From 00f3c5cd03625357e226552084e499965512bf53 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Aug 10 2016 10:17:14 +0000
Subject: SYSDB: Avoid optimisation with modifyTimestamp for users

The usage of modifyTimestamp needn't be a reliable way for detecting of changes in user entry in LDAP. The authorisation need to rely current data from LDAP and therefore we will temporary disable optimisation with modifyTimestamp and we will rather rely on deep comparison of attributes. In he future, it might be changed and responders might control the optimization level.

Resolves: https://fedorahosted.org/sssd/ticket/3110
Reviewed-by: Jakub Hrozek
---
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 67006c1..44fb5b7 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1101,16 +1101,6 @@ done:
 return ret;
 }
 
-static errno_t sysdb_check_and_update_ts_usr(struct sss_domain_info *domain,
- const char *grp_name,
- struct sysdb_attrs *attrs,
- uint64_t cache_timeout,
- time_t now)
-{
- return sysdb_check_and_update_ts_obj(domain, SYSDB_USER, grp_name,
- attrs, cache_timeout, now);
-}
-
 static errno_t sysdb_check_and_update_ts_grp(struct sss_domain_info *domain,
 const char *grp_name,
 struct sysdb_attrs *attrs,
@@ -2470,15 +2460,6 @@ int sysdb_store_user(struct sss_domain_info *domain,
 now = time(NULL);
 }
 
- ret = sysdb_check_and_update_ts_usr(domain, name, attrs,
- cache_timeout, now);
- if (ret == EOK) {
- DEBUG(SSSDBG_TRACE_LIBS,
- "The user record of %s did not change, only updated "
- "the timestamp cache\n", name);
- return EOK;
- }
-
 tmp_ctx = talloc_new(NULL);
 if (!tmp_ctx) {
 return ENOMEM;
diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c
index aa857e7..e950f88 100644
--- a/src/tests/cmocka/test_sysdb_ts_cache.c
+++ b/src/tests/cmocka/test_sysdb_ts_cache.c
@@ -980,20 +980,6 @@ static void test_sysdb_user_update(void **state)
 assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2);
 assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_2);
 
- /* Update the same attrs and the same modifyTimestamp.
- * Only the timestamp cache must be bumped */
- ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL,
- TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME,
- "/home/"TEST_USER_NAME, "/bin/bash", NULL,
- user_attrs, NULL, TEST_CACHE_TIMEOUT,
- TEST_NOW_3);
- assert_int_equal(ret, EOK);
-
- get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME,
- &cache_expire_sysdb, &cache_expire_ts);
- assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2);
- assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_3);
-
 /* Update with different modifyTimestamp but same attrs as previously
 * saved to the timestamp cache. We should detect the 'real' attributes
 * are the same and only bump the timestamp cache