
List:       sssd-devel
Subject:    =?utf-8?b?W1NTU0Rd?= [sssd PR#716][synchronized] CACHE: SSSD doesn't clear cache entries
From:       thalman <sssd-github-notification () fedorahosted ! org>
Date:       2018-12-18 17:02:24
Message-ID: gh-SSSD/sssd-716-2018-a4cdc3bd-8ea7-490a-86d1-fb5baa263d53 () sssd-github-notification ! fedorahosted ! org


   URL: https://github.com/SSSD/sssd/pull/716
Author: thalman
 Title: #716: CACHE: SSSD doesn't clear cache entries
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/716/head:pr716
git checkout pr716

["sssd-pr-716.patch" (sssd-pr-716.patch)]

From 8bfdebba894e07b1b2c809dbfbf92b3533c43074 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Sun, 16 Dec 2018 08:46:24 +0100
Subject: [PATCH] CACHE: SSSD doesn't clear cache entries

Once an object is in the cache, it is refreshed when it has expired and
is requested by the system. The object ID is not checked before the refresh,
but the config parameter ldap_(min|max)_id could have been changed by the admin.
We should check the object ID and not refresh objects outside the min/max
ID interval.

Resolves:
https://pagure.io/SSSD/sssd/issue/3905
---
 .../common/cache_req/cache_req_search.c       | 49 +++++++++++++++++--
 1 file changed, 46 insertions(+), 3 deletions(-)

diff --git a/src/responder/common/cache_req/cache_req_search.c \
b/src/responder/common/cache_req/cache_req_search.c
index 7423feb63..334af7bbe 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -25,6 +25,7 @@
 #include "util/util.h"
 #include "responder/common/cache_req/cache_req_private.h"
 #include "responder/common/cache_req/cache_req_plugin.h"
+#include "db/sysdb.h"
 
 static errno_t cache_req_search_ncache(struct cache_req *cr)
 {
@@ -268,6 +269,41 @@ static errno_t cache_req_search_dp(struct tevent_req *req,
 static void cache_req_search_oob_done(struct tevent_req *subreq);
 static void cache_req_search_done(struct tevent_req *subreq);
 
+static bool
+cache_req_should_be_in_cache (struct cache_req *cr,
+                              struct ldb_result *result)
+{
+    unsigned int id = 0;
+    const char *object_class;
+
+
+    if (result == NULL || result->count == 0) {
+        /* can't decide so keep it */
+        return true;
+    }
+
+    object_class = ldb_msg_find_attr_as_string(result->msgs[0],
+                                               SYSDB_OBJECTCATEGORY, NULL);
+    if (! object_class) {
+        /* no object_class => can't decide so keep it in cache */
+        return true;
+    }
+
+    if (strcasecmp(object_class, SYSDB_USER_CLASS) == 0) {
+        id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_UIDNUM, 0);
+    } else if (strcasecmp(object_class, SYSDB_GROUP_CLASS) == 0) {
+        id = ldb_msg_find_attr_as_uint(result->msgs[0], SYSDB_GIDNUM, 0);
+    }
+
+    if (id && (id < cr->domain->id_min || id > cr->domain->id_max)) {
+        /* uid/gid is out of domain limit */
+        CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "id %d should not be there\n", id);
+        return false;
+    }
+
+    return true;
+}
+
 struct tevent_req *
 cache_req_search_send(TALLOC_CTX *mem_ctx,
                       struct tevent_context *ev,
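Review bot: `id` is declared `unsigned int` but is printed with `%d` in the CACHE_REQ_DEBUG call near the end of the new cache_req_should_be_in_cache; the conversion should be `%u` (`"id %u should not be there\n"`), since a mismatched format specifier is undefined behaviour and -Wformat will warn on it. The `id &&` guard also folds two cases together: ldb_msg_find_attr_as_uint returns the default 0 when the attribute is absent, and 0 is a valid uid/gid, so a root entry is never rejected even when 0 lies outside `id_min`/`id_max` — if that is intended, a comment such as `/* id 0: attribute missing or root; never reject on this basis */` would make it explicit. Only `result->msgs[0]` is inspected, so a multi-entry result is judged by its first message alone; if callers can pass such results, the remaining entries go unchecked. Minor style, here and in the call site in the later hunk: the file writes calls without a space before the parenthesis (`cache_req_should_be_in_cache(cr, result)`) and negations as `!object_class`, and the double blank line after the declarations can go.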
@@ -325,9 +361,16 @@ cache_req_search_send(TALLOC_CTX *mem_ctx,
          * we can return it without searching the rest of the domains.
          */
         if (status != CACHE_OBJECT_MISSING) {
-            CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
-                            "Object found, but needs to be refreshed.\n");
-            bypass_dp = false;
+            if (cache_req_should_be_in_cache (cr, state->result)) {
+                CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+                                "Object found, but needs to be refreshed.\n");
+                bypass_dp = false;
+            } else {
+                CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+                                "Object found, but should not be in cache "
+                                "- not returning it.\n");
+                ret = ENOENT;
+            }
         } else {
             ret = ENOENT;
         }





