From e05dfeca855986cd11674a64ef6333c2d67e9bc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 22 Oct 2020 11:18:12 +0200
Subject: [PATCH 05/19] secrets: allow to specify secret's data format
Currently, both KCM and secrets responders store JSON formatted string
in the secrets database. One of the next commits makes KCM store
binary format instead of JSON string to improve performance. We need
to be able to distinguish the formats to keep KCM update compatible
with existing ccache and also to keep secrets responder working.
---
src/responder/kcm/kcmsrv_ccache_secdb.c | 8 ++--
src/responder/secrets/local.c | 4 +-
src/util/secrets/secrets.c | 57 ++++++++++++++++++++-----
src/util/secrets/secrets.h | 9 ++--
4 files changed, 59 insertions(+), 19 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
index f3b9af840381881e99bbead70ea7edabf945a8e2..8e5bd4f7376173fd075c1a64785a597bcf2f97ba 100644
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
@@ -49,7 +49,7 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
- ret = sss_sec_get(tmp_ctx, req, &secret);
+ ret = sss_sec_get(tmp_ctx, req, &secret, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret));
@@ -78,7 +78,7 @@ static errno_t sec_put(TALLOC_CTX *mem_ctx,
errno_t ret;
ret = sss_sec_put(req, (const char *)sss_iobuf_get_data(buf),
- SSS_SEC_PLAINTEXT);
+ SSS_SEC_PLAINTEXT, "simple");
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret));
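Review bot: The new data-format tag is spelled as the bare literal `"simple"` at this call site, again in the sec_update hunk below, and in local.c's sss_sec_put call, while sss_sec_get in secrets.c separately defaults to the same literal; a mistyped copy at any one site would silently produce an entry the readers cannot classify. A single shared definition in secrets.h, for example `#define SSS_SEC_DATATYPE_SIMPLE "simple"` (name constructed, pick whatever fits the header), passed at every call site and used as the read-side default, keeps the writers and the reader in agreement. sec_put's body continues outside the hunk.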
@@ -94,7 +94,7 @@ static errno_t sec_update(TALLOC_CTX *mem_ctx,
errno_t ret;
ret = sss_sec_update(req, (const char *)sss_iobuf_get_data(buf),
- SSS_SEC_PLAINTEXT);
+ SSS_SEC_PLAINTEXT, "simple");
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret));
@@ -700,7 +700,7 @@ static struct tevent_req *ccdb_secdb_set_default_send(TALLOC_CTX *mem_ctx,
goto immediate;
}
- ret = sss_sec_get(state, sreq, &cur_default);
+ ret = sss_sec_get(state, sreq, &cur_default, NULL);
if (ret == ENOENT) {
ret = sec_put(state, sreq, iobuf);
} else if (ret == EOK) {
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index 815e7507ba6b3e210891c26dd243a2a67d8920f0..fee52674d73f6f8071b4d66ac91bed3b210c8e23 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -134,7 +134,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx,
break;
}
- ret = sss_sec_get(state, ssec_req, &secret);
+ ret = sss_sec_get(state, ssec_req, &secret, NULL);
if (ret) goto done;
if (body_is_json) {
@@ -168,7 +168,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx,
}
if (ret) goto done;
- ret = sss_sec_put(ssec_req, secret, SSS_SEC_MASTERKEY);
+ ret = sss_sec_put(ssec_req, secret, SSS_SEC_MASTERKEY, "simple");
if (ret) goto done;
break;
diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
index b3d40fdcb4bc2aeeb6aae4e17654ae06b00db876..51fc85fb09934c25290c625fe2a2d8090285117d 100644
--- a/src/util/secrets/secrets.c
+++ b/src/util/secrets/secrets.c
@@ -1000,14 +1000,18 @@ done:
errno_t sss_sec_get(TALLOC_CTX *mem_ctx,
struct sss_sec_req *req,
- char **_secret)
+ char **_secret,
+ char **_datatype)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = { "secret", "enctype", NULL };
+ static const char *attrs[] = { "secret", "enctype", "type", NULL };
struct ldb_result *res;
const char *attr_secret;
const char *attr_enctype;
+ const char *attr_datatype;
enum sss_sec_enctype enctype;
+ char *datatype;
+ char *secret;
int ret;
if (req == NULL || _secret == NULL) {
@@ -1057,15 +1061,30 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx,
if (attr_enctype) {
enctype = sss_sec_str_to_enctype(attr_enctype);
- ret = local_decrypt(req->sctx, mem_ctx, attr_secret, enctype, _secret);
+ ret = local_decrypt(req->sctx, tmp_ctx, attr_secret, enctype, &secret);
if (ret) goto done;
} else {
- *_secret = talloc_strdup(mem_ctx, attr_secret);
- if (*_secret == NULL) {
+ secret = talloc_strdup(tmp_ctx, attr_secret);
+ if (secret == NULL) {
ret = ENOMEM;
goto done;
}
}
+
+ if (_datatype != NULL) {
+ attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], "type",
+ "simple");
+ datatype = talloc_strdup(tmp_ctx, attr_datatype);
+ if (datatype == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ *_datatype = talloc_steal(mem_ctx, datatype);
+ }
+
+ *_secret = talloc_steal(mem_ctx, secret);
+
ret = EOK;
done:
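Review bot: The fallback `"simple"` handed to ldb_msg_find_attr_as_string is the compatibility-critical decision in this hunk and has no comment explaining it: any entry whose `type` attribute is absent will be reported to the new binary-aware callers as the old JSON-string format. A line such as `/* Entries without a "type" attribute are treated as the pre-existing "simple" (JSON string) format. */` above the call would make that intent reviewable, and it is worth confirming that no write path can produce an entry without the attribute, since the reader would then misclassify it rather than fail. The ownership change (allocate on tmp_ctx, talloc_steal to mem_ctx only on success) is sound. sss_sec_get's argument checks and the ldb query are outside the hunk.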
@@ -1075,7 +1094,8 @@ done:
errno_t sss_sec_put(struct sss_sec_req *req,
const char *secret,
- enum sss_sec_enctype enctype)
+ enum sss_sec_enctype enctype,
+ const char *datatype)
{
struct ldb_message *msg;
char *enc_secret;
@@ -1134,11 +1154,11 @@ errno_t sss_sec_put(struct sss_sec_req *req,
goto done;
}
- ret = ldb_msg_add_string(msg, "type", "simple");
+ ret = ldb_msg_add_string(msg, "type", datatype);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "ldb_msg_add_string failed adding type:simple [%d]: %s\n",
- ret, sss_strerror(ret));
+ "ldb_msg_add_string failed adding type:%s [%d]: %s\n",
+ datatype, ret, sss_strerror(ret));
goto done;
}
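Review bot: `datatype` is handed to `ldb_msg_add_string(msg, "type", datatype)` without a NULL check, and the same unchecked call is added to sss_sec_update further down; if ldb measures the value with strlen (as I recall it does), a caller passing NULL where the old code always supplied "simple" would crash inside ldb rather than get an error, and an empty string would, as far as I remember, be silently dropped so the entry is later read back as "simple". Either reject it with the function's other argument validation (which sits outside the hunk, so it may already be there — confirm), `if (datatype == NULL || *datatype == '\0') return EINVAL;`, or keep the previous behaviour as the default, `if (datatype == NULL) datatype = "simple";`, and document the choice in secrets.h. sss_sec_put's body continues outside the hunk.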
@@ -1188,7 +1208,8 @@ done:
errno_t sss_sec_update(struct sss_sec_req *req,
const char *secret,
- enum sss_sec_enctype enctype)
+ enum sss_sec_enctype enctype,
+ const char *datatype)
{
struct ldb_message *msg;
char *enc_secret;
@@ -1263,6 +1284,22 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
+ ret = ldb_msg_add_empty(msg, "type", LDB_FLAG_MOD_REPLACE, NULL);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret));
+ ret = EIO;
+ goto done;
+ }
+
+ ret = ldb_msg_add_string(msg, "type", datatype);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldb_msg_add_string failed adding type:%s [%d]: %s\n",
+ datatype, ret, sss_strerror(ret));
+ goto done;
+ }
+
/* FIXME - should we have a lastUpdate timestamp? */
ret = ldb_msg_add_empty(msg, "secret", LDB_FLAG_MOD_REPLACE, NULL);
if (ret != LDB_SUCCESS) {
diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h
index 73f40f7eb620904cec8f1cb7891765323ada08ad..f73657629f1a0bb614ccd96728852da66cc18791 100644
--- a/src/util/secrets/secrets.h
+++ b/src/util/secrets/secrets.h
@@ -95,15 +95,18 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx,
errno_t sss_sec_get(TALLOC_CTX *mem_ctx,
struct sss_sec_req *req,
- char **_secret);
+ char **_secret,
+ char **_datatype);
errno_t sss_sec_put(struct sss_sec_req *req,
const char *secret,
- enum sss_sec_enctype enctype);
+ enum sss_sec_enctype enctype,
+ const char *datatype);
errno_t sss_sec_update(struct sss_sec_req *req,
const char *secret,
- enum sss_sec_enctype enctype);
+ enum sss_sec_enctype enctype,
+ const char *datatype);
errno_t sss_sec_create_container(struct sss_sec_req *req);
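Review bot: The three new parameters are undocumented in the header, and their contracts differ in ways a caller cannot guess from the prototypes: `_datatype` on sss_sec_get may be NULL to skip the lookup and otherwise receives a string allocated under mem_ctx, whereas `datatype` on sss_sec_put and sss_sec_update is written verbatim into the `type` attribute and, in the implementation visible in this patch, is not checked for NULL. A short Doxygen block on each prototype stating optionality, ownership, the currently defined value `"simple"`, and what the reader returns when the attribute is missing would let the other responders adopt the new format tag without reading secrets.c.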
--
2.25.4