cache: Check for max_id/min_id in cache_req

[code-with-amitk]

The cache_req code doesn't check the min_id/max_id
boundaries for requests by ID.
Extending the .lookup_fn function in each plugin
that searches by ID for a check that returns 0
if the entry is out of the range.

Resolves: https://pagure.io/SSSD/sssd/issue/3569

[centos-ci]

Can one of the admins verify this patch?

[centos-ci]

Can one of the admins verify this patch?

[fidencio]

@amitkumar50, as usual, thanks a lot for your contribution!

I've asked a few questions inline.

[fidencio]

Why 20000 was chosen? Please, add a new #define with a meaningful name (or check if we already have one and use it) in order to have things more clear.

[code-with-amitk]

will do

[fidencio]

But why 20000 was chosen? I don't understand where the 20000 comes from.

[fidencio]

I've checked the code and seems that the check you'd like to do is based on domain.
So, you'd have to do something like (not tested):

if ((domain->max_id != 0 && id > domain->max_id) ||  id < domain->min_id ) {
...
}

The reason for this check is because:

• min_id and max_id may be defined by domain through sssd.conf
• defining max_id = 0 means there's no limit for the max_id

[fidencio]

Last but not least, I'd expect at least some debug message added warning that min_id/max_id conditions are not match.

[fidencio]

Also, I'd like to hear from @pbrezina whether he thinks would be better to do this check at the sysdb level or at the cache_req level.

[fidencio]

return EOK instead of 0.

[code-with-amitk]

As per https://pagure.io/SSSD/sssd/issue/3569
for a check that returns EOK but a NULL result if the entry is out of the range.

This is Error case. I believe returning EOK would not be good?
Also typedef int errno_t; So returning NULL would cause warning.
Again EOK is 0 and NULL is also 0. I believe we should only return 0 value on error path, since on good path we should allow function to go a head.

[fidencio]

EOK is 0. But it's way clear in the code if I read EOK instead of 0 as I know that EOK is OK and zero may mean anything else.

[fidencio]

Why have you decided to set ret to zero here?

[code-with-amitk]

At end of function, inside done label, If we not setting any value of ret, It would throw uninitialized warning.

[fidencio]

So, please, set the ret to EOK in the appropriate place (just before calling "goto done")

[fidencio]

Why 20000 was chosen? Please, add a new #define with a meaningful name (or check if we already have one and use it) in order to have things more clear.

[fidencio]

Why have you decided to set ret to zero here?

[fidencio]

Why 20000 was chosen? Please, add a new #define with a meaningful name (or check if we already have one and use it) in order to have things more clear.

[fidencio]

ok to test

[jhrozek]

I'm sorry, but this patch is incorrect.

As I wrote in the ticket, you want to check the input id (data->id inside cache_req) against the domain min/max limits inside the lookup_fn function of plugins that search by ID.

My initial idea was to return a special error code (ERR_UID_OUTSIDE_RANGE?) so that the lookup wouldn't even continue. But this would only handle requests where we actually search the cache.

Alternatively, we could add another plugin method. Not sure which way is more preferred, what do you think, @pbrezina

[pbrezina]

@jhrozek At this point, I think it will be better to wait for your cache req patches to come in. I think this check can be done during the phase where you check if the id is part of the domain. If it is outside the domain range, we can say it is not part of this domain.

[code-with-amitk]

Wrongly commited on this branch.

[jhrozek]

@pbrezina I'm still running some tests with my patches, but in general they are ready and published in my gc_uid branch.

btw see the downtream report - we were already asked for a backport to sssd-1-14, so while in general I'm OK with basing the patches to master atop mine (less work for me I guess :-)) we will also need patches for sssd-1-14.

[code-with-amitk]

@jhrozek Thanks for comments.
So Shall I not work on this patch as of now?
Or instead of EOK define ERR_UID_OUTSIDE_RANGE in ./src/util/util_errors.h and return.

[jhrozek]

This line removal does not belong to this patch, can you remove this hunk from the patch?

[code-with-amitk]

Sorry dint know how these creapt in. On my local checkout on branch I cannot see these.

[fidencio]

Still present in the current series.

[jhrozek]

Also please this line

[code-with-amitk]

ditto

[fidencio]

Same here!

[jhrozek]

Yes, you need to return some special error code here. Additionally, please check both id_max and id_min for being non-zero, like this:

 if ((domain->id_min && (data->id < domain->id_min)) ||
     (domain->id_max && (data->id > domain->id_max))) {

[jhrozek]

Also, please make the debug message level FUNC_DATA or something as low as that so that the debug message doesn't appear during normal operation

[jhrozek]

Finally, please add a case handler into the switch statement in cache_req_search_cache() so that we only print a very low-level debug message and don't hit the "default" handler.

[jhrozek]

Same comments as in the group lookup. I wonder if it makes sense to add a common function to avoid duplicating the same lines?

[jhrozek]

Same comment as in the object and group lookup.

[jhrozek]

@amitkumar50 please see the review comments

[jhrozek]

Removing changes requested since a new patch had arrived

[fidencio]

I have made some comments inline. Adding the "Changes Requested" label but still would like hear from @jhrozek whether the approach of the contributor is okay for him.

[fidencio]

Still present in the current series.

[fidencio]

Same here!

[fidencio]

This function as it is will generate a warning due to the missing return for a non-void function. IOW, you need to return EOK in case of success.

[fidencio]

My understanding is that you want to check the return of this function and then decide what to do based on that.

[fidencio]

Same here.

[fidencio]

Same here!

[fidencio]

As you added a new error in util_errors.h, please, also to add a new string for this error on util_errors.c