From 87a0027c7dbc54422ac519ef8eef0323baff4b60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 19 Feb 2018 12:43:06 +0100
Subject: [PATCH] SDAP: Add sdap_handle_id_collision_for_incomplete_groups()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This newly added function is a helper to properly handle group
id-collisions when renaming incomplete groups, and it does:
- Deletes the group from sysdb
- Adds the new incomplete group
- Notifies the NSS responder that the entry also has to be deleted from
  the memory cache

This function will be called from
sdap_ad_save_group_membership_with_idmapping() and from
sdap_add_incomplete_groups().

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a537df2ea99acb0181dc360ddf9a60b69c16faf0)
---
 src/providers/ldap/sdap_async.h            | 11 ++++++++++
 src/providers/ldap/sdap_async_initgroups.c | 34 ++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 40da81fb9..6ca3ed8d8 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -412,4 +412,15 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
 errno_t
 sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req);
 
+errno_t
+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp,
+                                               struct sss_domain_info *domain,
+                                               const char *name,
+                                               gid_t gid,
+                                               const char *original_dn,
+                                               const char *sid_str,
+                                               const char *uuid,
+                                               bool posix,
+                                               time_t now);
+
 #endif /* _SDAP_ASYNC_H_ */
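Review bot: The new public declaration of sdap_handle_id_collision_for_incomplete_groups() carries no comment, so a caller cannot tell from the header that it is destructive: it removes whatever group currently owns `gid` from the sysdb before adding the new incomplete one, and on success also asks the NSS responder to drop the entry from its memory cache. A three-line header comment would capture this: `/* Resolve a gid collision by deleting the sysdb group that owns @gid, adding @name as a new incomplete group with the same gid and invalidating the gid in the NSS memory cache. Returns EOK on success; on failure the old group may already be gone. */`. The return-value contract in particular matters because the failure of the second step leaves the sysdb without either group.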
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 326294a1c..34747be59 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -3543,3 +3543,37 @@ errno_t get_sysdb_grouplist_dn(TALLOC_CTX *mem_ctx,
     return get_sysdb_grouplist_ex(mem_ctx, sysdb, domain,
                                   name, grouplist, true);
 }
+
+errno_t
+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp,
+                                               struct sss_domain_info *domain,
+                                               const char *name,
+                                               gid_t gid,
+                                               const char *original_dn,
+                                               const char *sid_str,
+                                               const char *uuid,
+                                               bool posix,
+                                               time_t now)
+{
+    errno_t ret;
+
+    ret = sysdb_delete_group(domain, NULL, gid);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "Due to an id collision, the new group with gid [\"%"PRIu32"\"] "
+              "will not be added as the old group (with the same gid) could "
+              "not be removed from the sysdb!",
+              gid);
+        return ret;
+    }
+
+    ret = sysdb_add_incomplete_group(domain, name, gid, original_dn, sid_str,
+                                     uuid, posix, now);
+    if (ret != EOK) {
+        return ret;
+    }
+
+    dp_sbus_invalidate_group_memcache(dp, gid);
+
+    return EOK;
+}
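Review bot: dp_sbus_invalidate_group_memcache() is only reached when sysdb_add_incomplete_group() succeeds, but the old group has already been removed by sysdb_delete_group() a few lines earlier, so the early `return ret;` after the failed add leaves the NSS memory cache still serving a group that no longer exists in the sysdb. Moving `dp_sbus_invalidate_group_memcache(dp, gid);` to directly after the delete's `if (ret != EOK)` block keeps the memcache consistent with the sysdb on both paths. The add-failure branch also returns silently while the delete-failure branch logs at SSSDBG_MINOR_FAILURE; a matching DEBUG line stating that the old group was removed but the new incomplete group could not be added would make the resulting "group missing" state diagnosable.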
-- 
2.14.3