mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix pam unix sock timeouts (#1132)

Browse source
This commit is contained in:
Firstyear 2022-10-17 16:50:11 +10:00 committed by GitHub
parent ad2f3965d0
commit 8b6c25fac5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 20 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
kanidm_unix_int/nss_kanidm/src/lib.rs
View file

@ -36,7 +36,7 @@ impl PasswdHooks for KanidmPasswd {
} }
}; };
let req = ClientRequest::NssAccounts; let req = ClientRequest::NssAccounts;
call_daemon_blocking(cfg.sock_path.as_str(), &req) call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
.map(|r| match r { .map(|r| match r {
ClientResponse::NssAccounts(l) => l.into_iter().map(passwd_from_nssuser).collect(), ClientResponse::NssAccounts(l) => l.into_iter().map(passwd_from_nssuser).collect(),
_ => Vec::new(), _ => Vec::new(),
@ -54,7 +54,7 @@ impl PasswdHooks for KanidmPasswd {
} }
}; };
let req = ClientRequest::NssAccountByUid(uid); let req = ClientRequest::NssAccountByUid(uid);
call_daemon_blocking(cfg.sock_path.as_str(), &req) call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
.map(|r| match r { .map(|r| match r {
ClientResponse::NssAccount(opt) => opt ClientResponse::NssAccount(opt) => opt
.map(passwd_from_nssuser) .map(passwd_from_nssuser)
@ -74,7 +74,7 @@ impl PasswdHooks for KanidmPasswd {
} }
}; };
let req = ClientRequest::NssAccountByName(name); let req = ClientRequest::NssAccountByName(name);
call_daemon_blocking(cfg.sock_path.as_str(), &req) call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
.map(|r| match r { .map(|r| match r {
ClientResponse::NssAccount(opt) => opt ClientResponse::NssAccount(opt) => opt
.map(passwd_from_nssuser) .map(passwd_from_nssuser)
@ -99,7 +99,7 @@ impl GroupHooks for KanidmGroup {
} }
}; };
let req = ClientRequest::NssGroups; let req = ClientRequest::NssGroups;
call_daemon_blocking(cfg.sock_path.as_str(), &req) call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
.map(|r| match r { .map(|r| match r {
ClientResponse::NssGroups(l) => l.into_iter().map(group_from_nssgroup).collect(), ClientResponse::NssGroups(l) => l.into_iter().map(group_from_nssgroup).collect(),
_ => Vec::new(), _ => Vec::new(),
@ -117,7 +117,7 @@ impl GroupHooks for KanidmGroup {
} }
}; };
let req = ClientRequest::NssGroupByGid(gid); let req = ClientRequest::NssGroupByGid(gid);
call_daemon_blocking(cfg.sock_path.as_str(), &req) call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
.map(|r| match r { .map(|r| match r {
ClientResponse::NssGroup(opt) => opt ClientResponse::NssGroup(opt) => opt
.map(group_from_nssgroup) .map(group_from_nssgroup)
@ -137,7 +137,7 @@ impl GroupHooks for KanidmGroup {
} }
}; };
let req = ClientRequest::NssGroupByName(name); let req = ClientRequest::NssGroupByName(name);
call_daemon_blocking(cfg.sock_path.as_str(), &req) call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout)
.map(|r| match r { .map(|r| match r {
ClientResponse::NssGroup(opt) => opt ClientResponse::NssGroup(opt) => opt
.map(group_from_nssgroup) .map(group_from_nssgroup)

6
kanidm_unix_int/pam_kanidm/src/lib.rs
View file

@ -95,7 +95,7 @@ impl PamHooks for PamKanidm {
let req = ClientRequest::PamAccountAllowed(account_id); let req = ClientRequest::PamAccountAllowed(account_id);
// PamResultCode::PAM_IGNORE // PamResultCode::PAM_IGNORE
match call_daemon_blocking(cfg.sock_path.as_str(), &req) { match call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout) {
Ok(r) => match r { Ok(r) => match r {
ClientResponse::PamStatus(Some(true)) => { ClientResponse::PamStatus(Some(true)) => {
if opts.debug { if opts.debug {
@ -215,7 +215,7 @@ impl PamHooks for PamKanidm {
}; };
let req = ClientRequest::PamAuthenticate(account_id, authtok); let req = ClientRequest::PamAuthenticate(account_id, authtok);
match call_daemon_blocking(cfg.sock_path.as_str(), &req) { match call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout) {
Ok(r) => match r { Ok(r) => match r {
ClientResponse::PamStatus(Some(true)) => { ClientResponse::PamStatus(Some(true)) => {
// println!("PAM_SUCCESS"); // println!("PAM_SUCCESS");
@ -306,7 +306,7 @@ impl PamHooks for PamKanidm {
}; };
let req = ClientRequest::PamAccountBeginSession(account_id); let req = ClientRequest::PamAccountBeginSession(account_id);
match call_daemon_blocking(cfg.sock_path.as_str(), &req) { match call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout) {
Ok(ClientResponse::Ok) => { Ok(ClientResponse::Ok) => {
// println!("PAM_SUCCESS"); // println!("PAM_SUCCESS");
PamResultCode::PAM_SUCCESS PamResultCode::PAM_SUCCESS

18
kanidm_unix_int/src/client_sync.rs
View file

@ -5,23 +5,16 @@ use std::time::{Duration, SystemTime};
use crate::unix_proto::{ClientRequest, ClientResponse}; use crate::unix_proto::{ClientRequest, ClientResponse};
const TIMEOUT: u64 = 2000;
pub fn call_daemon_blocking( pub fn call_daemon_blocking(
path: &str, path: &str,
req: &ClientRequest, req: &ClientRequest,
timeout: u64,
) -> Result<ClientResponse, Box<dyn Error>> { ) -> Result<ClientResponse, Box<dyn Error>> {
let timeout = Duration::from_secs(timeout);
let mut stream = UnixStream::connect(path) let mut stream = UnixStream::connect(path)
.and_then(|socket| { .and_then(|socket| socket.set_read_timeout(Some(timeout)).map(|_| socket))
socket .and_then(|socket| socket.set_write_timeout(Some(timeout)).map(|_| socket))
.set_read_timeout(Some(Duration::from_millis(TIMEOUT)))
.map(|_| socket)
})
.and_then(|socket| {
socket
.set_write_timeout(Some(Duration::from_millis(TIMEOUT)))
.map(|_| socket)
})
.map_err(|e| { .map_err(|e| {
error!("stream setup error -> {:?}", e); error!("stream setup error -> {:?}", e);
e e
@ -45,7 +38,6 @@ pub fn call_daemon_blocking(
// Now wait on the response. // Now wait on the response.
let start = SystemTime::now(); let start = SystemTime::now();
let timeout = Duration::from_millis(TIMEOUT);
let mut read_started = false; let mut read_started = false;
let mut data = Vec::with_capacity(1024); let mut data = Vec::with_capacity(1024);
let mut counter = 0; let mut counter = 0;

2
kanidm_unix_int/src/daemon.rs
View file

@ -727,7 +727,7 @@ async fn main() {
tokio::spawn(async move { tokio::spawn(async move {
if let Err(e) = handle_client(socket, cachelayer_ref.clone(), &tc_tx).await if let Err(e) = handle_client(socket, cachelayer_ref.clone(), &tc_tx).await
{ {
error!("an error occured; error = {:?}", e); error!("handle_client error occured; error = {:?}", e);
} }
}); });
} }

2
kanidm_unix_int/src/daemon_status.rs
View file

@ -51,7 +51,7 @@ fn main() {
cfg.sock_path cfg.sock_path
) )
} else { } else {
match call_daemon_blocking(cfg.sock_path.as_str(), &req) { match call_daemon_blocking(cfg.sock_path.as_str(), &req, cfg.unix_sock_timeout) {
Ok(r) => match r { Ok(r) => match r {
ClientResponse::Ok => println!("working!"), ClientResponse::Ok => println!("working!"),
_ => { _ => {

4
kanidm_unix_int/src/unix_config.rs
View file

@ -75,6 +75,7 @@ pub struct KanidmUnixdConfig {
pub task_sock_path: String, pub task_sock_path: String,
pub conn_timeout: u64, pub conn_timeout: u64,
pub cache_timeout: u64, pub cache_timeout: u64,
pub unix_sock_timeout: u64,
pub pam_allowed_login_groups: Vec<String>, pub pam_allowed_login_groups: Vec<String>,
pub default_shell: String, pub default_shell: String,
pub home_prefix: String, pub home_prefix: String,
@ -96,6 +97,7 @@ impl Display for KanidmUnixdConfig {
writeln!(f, "sock_path: {}", self.sock_path)?; writeln!(f, "sock_path: {}", self.sock_path)?;
writeln!(f, "task_sock_path: {}", self.task_sock_path)?; writeln!(f, "task_sock_path: {}", self.task_sock_path)?;
writeln!(f, "conn_timeout: {}", self.conn_timeout)?; writeln!(f, "conn_timeout: {}", self.conn_timeout)?;
writeln!(f, "unix_sock_timeout: {}", self.unix_sock_timeout)?;
writeln!(f, "cache_timeout: {}", self.cache_timeout)?; writeln!(f, "cache_timeout: {}", self.cache_timeout)?;
writeln!( writeln!(
f, f,
@ -126,6 +128,7 @@ impl KanidmUnixdConfig {
sock_path: DEFAULT_SOCK_PATH.to_string(), sock_path: DEFAULT_SOCK_PATH.to_string(),
task_sock_path: DEFAULT_TASK_SOCK_PATH.to_string(), task_sock_path: DEFAULT_TASK_SOCK_PATH.to_string(),
conn_timeout: DEFAULT_CONN_TIMEOUT, conn_timeout: DEFAULT_CONN_TIMEOUT,
unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
cache_timeout: DEFAULT_CACHE_TIMEOUT, cache_timeout: DEFAULT_CACHE_TIMEOUT,
pam_allowed_login_groups: Vec::new(), pam_allowed_login_groups: Vec::new(),
default_shell: DEFAULT_SHELL.to_string(), default_shell: DEFAULT_SHELL.to_string(),
@ -185,6 +188,7 @@ impl KanidmUnixdConfig {
sock_path: config.sock_path.unwrap_or(self.sock_path), sock_path: config.sock_path.unwrap_or(self.sock_path),
task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path), task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path),
conn_timeout: config.conn_timeout.unwrap_or(self.conn_timeout), conn_timeout: config.conn_timeout.unwrap_or(self.conn_timeout),
unix_sock_timeout: config.conn_timeout.unwrap_or(self.conn_timeout) * 2,
cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout), cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout),
pam_allowed_login_groups: config pam_allowed_login_groups: config
.pam_allowed_login_groups .pam_allowed_login_groups