From d30966807cbf280b982b32f3b27f597b2af0ce32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Tue, 22 Nov 2011 11:27:08 +0100 Subject: [PATCH 2/3] sss_ldap_dn_in_search_bases - corrected behaviour --- src/util/sss_ldap.c | 111 +++++++++++++++++++++++++++++++-------------------- 1 files changed, 67 insertions(+), 44 deletions(-) diff --git a/src/util/sss_ldap.c b/src/util/sss_ldap.c index 118190a..5cb410f 100644 --- a/src/util/sss_ldap.c +++ b/src/util/sss_ldap.c @@ -479,6 +479,10 @@ int sss_ldap_init_recv(struct tevent_req *req, LDAP **ldap, int *sd) return EOK; } +/* + * _filter will contain combined filters from all possible search bases + * or NULL if it should be empty + */ bool sss_ldap_dn_in_search_bases(TALLOC_CTX *mem_ctx, const char *dn, struct sdap_search_base **search_bases, @@ -496,24 +500,16 @@ bool sss_ldap_dn_in_search_bases(TALLOC_CTX *mem_ctx, if (dn == NULL) { DEBUG(SSSDBG_FUNC_DATA, ("dn is NULL")); - return false; + goto fail; } if (search_bases == NULL) { DEBUG(SSSDBG_FUNC_DATA, ("search_bases is NULL")); - return false; - } - - if (_filter != NULL) { - filter = talloc_strdup(mem_ctx, "(|"); - if (filter == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup() failed\n")); - return false; - } + goto fail; } dn_len = strlen(dn); - for (i = 0; search_bases[i]; i++) { + for (i = 0; search_bases[i] != NULL; i++) { base = search_bases[i]; basedn_len = strlen(base->basedn); 
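Review bot: The new comment above sss_ldap_dn_in_search_bases() does not say that `*_filter` is also set to NULL on the `fail` path (visible in the last hunk), so a caller that inspects only `*_filter` cannot tell "no filter applies" from an error. I would add `* On failure the function returns false and *_filter is NULL; check the return value before treating NULL as "no filter".` A second line should state that a non-NULL result is allocated on `mem_ctx`, as the `talloc_asprintf(mem_ctx, ...)` call later in the patch shows. The function body starts in this hunk and continues outside it.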
@@ -522,21 +518,32 @@ bool sss_ldap_dn_in_search_bases(TALLOC_CTX *mem_ctx, } len_diff = dn_len - basedn_len; - base_confirmed = (strcasecmp(&dn[len_diff], base->basedn) == 0); + base_confirmed = (strncasecmp(&dn[len_diff], base->basedn, basedn_len) == 0); if (!base_confirmed) { continue; } - if (base->scope == LDAP_SCOPE_BASE && len_diff == 0) { - if (filter && base->filter) { - filter = talloc_asprintf_append(filter, "%s", base->filter); - if (filter == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_asprintf_append() failed\n")); - return false; + /* + * base: dc=example,dc=com + * dn: somedc=example,dc=com + * dn: some\,dc=example,dc=com + */ + if (len_diff != 0) { + if (len_diff >= 1 && dn[len_diff - 1] != ',') { + if (len_diff >= 2 && dn[len_diff - 2] == '\\') { + continue; } } - ret = true; - } else if (base->scope == LDAP_SCOPE_ONELEVEL) { + } + + switch (base->scope) { + case LDAP_SCOPE_BASE: + /* dn > base? */ + if (len_diff != 0) { + continue; + } + break; + case LDAP_SCOPE_ONELEVEL: if (len_diff == 0) { /* Base object doesn't belong to scope=one * search */ @@ -544,7 +551,7 @@ bool sss_ldap_dn_in_search_bases(TALLOC_CTX *mem_ctx, } comma_found = false; - for (j = 0; j < len_diff; j++) { + for (j = 0; j < len_diff - 1; j++) { /* ignore comma before base */ if (dn[j] == '\\') { backslash_found = true; } else if (dn[j] == ',' && !backslash_found) { 
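Review bot: The boundary check added after `base_confirmed` never rejects the two cases its own comment lists. When `dn[len_diff - 1]` is not a comma, the code continues only if the character before it is a backslash, and when the comma is escaped the outer `!= ','` test is false, so both `somedc=example,dc=com` and `some\,dc=example,dc=com` are still treated as lying under `dc=example,dc=com`. Because the return value decides whether an entry belongs to a configured search base, the condition should skip anything that is not a plain separator: `if (len_diff != 0 && (dn[len_diff - 1] != ',' || (len_diff >= 2 && dn[len_diff - 2] == '\\'))) { continue; }`. The enclosing `for` loop starts and ends outside this hunk.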
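Review bot: In the one-level scan, `if (dn[j] == '\\') { backslash_found = true; }` sets the flag for every backslash, so the second backslash of an escaped pair also marks the following comma as escaped and a real RDN separator can be skipped. A DN more than one level below the base could then pass the LDAP_SCOPE_ONELEVEL test. Toggling the flag, `backslash_found = !backslash_found;`, handles the pair, assuming the rest of the loop (outside this hunk) clears the flag on ordinary characters. The new bound `j < len_diff - 1` also relies on the `len_diff == 0` guard just above it, which deserves a short comment if `len_diff` is unsigned; its declaration is not visible here.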
@@ -555,37 +562,53 @@ bool sss_ldap_dn_in_search_bases(TALLOC_CTX *mem_ctx, } } - if (!comma_found) { - if (filter && base->filter) { - filter = talloc_asprintf_append(filter, "%s", base->filter); - if (filter == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_asprintf_append() failed\n")); - return false; - } - } - ret = true; + /* it has at least one more level */ + if (comma_found) { + continue; } - } else { - if (filter && base->filter) { - filter = talloc_asprintf_append(filter, "%s", base->filter); - if (filter == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_asprintf_append() failed\n")); - return false; - } + + break; + case LDAP_SCOPE_SUBTREE: + /* dn length >= base dn length && base_confirmed == true */ + break; + default: + DEBUG(SSSDBG_FUNC_DATA, ("Unsupported scope: %d\n", base->scope)); + continue; + } + + /* if we get here, the dn is valid, append filter if any */ + if (_filter != NULL && base->filter != NULL) { + filter = talloc_strdup_append(filter, base->filter); + if (filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup_append() failed\n")); + goto fail; } - ret = true; } + + ret = true; } - if (filter) { - filter = talloc_asprintf_append(filter, ")"); - if (filter == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_asprintf_append() failed\n")); - return false; + if (_filter != NULL) { + if (filter != NULL) { + *_filter = talloc_asprintf(mem_ctx, "(|%s)", filter); + if (filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_asprintf_append() failed\n")); + goto fail; + } + } else { + *_filter = NULL; } + } - *_filter = filter; + goto done; + +fail: + if (_filter != NULL) { + *_filter = NULL; } + ret = false; +done: + talloc_free(filter); return ret; } -- 1.7.6.4
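Review bot: The allocation check after `*_filter = talloc_asprintf(mem_ctx, "(|%s)", filter);` tests `filter`, which is known to be non-NULL in that branch, so a failed talloc_asprintf() is never detected. The function would then return `true` with `*_filter == NULL`, which the header comment defines as an empty filter, and the per-base filters would be dropped silently. The test should be `if (*_filter == NULL) {`, and the debug message should name `talloc_asprintf()` rather than `talloc_asprintf_append()`. Separately, `filter = talloc_strdup_append(filter, base->filter);` overwrites `filter` with NULL on failure, so the string built so far appears not to be released by `talloc_free(filter)` at `done`; holding the result in a temporary would avoid that.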