Blob Blame History Raw
From f74b97860ec7c66df01ed2b719d29a138c958081 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 26 Nov 2018 13:44:08 +0100
Subject: [PATCH 19/23] SECRETS: Use different option names from secrets and
 KCM for quota options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Related:
https://pagure.io/SSSD/sssd/issue/3386

With the separate secrets responder, the quotas for the /secrets and
/kcm hives were configurable in a sub-section of the [secrets] sssd.conf
section using the same option -- the /secrets vs. /kcm distinction was
made using the subsection name.

With the standalone KCM responder writing directly to the database, it
makes sense to have options with more descriptive names better suitable
for the KCM usage. For that we need the options for secrets quotas and
kcm quotas to be named differently.

For now, the patch only passes the option name to sss_sec_get_quota()
and sss_sec_get_hive_config() together with the default value in an
instance of a new structure sss_sec_quota_opt. The secrets responder
still uses the same option names for backwards compatibility.

Reviewed-by: Michal Židek <mzidek@redhat.com>
---
 src/responder/secrets/secsrv.c | 70 ++++++++++++++++++++++++++--------
 src/util/secrets/config.c      | 40 +++++++++----------
 src/util/secrets/secrets.h     | 21 ++++++----
 3 files changed, 88 insertions(+), 43 deletions(-)

diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index 2de93dedc..e783e231d 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -47,6 +47,39 @@ static void adjust_global_quota(struct sec_ctx *sctx,
 static int sec_get_config(struct sec_ctx *sctx)
 {
     int ret;
+    struct sss_sec_quota_opt dfl_sec_nest_level = {
+        .opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL,
+        .default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
+    };
+    struct sss_sec_quota_opt dfl_sec_max_secrets = {
+        .opt_name = CONFDB_SEC_MAX_SECRETS,
+        .default_value = DEFAULT_SEC_MAX_SECRETS,
+    };
+    struct sss_sec_quota_opt dfl_sec_max_uid_secrets = {
+        .opt_name = CONFDB_SEC_MAX_UID_SECRETS,
+        .default_value = DEFAULT_SEC_MAX_UID_SECRETS,
+    };
+    struct sss_sec_quota_opt dfl_sec_max_payload_size = {
+        .opt_name = CONFDB_SEC_MAX_PAYLOAD_SIZE,
+        .default_value = DEFAULT_SEC_MAX_PAYLOAD_SIZE,
+    };
+
+    struct sss_sec_quota_opt dfl_kcm_nest_level = {
+        .opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL,
+        .default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
+    };
+    struct sss_sec_quota_opt dfl_kcm_max_secrets = {
+        .opt_name = CONFDB_SEC_MAX_SECRETS,
+        .default_value = DEFAULT_SEC_KCM_MAX_SECRETS,
+    };
+    struct sss_sec_quota_opt dfl_kcm_max_uid_secrets = {
+        .opt_name = CONFDB_SEC_MAX_UID_SECRETS,
+        .default_value = DEFAULT_SEC_KCM_MAX_UID_SECRETS,
+    };
+    struct sss_sec_quota_opt dfl_kcm_max_payload_size = {
+        .opt_name = CONFDB_SEC_MAX_PAYLOAD_SIZE,
+        .default_value = DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE,
+    };
 
     ret = confdb_get_int(sctx->rctx->cdb,
                          sctx->rctx->confdb_service_path,
@@ -65,15 +98,12 @@ static int sec_get_config(struct sec_ctx *sctx)
     sctx->max_payload_size = 1;
 
     /* Read the global quota first -- this should be removed in a future release */
-    /* Note that this sets the defaults for the sec_config quota to be used
-     * in sec_get_hive_config()
-     */
     ret = sss_sec_get_quota(sctx->rctx->cdb,
                             sctx->rctx->confdb_service_path,
-                            DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
-                            DEFAULT_SEC_MAX_SECRETS,
-                            DEFAULT_SEC_MAX_UID_SECRETS,
-                            DEFAULT_SEC_MAX_PAYLOAD_SIZE,
+                            &dfl_sec_nest_level,
+                            &dfl_sec_max_secrets,
+                            &dfl_sec_max_uid_secrets,
+                            &dfl_sec_max_payload_size,
                             &sctx->sec_config.quota);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE,
@@ -81,13 +111,23 @@ static int sec_get_config(struct sec_ctx *sctx)
         goto fail;
     }
 
+    /* Use the global quota values as defaults for the secrets/secrets section */
+    dfl_sec_nest_level.default_value = \
+                                sctx->sec_config.quota.containers_nest_level;
+    dfl_sec_max_secrets.default_value = \
+                                sctx->sec_config.quota.max_secrets;
+    dfl_sec_max_uid_secrets.default_value = \
+                                sctx->sec_config.quota.max_uid_secrets;
+    dfl_sec_max_payload_size.default_value = \
+                                sctx->sec_config.quota.max_payload_size;
+
     /* Read the per-hive configuration */
     ret = sss_sec_get_hive_config(sctx->rctx->cdb,
                                  "secrets",
-                                 sctx->sec_config.quota.containers_nest_level,
-                                 sctx->sec_config.quota.max_secrets,
-                                 sctx->sec_config.quota.max_uid_secrets,
-                                 sctx->sec_config.quota.max_payload_size,
+                                 &dfl_sec_nest_level,
+                                 &dfl_sec_max_secrets,
+                                 &dfl_sec_max_uid_secrets,
+                                 &dfl_sec_max_payload_size,
                                  &sctx->sec_config);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE,
@@ -98,10 +138,10 @@ static int sec_get_config(struct sec_ctx *sctx)
 
     ret = sss_sec_get_hive_config(sctx->rctx->cdb,
                                   "kcm",
-                                  DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
-                                  DEFAULT_SEC_KCM_MAX_SECRETS,
-                                  DEFAULT_SEC_KCM_MAX_UID_SECRETS,
-                                  DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE,
+                                  &dfl_kcm_nest_level,
+                                  &dfl_kcm_max_secrets,
+                                  &dfl_kcm_max_uid_secrets,
+                                  &dfl_kcm_max_payload_size,
                                   &sctx->kcm_config);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE,
diff --git a/src/util/secrets/config.c b/src/util/secrets/config.c
index cb286121f..f5dac0b21 100644
--- a/src/util/secrets/config.c
+++ b/src/util/secrets/config.c
@@ -24,10 +24,10 @@
 
 errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
                           const char *section_config_path,
-                          int default_max_containers_nest_level,
-                          int default_max_num_secrets,
-                          int default_max_num_uid_secrets,
-                          int default_max_payload,
+                          struct sss_sec_quota_opt *dfl_max_containers_nest_level,
+                          struct sss_sec_quota_opt *dfl_max_num_secrets,
+                          struct sss_sec_quota_opt *dfl_max_num_uid_secrets,
+                          struct sss_sec_quota_opt *dfl_max_payload,
                           struct sss_sec_quota *quota)
 {
     int ret;
@@ -38,8 +38,8 @@ errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
 
     ret = confdb_get_int(cdb,
                          section_config_path,
-                         CONFDB_SEC_CONTAINERS_NEST_LEVEL,
-                         default_max_containers_nest_level,
+                         dfl_max_containers_nest_level->opt_name,
+                         dfl_max_containers_nest_level->default_value,
                          &quota->containers_nest_level);
 
     if (ret != EOK) {
@@ -51,8 +51,8 @@ errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
 
     ret = confdb_get_int(cdb,
                          section_config_path,
-                         CONFDB_SEC_MAX_SECRETS,
-                         default_max_num_secrets,
+                         dfl_max_num_secrets->opt_name,
+                         dfl_max_num_secrets->default_value,
                          &quota->max_secrets);
 
     if (ret != EOK) {
@@ -64,8 +64,8 @@ errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
 
     ret = confdb_get_int(cdb,
                          section_config_path,
-                         CONFDB_SEC_MAX_UID_SECRETS,
-                         default_max_num_uid_secrets,
+                         dfl_max_num_uid_secrets->opt_name,
+                         dfl_max_num_uid_secrets->default_value,
                          &quota->max_uid_secrets);
 
     if (ret != EOK) {
@@ -77,8 +77,8 @@ errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
 
     ret = confdb_get_int(cdb,
                          section_config_path,
-                         CONFDB_SEC_MAX_PAYLOAD_SIZE,
-                         default_max_payload,
+                         dfl_max_payload->opt_name,
+                         dfl_max_payload->default_value,
                          &quota->max_payload_size);
 
     if (ret != EOK) {
@@ -93,10 +93,10 @@ errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
 
 errno_t sss_sec_get_hive_config(struct confdb_ctx *cdb,
                                 const char *hive_name,
-                                int default_max_containers_nest_level,
-                                int default_max_num_secrets,
-                                int default_max_num_uid_secrets,
-                                int default_max_payload,
+                                struct sss_sec_quota_opt *dfl_max_containers_nest_level,
+                                struct sss_sec_quota_opt *dfl_max_num_secrets,
+                                struct sss_sec_quota_opt *dfl_max_num_uid_secrets,
+                                struct sss_sec_quota_opt *dfl_max_payload,
                                 struct sss_sec_hive_config *hive_config)
 {
     int ret;
@@ -122,10 +122,10 @@ errno_t sss_sec_get_hive_config(struct confdb_ctx *cdb,
 
     ret = sss_sec_get_quota(cdb,
                             confdb_section,
-                            default_max_containers_nest_level,
-                            default_max_num_secrets,
-                            default_max_num_uid_secrets,
-                            default_max_payload,
+                            dfl_max_containers_nest_level,
+                            dfl_max_num_secrets,
+                            dfl_max_num_uid_secrets,
+                            dfl_max_payload,
                             &hive_config->quota);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h
index 01abfe542..31164bd86 100644
--- a/src/util/secrets/secrets.h
+++ b/src/util/secrets/secrets.h
@@ -47,6 +47,11 @@ struct sss_sec_ctx;
 
 struct sss_sec_req;
 
+struct sss_sec_quota_opt {
+    const char *opt_name;
+    int default_value;
+};
+
 struct sss_sec_quota {
     int max_secrets;
     int max_uid_secrets;
@@ -98,18 +103,18 @@ bool sss_sec_req_is_list(struct sss_sec_req *req);
 
 errno_t sss_sec_get_quota(struct confdb_ctx *cdb,
                           const char *section_config_path,
-                          int default_max_containers_nest_level,
-                          int default_max_num_secrets,
-                          int default_max_num_uid_secrets,
-                          int default_max_payload,
+                          struct sss_sec_quota_opt *dfl_max_containers_nest_level,
+                          struct sss_sec_quota_opt *dfl_max_num_secrets,
+                          struct sss_sec_quota_opt *dfl_max_num_uid_secrets,
+                          struct sss_sec_quota_opt *dfl_max_payload,
                           struct sss_sec_quota *quota);
 
 errno_t sss_sec_get_hive_config(struct confdb_ctx *cdb,
                                 const char *hive_name,
-                                int default_max_containers_nest_level,
-                                int default_max_num_secrets,
-                                int default_max_num_uid_secrets,
-                                int default_max_payload,
+                                struct sss_sec_quota_opt *dfl_max_containers_nest_level,
+                                struct sss_sec_quota_opt *dfl_max_num_secrets,
+                                struct sss_sec_quota_opt *dfl_max_num_uid_secrets,
+                                struct sss_sec_quota_opt *dfl_max_payload,
                                 struct sss_sec_hive_config *hive_config);
 
 #endif /* __SECRETS_H_ */
-- 
2.20.1