From 8b6c25fac519043ffdc5c179a6717095d452168e Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Mon, 17 Oct 2022 16:50:11 +1000
Subject: [PATCH] Fix pam unix sock timeouts (#1132)
---
 kanidm_unix_int/nss_kanidm/src/lib.rs | 12 ++++++------
 kanidm_unix_int/pam_kanidm/src/lib.rs | 6 +++---
 kanidm_unix_int/src/client_sync.rs | 18 +++++------------
 kanidm_unix_int/src/daemon.rs | 2 +-
 kanidm_unix_int/src/daemon_status.rs | 2 +-
 kanidm_unix_int/src/unix_config.rs | 4 ++++
 6 files changed, 20 insertions(+), 24 deletions(-)
diff --git a/kanidm_unix_int/nss_kanidm/src/lib.rs b/kanidm_unix_int/nss_kanidm/src/lib.rs
index 84cea4273..896500d48 100644
--- a/kanidm_unix_int/nss_kanidm/src/lib.rs
+++ b/kanidm_unix_int/nss_kanidm/src/lib.rs
@@ -36,7 +36,7 @@ impl PasswdHooks for KanidmPasswd {
 }
 };
 let req = ClientRequest::NssAccounts;
- call_daemon_blocking(cfg.sock_path.as_str(), &req)
+ call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
 .map(|r| match r {
 ClientResponse::NssAccounts(l) => l.into_iter().map(passwd_from_nssuser).collect(),
 _ => Vec::new(),
@@ -54,7 +54,7 @@ impl PasswdHooks for KanidmPasswd {
 }
 };
 let req = ClientRequest::NssAccountByUid(uid);
- call_daemon_blocking(cfg.sock_path.as_str(), &req)
+ call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
 .map(|r| match r {
 ClientResponse::NssAccount(opt) => opt
 .map(passwd_from_nssuser)
@@ -74,7 +74,7 @@ impl PasswdHooks for KanidmPasswd {
 }
 };
 let req = ClientRequest::NssAccountByName(name);
- call_daemon_blocking(cfg.sock_path.as_str(), &req)
+ call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
 .map(|r| match r {
 ClientResponse::NssAccount(opt) => opt
 .map(passwd_from_nssuser)
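Review bot: Every NSS lookup in these hooks now waits up to `cfg.unix_sock_timeout` seconds on a stalled daemon rather than the fixed 2 s the removed `TIMEOUT` constant imposed (see the `client_sync.rs` hunk: `Duration::from_secs`), and unlike the PAM calls these run inside any process that resolves a uid, gid or name. It is worth confirming that the doubled `conn_timeout` is really the bound wanted for NSS, or documenting the trade-off at the call, e.g. `// unix_sock_timeout is in seconds; a hung unixd blocks this lookup for that long`. The enclosing hook methods start and end outside the hunk.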
@@ -99,7 +99,7 @@ impl GroupHooks for KanidmGroup {
 }
 };
 let req = ClientRequest::NssGroups;
- call_daemon_blocking(cfg.sock_path.as_str(), &req)
+ call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
 .map(|r| match r {
 ClientResponse::NssGroups(l) => l.into_iter().map(group_from_nssgroup).collect(),
 _ => Vec::new(),
@@ -117,7 +117,7 @@ impl GroupHooks for KanidmGroup {
 }
 };
 let req = ClientRequest::NssGroupByGid(gid);
- call_daemon_blocking(cfg.sock_path.as_str(), &req)
+ call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
 .map(|r| match r {
 ClientResponse::NssGroup(opt) => opt
 .map(group_from_nssgroup)
@@ -137,7 +137,7 @@ impl GroupHooks for KanidmGroup {
 }
 };
 let req = ClientRequest::NssGroupByName(name);
- call_daemon_blocking(cfg.sock_path.as_str(), &req)
+ call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
 .map(|r| match r {
 ClientResponse::NssGroup(opt) => opt
 .map(group_from_nssgroup)
diff --git a/kanidm_unix_int/pam_kanidm/src/lib.rs b/kanidm_unix_int/pam_kanidm/src/lib.rs
index f473e51ca..4e4e9e826 100644
--- a/kanidm_unix_int/pam_kanidm/src/lib.rs
+++ b/kanidm_unix_int/pam_kanidm/src/lib.rs
@@ -95,7 +95,7 @@ impl PamHooks for PamKanidm {
 let req = ClientRequest::PamAccountAllowed(account_id);
 
 // PamResultCode::PAM_IGNORE
- match call_daemon_blocking(cfg.sock_path.as_str(), &req) {
+ match call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout) {
 Ok(r) => match r {
 ClientResponse::PamStatus(Some(true)) => {
 if opts.debug {
@@ -215,7 +215,7 @@ impl PamHooks for PamKanidm {
 };
 
 let req = ClientRequest::PamAuthenticate(account_id, authtok);
- match call_daemon_blocking(cfg.sock_path.as_str(), &req) {
+ match call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout) {
 Ok(r) => match r {
 ClientResponse::PamStatus(Some(true)) => {
 // println!("PAM_SUCCESS");
@@ -306,7 +306,7 @@ impl PamHooks for PamKanidm {
 };
 
 let req = ClientRequest::PamAccountBeginSession(account_id);
- match call_daemon_blocking(cfg.sock_path.as_str(), &req) {
+ match call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout) {
 Ok(ClientResponse::Ok) => {
 // println!("PAM_SUCCESS");
 PamResultCode::PAM_SUCCESS
diff --git a/kanidm_unix_int/src/client_sync.rs b/kanidm_unix_int/src/client_sync.rs
index 42d2261e6..5557a636e 100644
--- a/kanidm_unix_int/src/client_sync.rs
+++ b/kanidm_unix_int/src/client_sync.rs
@@ -5,23 +5,16 @@ use std::time::{Duration, SystemTime};
 
 use crate::unix_proto::{ClientRequest, ClientResponse};
 
-const TIMEOUT: u64 = 2000;
-
 pub fn call_daemon_blocking(
 path: &str,
 req: &ClientRequest,
+ timeout: u64,
 ) -> Result> {
+ let timeout = Duration::from_secs(timeout);
+
 let mut stream = UnixStream::connect(path)
- .and_then(|socket| {
- socket
- .set_read_timeout(Some(Duration::from_millis(TIMEOUT)))
- .map(|_| socket)
- })
- .and_then(|socket| {
- socket
- .set_write_timeout(Some(Duration::from_millis(TIMEOUT)))
- .map(|_| socket)
- })
+ .and_then(|socket| socket.set_read_timeout(Some(timeout)).map(|_| socket))
+ .and_then(|socket| socket.set_write_timeout(Some(timeout)).map(|_| socket))
 .map_err(|e| {
 error!("stream setup error -> {:?}", e);
 e
@@ -45,7 +38,6 @@ pub fn call_daemon_blocking(
 
 // Now wait on the response.
 let start = SystemTime::now();
- let timeout = Duration::from_millis(TIMEOUT);
 let mut read_started = false;
 let mut data = Vec::with_capacity(1024);
 let mut counter = 0;
diff --git a/kanidm_unix_int/src/daemon.rs b/kanidm_unix_int/src/daemon.rs
index 1290e2aaa..f6d05fa70 100644
--- a/kanidm_unix_int/src/daemon.rs
+++ b/kanidm_unix_int/src/daemon.rs
@@ -727,7 +727,7 @@ async fn main() {
 
 tokio::spawn(async move {
 if let Err(e) = handle_client(socket, cachelayer_ref.clone(), &tc_tx).await {
- error!("an error occured; error = {:?}", e);
+ error!("handle_client error occured; error = {:?}", e);
 }
 });
 }
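Review bot: In the `client_sync.rs` hunk, `let timeout = Duration::from_secs(timeout);` feeds straight into `set_read_timeout(Some(timeout))` and `set_write_timeout(Some(timeout))`, and std returns `Err(InvalidInput)` from both when the duration is zero; since `unix_config.rs` in this same patch derives `unix_sock_timeout` as `conn_timeout * 2`, a `conn_timeout = 0` in the config turns every PAM and NSS call into an immediate `stream setup error` instead of a long wait or a sane default. The unit also changed silently from the old 2000 ms constant to whole seconds read from config, which the parameter does not say. Suggest `let timeout = Duration::from_secs(timeout.max(1));` with a doc line on the parameter such as `/// Socket read/write timeout in seconds; 0 is clamped to 1 s because std rejects a zero timeout.` The rest of `call_daemon_blocking`, including the read loop that now reuses this `timeout`, continues outside the hunk.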
diff --git a/kanidm_unix_int/src/daemon_status.rs b/kanidm_unix_int/src/daemon_status.rs
index b8370b85e..4f626a720 100644
--- a/kanidm_unix_int/src/daemon_status.rs
+++ b/kanidm_unix_int/src/daemon_status.rs
@@ -51,7 +51,7 @@ fn main() {
 cfg.sock_path
 )
 } else {
- match call_daemon_blocking(cfg.sock_path.as_str(), &req) {
+ match call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout) {
 Ok(r) => match r {
 ClientResponse::Ok => println!("working!"),
 _ => {
diff --git a/kanidm_unix_int/src/unix_config.rs b/kanidm_unix_int/src/unix_config.rs
index aca10cd3d..3a57868c2 100644
--- a/kanidm_unix_int/src/unix_config.rs
+++ b/kanidm_unix_int/src/unix_config.rs
@@ -75,6 +75,7 @@ pub struct KanidmUnixdConfig {
 pub task_sock_path: String,
 pub conn_timeout: u64,
 pub cache_timeout: u64,
+ pub unix_sock_timeout: u64,
 pub pam_allowed_login_groups: Vec,
 pub default_shell: String,
 pub home_prefix: String,
@@ -96,6 +97,7 @@ impl Display for KanidmUnixdConfig {
 writeln!(f, "sock_path: {}", self.sock_path)?;
 writeln!(f, "task_sock_path: {}", self.task_sock_path)?;
 writeln!(f, "conn_timeout: {}", self.conn_timeout)?;
+ writeln!(f, "unix_sock_timeout: {}", self.unix_sock_timeout)?;
 writeln!(f, "cache_timeout: {}", self.cache_timeout)?;
 writeln!(
 f,
@@ -126,6 +128,7 @@ impl KanidmUnixdConfig {
 sock_path: DEFAULT_SOCK_PATH.to_string(),
 task_sock_path: DEFAULT_TASK_SOCK_PATH.to_string(),
 conn_timeout: DEFAULT_CONN_TIMEOUT,
+ unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
 cache_timeout: DEFAULT_CACHE_TIMEOUT,
 pam_allowed_login_groups: Vec::new(),
 default_shell: DEFAULT_SHELL.to_string(),
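Review bot: The new `pub unix_sock_timeout: u64` field in `KanidmUnixdConfig` says nothing about its unit or origin, while the only consumer in this patch (`client_sync.rs`) interprets it with `Duration::from_secs`, so someone reading the struct or the `Display` line `unix_sock_timeout: {}` cannot tell whether it is milliseconds like the old `TIMEOUT` constant or seconds, nor that it is computed rather than read from the config file. Add a doc comment above the field, e.g. `/// Read/write timeout in seconds for PAM/NSS clients on the unixd socket; always derived as 2 x conn_timeout in this version.` The struct definition continues outside the hunk.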
@@ -185,6 +188,7 @@ impl KanidmUnixdConfig {
 sock_path: config.sock_path.unwrap_or(self.sock_path),
 task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path),
 conn_timeout: config.conn_timeout.unwrap_or(self.conn_timeout),
+ unix_sock_timeout: config.conn_timeout.unwrap_or(self.conn_timeout) * 2,
 cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout),
 pam_allowed_login_groups: config
 .pam_allowed_login_groups
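Review bot: `config.conn_timeout.unwrap_or(self.conn_timeout) * 2` is an unchecked multiply on a value taken straight from the config file, so an oversized `conn_timeout` panics in debug builds and wraps to a tiny timeout in release; `saturating_mul(2)` avoids both. The same line also appears to make `unix_sock_timeout` non-configurable (nothing here consults a `unix_sock_timeout` key even though the struct exposes the field), which is fine if intended but deserves a comment such as `// not read from config: always 2 x conn_timeout`. Suggest `unix_sock_timeout: config.conn_timeout.unwrap_or(self.conn_timeout).saturating_mul(2),`. The enclosing method starts and ends outside the hunk.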