Serialize requests of the same user in the krb5 provider

4 files changed, 239 insertions, 0 deletions

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a0ac0e92f..ce3dea761 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1093,6 +1093,7 @@ void krb5_pam_handler(struct be_req *be_req)
     struct pam_data *pd;
     struct krb5_ctx *krb5_ctx;
     int dp_err = DP_ERR_FATAL;
+    int ret;
 
     pd = talloc_get_type(be_req->req_data, struct pam_data);
     pd->pam_status = PAM_SYSTEM_ERR;
@@ -1108,6 +1109,19 @@ void krb5_pam_handler(struct be_req *be_req)
         case SSS_CMD_RENEW:
         case SSS_PAM_CHAUTHTOK_PRELIM:
         case SSS_PAM_CHAUTHTOK:
+            ret = add_to_wait_queue(be_req, pd, krb5_ctx);
+            if (ret == EOK) {
+                DEBUG(7, ("Request successfully added to wait queue "
+                          "of user [%s].\n", pd->user));
+                return;
+            } else if (ret == ENOENT) {
+                DEBUG(7, ("Wait queue of user [%s] is empty, "
+                          "running request immediately.\n", pd->user));
+            } else {
+                DEBUG(7, ("Failed to add request to wait queue of user [%s], "
+                          "running request immediately.\n", pd->user));
+            }
+
             req = krb5_auth_send(be_req, be_req->be_ctx->ev, be_req->be_ctx, pd,
                                  krb5_ctx);
             if (req == NULL) {
@@ -1154,6 +1168,7 @@ void krb5_auth_done(struct tevent_req *req)
     int pam_status;
     int dp_err;
     struct pam_data *pd;
+    struct krb5_ctx *krb5_ctx;
 
     pd = talloc_get_type(be_req->req_data, struct pam_data);
 
@@ -1166,6 +1181,13 @@ void krb5_auth_done(struct tevent_req *req)
         pd->pam_status = pam_status;
     }
 
+    krb5_ctx = get_krb5_ctx(be_req);
+    if (krb5_ctx == NULL) {
+        DEBUG(1, ("Kerberos context not available.\n"));
+    }
+
+    check_wait_queue(krb5_ctx, pd->user);
+
     krb_reply(be_req, dp_err, pd->pam_status);
 }
 
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index 2f08ad9cf..0d6318d12 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -66,6 +66,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
                                   struct pam_data *pd,
                                   struct krb5_ctx *krb5_ctx);
 int krb5_auth_recv(struct tevent_req *req, int *pam_status, int *dp_err);
+void krb5_auth_done(struct tevent_req *req);
 
 struct tevent_req *handle_child_send(TALLOC_CTX *mem_ctx,
                                      struct tevent_context *ev,
@@ -93,4 +94,9 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
                                     struct pam_data *pd,
                                     struct krb5_ctx *krb5_ctx);
 int krb5_access_recv(struct tevent_req *req, bool *access_allowed);
+
+/* krb5_wait_queue.c */
+errno_t add_to_wait_queue(struct be_req *be_req, struct pam_data *pd,
+                          struct krb5_ctx *krb5_ctx);
+void check_wait_queue(struct krb5_ctx *krb5_ctx, char *username);
 #endif /* __KRB5_AUTH_H__ */
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index a6fdd8b82..c65ff74bb 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -117,6 +117,8 @@ struct krb5_ctx {
     struct deferred_auth_ctx *deferred_auth_ctx;
     struct renew_tgt_ctx *renew_tgt_ctx;
     bool use_fast;
+
+    hash_table_t *wait_queue_hash;
 };
 
 struct remove_info_files_ctx {
diff --git a/src/providers/krb5/krb5_wait_queue.c b/src/providers/krb5/krb5_wait_queue.c
new file mode 100644
index 000000000..3863b1bdc
--- /dev/null
+++ b/src/providers/krb5/krb5_wait_queue.c
@@ -0,0 +1,209 @@
+/*
+    SSSD
+
+    Kerberos 5 Backend Module - Serialize the request of a user
+
+    Authors:
+        Sumit Bose <sbose@redhat.com>
+
+    Copyright (C) 2010 Red Hat
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <tevent.h>
+#include <dhash.h>
+
+#include "src/providers/krb5/krb5_auth.h"
+
+#define INIT_HASH_SIZE 5
+
+struct queue_entry {
+    struct queue_entry *prev;
+    struct queue_entry *next;
+
+    struct be_req *be_req;
+    struct pam_data *pd;
+    struct krb5_ctx *krb5_ctx;
+};
+
+static void wait_queue_auth(struct tevent_context *ev, struct tevent_timer *te,
+                             struct timeval current_time, void *private_data)
+{
+    struct queue_entry *queue_entry = talloc_get_type(private_data,
+                                                      struct queue_entry);
+    struct tevent_req *req;
+
+    req = krb5_auth_send(queue_entry->be_req, queue_entry->be_req->be_ctx->ev,
+                         queue_entry->be_req->be_ctx, queue_entry->pd,
+                         queue_entry->krb5_ctx);
+    if (req == NULL) {
+        DEBUG(1, ("krb5_auth_send failed.\n"));
+    } else {
+        tevent_req_set_callback(req, krb5_auth_done, queue_entry->be_req);
+    }
+
+    talloc_zfree(queue_entry);
+}
+
+static void wait_queue_del_cb(hash_entry_t *entry, hash_destroy_enum type,
+                              void *pvt)
+{
+    struct queue_entry *head;
+
+    if (entry->value.type == HASH_VALUE_PTR) {
+        head = talloc_get_type(entry->value.ptr, struct queue_entry);
+        talloc_zfree(head);
+        return;
+    }
+
+    DEBUG(1, ("Unexpected value type [%d].\n", entry->value.type));
+}
+
+errno_t add_to_wait_queue(struct be_req *be_req, struct pam_data *pd,
+                          struct krb5_ctx *krb5_ctx)
+{
+    int ret;
+    hash_key_t key;
+    hash_value_t value;
+    struct queue_entry *head;
+    struct queue_entry *queue_entry;
+
+    if (krb5_ctx->wait_queue_hash == NULL) {
+        ret = sss_hash_create_ex(krb5_ctx, INIT_HASH_SIZE,
+                                 &krb5_ctx->wait_queue_hash, 0, 0, 0, 0,
+                                 wait_queue_del_cb, NULL);
+        if (ret != EOK) {
+            DEBUG(1, ("sss_hash_create failed"));
+            return ret;
+        }
+    }
+
+    key.type = HASH_KEY_STRING;
+    key.str = pd->user;
+
+    ret = hash_lookup(krb5_ctx->wait_queue_hash, &key, &value);
+    switch (ret) {
+        case HASH_SUCCESS:
+            if (value.type != HASH_VALUE_PTR) {
+                DEBUG(1, ("Unexpected hash value type.\n"));
+                return EINVAL;
+            }
+
+            head = talloc_get_type(value.ptr, struct queue_entry);
+
+            queue_entry = talloc_zero(head, struct queue_entry);
+            if (queue_entry == NULL) {
+                DEBUG(1, ("talloc_zero failed.\n"));
+                return ENOMEM;
+            }
+
+            queue_entry->be_req = be_req;
+            queue_entry->pd = pd;
+            queue_entry->krb5_ctx = krb5_ctx;
+
+            DLIST_ADD_END(head, queue_entry, struct queue_entry *);
+
+            break;
+        case HASH_ERROR_KEY_NOT_FOUND:
+            value.type = HASH_VALUE_PTR;
+            head = talloc_zero(krb5_ctx->wait_queue_hash, struct queue_entry);
+            if (head == NULL) {
+                DEBUG(1, ("talloc_zero failed.\n"));
+                return ENOMEM;
+            }
+            value.ptr = head;
+
+            ret = hash_enter(krb5_ctx->wait_queue_hash, &key, &value);
+            if (ret != HASH_SUCCESS) {
+                DEBUG(1, ("hash_enter failed.\n"));
+                talloc_free(head);
+                return EIO;
+            }
+
+            break;
+        default:
+            DEBUG(1, ("hash_lookup failed.\n"));
+            return EIO;
+    }
+
+    if (head->next == NULL) {
+        return ENOENT;
+    } else {
+        return EOK;
+    }
+}
+
+void check_wait_queue(struct krb5_ctx *krb5_ctx, char *username)
+{
+    int ret;
+    hash_key_t key;
+    hash_value_t value;
+    struct queue_entry *head;
+    struct queue_entry *queue_entry;
+    struct tevent_timer *te;
+
+    if (krb5_ctx->wait_queue_hash == NULL) {
+        DEBUG(1, ("No wait queue available.\n"));
+        return;
+    }
+
+    key.type = HASH_KEY_STRING;
+    key.str = username;
+
+    ret = hash_lookup(krb5_ctx->wait_queue_hash, &key, &value);
+
+    switch (ret) {
+        case HASH_SUCCESS:
+            if (value.type != HASH_VALUE_PTR) {
+                DEBUG(1, ("Unexpected hash value type.\n"));
+                return;
+            }
+
+            head = talloc_get_type(value.ptr, struct queue_entry);
+
+            if (head->next == NULL) {
+                DEBUG(7, ("Wait queue for user [%s] is empty.\n", username));
+            } else {
+                queue_entry = head->next;
+
+                DLIST_REMOVE(head, queue_entry);
+
+                te = tevent_add_timer(queue_entry->be_req->be_ctx->ev, krb5_ctx,
+                                      tevent_timeval_current(), wait_queue_auth,
+                                      queue_entry);
+                if (te == NULL) {
+                    DEBUG(1, ("tevent_add_timer failed.\n"));
+                } else {
+                    return;
+                }
+            }
+
+            ret = hash_delete(krb5_ctx->wait_queue_hash, &key);
+            if (ret != HASH_SUCCESS) {
+                DEBUG(1, ("Failed to remove wait queue for user [%s].\n",
+                          username));
+            }
+
+            break;
+        case HASH_ERROR_KEY_NOT_FOUND:
+            DEBUG(1, ("No wait queue for user [%s] found.\n", username));
+            break;
+        default:
+            DEBUG(1, ("hash_lookup failed.\n"));
+    }
+
+    return;
+}
+