From c0000a8cc9eccdf5cd8dd72fd6e9bc09d8c7cf00 Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: Tue, 10 Nov 2015 11:34:14 +0100
Subject: SUDO: do not imitate full refresh if usn is unknown in smart refresh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

USN value should be always known now if at least one full refresh was successful.

Reviewed-by: Jakub Hrozek
Reviewed-by: Lukáš Slebodník
---
 src/providers/ldap/sdap_async_sudo.c   | 23 ++++++++++++++++-------
 src/providers/ldap/sdap_sudo_refresh.c | 20 +++++++------------
 2 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
index bbc55a9ac..b8310275b 100644
--- a/src/providers/ldap/sdap_async_sudo.c
+++ b/src/providers/ldap/sdap_async_sudo.c
@@ -305,13 +305,24 @@ static void sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, char *usn)
     unsigned int usn_number;
     char *endptr = NULL;
 
-    if (usn == NULL) {
-        DEBUG(SSSDBG_TRACE_FUNC, "Empty USN, ignoring\n");
+    if (srv_opts == NULL) {
+        DEBUG(SSSDBG_TRACE_FUNC, "Bug: srv_opts is NULL\n");
         return;
     }
 
-    if (srv_opts == NULL) {
-        DEBUG(SSSDBG_TRACE_FUNC, "Bug: srv_opts is NULL\n");
+    if (usn == NULL) {
+        /* If the USN value is unknown and we don't have max_sudo_value set
+         * (possibly first full refresh which did not find any rule) we will
+         * set zero so smart refresh can pick up. */
+        if (srv_opts->max_sudo_value == NULL) {
+            srv_opts->max_sudo_value = talloc_strdup(srv_opts, "0");
+            if (srv_opts->max_sudo_value == NULL) {
+                DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");
+            }
+            return;
+        }
+
+        DEBUG(SSSDBG_TRACE_FUNC, "Empty USN, ignoring\n");
         return;
     }
 
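Review bot: The `Bug: srv_opts is NULL` message in the new `if (srv_opts == NULL)` block at the top of the hunk is logged at SSSDBG_TRACE_FUNC, which is hidden at default debug levels, so a programming error silently turns every USN update into a no-op and leaves max_sudo_value NULL, which — judging by the sdap_sudo_smart_refresh_send hunk in this same patch — keeps smart refresh permanently falling back to full refreshes. The talloc_strdup() failure a few lines below already uses SSSDBG_CRIT_FAILURE; `DEBUG(SSSDBG_CRIT_FAILURE, "Bug: srv_opts is NULL\n");` would make the two paths consistent and visible. The same silent degradation applies on the talloc_strdup() failure path, where max_sudo_value stays NULL after the `return;`, and is worth a line in the new block comment, e.g. `/* on allocation failure max_sudo_value stays NULL and the next smart refresh falls back to a full refresh */`. sdap_sudo_set_usn's body continues past the end of the hunk, where usn_number and endptr are presumably used.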
@@ -689,9 +700,7 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
     DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfuly stored in cache\n");
 
     /* remember new usn */
-    if (usn != NULL) {
-        sdap_sudo_set_usn(state->srv_opts, usn);
-    }
+    sdap_sudo_set_usn(state->srv_opts, usn);
 
     ret = EOK;
     state->num_rules = rules_count;
diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c
index 8c1323831..e3df8f1c5 100644
--- a/src/providers/ldap/sdap_sudo_refresh.c
+++ b/src/providers/ldap/sdap_sudo_refresh.c
@@ -182,7 +182,7 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
     }
 
     if (!sudo_ctx->full_refresh_done
-        && (srv_opts == NULL || srv_opts->max_sudo_value == 0)) {
+        || srv_opts == NULL || srv_opts->max_sudo_value == NULL) {
         /* Perform full refresh first */
         DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, "
                                  "waiting for full refresh!\n");
@@ -195,17 +195,11 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
 
     /* Download all rules from LDAP that are newer than usn */
     usn = srv_opts->max_sudo_value;
-    if (usn != NULL) {
-        search_filter = talloc_asprintf(state,
-                                        "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
-                                        map[SDAP_OC_SUDORULE].name,
-                                        map[SDAP_AT_SUDO_USN].name, usn,
-                                        map[SDAP_AT_SUDO_USN].name, usn);
-    } else {
-        /* no valid USN value known */
-        search_filter = talloc_asprintf(state, SDAP_SUDO_FILTER_CLASS,
-                                        map[SDAP_OC_SUDORULE].name);
-    }
+    search_filter = talloc_asprintf(state,
+                                    "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+                                    map[SDAP_OC_SUDORULE].name,
+                                    map[SDAP_AT_SUDO_USN].name, usn,
+                                    map[SDAP_AT_SUDO_USN].name, usn);
     if (search_filter == NULL) {
         ret = ENOMEM;
         goto immediately;
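Review bot: The `/* remember new usn */` comment above the now unguarded `sdap_sudo_set_usn(state->srv_opts, usn);` call no longer describes the NULL case, in which the callee (per the sdap_async_sudo.c hunk above) seeds max_sudo_value with "0" when nothing is known yet; a reader of sdap_sudo_refresh_done cannot see that side effect without opening the callee. Suggest `/* remember new usn; a NULL usn lets sdap_sudo_set_usn() seed max_sudo_value with "0" on a first refresh that found no rule */`. sdap_sudo_refresh_done starts before this hunk and continues after it.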
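Review bot: The now unconditional `talloc_asprintf` in the `@@ -195,17 +195,11 @@` hunk embeds usn verbatim into the LDAP filter at two positions, and with the old else-branch removed there is no path left that avoids the interpolation, so the filter's syntactic integrity rests entirely on what srv_opts->max_sudo_value holds. That is fine if the stored value is guaranteed to be a plain decimal string; the "0" seed in sdap_sudo_set_usn is, but this hunk cannot show how server-supplied values are validated before being stored. Either document the invariant at the assignment, e.g. `usn = srv_opts->max_sudo_value; /* validated decimal string, safe to embed in the filter */`, or run the value through sss_filter_sanitize() before building search_filter. sdap_sudo_smart_refresh_send starts before this hunk and continues after it.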
@@ -215,7 +209,7 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
      * sysdb_filter = NULL; */
 
     DEBUG(SSSDBG_TRACE_FUNC, "Issuing a smart refresh of sudo rules "
-                             "(USN > %s)\n", (usn == NULL ? "0" : usn));
+                             "(USN > %s)\n", usn);
 
     subreq = sdap_sudo_refresh_send(state, sudo_ctx, search_filter, NULL);
     if (subreq == NULL) {
-- cgit