summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2010-03-01 23:41:26 -0500
committerStephen Gallagher <sgallagh@redhat.com>2010-04-12 09:22:13 -0400
commitbb0b6b4e39242577f60729fbcbd9e46e7a7af30d (patch)
tree487a6658ff978c56022e7ea5e924d93335e70013
parent02a9d8a40dc3a5fd671ede0e4fa7dac5178fbc75 (diff)
downloadsssd-bb0b6b4e39242577f60729fbcbd9e46e7a7af30d.tar.gz
sssd-bb0b6b4e39242577f60729fbcbd9e46e7a7af30d.tar.bz2
sssd-bb0b6b4e39242577f60729fbcbd9e46e7a7af30d.zip
sysdb: convert sysdb_cache_password
-rw-r--r--src/db/sysdb.h14
-rw-r--r--src/db/sysdb_ops.c126
-rw-r--r--src/providers/krb5/krb5_auth.c37
-rw-r--r--src/providers/ldap/ldap_auth.c43
-rw-r--r--src/providers/proxy.c37
-rw-r--r--src/tests/sysdb-tests.c14
6 files changed, 62 insertions, 209 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 29dac35d..baa98904 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -495,15 +495,11 @@ int sysdb_remove_group_member(TALLOC_CTX *mem_ctx,
* If you are not in a transaction pass NULL in handle and provide sysdb,
* in this case a transaction will be automatically started and the
* function will be completely wrapped in it's own sysdb transaction */
-struct tevent_req *sysdb_cache_password_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct sysdb_ctx *sysdb,
- struct sysdb_handle *handle,
- struct sss_domain_info *domain,
- const char *username,
- const char *password);
-int sysdb_cache_password_recv(struct tevent_req *req);
-
+int sysdb_cache_password(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ const char *username,
+ const char *password);
errno_t check_failed_login_attempts(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
struct ldb_message *ldb_msg,
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index cdbe9aaf..0ea22f1e 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1390,140 +1390,66 @@ int sysdb_remove_group_member(TALLOC_CTX *mem_ctx,
/* =Password-Caching====================================================== */
-struct sysdb_cache_pw_state {
- struct tevent_context *ev;
- struct sss_domain_info *domain;
-
- const char *username;
- struct sysdb_attrs *attrs;
-
- struct sysdb_handle *handle;
- bool commit;
-};
-
-static void sysdb_cache_password_trans(struct tevent_req *subreq);
-
-struct tevent_req *sysdb_cache_password_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct sysdb_ctx *sysdb,
- struct sysdb_handle *handle,
- struct sss_domain_info *domain,
- const char *username,
- const char *password)
+int sysdb_cache_password(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ const char *username,
+ const char *password)
{
- struct tevent_req *req, *subreq;
- struct sysdb_cache_pw_state *state;
+ TALLOC_CTX *tmpctx;
+ struct sysdb_attrs *attrs;
char *hash = NULL;
char *salt;
int ret;
- req = tevent_req_create(mem_ctx, &state, struct sysdb_cache_pw_state);
- if (!req) return NULL;
-
- state->ev = ev;
- state->domain = domain;
- state->username = username;
+ tmpctx = talloc_new(mem_ctx);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
- ret = s3crypt_gen_salt(state, &salt);
+ ret = s3crypt_gen_salt(tmpctx, &salt);
if (ret) {
DEBUG(4, ("Failed to generate random salt.\n"));
goto fail;
}
- ret = s3crypt_sha512(state, password, salt, &hash);
+ ret = s3crypt_sha512(tmpctx, password, salt, &hash);
if (ret) {
DEBUG(4, ("Failed to create password hash.\n"));
goto fail;
}
- state->attrs = sysdb_new_attrs(state);
- if (!state->attrs) {
+ attrs = sysdb_new_attrs(tmpctx);
+ if (!attrs) {
ERROR_OUT(ret, ENOMEM, fail);
}
- ret = sysdb_attrs_add_string(state->attrs, SYSDB_CACHEDPWD, hash);
+ ret = sysdb_attrs_add_string(attrs, SYSDB_CACHEDPWD, hash);
if (ret) goto fail;
/* FIXME: should we use a different attribute for chache passwords ?? */
- ret = sysdb_attrs_add_long(state->attrs, "lastCachedPasswordChange",
+ ret = sysdb_attrs_add_long(attrs, "lastCachedPasswordChange",
(long)time(NULL));
if (ret) goto fail;
- ret = sysdb_attrs_add_uint32(state->attrs, SYSDB_FAILED_LOGIN_ATTEMPTS, 0U);
+ ret = sysdb_attrs_add_uint32(attrs, SYSDB_FAILED_LOGIN_ATTEMPTS, 0U);
if (ret) goto fail;
- state->handle = NULL;
-
- if (handle) {
- state->handle = handle;
- state->commit = false;
-
- ret = sysdb_set_user_attr(state, state->handle->ctx,
- state->domain, state->username,
- state->attrs, SYSDB_MOD_REP);
- if (ret) {
- goto fail;
- }
- tevent_req_done(req);
- tevent_req_post(req, ev);
-
- } else {
- state->commit = true;
- subreq = sysdb_transaction_send(state, state->ev, sysdb);
- if (!subreq) {
- ret = ENOMEM;
- goto fail;
- }
- tevent_req_set_callback(subreq, sysdb_cache_password_trans, req);
+ ret = sysdb_set_user_attr(tmpctx, sysdb,
+ domain, username, attrs, SYSDB_MOD_REP);
+ if (ret) {
+ goto fail;
}
-
- return req;
+ talloc_zfree(tmpctx);
+ return EOK;
fail:
- DEBUG(6, ("Error: %d (%s)\n", ret, strerror(ret)));
- tevent_req_error(req, ret);
- tevent_req_post(req, ev);
- return req;
-}
-
-static void sysdb_cache_password_trans(struct tevent_req *subreq)
-{
- struct tevent_req *req = tevent_req_callback_data(subreq,
- struct tevent_req);
- struct sysdb_cache_pw_state *state = tevent_req_data(req,
- struct sysdb_cache_pw_state);
- int ret;
-
- ret = sysdb_transaction_recv(subreq, state, &state->handle);
- talloc_zfree(subreq);
if (ret) {
DEBUG(6, ("Error: %d (%s)\n", ret, strerror(ret)));
- tevent_req_error(req, ret);
- return;
}
-
- ret = sysdb_set_user_attr(state, state->handle->ctx,
- state->domain, state->username,
- state->attrs, SYSDB_MOD_REP);
- if (ret) {
- tevent_req_error(req, ret);
- return;
- }
-
- subreq = sysdb_transaction_commit_send(state, state->ev,
- state->handle);
- if (!subreq) {
- DEBUG(6, ("Error: Out of memory\n"));
- tevent_req_error(req, ENOMEM);
- return;
- }
- tevent_req_set_callback(subreq, sysdb_transaction_complete, req);
-}
-
-int sysdb_cache_password_recv(struct tevent_req *req)
-{
- return sysdb_op_default_recv(req);
+ talloc_zfree(tmpctx);
+ return ret;
}
/* = sysdb_check_handle ================== */
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 6b1f54d6..57ce673c 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -662,7 +662,6 @@ static void krb5_resolve_kpasswd_done(struct tevent_req *req);
static void krb5_find_ccache_step(struct krb5child_req *kr);
static void krb5_save_ccname_done(struct tevent_req *req);
static void krb5_child_done(struct tevent_req *req);
-static void krb5_pam_handler_cache_done(struct tevent_req *treq);
void krb5_pam_handler(struct be_req *be_req)
{
@@ -1189,7 +1188,8 @@ static void krb5_save_ccname_done(struct tevent_req *req)
if (be_req->be_ctx->domain->cache_credentials == TRUE) {
/* password caching failures are not fatal errors */
- pd->pam_status = PAM_SUCCESS;
+ pam_status = PAM_SUCCESS;
+ dp_err = DP_ERR_OK;
switch(pd->cmd) {
case SSS_PAM_AUTHENTICATE:
@@ -1218,16 +1218,13 @@ static void krb5_save_ccname_done(struct tevent_req *req)
talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
- req = sysdb_cache_password_send(be_req, be_req->be_ctx->ev,
- be_req->be_ctx->sysdb, NULL,
- be_req->be_ctx->domain, pd->user,
- password);
- if (req == NULL) {
- DEBUG(2, ("cache_password_send failed, offline auth may not work.\n"));
- goto failed;
+ ret = sysdb_cache_password(be_req, be_req->be_ctx->sysdb,
+ be_req->be_ctx->domain, pd->user,
+ password);
+ if (ret) {
+ DEBUG(2, ("Failed to cache password, offline auth may not work."
+ " (%d)[%s]!?\n", ret, strerror(ret)));
}
- tevent_req_set_callback(req, krb5_pam_handler_cache_done, be_req);
- return;
}
pam_status = PAM_SUCCESS;
@@ -1240,24 +1237,6 @@ failed:
krb_reply(be_req, dp_err, pd->pam_status);
}
-static void krb5_pam_handler_cache_done(struct tevent_req *subreq)
-{
- struct be_req *be_req = tevent_req_callback_data(subreq, struct be_req);
- int ret;
-
- /* password caching failures are not fatal errors */
- ret = sysdb_cache_password_recv(subreq);
- talloc_zfree(subreq);
-
- /* so we just log it any return */
- if (ret) {
- DEBUG(2, ("Failed to cache password (%d)[%s]!?\n",
- ret, strerror(ret)));
- }
-
- krb_reply(be_req, DP_ERR_OK, PAM_SUCCESS);
-}
-
static void krb_reply(struct be_req *req, int dp_err, int result)
{
req->fn(req, dp_err, result, NULL);
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index c78f5031..7eabd6cf 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -899,7 +899,6 @@ struct sdap_pam_auth_state {
};
static void sdap_pam_auth_done(struct tevent_req *req);
-static void sdap_password_cache_done(struct tevent_req *req);
void sdap_pam_auth_handler(struct be_req *breq)
{
@@ -965,7 +964,6 @@ static void sdap_pam_auth_done(struct tevent_req *req)
{
struct sdap_pam_auth_state *state =
tevent_req_callback_data(req, struct sdap_pam_auth_state);
- struct tevent_req *subreq;
enum sdap_result result;
enum pwexpire pw_expire_type;
void *pw_expire_data;
@@ -1059,45 +1057,26 @@ static void sdap_pam_auth_done(struct tevent_req *req)
}
talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
- subreq = sysdb_cache_password_send(state,
- state->breq->be_ctx->ev,
- state->breq->be_ctx->sysdb,
- NULL,
- state->breq->be_ctx->domain,
- state->username, password);
+ ret = sysdb_cache_password(state,
+ state->breq->be_ctx->sysdb,
+ state->breq->be_ctx->domain,
+ state->username, password);
/* password caching failures are not fatal errors */
- if (!subreq) {
- DEBUG(2, ("Failed to cache password for %s\n", state->username));
- goto done;
+ if (!ret) {
+ DEBUG(2, ("Failed to cache password for %s\n",
+ state->username));
+ } else {
+ DEBUG(4, ("Password successfully cached for %s\n",
+ state->username));
}
-
- tevent_req_set_callback(subreq, sdap_password_cache_done, state);
- return;
+ goto done;
}
done:
sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status);
}
-static void sdap_password_cache_done(struct tevent_req *subreq)
-{
- struct sdap_pam_auth_state *state = tevent_req_callback_data(subreq,
- struct sdap_pam_auth_state);
- int ret;
-
- ret = sysdb_cache_password_recv(subreq);
- talloc_zfree(subreq);
- if (ret) {
- /* password caching failures are not fatal errors */
- DEBUG(2, ("Failed to cache password for %s\n", state->username));
- } else {
- DEBUG(4, ("Password successfully cached for %s\n", state->username));
- }
-
- sdap_pam_auth_reply(state->breq, DP_ERR_OK, state->pd->pam_status);
-}
-
static void sdap_pam_auth_reply(struct be_req *req, int dp_err, int result)
{
req->fn(req, dp_err, result, NULL);
diff --git a/src/providers/proxy.c b/src/providers/proxy.c
index b499a151..4426f130 100644
--- a/src/providers/proxy.c
+++ b/src/providers/proxy.c
@@ -115,7 +115,6 @@ failed:
return PAM_CONV_ERR;
}
-static void proxy_pam_handler_cache_done(struct tevent_req *treq);
static void proxy_reply(struct be_req *req, int dp_err,
int error, const char *errstr);
@@ -249,7 +248,6 @@ static void proxy_pam_handler(struct be_req *req) {
pd->pam_status = pam_status;
if (cache_auth_data) {
- struct tevent_req *subreq;
char *password;
password = talloc_size(req, auth_data->authtok_size + 1);
@@ -261,38 +259,21 @@ static void proxy_pam_handler(struct be_req *req) {
password[auth_data->authtok_size] = '\0';
talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
- subreq = sysdb_cache_password_send(req, req->be_ctx->ev,
- req->be_ctx->sysdb, NULL,
- req->be_ctx->domain,
- pd->user, password);
- if (!subreq) {
- /* password caching failures are not fatal errors */
- return proxy_reply(req, DP_ERR_OK, EOK, NULL);
+ ret = sysdb_cache_password(req, req->be_ctx->sysdb,
+ req->be_ctx->domain,
+ pd->user, password);
+
+ /* password caching failures are not fatal errors */
+ /* so we just log it any return */
+ if (ret) {
+ DEBUG(2, ("Failed to cache password (%d)[%s]!?\n",
+ ret, strerror(ret)));
}
- tevent_req_set_callback(subreq, proxy_pam_handler_cache_done, req);
}
proxy_reply(req, DP_ERR_OK, EOK, NULL);
}
-static void proxy_pam_handler_cache_done(struct tevent_req *subreq)
-{
- struct be_req *req = tevent_req_callback_data(subreq, struct be_req);
- int ret;
-
- /* password caching failures are not fatal errors */
- ret = sysdb_cache_password_recv(subreq);
- talloc_zfree(subreq);
-
- /* so we just log it any return */
- if (ret) {
- DEBUG(2, ("Failed to cache password (%d)[%s]!?\n",
- ret, strerror(ret)));
- }
-
- return proxy_reply(req, DP_ERR_OK, EOK, NULL);
-}
-
static void proxy_reply(struct be_req *req, int dp_err,
int error, const char *errstr)
{
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 14017963..d1abf82c 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -2043,7 +2043,6 @@ START_TEST (test_sysdb_cache_password)
{
struct sysdb_test_ctx *test_ctx;
struct test_data *data;
- struct tevent_req *req;
int ret;
/* Setup */
@@ -2055,17 +2054,10 @@ START_TEST (test_sysdb_cache_password)
data->ev = test_ctx->ev;
data->username = talloc_asprintf(data, "testuser%d", _i);
- req = sysdb_cache_password_send(data, test_ctx->ev, test_ctx->sysdb, NULL,
- test_ctx->domain, data->username,
- data->username);
- fail_unless(req != NULL, "sysdb_cache_password_send failed [%d].", ret);
-
- tevent_req_set_callback(req, test_search_done, data);
-
- ret = test_loop(data);
- fail_unless(ret == EOK, "test_loop failed [%d].", ret);
+ ret = sysdb_cache_password(data, test_ctx->sysdb,
+ test_ctx->domain, data->username,
+ data->username);
- ret = sysdb_cache_password_recv(req);
fail_unless(ret == EOK, "sysdb_cache_password request failed [%d].", ret);
talloc_free(test_ctx);