From: Stefan Metzmacher Date: Thu, 9 Feb 2023 14:04:26 +0000 (+0100) Subject: s4:dsdb/extended_dn_out: hide backlinks with DSDB_RMD_FLAG_HIDDEN_BL by default X-Git-Tag: talloc-2.4.1~1288 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7ef43cead4ddab85e96b176c7c9123c28a033d2;p=thirdparty%2Fsamba.git s4:dsdb/extended_dn_out: hide backlinks with DSDB_RMD_FLAG_HIDDEN_BL by default Backlinks which are not allowed by the schema are hidden by default, so we already set DSDB_RMD_FLAG_HIDDEN_BL on store, so we have a cheap way to hide the backlinks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Mar 23 08:19:20 UTC 2023 on atb-devel-224 --- diff --git a/selftest/knownfail.d/invisible_backlink b/selftest/knownfail.d/invisible_backlink deleted file mode 100644 index 36ec6f3f0da..00000000000 --- a/selftest/knownfail.d/invisible_backlink +++ /dev/null @@ -1 +0,0 @@ -^samba4.ldap.linked_attributes.python.*.LATests.test_la_invisible_backlink diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c index 300c926992b..a8b4437354c 100644 --- a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c @@ -303,6 +303,7 @@ static int extended_callback(struct ldb_request *req, struct ldb_reply *ares) * interpret the list with) */ for (i = 0; ac->schema && i < msg->num_elements; i++) { bool make_extended_dn; + bool bl_requested = true; const struct dsdb_attribute *attribute; attribute = dsdb_attribute_by_lDAPDisplayName(ac->schema, msg->elements[i].name); 
@@ -338,6 +339,20 @@ static int extended_callback(struct ldb_request *req, struct ldb_reply *ares) make_extended_dn = (strcmp(attribute->syntax->ldap_oid, DSDB_SYNTAX_OR_NAME) != 0); } + if (attribute->linkID & 1 && + attribute->bl_maybe_invisible && + !have_reveal_control) + { + const char * const *attrs = ac->req->op.search.attrs; + + if (attrs != NULL) { + bl_requested = is_attr_in_list(attrs, + attribute->lDAPDisplayName); + } else { + bl_requested = false; + } + } + for (k = 0, j = 0; j < msg->elements[i].num_values; j++) { const char *dn_str; struct ldb_dn *dn; @@ -356,7 +371,15 @@ static int extended_callback(struct ldb_request *req, struct ldb_reply *ares) /* we won't keep this one, so not incrementing k */ continue; } - + if (rmd_flags & DSDB_RMD_FLAG_HIDDEN_BL && !bl_requested) { + /* + * Hidden backlinks are not revealed unless + * requested. + * + * we won't keep this one, so not incrementing k + */ + continue; + } dsdb_dn = dsdb_dn_parse_trusted(msg, ldb, plain_dn, attribute->syntax->ldap_oid);
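Review bot: The new `if` block in extended_callback() decides whether a hidden backlink is shown purely from the client's own attribute list (`ac->req->op.search.attrs`), so it is a default-view filter and not an access check. A comment above the block should say so, for example `/* Presentation filter only: a client that names the backlink attribute still gets its values; not a confidentiality control. */`. How `is_attr_in_list()` treats `*`, or an attribute named with options, is not visible in this hunk and is worth confirming against the intended behaviour. For readability I would also parenthesise the bit test, `if ((attribute->linkID & 1) &&`, and likewise `(rmd_flags & DSDB_RMD_FLAG_HIDDEN_BL)` in the last hunk. The enclosing function starts and ends outside this hunk.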
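Review bot: The new skip in the value loop only fires for values whose `rmd_flags` carry `DSDB_RMD_FLAG_HIDDEN_BL`, so it depends entirely on the flag having been written when the link was stored. The commit message says only that the flag is set on store, so if a database can hold backlink values written without it, those values would still be returned by default. I would record that in the comment, for example `* Relies on DSDB_RMD_FLAG_HIDDEN_BL being set at store time; unflagged values are kept.`. The comment could also mention that `bl_requested` stays true when `have_reveal_control` is set, since that is decided in the earlier hunk and is not obvious at this point. The loop body continues outside this hunk.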