extdom: plugin doesn't use timeout in blocking call

Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout instead of sss_nss_getorigbyname Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
freeipa · Sep 12, 2019 · 20612db · 20612db
1 parent b182a96
commit 20612db
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 6 deletions.
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h
@@ -35,13 +35,17 @@ enum nss_status {
     NSS_STATUS_RETURN
 };
 
+/* default NSS operation timeout 10s (ipaExtdomMaxNssTimeout) */
+#define DEFAULT_MAX_NSS_TIMEOUT (10*1000)
+
 /* NSS backend operations implemented using either nss_sss.so.2 or libsss_nss_idmap API */
 struct nss_ops_ctx;
 
 int back_extdom_init_context(struct nss_ops_ctx **nss_context);
 void back_extdom_free_context(struct nss_ops_ctx **nss_context);
 void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,
                              unsigned int timeout);
+unsigned int back_extdom_get_timeout(struct nss_ops_ctx *nss_context);
 void back_extdom_evict_user(struct nss_ops_ctx *nss_context,
                             const char *name);
 void back_extdom_evict_group(struct nss_ops_ctx *nss_context,

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c
@@ -120,14 +120,18 @@ int back_extdom_init_context(struct nss_ops_ctx **nss_context)
 }
 
 
-/* Following three functions cannot be implemented with nss_sss.so.2
+/* Following four functions cannot be implemented with nss_sss.so.2
  * As result, we simply do nothing here */
 
 void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,
                              unsigned int timeout) {
         /* no operation */
 }
 
+unsigned int back_extdom_get_timeout(struct nss_ops_ctx *nss_context) {
+    return DEFAULT_MAX_NSS_TIMEOUT;
+}
+
 void back_extdom_evict_user(struct nss_ops_ctx *nss_context,
                             const char *name) {
         /* no operation */
@@ -273,4 +277,3 @@ enum nss_status back_extdom_getgrouplist(struct nss_ops_ctx *nss_context,
 
     return ret;
 }
-
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c
@@ -96,6 +96,14 @@ void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,
     nss_context->timeout = timeout;
 }
 
+unsigned int back_extdom_get_timeout(struct nss_ops_ctx *nss_context) {
+    if (nss_context == NULL) {
+        return DEFAULT_MAX_NSS_TIMEOUT;
+    }
+
+    return nss_context->timeout;
+}
+
 void back_extdom_evict_user(struct nss_ops_ctx *nss_context,
                             const char *name) {
     if (nss_context == NULL) {
@@ -257,4 +265,3 @@ enum nss_status back_extdom_getgrouplist(struct nss_ops_ctx *nss_context,
     }
     return __convert_sss_nss2nss_status(ret);
 }
-
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -59,6 +59,7 @@
 #include <lber.h>
 #include <time.h>
 
+#define IPA_389DS_PLUGIN_HELPER_CALLS
 #include <sss_nss_idmap.h>
 
 #define EXOP_EXTDOM_OID "2.16.840.1.113730.3.8.10.4"

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -114,6 +114,13 @@ int __nss_to_err(enum nss_status errcode)
     return -1;
 }
 
+static int get_timeout(struct ipa_extdom_ctx *ctx) {
+    if (ctx == NULL || ctx->nss_ctx == NULL) {
+        return DEFAULT_MAX_NSS_TIMEOUT;
+    }
+    return back_extdom_get_timeout(ctx->nss_ctx);
+}
+
 int getpwnam_r_wrapper(struct ipa_extdom_ctx *ctx, const char *name,
                        struct passwd *pwd, char **buf, size_t *buf_len)
 {
@@ -1245,7 +1252,9 @@ static int handle_username_request(struct ipa_extdom_ctx *ctx,
     switch(ret) {
     case 0:
         if (request_type == REQ_FULL_WITH_GROUPS) {
-            ret = sss_nss_getorigbyname(pwd.pw_name, &kv_list, &id_type);
+            ret = sss_nss_getorigbyname_timeout(pwd.pw_name,
+                                                get_timeout(ctx),
+                                                &kv_list, &id_type);
             if (ret != 0 || !(id_type == SSS_ID_TYPE_UID
                               || id_type == SSS_ID_TYPE_BOTH)) {
                 set_err_msg(req, "Failed to read original data");
@@ -1334,7 +1343,10 @@ static int handle_groupname_request(struct ipa_extdom_ctx *ctx,
     }
 
     if (request_type == REQ_FULL_WITH_GROUPS) {
-        ret = sss_nss_getorigbyname(grp.gr_name, &kv_list, &id_type);
+        ret = sss_nss_getorigbyname_timeout(grp.gr_name,
+                                            get_timeout(ctx),
+                                            &kv_list,
+                                            &id_type);
         if (ret != 0 || !(id_type == SSS_ID_TYPE_GID
                           || id_type == SSS_ID_TYPE_BOTH)) {
             if (ret == ENOENT) {

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
@@ -42,7 +42,6 @@
 #include "util.h"
 
 #define DEFAULT_MAX_NSS_BUFFER (128*1024*1024)
-#define DEFAULT_MAX_NSS_TIMEOUT (10*1000)
 
 Slapi_PluginDesc ipa_extdom_plugin_desc = {
     IPA_EXTDOM_FEATURE_DESC,