diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/responder/common/responder.h | 11 | ||||
| -rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 995 |
2 files changed, 717 insertions, 289 deletions
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h index deb1e5a3..0f59ffd4 100644 --- a/src/responder/common/responder.h +++ b/src/responder/common/responder.h @@ -92,6 +92,11 @@ struct resp_ctx { void *pvt_ctx; }; +/* Needed for the NSS responder */ +struct getent_ref_tracker { + void *pvt; +}; + struct cli_ctx { struct tevent_context *ev; struct resp_ctx *rctx; @@ -104,6 +109,12 @@ struct cli_ctx { int32_t client_euid; int32_t client_egid; int32_t client_pid; + + int pwent_dom_idx; + int pwent_cur; + + int grent_dom_idx; + int grent_cur; }; struct sss_cmd_table { diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 719608c0..6df705fb 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -35,18 +35,20 @@ struct nss_cmd_ctx { bool check_next; bool enum_cached; + int saved_dom_idx; + int saved_cur; }; struct dom_ctx { struct sss_domain_info *domain; struct ldb_result *res; - int cur; }; struct getent_ctx { struct dom_ctx *doms; int num; - int cur; + bool ready; + struct setent_req_list *reqs; }; struct nss_dom_ctx { @@ -172,6 +174,63 @@ static int nss_cmd_done(struct nss_cmd_ctx *cmdctx, int ret) return EOK; } +/*************************** + * Enumeration procedures * + ***************************/ + +struct setent_req_list { + struct setent_req_list *prev; + struct setent_req_list *next; + struct getent_ctx *getent_ctx; + + struct tevent_req *req; +}; + +static int +setent_remove_ref(TALLOC_CTX *ctx); +static errno_t +setent_add_ref(TALLOC_CTX *memctx, + struct getent_ctx *getent_ctx, + struct tevent_req *req) +{ + struct setent_req_list *entry = + talloc_zero(memctx, struct setent_req_list); + if (!entry) { + return ENOMEM; + } + + entry->req = req; + entry->getent_ctx = getent_ctx; + DLIST_ADD_END(getent_ctx->reqs, entry, struct setent_req_list *); + + talloc_set_destructor((TALLOC_CTX *)entry, setent_remove_ref); + return EOK; +} + +static int +setent_remove_ref(TALLOC_CTX *ctx) +{ + struct setent_req_list *entry = + talloc_get_type(ctx, struct setent_req_list); + DLIST_REMOVE(entry->getent_ctx->reqs, entry); + return 0; +} + +struct setent_ctx { + struct cli_ctx *client; + struct nss_ctx *nctx; + struct nss_dom_ctx *dctx; + struct getent_ctx *getent_ctx; +}; + +struct setent_step_ctx { + struct nss_ctx *nctx; + struct nss_dom_ctx *dctx; + struct getent_ctx *getent_ctx; + struct resp_ctx *rctx; + bool enum_cached; +}; + /**************************************************************************** * PASSWD db related functions ***************************************************************************/ @@ -944,32 +1003,176 @@ done: * the last returned user. */ static int nss_cmd_getpwent_immediate(struct nss_cmd_ctx *cmdctx); +struct tevent_req * nss_cmd_setpwent_send(TALLOC_CTX *mem_ctx, + struct cli_ctx *client); +static void nss_cmd_setpwent_done(struct tevent_req *req); +static int nss_cmd_setpwent(struct cli_ctx *cctx) +{ + struct nss_cmd_ctx *cmdctx; + struct tevent_req *req; + errno_t ret = EOK; -static void nss_cmd_getpwent_dp_callback(uint16_t err_maj, uint32_t err_min, - const char *err_msg, void *ptr); + cmdctx = talloc_zero(cctx, struct nss_cmd_ctx); + if (!cmdctx) { + return ENOMEM; + } + cmdctx->cctx = cctx; + + req = nss_cmd_setpwent_send(cmdctx, cctx); + if (!req) { + DEBUG(0, ("Fatal error calling nss_cmd_setpwent_send\n")); + ret = EIO; + goto done; + } + tevent_req_set_callback(req, nss_cmd_setpwent_done, cmdctx); + +done: + return nss_cmd_done(cmdctx, ret); +} -static int nss_cmd_getpwent_search(struct nss_dom_ctx *dctx) +static errno_t nss_cmd_setpwent_step(struct setent_step_ctx *step_ctx); +struct tevent_req *nss_cmd_setpwent_send(TALLOC_CTX *mem_ctx, + struct cli_ctx *client) { - struct nss_cmd_ctx *cmdctx = dctx->cmdctx; - struct sss_domain_info *dom = dctx->domain; - struct cli_ctx *cctx = cmdctx->cctx; - struct sysdb_ctx *sysdb; - struct ldb_result *res; - struct getent_ctx *pctx; + errno_t ret; struct nss_ctx *nctx; - int timeout; - int ret; + struct tevent_req *req; + struct setent_ctx *state; + struct sss_domain_info *dom; + struct setent_step_ctx *step_ctx; + bool enum_cached = false; + time_t now = time(NULL); - nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); - pctx = nctx->pctx; - if (pctx == NULL) { - pctx = talloc_zero(nctx, struct getent_ctx); - if (!pctx) { - return ENOMEM; + DEBUG(4, ("Received setpwent request\n")); + nctx = talloc_get_type(client->rctx->pvt_ctx, struct nss_ctx); + + /* Reset the read pointers */ + client->pwent_dom_idx = 0; + client->pwent_cur = 0; + + req = tevent_req_create(mem_ctx, &state, struct setent_ctx); + if (!req) { + DEBUG(0, ("Could not create tevent request for setpwent\n")); + return NULL; + } + + state->nctx = nctx; + state->client = client; + + /* do not query backends if we have a recent enumeration */ + if (nctx->enum_cache_timeout) { + if (nctx->last_user_enum + nctx->enum_cache_timeout > now) { + enum_cached = true; + } + } + + state->dctx = talloc_zero(state, struct nss_dom_ctx); + if (!state->dctx) { + ret = ENOMEM; + goto error; + } + + /* check if enumeration is enabled in any domain */ + for (dom = client->rctx->domains; dom; dom = dom->next) { + if (dom->enumerate != 0) break; + } + state->dctx->domain = dom; + + if (state->dctx->domain == NULL) { + DEBUG(2, ("Enumeration disabled on all domains!\n")); + ret = ENOENT; + goto error; + } + + state->dctx->check_provider = + NEED_CHECK_PROVIDER(state->dctx->domain->provider); + + /* Is the result context already available */ + if (state->nctx->pctx) { + if (state->nctx->pctx->ready) { + /* All of the necessary data is in place + * We can return now, getpwent requests will work at this point + */ + tevent_req_done(req); + tevent_req_post(req, state->nctx->rctx->ev); + } + else { + /* Object is still being constructed + * Register for notification when it's + * ready. + */ + ret = setent_add_ref(state->client, state->nctx->pctx, req); + if (ret != EOK) { + talloc_free(req); + return NULL; + } } - nctx->pctx = pctx; + return req; } + /* Create a new result context + * We are creating it on the nss_ctx so that it doesn't + * go away if the original request does. We will delete + * it when the refcount goes to zero; + */ + state->nctx->pctx = talloc_zero(nctx, struct getent_ctx); + if (!state->nctx->pctx) { + ret = ENOMEM; + goto error; + } + state->getent_ctx = nctx->pctx; + + /* Add a callback reference for ourselves */ + setent_add_ref(state->client, state->nctx->pctx, req); + + /* ok, start the searches */ + step_ctx = talloc_zero(state->getent_ctx, struct setent_step_ctx); + if (!step_ctx) { + ret = ENOMEM; + goto error; + } + + /* Steal the dom_ctx onto the step_ctx so it doesn't go out of scope if + * this request is canceled while other requests are in-progress. + */ + step_ctx->dctx = talloc_steal(step_ctx, state->dctx); + step_ctx->nctx = state->nctx; + step_ctx->getent_ctx = state->getent_ctx; + step_ctx->rctx = client->rctx; + step_ctx->enum_cached = enum_cached; + + ret = nss_cmd_setpwent_step(step_ctx); + if (ret != EOK) goto error; + + return req; + + error: + tevent_req_error(req, ret); + tevent_req_post(req, client->rctx->ev); + return req; +} + +static void nss_cmd_setpwent_dp_callback(uint16_t err_maj, uint32_t err_min, + const char *err_msg, void *ptr); +static void setpwent_result_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt); +static errno_t nss_cmd_setpwent_step(struct setent_step_ctx *step_ctx) +{ + errno_t ret; + struct sss_domain_info *dom = step_ctx->dctx->domain; + struct resp_ctx *rctx = step_ctx->rctx; + struct nss_dom_ctx *dctx = step_ctx->dctx; + struct getent_ctx *pctx = step_ctx->getent_ctx; + struct nss_ctx *nctx = step_ctx->nctx; + struct sysdb_ctx *sysdb; + struct ldb_result *res; + struct setent_req_list *req; + struct timeval tv; + struct tevent_timer *te; + int timeout; + while (dom) { while (dom && dom->enumerate == 0) { dom = dom->next; @@ -980,7 +1183,7 @@ static int nss_cmd_getpwent_search(struct nss_dom_ctx *dctx) if (dom != dctx->domain) { /* make sure we reset the check_provider flag when we check * a new domain */ - if (cmdctx->enum_cached) { + if (step_ctx->enum_cached) { dctx->check_provider = false; } else { dctx->check_provider = NEED_CHECK_PROVIDER(dom->provider); @@ -990,9 +1193,9 @@ static int nss_cmd_getpwent_search(struct nss_dom_ctx *dctx) /* make sure to update the dctx if we changed domain */ dctx->domain = dom; - DEBUG(4, ("Requesting info for domain [%s]\n", dom->name)); + DEBUG(6, ("Requesting info for domain [%s]\n", dom->name)); - ret = sysdb_get_ctx_from_list(cctx->rctx->db_list, dom, &sysdb); + ret = sysdb_get_ctx_from_list(rctx->db_list, dom, &sysdb); if (ret != EOK) { DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); return EIO; @@ -1001,10 +1204,12 @@ static int nss_cmd_getpwent_search(struct nss_dom_ctx *dctx) /* if this is a caching provider (or if we haven't checked the cache * yet) then verify that the cache is uptodate */ if (dctx->check_provider) { + /* Only do this once per provider */ dctx->check_provider = false; timeout = SSS_CLI_SOCKET_TIMEOUT; - ret = sss_dp_send_acct_req(cctx->rctx, cmdctx, - nss_cmd_getpwent_dp_callback, dctx, + + ret = sss_dp_send_acct_req(rctx, step_ctx, + nss_cmd_setpwent_dp_callback, step_ctx, timeout, dom->name, true, SSS_DP_USER, NULL, 0); if (ret == EOK) { @@ -1030,7 +1235,7 @@ static int nss_cmd_getpwent_search(struct nss_dom_ctx *dctx) continue; } - pctx->doms = talloc_realloc(pctx, pctx->doms, + nctx->pctx->doms = talloc_realloc(pctx, pctx->doms, struct dom_ctx, pctx->num +1); if (!pctx->doms) { talloc_free(pctx); @@ -1038,41 +1243,65 @@ static int nss_cmd_getpwent_search(struct nss_dom_ctx *dctx) return ENOMEM; } - pctx->doms[pctx->num].domain = dctx->domain; - pctx->doms[pctx->num].res = talloc_steal(pctx->doms, res); - pctx->doms[pctx->num].cur = 0; + nctx->pctx->doms[pctx->num].domain = dctx->domain; + nctx->pctx->doms[pctx->num].res = talloc_steal(pctx->doms, res); - pctx->num++; + nctx->pctx->num++; /* do not reply until all domain searches are done */ dom = dom->next; } - /* set cache mark */ - nctx->last_user_enum = time(NULL); + /* We've finished all our lookups + * The result object is now safe to read. + */ + nctx->pctx->ready = true; - if (cmdctx->immediate) { - /* this was a getpwent call w/o setpwent, - * return immediately one result */ - return nss_cmd_getpwent_immediate(cmdctx); + /* Set up a lifetime timer for this result object + * We don't want this result object to outlive the + * enum cache refresh timeout + */ + tv = tevent_timeval_current_ofs(nctx->enum_cache_timeout, 0); + te = tevent_add_timer(rctx->ev, nctx->pctx, tv, + setpwent_result_timeout, nctx); + if (!te) { + DEBUG(0, ("Could not set up life timer for setpwent result object. " + "Entries may become stale.\n")); } - /* create response packet */ - ret = sss_packet_new(cctx->creq, 0, - sss_packet_get_cmd(cctx->creq->in), - &cctx->creq->out); - if (ret == EOK) { - sss_cmd_done(cctx, cmdctx); + /* Notify the waiting clients */ + while (nctx->pctx->reqs) { + tevent_req_done(nctx->pctx->reqs->req); + /* Freeing each entry in the list removes it from the dlist */ + req = nctx->pctx->reqs; + nctx->pctx->reqs = nctx->pctx->reqs->next; + talloc_free(req); } - return ret; + return EOK; } -static void nss_cmd_getpwent_dp_callback(uint16_t err_maj, uint32_t err_min, +static void setpwent_result_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt) +{ + struct nss_ctx *nctx = talloc_get_type(pvt, struct nss_ctx); + + DEBUG(1, ("setpwent result object has expired. Cleaning up.\n")); + + /* Free the passwd enumeration context. + * If additional getpwent requests come in, they will invoke + * an implicit setpwent and refresh the result object. + */ + talloc_zfree(nctx->pctx); +} + +static void nss_cmd_setpwent_dp_callback(uint16_t err_maj, uint32_t err_min, const char *err_msg, void *ptr) { - struct nss_dom_ctx *dctx = talloc_get_type(ptr, struct nss_dom_ctx); - struct nss_cmd_ctx *cmdctx = dctx->cmdctx; - struct cli_ctx *cctx = cmdctx->cctx; + struct setent_step_ctx *step_ctx = + talloc_get_type(ptr, struct setent_step_ctx); + struct getent_ctx *pctx = step_ctx->nctx->pctx; int ret; if (err_maj) { @@ -1082,84 +1311,117 @@ static void nss_cmd_getpwent_dp_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } - ret = nss_cmd_getpwent_search(dctx); - + ret = nss_cmd_setpwent_step(step_ctx); if (ret) { - NSS_CMD_FATAL_ERROR(cctx); + /* Notify any waiting processes of failure */ + while(step_ctx->nctx->pctx->reqs) { + tevent_req_error(pctx->reqs->req, ret); + /* Freeing each entry in the list removes it from the dlist */ + talloc_free(pctx->reqs); + } } } -static int nss_cmd_setpwent_ext(struct cli_ctx *cctx, bool immediate) +static errno_t nss_cmd_setpwent_recv(struct tevent_req *req) { - struct sss_domain_info *dom; - struct nss_cmd_ctx *cmdctx; - struct nss_dom_ctx *dctx; - struct nss_ctx *nctx; - time_t now = time(NULL); - int ret; + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} - DEBUG(4, ("Requesting info for all users\n")); +static void nss_cmd_setpwent_done(struct tevent_req *req) +{ + errno_t ret; + struct nss_cmd_ctx *cmdctx = + tevent_req_callback_data(req, struct nss_cmd_ctx); - nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); - talloc_free(nctx->pctx); - nctx->pctx = NULL; + ret = nss_cmd_setpwent_recv(req); + talloc_zfree(req); + if (ret == EOK || ret == ENOENT) { + /* Either we succeeded or no domains were eligible */ + ret = sss_packet_new(cmdctx->cctx->creq, 0, + sss_packet_get_cmd(cmdctx->cctx->creq->in), + &cmdctx->cctx->creq->out); + if (ret == EOK) { + sss_cmd_done(cmdctx->cctx, cmdctx); + return; + } + } - cmdctx = talloc_zero(cctx, struct nss_cmd_ctx); + /* Something bad happened */ + nss_cmd_done(cmdctx, ret); +} + +static void nss_cmd_implicit_setpwent_done(struct tevent_req *req); +static int nss_cmd_getpwent(struct cli_ctx *cctx) +{ + struct nss_ctx *nctx; + struct nss_cmd_ctx *cmdctx; + struct tevent_req *req; + + DEBUG(4, ("Requesting info for all accounts\n")); + + cmdctx = talloc(cctx, struct nss_cmd_ctx); if (!cmdctx) { return ENOMEM; } cmdctx->cctx = cctx; - cmdctx->immediate = immediate; - dctx = talloc_zero(cmdctx, struct nss_dom_ctx); - if (!dctx) { - ret = ENOMEM; - goto done; - } - dctx->cmdctx = cmdctx; + /* Save the current index and cursor locations + * If we end up calling setpwent implicitly, because the response object + * expired and has to be recreated, we want to resume from the same + * location. + */ + cmdctx->saved_dom_idx = cctx->pwent_dom_idx; + cmdctx->saved_cur = cctx->pwent_cur; - /* do not query backends if we have a recent enumeration */ - if (nctx->enum_cache_timeout) { - if (nctx->last_user_enum + nctx->enum_cache_timeout > now) { - cmdctx->enum_cached = true; + nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); + if(!nctx->pctx || !nctx->pctx->ready) { + /* Make sure we invoke setpwent if it hasn't been run or is still + * processing from another client + */ + req = nss_cmd_setpwent_send(cctx, cctx); + if (!req) { + return EIO; } + tevent_req_set_callback(req, nss_cmd_implicit_setpwent_done, cmdctx); + return EOK; } - /* check if enumeration is enabled in any domain */ - for (dom = cctx->rctx->domains; dom; dom = dom->next) { - if (dom->enumerate != 0) break; + return nss_cmd_getpwent_immediate(cmdctx); +} + +static int nss_cmd_retpwent(struct cli_ctx *cctx, int num); +static int nss_cmd_getpwent_immediate(struct nss_cmd_ctx *cmdctx) +{ + struct cli_ctx *cctx = cmdctx->cctx; + uint8_t *body; + size_t blen; + uint32_t num; + int ret; + + /* get max num of entries to return in one call */ + sss_packet_get_body(cctx->creq->in, &body, &blen); + if (blen != sizeof(uint32_t)) { + return EINVAL; } - dctx->domain = dom; + num = *((uint32_t *)body); - if (dctx->domain == NULL) { - DEBUG(2, ("Enumeration disabled on all domains!\n")); - if (cmdctx->immediate) { - ret = ENOENT; - } else { - ret = sss_packet_new(cctx->creq, 0, - sss_packet_get_cmd(cctx->creq->in), - &cctx->creq->out); - if (ret == EOK) { - sss_cmd_done(cctx, cmdctx); - } - } - goto done; + /* create response packet */ + ret = sss_packet_new(cctx->creq, 0, + sss_packet_get_cmd(cctx->creq->in), + &cctx->creq->out); + if (ret != EOK) { + return ret; } - dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider); + ret = nss_cmd_retpwent(cctx, num); - /* ok, start the searches */ - ret = nss_cmd_getpwent_search(dctx); -done: - return nss_cmd_done(cmdctx, ret); -} + sss_packet_set_error(cctx->creq->out, ret); + sss_cmd_done(cctx, cmdctx); -static int nss_cmd_setpwent(struct cli_ctx *cctx) -{ - return nss_cmd_setpwent_ext(cctx, false); + return EOK; } - static int nss_cmd_retpwent(struct cli_ctx *cctx, int num) { struct nss_ctx *nctx; @@ -1175,26 +1437,26 @@ static int nss_cmd_retpwent(struct cli_ctx *cctx, int num) pctx = nctx->pctx; while (ret == ENOENT) { - if (pctx->cur >= pctx->num) break; + if (cctx->pwent_dom_idx >= pctx->num) break; - pdom = &pctx->doms[pctx->cur]; + pdom = &pctx->doms[cctx->pwent_dom_idx]; - n = pdom->res->count - pdom->cur; - if (n == 0 && (pctx->cur+1 < pctx->num)) { - pctx->cur++; - pdom = &pctx->doms[pctx->cur]; - n = pdom->res->count - pdom->cur; + n = pdom->res->count - cctx->pwent_cur; + if (n <= 0 && (cctx->pwent_dom_idx+1 < pctx->num)) { + cctx->pwent_dom_idx++; + pdom = &pctx->doms[cctx->pwent_dom_idx]; + n = pdom->res->count - cctx->pwent_cur; } if (!n) break; if (n > num) n = num; - msgs = &(pdom->res->msgs[pdom->cur]); + msgs = &(pdom->res->msgs[cctx->pwent_cur]); ret = fill_pwent(cctx->creq->out, pdom->domain, nctx, true, msgs, &n); - pdom->cur += n; + cctx->pwent_cur += n; } none: @@ -1204,58 +1466,35 @@ none: return ret; } -static int nss_cmd_getpwent_immediate(struct nss_cmd_ctx *cmdctx) +static void nss_cmd_implicit_setpwent_done(struct tevent_req *req) { - struct cli_ctx *cctx = cmdctx->cctx; - uint8_t *body; - size_t blen; - uint32_t num; - int ret; + errno_t ret; + struct nss_cmd_ctx *cmdctx = + tevent_req_callback_data(req, struct nss_cmd_ctx); - /* get max num of entries to return in one call */ - sss_packet_get_body(cctx->creq->in, &body, &blen); - if (blen != sizeof(uint32_t)) { - return EINVAL; - } - num = *((uint32_t *)body); + ret = nss_cmd_setpwent_recv(req); + talloc_zfree(req); - /* create response packet */ - ret = sss_packet_new(cctx->creq, 0, - sss_packet_get_cmd(cctx->creq->in), - &cctx->creq->out); - if (ret != EOK) { - return ret; + /* ENOENT is acceptable, as it just means that there were no entries + * to be returned. This will be handled gracefully in nss_cmd_retpwent + * later. + */ + if (ret != EOK && ret != ENOENT) { + DEBUG(0, ("Implicit setpwent failed with unexpected error [%d][%s]\n", + ret, strerror(ret))); + NSS_CMD_FATAL_ERROR(cmdctx); } - ret = nss_cmd_retpwent(cctx, num); - - sss_packet_set_error(cctx->creq->out, ret); - sss_cmd_done(cctx, cmdctx); + /* Restore the saved index and cursor locations */ + cmdctx->cctx->pwent_dom_idx = cmdctx->saved_dom_idx; + cmdctx->cctx->pwent_cur = cmdctx->saved_cur; - return EOK; -} - -static int nss_cmd_getpwent(struct cli_ctx *cctx) -{ - struct nss_ctx *nctx; - struct nss_cmd_ctx *cmdctx; - - DEBUG(4, ("Requesting info for all accounts\n")); - - nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); - - /* see if we need to trigger an implicit setpwent() */ - if (nctx->pctx == NULL) { - return nss_cmd_setpwent_ext(cctx, true); - } - - cmdctx = talloc(cctx, struct nss_cmd_ctx); - if (!cmdctx) { - return ENOMEM; + ret = nss_cmd_getpwent_immediate(cmdctx); + if (ret != EOK) { + DEBUG(0, ("Immediate retrieval failed with unexpected error " + "[%d][%s]\n", ret, strerror(ret))); + NSS_CMD_FATAL_ERROR(cmdctx); } - cmdctx->cctx = cctx; - - return nss_cmd_getpwent_immediate(cmdctx); } static int nss_cmd_endpwent(struct cli_ctx *cctx) @@ -1277,9 +1516,9 @@ static int nss_cmd_endpwent(struct cli_ctx *cctx) } if (nctx->pctx == NULL) goto done; - /* free results and reset */ - talloc_free(nctx->pctx); - nctx->pctx = NULL; + /* Reset the indices so that subsequent requests start at zero */ + cctx->pwent_dom_idx = 0; + cctx->pwent_cur = 0; done: sss_cmd_done(cctx, NULL); @@ -2014,33 +2253,176 @@ done: * even if the data is still being fetched * - make getgrent() wait on the mutex */ -static int nss_cmd_getgrent_immediate(struct nss_cmd_ctx *cmdctx); +struct tevent_req *nss_cmd_setgrent_send(TALLOC_CTX *mem_ctx, + struct cli_ctx *client); +static void nss_cmd_setgrent_done(struct tevent_req *req); +static int nss_cmd_setgrent(struct cli_ctx *cctx) +{ + struct nss_cmd_ctx *cmdctx; + struct tevent_req *req; + errno_t ret = EOK; -static void nss_cmd_getgrent_dp_callback(uint16_t err_maj, uint32_t err_min, - const char *err_msg, void *ptr); + cmdctx = talloc_zero(cctx, struct nss_cmd_ctx); + if (!cmdctx) { + return ENOMEM; + } + cmdctx->cctx = cctx; + + req = nss_cmd_setgrent_send(cmdctx, cctx); + if (!req) { + DEBUG(0, ("Fatal error calling nss_cmd_setgrent_send\n")); + ret = EIO; + goto done; + } + tevent_req_set_callback(req, nss_cmd_setgrent_done, cmdctx); + +done: + return nss_cmd_done(cmdctx, ret); +} -static int nss_cmd_getgrent_search(struct nss_dom_ctx *dctx) +static errno_t nss_cmd_setgrent_step(struct setent_step_ctx *step_ctx); +struct tevent_req *nss_cmd_setgrent_send(TALLOC_CTX *mem_ctx, + struct cli_ctx *client) { - struct nss_cmd_ctx *cmdctx = dctx->cmdctx; - struct sss_domain_info *dom = dctx->domain; - struct cli_ctx *cctx = cmdctx->cctx; - struct sysdb_ctx *sysdb; - struct ldb_result *res; - struct getent_ctx *gctx; + errno_t ret; struct nss_ctx *nctx; - int timeout; - int ret; + struct tevent_req *req; + struct setent_ctx *state; + struct sss_domain_info *dom; + struct setent_step_ctx *step_ctx; + bool enum_cached = false; + time_t now = time(NULL); - nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); - gctx = nctx->gctx; - if (gctx == NULL) { - gctx = talloc_zero(nctx, struct getent_ctx); - if (!gctx) { - return ENOMEM; + DEBUG(4, ("Received setgrent request\n")); + nctx = talloc_get_type(client->rctx->pvt_ctx, struct nss_ctx); + + /* Reset the read pointers */ + client->grent_dom_idx = 0; + client->grent_cur = 0; + + req = tevent_req_create(mem_ctx, &state, struct setent_ctx); + if (!req) { + DEBUG(0, ("Could not create tevent request for setgrent\n")); + return NULL; + } + + state->nctx = nctx; + state->client = client; + + /* do not query backends if we have a recent enumeration */ + if (nctx->enum_cache_timeout) { + if (nctx->last_user_enum + nctx->enum_cache_timeout > now) { + enum_cached = true; } - nctx->gctx = gctx; } + state->dctx = talloc_zero(state, struct nss_dom_ctx); + if (!state->dctx) { + ret = ENOMEM; + goto error; + } + + /* check if enumeration is enabled in any domain */ + for (dom = client->rctx->domains; dom; dom = dom->next) { + if (dom->enumerate != 0) break; + } + state->dctx->domain = dom; + + if (state->dctx->domain == NULL) { + DEBUG(2, ("Enumeration disabled on all domains!\n")); + ret = ENOENT; + goto error; + } + + state->dctx->check_provider = + NEED_CHECK_PROVIDER(state->dctx->domain->provider); + + /* Is the result context already available */ + if (state->nctx->gctx) { + if (state->nctx->gctx->ready) { + /* All of the necessary data is in place + * We can return now, getgrent requests will work at this point + */ + tevent_req_done(req); + tevent_req_post(req, state->nctx->rctx->ev); + } + else { + /* Object is still being constructed + * Register for notification when it's + * ready. + */ + ret = setent_add_ref(state->client, state->nctx->gctx, req); + if (ret != EOK) { + talloc_free(req); + return NULL; + } + } + return req; + } + + /* Create a new result context + * We are creating it on the nss_ctx so that it doesn't + * go away if the original request does. We will delete + * it when the refcount goes to zero; + */ + state->nctx->gctx = talloc_zero(nctx, struct getent_ctx); + if (!state->nctx->gctx) { + ret = ENOMEM; + goto error; + } + state->getent_ctx = nctx->gctx; + + /* Add a callback reference for ourselves */ + setent_add_ref(state->client, state->nctx->gctx, req); + + /* ok, start the searches */ + step_ctx = talloc_zero(state->getent_ctx, struct setent_step_ctx); + if (!step_ctx) { + ret = ENOMEM; + goto error; + } + + /* Steal the dom_ctx onto the step_ctx so it doesn't go out of scope if + * this request is canceled while other requests are in-progress. + */ + step_ctx->dctx = talloc_steal(step_ctx, state->dctx); + step_ctx->nctx = state->nctx; + step_ctx->getent_ctx = state->getent_ctx; + step_ctx->rctx = client->rctx; + step_ctx->enum_cached = enum_cached; + + ret = nss_cmd_setgrent_step(step_ctx); + if (ret != EOK) goto error; + + return req; + + error: + tevent_req_error(req, ret); + tevent_req_post(req, client->rctx->ev); + return req; +} + +static void nss_cmd_setgrent_dp_callback(uint16_t err_maj, uint32_t err_min, + const char *err_msg, void *ptr); +static void setgrent_result_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt); +static errno_t nss_cmd_setgrent_step(struct setent_step_ctx *step_ctx) +{ + errno_t ret; + struct sss_domain_info *dom = step_ctx->dctx->domain; + struct resp_ctx *rctx = step_ctx->rctx; + struct nss_dom_ctx *dctx = step_ctx->dctx; + struct getent_ctx *gctx = step_ctx->getent_ctx; + struct nss_ctx *nctx = step_ctx->nctx; + struct sysdb_ctx *sysdb; + struct ldb_result *res; + struct setent_req_list *req; + struct timeval tv; + struct tevent_timer *te; + int timeout; + while (dom) { while (dom && dom->enumerate == 0) { dom = dom->next; @@ -2051,7 +2433,7 @@ static int nss_cmd_getgrent_search(struct nss_dom_ctx *dctx) if (dom != dctx->domain) { /* make sure we reset the check_provider flag when we check * a new domain */ - if (cmdctx->enum_cached) { + if (step_ctx->enum_cached) { dctx->check_provider = false; } else { dctx->check_provider = NEED_CHECK_PROVIDER(dom->provider); @@ -2061,9 +2443,9 @@ static int nss_cmd_getgrent_search(struct nss_dom_ctx *dctx) /* make sure to update the dctx if we changed domain */ dctx->domain = dom; - DEBUG(4, ("Requesting info for domain [%s]\n", dom->name)); + DEBUG(6, ("Requesting info for domain [%s]\n", dom->name)); - ret = sysdb_get_ctx_from_list(cctx->rctx->db_list, dom, &sysdb); + ret = sysdb_get_ctx_from_list(rctx->db_list, dom, &sysdb); if (ret != EOK) { DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); return EIO; @@ -2072,10 +2454,12 @@ static int nss_cmd_getgrent_search(struct nss_dom_ctx *dctx) /* if this is a caching provider (or if we haven't checked the cache * yet) then verify that the cache is uptodate */ if (dctx->check_provider) { + /* Only do this once per provider */ dctx->check_provider = false; timeout = SSS_CLI_SOCKET_TIMEOUT; - ret = sss_dp_send_acct_req(cctx->rctx, cmdctx, - nss_cmd_getgrent_dp_callback, dctx, + + ret = sss_dp_send_acct_req(rctx, step_ctx, + nss_cmd_setgrent_dp_callback, step_ctx, timeout, dom->name, true, SSS_DP_GROUP, NULL, 0); if (ret == EOK) { @@ -2101,8 +2485,7 @@ static int nss_cmd_getgrent_search(struct nss_dom_ctx *dctx) continue; } - - gctx->doms = talloc_realloc(gctx, gctx->doms, + nctx->gctx->doms = talloc_realloc(gctx, gctx->doms, struct dom_ctx, gctx->num +1); if (!gctx->doms) { talloc_free(gctx); @@ -2110,41 +2493,65 @@ static int nss_cmd_getgrent_search(struct nss_dom_ctx *dctx) return ENOMEM; } - gctx->doms[gctx->num].domain = dctx->domain; - gctx->doms[gctx->num].res = talloc_steal(gctx->doms, res); - gctx->doms[gctx->num].cur = 0; + nctx->gctx->doms[gctx->num].domain = dctx->domain; + nctx->gctx->doms[gctx->num].res = talloc_steal(gctx->doms, res); - gctx->num++; + nctx->gctx->num++; /* do not reply until all domain searches are done */ dom = dom->next; } - /* set cache mark */ - nctx->last_group_enum = time(NULL); + /* We've finished all our lookups + * The result object is now safe to read. + */ + nctx->gctx->ready = true; - if (cmdctx->immediate) { - /* this was a getgrent call w/o setgrent, - * return immediately one result */ - return nss_cmd_getgrent_immediate(cmdctx); + /* Set up a lifetime timer for this result object + * We don't want this result object to outlive the + * enum cache refresh timeout + */ + tv = tevent_timeval_current_ofs(nctx->enum_cache_timeout, 0); + te = tevent_add_timer(rctx->ev, nctx->gctx, tv, + setgrent_result_timeout, nctx); + if (!te) { + DEBUG(0, ("Could not set up life timer for setgrent result object. " + "Entries may become stale.\n")); } - /* create response packet */ - ret = sss_packet_new(cctx->creq, 0, - sss_packet_get_cmd(cctx->creq->in), - &cctx->creq->out); - if (ret == EOK) { - sss_cmd_done(cctx, cmdctx); + /* Notify the waiting clients */ + while (nctx->gctx->reqs) { + tevent_req_done(nctx->gctx->reqs->req); + /* Freeing each entry in the list removes it from the dlist */ + req = nctx->gctx->reqs; + nctx->gctx->reqs = nctx->gctx->reqs->next; + talloc_free(req); } - return ret; + return EOK; } -static void nss_cmd_getgrent_dp_callback(uint16_t err_maj, uint32_t err_min, +static void setgrent_result_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt) +{ + struct nss_ctx *nctx = talloc_get_type(pvt, struct nss_ctx); + + DEBUG(1, ("setgrent result object has expired. Cleaning up.\n")); + + /* Free the group enumeration context. + * If additional getgrent requests come in, they will invoke + * an implicit setgrent and refresh the result object. + */ + talloc_zfree(nctx->gctx); +} + +static void nss_cmd_setgrent_dp_callback(uint16_t err_maj, uint32_t err_min, const char *err_msg, void *ptr) { - struct nss_dom_ctx *dctx = talloc_get_type(ptr, struct nss_dom_ctx); - struct nss_cmd_ctx *cmdctx = dctx->cmdctx; - struct cli_ctx *cctx = cmdctx->cctx; + struct setent_step_ctx *step_ctx = + talloc_get_type(ptr, struct setent_step_ctx); + struct getent_ctx *gctx = step_ctx->nctx->gctx; int ret; if (err_maj) { @@ -2154,81 +2561,44 @@ static void nss_cmd_getgrent_dp_callback(uint16_t err_maj, uint32_t err_min, (unsigned int)err_maj, (unsigned int)err_min, err_msg)); } - ret = nss_cmd_getgrent_search(dctx); - + ret = nss_cmd_setgrent_step(step_ctx); if (ret) { - NSS_CMD_FATAL_ERROR(cctx); + /* Notify any waiting processes of failure */ + while(step_ctx->nctx->gctx->reqs) { + tevent_req_error(gctx->reqs->req, ret); + /* Freeing each entry in the list removes it from the dlist */ + talloc_free(gctx->reqs); + } } } -static int nss_cmd_setgrent_ext(struct cli_ctx *cctx, bool immediate) +static errno_t nss_cmd_setgrent_recv(struct tevent_req *req) { - struct sss_domain_info *dom; - struct nss_cmd_ctx *cmdctx; - struct nss_dom_ctx *dctx; - struct nss_ctx *nctx; - time_t now = time(NULL); - int ret; - - DEBUG(4, ("Requesting info for all groups\n")); - - nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); - talloc_free(nctx->gctx); - nctx->gctx = NULL; - - cmdctx = talloc_zero(cctx, struct nss_cmd_ctx); - if (!cmdctx) { - return ENOMEM; - } - cmdctx->cctx = cctx; - cmdctx->immediate = immediate; - - dctx = talloc_zero(cmdctx, struct nss_dom_ctx); - if (!dctx) { - ret = ENOMEM; - goto done; - } - dctx->cmdctx = cmdctx; - - /* do not query backends if we have a recent enumeration */ - if (nctx->enum_cache_timeout) { - if (nctx->last_group_enum + nctx->enum_cache_timeout > now) { - cmdctx->enum_cached = true; - } - } + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} - /* check if enumeration is enabled in any domain */ - for (dom = cctx->rctx->domains; dom; dom = dom->next) { - if (dom->enumerate != 0) break; - } - dctx->domain = dom; +static void nss_cmd_setgrent_done(struct tevent_req *req) +{ + errno_t ret; + struct nss_cmd_ctx *cmdctx = + tevent_req_callback_data(req, struct nss_cmd_ctx); - if (dctx->domain == NULL) { - DEBUG(2, ("Enumeration disabled on all domains!\n")); - if (cmdctx->immediate) { - ret = ENOENT; - } else { - ret = sss_packet_new(cctx->creq, 0, - sss_packet_get_cmd(cctx->creq->in), - &cctx->creq->out); - if (ret == EOK) { - sss_cmd_done(cctx, cmdctx); - } + ret = nss_cmd_setgrent_recv(req); + talloc_zfree(req); + if (ret == EOK || ret == ENOENT) { + /* Either we succeeded or no domains were eligible */ + ret = sss_packet_new(cmdctx->cctx->creq, 0, + sss_packet_get_cmd(cmdctx->cctx->creq->in), + &cmdctx->cctx->creq->out); + if (ret == EOK) { + sss_cmd_done(cmdctx->cctx, cmdctx); + return; } - goto done; } - dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider); - - /* ok, start the searches */ - ret = nss_cmd_getgrent_search(dctx); -done: - return nss_cmd_done(cmdctx, ret); -} - -static int nss_cmd_setgrent(struct cli_ctx *cctx) -{ - return nss_cmd_setgrent_ext(cctx, false); + /* Something bad happened */ + nss_cmd_done(cmdctx, ret); } static int nss_cmd_retgrent(struct cli_ctx *cctx, int num) @@ -2246,28 +2616,28 @@ static int nss_cmd_retgrent(struct cli_ctx *cctx, int num) gctx = nctx->gctx; while (ret == ENOENT) { - if (gctx->cur >= gctx->num) break; + if (cctx->grent_dom_idx >= gctx->num) break; - gdom = &gctx->doms[gctx->cur]; + gdom = &gctx->doms[cctx->grent_dom_idx]; - n = gdom->res->count - gdom->cur; - if (n == 0 && (gctx->cur+1 < gctx->num)) { - gctx->cur++; - gdom = &gctx->doms[gctx->cur]; - n = gdom->res->count - gdom->cur; + n = gdom->res->count - cctx->grent_cur; + if (n <= 0 && (cctx->grent_cur+1 < gctx->num)) { + cctx->grent_dom_idx++; + gdom = &gctx->doms[cctx->grent_dom_idx]; + n = gdom->res->count - cctx->grent_cur; } if (!n) break; if (n > num) n = num; - msgs = &(gdom->res->msgs[gdom->cur]); + msgs = &(gdom->res->msgs[cctx->grent_cur]); ret = fill_grent(cctx->creq->out, gdom->domain, nctx, true, msgs, &n); - gdom->cur += n; + cctx->grent_cur += n; } none: @@ -2308,29 +2678,77 @@ static int nss_cmd_getgrent_immediate(struct nss_cmd_ctx *cmdctx) return EOK; } +static void nss_cmd_implicit_setgrent_done(struct tevent_req *req); static int nss_cmd_getgrent(struct cli_ctx *cctx) { struct nss_ctx *nctx; struct nss_cmd_ctx *cmdctx; + struct tevent_req *req; DEBUG(4, ("Requesting info for all groups\n")); - nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); - - /* see if we need to trigger an implicit setpwent() */ - if (nctx->gctx == NULL) { - return nss_cmd_setgrent_ext(cctx, true); - } - cmdctx = talloc(cctx, struct nss_cmd_ctx); if (!cmdctx) { return ENOMEM; } cmdctx->cctx = cctx; + /* Save the current index and cursor locations + * If we end up calling setgrent implicitly, because the response object + * expired and has to be recreated, we want to resume from the same + * location. + */ + cmdctx->saved_dom_idx = cctx->grent_dom_idx; + cmdctx->saved_cur = cctx->grent_cur; + + nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); + if(!nctx->gctx || !nctx->gctx->ready) { + /* Make sure we invoke setgrent if it hasn't been run or is still + * processing from another client + */ + req = nss_cmd_setgrent_send(cctx, cctx); + if (!req) { + return EIO; + } + tevent_req_set_callback(req, nss_cmd_implicit_setgrent_done, cmdctx); + return EOK; + } + return nss_cmd_getgrent_immediate(cmdctx); } +static errno_t nss_cmd_setgrent_recv(struct tevent_req *req); +static void nss_cmd_implicit_setgrent_done(struct tevent_req *req) +{ + errno_t ret; + struct nss_cmd_ctx *cmdctx = + tevent_req_callback_data(req, struct nss_cmd_ctx); + + ret = nss_cmd_setgrent_recv(req); + talloc_zfree(req); + + /* ENOENT is acceptable, as it just means that there were no entries + * to be returned. This will be handled gracefully in nss_cmd_retpwent + * later. + */ + if (ret != EOK && ret != ENOENT) { + DEBUG(0, ("Implicit setgrent failed with unexpected error [%d][%s]\n", + ret, strerror(ret))); + NSS_CMD_FATAL_ERROR(cmdctx); + } + + /* Restore the saved index and cursor locations */ + cmdctx->cctx->grent_dom_idx = cmdctx->saved_dom_idx; + cmdctx->cctx->grent_cur = cmdctx->saved_cur; + + ret = nss_cmd_getgrent_immediate(cmdctx); + if (ret != EOK) { + DEBUG(0, ("Immediate retrieval failed with unexpected error " + "[%d][%s]\n", ret, strerror(ret))); + NSS_CMD_FATAL_ERROR(cmdctx); + } +} + static int nss_cmd_endgrent(struct cli_ctx *cctx) { struct nss_ctx *nctx; @@ -2350,9 +2768,9 @@ static int nss_cmd_endgrent(struct cli_ctx *cctx) } if (nctx->gctx == NULL) goto done; - /* free results and reset */ - talloc_free(nctx->gctx); - nctx->gctx = NULL; + /* Reset the indices so that subsequent requests start at zero */ + cctx->grent_dom_idx = 0; + cctx->grent_cur = 0; done: sss_cmd_done(cctx, NULL); @@ -2674,4 +3092,3 @@ int nss_cmd_execute(struct cli_ctx *cctx) return EINVAL; } - |