ipa: filter DNs for ipa_add_trusted_memberships_send()

[sumit-bose]

The ipa_add_trusted_memberships_send() request will use groups_get_send() to lookup missing groups. groups_get_send() can currently only lookup "proper" groups which besides other items means that the group name must be stored under the LDAP attribute given by the 'ldap_group_name' option. So currently it does not make sense to try to lookup other objects where the RDN attribute name is different than this value because those will always be treated as missing in the cache and always trigger an LDAP search which will fail. This will typically happen for iPAAssociation objects which are used to connect users and hosts with HBAC and sudo rules. If in future a more generic search is used this filter can be removed.

[gemini-code-assist]

Code Review

This pull request introduces a filter to ipa_add_trusted_memberships_send to process only 'proper' group DNs, avoiding unnecessary and failing LDAP lookups for other object types. The implementation adds a new function filter_groups_by_attribute_name. My review has identified a couple of critical issues in this new function, including a potential buffer over-read and incorrect memory context usage in talloc. I've also suggested a minor refactoring to remove an unused parameter.

[sumit-bose]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a filtering mechanism for group Distinguished Names (DNs) within ipa_add_trusted_memberships_send(). The purpose is to prevent unnecessary and failing LDAP lookups for objects that are not standard groups, such as iPAAssociation objects used for HBAC and sudo rules. This is achieved by adding a new static function, filter_groups_by_attribute_name, which filters a list of DNs to include only those with a specific RDN attribute name (configured via ldap_group_name). The implementation is clean, well-commented, and appears to correctly solve the issue described. After a thorough review, I have not identified any issues of high or critical severity.

[sumit-bose]

Hi @alexey-tikhonov,

I tired to address you review comments form #8094 about the filtering and tried to avoid memory allocations as much as possible.

I didn't move the filtering closer to the point where the list is actually used because the first usage of the list is in diff_string_lists() where a shorter list would already help to improve the performance.

bye,
Sumit

[alexey-tikhonov]

Note: Covscan is green.

[alexey-tikhonov]

@sumit-bose, could you please rebase?
@thalman, could you please take a look? Patch isn't too big.

[sumit-bose]

@sumit-bose, could you please rebase?

done

[thalman]

LGTM, thanks

[alexey-tikhonov]

CI failures not related.

[sssd-bot]

The pull request was accepted by @alexey-tikhonov with the following PR CI status:

---

🟢 CodeFactor (success)
🟢 CodeQL (success)
NEUTRAL osh-diff-scan:fedora-rawhide-x86_64:upstream (neutral)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-41-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-41) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / prepare (success)
🔴 ci / system (centos-10) (failure)
🟢 ci / system (fedora-41) (success)
🟢 ci / system (fedora-42) (success)
⚪ ci / system (fedora-43) (cancelled)
🟢 ci / system (fedora-44) (success)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.