Move actual password caching into sysdb

Convert auth modules to do the caching themselves

4 files changed, 2 insertions, 126 deletions

diff --git a/server/responder/pam/pam_LOCAL_domain.c b/server/responder/pam/pam_LOCAL_domain.c
index 614d640e6..010bd8d4b 100644
--- a/server/responder/pam/pam_LOCAL_domain.c
+++ b/server/responder/pam/pam_LOCAL_domain.c
@@ -115,7 +115,7 @@ static void set_user_attr_req(struct sysdb_req *req, void *pvt)
 
     lreq->sysdb_req = req;
 
-    ret = sysdb_set_user_attr(req, lreq->dbctx, lreq->preq->domain,
+    ret = sysdb_set_user_attr(req, lreq->preq->domain,
                               lreq->preq->pd->user, lreq->mod_attrs,
                               set_user_attr_callback, lreq);
     if (ret != EOK)
diff --git a/server/responder/pam/pamsrv.h b/server/responder/pam/pamsrv.h
index d95df169f..fa688fe16 100644
--- a/server/responder/pam/pamsrv.h
+++ b/server/responder/pam/pamsrv.h
@@ -27,7 +27,6 @@ struct sss_cmd_table *register_sss_cmds(void);
 
 int pam_dp_send_req(struct pam_auth_req *preq, int timeout);
 
-int pam_cache_credentials(struct pam_auth_req *preq);
 int pam_cache_auth(struct pam_auth_req *preq);
 
 int LOCAL_pam_handler(struct pam_auth_req *preq);
diff --git a/server/responder/pam/pamsrv_cache.c b/server/responder/pam/pamsrv_cache.c
index ed18f6a1b..d1c34e5f6 100644
--- a/server/responder/pam/pamsrv_cache.c
+++ b/server/responder/pam/pamsrv_cache.c
@@ -53,120 +53,10 @@ static int authtok2str(const void *mem_ctx,
 
 struct set_attrs_ctx {
     struct pam_auth_req *preq;
-    struct sysdb_attrs *attrs;
     struct sysdb_req *sysreq;
+    char *password;
 };
 
-static void pc_set_user_attr_callback(void *pvt,
-                                      int ldb_status,
-                                      struct ldb_result *res)
-{
-    struct set_attrs_ctx *ctx;
-    int error;
-
-    ctx = talloc_get_type(pvt, struct set_attrs_ctx);
-    error = sysdb_error_to_errno(ldb_status);
-
-    sysdb_transaction_done(ctx->sysreq, error);
-
-    if (ldb_status != LDB_SUCCESS) {
-        DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
-                  ctx->preq->pd->user, error, strerror(error)));
-    }
-
-    ctx->preq->callback(ctx->preq);
-}
-
-static void pc_set_user_attr_req(struct sysdb_req *req, void *pvt)
-{
-    struct set_attrs_ctx *ctx;
-    int ret;
-
-    DEBUG(4, ("entering pc_set_user_attr_req\n"));
-
-    ctx = talloc_get_type(pvt, struct set_attrs_ctx);
-
-    ctx->sysreq = req;
-
-    ret = sysdb_set_user_attr(req, ctx->preq->cctx->rctx->sysdb,
-                              ctx->preq->domain,
-                              ctx->preq->pd->user,
-                              ctx->attrs,
-                              pc_set_user_attr_callback, ctx);
-    if (ret != EOK) {
-        sysdb_transaction_done(ctx->sysreq, ret);
-    }
-
-    if (ret != EOK) {
-        DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
-                  ctx->preq->pd->user, ret, strerror(ret)));
-        ctx->preq->callback(ctx->preq);
-    }
-}
-
-int pam_cache_credentials(struct pam_auth_req *preq)
-{
-    struct set_attrs_ctx *ctx;
-    struct pam_data *pd;
-    char *password = NULL;
-    char *comphash = NULL;
-    char *salt;
-    int i, ret;
-
-    pd = preq->pd;
-
-    ret = authtok2str(preq, pd->authtok, pd->authtok_size, &password);
-    if (ret) {
-        DEBUG(4, ("Invalid auth token.\n"));
-        ret = EINVAL;
-        goto done;
-    }
-
-    ret = s3crypt_gen_salt(preq, &salt);
-    if (ret) {
-        DEBUG(4, ("Failed to generate random salt.\n"));
-        goto done;
-    }
-
-    ret = s3crypt_sha512(preq, password, salt, &comphash);
-    if (ret) {
-        DEBUG(4, ("Failed to create password hash.\n"));
-        goto done;
-    }
-
-    ctx = talloc_zero(preq, struct set_attrs_ctx);
-    if (!ctx) {
-        ret = ENOMEM;
-        goto done;
-    }
-    ctx->preq = preq;
-
-    ctx->attrs = sysdb_new_attrs(ctx);
-    if (!ctx->attrs) {
-        ret = ENOMEM;
-        goto done;
-    }
-
-    ret = sysdb_attrs_add_string(ctx->attrs, SYSDB_CACHEDPWD, comphash);
-    if (ret) goto done;
-
-    /* FIXME: should we use a different attribute for chache passwords ?? */
-    ret = sysdb_attrs_add_long(ctx->attrs, "lastCachedPasswordChange",
-                               (long)time(NULL));
-    if (ret) goto done;
-
-    ret = sysdb_transaction(ctx, preq->cctx->rctx->sysdb,
-                            pc_set_user_attr_req, ctx);
-
-done:
-    if (password) for (i = 0; password[i]; i++) password[i] = 0;
-    if (ret != EOK) {
-        DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
-                  pd->user, ret, strerror(ret)));
-    }
-    return ret;
-}
-
 static void pam_cache_auth_return(struct pam_auth_req *preq, int error)
 {
     preq->pd->pam_status = error;
diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c
index 00765d47c..40cccffb6 100644
--- a/server/responder/pam/pamsrv_cmd.c
+++ b/server/responder/pam/pamsrv_cmd.c
@@ -263,19 +263,6 @@ static void pam_reply(struct pam_auth_req *preq)
         (preq->domain->cache_credentials == true) &&
         (pd->offline_auth == false)) {
 
-        if (pd->pam_status == PAM_SUCCESS) {
-            pd->offline_auth = true;
-            preq->callback = pam_reply;
-            ret = pam_cache_credentials(preq);
-            if (ret == EOK) {
-                return;
-            }
-            else {
-                DEBUG(0, ("Failed to cache credentials"));
-                /* this error is not fatal, continue */
-            }
-        }
-
         if (pd->pam_status == PAM_AUTHINFO_UNAVAIL) {
             /* do auth with offline credentials */
             pd->offline_auth = true;