From 3882325ff60f89d0c312e9519bdfd1351978fd73 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 25 Sep 2012 04:29:29 -0400 Subject: SSH: Expire hosts in known_hosts --- src/db/sysdb.c | 7 ++++ src/db/sysdb_private.h | 5 ++- src/db/sysdb_ssh.c | 72 ++++++++++++++++++++++++++++++++++++++-- src/db/sysdb_ssh.h | 9 +++++ src/db/sysdb_upgrade.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 179 insertions(+), 3 deletions(-) (limited to 'src/db') diff --git a/src/db/sysdb.c b/src/db/sysdb.c index 1e5e8ada1..25ff67506 100644 --- a/src/db/sysdb.c +++ b/src/db/sysdb.c @@ -1103,6 +1103,13 @@ int sysdb_domain_init_internal(TALLOC_CTX *mem_ctx, } } + if (strcmp(version, SYSDB_VERSION_0_12) == 0) { + ret = sysdb_upgrade_12(sysdb, &version); + if (ret != EOK) { + goto done; + } + } + /* The version should now match SYSDB_VERSION. * If not, it means we didn't match any of the * known older versions. The DB might be diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h index 8c9aea5bf..bde4c6038 100644 --- a/src/db/sysdb_private.h +++ b/src/db/sysdb_private.h @@ -23,6 +23,7 @@ #ifndef __INT_SYS_DB_H__ #define __INT_SYS_DB_H__ +#define SYSDB_VERSION_0_13 "0.13" #define SYSDB_VERSION_0_12 "0.12" #define SYSDB_VERSION_0_11 "0.11" #define SYSDB_VERSION_0_10 "0.10" @@ -36,7 +37,7 @@ #define SYSDB_VERSION_0_2 "0.2" #define SYSDB_VERSION_0_1 "0.1" -#define SYSDB_VERSION SYSDB_VERSION_0_12 +#define SYSDB_VERSION SYSDB_VERSION_0_13 #define SYSDB_BASE_LDIF \ "dn: @ATTRIBUTES\n" \ @@ -62,6 +63,7 @@ "@IDXATTR: servicePort\n" \ "@IDXATTR: serviceProtocol\n" \ "@IDXATTR: sudoUser\n" \ + "@IDXATTR: sshKnownHostsExpire\n" \ "@IDXONE: 1\n" \ "\n" \ "dn: @MODULES\n" \ @@ -108,6 +110,7 @@ int sysdb_upgrade_08(struct sysdb_ctx *sysdb, const char **ver); int sysdb_upgrade_09(struct sysdb_ctx *sysdb, const char **ver); int sysdb_upgrade_10(struct sysdb_ctx *sysdb, const char **ver); int sysdb_upgrade_11(struct sysdb_ctx *sysdb, const char **ver); +int sysdb_upgrade_12(struct sysdb_ctx *sysdb, const char **ver); int add_string(struct ldb_message *msg, int flags, const char *attr, const char *value); diff --git a/src/db/sysdb_ssh.c b/src/db/sysdb_ssh.c index 48d54a44a..47969bb58 100644 --- a/src/db/sysdb_ssh.c +++ b/src/db/sysdb_ssh.c @@ -176,6 +176,52 @@ done: return ret; } +errno_t +sysdb_update_ssh_known_host_expire(struct sysdb_ctx *sysdb, + const char *name, + time_t now, + int known_hosts_timeout) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + struct sysdb_attrs *attrs; + + DEBUG(SSSDBG_TRACE_FUNC, + ("Updating known_hosts expire time of host %s\n", name)); + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + attrs = sysdb_new_attrs(tmp_ctx); + if (!attrs) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_SSH_KNOWN_HOSTS_EXPIRE, + now + known_hosts_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("Could not set known_hosts expire time [%d]: %s\n", + ret, strerror(ret))); + goto done; + } + + ret = sysdb_update_ssh_host(sysdb, name, attrs); + if (ret != EOK) { + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + errno_t sysdb_delete_ssh_host(struct sysdb_ctx *sysdb, const char *name) @@ -275,10 +321,32 @@ done: errno_t sysdb_get_ssh_known_hosts(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, + time_t now, const char **attrs, struct ldb_message ***hosts, size_t *num_hosts) { - return sysdb_search_ssh_hosts(mem_ctx, sysdb, NULL, attrs, - hosts, num_hosts); + TALLOC_CTX *tmp_ctx; + errno_t ret; + const char *filter; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + filter = talloc_asprintf(tmp_ctx, "(%s>=%ld)", + SYSDB_SSH_KNOWN_HOSTS_EXPIRE, (long)now); + if (!filter) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_ssh_hosts(mem_ctx, sysdb, filter, attrs, + hosts, num_hosts); + +done: + talloc_free(tmp_ctx); + + return ret; } diff --git a/src/db/sysdb_ssh.h b/src/db/sysdb_ssh.h index 49de66ec5..9a5159e18 100644 --- a/src/db/sysdb_ssh.h +++ b/src/db/sysdb_ssh.h @@ -27,6 +27,8 @@ #define SYSDB_SSH_HOST_OC "sshHost" +#define SYSDB_SSH_KNOWN_HOSTS_EXPIRE "sshKnownHostsExpire" + errno_t sysdb_store_ssh_host(struct sysdb_ctx *sysdb, const char *name, @@ -34,6 +36,12 @@ sysdb_store_ssh_host(struct sysdb_ctx *sysdb, time_t now, struct sysdb_attrs *attrs); +errno_t +sysdb_update_ssh_known_host_expire(struct sysdb_ctx *sysdb, + const char *name, + time_t now, + int known_hosts_timeout); + errno_t sysdb_delete_ssh_host(struct sysdb_ctx *sysdb, const char *name); @@ -48,6 +56,7 @@ sysdb_get_ssh_host(TALLOC_CTX *mem_ctx, errno_t sysdb_get_ssh_known_hosts(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, + time_t now, const char **attrs, struct ldb_message ***hosts, size_t *num_hosts); diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c index 87abd3505..83ef83d3c 100644 --- a/src/db/sysdb_upgrade.c +++ b/src/db/sysdb_upgrade.c @@ -1450,3 +1450,92 @@ done: talloc_free(tmp_ctx); return ret; } + +int sysdb_upgrade_12(struct sysdb_ctx *sysdb, const char **ver) +{ + TALLOC_CTX *tmp_ctx; + int ret; + struct ldb_message *msg; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + DEBUG(SSSDBG_CRIT_FAILURE, + ("UPGRADING DB TO VERSION %s\n", SYSDB_VERSION_0_13)); + + ret = ldb_transaction_start(sysdb->ldb); + if (ret != LDB_SUCCESS) { + ret = EIO; + goto done; + } + + /* add new indexes */ + msg = ldb_msg_new(tmp_ctx); + if (!msg) { + ret = ENOMEM; + goto done; + } + msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, "@INDEXLIST"); + if (!msg->dn) { + ret = ENOMEM; + goto done; + } + + /* add index for sshKnownHostsExpire */ + ret = ldb_msg_add_empty(msg, "@IDXATTR", LDB_FLAG_MOD_ADD, NULL); + if (ret != LDB_SUCCESS) { + ret = ENOMEM; + goto done; + } + + ret = ldb_msg_add_string(msg, "@IDXATTR", "sshKnownHostsExpire"); + if (ret != LDB_SUCCESS) { + ret = ENOMEM; + goto done; + } + + ret = ldb_modify(sysdb->ldb, msg); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); + goto done; + } + + /* conversion done, upgrade version number */ + msg = ldb_msg_new(tmp_ctx); + if (!msg) { + ret = ENOMEM; + goto done; + } + msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, SYSDB_BASE); + if (!msg->dn) { + ret = ENOMEM; + goto done; + } + + ret = ldb_msg_add_empty(msg, "version", LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { + ret = ENOMEM; + goto done; + } + + ret = ldb_msg_add_string(msg, "version", SYSDB_VERSION_0_13); + if (ret != LDB_SUCCESS) { + ret = ENOMEM; + goto done; + } + + ret = ldb_modify(sysdb->ldb, msg); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); + goto done; + } + + ret = EOK; + +done: + ret = finish_upgrade(ret, sysdb->ldb, SYSDB_VERSION_0_13, ver); + talloc_free(tmp_ctx); + return ret; +} -- cgit