From 1360c8b09f0862fe961fbb015f55d6b3cbd9aee9 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Oct 06 2022 08:13:45 +0000
Subject: extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization)
Reviewed-By: Alexander Bokovoy
---
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index c6594e9..a3d37a3 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -41,6 +41,7 @@
 #define _GNU_SOURCE 1 /* for asprintf() */
 #endif
+#include
 #include
 #include
 #include
@@ -526,6 +527,16 @@ int pack_ber_sid(const char *sid, struct berval **berval)
 return LDAP_SUCCESS;
 }
+static bool verify_domain(const char *fqdn, const char *domain_name)
+{
+ const char *pos = strrchr(fqdn, SSSD_DOMAIN_SEPARATOR);
+ if (pos == NULL) {
+ return false;
+ }
+
+ return (strcasecmp(pos + 1, domain_name) == 0);
+}
+
 static char *get_short_name(const char *fqdn, const char *domain_name)
 {
 const char *pos = strrchr(fqdn, SSSD_DOMAIN_SEPARATOR);
@@ -894,6 +905,10 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
 }
 goto done;
 }
+ if (!verify_domain(pwd.pw_name, domain_name)) {
+ ret = LDAP_NO_SUCH_OBJECT;
+ goto done;
+ }
 if (request_type == REQ_FULL_WITH_GROUPS) {
 ret = sss_nss_getorigbyusername_timeout(pwd.pw_name, get_timeout(ctx),
@@ -973,6 +988,10 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx,
 }
 goto done;
 }
+ if (!verify_domain(grp.gr_name, domain_name)) {
+ ret = LDAP_NO_SUCH_OBJECT;
+ goto done;
+ }
 if (request_type == REQ_FULL_WITH_GROUPS) {
 ret = sss_nss_getorigbygroupname_timeout(grp.gr_name, get_timeout(ctx),
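Review bot: verify_domain in the @@ -526 hunk carries no comment and re-derives the domain suffix with the same strrchr(fqdn, SSSD_DOMAIN_SEPARATOR) split that get_short_name performs right below it; if the two ever compare differently (verify_domain is case-insensitive through strcasecmp, get_short_name's comparison lies outside the hunk), a name can pass one check and fail the other. A header comment such as `/* True when the text after the last SSSD_DOMAIN_SEPARATOR in fqdn equals domain_name case-insensitively; false when fqdn carries no domain part. */` states the contract, and letting get_short_name call verify_domain would keep a single definition of "same domain". Both callers pass a name filled in by the get*_r wrappers, so fqdn is non-NULL, but nothing guards domain_name; if the request decoder can leave it NULL for any request type, strcasecmp would dereference it, and `if (fqdn == NULL || domain_name == NULL) return false;` costs nothing.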
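Review bot: The early return added to handle_uid_request (@@ -894) answers LDAP_NO_SUCH_OBJECT without recording why, so an object that SSSD resolved in a domain other than the one requested is indistinguishable in the server log from a plain miss; the identical blocks in handle_gid_request (@@ -973), handle_username_request (@@ -1275) and handle_groupname_request (@@ -1365) have the same gap. A one-line comment before each check, e.g. `/* Resolved in another domain: reject before the expensive sss_nss_getorigby* round-trip. */`, captures the intent the commit message gives, and reporting the mismatch through the file's existing error-message path (with the requested domain_name and the returned name) would make such mismatches diagnosable whatever their cause. Note also that the check changes the reply for a name with no domain separator at all, since verify_domain returns false for it; whether the wrappers can return such a name is not visible here and is worth confirming before release. All four enclosing functions start and end outside their hunks.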
@@ -1275,6 +1294,10 @@ static int handle_username_request(struct ipa_extdom_ctx *ctx,
 ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len);
 switch(ret) {
 case 0:
+ if (!verify_domain(pwd.pw_name, domain_name)) {
+ ret = LDAP_NO_SUCH_OBJECT;
+ goto done;
+ }
 if (request_type == REQ_FULL_WITH_GROUPS) {
 ret = sss_nss_getorigbyusername_timeout(pwd.pw_name, get_timeout(ctx),
@@ -1365,6 +1388,10 @@ static int handle_groupname_request(struct ipa_extdom_ctx *ctx,
 }
 goto done;
 }
+ if (!verify_domain(grp.gr_name, domain_name)) {
+ ret = LDAP_NO_SUCH_OBJECT;
+ goto done;
+ }
 if (request_type == REQ_FULL_WITH_GROUPS) {
 ret = sss_nss_getorigbygroupname_timeout(grp.gr_name, get_timeout(ctx),