From 7a162ca3ea0bf8ef6b13795a00baa28d17f6131d Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 30 May 2017 12:31:57 +0200 Subject: [PATCH 87/93] SECRETS: Store quotas in a per-hive configuration structure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds two new structures to hold the quotas and associate a quota with a hive. This is just an internal change for now, but will allow us to read quota configuration from per-hive sections later. Reviewed-by: Simo Sorce Reviewed-by: Fabiano FidĂȘncio --- src/responder/secrets/local.c | 21 +++++++++------------ src/responder/secrets/secsrv.c | 6 +++--- src/responder/secrets/secsrv.h | 17 ++++++++++++++--- 3 files changed, 26 insertions(+), 18 deletions(-) diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c index 66401ef50d9114a9ab493f0e46d1ad38dd854365..0b879939f25487b0275d5144f5e27b2873b3fbae 100644 --- a/src/responder/secrets/local.c +++ b/src/responder/secrets/local.c @@ -34,9 +34,8 @@ struct local_context { struct ldb_context *ldb; struct sec_data master_key; - int containers_nest_level; - int max_secrets; - int max_payload_size; + + struct sec_quota *quota_secrets; }; static int local_decrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx, @@ -398,11 +397,11 @@ static int local_db_check_containers_nest_level(struct local_context *lctx, /* We need do not care for the synthetic containers that constitute the * base path (cn=,cn=user,cn=secrets). */ nest_level = ldb_dn_get_comp_num(leaf_dn) - 3; - if (nest_level > lctx->containers_nest_level) { + if (nest_level > lctx->quota_secrets->containers_nest_level) { DEBUG(SSSDBG_OP_FAILURE, "Cannot create a nested container of depth %d as the maximum" "allowed number of nested containers is %d.\n", - nest_level, lctx->containers_nest_level); + nest_level, lctx->quota_secrets->containers_nest_level); return ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL; } @@ -430,10 +429,10 @@ static int local_db_check_number_of_secrets(TALLOC_CTX *mem_ctx, ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE, attrs, LOCAL_SIMPLE_FILTER); - if (res->count >= lctx->max_secrets) { + if (res->count >= lctx->quota_secrets->max_secrets) { DEBUG(SSSDBG_OP_FAILURE, "Cannot store any more secrets as the maximum allowed limit (%d) " - "has been reached\n", lctx->max_secrets); + "has been reached\n", lctx->quota_secrets->max_secrets); ret = ERR_SEC_INVALID_TOO_MANY_SECRETS; goto done; @@ -451,14 +450,14 @@ static int local_check_max_payload_size(struct local_context *lctx, { int max_payload_size; - max_payload_size = lctx->max_payload_size * 1024; /* kb */ + max_payload_size = lctx->quota_secrets->max_payload_size * 1024; /* kb */ if (payload_size > max_payload_size) { DEBUG(SSSDBG_OP_FAILURE, "Secrets' payload size [%d kb (%d)] exceeds the maximum allowed " "payload size [%d kb (%d)]\n", payload_size * 1024, /* kb */ payload_size, - lctx->max_payload_size, /* kb */ + lctx->quota_secrets->max_payload_size, /* kb */ max_payload_size); return ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE; @@ -1019,9 +1018,7 @@ int local_secrets_provider_handle(struct sec_ctx *sctx, return EIO; } - lctx->containers_nest_level = sctx->containers_nest_level; - lctx->max_secrets = sctx->max_secrets; - lctx->max_payload_size = sctx->max_payload_size; + lctx->quota_secrets = &sctx->sec_config.quota; lctx->master_key.data = talloc_size(lctx, MKEY_SIZE); if (!lctx->master_key.data) return ENOMEM; diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c index ae2a658ae131e742466796cc47892a234e46f7d3..e3a8c1476af8d9c2c8b87a11ca930e12f381ef94 100644 --- a/src/responder/secrets/secsrv.c +++ b/src/responder/secrets/secsrv.c @@ -52,7 +52,7 @@ static int sec_get_config(struct sec_ctx *sctx) sctx->rctx->confdb_service_path, CONFDB_SEC_CONTAINERS_NEST_LEVEL, DEFAULT_SEC_CONTAINERS_NEST_LEVEL, - &sctx->containers_nest_level); + &sctx->sec_config.quota.containers_nest_level); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, @@ -64,7 +64,7 @@ static int sec_get_config(struct sec_ctx *sctx) sctx->rctx->confdb_service_path, CONFDB_SEC_MAX_SECRETS, DEFAULT_SEC_MAX_SECRETS, - &sctx->max_secrets); + &sctx->sec_config.quota.max_secrets); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, @@ -76,7 +76,7 @@ static int sec_get_config(struct sec_ctx *sctx) sctx->rctx->confdb_service_path, CONFDB_SEC_MAX_PAYLOAD_SIZE, DEFAULT_SEC_MAX_PAYLOAD_SIZE, - &sctx->max_payload_size); + &sctx->sec_config.quota.max_payload_size); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, diff --git a/src/responder/secrets/secsrv.h b/src/responder/secrets/secsrv.h index 1aad272da3ded1a2b3d2d8475ff3f2422c893483..629b027f6966dd221d21d16ccfc75c99881935f8 100644 --- a/src/responder/secrets/secsrv.h +++ b/src/responder/secrets/secsrv.h @@ -30,12 +30,23 @@ #include #include +struct sec_quota { + int max_secrets; + int max_payload_size; + int containers_nest_level; +}; + +struct sec_hive_config { + const char *confdb_section; + + struct sec_quota quota; +}; + struct sec_ctx { struct resp_ctx *rctx; int fd_limit; - int containers_nest_level; - int max_secrets; - int max_payload_size; + + struct sec_hive_config sec_config; struct provider_handle **providers; }; -- 2.14.1