From 4a311702045b065a97a0c0fc0ccc7a1fc84b38cf Mon Sep 17 00:00:00 2001 From: Fabiano Fidêncio Date: Aug 28 2017 18:42:27 +0000 Subject: DESKPROFILE: Add ipa_deskprofile_request_interval This option has been added to avoid contacting the Data Provider when no rules were found in the previous request. By adding this configurable option we avoid contacting the Data Provider too often in the case described above and also when the server doesn't support Desktop Profile's integration. Resolves: https://pagure.io/SSSD/sssd/issue/3482 Signed-off-by: Fabiano Fidêncio Reviewed-by: Pavel Březina Reviewed-by: Jakub Hrozek --- diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 2a19b60..8c56e4e 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -220,6 +220,7 @@ option_strings = { 'ipa_group_override_object_class': _("Objectclass for group override objects"), 'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"), 'ipa_deskprofile_refresh': _("The amount of time in seconds between lookups of the Desktop Profile rules against the IPA server"), + 'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles rules against the IPA server when the last request did not find any rule"), # [provider/ad] 'ad_domain' : _('Active Directory domain'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 3ebd39e..ae60c73 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -440,6 +440,7 @@ option = ipa_anchor_uuid option = ipa_automount_location option = ipa_backup_server option = ipa_deskprofile_refresh +option = ipa_deskprofile_request_interval option = ipa_deskprofile_search_base option = ipa_domain option = ipa_dyndns_iface diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index 8178b12..ab9634c 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf 
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -195,6 +195,7 @@ ldap_autofs_search_base = str, None, false [provider/ipa/session] ipa_deskprofile_refresh = int, None, false +ipa_deskprofile_request_interval = int, None, false ipa_host_object_class = str, None, false ipa_host_name = str, None, false ipa_host_fqdn = str, None, false diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 4d1c3c8..4cf0714 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -477,6 +477,20 @@ + ipa_deskprofile_request_interval (integer) + + + The amount of time between lookups of the Desktop + Profile rules against the IPA server in case the + last request did not return any rule. + + + Default: 60 (minutes) + + + + + ipa_hbac_refresh (integer) diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 5b3507c..5197a9a 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -58,6 +58,7 @@ enum ipa_basic_opt { IPA_KRB5_CONFD_PATH, IPA_DESKPROFILE_SEARCH_BASE, IPA_DESKPROFILE_REFRESH, + IPA_DESKPROFILE_REQUEST_INTERVAL, IPA_OPTS_BASIC /* opts counter */ }; diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c index 4836445..09b78f7 100644 --- a/src/providers/ipa/ipa_opts.c +++ b/src/providers/ipa/ipa_opts.c @@ -50,6 +50,7 @@ struct dp_option ipa_basic_opts[] = { { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING }, { "ipa_deskprofile_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ipa_deskprofile_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, + { "ipa_deskprofile_request_interval", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }, DP_OPTION_TERMINATOR }; diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c index 7adf8b6..8559284 100644 --- a/src/providers/ipa/ipa_session.c +++ b/src/providers/ipa/ipa_session.c 
@@ -42,6 +42,8 @@ #define SSS_FLEETCOMMANDERCLIENT_PATH "/org/freedesktop/FleetCommanderClient" #define SSS_FLEETCOMMANDERCLIENT_IFACE "org.freedesktop.FleetCommanderClient" +#define MINUTE_IN_SECONDS 60 + struct ipa_fetch_deskprofile_state { struct tevent_context *ev; struct be_ctx *be_ctx; @@ -80,6 +82,8 @@ ipa_fetch_deskprofile_send(TALLOC_CTX *mem_ctx, struct tevent_req *req; time_t now; time_t refresh_interval; + time_t request_interval; + time_t next_request; bool offline; errno_t ret; @@ -122,13 +126,34 @@ ipa_fetch_deskprofile_send(TALLOC_CTX *mem_ctx, goto immediately; } + now = time(NULL); + + request_interval = dp_opt_get_int(state->ipa_options, + IPA_DESKPROFILE_REQUEST_INTERVAL); + /* This value is in minutes ... */ + request_interval *= MINUTE_IN_SECONDS; + + if (state->session_ctx->no_rules_found && + now < session_ctx->last_request + request_interval) { + next_request = (session_ctx->last_request + request_interval - now); + /* This value is in seconds ... */ + next_request /= 60; + DEBUG(SSSDBG_TRACE_FUNC, + "No rules were found in the last request.\n" + "Next request will happen in any login after %"PRIu64" minutes\n", + next_request); + ret = ENOENT; + goto immediately; + } + + state->session_ctx->no_rules_found = false; + offline = be_is_offline(be_ctx); DEBUG(SSSDBG_TRACE_ALL, "Connection status is [%s].\n", offline ? "offline" : "online"); refresh_interval = dp_opt_get_int(state->ipa_options, IPA_DESKPROFILE_REFRESH); - now = time(NULL); if (offline || now < session_ctx->last_update + refresh_interval) { DEBUG(SSSDBG_TRACE_FUNC, @@ -540,6 +565,10 @@ ipa_pam_session_handler_done(struct tevent_req *subreq) if (ret == ENOENT) { DEBUG(SSSDBG_IMPORTANT_INFO, "No Desktop Profile rules found\n"); + if (!state->session_ctx->no_rules_found) { + state->session_ctx->no_rules_found = true; + state->session_ctx->last_request = time(NULL); + } state->pd->pam_status = PAM_SUCCESS; goto done; } else if (ret != EOK) { 
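Review bot: The DEBUG call added in the `no_rules_found` branch prints `next_request`, which is a `time_t`, with `%"PRIu64"`. The two types are not guaranteed to match, so where `time_t` is not a 64-bit type the variadic argument is read with the wrong width; passing `(uint64_t) next_request` keeps the format valid everywhere. The same branch divides by a literal `60` although this commit introduces `MINUTE_IN_SECONDS`, so `next_request /= MINUTE_IN_SECONDS;` would keep the two conversions symmetric. The value from `dp_opt_get_int()` is multiplied and added to `last_request` with no range check in the visible code, so a negative setting silently disables the back-off unless it is rejected somewhere outside this diff. The body of ipa_fetch_deskprofile_send starts and ends outside the hunk.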
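Review bot: The `if (!state->session_ctx->no_rules_found)` guard added to the ENOENT branch of ipa_pam_session_handler_done has no comment, and its purpose only becomes clear after reading ipa_fetch_deskprofile_send(). It appears to be there so that an ENOENT produced by the back-off itself does not move `last_request` forward and extend the quiet period. A comment such as `/* Stamp only the first miss; ENOENT returned by the request-interval back-off must not restart the timer. */` would record that. The enclosing function starts and ends outside the hunk.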
@@ -550,6 +579,8 @@ ipa_pam_session_handler_done(struct tevent_req *subreq) goto done; } + state->session_ctx->last_request = time(NULL); + hostname = dp_opt_get_string(state->session_ctx->ipa_options, IPA_HOSTNAME); ret = ipa_pam_session_handler_save_deskprofile_rules(state->be_ctx, state->be_ctx->domain, diff --git a/src/providers/ipa/ipa_session.h b/src/providers/ipa/ipa_session.h index aac9984..0c4d54f 100644 --- a/src/providers/ipa/ipa_session.h +++ b/src/providers/ipa/ipa_session.h @@ -31,6 +31,8 @@ struct ipa_session_ctx { struct sdap_id_ctx *sdap_ctx; struct dp_option *ipa_options; time_t last_update; + time_t last_request; + bool no_rules_found; struct sdap_attr_map *host_map; struct sdap_attr_map *hostgroup_map;
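Review bot: `state->session_ctx->last_request = time(NULL);` on the success path looks like it has no effect. In the visible hunks `last_request` is only read while `no_rules_found` is true, and the ENOENT branch overwrites it at the moment it sets that flag. Unless something outside this diff reads the field, either drop the assignment or say what relies on it, for example `/* last_request tracks every completed server lookup, not only misses */`. The enclosing function continues outside the hunk.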
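Review bot: The `last_request` and `no_rules_found` fields added to `struct ipa_session_ctx` carry no comment, although they hold state that outlives a single request. Because they sit in the context rather than in the per-request state, one lookup that finds no rules presumably suppresses lookups for every later login until the interval expires; the debug message in ipa_session.c does say "any login". A rule published on the server in that window would then not be applied. I would note this next to the fields, e.g. `/* time of the first miss or of the last completed lookup */` and `/* last lookup found no rules; consulted for every login until the interval expires */`. The allocation of the context is outside this diff, so it is worth confirming both fields start zeroed; the struct also continues past the hunk.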