sssd/0087-SECRETS-Store-quotas-in-a-per-hive-configuration-str.patch
2017-09-01 21:34:35 +02:00

159 lines
6.1 KiB
Diff

From 7a162ca3ea0bf8ef6b13795a00baa28d17f6131d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 30 May 2017 12:31:57 +0200
Subject: [PATCH 87/93] SECRETS: Store quotas in a per-hive configuration
structure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds two new structures to hold the quotas and associate a quota with a hive.
This is just an internal change for now, but will allow us to read quota
configuration from per-hive sections later.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/responder/secrets/local.c | 21 +++++++++------------
src/responder/secrets/secsrv.c | 6 +++---
src/responder/secrets/secsrv.h | 17 ++++++++++++++---
3 files changed, 26 insertions(+), 18 deletions(-)
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index 66401ef50d9114a9ab493f0e46d1ad38dd854365..0b879939f25487b0275d5144f5e27b2873b3fbae 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -34,9 +34,8 @@
struct local_context {
struct ldb_context *ldb;
struct sec_data master_key;
- int containers_nest_level;
- int max_secrets;
- int max_payload_size;
+
+ struct sec_quota *quota_secrets;
};
static int local_decrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx,
@@ -398,11 +397,11 @@ static int local_db_check_containers_nest_level(struct local_context *lctx,
/* We need do not care for the synthetic containers that constitute the
* base path (cn=<uidnumber>,cn=user,cn=secrets). */
nest_level = ldb_dn_get_comp_num(leaf_dn) - 3;
- if (nest_level > lctx->containers_nest_level) {
+ if (nest_level > lctx->quota_secrets->containers_nest_level) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot create a nested container of depth %d as the maximum"
"allowed number of nested containers is %d.\n",
- nest_level, lctx->containers_nest_level);
+ nest_level, lctx->quota_secrets->containers_nest_level);
return ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL;
}
@@ -430,10 +429,10 @@ static int local_db_check_number_of_secrets(TALLOC_CTX *mem_ctx,
ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
attrs, LOCAL_SIMPLE_FILTER);
- if (res->count >= lctx->max_secrets) {
+ if (res->count >= lctx->quota_secrets->max_secrets) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot store any more secrets as the maximum allowed limit (%d) "
- "has been reached\n", lctx->max_secrets);
+ "has been reached\n", lctx->quota_secrets->max_secrets);
ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
goto done;
@@ -451,14 +450,14 @@ static int local_check_max_payload_size(struct local_context *lctx,
{
int max_payload_size;
- max_payload_size = lctx->max_payload_size * 1024; /* kb */
+ max_payload_size = lctx->quota_secrets->max_payload_size * 1024; /* kb */
if (payload_size > max_payload_size) {
DEBUG(SSSDBG_OP_FAILURE,
"Secrets' payload size [%d kb (%d)] exceeds the maximum allowed "
"payload size [%d kb (%d)]\n",
payload_size * 1024, /* kb */
payload_size,
- lctx->max_payload_size, /* kb */
+ lctx->quota_secrets->max_payload_size, /* kb */
max_payload_size);
return ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE;
@@ -1019,9 +1018,7 @@ int local_secrets_provider_handle(struct sec_ctx *sctx,
return EIO;
}
- lctx->containers_nest_level = sctx->containers_nest_level;
- lctx->max_secrets = sctx->max_secrets;
- lctx->max_payload_size = sctx->max_payload_size;
+ lctx->quota_secrets = &sctx->sec_config.quota;
lctx->master_key.data = talloc_size(lctx, MKEY_SIZE);
if (!lctx->master_key.data) return ENOMEM;
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index ae2a658ae131e742466796cc47892a234e46f7d3..e3a8c1476af8d9c2c8b87a11ca930e12f381ef94 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -52,7 +52,7 @@ static int sec_get_config(struct sec_ctx *sctx)
sctx->rctx->confdb_service_path,
CONFDB_SEC_CONTAINERS_NEST_LEVEL,
DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
- &sctx->containers_nest_level);
+ &sctx->sec_config.quota.containers_nest_level);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
@@ -64,7 +64,7 @@ static int sec_get_config(struct sec_ctx *sctx)
sctx->rctx->confdb_service_path,
CONFDB_SEC_MAX_SECRETS,
DEFAULT_SEC_MAX_SECRETS,
- &sctx->max_secrets);
+ &sctx->sec_config.quota.max_secrets);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
@@ -76,7 +76,7 @@ static int sec_get_config(struct sec_ctx *sctx)
sctx->rctx->confdb_service_path,
CONFDB_SEC_MAX_PAYLOAD_SIZE,
DEFAULT_SEC_MAX_PAYLOAD_SIZE,
- &sctx->max_payload_size);
+ &sctx->sec_config.quota.max_payload_size);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
diff --git a/src/responder/secrets/secsrv.h b/src/responder/secrets/secsrv.h
index 1aad272da3ded1a2b3d2d8475ff3f2422c893483..629b027f6966dd221d21d16ccfc75c99881935f8 100644
--- a/src/responder/secrets/secsrv.h
+++ b/src/responder/secrets/secsrv.h
@@ -30,12 +30,23 @@
#include <tevent.h>
#include <ldb.h>
+struct sec_quota {
+ int max_secrets;
+ int max_payload_size;
+ int containers_nest_level;
+};
+
+struct sec_hive_config {
+ const char *confdb_section;
+
+ struct sec_quota quota;
+};
+
struct sec_ctx {
struct resp_ctx *rctx;
int fd_limit;
- int containers_nest_level;
- int max_secrets;
- int max_payload_size;
+
+ struct sec_hive_config sec_config;
struct provider_handle **providers;
};
--
2.14.1