159 lines
6.1 KiB
Diff
159 lines
6.1 KiB
Diff
From 7a162ca3ea0bf8ef6b13795a00baa28d17f6131d Mon Sep 17 00:00:00 2001
|
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
Date: Tue, 30 May 2017 12:31:57 +0200
|
|
Subject: [PATCH 87/93] SECRETS: Store quotas in a per-hive configuration
|
|
structure
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Adds two new structures to hold the quotas and associate a quota with a hive.
|
|
|
|
This is just an internal change for now, but will allow us to read quota
|
|
configuration from per-hive sections later.
|
|
|
|
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
---
|
|
src/responder/secrets/local.c | 21 +++++++++------------
|
|
src/responder/secrets/secsrv.c | 6 +++---
|
|
src/responder/secrets/secsrv.h | 17 ++++++++++++++---
|
|
3 files changed, 26 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
|
|
index 66401ef50d9114a9ab493f0e46d1ad38dd854365..0b879939f25487b0275d5144f5e27b2873b3fbae 100644
|
|
--- a/src/responder/secrets/local.c
|
|
+++ b/src/responder/secrets/local.c
|
|
@@ -34,9 +34,8 @@
|
|
struct local_context {
|
|
struct ldb_context *ldb;
|
|
struct sec_data master_key;
|
|
- int containers_nest_level;
|
|
- int max_secrets;
|
|
- int max_payload_size;
|
|
+
|
|
+ struct sec_quota *quota_secrets;
|
|
};
|
|
|
|
static int local_decrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx,
|
|
@@ -398,11 +397,11 @@ static int local_db_check_containers_nest_level(struct local_context *lctx,
|
|
/* We need do not care for the synthetic containers that constitute the
|
|
* base path (cn=<uidnumber>,cn=user,cn=secrets). */
|
|
nest_level = ldb_dn_get_comp_num(leaf_dn) - 3;
|
|
- if (nest_level > lctx->containers_nest_level) {
|
|
+ if (nest_level > lctx->quota_secrets->containers_nest_level) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
"Cannot create a nested container of depth %d as the maximum"
|
|
"allowed number of nested containers is %d.\n",
|
|
- nest_level, lctx->containers_nest_level);
|
|
+ nest_level, lctx->quota_secrets->containers_nest_level);
|
|
|
|
return ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL;
|
|
}
|
|
@@ -430,10 +429,10 @@ static int local_db_check_number_of_secrets(TALLOC_CTX *mem_ctx,
|
|
|
|
ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
|
|
attrs, LOCAL_SIMPLE_FILTER);
|
|
- if (res->count >= lctx->max_secrets) {
|
|
+ if (res->count >= lctx->quota_secrets->max_secrets) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
"Cannot store any more secrets as the maximum allowed limit (%d) "
|
|
- "has been reached\n", lctx->max_secrets);
|
|
+ "has been reached\n", lctx->quota_secrets->max_secrets);
|
|
|
|
ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
|
|
goto done;
|
|
@@ -451,14 +450,14 @@ static int local_check_max_payload_size(struct local_context *lctx,
|
|
{
|
|
int max_payload_size;
|
|
|
|
- max_payload_size = lctx->max_payload_size * 1024; /* kb */
|
|
+ max_payload_size = lctx->quota_secrets->max_payload_size * 1024; /* kb */
|
|
if (payload_size > max_payload_size) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
"Secrets' payload size [%d kb (%d)] exceeds the maximum allowed "
|
|
"payload size [%d kb (%d)]\n",
|
|
payload_size * 1024, /* kb */
|
|
payload_size,
|
|
- lctx->max_payload_size, /* kb */
|
|
+ lctx->quota_secrets->max_payload_size, /* kb */
|
|
max_payload_size);
|
|
|
|
return ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE;
|
|
@@ -1019,9 +1018,7 @@ int local_secrets_provider_handle(struct sec_ctx *sctx,
|
|
return EIO;
|
|
}
|
|
|
|
- lctx->containers_nest_level = sctx->containers_nest_level;
|
|
- lctx->max_secrets = sctx->max_secrets;
|
|
- lctx->max_payload_size = sctx->max_payload_size;
|
|
+ lctx->quota_secrets = &sctx->sec_config.quota;
|
|
|
|
lctx->master_key.data = talloc_size(lctx, MKEY_SIZE);
|
|
if (!lctx->master_key.data) return ENOMEM;
|
|
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
|
|
index ae2a658ae131e742466796cc47892a234e46f7d3..e3a8c1476af8d9c2c8b87a11ca930e12f381ef94 100644
|
|
--- a/src/responder/secrets/secsrv.c
|
|
+++ b/src/responder/secrets/secsrv.c
|
|
@@ -52,7 +52,7 @@ static int sec_get_config(struct sec_ctx *sctx)
|
|
sctx->rctx->confdb_service_path,
|
|
CONFDB_SEC_CONTAINERS_NEST_LEVEL,
|
|
DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
|
|
- &sctx->containers_nest_level);
|
|
+ &sctx->sec_config.quota.containers_nest_level);
|
|
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_FATAL_FAILURE,
|
|
@@ -64,7 +64,7 @@ static int sec_get_config(struct sec_ctx *sctx)
|
|
sctx->rctx->confdb_service_path,
|
|
CONFDB_SEC_MAX_SECRETS,
|
|
DEFAULT_SEC_MAX_SECRETS,
|
|
- &sctx->max_secrets);
|
|
+ &sctx->sec_config.quota.max_secrets);
|
|
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_FATAL_FAILURE,
|
|
@@ -76,7 +76,7 @@ static int sec_get_config(struct sec_ctx *sctx)
|
|
sctx->rctx->confdb_service_path,
|
|
CONFDB_SEC_MAX_PAYLOAD_SIZE,
|
|
DEFAULT_SEC_MAX_PAYLOAD_SIZE,
|
|
- &sctx->max_payload_size);
|
|
+ &sctx->sec_config.quota.max_payload_size);
|
|
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_FATAL_FAILURE,
|
|
diff --git a/src/responder/secrets/secsrv.h b/src/responder/secrets/secsrv.h
|
|
index 1aad272da3ded1a2b3d2d8475ff3f2422c893483..629b027f6966dd221d21d16ccfc75c99881935f8 100644
|
|
--- a/src/responder/secrets/secsrv.h
|
|
+++ b/src/responder/secrets/secsrv.h
|
|
@@ -30,12 +30,23 @@
|
|
#include <tevent.h>
|
|
#include <ldb.h>
|
|
|
|
+struct sec_quota {
|
|
+ int max_secrets;
|
|
+ int max_payload_size;
|
|
+ int containers_nest_level;
|
|
+};
|
|
+
|
|
+struct sec_hive_config {
|
|
+ const char *confdb_section;
|
|
+
|
|
+ struct sec_quota quota;
|
|
+};
|
|
+
|
|
struct sec_ctx {
|
|
struct resp_ctx *rctx;
|
|
int fd_limit;
|
|
- int containers_nest_level;
|
|
- int max_secrets;
|
|
- int max_payload_size;
|
|
+
|
|
+ struct sec_hive_config sec_config;
|
|
|
|
struct provider_handle **providers;
|
|
};
|
|
--
|
|
2.14.1
|
|
|