diff options
author | Pavel Březina <pbrezina@redhat.com> | 2012-02-07 14:08:55 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-02-17 11:10:07 -0500 |
commit | f5d4b05027acce06e3509ecb68869d1c7ef37180 (patch) | |
tree | dedc9568ef72c85e3e3ac640854dcd0fa37e67db /src/providers/ldap | |
parent | 52ec1ebb88a1335500c4ae1c40bf973dd59d3349 (diff) | |
download | sssd-f5d4b05027acce06e3509ecb68869d1c7ef37180.tar.gz sssd-f5d4b05027acce06e3509ecb68869d1c7ef37180.tar.bz2 sssd-f5d4b05027acce06e3509ecb68869d1c7ef37180.zip |
Redesign purging of the sudo cache
https://fedorahosted.org/sssd/ticket/1173
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/sdap_sudo.c | 74 |
1 files changed, 55 insertions, 19 deletions
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c index 5c7448f9..4aaf04ce 100644 --- a/src/providers/ldap/sdap_sudo.c +++ b/src/providers/ldap/sdap_sudo.c @@ -653,7 +653,10 @@ int sdap_sudo_purge_sudoers(struct sysdb_ctx *sysdb_ctx, { TALLOC_CTX *tmp_ctx; char *filter = NULL; + char **sudouser = NULL; int ret = EOK; + errno_t sret; + bool in_transaction = false; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -661,20 +664,52 @@ int sdap_sudo_purge_sudoers(struct sysdb_ctx *sysdb_ctx, return ENOMEM; } + ret = sysdb_transaction_start(sysdb_ctx); + if (ret != EOK) { + goto done; + } + in_transaction = true; + switch (sudo_req->type) { case BE_REQ_SUDO_ALL: - filter = NULL; + DEBUG(SSSDBG_TRACE_FUNC, ("Purging SUDOers cache of all rules\n")); + ret = sysdb_sudo_purge_all(sysdb_ctx); break; case BE_REQ_SUDO_DEFAULTS: - ret = sysdb_get_sudo_filter(tmp_ctx, NULL, 0, NULL, - SYSDB_SUDO_FILTER_INCLUDE_DFL, &filter); + DEBUG(SSSDBG_TRACE_FUNC, ("Purging SUDOers cache of default options\n")); + ret = sysdb_sudo_purge_byname(sysdb_ctx, SDAP_SUDO_DEFAULTS); break; case BE_REQ_SUDO_USER: - ret = sysdb_get_sudo_filter(tmp_ctx, sudo_req->username, sudo_req->uid, - sudo_req->groups, - SYSDB_SUDO_FILTER_USERINFO - | SYSDB_SUDO_FILTER_INCLUDE_ALL - | SYSDB_SUDO_FILTER_INCLUDE_DFL, &filter); + DEBUG(SSSDBG_TRACE_FUNC, ("Purging SUDOers cache of user's [%s] rules\n", + sudo_req->username)); + + /* netgroups */ + ret = sysdb_get_sudo_filter(tmp_ctx, NULL, 0, NULL, + SYSDB_SUDO_FILTER_NGRS, &filter); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to create filter to purge " + "SUDOers cache [%d]: %s\n", ret, strerror(ret))); + goto done; + } + + ret = sysdb_sudo_purge_byfilter(sysdb_ctx, filter); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to purge SUDOers cache " + "(netgroups) [%d]: %s\n", ret, strerror(ret))); + goto done; + } + + /* user, uid, groups */ + sudouser = sysdb_sudo_build_sudouser(tmp_ctx, sudo_req->username, + sudo_req->uid, sudo_req->groups, + true); + if (sudouser == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to create sudoUser to purge " + "SUDOers cache [%d]: %s\n", ret, strerror(ret))); + goto done; + } + + ret = sysdb_sudo_purge_bysudouser(sysdb_ctx, sudouser); break; default: DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid request type %d\n", sudo_req->type)); @@ -682,23 +717,24 @@ int sdap_sudo_purge_sudoers(struct sysdb_ctx *sysdb_ctx, } if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to create filter to purge " - "sudoers cache [%d]: %s\n", ret, strerror(ret))); - goto done; - } - - /* Purge rules */ - DEBUG(SSSDBG_TRACE_FUNC, ("Purging sudo cache with filter [%s]\n", filter)); - ret = sysdb_purge_sudorule_subtree(sysdb_ctx, domain, filter); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to purge sudoers cache [%d]: %s\n", + DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to purge SUDOers cache [%d]: %s\n", ret, strerror(ret))); goto done; } - ret = EOK; + ret = sysdb_transaction_commit(sysdb_ctx); + if (ret == EOK) { + in_transaction = false; + } done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb_ctx); + if (sret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("Could not cancel transaction\n")); + } + } + talloc_free(tmp_ctx); return ret; } |