authorJakub Hrozek <jhrozek@redhat.com>2017-06-05 16:10:55 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2017-09-01 20:26:45 +0200
commit6b3bab516355fdf4cc81e6da9d87ec3818ab190f (patch)
tree8fb272ba1af45101d095bf36b20aab78d2c7f7c1 /src/tests
parent0558f270b3fbb0780e2a94602d455022b89f5381 (diff)
SECRETS: Add a new option to control per-UID limits
Adds a new option max_uid_secrets that allows setting a limit on the number of secrets for this particular client, so that the user cannot starve other users. Resolves: https://pagure.io/SSSD/sssd/issue/3363 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Diffstat (limited to 'src/tests')
-rw-r--r--src/tests/intg/test_secrets.py46
1 files changed, 46 insertions, 0 deletions
diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
index bb94ffb47..957a0a8ff 100644
--- a/src/tests/intg/test_secrets.py
+++ b/src/tests/intg/test_secrets.py
@@ -499,3 +499,49 @@ def test_sec_quota(setup_for_secrets_quota, secrets_cli):
# Don't allow storing more secrets after reaching the max
# number of entries.
run_quota_test(cli, 10, 2)
+
+
+@pytest.fixture
+def setup_for_uid_limit(request):
+ conf = unindent("""\
+ [sssd]
+ domains = local
+ services = nss
+
+ [domain/local]
+ id_provider = local
+
+ [secrets]
+
+ [secrets/secrets]
+ max_secrets = 10
+ max_uid_secrets = 5
+ """).format(**locals())
+
+ create_conf_fixture(request, conf)
+ create_sssd_secrets_fixture(request)
+ return None
+
+
+def test_per_uid_limit(setup_for_uid_limit, secrets_cli):
+ """
+ Test that per-UID limits are enforced even if the global limit would still
+ allow to store more secrets
+ """
+ cli = secrets_cli
+
+ # Don't allow storing more secrets after reaching the max
+ # number of entries.
+ MAX_UID_SECRETS = 5
+
+ sec_value = "value"
+ for i in range(MAX_UID_SECRETS):
+ cli.set_secret(str(i), sec_value)
+
+ with pytest.raises(HTTPError) as err507:
+ cli.set_secret(str(MAX_UID_SECRETS), sec_value)
+ assert str(err507.value).startswith("507")
+
+ # FIXME - at this point, it would be nice to test that another UID can
+ # still store secrets, but sadly socket_wrapper doesn't allow us to fake
+ # UIDs yet
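Review bot: The per-UID limit is written twice, as `max_uid_secrets = 5` in the setup_for_uid_limit config and as `MAX_UID_SECRETS = 5` inside test_per_uid_limit, while the fixture's `.format(**locals())` has no placeholder to fill. Hoisting the constant to module level and writing the config line as `max_uid_secrets = {MAX_UID_SECRETS}` with `.format(MAX_UID_SECRETS=MAX_UID_SECRETS)` would tie the boundary the test probes to the value the service is configured with. The comment above the constant repeats the one from test_sec_quota; something like `# Per-UID limit (5) is below max_secrets (10), so the 507 must come from the per-UID check` would explain why this test exercises the new option. The test also stops at the first rejection, so it does not show that quota is released once a secret is removed; a follow-up store after deleting one entry would cover that accounting path.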