nssidmap: fix sss_nss_getgrouplist_timeout() with empty secondary gro…

…up list sss_nss_getgrouplist_timeout() is intended as a replacement for getgrouplist() which only gets secondary groups from SSSD. Currently it returns an ENOENT error if there are no secondary groups returned by SSSD. However, as with getgrouplist(), there is the second parameter which expects a single GID which will be added to the result. This means that sss_nss_getgrouplist_timeout() will always return at least this GID as a result and an ENOENT error does not make sense. With this patch sss_nss_getgrouplist_timeout() will not return an error anymore if there are no secondary groups but just a result with the single GID from the second parameter. Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Tomáš Halman <thalman@redhat.com> (cherry picked from commit cffe6e0)
SSSD · Dec 1, 2023 · e03921e · e03921e
1 parent ff52002
commit e03921e
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
@@ -241,8 +241,9 @@ static int sss_get_ex(struct nss_input *inp, uint32_t flags,
     /* Get number of results from repbuf. */
     SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL);
 
-    /* no results if not found */
-    if (num_results == 0) {
+    /* no results if not found, INITGR requests are handled separately */
+    if (num_results == 0 && inp->cmd != SSS_NSS_INITGR
+                         && inp->cmd != SSS_NSS_INITGR_EX) {
         ret = ENOENT;
         goto out;
     }

diff --git a/src/tests/cmocka/sss_nss_idmap-tests.c b/src/tests/cmocka/sss_nss_idmap-tests.c
@@ -30,6 +30,7 @@
 #include "util/util.h"
 #include "util/sss_endian.h"
 
+#define IPA_389DS_PLUGIN_HELPER_CALLS 1
 #include "sss_client/idmap/sss_nss_idmap.h"
 #include "tests/cmocka/common_mock.h"
 
@@ -50,17 +51,23 @@ uint8_t buf3[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x
 uint8_t buf4[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 'x'};
 
 uint8_t buf_orig1[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 'k', 'e', 'y', 0x00, 'v', 'a', 'l', 'u', 'e', 0x00};
+
+uint8_t buf_initgr[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xde, 0x00, 0x00, 0x00};
 #elif (__BYTE_ORDER == __BIG_ENDIAN)
 uint8_t buf1[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00};
 uint8_t buf2[] = {0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00};
 uint8_t buf3[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00};
 uint8_t buf4[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 'x'};
 
 uint8_t buf_orig1[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 'k', 'e', 'y', 0x00, 'v', 'a', 'l', 'u', 'e', 0x00};
+
+uint8_t buf_initgr[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xde};
 #else
  #error "unknow endianess"
 #endif
 
+uint8_t buf_initgr_no_gr[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+
 enum nss_status __wrap_sss_nss_make_request_timeout(enum sss_cli_command cmd,
                                                     struct sss_cli_req_data *rd,
                                                     int timeout,
@@ -148,12 +155,37 @@ void test_getorigbyname(void **state)
     sss_nss_free_kv(kv_list);
 }
 
+void test_sss_nss_getgrouplist_timeout(void **state)
+{
+    int ret;
+    gid_t groups[10];
+    int ngroups = sizeof(groups);
+    struct sss_nss_make_request_test_data d = {buf_initgr, sizeof(buf_initgr), 0, NSS_STATUS_SUCCESS};
+
+    will_return(__wrap_sss_nss_make_request_timeout, &d);
+    ret = sss_nss_getgrouplist_timeout("test", 111, groups, &ngroups, 0, 0);
+    assert_int_equal(ret, EOK);
+    assert_int_equal(ngroups, 2);
+    assert_int_equal(groups[0], 111);
+    assert_int_equal(groups[1], 222);
+
+    d.repbuf = buf_initgr_no_gr;
+    d.replen = sizeof(buf_initgr_no_gr);
+
+    will_return(__wrap_sss_nss_make_request_timeout, &d);
+    ret = sss_nss_getgrouplist_timeout("test", 111, groups, &ngroups, 0, 0);
+    assert_int_equal(ret, EOK);
+    assert_int_equal(ngroups, 1);
+    assert_int_equal(groups[0], 111);
+}
+
 int main(int argc, const char *argv[])
 {
 
     const struct CMUnitTest tests[] = {
         cmocka_unit_test(test_getsidbyname),
         cmocka_unit_test(test_getorigbyname),
+        cmocka_unit_test(test_sss_nss_getgrouplist_timeout),
     };
 
     return cmocka_run_group_tests(tests, NULL, NULL);