From 6236b14d20151053f5ccad1fc8ee9b669d4b0ffb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 14 Mar 2017 11:17:05 +0100
Subject: [PATCH 34/36] KCM: Make the secrets ccache back end configurable,
 make secrets the default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds a new option 'ccache_storage' that allows selecting either the
memory back end or the secrets back end. The secrets back end is the
default one and this option is even undocumented.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
---
 src/confdb/confdb.h                  |  1 +
 src/config/cfg_rules.ini             |  1 +
 src/responder/kcm/kcm.c              | 49 ++++++++++++++++++++++++++++++++----
 src/responder/kcm/kcmsrv_ccache.c    |  2 +-
 src/responder/kcm/kcmsrv_ccache.h    |  6 +----
 src/responder/kcm/kcmsrv_ccache_be.h |  1 +
 src/responder/kcm/kcmsrv_pvt.h       |  7 ++++++
 7 files changed, 56 insertions(+), 11 deletions(-)
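--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -234,6 +234,7 @@
 /* KCM Service */
 #define CONFDB_KCM_CONF_ENTRY "config/kcm"
 #define CONFDB_KCM_SOCKET "socket_path"
+#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */
 
 struct confdb_ctx;
 struct config_file_ctx;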
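--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -280,6 +280,7 @@ option = fd_limit
 option = client_idle_timeout
 option = description
 option = socket_path
+option = ccache_storage
 
 [rule/allowed_domain_options]
 validator = ini_allowed_options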
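--- a/src/responder/kcm/kcm.c
+++ b/src/responder/kcm/kcm.c
@@ -47,6 +47,37 @@ static int kcm_responder_ctx_destructor(void *ptr)
     return 0;
 }
 
+static errno_t kcm_get_ccdb_be(struct kcm_ctx *kctx)
+{
+    errno_t ret;
+    char *str_db;
+
+    ret = confdb_get_string(kctx->rctx->cdb,
+                            kctx->rctx,
+                            kctx->rctx->confdb_service_path,
+                            CONFDB_KCM_DB,
+                            "secrets",
+                            &str_db);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Cannot get the KCM database type [%d]: %s\n",
+               ret, strerror(ret));
+        return ret;
+    }
+
+    DEBUG(SSSDBG_CONF_SETTINGS, "KCM database type: %s\n", str_db);
+    if (strcasecmp(str_db, "memory") == 0) {
+        kctx->cc_be = CCDB_BE_MEMORY;
+        return EOK;
+    } else if (strcasecmp(str_db, "secrets") == 0) {
+        kctx->cc_be = CCDB_BE_SECRETS;
+        return EOK;
+    }
+
+    DEBUG(SSSDBG_FATAL_FAILURE, "Unexpected KCM database type %s\n", str_db);
+    return EOK;
+}
+
 static int kcm_get_config(struct kcm_ctx *kctx)
 {
     int ret;
@@ -88,14 +119,21 @@ static int kcm_get_config(struct kcm_ctx *kctx)
                             &sock_name);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
-              "Cannot get the client idle timeout [%d]: %s\n",
+              "Cannot get KCM socket path [%d]: %s\n",
                ret, strerror(ret));
         goto done;
     }
     kctx->rctx->sock_name = sock_name;
 
+    ret = kcm_get_ccdb_be(kctx);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Cannot get KCM ccache DB [%d]: %s\n",
+               ret, strerror(ret));
+        goto done;
+    }
+
     ret = EOK;
-
 done:
     return ret;
 }
@@ -111,7 +149,8 @@ static int kcm_data_destructor(void *ptr)
 }
 
 static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx,
-                                           struct tevent_context *ev)
+                                           struct tevent_context *ev,
+                                           enum kcm_ccdb_be cc_be)
 {
     struct kcm_resp_ctx *kcm_data;
     krb5_error_code kret;
@@ -122,7 +161,7 @@ static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx,
         return NULL;
     }
 
-    kcm_data->db = kcm_ccdb_init(kcm_data, ev, CCDB_BE_MEMORY);
+    kcm_data->db = kcm_ccdb_init(kcm_data, ev, cc_be);
     if (kcm_data->db == NULL) {
         talloc_free(kcm_data);
         return NULL;
@@ -176,7 +215,7 @@ static int kcm_process_init(TALLOC_CTX *mem_ctx,
         goto fail;
     }
 
-    kctx->kcm_data = kcm_data_setup(kctx, ev);
+    kctx->kcm_data = kcm_data_setup(kctx, ev, kctx->cc_be);
     if (kctx->kcm_data == NULL) {
         DEBUG(SSSDBG_FATAL_FAILURE,
               "fatal error initializing responder data\n");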
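Review bot: The last statement of kcm_get_ccdb_be returns `EOK` right after logging "Unexpected KCM database type" at SSSDBG_FATAL_FAILURE, so an unrecognised ccache_storage value is reported as success and kctx->cc_be is never assigned on that path. kcm_process_init then hands whatever cc_be holds to kcm_data_setup, which means a typo in the option can silently select a credential-cache back end the administrator did not ask for (which one depends on how kctx is initialised, not visible here). Change that final line to `return EINVAL;` so kcm_get_config takes its `goto done` failure path and the responder refuses to start. Separately, str_db appears to be allocated on kctx->rctx by confdb_get_string and is not released on any return path; a `talloc_free(str_db);` before each return would keep it from living as long as the responder context.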
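--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -244,7 +244,7 @@ struct kcm_ccdb *kcm_ccdb_init(TALLOC_CTX *mem_ctx,
         break;
     case CCDB_BE_SECRETS:
         DEBUG(SSSDBG_FUNC_DATA, "KCM back end: sssd-secrets\n");
-        /* Not implemented yet */
+        ccdb->ops = &ccdb_sec_ops;
         break;
     default:
         DEBUG(SSSDBG_CRIT_FAILURE, "Unknown ccache database\n");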
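--- a/src/responder/kcm/kcmsrv_ccache.h
+++ b/src/responder/kcm/kcmsrv_ccache.h
@@ -29,6 +29,7 @@
 #include "util/util.h"
 #include "util/sss_iobuf.h"
 #include "util/util_creds.h"
+#include "responder/kcm/kcmsrv_pvt.h"
 
 #define UUID_BYTES    16
 #define UUID_STR_SIZE 37
@@ -113,11 +114,6 @@ errno_t kcm_cc_store_cred_blob(struct kcm_ccache *cc,
 struct kcm_cred *kcm_cc_get_cred(struct kcm_ccache *cc);
 struct kcm_cred *kcm_cc_next_cred(struct kcm_cred *crd);
 
-enum kcm_ccdb_be {
-    CCDB_BE_MEMORY,
-    CCDB_BE_SECRETS,
-};
-
 /* An opaque database that contains all the ccaches */
 struct kcm_ccdb;
 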
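--- a/src/responder/kcm/kcmsrv_ccache_be.h
+++ b/src/responder/kcm/kcmsrv_ccache_be.h
@@ -200,5 +200,6 @@ struct kcm_ccdb_ops {
 };
 
 extern const struct kcm_ccdb_ops ccdb_mem_ops;
+extern const struct kcm_ccdb_ops ccdb_sec_ops;
 
 #endif /* _KCMSRV_CCACHE_BE_ */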
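--- a/src/responder/kcm/kcmsrv_pvt.h
+++ b/src/responder/kcm/kcmsrv_pvt.h
@@ -49,6 +49,12 @@ struct kcm_resp_ctx {
     struct kcm_ccdb *db;
 };
 
+/* Supported ccache back ends */
+enum kcm_ccdb_be {
+    CCDB_BE_MEMORY,
+    CCDB_BE_SECRETS,
+};
+
 /*
  * responder context that contains both the responder data,
  * like the ccaches and the sssd-specific stuff like the
@@ -58,6 +64,7 @@ struct kcm_ctx {
     struct resp_ctx *rctx;
     int fd_limit;
     char *socket_path;
+    enum kcm_ccdb_be cc_be;
 
     struct kcm_resp_ctx *kcm_data;
 };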
-- 
2.9.3