sssd/0016-SUDO-make-sudo-sysdb-interface-more-reusable.patch
2016-01-19 18:23:34 +01:00

989 lines
31 KiB
Diff

From 154d886c35318cabfb174e6791d3361ce760cdcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 16 Dec 2015 14:42:04 +0100
Subject: [PATCH 16/49] SUDO: make sudo sysdb interface more reusable
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 68abbe716bed7c8d6790d9bec168ef44469306a1)
---
Makefile.am | 2 -
src/db/sysdb.c | 98 ++++++++++++
src/db/sysdb.h | 7 +
src/db/sysdb_sudo.c | 286 +++++++++++++++++++++++++++--------
src/db/sysdb_sudo.h | 17 +--
src/providers/ldap/sdap_async_sudo.c | 121 ++-------------
src/providers/ldap/sdap_sudo.c | 1 -
src/providers/ldap/sdap_sudo_cache.c | 183 ----------------------
src/providers/ldap/sdap_sudo_cache.h | 37 -----
9 files changed, 354 insertions(+), 398 deletions(-)
delete mode 100644 src/providers/ldap/sdap_sudo_cache.c
delete mode 100644 src/providers/ldap/sdap_sudo_cache.h
diff --git a/Makefile.am b/Makefile.am
index 095b1cfd62f49d266df278e1736d48ed5ef4fa7a..29dd73edf3e6770e4280945f69c9d266f3d8c4c4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -618,7 +618,6 @@ dist_noinst_HEADERS = \
src/providers/ldap/sdap_access.h \
src/providers/ldap/sdap_async.h \
src/providers/ldap/sdap_async_private.h \
- src/providers/ldap/sdap_sudo_cache.h \
src/providers/ldap/sdap_sudo.h \
src/providers/ldap/sdap_autofs.h \
src/providers/ldap/sdap_id_op.h \
@@ -2859,7 +2858,6 @@ libsss_ldap_common_la_LDFLAGS = \
if BUILD_SUDO
libsss_ldap_common_la_SOURCES += \
- src/providers/ldap/sdap_sudo_cache.c \
src/providers/ldap/sdap_async_sudo.c \
src/providers/ldap/sdap_async_sudo_hostinfo.c \
src/providers/ldap/sdap_sudo_refresh.c \
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index a71364d7c4b600eafd10fafa6641eac7b2292764..d4366a3c76f114bf113567754a1e0417afe664e3 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -2013,3 +2013,101 @@ errno_t sysdb_msg2attrs(TALLOC_CTX *mem_ctx, size_t count,
return EOK;
}
+
+int sysdb_compare_usn(const char *a, const char *b)
+{
+ size_t len_a;
+ size_t len_b;
+
+ if (a == NULL) {
+ return -1;
+ }
+
+ if (b == NULL) {
+ return 1;
+ }
+
+ len_a = strlen(a);
+ len_b = strlen(b);
+
+ /* trim leading zeros */
+ while (len_a > 0 && *a == '0') {
+ a++;
+ len_a--;
+ }
+
+ while (len_b > 0 && *b == '0') {
+ b++;
+ len_b--;
+ }
+
+ /* less digits means lower number */
+ if (len_a < len_b) {
+ return -1;
+ }
+
+ /* more digits means bigger number */
+ if (len_a > len_b) {
+ return 1;
+ }
+
+ /* now we can compare digits since alphabetical order is the same
+ * as numeric order */
+ return strcmp(a, b);
+}
+
+errno_t sysdb_get_highest_usn(TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs **attrs,
+ size_t num_attrs,
+ char **_usn)
+{
+ const char *highest = NULL;
+ const char *current = NULL;
+ char *usn;
+ errno_t ret;
+ size_t i;
+
+ if (num_attrs == 0 || attrs == NULL) {
+ goto done;
+ }
+
+ for (i = 0; i < num_attrs; i++) {
+ ret = sysdb_attrs_get_string(attrs[i], SYSDB_USN, &current);
+ if (ret == ENOENT) {
+ /* USN value is not present, assuming zero. */
+ current = "0";
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to retrieve USN value "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+
+ return ret;
+ }
+
+ if (current == NULL) {
+ continue;
+ }
+
+ if (highest == NULL) {
+ highest = current;
+ continue;
+ }
+
+ if (sysdb_compare_usn(current, highest) > 0 ) {
+ highest = current;
+ }
+ }
+
+done:
+ if (highest == NULL) {
+ usn = talloc_strdup(mem_ctx, "0");
+ } else {
+ usn = talloc_strdup(mem_ctx, highest);
+ }
+
+ if (usn == NULL) {
+ return ENOMEM;
+ }
+
+ *_usn = usn;
+ return EOK;
+}
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index ad1bf75b7437730af4a56d97e8f9868073e678aa..2e797fd7fa39163c2ab6a10e51228e0f1af3f9e3 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -386,6 +386,13 @@ errno_t sysdb_msg2attrs(TALLOC_CTX *mem_ctx, size_t count,
struct ldb_message **msgs,
struct sysdb_attrs ***attrs);
+int sysdb_compare_usn(const char *a, const char *b);
+
+errno_t sysdb_get_highest_usn(TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs **attrs,
+ size_t num_attrs,
+ char **_usn);
+
/* convert an ldb error into an errno error */
int sysdb_error_to_errno(int ldberr);
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 784ac8af3ae5cb08f30eb9631c7ffa4aa92bde23..76116abacb20219f0c1dcdde755e8268e10fd293 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -27,6 +27,8 @@
#include "db/sysdb_private.h"
#include "db/sysdb_sudo.h"
+#define SUDO_ALL_FILTER "(" SYSDB_OBJECTCLASS "=" SYSDB_SUDO_CACHE_OC ")"
+
#define NULL_CHECK(val, rval, label) do { \
if (!val) { \
rval = ENOMEM; \
@@ -427,41 +429,6 @@ done:
return ret;
}
-errno_t
-sysdb_save_sudorule(struct sss_domain_info *domain,
- const char *rule_name,
- struct sysdb_attrs *attrs)
-{
- errno_t ret;
-
- DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", rule_name);
-
- ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS,
- SYSDB_SUDO_CACHE_OC);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not set rule object class [%d]: %s\n",
- ret, strerror(ret));
- return ret;
- }
-
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, rule_name);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not set name attribute [%d]: %s\n",
- ret, strerror(ret));
- return ret;
- }
-
- ret = sysdb_store_custom(domain, rule_name,
- SUDORULE_SUBDIR, attrs);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_custom failed [%d]: %s\n",
- ret, strerror(ret));
- return ret;
- }
-
- return EOK;
-}
-
static errno_t sysdb_sudo_set_refresh_time(struct sss_domain_info *domain,
const char *attr_name,
time_t value)
@@ -615,6 +582,26 @@ errno_t sysdb_sudo_get_last_full_refresh(struct sss_domain_info *domain,
/* ==================== Purge functions ==================== */
+static const char *
+sysdb_sudo_get_rule_name(struct sysdb_attrs *rule)
+{
+ const char *name;
+ errno_t ret;
+
+ ret = sysdb_attrs_get_string(rule, SYSDB_SUDO_CACHE_AT_CN, &name);
+ if (ret == ERANGE) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Warning: found rule that contains none "
+ "or multiple CN values. It will be skipped.\n");
+ return NULL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to obtain rule name [%d]: %s\n",
+ ret, strerror(ret));
+ return NULL;
+ }
+
+ return name;
+}
+
static errno_t sysdb_sudo_purge_all(struct sss_domain_info *domain)
{
struct ldb_dn *base_dn = NULL;
@@ -627,6 +614,8 @@ static errno_t sysdb_sudo_purge_all(struct sss_domain_info *domain)
base_dn = sysdb_custom_subtree_dn(tmp_ctx, domain, SUDORULE_SUBDIR);
NULL_CHECK(base_dn, ret, done);
+ DEBUG(SSSDBG_TRACE_FUNC, "Deleting all cached sudo rules\n");
+
ret = sysdb_delete_recursive(domain->sysdb, base_dn, true);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_delete_recursive failed.\n");
@@ -639,42 +628,74 @@ done:
return ret;
}
-errno_t sysdb_sudo_purge_byname(struct sss_domain_info *domain,
- const char *name)
+static errno_t
+sysdb_sudo_purge_byname(struct sss_domain_info *domain,
+ const char *name)
{
DEBUG(SSSDBG_TRACE_INTERNAL, "Deleting sudo rule %s\n", name);
return sysdb_delete_custom(domain, name, SUDORULE_SUBDIR);
}
-errno_t sysdb_sudo_purge_byfilter(struct sss_domain_info *domain,
- const char *filter)
+static errno_t
+sysdb_sudo_purge_byrules(struct sss_domain_info *dom,
+ struct sysdb_attrs **rules,
+ size_t num_rules)
+{
+ const char *name;
+ errno_t ret;
+ size_t i;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "About to remove rules from sudo cache\n");
+
+ if (num_rules == 0 || rules == NULL) {
+ return EOK;
+ }
+
+ for (i = 0; i < num_rules; i++) {
+ name = sysdb_sudo_get_rule_name(rules[i]);
+ if (name == NULL) {
+ continue;
+ }
+
+ ret = sysdb_sudo_purge_byname(dom, name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to delete rule "
+ "%s [%d]: %s\n", name, ret, sss_strerror(ret));
+ continue;
+ }
+ }
+
+ return EOK;
+}
+
+static errno_t
+sysdb_sudo_purge_byfilter(struct sss_domain_info *domain,
+ const char *filter)
{
TALLOC_CTX *tmp_ctx;
- size_t count;
+ struct sysdb_attrs **rules;
struct ldb_message **msgs;
- const char *name;
- int i;
+ size_t count;
errno_t ret;
- errno_t sret;
- bool in_transaction = false;
const char *attrs[] = { SYSDB_OBJECTCLASS,
SYSDB_NAME,
SYSDB_SUDO_CACHE_AT_CN,
NULL };
- /* just purge all if there's no filter */
- if (!filter) {
+ if (filter == NULL || strcmp(filter, SUDO_ALL_FILTER) == 0) {
return sysdb_sudo_purge_all(domain);
}
tmp_ctx = talloc_new(NULL);
- NULL_CHECK(tmp_ctx, ret, done);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
- /* match entries based on the filter and remove them one by one */
ret = sysdb_search_custom(tmp_ctx, domain, filter,
SUDORULE_SUBDIR, attrs,
&count, &msgs);
- if (ret == ENOENT) {
+ if (ret == ENOENT || count == 0) {
DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n");
ret = EOK;
goto done;
@@ -683,24 +704,165 @@ errno_t sysdb_sudo_purge_byfilter(struct sss_domain_info *domain,
goto done;
}
+ ret = sysdb_msg2attrs(tmp_ctx, count, msgs, &rules);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to convert ldb message to "
+ "sysdb attrs [%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_sudo_purge_byrules(domain, rules, count);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t sysdb_sudo_purge(struct sss_domain_info *domain,
+ const char *delete_filter,
+ struct sysdb_attrs **rules,
+ size_t num_rules)
+{
+ bool in_transaction = false;
+ errno_t sret;
+ errno_t ret;
+
ret = sysdb_transaction_start(domain->sysdb);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ return ret;
+ }
+ in_transaction = true;
+
+ if (delete_filter) {
+ ret = sysdb_sudo_purge_byfilter(domain, delete_filter);
+ } else {
+ ret = sysdb_sudo_purge_byrules(domain, rules, num_rules);
+ }
+
+ if (ret != EOK) {
goto done;
}
+
+ ret = sysdb_transaction_commit(domain->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+
+done:
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(domain->sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
+ }
+ }
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to purge sudo cache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ }
+
+ return ret;
+}
+
+static errno_t
+sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
+ const char *name,
+ int cache_timeout,
+ time_t now)
+{
+ time_t expire;
+ errno_t ret;
+
+ ret = sysdb_attrs_add_string(rule, SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to add %s attribute [%d]: %s\n",
+ SYSDB_OBJECTCLASS, ret, strerror(ret));
+ return ret;
+ }
+
+ ret = sysdb_attrs_add_string(rule, SYSDB_NAME, name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to add %s attribute [%d]: %s\n",
+ SYSDB_OBJECTCLASS, ret, strerror(ret));
+ return ret;
+ }
+
+ expire = cache_timeout > 0 ? now + cache_timeout : 0;
+ ret = sysdb_attrs_add_time_t(rule, SYSDB_CACHE_EXPIRE, expire);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to add %s attribute [%d]: %s\n",
+ SYSDB_CACHE_EXPIRE, ret, strerror(ret));
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t
+sysdb_sudo_store_rule(struct sss_domain_info *domain,
+ struct sysdb_attrs *rule,
+ int cache_timeout,
+ time_t now)
+{
+ const char *name;
+ errno_t ret;
+
+ name = sysdb_sudo_get_rule_name(rule);
+ if (name == NULL) {
+ return EINVAL;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
+
+ ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = sysdb_store_custom(domain, name, SUDORULE_SUBDIR, rule);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to store rule %s [%d]: %s\n",
+ name, ret, strerror(ret));
+ return ret;
+ }
+
+ return EOK;
+}
+
+errno_t
+sysdb_sudo_store(struct sss_domain_info *domain,
+ struct sysdb_attrs **rules,
+ size_t num_rules)
+{
+ bool in_transaction = false;
+ errno_t sret;
+ errno_t ret;
+ time_t now;
+ size_t i;
+
+ if (num_rules == 0 || rules == NULL) {
+ return EOK;
+ }
+
+ ret = sysdb_transaction_start(domain->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ return ret;
+ }
in_transaction = true;
- for (i = 0; i < count; i++) {
- name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
- if (name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "A rule without a name?\n");
- /* skip this one but still delete other entries */
+ now = time(NULL);
+ for (i = 0; i < num_rules; i++) {
+ ret = sysdb_sudo_store_rule(domain, rules[i],
+ domain->sudo_timeout, now);
+ if (ret == EINVAL) {
+ /* Multiple CNs are error on server side, we can just ignore this
+ * rule and save the others. Loud debug message is in logs. */
continue;
- }
-
- ret = sysdb_sudo_purge_byname(domain, name);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not delete rule %s\n", name);
+ } else if (ret != EOK) {
goto done;
}
}
@@ -720,6 +882,10 @@ done:
}
}
- talloc_free(tmp_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to store sudo rules [%d]: %s\n",
+ ret, sss_strerror(ret));
+ }
+
return ret;
}
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
index fc896c385c6fa71e735b3db763ccee4a0354d007..6dd9ea7bb8ec947f5beceb89fd27bde156c27c36 100644
--- a/src/db/sysdb_sudo.h
+++ b/src/db/sysdb_sudo.h
@@ -78,20 +78,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
const char *username, uid_t *_uid,
char ***groupnames);
-errno_t
-sysdb_save_sudorule(struct sss_domain_info *domain,
- const char *rule_name,
- struct sysdb_attrs *attrs);
-
errno_t sysdb_sudo_set_last_full_refresh(struct sss_domain_info *domain,
time_t value);
errno_t sysdb_sudo_get_last_full_refresh(struct sss_domain_info *domain,
time_t *value);
-errno_t sysdb_sudo_purge_byname(struct sss_domain_info *domain,
- const char *name);
+errno_t sysdb_sudo_purge(struct sss_domain_info *domain,
+ const char *delete_filter,
+ struct sysdb_attrs **rules,
+ size_t num_rules);
-errno_t sysdb_sudo_purge_byfilter(struct sss_domain_info *domain,
- const char *filter);
+errno_t
+sysdb_sudo_store(struct sss_domain_info *domain,
+ struct sysdb_attrs **rules,
+ size_t num_rules);
#endif /* _SYSDB_SUDO_H_ */
diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
index d7780d38405a2705e25a9c983aca2736548a624e..2fcfa4aec5d4d53f26d40395e99bdce1b41710d4 100644
--- a/src/providers/ldap/sdap_async_sudo.c
+++ b/src/providers/ldap/sdap_async_sudo.c
@@ -31,7 +31,6 @@
#include "providers/ldap/sdap.h"
#include "providers/ldap/sdap_ops.h"
#include "providers/ldap/sdap_sudo.h"
-#include "providers/ldap/sdap_sudo_cache.h"
#include "db/sysdb_sudo.h"
struct sdap_sudo_load_sudoers_state {
@@ -136,89 +135,6 @@ static int sdap_sudo_load_sudoers_recv(struct tevent_req *req,
return EOK;
}
-static int sdap_sudo_purge_sudoers(struct sss_domain_info *dom,
- const char *filter,
- struct sdap_attr_map *map,
- size_t rules_count,
- struct sysdb_attrs **rules)
-{
- const char *name;
- size_t i;
- errno_t ret;
-
- if (filter == NULL) {
- /* removes downloaded rules from the cache */
- if (rules_count == 0 || rules == NULL) {
- return EOK;
- }
-
- for (i = 0; i < rules_count; i++) {
- ret = sysdb_attrs_get_string(rules[i],
- map[SDAP_AT_SUDO_NAME].sys_name,
- &name);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Failed to retrieve rule name: [%s]\n", strerror(ret));
- continue;
- }
-
- ret = sysdb_sudo_purge_byname(dom, name);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Failed to delete rule %s: [%s]\n",
- name, strerror(ret));
- continue;
- }
- }
-
- ret = EOK;
- } else {
- /* purge cache by provided filter */
- ret = sysdb_sudo_purge_byfilter(dom, filter);
- if (ret != EOK) {
- goto done;
- }
- }
-
-done:
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "failed to purge sudo rules [%d]: %s\n",
- ret, strerror(ret));
- }
-
- return ret;
-}
-
-static int sdap_sudo_store_sudoers(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *domain,
- struct sdap_options *opts,
- size_t rules_count,
- struct sysdb_attrs **rules,
- int cache_timeout,
- time_t now,
- char **_usn)
-{
- errno_t ret;
-
- /* Empty sudoers? Done. */
- if (rules_count == 0 || rules == NULL) {
- *_usn = NULL;
- return EOK;
- }
-
- ret = sdap_save_native_sudorule_list(mem_ctx, domain,
- opts->sudorule_map, rules,
- rules_count, cache_timeout, now,
- _usn);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "failed to save sudo rules [%d]: %s\n",
- ret, strerror(ret));
- return ret;
- }
-
- return EOK;
-}
-
static void sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, char *usn)
{
unsigned int usn_number;
@@ -230,23 +146,14 @@ static void sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, char *usn)
}
if (usn == NULL) {
- /* If the USN value is unknown and we don't have max_sudo_value set
- * (possibly first full refresh which did not find any rule) we will
- * set zero so smart refresh can pick up. */
- if (srv_opts->max_sudo_value == NULL) {
- srv_opts->max_sudo_value = talloc_strdup(srv_opts, "0");
- if (srv_opts->max_sudo_value == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");
- }
- return;
- }
-
- DEBUG(SSSDBG_TRACE_FUNC, "Empty USN, ignoring\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Bug: usn is NULL\n");
return;
}
- talloc_zfree(srv_opts->max_sudo_value);
- srv_opts->max_sudo_value = talloc_steal(srv_opts, usn);
+ if (sysdb_compare_usn(usn, srv_opts->max_sudo_value) > 0) {
+ talloc_zfree(srv_opts->max_sudo_value);
+ srv_opts->max_sudo_value = talloc_steal(srv_opts, usn);
+ }
usn_number = strtoul(usn, &endptr, 10);
if ((endptr == NULL || (*endptr == '\0' && endptr != usn))
@@ -625,7 +532,6 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
int ret;
errno_t sret;
bool in_transaction = false;
- time_t now;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct sdap_sudo_refresh_state);
@@ -654,17 +560,14 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
in_transaction = true;
/* purge cache */
- ret = sdap_sudo_purge_sudoers(state->domain, state->delete_filter,
- state->opts->sudorule_map, rules_count, rules);
+ ret = sysdb_sudo_purge(state->domain, state->delete_filter,
+ rules, rules_count);
if (ret != EOK) {
goto done;
}
/* store rules */
- now = time(NULL);
- ret = sdap_sudo_store_sudoers(state, state->domain,
- state->opts, rules_count, rules,
- state->domain->sudo_timeout, now, &usn);
+ ret = sysdb_sudo_store(state->domain, rules, rules_count);
if (ret != EOK) {
goto done;
}
@@ -680,7 +583,13 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfuly stored in cache\n");
/* remember new usn */
- sdap_sudo_set_usn(state->srv_opts, usn);
+ ret = sysdb_get_highest_usn(state, rules, rules_count, &usn);
+ if (ret == EOK) {
+ sdap_sudo_set_usn(state->srv_opts, usn);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to get highest USN [%d]: %s\n",
+ ret, sss_strerror(ret));
+ }
ret = EOK;
state->num_rules = rules_count;
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 550784842c6e6162d153785940c1e37a51b5dc1f..10067e9ba779b5224bf21dd7a705c45e7f4e0f99 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -27,7 +27,6 @@
#include "providers/ldap/sdap.h"
#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap_sudo.h"
-#include "providers/ldap/sdap_sudo_cache.h"
#include "db/sysdb_sudo.h"
static void sdap_sudo_handler(struct be_req *breq);
diff --git a/src/providers/ldap/sdap_sudo_cache.c b/src/providers/ldap/sdap_sudo_cache.c
deleted file mode 100644
index 56e84ce8f26338ea5856eb5c76627641eee93df1..0000000000000000000000000000000000000000
--- a/src/providers/ldap/sdap_sudo_cache.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- Authors:
- Jakub Hrozek <jhrozek@redhat.com>
-
- Copyright (C) 2011 Red Hat
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include <talloc.h>
-
-#include "db/sysdb.h"
-#include "db/sysdb_sudo.h"
-#include "providers/ldap/sdap_sudo_cache.h"
-
-/* ========== Functions specific for the native sudo LDAP schema ========== */
-static errno_t sdap_sudo_get_usn(TALLOC_CTX *mem_ctx,
- struct sysdb_attrs *attrs,
- struct sdap_attr_map *map,
- char **_usn)
-{
- const char *usn;
- errno_t ret;
-
- if (_usn == NULL) {
- return EINVAL;
- }
-
- ret = sysdb_attrs_get_string(attrs, map[SDAP_AT_SUDO_USN].sys_name, &usn);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Failed to retrieve USN value: [%s]\n", strerror(ret));
-
- return ret;
- }
-
- *_usn = talloc_strdup(mem_ctx, usn);
- if (*_usn == NULL) {
- return ENOMEM;
- }
-
- return EOK;
-}
-
-static errno_t
-sdap_save_native_sudorule(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *domain,
- struct sdap_attr_map *map,
- struct sysdb_attrs *attrs,
- int cache_timeout,
- time_t now,
- char **_usn)
-{
- errno_t ret;
- const char *rule_name;
-
- ret = sysdb_attrs_get_string(attrs, map[SDAP_AT_SUDO_NAME].sys_name,
- &rule_name);
- if (ret == ERANGE) {
- DEBUG(SSSDBG_OP_FAILURE, "Warning: found rule that contains none "
- "or multiple CN values. It will be skipped.\n");
- return ret;
- } else if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not get rule name [%d]: %s\n",
- ret, strerror(ret));
- return ret;
- }
-
- ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
- (cache_timeout ? (now + cache_timeout) : 0));
- if (ret) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not set sysdb cache expire [%d]: %s\n",
- ret, strerror(ret));
- return ret;
- }
-
- ret = sdap_sudo_get_usn(mem_ctx, attrs, map, _usn);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Could not read USN from %s\n", rule_name);
- *_usn = NULL;
- /* but we will store the rule anyway */
- }
-
- ret = sysdb_save_sudorule(domain, rule_name, attrs);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not save sudorule %s\n", rule_name);
- return ret;
- }
-
- return ret;
-}
-
-errno_t
-sdap_save_native_sudorule_list(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *domain,
- struct sdap_attr_map *map,
- struct sysdb_attrs **replies,
- size_t replies_count,
- int cache_timeout,
- time_t now,
- char **_usn)
-{
- TALLOC_CTX *tmp_ctx = NULL;
- char *higher_usn = NULL;
- char *usn_value = NULL;
- errno_t ret, tret;
- bool in_transaction = false;
- size_t i;
-
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- DEBUG(SSSDBG_FATAL_FAILURE, "talloc_new() failed\n");
- return ENOMEM;
- }
-
- ret = sysdb_transaction_start(domain->sysdb);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Could not start transaction\n");
- goto fail;
- }
- in_transaction = true;
-
- for (i=0; i < replies_count; i++) {
- usn_value = NULL;
- ret = sdap_save_native_sudorule(tmp_ctx, domain, map, replies[i],
- cache_timeout, now, &usn_value);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to save sudo rule, "
- "will continue with next...\n");
- continue;
- }
-
- /* find highest usn */
- if (usn_value) {
- if (higher_usn) {
- if ((strlen(usn_value) > strlen(higher_usn)) ||
- (strcmp(usn_value, higher_usn) > 0)) {
- talloc_zfree(higher_usn);
- higher_usn = usn_value;
- } else {
- talloc_zfree(usn_value);
- }
- } else {
- higher_usn = usn_value;
- }
- }
- }
-
- ret = sysdb_transaction_commit(domain->sysdb);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
- goto fail;
- }
- in_transaction = false;
-
- if (higher_usn != NULL) {
- *_usn = talloc_steal(mem_ctx, higher_usn);
- }
-
- ret = EOK;
-fail:
- if (in_transaction) {
- tret = sysdb_transaction_cancel(domain->sysdb);
- if (tret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
- }
- }
-
- talloc_free(tmp_ctx);
-
- return ret;
-}
diff --git a/src/providers/ldap/sdap_sudo_cache.h b/src/providers/ldap/sdap_sudo_cache.h
deleted file mode 100644
index 5a756bf313831267cf34676b392973a1a8e740ec..0000000000000000000000000000000000000000
--- a/src/providers/ldap/sdap_sudo_cache.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- Authors:
- Jakub Hrozek <jhrozek@redhat.com>
-
- Copyright (C) 2011 Red Hat
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#ifndef _SDAP_SUDO_CACHE_H_
-#define _SDAP_SUDO_CACHE_H_
-
-#include "src/providers/ldap/sdap.h"
-
-/* Cache functions specific for the native sudo LDAP schema */
-errno_t
-sdap_save_native_sudorule_list(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *domain,
- struct sdap_attr_map *map,
- struct sysdb_attrs **replies,
- size_t replies_count,
- int cache_timeout,
- time_t now,
- char **_usn);
-
-#endif /* _SDAP_SUDO_CACHE_H_ */
--
2.5.0