From 35c9dfe9ba78d3a635cd1af0fb6349ba44344623 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 14 Mar 2017 11:17:05 +0100 Subject: [PATCH 36/97] KCM: Make the secrets ccache back end configurable, make secrets the default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a new option 'ccache_storage' that allows to select either the memory back end or the secrets back end. The secrets back end is the default one and this option is even undocumented. Reviewed-by: Michal Židek Reviewed-by: Simo Sorce --- src/confdb/confdb.h | 1 + src/config/cfg_rules.ini | 1 + src/responder/kcm/kcm.c | 49 ++++++++++++++++++++++++++++++++---- src/responder/kcm/kcmsrv_ccache.c | 2 +- src/responder/kcm/kcmsrv_ccache.h | 6 +---- src/responder/kcm/kcmsrv_ccache_be.h | 1 + src/responder/kcm/kcmsrv_pvt.h | 7 ++++++ 7 files changed, 56 insertions(+), 11 deletions(-) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index c443e869a7a6782265b42c4ad122867c4e3dd8e0..fb60675ca8beb2c2a157bf021ed9cad362742988 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -234,6 +234,7 @@ /* KCM Service */ #define CONFDB_KCM_CONF_ENTRY "config/kcm" #define CONFDB_KCM_SOCKET "socket_path" +#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */ struct confdb_ctx; struct config_file_ctx; diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 5e789c51658c51c0af1338d23d6c0f30f40bf119..67a5d1f5ad447a942b437ffd04a7f5d7cfe77d7f 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -280,6 +280,7 @@ option = fd_limit option = client_idle_timeout option = description option = socket_path +option = ccache_storage [rule/allowed_domain_options] validator = ini_allowed_options diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c index 2c12ef215ce3967df183e51c20590c5f439d278f..063c27b915b4b92f6259496feee891aa94a498b6 100644 --- a/src/responder/kcm/kcm.c +++ b/src/responder/kcm/kcm.c @@ -47,6 +47,37 @@ static int kcm_responder_ctx_destructor(void *ptr) return 0; } +static errno_t kcm_get_ccdb_be(struct kcm_ctx *kctx) +{ + errno_t ret; + char *str_db; + + ret = confdb_get_string(kctx->rctx->cdb, + kctx->rctx, + kctx->rctx->confdb_service_path, + CONFDB_KCM_DB, + "secrets", + &str_db); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get the KCM database type [%d]: %s\n", + ret, strerror(ret)); + return ret; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "KCM database type: %s\n", str_db); + if (strcasecmp(str_db, "memory") == 0) { + kctx->cc_be = CCDB_BE_MEMORY; + return EOK; + } else if (strcasecmp(str_db, "secrets") == 0) { + kctx->cc_be = CCDB_BE_SECRETS; + return EOK; + } + + DEBUG(SSSDBG_FATAL_FAILURE, "Unexpected KCM database type %s\n", str_db); + return EOK; +} + static int kcm_get_config(struct kcm_ctx *kctx) { int ret; @@ -88,14 +119,21 @@ static int kcm_get_config(struct kcm_ctx *kctx) &sock_name); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, - "Cannot get the client idle timeout [%d]: %s\n", + "Cannot get KCM socket path [%d]: %s\n", ret, strerror(ret)); goto done; } kctx->rctx->sock_name = sock_name; + ret = kcm_get_ccdb_be(kctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get KCM ccache DB [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + ret = EOK; - done: return ret; } @@ -111,7 +149,8 @@ static int kcm_data_destructor(void *ptr) } static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx, - struct tevent_context *ev) + struct tevent_context *ev, + enum kcm_ccdb_be cc_be) { struct kcm_resp_ctx *kcm_data; krb5_error_code kret; @@ -122,7 +161,7 @@ static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx, return NULL; } - kcm_data->db = kcm_ccdb_init(kcm_data, ev, CCDB_BE_MEMORY); + kcm_data->db = kcm_ccdb_init(kcm_data, ev, cc_be); if (kcm_data->db == NULL) { talloc_free(kcm_data); return NULL; @@ -176,7 +215,7 @@ static int kcm_process_init(TALLOC_CTX *mem_ctx, goto fail; } - kctx->kcm_data = kcm_data_setup(kctx, ev); + kctx->kcm_data = kcm_data_setup(kctx, ev, kctx->cc_be); if (kctx->kcm_data == NULL) { DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing responder data\n"); diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c index 2ae120269b0c62275ba2acdff6d6daa8b7077708..a22184e0f2b1300f3678bb343b6a110bf144a36b 100644 --- a/src/responder/kcm/kcmsrv_ccache.c +++ b/src/responder/kcm/kcmsrv_ccache.c @@ -244,7 +244,7 @@ struct kcm_ccdb *kcm_ccdb_init(TALLOC_CTX *mem_ctx, break; case CCDB_BE_SECRETS: DEBUG(SSSDBG_FUNC_DATA, "KCM back end: sssd-secrets\n"); - /* Not implemented yet */ + ccdb->ops = &ccdb_sec_ops; break; default: DEBUG(SSSDBG_CRIT_FAILURE, "Unknown ccache database\n"); diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h index 18c8c47ad4ecb24521a85a1833b239c7a2a8bb45..36c481c5335d557318f0ed0204d93e533b4b6c41 100644 --- a/src/responder/kcm/kcmsrv_ccache.h +++ b/src/responder/kcm/kcmsrv_ccache.h @@ -29,6 +29,7 @@ #include "util/util.h" #include "util/sss_iobuf.h" #include "util/util_creds.h" +#include "responder/kcm/kcmsrv_pvt.h" #define UUID_BYTES 16 #define UUID_STR_SIZE 37 @@ -113,11 +114,6 @@ errno_t kcm_cc_store_cred_blob(struct kcm_ccache *cc, struct kcm_cred *kcm_cc_get_cred(struct kcm_ccache *cc); struct kcm_cred *kcm_cc_next_cred(struct kcm_cred *crd); -enum kcm_ccdb_be { - CCDB_BE_MEMORY, - CCDB_BE_SECRETS, -}; - /* An opaque database that contains all the ccaches */ struct kcm_ccdb; diff --git a/src/responder/kcm/kcmsrv_ccache_be.h b/src/responder/kcm/kcmsrv_ccache_be.h index 1bd2b6981e227675866e82e0a5389445cac4df66..a0796c298bae15a01adf612a6195a494ba6b4d23 100644 --- a/src/responder/kcm/kcmsrv_ccache_be.h +++ b/src/responder/kcm/kcmsrv_ccache_be.h @@ -200,5 +200,6 @@ struct kcm_ccdb_ops { }; extern const struct kcm_ccdb_ops ccdb_mem_ops; +extern const struct kcm_ccdb_ops ccdb_sec_ops; #endif /* _KCMSRV_CCACHE_BE_ */ diff --git a/src/responder/kcm/kcmsrv_pvt.h b/src/responder/kcm/kcmsrv_pvt.h index a29680246c1e616da75e1bbff951ce2fad66fb65..74f30c00014105ed533744779b02c5d42523722d 100644 --- a/src/responder/kcm/kcmsrv_pvt.h +++ b/src/responder/kcm/kcmsrv_pvt.h @@ -49,6 +49,12 @@ struct kcm_resp_ctx { struct kcm_ccdb *db; }; +/* Supported ccache back ends */ +enum kcm_ccdb_be { + CCDB_BE_MEMORY, + CCDB_BE_SECRETS, +}; + /* * responder context that contains both the responder data, * like the ccaches and the sssd-specific stuff like the @@ -58,6 +64,7 @@ struct kcm_ctx { struct resp_ctx *rctx; int fd_limit; char *socket_path; + enum kcm_ccdb_be cc_be; struct kcm_resp_ctx *kcm_data; }; -- 2.12.2