author | Jakub Hrozek <jhrozek@redhat.com> | 2017-05-30 12:31:57 +0200 |
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-09-01 20:25:52 +0200 |
commit | 7a162ca3ea0bf8ef6b13795a00baa28d17f6131d (patch) | |
tree | 885f80ddf4624612e7dd474c197769f8acce0a5c /src/responder | |
parent | 9ef185255126b9ed415fa334f585a11c5be4fb1a (diff) | |
SECRETS: Store quotas in a per-hive configuration structure
Adds two new structures to hold the quotas and associate a quota with a hive.
This is just an internal change for now, but will allow us to read quota
configuration from per-hive sections later.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/secrets/local.c | 21 | ||||
-rw-r--r-- | src/responder/secrets/secsrv.c | 6 | ||||
-rw-r--r-- | src/responder/secrets/secsrv.h | 17 |
3 files changed, 26 insertions, 18 deletions
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index 66401ef50..0b879939f 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -34,9 +34,8 @@ struct local_context {
 struct ldb_context *ldb;
 struct sec_data master_key;
- int containers_nest_level;
- int max_secrets;
- int max_payload_size;
+
+ struct sec_quota *quota_secrets;
 };
 static int local_decrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx,
@@ -398,11 +397,11 @@ static int local_db_check_containers_nest_level(struct local_context *lctx,
 /* We need do not care for the synthetic containers that constitute the
 * base path (cn=<uidnumber>,cn=user,cn=secrets). */
 nest_level = ldb_dn_get_comp_num(leaf_dn) - 3;
- if (nest_level > lctx->containers_nest_level) {
+ if (nest_level > lctx->quota_secrets->containers_nest_level) {
 DEBUG(SSSDBG_OP_FAILURE,
 "Cannot create a nested container of depth %d as the maximum"
 "allowed number of nested containers is %d.\n",
- nest_level, lctx->containers_nest_level);
+ nest_level, lctx->quota_secrets->containers_nest_level);
 return ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL;
 }
@@ -430,10 +429,10 @@ static int local_db_check_number_of_secrets(TALLOC_CTX *mem_ctx,
 ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
 attrs, LOCAL_SIMPLE_FILTER);
- if (res->count >= lctx->max_secrets) {
+ if (res->count >= lctx->quota_secrets->max_secrets) {
 DEBUG(SSSDBG_OP_FAILURE,
 "Cannot store any more secrets as the maximum allowed limit (%d) "
- "has been reached\n", lctx->max_secrets);
+ "has been reached\n", lctx->quota_secrets->max_secrets);
 ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
 goto done;
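Review bot: The new `quota_secrets` member of `struct local_context` is a bare pointer with nothing saying who owns the `struct sec_quota` it points at; from the later hunk in this file it is aimed at `&sctx->sec_config.quota`, so it is non-owning and only valid while the `sec_ctx` lives. A one-line comment on the field would keep a later maintainer from freeing it or from assuming the values are a private copy: `struct sec_quota *quota_secrets; /* non-owning; points into sctx->sec_config.quota, which must outlive lctx */`. The struct's opening line is visible only in the hunk header, and the struct is otherwise unchanged.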
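Review bot: The rewritten `if (res->count >= lctx->quota_secrets->max_secrets)` still dereferences `res` without looking at the `ret` that `ldb_search()` returned on the line just above, so a failed search (unreadable database, bad DN) reads an unset or NULL `res` instead of failing the store. A check belongs between the two calls, e.g. `if (ret != LDB_SUCCESS) { ret = EIO; goto done; }`, using whatever mapping from ldb errors to errno the rest of local.c already applies. The problem predates this commit, but the commit rewrites that exact line; the function's start and its `done:` label are outside the hunk.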
@@ -451,14 +450,14 @@ static int local_check_max_payload_size(struct local_context *lctx,
 {
 int max_payload_size;
- max_payload_size = lctx->max_payload_size * 1024; /* kb */
+ max_payload_size = lctx->quota_secrets->max_payload_size * 1024; /* kb */
 if (payload_size > max_payload_size) {
 DEBUG(SSSDBG_OP_FAILURE,
 "Secrets' payload size [%d kb (%d)] exceeds the maximum allowed "
 "payload size [%d kb (%d)]\n",
 payload_size * 1024, /* kb */
 payload_size,
- lctx->max_payload_size, /* kb */
+ lctx->quota_secrets->max_payload_size, /* kb */
 max_payload_size);
 return ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE;
@@ -1019,9 +1018,7 @@ int local_secrets_provider_handle(struct sec_ctx *sctx,
 return EIO;
 }
- lctx->containers_nest_level = sctx->containers_nest_level;
- lctx->max_secrets = sctx->max_secrets;
- lctx->max_payload_size = sctx->max_payload_size;
+ lctx->quota_secrets = &sctx->sec_config.quota;
 lctx->master_key.data = talloc_size(lctx, MKEY_SIZE);
 if (!lctx->master_key.data) return ENOMEM;
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index ae2a658ae..e3a8c1476 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -52,7 +52,7 @@ static int sec_get_config(struct sec_ctx *sctx)
 sctx->rctx->confdb_service_path,
 CONFDB_SEC_CONTAINERS_NEST_LEVEL,
 DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
- &sctx->containers_nest_level);
+ &sctx->sec_config.quota.containers_nest_level);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE,
@@ -64,7 +64,7 @@ static int sec_get_config(struct sec_ctx *sctx)
 sctx->rctx->confdb_service_path,
 CONFDB_SEC_MAX_SECRETS,
 DEFAULT_SEC_MAX_SECRETS,
- &sctx->max_secrets);
+ &sctx->sec_config.quota.max_secrets);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE,
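Review bot: `max_payload_size = lctx->quota_secrets->max_payload_size * 1024;` is a plain `int` multiply of an administrator-configured value with no range check, so a configured value above INT_MAX / 1024 is signed overflow (undefined behaviour) and a negative value makes `payload_size > max_payload_size` reject every store; the value should be validated where it is read, rejecting anything outside 0..INT_MAX / 1024, which is in sec_get_config and outside this hunk. The DEBUG call in the same block also logs `payload_size * 1024` under the "%d kb" slot, yet `payload_size` is compared against a limit that was just converted from kilobytes to bytes, so the logged "kb" figure is bytes times 1024; it should read `payload_size / 1024, /* kb */`. The function continues past the end of the hunk.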
@@ -76,7 +76,7 @@ static int sec_get_config(struct sec_ctx *sctx)
 sctx->rctx->confdb_service_path,
 CONFDB_SEC_MAX_PAYLOAD_SIZE,
 DEFAULT_SEC_MAX_PAYLOAD_SIZE,
- &sctx->max_payload_size);
+ &sctx->sec_config.quota.max_payload_size);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE,
diff --git a/src/responder/secrets/secsrv.h b/src/responder/secrets/secsrv.h
index 1aad272da..629b027f6 100644
--- a/src/responder/secrets/secsrv.h
+++ b/src/responder/secrets/secsrv.h
@@ -30,12 +30,23 @@
 #include <tevent.h>
 #include <ldb.h>
+struct sec_quota {
+ int max_secrets;
+ int max_payload_size;
+ int containers_nest_level;
+};
+
+struct sec_hive_config {
+ const char *confdb_section;
+
+ struct sec_quota quota;
+};
+
 struct sec_ctx {
 struct resp_ctx *rctx;
 int fd_limit;
- int containers_nest_level;
- int max_secrets;
- int max_payload_size;
+
+ struct sec_hive_config sec_config;
 struct provider_handle **providers;
 }; |
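Review bot: `struct sec_quota` and `struct sec_hive_config` are introduced without any comments, and the units are not self-evident: local.c multiplies `max_payload_size` by 1024 with a `/* kb */` remark, so that field is in kilobytes while `max_secrets` is an entry count and `containers_nest_level` a depth below the synthetic per-user base DN. Suggest field comments such as `int max_payload_size; /* kilobytes; local.c scales by 1024 */` and `int containers_nest_level; /* max container depth below the per-user base DN */`. `confdb_section` is declared but never assigned anywhere in this commit, so a note that it is reserved for the per-hive configuration the commit message promises, together with who owns the string (presumably talloc'd under the sec_ctx; confirm), would help whoever writes the follow-up.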