From 6e52969c0dc8ac0dfb81e800bd2ef5228b8fea29 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 Jan 2010 10:26:50 +0100
Subject: Add sysdb request to authenticate against a cached password

The code for authentication against a cached password is moved from the
pam responder to a generic sysdb tevent request. The new code can be
used by other components of sssd to verify passwords on their own.

Tests for the sysdb_cache_password and sysdb_cache_auth request are
added and some unneeded or unused code and variables are removed.
---
 server/responder/pam/pamsrv_cmd.c | 62 ++++++++++++++++++++++++++++++++-------
 1 file changed, 51 insertions(+), 11 deletions(-)

(limited to 'server/responder/pam/pamsrv_cmd.c')

diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c
index 69cbf55d8..ca41d6419 100644
--- a/server/responder/pam/pamsrv_cmd.c
+++ b/server/responder/pam/pamsrv_cmd.c
@@ -465,13 +465,14 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
     pam_reply(preq);
 }
 
+static void pam_cache_auth_done(struct tevent_req *req);
+
 static void pam_reply(struct pam_auth_req *preq)
 {
     struct cli_ctx *cctx;
     uint8_t *body;
     size_t blen;
     int ret;
-    int err = EOK;
     int32_t resp_c;
     int32_t resp_size;
     struct response_data *resp;
@@ -479,6 +480,9 @@ static void pam_reply(struct pam_auth_req *preq)
     struct timeval tv;
     struct tevent_timer *te;
     struct pam_data *pd;
+    struct tevent_req *req;
+    struct sysdb_ctx *sysdb;
+    struct pam_ctx *pctx;
 
     pd = preq->pd;
 
@@ -492,14 +496,25 @@ static void pam_reply(struct pam_auth_req *preq)
         if (pd->pam_status == PAM_AUTHINFO_UNAVAIL) {
             /* do auth with offline credentials */
             pd->offline_auth = true;
-            preq->callback = pam_reply;
-            ret = pam_cache_auth(preq);
-            if (ret == EOK) {
-                return;
+
+            ret = sysdb_get_ctx_from_list(preq->cctx->rctx->db_list,
+                                          preq->domain, &sysdb);
+            if (ret != EOK) {
+                DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
+                goto done;
             }
-            else {
+
+            pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
+            req = sysdb_cache_auth_send(preq, preq->cctx->ev, sysdb,
+                                        preq->domain, pd->user, pd->authtok,
+                                        pd->authtok_size, pctx->rctx->cdb);
+            if (req == NULL) {
                 DEBUG(1, ("Failed to setup offline auth"));
                 /* this error is not fatal, continue */
+            } else {
+                tevent_req_set_callback(req, pam_cache_auth_done, preq);
+                return;
             }
         }
     }
@@ -521,7 +536,6 @@ static void pam_reply(struct pam_auth_req *preq)
         if (ret != EOK) {
             DEBUG(1, ("gettimeofday failed [%d][%s].\n",
                       errno, strerror(errno)));
-            err = ret;
             goto done;
         }
         tv.tv_sec += pd->response_delay;
@@ -531,7 +545,6 @@ static void pam_reply(struct pam_auth_req *preq)
         te = tevent_add_timer(cctx->ev, cctx, tv, pam_reply_delay, preq);
         if (te == NULL) {
             DEBUG(1, ("Failed to add event pam_reply_delay.\n"));
-            err = ENOMEM;
             goto done;
         }
 
@@ -547,7 +560,6 @@ static void pam_reply(struct pam_auth_req *preq)
         NEED_CHECK_PROVIDER(preq->domain->provider)) {
         ret = set_last_login(preq);
         if (ret != EOK) {
-            err = ret;
             goto done;
         }
 
@@ -557,7 +569,6 @@ static void pam_reply(struct pam_auth_req *preq)
     ret = sss_packet_new(cctx->creq, 0, sss_packet_get_cmd(cctx->creq->in),
                          &cctx->creq->out);
     if (ret != EOK) {
-        err = ret;
         goto done;
     }
 
@@ -580,7 +591,6 @@ static void pam_reply(struct pam_auth_req *preq)
                                            resp_c * 2* sizeof(int32_t) +
                                            resp_size);
     if (ret != EOK) {
-        err = ret;
         goto done;
     }
 
@@ -610,6 +620,36 @@ done:
     sss_cmd_done(cctx, preq);
 }
 
+static void pam_cache_auth_done(struct tevent_req *req)
+{
+    int ret;
+    struct pam_auth_req *preq = tevent_req_callback_data(req,
+                                                         struct pam_auth_req);
+
+    ret = sysdb_cache_auth_recv(req);
+    talloc_zfree(req);
+
+    switch (ret) {
+        case EOK:
+            preq->pd->pam_status = PAM_SUCCESS;
+            break;
+        case ENOENT:
+            preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+            break;
+        case EINVAL:
+            preq->pd->pam_status = PAM_AUTH_ERR;
+            break;
+        case EACCES:
+            preq->pd->pam_status = PAM_PERM_DENIED;
+            break;
+        default:
+            preq->pd->pam_status = PAM_SYSTEM_ERR;
+    }
+
+    pam_reply(preq);
+    return;
+}
+
 static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
                                        const char *err_msg, void *ptr);
 static void pam_check_user_callback(void *ptr, int status,
-- 
cgit