387014f928
required for building freeipa-4.5.x in rawhide
406 lines
14 KiB
Diff
406 lines
14 KiB
Diff
From 8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
Date: Tue, 3 Jan 2017 16:00:38 +0100
|
|
Subject: [PATCH 31/97] SECRETS: Create DB path before the operation itself
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
This is a refactoring where instead of creating the ldb path in the
|
|
operation itself, we create the ldb path when creating the local db request
|
|
and pass the path to the operation.
|
|
|
|
This would allow us to store different kind of objects in the secrets
|
|
storage later.
|
|
|
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
---
|
|
src/responder/secrets/local.c | 170 +++++++++++++++++++++---------------------
|
|
1 file changed, 84 insertions(+), 86 deletions(-)
|
|
|
|
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
|
|
index ed70193bcb27d84eaf449f6f7571c94f466c9896..9dcdd9925e542499d3a962b4998103b07c26a5ab 100644
|
|
--- a/src/responder/secrets/local.c
|
|
+++ b/src/responder/secrets/local.c
|
|
@@ -199,39 +199,36 @@ static char *local_dn_to_path(TALLOC_CTX *mem_ctx,
|
|
return path;
|
|
}
|
|
|
|
+struct local_db_req {
|
|
+ char *path;
|
|
+ struct ldb_dn *basedn;
|
|
+};
|
|
+
|
|
#define LOCAL_SIMPLE_FILTER "(type=simple)"
|
|
#define LOCAL_CONTAINER_FILTER "(type=container)"
|
|
|
|
static int local_db_get_simple(TALLOC_CTX *mem_ctx,
|
|
struct local_context *lctx,
|
|
- const char *req_path,
|
|
+ struct local_db_req *lc_req,
|
|
char **secret)
|
|
{
|
|
TALLOC_CTX *tmp_ctx;
|
|
static const char *attrs[] = { "secret", "enctype", NULL };
|
|
struct ldb_result *res;
|
|
- struct ldb_dn *dn;
|
|
const char *attr_secret;
|
|
const char *attr_enctype;
|
|
int ret;
|
|
|
|
- DEBUG(SSSDBG_TRACE_FUNC, "Retrieving a secret from [%s]\n", req_path);
|
|
+ DEBUG(SSSDBG_TRACE_FUNC, "Retrieving a secret from [%s]\n", lc_req->path);
|
|
|
|
tmp_ctx = talloc_new(mem_ctx);
|
|
if (!tmp_ctx) return ENOMEM;
|
|
|
|
- ret = local_db_dn(tmp_ctx, lctx->ldb, req_path, &dn);
|
|
- if (ret != EOK) {
|
|
- DEBUG(SSSDBG_OP_FAILURE,
|
|
- "local_db_dn failed [%d]: %s\n", ret, sss_strerror(ret));
|
|
- goto done;
|
|
- }
|
|
-
|
|
DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
"Searching for [%s] at [%s] with scope=base\n",
|
|
- LOCAL_SIMPLE_FILTER, ldb_dn_get_linearized(dn));
|
|
+ LOCAL_SIMPLE_FILTER, ldb_dn_get_linearized(lc_req->basedn));
|
|
|
|
- ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
|
|
+ ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->basedn, LDB_SCOPE_BASE,
|
|
attrs, "%s", LOCAL_SIMPLE_FILTER);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_TRACE_LIBS,
|
|
@@ -278,34 +275,26 @@ done:
|
|
|
|
static int local_db_list_keys(TALLOC_CTX *mem_ctx,
|
|
struct local_context *lctx,
|
|
- const char *req_path,
|
|
+ struct local_db_req *lc_req,
|
|
char ***_keys,
|
|
int *num_keys)
|
|
{
|
|
TALLOC_CTX *tmp_ctx;
|
|
static const char *attrs[] = { "secret", NULL };
|
|
struct ldb_result *res;
|
|
- struct ldb_dn *dn;
|
|
char **keys;
|
|
int ret;
|
|
|
|
tmp_ctx = talloc_new(mem_ctx);
|
|
if (!tmp_ctx) return ENOMEM;
|
|
|
|
- DEBUG(SSSDBG_TRACE_FUNC, "Listing keys at [%s]\n", req_path);
|
|
-
|
|
- ret = local_db_dn(tmp_ctx, lctx->ldb, req_path, &dn);
|
|
- if (ret != EOK) {
|
|
- DEBUG(SSSDBG_OP_FAILURE,
|
|
- "local_db_dn failed [%d]: %s\n", ret, sss_strerror(ret));
|
|
- goto done;
|
|
- }
|
|
+ DEBUG(SSSDBG_TRACE_FUNC, "Listing keys at [%s]\n", lc_req->path);
|
|
|
|
DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
"Searching for [%s] at [%s] with scope=subtree\n",
|
|
- LOCAL_SIMPLE_FILTER, ldb_dn_get_linearized(dn));
|
|
+ LOCAL_SIMPLE_FILTER, ldb_dn_get_linearized(lc_req->basedn));
|
|
|
|
- ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
|
|
+ ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->basedn, LDB_SCOPE_SUBTREE,
|
|
attrs, "%s", LOCAL_SIMPLE_FILTER);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_TRACE_LIBS,
|
|
@@ -327,7 +316,7 @@ static int local_db_list_keys(TALLOC_CTX *mem_ctx,
|
|
}
|
|
|
|
for (unsigned i = 0; i < res->count; i++) {
|
|
- keys[i] = local_dn_to_path(keys, dn, res->msgs[i]->dn);
|
|
+ keys[i] = local_dn_to_path(keys, lc_req->basedn, res->msgs[i]->dn);
|
|
if (!keys[i]) {
|
|
ret = ENOMEM;
|
|
goto done;
|
|
@@ -474,7 +463,7 @@ static int local_check_max_payload_size(struct local_context *lctx,
|
|
|
|
static int local_db_put_simple(TALLOC_CTX *mem_ctx,
|
|
struct local_context *lctx,
|
|
- const char *req_path,
|
|
+ struct local_db_req *lc_req,
|
|
const char *secret)
|
|
{
|
|
struct ldb_message *msg;
|
|
@@ -482,20 +471,14 @@ static int local_db_put_simple(TALLOC_CTX *mem_ctx,
|
|
char *enc_secret;
|
|
int ret;
|
|
|
|
+ DEBUG(SSSDBG_TRACE_FUNC, "Adding a secret to [%s]\n", lc_req->path);
|
|
+
|
|
msg = ldb_msg_new(mem_ctx);
|
|
if (!msg) {
|
|
ret = ENOMEM;
|
|
goto done;
|
|
}
|
|
-
|
|
- DEBUG(SSSDBG_TRACE_FUNC, "Adding a secret to [%s]\n", req_path);
|
|
-
|
|
- ret = local_db_dn(msg, lctx->ldb, req_path, &msg->dn);
|
|
- if (ret != EOK) {
|
|
- DEBUG(SSSDBG_OP_FAILURE,
|
|
- "local_db_dn failed [%d]: %s\n", ret, sss_strerror(ret));
|
|
- goto done;
|
|
- }
|
|
+ msg->dn = lc_req->basedn;
|
|
|
|
/* make sure containers exist */
|
|
ret = local_db_check_containers(msg, lctx, msg->dn);
|
|
@@ -585,32 +568,24 @@ done:
|
|
|
|
static int local_db_delete(TALLOC_CTX *mem_ctx,
|
|
struct local_context *lctx,
|
|
- const char *req_path)
|
|
+ struct local_db_req *lc_req)
|
|
{
|
|
TALLOC_CTX *tmp_ctx;
|
|
- struct ldb_dn *dn;
|
|
static const char *attrs[] = { NULL };
|
|
struct ldb_result *res;
|
|
int ret;
|
|
|
|
- DEBUG(SSSDBG_TRACE_FUNC, "Removing a secret from [%s]\n", req_path);
|
|
+ DEBUG(SSSDBG_TRACE_FUNC, "Removing a secret from [%s]\n", lc_req->path);
|
|
|
|
tmp_ctx = talloc_new(mem_ctx);
|
|
if (!tmp_ctx) return ENOMEM;
|
|
|
|
- ret = local_db_dn(mem_ctx, lctx->ldb, req_path, &dn);
|
|
- if (ret != EOK) {
|
|
- DEBUG(SSSDBG_OP_FAILURE,
|
|
- "local_db_dn failed [%d]: %s\n", ret, sss_strerror(ret));
|
|
- goto done;
|
|
- }
|
|
-
|
|
DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
"Searching for [%s] at [%s] with scope=base\n",
|
|
- LOCAL_CONTAINER_FILTER, ldb_dn_get_linearized(dn));
|
|
+ LOCAL_CONTAINER_FILTER, ldb_dn_get_linearized(lc_req->basedn));
|
|
|
|
- ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
|
|
- attrs, LOCAL_CONTAINER_FILTER);
|
|
+ ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->basedn, LDB_SCOPE_BASE,
|
|
+ attrs, LOCAL_CONTAINER_FILTER);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_TRACE_LIBS,
|
|
"ldb_search returned %d: %s\n", ret, ldb_strerror(ret));
|
|
@@ -619,8 +594,8 @@ static int local_db_delete(TALLOC_CTX *mem_ctx,
|
|
|
|
if (res->count == 1) {
|
|
DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
- "Searching for children of [%s]\n", ldb_dn_get_linearized(dn));
|
|
- ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
|
|
+ "Searching for children of [%s]\n", ldb_dn_get_linearized(lc_req->basedn));
|
|
+ ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->basedn, LDB_SCOPE_ONELEVEL,
|
|
attrs, NULL);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_TRACE_LIBS,
|
|
@@ -632,13 +607,13 @@ static int local_db_delete(TALLOC_CTX *mem_ctx,
|
|
ret = EEXIST;
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
"Failed to remove '%s': Container is not empty\n",
|
|
- ldb_dn_get_linearized(dn));
|
|
+ ldb_dn_get_linearized(lc_req->basedn));
|
|
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
- ret = ldb_delete(lctx->ldb, dn);
|
|
+ ret = ldb_delete(lctx->ldb, lc_req->basedn);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_TRACE_LIBS,
|
|
"ldb_delete returned %d: %s\n", ret, ldb_strerror(ret));
|
|
@@ -653,25 +628,19 @@ done:
|
|
|
|
static int local_db_create(TALLOC_CTX *mem_ctx,
|
|
struct local_context *lctx,
|
|
- const char *req_path)
|
|
+ struct local_db_req *lc_req)
|
|
{
|
|
struct ldb_message *msg;
|
|
int ret;
|
|
|
|
+ DEBUG(SSSDBG_TRACE_FUNC, "Creating a container at [%s]\n", lc_req->path);
|
|
+
|
|
msg = ldb_msg_new(mem_ctx);
|
|
if (!msg) {
|
|
ret = ENOMEM;
|
|
goto done;
|
|
}
|
|
-
|
|
- DEBUG(SSSDBG_TRACE_FUNC, "Creating a container at [%s]\n", req_path);
|
|
-
|
|
- ret = local_db_dn(msg, lctx->ldb, req_path, &msg->dn);
|
|
- if (ret != EOK) {
|
|
- DEBUG(SSSDBG_OP_FAILURE,
|
|
- "local_db_dn failed [%d]: %s\n", ret, sss_strerror(ret));
|
|
- goto done;
|
|
- }
|
|
+ msg->dn = lc_req->basedn;
|
|
|
|
/* make sure containers exist */
|
|
ret = local_db_check_containers(msg, lctx, msg->dn);
|
|
@@ -724,10 +693,13 @@ done:
|
|
}
|
|
|
|
static int local_secrets_map_path(TALLOC_CTX *mem_ctx,
|
|
+ struct ldb_context *ldb,
|
|
struct sec_req_ctx *secreq,
|
|
- char **local_db_path)
|
|
+ struct local_db_req **_lc_req)
|
|
{
|
|
int ret;
|
|
+ struct local_db_req *lc_req;
|
|
+ const char *basedn;
|
|
|
|
/* be strict for now */
|
|
if (secreq->parsed_url.fragment != NULL) {
|
|
@@ -755,20 +727,46 @@ static int local_secrets_map_path(TALLOC_CTX *mem_ctx,
|
|
}
|
|
}
|
|
|
|
- /* drop SEC_BASEPATH prefix */
|
|
- *local_db_path =
|
|
- talloc_strdup(mem_ctx, &secreq->mapped_path[sizeof(SEC_BASEPATH) - 1]);
|
|
- if (!*local_db_path) {
|
|
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
- "Failed to map request to local db path\n");
|
|
+ lc_req = talloc(mem_ctx, struct local_db_req);
|
|
+ if (lc_req == NULL) {
|
|
return ENOMEM;
|
|
}
|
|
|
|
- DEBUG(SSSDBG_TRACE_LIBS, "Local DB path is %s\n", *local_db_path);
|
|
- return EOK;
|
|
+ /* drop the prefix and select a basedn instead */
|
|
+ if (strncmp(secreq->mapped_path,
|
|
+ SEC_BASEPATH, sizeof(SEC_BASEPATH) - 1) == 0) {
|
|
+ lc_req->path = talloc_strdup(lc_req,
|
|
+ secreq->mapped_path + (sizeof(SEC_BASEPATH) - 1));
|
|
+ basedn = SECRETS_BASEDN;
|
|
+ } else {
|
|
+ ret = EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ if (lc_req->path == NULL) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Failed to map request to local db path\n");
|
|
+ ret = ENOMEM;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = local_db_dn(mem_ctx, ldb, basedn, lc_req->path, &lc_req->basedn);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Failed to map request to local db DN\n");
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ DEBUG(SSSDBG_TRACE_LIBS, "Local DB path is %s\n", lc_req->path);
|
|
+ ret = EOK;
|
|
+ *_lc_req = lc_req;
|
|
+done:
|
|
+ if (ret != EOK) {
|
|
+ talloc_free(lc_req);
|
|
+ }
|
|
+ return ret;
|
|
}
|
|
|
|
-
|
|
struct local_secret_state {
|
|
struct tevent_context *ev;
|
|
struct sec_req_ctx *secreq;
|
|
@@ -785,7 +783,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx,
|
|
struct sec_data body = { 0 };
|
|
const char *content_type;
|
|
bool body_is_json;
|
|
- char *req_path;
|
|
+ struct local_db_req *lc_req;
|
|
char *secret;
|
|
char **keys;
|
|
int nkeys;
|
|
@@ -821,14 +819,14 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx,
|
|
}
|
|
DEBUG(SSSDBG_TRACE_LIBS, "Content-Type: %s\n", content_type);
|
|
|
|
- ret = local_secrets_map_path(state, secreq, &req_path);
|
|
+ ret = local_secrets_map_path(state, lctx->ldb, secreq, &lc_req);
|
|
if (ret) goto done;
|
|
|
|
switch (secreq->method) {
|
|
case HTTP_GET:
|
|
- DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP GET at [%s]\n", req_path);
|
|
- if (req_path[strlen(req_path) - 1] == '/') {
|
|
- ret = local_db_list_keys(state, lctx, req_path, &keys, &nkeys);
|
|
+ DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP GET at [%s]\n", lc_req->path);
|
|
+ if (lc_req->path[strlen(lc_req->path) - 1] == '/') {
|
|
+ ret = local_db_list_keys(state, lctx, lc_req, &keys, &nkeys);
|
|
if (ret) goto done;
|
|
|
|
ret = sec_array_to_json(state, keys, nkeys, &body.data);
|
|
@@ -838,7 +836,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx,
|
|
break;
|
|
}
|
|
|
|
- ret = local_db_get_simple(state, lctx, req_path, &secret);
|
|
+ ret = local_db_get_simple(state, lctx, lc_req, &secret);
|
|
if (ret) goto done;
|
|
|
|
if (body_is_json) {
|
|
@@ -855,7 +853,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx,
|
|
break;
|
|
|
|
case HTTP_PUT:
|
|
- DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP PUT at [%s]\n", req_path);
|
|
+ DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP PUT at [%s]\n", lc_req->path);
|
|
if (body_is_json) {
|
|
ret = sec_json_to_simple_secret(state, secreq->body.data,
|
|
&secret);
|
|
@@ -866,27 +864,27 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx,
|
|
}
|
|
if (ret) goto done;
|
|
|
|
- ret = local_db_put_simple(state, lctx, req_path, secret);
|
|
+ ret = local_db_put_simple(state, lctx, lc_req, secret);
|
|
if (ret) goto done;
|
|
break;
|
|
|
|
case HTTP_DELETE:
|
|
- ret = local_db_delete(state, lctx, req_path);
|
|
+ ret = local_db_delete(state, lctx, lc_req);
|
|
if (ret) goto done;
|
|
break;
|
|
|
|
case HTTP_POST:
|
|
- DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP POST at [%s]\n", req_path);
|
|
- plen = strlen(req_path);
|
|
+ DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP POST at [%s]\n", lc_req->path);
|
|
+ plen = strlen(lc_req->path);
|
|
|
|
- if (req_path[plen - 1] != '/') {
|
|
+ if (lc_req->path[plen - 1] != '/') {
|
|
ret = EINVAL;
|
|
goto done;
|
|
}
|
|
|
|
- req_path[plen - 1] = '\0';
|
|
+ lc_req->path[plen - 1] = '\0';
|
|
|
|
- ret = local_db_create(state, lctx, req_path);
|
|
+ ret = local_db_create(state, lctx, lc_req);
|
|
if (ret) goto done;
|
|
break;
|
|
|
|
--
|
|
2.12.2
|
|
|