2015-06-12 12:14:35 +00:00
|
|
|
From fd92f2270544489149c4dae2aed513e506813c04 Mon Sep 17 00:00:00 2001
|
2015-05-08 12:53:58 +00:00
|
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
Date: Tue, 24 Mar 2015 15:35:01 +0100
|
2015-06-12 12:14:35 +00:00
|
|
|
Subject: [PATCH 25/30] sysdb: add sysdb_cache_password_ex()
|
2015-05-08 12:53:58 +00:00
|
|
|
MIME-Version: 1.0
|
|
|
|
|
Content-Type: text/plain; charset=UTF-8
|
|
|
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
|
|
|
|
|
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
(cherry picked from commit 55b7fdd837a780ab0f71cbfaa2403f4626993922)
|
|
|
|
|
---
|
|
|
|
|
src/db/sysdb.h | 9 +++++++++
|
|
|
|
|
src/db/sysdb_ops.c | 25 ++++++++++++++++++++---
|
|
|
|
|
src/tests/sysdb-tests.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
|
|
3 files changed, 84 insertions(+), 3 deletions(-)
|
|
|
|
|
|
|
|
|
|
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
|
|
|
|
index a1b6f207399555c85c14c8decf89edc498deb871..63d6d3cdc0baf49dff86a1aa62f61a4eacee7465 100644
|
|
|
|
|
--- a/src/db/sysdb.h
|
|
|
|
|
+++ b/src/db/sysdb.h
|
|
|
|
|
@@ -24,6 +24,7 @@
|
|
|
|
|
|
|
|
|
|
#include "util/util.h"
|
|
|
|
|
#include "confdb/confdb.h"
|
|
|
|
|
+#include "sss_client/sss_cli.h"
|
|
|
|
|
#include <tevent.h>
|
|
|
|
|
|
|
|
|
|
#define CACHE_SYSDB_FILE "cache_%s.ldb"
|
|
|
|
|
@@ -105,6 +106,8 @@
|
|
|
|
|
#define SYSDB_SERVERHOSTNAME "serverHostname"
|
|
|
|
|
|
|
|
|
|
#define SYSDB_CACHEDPWD "cachedPassword"
|
|
|
|
|
+#define SYSDB_CACHEDPWD_TYPE "cachedPasswordType"
|
|
|
|
|
+#define SYSDB_CACHEDPWD_FA2_LEN "cachedPasswordSecondFactorLen"
|
|
|
|
|
|
|
|
|
|
#define SYSDB_UUID "uniqueID"
|
|
|
|
|
#define SYSDB_SID "objectSID"
|
|
|
|
|
@@ -888,6 +891,12 @@ int sysdb_cache_password(struct sss_domain_info *domain,
|
|
|
|
|
const char *username,
|
|
|
|
|
const char *password);
|
|
|
|
|
|
|
|
|
|
+int sysdb_cache_password_ex(struct sss_domain_info *domain,
|
|
|
|
|
+ const char *username,
|
|
|
|
|
+ const char *password,
|
|
|
|
|
+ enum sss_authtok_type authtok_type,
|
|
|
|
|
+ size_t second_factor_size);
|
|
|
|
|
+
|
|
|
|
|
errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
|
|
|
|
|
struct ldb_message *ldb_msg,
|
|
|
|
|
uint32_t *failed_login_attempts,
|
|
|
|
|
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
|
|
|
|
index ea786d59158eb8a82952c7e457ea83286abbf2c4..083d2778c97fe4d6149e4fc030885c482c511105 100644
|
|
|
|
|
--- a/src/db/sysdb_ops.c
|
|
|
|
|
+++ b/src/db/sysdb_ops.c
|
|
|
|
|
@@ -2226,9 +2226,11 @@ int sysdb_remove_group_member(struct sss_domain_info *domain,
|
|
|
|
|
|
|
|
|
|
/* =Password-Caching====================================================== */
|
|
|
|
|
|
|
|
|
|
-int sysdb_cache_password(struct sss_domain_info *domain,
|
|
|
|
|
- const char *username,
|
|
|
|
|
- const char *password)
|
|
|
|
|
+int sysdb_cache_password_ex(struct sss_domain_info *domain,
|
|
|
|
|
+ const char *username,
|
|
|
|
|
+ const char *password,
|
|
|
|
|
+ enum sss_authtok_type authtok_type,
|
|
|
|
|
+ size_t second_factor_len)
|
|
|
|
|
{
|
|
|
|
|
TALLOC_CTX *tmp_ctx;
|
|
|
|
|
struct sysdb_attrs *attrs;
|
|
|
|
|
@@ -2261,6 +2263,15 @@ int sysdb_cache_password(struct sss_domain_info *domain,
|
|
|
|
|
ret = sysdb_attrs_add_string(attrs, SYSDB_CACHEDPWD, hash);
|
|
|
|
|
if (ret) goto fail;
|
|
|
|
|
|
|
|
|
|
+ ret = sysdb_attrs_add_long(attrs, SYSDB_CACHEDPWD_TYPE, authtok_type);
|
|
|
|
|
+ if (ret) goto fail;
|
|
|
|
|
+
|
|
|
|
|
+ if (authtok_type == SSS_AUTHTOK_TYPE_2FA && second_factor_len > 0) {
|
|
|
|
|
+ ret = sysdb_attrs_add_long(attrs, SYSDB_CACHEDPWD_FA2_LEN,
|
|
|
|
|
+ second_factor_len);
|
|
|
|
|
+ if (ret) goto fail;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
/* FIXME: should we use a different attribute for chache passwords ?? */
|
|
|
|
|
ret = sysdb_attrs_add_long(attrs, "lastCachedPasswordChange",
|
|
|
|
|
(long)time(NULL));
|
|
|
|
|
@@ -2285,6 +2296,14 @@ fail:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+int sysdb_cache_password(struct sss_domain_info *domain,
|
|
|
|
|
+ const char *username,
|
|
|
|
|
+ const char *password)
|
|
|
|
|
+{
|
|
|
|
|
+ return sysdb_cache_password_ex(domain, username, password,
|
|
|
|
|
+ SSS_AUTHTOK_TYPE_PASSWORD, 0);
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
/* =Custom Search================== */
|
|
|
|
|
|
|
|
|
|
int sysdb_search_custom(TALLOC_CTX *mem_ctx,
|
|
|
|
|
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
|
|
|
|
|
index 450a9d1d693135c296f3433d905d1aba115548b8..3d5e97afbfaa5441281ef193d072122204db0514 100644
|
|
|
|
|
--- a/src/tests/sysdb-tests.c
|
|
|
|
|
+++ b/src/tests/sysdb-tests.c
|
|
|
|
|
@@ -1808,6 +1808,57 @@ START_TEST (test_sysdb_cache_password)
|
|
|
|
|
}
|
|
|
|
|
END_TEST
|
|
|
|
|
|
|
|
|
|
+START_TEST (test_sysdb_cache_password_ex)
|
|
|
|
|
+{
|
|
|
|
|
+ struct sysdb_test_ctx *test_ctx;
|
|
|
|
|
+ struct test_data *data;
|
|
|
|
|
+ int ret;
|
|
|
|
|
+ struct ldb_result *res;
|
|
|
|
|
+ const char *attrs[] = { SYSDB_CACHEDPWD_TYPE, SYSDB_CACHEDPWD_FA2_LEN,
|
|
|
|
|
+ NULL };
|
|
|
|
|
+ int val;
|
|
|
|
|
+
|
|
|
|
|
+ /* Setup */
|
|
|
|
|
+ ret = setup_sysdb_tests(&test_ctx);
|
|
|
|
|
+ fail_unless(ret == EOK, "Could not set up the test");
|
|
|
|
|
+
|
|
|
|
|
+ data = talloc_zero(test_ctx, struct test_data);
|
|
|
|
|
+ data->ctx = test_ctx;
|
|
|
|
|
+ data->ev = test_ctx->ev;
|
|
|
|
|
+ data->username = talloc_asprintf(data, "testuser%d", _i);
|
|
|
|
|
+
|
|
|
|
|
+ ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username,
|
|
|
|
|
+ attrs, &res);
|
|
|
|
|
+ fail_unless(ret == EOK, "sysdb_get_user_attr request failed [%d].", ret);
|
|
|
|
|
+
|
|
|
|
|
+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_TYPE, 0);
|
|
|
|
|
+ fail_unless(val == SSS_AUTHTOK_TYPE_PASSWORD,
|
|
|
|
|
+ "Unexptected authtok type, found [%d], expected [%d].",
|
|
|
|
|
+ val, SSS_AUTHTOK_TYPE_PASSWORD);
|
|
|
|
|
+
|
|
|
|
|
+ ret = sysdb_cache_password_ex(test_ctx->domain, data->username,
|
|
|
|
|
+ data->username, SSS_AUTHTOK_TYPE_2FA, 12);
|
|
|
|
|
+
|
|
|
|
|
+ fail_unless(ret == EOK, "sysdb_cache_password request failed [%d].", ret);
|
|
|
|
|
+
|
|
|
|
|
+ ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username,
|
|
|
|
|
+ attrs, &res);
|
|
|
|
|
+ fail_unless(ret == EOK, "sysdb_get_user_attr request failed [%d].", ret);
|
|
|
|
|
+
|
|
|
|
|
+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_TYPE, 0);
|
|
|
|
|
+ fail_unless(val == SSS_AUTHTOK_TYPE_2FA,
|
|
|
|
|
+ "Unexptected authtok type, found [%d], expected [%d].",
|
|
|
|
|
+ val, SSS_AUTHTOK_TYPE_2FA);
|
|
|
|
|
+
|
|
|
|
|
+ val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_FA2_LEN, 0);
|
|
|
|
|
+ fail_unless(val == 12,
|
|
|
|
|
+ "Unexptected second factor lenght, found [%d], expected [%d].",
|
|
|
|
|
+ val, 12);
|
|
|
|
|
+
|
|
|
|
|
+ talloc_free(test_ctx);
|
|
|
|
|
+}
|
|
|
|
|
+END_TEST
|
|
|
|
|
+
|
|
|
|
|
static void cached_authentication_without_expiration(const char *username,
|
|
|
|
|
const char *password,
|
|
|
|
|
int expected_result)
|
|
|
|
|
@@ -6256,6 +6307,8 @@ Suite *create_sysdb_suite(void)
|
|
|
|
|
27010, 27011);
|
|
|
|
|
tcase_add_loop_test(tc_sysdb, test_sysdb_cached_authentication, 27010, 27011);
|
|
|
|
|
|
|
|
|
|
+ tcase_add_loop_test(tc_sysdb, test_sysdb_cache_password_ex, 27010, 27011);
|
|
|
|
|
+
|
|
|
|
|
/* ASQ search test */
|
|
|
|
|
tcase_add_loop_test(tc_sysdb, test_sysdb_prepare_asq_test_user, 28011, 28020);
|
|
|
|
|
tcase_add_test(tc_sysdb, test_sysdb_asq_search);
|
|
|
|
|
--
|
2015-06-12 12:14:35 +00:00
|
|
|
2.4.3
|
2015-05-08 12:53:58 +00:00
|
|
|
|
