From b442b82b4a4c80b9e7992b33eb008f4f0dea44e2 Mon Sep 17 00:00:00 2001 From: Tomas Halman Date: Sep 12 2019 09:16:34 +0000 Subject: extdom: plugin doesn't use timeout in blocking call Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout instead of sss_nss_getorigbyname Reviewed-By: Alexander Bokovoy --- diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h index d2937c8..05292cf 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h @@ -35,6 +35,9 @@ enum nss_status { NSS_STATUS_RETURN }; +/* default NSS operation timeout 10s (ipaExtdomMaxNssTimeout) */ +#define DEFAULT_MAX_NSS_TIMEOUT (10*1000) + /* NSS backend operations implemented using either nss_sss.so.2 or libsss_nss_idmap API */ struct nss_ops_ctx; @@ -42,6 +45,7 @@ int back_extdom_init_context(struct nss_ops_ctx **nss_context); void back_extdom_free_context(struct nss_ops_ctx **nss_context); void back_extdom_set_timeout(struct nss_ops_ctx *nss_context, unsigned int timeout); +unsigned int back_extdom_get_timeout(struct nss_ops_ctx *nss_context); void back_extdom_evict_user(struct nss_ops_ctx *nss_context, const char *name); void back_extdom_evict_group(struct nss_ops_ctx *nss_context, diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c index 55b1030..c29dc99 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c @@ -135,7 +135,7 @@ fail: } -/* Following three functions cannot be implemented with nss_sss.so.2 +/* Following four functions cannot be implemented with nss_sss.so.2 * As result, we simply do nothing here */ void back_extdom_set_timeout(struct nss_ops_ctx *nss_context, 
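Review bot: The new prototype `back_extdom_get_timeout` in back_extdom.h does not say what unit it returns or what happens with a NULL context, yet its result is passed directly into a timed lookup in ipa_extdom_common.c. The define added in the hunk above pairs "10s" with `(10*1000)`, so the unit is milliseconds. A comment on the declaration would record that, for example `/* Returns the NSS operation timeout in milliseconds, or DEFAULT_MAX_NSS_TIMEOUT when no context is set */`. Since the getter only reads the context, the parameter could also be `const struct nss_ops_ctx *nss_context`.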
@@ -143,6 +143,10 @@ void back_extdom_set_timeout(struct nss_ops_ctx *nss_context, /* no operation */ } +unsigned int back_extdom_get_timeout(struct nss_ops_ctx *nss_context) { + return DEFAULT_MAX_NSS_TIMEOUT; +} + void back_extdom_evict_user(struct nss_ops_ctx *nss_context, const char *name) { /* no operation */ @@ -288,4 +292,3 @@ enum nss_status back_extdom_getgrouplist(struct nss_ops_ctx *nss_context, return ret; } - diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c index 163e8e1..8064f87 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c @@ -111,6 +111,14 @@ void back_extdom_set_timeout(struct nss_ops_ctx *nss_context, nss_context->timeout = timeout; } +unsigned int back_extdom_get_timeout(struct nss_ops_ctx *nss_context) { + if (nss_context == NULL) { + return DEFAULT_MAX_NSS_TIMEOUT; + } + + return nss_context->timeout; +} + void back_extdom_evict_user(struct nss_ops_ctx *nss_context, const char *name) { if (nss_context == NULL) { @@ -272,4 +280,3 @@ enum nss_status back_extdom_getgrouplist(struct nss_ops_ctx *nss_context, } return __convert_sss_nss2nss_status(ret); } - diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index 81691ca..beb4eed 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h @@ -59,6 +59,7 @@ #include #include +#define IPA_389DS_PLUGIN_HELPER_CALLS #include #define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4" diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 92a7bea..853f49f 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
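Review bot: In the nss_sss.so.2 backend `back_extdom_get_timeout` always returns `DEFAULT_MAX_NSS_TIMEOUT`, and `back_extdom_set_timeout` just above it is a no-op, so a value configured through ipaExtdomMaxNssTimeout never reaches callers of the getter in this build. The block comment edited in the previous hunk still says these functions "simply do nothing", which no longer describes a function that returns a value. I would add `/* nss_sss.so.2 has no timeout support; always report the default */` inside the body and reword the block comment to match. If the timed libsss_nss_idmap call in ipa_extdom_common.c can be compiled together with this backend (not visible here), it will run with 10s regardless of configuration.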
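Review bot: In back_extdom_sss_idmap.c, `back_extdom_get_timeout` falls back to `DEFAULT_MAX_NSS_TIMEOUT` only for a NULL context. A context whose `timeout` field was never set, or was set to 0, is returned unchanged and ends up as the timeout of a blocking lookup. Whether `back_extdom_init_context` or the plugin's configuration code guarantees a non-zero value is outside this hunk. If it does, a short comment stating that invariant is enough; if not, `return nss_context->timeout != 0 ? nss_context->timeout : DEFAULT_MAX_NSS_TIMEOUT;` would keep an unset field from being passed on.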
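Review bot: In ipa_extdom.h, `#define IPA_389DS_PLUGIN_HELPER_CALLS` only has an effect if it comes before the first inclusion of the header it gates. The include names are lost in this rendering; presumably it is sss_nss_idmap.h, which declares the `_timeout` calls. A source file that pulls that header in before ipa_extdom.h would get no prototype for `sss_nss_getorigbyname_timeout`, because the header's include guard stops it being processed again. Passing `-DIPA_389DS_PLUGIN_HELPER_CALLS` in the plugin's build flags would remove the ordering dependency. Failing that, add a comment above the define such as `/* must precede the libsss_nss_idmap include: enables the *_timeout API */`.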
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -114,6 +114,13 @@ int __nss_to_err(enum nss_status errcode) } } +static int get_timeout(struct ipa_extdom_ctx *ctx) { + if (ctx == NULL || ctx->nss_ctx == NULL) { + return DEFAULT_MAX_NSS_TIMEOUT; + } + return back_extdom_get_timeout(ctx->nss_ctx); +} + int getpwnam_r_wrapper(struct ipa_extdom_ctx *ctx, const char *name, struct passwd *pwd, char **buf, size_t *buf_len) { @@ -1245,7 +1252,9 @@ static int handle_username_request(struct ipa_extdom_ctx *ctx, switch(ret) { case 0: if (request_type == REQ_FULL_WITH_GROUPS) { - ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type); + ret = sss_nss_getorigbyname_timeout(pwd.pw_name, + get_timeout(ctx), + &kv_list, &id_type); if (ret != 0 || !(id_type == SSS_ID_TYPE_UID || id_type == SSS_ID_TYPE_BOTH)) { set_err_msg(req, "Failed to read original data"); @@ -1334,7 +1343,10 @@ static int handle_groupname_request(struct ipa_extdom_ctx *ctx, } if (request_type == REQ_FULL_WITH_GROUPS) { - ret = sss_nss_getorigbyname(grp.gr_name, &kv_list, &id_type); + ret = sss_nss_getorigbyname_timeout(grp.gr_name, + get_timeout(ctx), + &kv_list, + &id_type); if (ret != 0 || !(id_type == SSS_ID_TYPE_GID || id_type == SSS_ID_TYPE_BOTH)) { if (ret == ENOENT) { diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c index 5f9714f..5d22f9f 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c @@ -42,7 +42,6 @@ #include "util.h" #define DEFAULT_MAX_NSS_BUFFER (128*1024*1024) -#define DEFAULT_MAX_NSS_TIMEOUT (10*1000) Slapi_PluginDesc ipa_extdom_plugin_desc = { IPA_EXTDOM_FEATURE_DESC,
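Review bot: The new helper `get_timeout` is declared `static int`, but it returns `DEFAULT_MAX_NSS_TIMEOUT` or the `unsigned int` result of `back_extdom_get_timeout`, and its value is used as the timeout argument of `sss_nss_getorigbyname_timeout`. The round trip through a signed type is unnecessary, and a large configured value would pass through an implementation-defined conversion. I would declare it `static unsigned int get_timeout(struct ipa_extdom_ctx *ctx)`. The opening brace on the signature line also differs from `getpwnam_r_wrapper` directly below, which puts it on its own line.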
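Review bot: In `handle_username_request`, a lookup that hits the new timeout is reported exactly like any other failure. The `ret != 0` branch after `sss_nss_getorigbyname_timeout` sets "Failed to read original data" whatever the cause. libsss_nss_idmap documents `ETIME` and `ETIMEDOUT` for its timed calls, so a slow or hung SSSD could be told apart from bad data, which matters when the timeout exists to keep directory server threads from blocking. Consider testing for those codes first, e.g. `if (ret == ETIME || ret == ETIMEDOUT) set_err_msg(req, "Timed out reading original data");`. The same applies to the `handle_groupname_request` hunk, where only `ENOENT` is singled out. Both function bodies continue outside the hunks, so the LDAP result finally returned is not visible here.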