test_ctx, NAME"@"DOMNAME2, NULL, EOK, NAME, DOMNAME2);
+    parse_name_check(test_ctx, NAME"@WITH_AT@"DOMNAME2, NULL, EOK, NAME"@WITH_AT", DOMNAME2);
+    parse_name_check(test_ctx, FLATNAME"\\"NAME, NULL, EOK, FLATNAME"\\"NAME, NULL);
+    parse_name_check(test_ctx, FLATNAME2"\\"NAME, NULL, EOK, NAME, DOMNAME2);
+    parse_name_check(test_ctx, FLATNAME2"\\"NAME"@WITH_AT", NULL, EOK, NAME"@WITH_AT", DOMNAME2);
+}
+
 void sss_parse_name_fail(void **state)
 {
     struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
@@ -502,6 +549,9 @@ int main(int argc, const char *argv[])
         cmocka_unit_test_setup_teardown(sss_parse_name_fail,
                                         parse_name_test_setup,
                                         parse_name_test_teardown),
+        cmocka_unit_test_setup_teardown(test_different_regexps,
+                                        parse_name_test_two_names_ctx_setup,
+                                        parse_name_test_teardown),
     };
 
     /* Set debug level to invalid value so we can decide if -d 0 was used. */

src/util/usertools.c

@@ -321,7 +321,7 @@ static struct sss_domain_info * match_any_domain_or_subdomain_name(
         return dom;
     }
 
-    return find_domain_by_name(dom, dmatch, true);
+    return find_domain_by_name_ex(dom, dmatch, true, SSS_GND_SUBDOMAINS);
 }
 
 int sss_parse_name_for_domains(TALLOC_CTX *memctx,