[Freeipa-devel] [RFC] Reload trust data in ipadb

Simo Sorce simo at redhat.com
Fri Oct 5 12:44:41 UTC 2012 

On Fri, 2012-10-05 at 13:32 +0200, Sumit Bose wrote:
> From f8726fe1c4a2ab71ada1297003e3dbe6068e4207 Mon Sep 17 00:00:00 2001
> From: Sumit Bose <sbose at redhat.com>
> Date: Fri, 5 Oct 2012 12:06:24 +0200
> Subject: [PATCH] ipadb: reload trust information if domain is not know
> 
> Currently the data about trusted domains is read once at startup. If a
> new trust is added the KDC must be restarted to know about the new
> trust. This patch reloads the trust data if there is a request from an
> unknown domain. To make DOS attacks a bit harder the data can be
> updated
> only once in a minute.
> ---
>  daemons/ipa-kdb/ipa_kdb_mspac.c | 44
> ++++++++++++++++++++++++++++++++---------
>  1 Datei geändert, 35 Zeilen hinzugefügt(+), 9 Zeilen entfernt(-)
> 
> diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
> b/daemons/ipa-kdb/ipa_kdb_mspac.c
> index
> b5346fed1230d02a88c94ab913507112990a1651..f0bd3bfe913705abd44efb08325f54521533637e 100644
> --- a/daemons/ipa-kdb/ipa_kdb_mspac.c
> +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
> @@ -40,6 +40,7 @@ struct ipadb_mspac {
>  
>      int num_trusts;
>      struct ipadb_adtrusts *trusts;
> +    time_t last_update;
>  };
>  
>  
> @@ -983,6 +984,8 @@ static struct ipadb_adtrusts
> *get_domain_from_realm(krb5_context context,
>      struct ipadb_context *ipactx;
>      struct ipadb_adtrusts *domain;
>      int i;
> +    krb5_error_code kerr;
> +    bool updated = false;

The name of this variable sounds backwards, should be called need_update
or similar.

>      ipactx = ipadb_get_context(context);
>      if (!ipactx) {
> @@ -993,17 +996,28 @@ static struct ipadb_adtrusts
> *get_domain_from_realm(krb5_context context,
>          return NULL;
>      }
>  
> -    for (i = 0; i < ipactx->mspac->num_trusts; i++) {
> -        domain = &ipactx->mspac->trusts[i];
> -        if (strlen(domain->domain_name) != realm.length) {
> -            continue;
> +    do {
> +        for (i = 0; i < ipactx->mspac->num_trusts; i++) {
> +            domain = &ipactx->mspac->trusts[i];
> +            if (strlen(domain->domain_name) != realm.length) {
> +                continue;
> +            }
> +            if (strncasecmp(domain->domain_name, realm.data,
> +                            realm.length) == 0) {
> +                return domain;
> +            }
>          }
> -        if (strncasecmp(domain->domain_name, realm.data,
> realm.length) == 0) {
> -            return domain;
> -        }
> -    }
>  
> -    return NULL;
> +        if (updated) {
> +            return NULL;
> +        } else {
> +            kerr = ipadb_reinit_mspac(ipactx);
> +            if (kerr != 0) {
> +                return NULL;
> +            }
> +            updated = true;
> +        }
> +    } while(1);
>  }

I do not think I like the do/while loop here, I would rather have
another function that wraps the current get_domain_from_realm() like:

static struct ipadb_adtrusts *get_domain_from_realm_update()
{
	dom = get_domain_from_realm();
	if (dom == NULL) {
		/* no dom, try to see if a new trust appeared */
		kerr = ipadb_reinit_mspac(ipactx);
		dom = get_domain_from_realm();
	}
	return dom;
}

This is clearer imo, and allows you to decide if you really want to
update or if you want to call the non-updating function later on, should
we need it.

>  static krb5_error_code filter_logon_info(krb5_context context,
> @@ -1550,6 +1564,16 @@ krb5_error_code ipadb_reinit_mspac(struct
> ipadb_context *ipactx)
>      struct dom_sid gsid;
>      char *resstr;
>      int ret;
> +    time_t now;
> +
> +    /* Do not update the mspac struct more than once a minute. This
> would
> +     * avoid heavy load on the directory server if there are lots of
> requests
> +     * from domains which we do not trust. */
> +    now = time(NULL);
> +    if (ipactx->mspac != NULL && now > ipactx->mspac->last_update &&
> +        (now - ipactx->mspac->last_update) < 60) {
> +        return 0;
> +    }
>  
>      /* clean up in case we had old values around */
>      ipadb_mspac_struct_free(&ipactx->mspac);
> @@ -1560,6 +1584,8 @@ krb5_error_code ipadb_reinit_mspac(struct
> ipadb_context *ipactx)
>          goto done;
>      }
>  
> +    ipactx->mspac->last_update = now;
> +
>      kerr = ipadb_simple_search(ipactx, ipactx->base,
> LDAP_SCOPE_SUBTREE,
>                                 "(objectclass=ipaNTDomainAttrs)",
> dom_attrs,
>                                  &result);

This part look fine, I wonder if we shouldn't make it even longer than 1
min.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list