From 0ca6cb46f6b312f09fd4b6cff9abaecb4f134588 Mon Sep 17 00:00:00 2001
From: Pavel Reichl
Date: Thu, 9 Apr 2015 10:08:51 -0400
Subject: [PATCH 02/12] PAM: refac. pam_reply: extract add_warning_about_expiration
Extracting add_warning_about_expiration() reduces length of pam_reply() and simplifies it by removing 2 local variables. Also move add_warning_about_expiration to more logical place (previously it was called after packet creation but before its setting). Resolves: https://fedorahosted.org/sssd/ticket/2615
---
 src/responder/pam/pamsrv_cmd.c | 86 +++++++++++++++++++++++++-----------------
 1 file changed, 52 insertions(+), 34 deletions(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 3ac743e3316263990ce3a80ed8e0ef8fdb6c8ae8..32152a02f95d7d520f3fc1f60350c9b610b946fa 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -299,6 +299,49 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
 return EOK;
 }
+static errno_t add_warning_about_expiration(struct pam_data *pd,
+ struct confdb_ctx *cdb)
+{
+ char* pam_account_expired_message;
+ int pam_verbosity;
+ errno_t ret;
+
+ ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read PAM verbosity, not fatal.\n");
+ pam_verbosity = DEFAULT_PAM_VERBOSITY;
+ }
+
+ /* Account expiration warning is printed for sshd. If pam_verbosity
+ * is equal or above PAM_VERBOSITY_INFO then all services are informed
+ * about account expiration.
+ */
+ if (pd->pam_status == PAM_ACCT_EXPIRED &&
+ ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) ||
+ pam_verbosity >= PAM_VERBOSITY_INFO)) {
+
+ ret = confdb_get_string(cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "",
+ &pam_account_expired_message);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to get expiration message: %d:[%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ inform_user(pd, pam_account_expired_message);
+ }
+
+ ret = EOK;
+
+done:
+ return ret;
+}
+
 static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
 static void pam_handle_cached_login(struct pam_auth_req *preq, int ret, time_t expire_date, time_t delayed_until, bool cached_auth);
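Review bot: add_warning_about_expiration() reads CONFDB_PAM_VERBOSITY through confdb_get_int() on every call, although the value is only consulted when `pd->pam_status == PAM_ACCT_EXPIRED`; a guard at the top, `if (pd->pam_status != PAM_ACCT_EXPIRED) return EOK;`, would skip the lookup and its "not fatal" failure log for every other reply. The helper also has no header comment; I would add one saying that it queues the configured account-expired message via inform_user() for sshd, or for every service once pam_verbosity reaches PAM_VERBOSITY_INFO, and that a non-EOK return means the message could not be read from confdb. `pam_account_expired_message` is used only inside the inner block and could be declared there, initialised to NULL.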
@@ -321,24 +364,13 @@ static void pam_reply(struct pam_auth_req *preq)
 uint32_t user_info_type;
 time_t exp_date = -1;
 time_t delay_until = -1;
- char* pam_account_expired_message;
 char* pam_account_locked_message;
- int pam_verbosity;
 pd = preq->pd;
 cctx = preq->cctx;
 pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
 prctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol);
- ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
- CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
- &pam_verbosity);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to read PAM verbosity, not fatal.\n");
- pam_verbosity = DEFAULT_PAM_VERBOSITY;
- }
-
 DEBUG(SSSDBG_FUNC_DATA, "pam_reply called with result [%d]: %s.\n", pd->pam_status, pam_strerror(NULL, pd->pam_status));
@@ -461,33 +493,13 @@ static void pam_reply(struct pam_auth_req *preq)
 return;
 }
- ret = sss_packet_new(prctx->creq, 0, sss_packet_get_cmd(prctx->creq->in),
- &prctx->creq->out);
+ ret = add_warning_about_expiration(pd, pctx->rctx->cdb);
 if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "warn_about_expiration failed: %d:[%s]\n",
+ ret, sss_strerror(ret));
 goto done;
 }
- /* Account expiration warning is printed for sshd. If pam_verbosity
- * is equal or above PAM_VERBOSITY_INFO then all services are informed
- * about account expiration.
- */
- if (pd->pam_status == PAM_ACCT_EXPIRED &&
- ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) ||
- pam_verbosity >= PAM_VERBOSITY_INFO)) {
-
- ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
- CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "",
- &pam_account_expired_message);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Failed to get expiration message: %d:[%s].\n",
- ret, sss_strerror(ret));
- goto done;
- }
-
- inform_user(pd, pam_account_expired_message);
- }
-
 if (pd->account_locked) {
 ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
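Review bot: In the `@@ -461,33 +493,13 @@` hunk, the `goto done` taken when add_warning_about_expiration() fails now runs before sss_packet_new(), which the last hunk moves below the account-locked block, so `done:` is reached without this call having allocated `prctx->creq->out`. The `done:` label and the account-locked error handling are outside the hunk; please confirm that path copes with a missing output packet for these earlier exits, as it presumably already had to when sss_packet_new() itself failed. The new DEBUG text also says `warn_about_expiration`, while the function is named `add_warning_about_expiration`; `"add_warning_about_expiration failed: %d:[%s]\n"` keeps log searches accurate.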
@@ -503,6 +515,12 @@ static void pam_reply(struct pam_auth_req *preq)
 inform_user(pd, pam_account_locked_message);
 }
+ ret = sss_packet_new(prctx->creq, 0, sss_packet_get_cmd(prctx->creq->in),
+ &prctx->creq->out);
+ if (ret != EOK) {
+ goto done;
+ }
+
 ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "filter_responses failed, not fatal.\n");
-- 
2.7.4