13 files changed, 83 insertions, 0 deletions

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2a1e58184..12beaabf8 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -226,6 +226,7 @@
 #define CONFDB_SEC_CONF_ENTRY "config/secrets"
 #define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level"
 #define CONFDB_SEC_MAX_SECRETS "max_secrets"
+#define CONFDB_SEC_MAX_PAYLOAD_SIZE "max_payload_size"
 
 
 struct confdb_ctx;
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 381ff9596..be09e8fbc 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -123,6 +123,7 @@ option_strings = {
     'provider': _('The provider where the secrets will be stored in'),
     'containers_nest_level': _('The maximum allowed number of nested containers'),
     'max_secrets': _('The maximum number of secrets that can be stored'),
+    'max_payload_size': _('The maximum payload size of a secret in kilobytes'),
     # secrets - proxy
     'proxy_url': _('The URL Custodia server is listening on'),
     'auth_type': _('The method to use when authenticating to a Custodia server'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 882a185d8..ec44bffdf 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -230,6 +230,7 @@ option = client_idle_timeout
 option = description
 option = containers_nest_level
 option = max_secrets
+option = max_payload_size
 
 [rule/allowed_sec_users_options]
 validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index be24bcea0..d59122896 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -100,6 +100,7 @@ user_attributes = str, None, false
 provider = str, None, false
 containers_nest_level = int, None, false
 max_secrets = int, None, false
+max_payload_size = int, None, false
 # Secrets service - proxy
 proxy_url = str, None, false
 auth_type = str, None, false
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
index 7ec54c267..80e9c4059 100644
--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
@@ -168,6 +168,18 @@ systemctl enable sssd-secrets.service
                 </para>
                 </listitem>
             </varlistentry>
+            <varlistentry>
+                <term>max_payload_size (integer)</term>
+                <listitem>
+                <para>
+                    This option specifies the maximum payload size allowed for
+                    a secret payload in kilobytes.
+                </para>
+                <para>
+                    Default: 16
+                </para>
+                </listitem>
+            </varlistentry>
         </variablelist>
         <para>
             The following options are only applicable for configurations that
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index f6c936f81..ed70193bc 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -31,6 +31,7 @@ struct local_context {
     struct sec_data master_key;
     int containers_nest_level;
     int max_secrets;
+    int max_payload_size;
 };
 
 static int local_decrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx,
@@ -450,6 +451,27 @@ done:
     return ret;
 }
 
+static int local_check_max_payload_size(struct local_context *lctx,
+                                        int payload_size)
+{
+    int max_payload_size;
+
+    max_payload_size = lctx->max_payload_size * 1024; /* kb */
+    if (payload_size > max_payload_size) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Secrets' payload size [%d kb (%d)] exceeds the maximum allowed "
+              "payload size [%d kb (%d)]\n",
+              payload_size * 1024, /* kb */
+              payload_size,
+              lctx->max_payload_size, /* kb */
+              max_payload_size);
+
+        return ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE;
+    }
+
+    return EOK;
+}
+
 static int local_db_put_simple(TALLOC_CTX *mem_ctx,
                                struct local_context *lctx,
                                const char *req_path,
@@ -492,6 +514,14 @@ static int local_db_put_simple(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
+    ret = local_check_max_payload_size(lctx, strlen(secret));
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "local_check_max_payload_size failed [%d]: %s\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
     ret = local_encrypt(lctx, msg, secret, enctype, &enc_secret);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
@@ -973,6 +1003,7 @@ int local_secrets_provider_handle(struct sec_ctx *sctx,
 
     lctx->containers_nest_level = sctx->containers_nest_level;
     lctx->max_secrets = sctx->max_secrets;
+    lctx->max_payload_size = sctx->max_payload_size;
 
     lctx->master_key.data = talloc_size(lctx, MKEY_SIZE);
     if (!lctx->master_key.data) return ENOMEM;
diff --git a/src/responder/secrets/providers.c b/src/responder/secrets/providers.c
index 5f4b0fcc8..eba555d2e 100644
--- a/src/responder/secrets/providers.c
+++ b/src/responder/secrets/providers.c
@@ -178,6 +178,8 @@ static struct sec_http_status_format_table {
       "The request cannot be accepted." },
     { 409, "Conflict",
       "The requested resource already exists." },
+    { 413, "Payload Too Large",
+      "The secret payload is too large." },
     { 500, "Internal Server Error",
       "The server encountered an internal error." },
     { 504, "Gateway timeout",
@@ -352,6 +354,8 @@ enum sec_http_status_codes sec_errno_to_http_status(errno_t err)
         return STATUS_406;
     case EEXIST:
         return STATUS_409;
+    case ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE:
+        return STATUS_413;
     case ERR_SEC_NO_PROXY:
         return STATUS_504;
     case ERR_SEC_INVALID_TOO_MANY_SECRETS:
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index 4c0824bb5..09b0d2251 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -31,6 +31,7 @@
 #define DEFAULT_SEC_FD_LIMIT 2048
 #define DEFAULT_SEC_CONTAINERS_NEST_LEVEL 4
 #define DEFAULT_SEC_MAX_SECRETS 1024
+#define DEFAULT_SEC_MAX_PAYLOAD_SIZE 16
 
 static int sec_get_config(struct sec_ctx *sctx)
 {
@@ -71,6 +72,18 @@ static int sec_get_config(struct sec_ctx *sctx)
         goto fail;
     }
 
+    ret = confdb_get_int(sctx->rctx->cdb,
+                         sctx->rctx->confdb_service_path,
+                         CONFDB_SEC_MAX_PAYLOAD_SIZE,
+                         DEFAULT_SEC_MAX_PAYLOAD_SIZE,
+                         &sctx->max_payload_size);
+
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "Failed to get payload's maximum size for an entry\n");
+        goto fail;
+    }
+
     ret = confdb_get_int(sctx->rctx->cdb, sctx->rctx->confdb_service_path,
                          CONFDB_RESPONDER_CLI_IDLE_TIMEOUT,
                          CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT,
diff --git a/src/responder/secrets/secsrv.h b/src/responder/secrets/secsrv.h
index 972d34265..3d23c405b 100644
--- a/src/responder/secrets/secsrv.h
+++ b/src/responder/secrets/secsrv.h
@@ -40,6 +40,7 @@ struct sec_ctx {
     int fd_limit;
     int containers_nest_level;
     int max_secrets;
+    int max_payload_size;
 
     struct provider_handle **providers;
 };
diff --git a/src/responder/secrets/secsrv_private.h b/src/responder/secrets/secsrv_private.h
index 4129fe60b..1c3fbd8ea 100644
--- a/src/responder/secrets/secsrv_private.h
+++ b/src/responder/secrets/secsrv_private.h
@@ -46,6 +46,7 @@ enum sec_http_status_codes {
     STATUS_405,
     STATUS_406,
     STATUS_409,
+    STATUS_413,
     STATUS_500,
     STATUS_504,
     STATUS_507,
diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
index 09a91e073..7a9de1aec 100644
--- a/src/tests/intg/test_secrets.py
+++ b/src/tests/intg/test_secrets.py
@@ -87,6 +87,7 @@ def setup_for_secrets(request):
 
         [secrets]
         max_secrets = 10
+        max_payload_size = 2
     """).format(**locals())
 
     create_conf_fixture(request, conf)
@@ -155,6 +156,20 @@ def test_crd_ops(setup_for_secrets, secrets_cli):
     for x in xrange(MAX_SECRETS):
         cli.del_secret(str(x))
 
+    # Don't allow storing a secrets which has a payload larger
+    # than max_payload_size
+    KILOBYTE = 1024
+    MAX_PAYLOAD_SIZE = 2 * KILOBYTE
+
+    sec_value = "x" * MAX_PAYLOAD_SIZE
+
+    cli.set_secret("foo", sec_value)
+
+    sec_value += "x"
+    with pytest.raises(HTTPError) as err413:
+        cli.set_secret("bar", sec_value)
+    assert str(err413.value).startswith("413")
+
 
 def test_containers(setup_for_secrets, secrets_cli):
     """
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index db5130ca4..88ebf4e30 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -101,6 +101,7 @@ struct err_string error_to_str[] = {
     { "The maximum level of nested containers has been reached" }, /* ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL */
     { "No proxy server for secrets available"}, /* ERR_SEC_NO_PROXY */
     { "The maximum number of stored secrets has been reached" }, /* ERR_SEC_INVALID_TOO_MANY_SECRETS */
+    { "The secret payload size is too large" }, /* ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE */
     { "ERR_LAST" } /* ERR_LAST */
 };
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 3690b7e72..525983f21 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -123,6 +123,7 @@ enum sssd_errors {
     ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL,
     ERR_SEC_NO_PROXY,
     ERR_SEC_INVALID_TOO_MANY_SECRETS,
+    ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE,
     ERR_LAST            /* ALWAYS LAST */
 };