From 2b11199d50c84f4d92c3eb3061ea76ef3f1ed08a Mon Sep 17 00:00:00 2001
From: Pavel Reichl
Date: Thu, 9 Apr 2015 10:08:51 -0400
Subject: [PATCH 02/11] PAM: refac. pam_reply: extract add_warning_about_expiration

Extracting add_warning_about_expiration() reduces length of pam_reply() and simplifies it by removing 2 local variables. Also move add_warning_about_expiration to more logical place (previously it was called after packet creation but before its setting).
Resolves: https://fedorahosted.org/sssd/ticket/2615
---
src/responder/pam/pamsrv_cmd.c | 86 +++++++++++++++++++++++++-----------------
1 file changed, 52 insertions(+), 34 deletions(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a6d7c12fa001c38c7e6ee8be4ab7ed57d2274161..b1454af0224b816df3d7c751b10ed18b2cd6b403 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -299,6 +299,49 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok, return EOK; } +static errno_t add_warning_about_expiration(struct pam_data *pd, + struct confdb_ctx *cdb) +{ + char* pam_account_expired_message; + int pam_verbosity; + errno_t ret; + + ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY, + &pam_verbosity); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to read PAM verbosity, not fatal.\n"); + pam_verbosity = DEFAULT_PAM_VERBOSITY; + } + + /* Account expiration warning is printed for sshd. If pam_verbosity + * is equal or above PAM_VERBOSITY_INFO then all services are informed + * about account expiration. + */ + if (pd->pam_status == PAM_ACCT_EXPIRED && + ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) || + pam_verbosity >= PAM_VERBOSITY_INFO)) { + + ret = confdb_get_string(cdb, pd, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "", + &pam_account_expired_message); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to get expiration message: %d:[%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + inform_user(pd, pam_account_expired_message); + } + + ret = EOK; + +done: + return ret; +} + static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd); static void pam_handle_cached_login(struct pam_auth_req *preq, int ret, time_t expire_date, time_t delayed_until, bool cached_auth); 
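Review bot: add_warning_about_expiration() reads CONFDB_PAM_VERBOSITY from confdb on every call, although the value is only used when pd->pam_status is PAM_ACCT_EXPIRED. Now that the check lives in its own function, an early guard at the top, `if (pd->pam_status != PAM_ACCT_EXPIRED) { return EOK; }`, would skip the lookup on the common path and reduce the remaining condition to the sshd/verbosity test. The new function also has no header comment; I would add `/* Queue the configured account-expired message for the client when the account is expired and the service is sshd or pam_verbosity >= PAM_VERBOSITY_INFO. */` above it. The message string appears to be allocated with pd as its memory context (second argument of confdb_get_string()), which is worth stating in that comment if confirmed.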
@@ -320,23 +363,12 @@ static void pam_reply(struct pam_auth_req *preq) uint32_t user_info_type; time_t exp_date = -1; time_t delay_until = -1; - char* pam_account_expired_message; char* pam_account_locked_message; - int pam_verbosity; pd = preq->pd; cctx = preq->cctx; pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); - ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY, - CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY, - &pam_verbosity); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Failed to read PAM verbosity, not fatal.\n"); - pam_verbosity = DEFAULT_PAM_VERBOSITY; - } - DEBUG(SSSDBG_FUNC_DATA, "pam_reply called with result [%d]: %s.\n", pd->pam_status, pam_strerror(NULL, pd->pam_status)); @@ -459,33 +491,13 @@ static void pam_reply(struct pam_auth_req *preq) return; } - ret = sss_packet_new(cctx->creq, 0, sss_packet_get_cmd(cctx->creq->in), - &cctx->creq->out); + ret = add_warning_about_expiration(pd, pctx->rctx->cdb); if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "warn_about_expiration failed: %d:[%s]\n", + ret, sss_strerror(ret)); goto done; } - /* Account expiration warning is printed for sshd. If pam_verbosity - * is equal or above PAM_VERBOSITY_INFO then all services are informed - * about account expiration. - */ - if (pd->pam_status == PAM_ACCT_EXPIRED && - ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) || - pam_verbosity >= PAM_VERBOSITY_INFO)) { - - ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY, - CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "", - &pam_account_expired_message); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Failed to get expiration message: %d:[%s].\n", - ret, sss_strerror(ret)); - goto done; - } - - inform_user(pd, pam_account_expired_message); - } - if (pd->account_locked) { ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY, 
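Review bot: The failure message added at the call site in pam_reply() (the `@@ -459,33 +491,13 @@` hunk) names `warn_about_expiration`, but the helper is called add_warning_about_expiration(), so a search for the function name will not find this log line. I would change it to `DEBUG(SSSDBG_MINOR_FAILURE, "add_warning_about_expiration failed: %d:[%s]\n",`. The helper already logs the same error code at the same level when confdb_get_string() fails, so one failure now produces two lines; one of the two could be dropped. pam_reply() starts and ends outside the hunk.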
@@ -501,6 +513,12 @@ static void pam_reply(struct pam_auth_req *preq) inform_user(pd, pam_account_locked_message); } + ret = sss_packet_new(cctx->creq, 0, sss_packet_get_cmd(cctx->creq->in), + &cctx->creq->out); + if (ret != EOK) { + goto done; + } + ret = filter_responses(pctx->rctx->cdb, pd->resp_list); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "filter_responses failed, not fatal.\n"); -- 2.4.11
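Review bot: Moving sss_packet_new() below the two message blocks means the `goto done` exits for a failed expiration-message or locked-message lookup are now taken before this function has allocated cctx->creq->out, whereas before they ran after it. The `done` label is outside the hunk, so I cannot see whether the reply path tolerates a missing out packet; please confirm, since a NULL packet reaching the send code in the PAM responder would turn a config read failure into a crash. If it does not tolerate that, these two lookups should continue without the message instead of `goto done`, or the packet should still be created first. A short comment above the moved call, e.g. `/* Create the reply packet only after all inform_user() messages are queued. */`, would also record why the order matters.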