authorJakub Hrozek <jhrozek@redhat.com>2015-10-15 23:41:46 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-10-16 16:08:12 +0200
commitf47163162cb50d00cbad1aa7ebf9a1cf8464b826 (patch)
treedad3ce3976599a6e21ca62019bc06832aac9659c
parent16204ef5ad2b2ff60654c8c6f98958d2c70c0cbb (diff)
SQ: Add me to previous commit
-rw-r--r--Makefile.am2
-rw-r--r--src/responder/pam/pamsrv.h12
-rw-r--r--src/responder/pam/pamsrv_cmd.c95
-rw-r--r--src/responder/pam/pamsrv_reply.c90
4 files changed, 125 insertions, 74 deletions
diff --git a/Makefile.am b/Makefile.am
index 1ab57c480..a9ff93b66 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1109,6 +1109,7 @@ sssd_pam_SOURCES = \
src/responder/pam/pamsrv.c \
src/responder/pam/pamsrv_cmd.c \
src/responder/pam/pamsrv_extract.c \
+ src/responder/pam/pamsrv_reply.c \
src/responder/pam/pamsrv_p11.c \
src/responder/pam/pamsrv_dp.c \
src/responder/pam/pam_helpers.c \
@@ -1905,6 +1906,7 @@ pam_srv_tests_SOURCES = \
src/sss_client/pam_message.c \
src/responder/pam/pamsrv_cmd.c \
src/responder/pam/pamsrv_extract.c \
+ src/responder/pam/pamsrv_reply.c \
src/responder/pam/pamsrv_p11.c \
src/responder/pam/pam_helpers.c \
src/responder/pam/pamsrv_dp.c \
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 89d9f057d..bd9e20874 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -96,6 +96,18 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *user,
bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
+enum pam_verbosity {
+ PAM_VERBOSITY_NO_MESSAGES = 0,
+ PAM_VERBOSITY_IMPORTANT,
+ PAM_VERBOSITY_INFO,
+ PAM_VERBOSITY_DEBUG
+};
+
errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *pd);
+/* PAM responder output API */
+errno_t pamsrv_exp_warn(struct pam_data *pd,
+ int pam_verbosity,
+ const char *pam_account_expired_message);
+
#endif /* __PAMSRV_H__ */
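Review bot: `pamsrv_exp_warn` is exported from the responder header without any comment stating its contract, and its third parameter is named `pam_account_expired_message` here but `exp_msg` in the definition in pamsrv_reply.c. Suggest aligning the names and adding above the prototype: `/* Queue an SSS_PAM_USER_INFO_ACCOUNT_EXPIRED user-info message on pd when pd->pam_status is PAM_ACCT_EXPIRED and either the service is sshd or pam_verbosity >= PAM_VERBOSITY_INFO; exp_msg must be non-NULL. Returns EOK or an errno. */`. Moving `enum pam_verbosity` into the header also makes it part of the API, so a one-line comment on what each level controls would help readers who no longer see it next to DEFAULT_PAM_VERBOSITY.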
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 2c503582b..942a966a6 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -34,13 +34,6 @@
#include "responder/common/responder_cache_req.h"
#include "db/sysdb.h"
-enum pam_verbosity {
- PAM_VERBOSITY_NO_MESSAGES = 0,
- PAM_VERBOSITY_IMPORTANT,
- PAM_VERBOSITY_INFO,
- PAM_VERBOSITY_DEBUG
-};
-
#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
static errno_t
@@ -53,55 +46,6 @@ pam_get_last_online_auth_with_curr_token(struct sss_domain_info *domain,
static void pam_reply(struct pam_auth_req *preq);
-static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
- const char *user_error_message,
- size_t *resp_len,
- uint8_t **_resp)
-{
- uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED;
- size_t err_len;
- uint8_t *resp;
- size_t p;
-
- err_len = strlen(user_error_message);
- *resp_len = 2 * sizeof(uint32_t) + err_len;
- resp = talloc_size(mem_ctx, *resp_len);
- if (resp == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
- return ENOMEM;
- }
-
- p = 0;
- SAFEALIGN_SET_UINT32(&resp[p], resp_type, &p);
- SAFEALIGN_SET_UINT32(&resp[p], err_len, &p);
- safealign_memcpy(&resp[p], user_error_message, err_len, &p);
- if (p != *resp_len) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Size mismatch\n");
- }
-
- *_resp = resp;
- return EOK;
-}
-
-static void inform_account_expired(struct pam_data* pd,
- const char *pam_message)
-{
- size_t msg_len;
- uint8_t *msg;
- errno_t ret;
-
- ret = pack_user_info_account_expired(pd, pam_message, &msg_len, &msg);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "pack_user_info_account_expired failed.\n");
- } else {
- ret = pam_add_response(pd, SSS_PAM_USER_INFO, msg_len, msg);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
- }
- }
-}
-
static bool is_domain_requested(struct pam_data *pd, const char *domain_name)
{
int i;
@@ -303,7 +247,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
static errno_t add_warning_about_expiration(struct pam_data *pd,
struct confdb_ctx *cdb)
{
- char* pam_account_expired_message;
+ char *pam_account_expired_message;
int pam_verbosity;
errno_t ret;
@@ -316,25 +260,28 @@ static errno_t add_warning_about_expiration(struct pam_data *pd,
pam_verbosity = DEFAULT_PAM_VERBOSITY;
}
- /* Account expiration warning is printed for sshd. If pam_verbosity
- * is equal or above PAM_VERBOSITY_INFO then all services are informed
- * about account expiration.
- */
- if (pd->pam_status == PAM_ACCT_EXPIRED &&
- ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) ||
- pam_verbosity >= PAM_VERBOSITY_INFO)) {
+ if (pd->pam_status != PAM_ACCT_EXPIRED ||
+ ((pd->service == NULL || strcasecmp(pd->service, "sshd") != 0) ||
+ pam_verbosity < PAM_VERBOSITY_INFO)) {
+ return EOK;
+ }
- ret = confdb_get_string(cdb, pd, CONFDB_PAM_CONF_ENTRY,
- CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "",
- &pam_account_expired_message);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Failed to get expiration message: %d:[%s].\n",
- ret, sss_strerror(ret));
- goto done;
- }
+ ret = confdb_get_string(cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "",
+ &pam_account_expired_message);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to get expiration message: %d:[%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
- inform_account_expired(pd, pam_account_expired_message);
+ ret = pamsrv_exp_warn(pd, pam_verbosity, pam_account_expired_message);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to add password expiration warning: %d: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
}
ret = EOK;
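Review bot: The inverted guard at the top of this hunk is mis-negated: the original condition (proceed when expired AND (sshd OR verbosity >= INFO)) negates to "return when not expired OR (not sshd AND verbosity < INFO)", but the new code joins the last two terms with `||`, so sshd at the default PAM_VERBOSITY_IMPORTANT and non-sshd services at INFO level both return EOK before any warning is queued. The one-token fix is to change the `||` before `pam_verbosity < PAM_VERBOSITY_INFO` to `&&`: `((pd->service == NULL || strcasecmp(pd->service, "sshd") != 0) && pam_verbosity < PAM_VERBOSITY_INFO))`. Since pamsrv_exp_warn repeats the same test in pamsrv_reply.c, an alternative is to drop the guard here and keep a single copy; either way the removed explanatory comment about sshd and pam_verbosity should be restored next to whichever copy remains. The new DEBUG text says "password expiration warning" although the message being added is the account-expired one. add_warning_about_expiration starts and ends outside this hunk.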
diff --git a/src/responder/pam/pamsrv_reply.c b/src/responder/pam/pamsrv_reply.c
new file mode 100644
index 000000000..9cd1c88f2
--- /dev/null
+++ b/src/responder/pam/pamsrv_reply.c
@@ -0,0 +1,90 @@
+/*
+ SSSD
+
+ PAM Responder
+
+ Copyright (C) Red Hat 2015
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/pam/pamsrv.h"
+#include "responder/common/responder_packet.h"
+
+static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
+ const char *user_error_message,
+ size_t *resp_len,
+ uint8_t **_resp);
+
+errno_t pamsrv_exp_warn(struct pam_data *pd,
+ int pam_verbosity,
+ const char *exp_msg)
+{
+ size_t msg_len;
+ uint8_t *msg;
+ errno_t ret;
+
+ if (pd->pam_status == PAM_ACCT_EXPIRED &&
+ ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) ||
+ pam_verbosity >= PAM_VERBOSITY_INFO)) {
+
+ ret = pack_user_info_account_expired(pd, exp_msg, &msg_len, &msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pack_user_info_account_expired failed.\n");
+ return ret;
+ } else {
+ ret = pam_add_response(pd, SSS_PAM_USER_INFO, msg_len, msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ return ret;
+ }
+ }
+ }
+
+ return EOK;
+}
+
+static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
+ const char *user_error_message,
+ size_t *resp_len,
+ uint8_t **_resp)
+{
+ uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED;
+ size_t err_len;
+ uint8_t *resp;
+ size_t p;
+
+ err_len = strlen(user_error_message);
+ *resp_len = 2 * sizeof(uint32_t) + err_len;
+ resp = talloc_size(mem_ctx, *resp_len);
+ if (resp == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
+ return ENOMEM;
+ }
+
+ p = 0;
+ SAFEALIGN_SET_UINT32(&resp[p], resp_type, &p);
+ SAFEALIGN_SET_UINT32(&resp[p], err_len, &p);
+ safealign_memcpy(&resp[p], user_error_message, err_len, &p);
+ if (p != *resp_len) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Size mismatch\n");
+ }
+
+ *_resp = resp;
+ return EOK;
+}
+
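Review bot: pack_user_info_account_expired logs "Size mismatch" at SSSDBG_FATAL_FAILURE but then still returns EOK with *_resp set, so pamsrv_exp_warn would hand a buffer whose contents disagree with *resp_len to pam_add_response; the mismatch branch should fail instead, `talloc_free(resp); return EINVAL;` after the DEBUG call. The function also stores `err_len` (a size_t) into the uint32_t length field without a bound check, and pamsrv_exp_warn calls strlen on `exp_msg` with no NULL check now that it is an exported API — both worth guarding or stating as caller obligations. The expired/sshd/verbosity test in pamsrv_exp_warn duplicates the one in add_warning_about_expiration in pamsrv_cmd.c; keeping it in one place would avoid the two drifting apart. The new file has no function-level comments; a header on pamsrv_exp_warn describing when a message is appended and the wire layout produced (uint32 type, uint32 length, then the message bytes with no terminator) would help the next reader.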