sssd/0062-DESKPROFILE-Add-ipa_deskprofile_request_interval.patch

From 4a311702045b065a97a0c0fc0ccc7a1fc84b38cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Thu, 17 Aug 2017 19:49:22 +0200
Subject: [PATCH 62/93] DESKPROFILE: Add ipa_deskprofile_request_interval
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This option has been added to avoid contacting the Data Provider when no
rules were found in the previous request.

By adding this configurable option we avoid contacting the Data Provider
too often in the case described above and also when the server doesn't
support Desktop Profile's integration.

Resolves: https://pagure.io/SSSD/sssd/issue/3482

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/config/SSSDConfig/__init__.py.in    |  1 +
 src/config/cfg_rules.ini                |  1 +
 src/config/etc/sssd.api.d/sssd-ipa.conf |  1 +
 src/man/sssd-ipa.5.xml                  | 14 ++++++++++++++
 src/providers/ipa/ipa_common.h          |  1 +
 src/providers/ipa/ipa_opts.c            |  1 +
 src/providers/ipa/ipa_session.c         | 33 ++++++++++++++++++++++++++++++++-
 src/providers/ipa/ipa_session.h         |  2 ++
 8 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 2a19b60a987c5f2c5c59ac2466f8f6821803e146..8c56e4efa4ae7c648f670bb6a67290b6e835f581 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -220,6 +220,7 @@ option_strings = {
     'ipa_group_override_object_class': _("Objectclass for group override objects"),
     'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"),
     'ipa_deskprofile_refresh': _("The amount of time in seconds between lookups of the Desktop Profile rules against the IPA server"),
+    'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles rules against the IPA server when the last request did not find any rule"),
 
     # [provider/ad]
     'ad_domain' : _('Active Directory domain'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 3ebd39e93cec6d1ddf547d7ebdb49884e637f8c7..ae60c73c871e1ac18a26124232e1f9f7c9f8fabb 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -440,6 +440,7 @@ option = ipa_anchor_uuid
 option = ipa_automount_location
 option = ipa_backup_server
 option = ipa_deskprofile_refresh
+option = ipa_deskprofile_request_interval
 option = ipa_deskprofile_search_base
 option = ipa_domain
 option = ipa_dyndns_iface
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 8178b123e3b42cb92029db8b879d26f1fd16cf3e..ab9634c7a69026099fcc8f59aa26a89a43671f0a 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -195,6 +195,7 @@ ldap_autofs_search_base = str, None, false
 
 [provider/ipa/session]
 ipa_deskprofile_refresh = int, None, false
+ipa_deskprofile_request_interval = int, None, false
 ipa_host_object_class = str, None, false
 ipa_host_name = str, None, false
 ipa_host_fqdn = str, None, false
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 4d1c3c8a11dea956c31be690f5bdceea94252fd2..4cf07142c53798ea154032bdc560a8160e1c585a 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -476,6 +476,20 @@
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>ipa_deskprofile_request_interval (integer)</term>
+                    <listitem>
+                        <para>
+                            The amount of time between lookups of the Desktop
+                            Profile rules against the IPA server in case the
+                            last request did not return any rule.
+                        </para>
+                        <para>
+                            Default: 60 (minutes)
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>ipa_hbac_refresh (integer)</term>
                     <listitem>
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 5b3507cd47aab75a4a7bbc16a8146d82411f2d16..5197a9af08f86e042244c495cc37e728fae63cc5 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -58,6 +58,7 @@ enum ipa_basic_opt {
     IPA_KRB5_CONFD_PATH,
     IPA_DESKPROFILE_SEARCH_BASE,
     IPA_DESKPROFILE_REFRESH,
+    IPA_DESKPROFILE_REQUEST_INTERVAL,
 
     IPA_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
index 4836445dad82c4d3ecaecc32d22cb6f9730f0fcb..09b78f726caa4efa4106ad741066018565f1ace1 100644
--- a/src/providers/ipa/ipa_opts.c
+++ b/src/providers/ipa/ipa_opts.c
@@ -50,6 +50,7 @@ struct dp_option ipa_basic_opts[] = {
     { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
     { "ipa_deskprofile_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ipa_deskprofile_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
+    { "ipa_deskprofile_request_interval", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
index 7adf8b6d7dfef9b2c29c1ee42f47842131773e90..8559284c9b453129400626e0cf93e70275e80301 100644
--- a/src/providers/ipa/ipa_session.c
+++ b/src/providers/ipa/ipa_session.c
@@ -42,6 +42,8 @@
 #define SSS_FLEETCOMMANDERCLIENT_PATH "/org/freedesktop/FleetCommanderClient"
 #define SSS_FLEETCOMMANDERCLIENT_IFACE "org.freedesktop.FleetCommanderClient"
 
+#define MINUTE_IN_SECONDS 60
+
 struct ipa_fetch_deskprofile_state {
     struct tevent_context *ev;
     struct be_ctx *be_ctx;
@@ -80,6 +82,8 @@ ipa_fetch_deskprofile_send(TALLOC_CTX *mem_ctx,
     struct tevent_req *req;
     time_t now;
     time_t refresh_interval;
+    time_t request_interval;
+    time_t next_request;
     bool offline;
     errno_t ret;
 
@@ -122,13 +126,34 @@ ipa_fetch_deskprofile_send(TALLOC_CTX *mem_ctx,
         goto immediately;
     }
 
+    now = time(NULL);
+
+    request_interval = dp_opt_get_int(state->ipa_options,
+                                      IPA_DESKPROFILE_REQUEST_INTERVAL);
+    /* This value is in minutes ... */
+    request_interval *= MINUTE_IN_SECONDS;
+
+    if (state->session_ctx->no_rules_found &&
+        now < session_ctx->last_request + request_interval) {
+        next_request = (session_ctx->last_request + request_interval - now);
+        /* This value is in seconds ... */
+        next_request /= 60;
+        DEBUG(SSSDBG_TRACE_FUNC,
+              "No rules were found in the last request.\n"
+              "Next request will happen in any login after %"PRIu64" minutes\n",
+              next_request);
+        ret = ENOENT;
+        goto immediately;
+    }
+
+    state->session_ctx->no_rules_found = false;
+
     offline = be_is_offline(be_ctx);
     DEBUG(SSSDBG_TRACE_ALL, "Connection status is [%s].\n",
           offline ? "offline" : "online");
 
     refresh_interval = dp_opt_get_int(state->ipa_options,
                                       IPA_DESKPROFILE_REFRESH);
-    now = time(NULL);
 
     if (offline || now < session_ctx->last_update + refresh_interval) {
         DEBUG(SSSDBG_TRACE_FUNC,
@@ -540,6 +565,10 @@ ipa_pam_session_handler_done(struct tevent_req *subreq)
 
     if (ret == ENOENT) {
         DEBUG(SSSDBG_IMPORTANT_INFO, "No Desktop Profile rules found\n");
+        if (!state->session_ctx->no_rules_found) {
+            state->session_ctx->no_rules_found = true;
+            state->session_ctx->last_request = time(NULL);
+        }
         state->pd->pam_status = PAM_SUCCESS;
         goto done;
     } else if (ret != EOK) {
@@ -550,6 +579,8 @@ ipa_pam_session_handler_done(struct tevent_req *subreq)
         goto done;
     }
 
+    state->session_ctx->last_request = time(NULL);
+
     hostname = dp_opt_get_string(state->session_ctx->ipa_options, IPA_HOSTNAME);
     ret = ipa_pam_session_handler_save_deskprofile_rules(state->be_ctx,
                                                          state->be_ctx->domain,
diff --git a/src/providers/ipa/ipa_session.h b/src/providers/ipa/ipa_session.h
index aac99844df0c0d158b63ad67bd89896611891551..0c4d54f8555dd1eeaca43299500b12b1d81b872f 100644
--- a/src/providers/ipa/ipa_session.h
+++ b/src/providers/ipa/ipa_session.h
@@ -31,6 +31,8 @@ struct ipa_session_ctx {
     struct sdap_id_ctx *sdap_ctx;
     struct dp_option *ipa_options;
     time_t last_update;
+    time_t last_request;
+    bool no_rules_found;
 
     struct sdap_attr_map *host_map;
     struct sdap_attr_map *hostgroup_map;
-- 
2.14.1
Backport few upstream patches/fixes (cherry picked from commit fa4807ec456a6e246d387bcadc4a1f237a3065b9) (cherry picked from commit 323dbdee02385eee933a04c0e86db88d00351f24) (cherry picked from commit 7e532024f07845d03735f64dbf10fcc285967722) 2017-09-01 18:52:07 +00:00			`From 4a311702045b065a97a0c0fc0ccc7a1fc84b38cf Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>`
			`Date: Thu, 17 Aug 2017 19:49:22 +0200`
			`Subject: [PATCH 62/93] DESKPROFILE: Add ipa_deskprofile_request_interval`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`This option has been added to avoid contacting the Data Provider when no`
			`rules were found in the previous request.`

			`By adding this configurable option we avoid contacting the Data Provider`
			`too often in the case described above and also when the server doesn't`
			`support Desktop Profile's integration.`

			`Resolves: https://pagure.io/SSSD/sssd/issue/3482`

			`Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>`

			`Reviewed-by: Pavel Březina <pbrezina@redhat.com>`
			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`---`
			`src/config/SSSDConfig/__init__.py.in \| 1 +`
			`src/config/cfg_rules.ini \| 1 +`
			`src/config/etc/sssd.api.d/sssd-ipa.conf \| 1 +`
			`src/man/sssd-ipa.5.xml \| 14 ++++++++++++++`
			`src/providers/ipa/ipa_common.h \| 1 +`
			`src/providers/ipa/ipa_opts.c \| 1 +`
			`src/providers/ipa/ipa_session.c \| 33 ++++++++++++++++++++++++++++++++-`
			`src/providers/ipa/ipa_session.h \| 2 ++`
			`8 files changed, 53 insertions(+), 1 deletion(-)`

			`diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in`
			`index 2a19b60a987c5f2c5c59ac2466f8f6821803e146..8c56e4efa4ae7c648f670bb6a67290b6e835f581 100644`
			`--- a/src/config/SSSDConfig/__init__.py.in`
			`+++ b/src/config/SSSDConfig/__init__.py.in`
			`@@ -220,6 +220,7 @@ option_strings = {`
			`'ipa_group_override_object_class': _("Objectclass for group override objects"),`
			`'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"),`
			`'ipa_deskprofile_refresh': _("The amount of time in seconds between lookups of the Desktop Profile rules against the IPA server"),`
			`+ 'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles rules against the IPA server when the last request did not find any rule"),`

			`# [provider/ad]`
			`'ad_domain' : _('Active Directory domain'),`
			`diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini`
			`index 3ebd39e93cec6d1ddf547d7ebdb49884e637f8c7..ae60c73c871e1ac18a26124232e1f9f7c9f8fabb 100644`
			`--- a/src/config/cfg_rules.ini`
			`+++ b/src/config/cfg_rules.ini`
			`@@ -440,6 +440,7 @@ option = ipa_anchor_uuid`
			`option = ipa_automount_location`
			`option = ipa_backup_server`
			`option = ipa_deskprofile_refresh`
			`+option = ipa_deskprofile_request_interval`
			`option = ipa_deskprofile_search_base`
			`option = ipa_domain`
			`option = ipa_dyndns_iface`
			`diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf`
			`index 8178b123e3b42cb92029db8b879d26f1fd16cf3e..ab9634c7a69026099fcc8f59aa26a89a43671f0a 100644`
			`--- a/src/config/etc/sssd.api.d/sssd-ipa.conf`
			`+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf`
			`@@ -195,6 +195,7 @@ ldap_autofs_search_base = str, None, false`

			`[provider/ipa/session]`
			`ipa_deskprofile_refresh = int, None, false`
			`+ipa_deskprofile_request_interval = int, None, false`
			`ipa_host_object_class = str, None, false`
			`ipa_host_name = str, None, false`
			`ipa_host_fqdn = str, None, false`
			`diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml`
			`index 4d1c3c8a11dea956c31be690f5bdceea94252fd2..4cf07142c53798ea154032bdc560a8160e1c585a 100644`
			`--- a/src/man/sssd-ipa.5.xml`
			`+++ b/src/man/sssd-ipa.5.xml`
			`@@ -476,6 +476,20 @@`
			`</listitem>`
			`</varlistentry>`

			`+ <varlistentry>`
			`+ <term>ipa_deskprofile_request_interval (integer)</term>`
			`+ <listitem>`
			`+ <para>`
			`+ The amount of time between lookups of the Desktop`
			`+ Profile rules against the IPA server in case the`
			`+ last request did not return any rule.`
			`+ </para>`
			`+ <para>`
			`+ Default: 60 (minutes)`
			`+ </para>`
			`+ </listitem>`
			`+ </varlistentry>`
			`+`
			`<varlistentry>`
			`<term>ipa_hbac_refresh (integer)</term>`
			`<listitem>`
			`diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h`
			`index 5b3507cd47aab75a4a7bbc16a8146d82411f2d16..5197a9af08f86e042244c495cc37e728fae63cc5 100644`
			`--- a/src/providers/ipa/ipa_common.h`
			`+++ b/src/providers/ipa/ipa_common.h`
			`@@ -58,6 +58,7 @@ enum ipa_basic_opt {`
			`IPA_KRB5_CONFD_PATH,`
			`IPA_DESKPROFILE_SEARCH_BASE,`
			`IPA_DESKPROFILE_REFRESH,`
			`+ IPA_DESKPROFILE_REQUEST_INTERVAL,`

			`IPA_OPTS_BASIC /* opts counter */`
			`};`
			`diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c`
			`index 4836445dad82c4d3ecaecc32d22cb6f9730f0fcb..09b78f726caa4efa4106ad741066018565f1ace1 100644`
			`--- a/src/providers/ipa/ipa_opts.c`
			`+++ b/src/providers/ipa/ipa_opts.c`
			`@@ -50,6 +50,7 @@ struct dp_option ipa_basic_opts[] = {`
			`{ "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },`
			`{ "ipa_deskprofile_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },`
			`{ "ipa_deskprofile_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },`
			`+ { "ipa_deskprofile_request_interval", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },`
			`DP_OPTION_TERMINATOR`
			`};`

			`diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c`
			`index 7adf8b6d7dfef9b2c29c1ee42f47842131773e90..8559284c9b453129400626e0cf93e70275e80301 100644`
			`--- a/src/providers/ipa/ipa_session.c`
			`+++ b/src/providers/ipa/ipa_session.c`
			`@@ -42,6 +42,8 @@`
			`#define SSS_FLEETCOMMANDERCLIENT_PATH "/org/freedesktop/FleetCommanderClient"`
			`#define SSS_FLEETCOMMANDERCLIENT_IFACE "org.freedesktop.FleetCommanderClient"`

			`+#define MINUTE_IN_SECONDS 60`
			`+`
			`struct ipa_fetch_deskprofile_state {`
			`struct tevent_context *ev;`
			`struct be_ctx *be_ctx;`
			`@@ -80,6 +82,8 @@ ipa_fetch_deskprofile_send(TALLOC_CTX *mem_ctx,`
			`struct tevent_req *req;`
			`time_t now;`
			`time_t refresh_interval;`
			`+ time_t request_interval;`
			`+ time_t next_request;`
			`bool offline;`
			`errno_t ret;`

			`@@ -122,13 +126,34 @@ ipa_fetch_deskprofile_send(TALLOC_CTX *mem_ctx,`
			`goto immediately;`
			`}`

			`+ now = time(NULL);`
			`+`
			`+ request_interval = dp_opt_get_int(state->ipa_options,`
			`+ IPA_DESKPROFILE_REQUEST_INTERVAL);`
			`+ /* This value is in minutes ... */`
			`+ request_interval *= MINUTE_IN_SECONDS;`
			`+`
			`+ if (state->session_ctx->no_rules_found &&`
			`+ now < session_ctx->last_request + request_interval) {`
			`+ next_request = (session_ctx->last_request + request_interval - now);`
			`+ /* This value is in seconds ... */`
			`+ next_request /= 60;`
			`+ DEBUG(SSSDBG_TRACE_FUNC,`
			`+ "No rules were found in the last request.\n"`
			`+ "Next request will happen in any login after %"PRIu64" minutes\n",`
			`+ next_request);`
			`+ ret = ENOENT;`
			`+ goto immediately;`
			`+ }`
			`+`
			`+ state->session_ctx->no_rules_found = false;`
			`+`
			`offline = be_is_offline(be_ctx);`
			`DEBUG(SSSDBG_TRACE_ALL, "Connection status is [%s].\n",`
			`offline ? "offline" : "online");`

			`refresh_interval = dp_opt_get_int(state->ipa_options,`
			`IPA_DESKPROFILE_REFRESH);`
			`- now = time(NULL);`

			`if (offline \|\| now < session_ctx->last_update + refresh_interval) {`
			`DEBUG(SSSDBG_TRACE_FUNC,`
			`@@ -540,6 +565,10 @@ ipa_pam_session_handler_done(struct tevent_req *subreq)`

			`if (ret == ENOENT) {`
			`DEBUG(SSSDBG_IMPORTANT_INFO, "No Desktop Profile rules found\n");`
			`+ if (!state->session_ctx->no_rules_found) {`
			`+ state->session_ctx->no_rules_found = true;`
			`+ state->session_ctx->last_request = time(NULL);`
			`+ }`
			`state->pd->pam_status = PAM_SUCCESS;`
			`goto done;`
			`} else if (ret != EOK) {`
			`@@ -550,6 +579,8 @@ ipa_pam_session_handler_done(struct tevent_req *subreq)`
			`goto done;`
			`}`

			`+ state->session_ctx->last_request = time(NULL);`
			`+`
			`hostname = dp_opt_get_string(state->session_ctx->ipa_options, IPA_HOSTNAME);`
			`ret = ipa_pam_session_handler_save_deskprofile_rules(state->be_ctx,`
			`state->be_ctx->domain,`
			`diff --git a/src/providers/ipa/ipa_session.h b/src/providers/ipa/ipa_session.h`
			`index aac99844df0c0d158b63ad67bd89896611891551..0c4d54f8555dd1eeaca43299500b12b1d81b872f 100644`
			`--- a/src/providers/ipa/ipa_session.h`
			`+++ b/src/providers/ipa/ipa_session.h`
			`@@ -31,6 +31,8 @@ struct ipa_session_ctx {`
			`struct sdap_id_ctx *sdap_ctx;`
			`struct dp_option *ipa_options;`
			`time_t last_update;`
			`+ time_t last_request;`
			`+ bool no_rules_found;`

			`struct sdap_attr_map *host_map;`
			`struct sdap_attr_map *hostgroup_map;`
			`--`
			`2.14.1`