>From 4438b336dbb9333b3b056010daa8a58eab0aef17 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 27 Mar 2015 12:30:53 +0100
Subject: [PATCH 2/5] ncache: Silence critical error from filter_users when default_domain_suffix is set

When default_domain_suffix is used and filter_users is set (at least root is always, by default), SSSD tried to add the negcache entry to the default domain. But since the default domain is not known after start up, adding the entries fail with a verbose error message. This patch handles EAGAIN returned from the parsing function while setting negcache entries gracefully and also makes the debug message in parsing function more precise.
---
 src/responder/common/negcache.c | 18 ++++++--
 src/tests/cmocka/test_negcache.c | 88 ++++++++++++++++++++++++++++++++++++++--
 src/util/usertools.c | 3 +-
 3 files changed, 101 insertions(+), 8 deletions(-)

diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 04c9a53f556497173daf1ef9c562896cb2d5bbc9..3e58c3e7f3888992069dc573ae458e0da641dc7b 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -630,7 +630,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 rctx->default_domain, filter_list[i], &domainname, &name);
- if (ret != EOK) {
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "cannot add [%s] to negcache because the required or "
+ "default domain are not known yet\n", filter_list[i]);
+ } else if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Invalid name in filterUsers list: [%s] (%d)\n", filter_list[i], ret);
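Review bot: The new `ret == EAGAIN` branch only logs, so unlike a parse error it leaves the if/else chain and carries on with whatever `domainname` and `name` the parser left behind. The statements after the `DEBUG(SSSDBG_CRIT_FAILURE, ...)` call are outside the hunk, so it cannot be confirmed from here that the entry is then skipped safely; if that block ends in `continue;`, the EAGAIN branch should end in `continue;` as well rather than depend on later checks. The same applies to the hunks at -679 and -783. The message here also starts with lowercase `cannot` while the other two use `Cannot`.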
@@ -679,7 +683,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 ret = sss_parse_name_for_domains(tmpctx, domain_list, rctx->default_domain, filter_list[i], &domainname, &name);
- if (ret != EOK) {
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot add [%s] to negcache because the required or "
+ "default domain are not known yet\n", filter_list[i]);
+ } else if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Invalid name in filterUsers list: [%s] (%d)\n", filter_list[i], ret);
@@ -783,7 +791,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 ret = sss_parse_name_for_domains(tmpctx, domain_list, rctx->default_domain, filter_list[i], &domainname, &name);
- if (ret != EOK) {
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot add [%s] to negcache because the required or "
+ "default domain are not known yet\n", filter_list[i]);
+ } else if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Invalid name in filterGroups list: [%s] (%d)\n", filter_list[i], ret);
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index 4502c0294e772b15bf230d485e02c40e2ffbf2d6..cab457434a1195d14c6a83b09b8dc8e309902500 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -590,8 +590,8 @@ static void test_sss_ncache_prepopulate(void **state)
 struct sss_domain_info *dom;
 struct sss_test_conf_param params[] = {
- { "filter_users", "testuser1" },
- { "filter_groups", "testgroup1" },
+ { "filter_users", "testuser1, testuser2@"TEST_DOM_NAME", testuser3@somedomain" },
+ { "filter_groups", "testgroup1, testgroup2@"TEST_DOM_NAME", testgroup3@somedomain" },
 { NULL, NULL },
 };
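Review bot: In the negcache.c hunks at -679 and -783 (and at -630) a filtered name whose domain is not yet known is left out of the negative cache, and nothing in this diff shows a later pass that adds it once the domain becomes known. Since `filter_users` and `filter_groups` exist to keep names such as root from being served out of the sss database, a skipped entry deserves more than `SSSDBG_MINOR_FAILURE` unless a retry exists. If one does, name it in a comment above the branch, e.g. `/* not fatal: entry is added later by <retry path> */`; if none does, the log text should say the name stays unfiltered.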
@@ -628,6 +628,86 @@ static void test_sss_ncache_prepopulate(void **state)
 ret = sss_ncache_check_group(ncache, 1, dom, "testgroup1");
 assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_user(ncache, 1, dom, "testuser2");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_group(ncache, 1, dom, "testgroup2");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_user(ncache, 1, dom, "testuser3");
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_ncache_check_group(ncache, 1, dom, "testgroup3");
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_ncache_check_user(ncache, 1, dom, "testuser3@somedomain");
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_ncache_check_group(ncache, 1, dom, "testgroup3@somedomain");
+ assert_int_equal(ret, ENOENT);
+}
+
+static void test_sss_ncache_default_domain_suffix(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ struct tevent_context *ev;
+ struct sss_nc_ctx *ncache;
+ struct sss_test_ctx *tc;
+ struct sss_domain_info *dom;
+
+ struct sss_test_conf_param params[] = {
+ { "filter_users", "testuser1, testuser2@"TEST_DOM_NAME", testuser3@somedomain" },
+ { "filter_groups", "testgroup1, testgroup2@"TEST_DOM_NAME", testgroup3@somedomain" },
+ { NULL, NULL },
+ };
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ev = tevent_context_init(ts);
+ assert_non_null(ev);
+
+ dom = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ ts->nctx = mock_nctx(ts);
+ assert_non_null(ts->nctx);
+
+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
+ assert_non_null(tc);
+
+ ncache = ts->ctx;
+ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
+ assert_non_null(ts->rctx);
+ ts->rctx->default_domain = discard_const(TEST_DOM_NAME);
+
+ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_prepopulate(ncache, tc->confdb, ts->rctx);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_user(ncache, 1, dom, "testuser1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_group(ncache, 1, dom, "testgroup1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_user(ncache, 1, dom, "testuser2");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_group(ncache, 1, dom, "testgroup2");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_user(ncache, 1, dom, "testuser3");
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_ncache_check_group(ncache, 1, dom, "testgroup3");
+ assert_int_equal(ret, ENOENT);
+
 }
 int main(void)
@@ -648,7 +728,9 @@ int main(void)
 cmocka_unit_test_setup_teardown(test_sss_ncache_reset_permanent, setup, teardown),
 cmocka_unit_test_setup_teardown(test_sss_ncache_prepopulate,
- setup, teardown)
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_default_domain_suffix,
+ setup, teardown),
 };
 tests_set_cwd();
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 439c1494ae5f4c8c46a7e36ad7c8af627ef83cdf..c43d420e31c6c690628ef6179d932eaf99826fee 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -481,8 +481,7 @@ int sss_parse_name_for_domains(TALLOC_CTX *memctx,
 }
 if (match == NULL) {
 DEBUG(SSSDBG_FUNC_DATA, "default domain [%s] is currently " \
- "not known, trying to look it up.\n",
- rdomain);
+ "not known\n", rdomain);
 *domain = talloc_steal(memctx, rdomain);
 ret = EAGAIN;
 goto done;
-- 
2.1.0
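Review bot: test_sss_ncache_default_domain_suffix sets `ts->rctx->default_domain` to `TEST_DOM_NAME`, the same name given to `dom`, so the default domain looks resolvable and the only EAGAIN path exercised is the explicit `@somedomain` entries, which test_sss_ncache_prepopulate already covers. The case from the commit message, an unqualified name with a default domain that is not in the domain list, has no assertion. A variant using `ts->rctx->default_domain = discard_const("unknowndomain");` (a made-up name) that expects `sss_ncache_prepopulate` to return EOK and `testuser1` to be ENOENT would pin it, assuming mock_rctx exposes only `dom`, which is not visible here. The blank `+` line before the closing brace can also go.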
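Review bot: In the usertools.c hunk the EAGAIN path hands `rdomain` to the caller through `*domain`, but the visible lines do not set `*name`, and the negcache.c changes in this patch appear to let the caller keep going after EAGAIN. The function starts and ends outside the hunk, so `*name` may be assigned earlier. Either way the output state on EAGAIN deserves a line in the function's comment, e.g. `EAGAIN: domain not known yet; *domain is set, *name is <set/unset>`.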