diff options
author | Simo Sorce <ssorce@redhat.com> | 2010-03-01 23:41:26 -0500 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-04-12 09:22:13 -0400 |
commit | bb0b6b4e39242577f60729fbcbd9e46e7a7af30d (patch) | |
tree | 487a6658ff978c56022e7ea5e924d93335e70013 /src | |
parent | 02a9d8a40dc3a5fd671ede0e4fa7dac5178fbc75 (diff) | |
download | sssd-bb0b6b4e39242577f60729fbcbd9e46e7a7af30d.tar.gz sssd-bb0b6b4e39242577f60729fbcbd9e46e7a7af30d.tar.bz2 sssd-bb0b6b4e39242577f60729fbcbd9e46e7a7af30d.zip |
sysdb: convert sysdb_cache_password
Diffstat (limited to 'src')
-rw-r--r-- | src/db/sysdb.h | 14 | ||||
-rw-r--r-- | src/db/sysdb_ops.c | 126 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 37 | ||||
-rw-r--r-- | src/providers/ldap/ldap_auth.c | 43 | ||||
-rw-r--r-- | src/providers/proxy.c | 37 | ||||
-rw-r--r-- | src/tests/sysdb-tests.c | 14 |
6 files changed, 62 insertions, 209 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 29dac35d..baa98904 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -495,15 +495,11 @@ int sysdb_remove_group_member(TALLOC_CTX *mem_ctx, * If you are not in a transaction pass NULL in handle and provide sysdb, * in this case a transaction will be automatically started and the * function will be completely wrapped in it's own sysdb transaction */ -struct tevent_req *sysdb_cache_password_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sysdb_ctx *sysdb, - struct sysdb_handle *handle, - struct sss_domain_info *domain, - const char *username, - const char *password); -int sysdb_cache_password_recv(struct tevent_req *req); - +int sysdb_cache_password(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + const char *username, + const char *password); errno_t check_failed_login_attempts(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, struct ldb_message *ldb_msg, diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index cdbe9aaf..0ea22f1e 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -1390,140 +1390,66 @@ int sysdb_remove_group_member(TALLOC_CTX *mem_ctx, /* =Password-Caching====================================================== */ -struct sysdb_cache_pw_state { - struct tevent_context *ev; - struct sss_domain_info *domain; - - const char *username; - struct sysdb_attrs *attrs; - - struct sysdb_handle *handle; - bool commit; -}; - -static void sysdb_cache_password_trans(struct tevent_req *subreq); - -struct tevent_req *sysdb_cache_password_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sysdb_ctx *sysdb, - struct sysdb_handle *handle, - struct sss_domain_info *domain, - const char *username, - const char *password) +int sysdb_cache_password(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + const char *username, + const char *password) { - struct tevent_req *req, *subreq; - struct sysdb_cache_pw_state *state; + TALLOC_CTX *tmpctx; + struct sysdb_attrs *attrs; char *hash = NULL; char *salt; int ret; - req = tevent_req_create(mem_ctx, &state, struct sysdb_cache_pw_state); - if (!req) return NULL; - - state->ev = ev; - state->domain = domain; - state->username = username; + tmpctx = talloc_new(mem_ctx); + if (!tmpctx) { + return ENOMEM; + } - ret = s3crypt_gen_salt(state, &salt); + ret = s3crypt_gen_salt(tmpctx, &salt); if (ret) { DEBUG(4, ("Failed to generate random salt.\n")); goto fail; } - ret = s3crypt_sha512(state, password, salt, &hash); + ret = s3crypt_sha512(tmpctx, password, salt, &hash); if (ret) { DEBUG(4, ("Failed to create password hash.\n")); goto fail; } - state->attrs = sysdb_new_attrs(state); - if (!state->attrs) { + attrs = sysdb_new_attrs(tmpctx); + if (!attrs) { ERROR_OUT(ret, ENOMEM, fail); } - ret = sysdb_attrs_add_string(state->attrs, SYSDB_CACHEDPWD, hash); + ret = sysdb_attrs_add_string(attrs, SYSDB_CACHEDPWD, hash); if (ret) goto fail; /* FIXME: should we use a different attribute for chache passwords ?? */ - ret = sysdb_attrs_add_long(state->attrs, "lastCachedPasswordChange", + ret = sysdb_attrs_add_long(attrs, "lastCachedPasswordChange", (long)time(NULL)); if (ret) goto fail; - ret = sysdb_attrs_add_uint32(state->attrs, SYSDB_FAILED_LOGIN_ATTEMPTS, 0U); + ret = sysdb_attrs_add_uint32(attrs, SYSDB_FAILED_LOGIN_ATTEMPTS, 0U); if (ret) goto fail; - state->handle = NULL; - - if (handle) { - state->handle = handle; - state->commit = false; - - ret = sysdb_set_user_attr(state, state->handle->ctx, - state->domain, state->username, - state->attrs, SYSDB_MOD_REP); - if (ret) { - goto fail; - } - tevent_req_done(req); - tevent_req_post(req, ev); - - } else { - state->commit = true; - subreq = sysdb_transaction_send(state, state->ev, sysdb); - if (!subreq) { - ret = ENOMEM; - goto fail; - } - tevent_req_set_callback(subreq, sysdb_cache_password_trans, req); + ret = sysdb_set_user_attr(tmpctx, sysdb, + domain, username, attrs, SYSDB_MOD_REP); + if (ret) { + goto fail; } - - return req; + talloc_zfree(tmpctx); + return EOK; fail: - DEBUG(6, ("Error: %d (%s)\n", ret, strerror(ret))); - tevent_req_error(req, ret); - tevent_req_post(req, ev); - return req; -} - -static void sysdb_cache_password_trans(struct tevent_req *subreq) -{ - struct tevent_req *req = tevent_req_callback_data(subreq, - struct tevent_req); - struct sysdb_cache_pw_state *state = tevent_req_data(req, - struct sysdb_cache_pw_state); - int ret; - - ret = sysdb_transaction_recv(subreq, state, &state->handle); - talloc_zfree(subreq); if (ret) { DEBUG(6, ("Error: %d (%s)\n", ret, strerror(ret))); - tevent_req_error(req, ret); - return; } - - ret = sysdb_set_user_attr(state, state->handle->ctx, - state->domain, state->username, - state->attrs, SYSDB_MOD_REP); - if (ret) { - tevent_req_error(req, ret); - return; - } - - subreq = sysdb_transaction_commit_send(state, state->ev, - state->handle); - if (!subreq) { - DEBUG(6, ("Error: Out of memory\n")); - tevent_req_error(req, ENOMEM); - return; - } - tevent_req_set_callback(subreq, sysdb_transaction_complete, req); -} - -int sysdb_cache_password_recv(struct tevent_req *req) -{ - return sysdb_op_default_recv(req); + talloc_zfree(tmpctx); + return ret; } /* = sysdb_check_handle ================== */ diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 6b1f54d6..57ce673c 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -662,7 +662,6 @@ static void krb5_resolve_kpasswd_done(struct tevent_req *req); static void krb5_find_ccache_step(struct krb5child_req *kr); static void krb5_save_ccname_done(struct tevent_req *req); static void krb5_child_done(struct tevent_req *req); -static void krb5_pam_handler_cache_done(struct tevent_req *treq); void krb5_pam_handler(struct be_req *be_req) { @@ -1189,7 +1188,8 @@ static void krb5_save_ccname_done(struct tevent_req *req) if (be_req->be_ctx->domain->cache_credentials == TRUE) { /* password caching failures are not fatal errors */ - pd->pam_status = PAM_SUCCESS; + pam_status = PAM_SUCCESS; + dp_err = DP_ERR_OK; switch(pd->cmd) { case SSS_PAM_AUTHENTICATE: @@ -1218,16 +1218,13 @@ static void krb5_save_ccname_done(struct tevent_req *req) talloc_set_destructor((TALLOC_CTX *)password, password_destructor); - req = sysdb_cache_password_send(be_req, be_req->be_ctx->ev, - be_req->be_ctx->sysdb, NULL, - be_req->be_ctx->domain, pd->user, - password); - if (req == NULL) { - DEBUG(2, ("cache_password_send failed, offline auth may not work.\n")); - goto failed; + ret = sysdb_cache_password(be_req, be_req->be_ctx->sysdb, + be_req->be_ctx->domain, pd->user, + password); + if (ret) { + DEBUG(2, ("Failed to cache password, offline auth may not work." + " (%d)[%s]!?\n", ret, strerror(ret))); } - tevent_req_set_callback(req, krb5_pam_handler_cache_done, be_req); - return; } pam_status = PAM_SUCCESS; @@ -1240,24 +1237,6 @@ failed: krb_reply(be_req, dp_err, pd->pam_status); } -static void krb5_pam_handler_cache_done(struct tevent_req *subreq) -{ - struct be_req *be_req = tevent_req_callback_data(subreq, struct be_req); - int ret; - - /* password caching failures are not fatal errors */ - ret = sysdb_cache_password_recv(subreq); - talloc_zfree(subreq); - - /* so we just log it any return */ - if (ret) { - DEBUG(2, ("Failed to cache password (%d)[%s]!?\n", - ret, strerror(ret))); - } - - krb_reply(be_req, DP_ERR_OK, PAM_SUCCESS); -} - static void krb_reply(struct be_req *req, int dp_err, int result) { req->fn(req, dp_err, result, NULL); diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c index c78f5031..7eabd6cf 100644 --- a/src/providers/ldap/ldap_auth.c +++ b/src/providers/ldap/ldap_auth.c @@ -899,7 +899,6 @@ struct sdap_pam_auth_state { }; static void sdap_pam_auth_done(struct tevent_req *req); -static void sdap_password_cache_done(struct tevent_req *req); void sdap_pam_auth_handler(struct be_req *breq) { @@ -965,7 +964,6 @@ static void sdap_pam_auth_done(struct tevent_req *req) { struct sdap_pam_auth_state *state = tevent_req_callback_data(req, struct sdap_pam_auth_state); - struct tevent_req *subreq; enum sdap_result result; enum pwexpire pw_expire_type; void *pw_expire_data; @@ -1059,45 +1057,26 @@ static void sdap_pam_auth_done(struct tevent_req *req) } talloc_set_destructor((TALLOC_CTX *)password, password_destructor); - subreq = sysdb_cache_password_send(state, - state->breq->be_ctx->ev, - state->breq->be_ctx->sysdb, - NULL, - state->breq->be_ctx->domain, - state->username, password); + ret = sysdb_cache_password(state, + state->breq->be_ctx->sysdb, + state->breq->be_ctx->domain, + state->username, password); /* password caching failures are not fatal errors */ - if (!subreq) { - DEBUG(2, ("Failed to cache password for %s\n", state->username)); - goto done; + if (!ret) { + DEBUG(2, ("Failed to cache password for %s\n", + state->username)); + } else { + DEBUG(4, ("Password successfully cached for %s\n", + state->username)); } - - tevent_req_set_callback(subreq, sdap_password_cache_done, state); - return; + goto done; } done: sdap_pam_auth_reply(state->breq, dp_err, state->pd->pam_status); } -static void sdap_password_cache_done(struct tevent_req *subreq) -{ - struct sdap_pam_auth_state *state = tevent_req_callback_data(subreq, - struct sdap_pam_auth_state); - int ret; - - ret = sysdb_cache_password_recv(subreq); - talloc_zfree(subreq); - if (ret) { - /* password caching failures are not fatal errors */ - DEBUG(2, ("Failed to cache password for %s\n", state->username)); - } else { - DEBUG(4, ("Password successfully cached for %s\n", state->username)); - } - - sdap_pam_auth_reply(state->breq, DP_ERR_OK, state->pd->pam_status); -} - static void sdap_pam_auth_reply(struct be_req *req, int dp_err, int result) { req->fn(req, dp_err, result, NULL); diff --git a/src/providers/proxy.c b/src/providers/proxy.c index b499a151..4426f130 100644 --- a/src/providers/proxy.c +++ b/src/providers/proxy.c @@ -115,7 +115,6 @@ failed: return PAM_CONV_ERR; } -static void proxy_pam_handler_cache_done(struct tevent_req *treq); static void proxy_reply(struct be_req *req, int dp_err, int error, const char *errstr); @@ -249,7 +248,6 @@ static void proxy_pam_handler(struct be_req *req) { pd->pam_status = pam_status; if (cache_auth_data) { - struct tevent_req *subreq; char *password; password = talloc_size(req, auth_data->authtok_size + 1); @@ -261,38 +259,21 @@ static void proxy_pam_handler(struct be_req *req) { password[auth_data->authtok_size] = '\0'; talloc_set_destructor((TALLOC_CTX *)password, password_destructor); - subreq = sysdb_cache_password_send(req, req->be_ctx->ev, - req->be_ctx->sysdb, NULL, - req->be_ctx->domain, - pd->user, password); - if (!subreq) { - /* password caching failures are not fatal errors */ - return proxy_reply(req, DP_ERR_OK, EOK, NULL); + ret = sysdb_cache_password(req, req->be_ctx->sysdb, + req->be_ctx->domain, + pd->user, password); + + /* password caching failures are not fatal errors */ + /* so we just log it any return */ + if (ret) { + DEBUG(2, ("Failed to cache password (%d)[%s]!?\n", + ret, strerror(ret))); } - tevent_req_set_callback(subreq, proxy_pam_handler_cache_done, req); } proxy_reply(req, DP_ERR_OK, EOK, NULL); } -static void proxy_pam_handler_cache_done(struct tevent_req *subreq) -{ - struct be_req *req = tevent_req_callback_data(subreq, struct be_req); - int ret; - - /* password caching failures are not fatal errors */ - ret = sysdb_cache_password_recv(subreq); - talloc_zfree(subreq); - - /* so we just log it any return */ - if (ret) { - DEBUG(2, ("Failed to cache password (%d)[%s]!?\n", - ret, strerror(ret))); - } - - return proxy_reply(req, DP_ERR_OK, EOK, NULL); -} - static void proxy_reply(struct be_req *req, int dp_err, int error, const char *errstr) { diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c index 14017963..d1abf82c 100644 --- a/src/tests/sysdb-tests.c +++ b/src/tests/sysdb-tests.c @@ -2043,7 +2043,6 @@ START_TEST (test_sysdb_cache_password) { struct sysdb_test_ctx *test_ctx; struct test_data *data; - struct tevent_req *req; int ret; /* Setup */ @@ -2055,17 +2054,10 @@ START_TEST (test_sysdb_cache_password) data->ev = test_ctx->ev; data->username = talloc_asprintf(data, "testuser%d", _i); - req = sysdb_cache_password_send(data, test_ctx->ev, test_ctx->sysdb, NULL, - test_ctx->domain, data->username, - data->username); - fail_unless(req != NULL, "sysdb_cache_password_send failed [%d].", ret); - - tevent_req_set_callback(req, test_search_done, data); - - ret = test_loop(data); - fail_unless(ret == EOK, "test_loop failed [%d].", ret); + ret = sysdb_cache_password(data, test_ctx->sysdb, + test_ctx->domain, data->username, + data->username); - ret = sysdb_cache_password_recv(req); fail_unless(ret == EOK, "sysdb_cache_password request failed [%d].", ret); talloc_free(test_ctx); |