URL: https://github.com/SSSD/sssd/pull/5863
Author: justin-stephenson
Title: #5863: Responder and Child process tevent chain id improvements
Action: opened
PR body:
"""
This PR adds the following tevent chain ID functionality:
* Add tevent chain ID logic into responders (log messages with tag [CID #])
* Add ability to parse child log files by passing the backend request ID into
child processes and setting the chain ID inside the child.
sss_chain_id getter/setter functions moved into their own source file (remove
dependency to tevent), and some small changes to analyzer are needed.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5863/head:pr5863
git checkout pr5863
From 6a437178de902fd7070ce293ac750fb1a89238a2 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Wed, 3 Nov 2021 15:19:16 +0000
Subject: [PATCH 01/11] util: Move chain ID getter/setter functions
---
Makefile.am | 4 ++-
src/providers/data_provider/dp_request.c | 2 +-
src/providers/ldap/sdap_async.c | 2 +-
src/providers/ldap/sdap_fd_events.c | 2 +-
src/providers/ldap/sdap_id_op.c | 2 +-
src/sbus/router/sbus_router_handler.c | 2 +-
src/util/dbg_chain_id.c | 34 ++++++++++++++++++++++++
src/util/dbg_chain_id.h | 34 ++++++++++++++++++++++++
src/util/sss_chain_id.c | 25 +----------------
src/util/sss_chain_id.h | 6 -----
10 files changed, 77 insertions(+), 36 deletions(-)
create mode 100644 src/util/dbg_chain_id.c
create mode 100644 src/util/dbg_chain_id.h
diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..65c4693acc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -685,6 +685,7 @@ dist_noinst_HEADERS = \
src/util/strtonum.h \
src/util/sss_cli_cmd.h \
src/util/sss_chain_id.h \
+ src/util/dbg_chain_id.h \
src/util/sss_ptr_hash.h \
src/util/sss_ptr_list.h \
src/util/sss_endian.h \
@@ -1051,7 +1052,7 @@ libsss_sbus_la_SOURCES = \
src/util/check_and_open.c \
src/util/debug.c \
src/util/debug_backtrace.c \
- src/util/sss_chain_id.c \
+ src/util/dbg_chain_id.c \
src/util/sss_ptr_hash.c \
src/util/sss_ptr_list.c \
src/util/sss_utf8.c \
@@ -1265,6 +1266,7 @@ libsss_util_la_SOURCES = \
src/util/selinux.c \
src/util/sss_regexp.c \
src/util/sss_chain_id.c \
+ src/util/dbg_chain_id.c \
$(NULL)
libsss_util_la_CFLAGS = \
$(AM_CFLAGS) \
diff --git a/src/providers/data_provider/dp_request.c b/src/providers/data_provider/dp_request.c
index 3cbd55c1ec..29a941807e 100644
--- a/src/providers/data_provider/dp_request.c
+++ b/src/providers/data_provider/dp_request.c
@@ -27,7 +27,7 @@
#include "util/dlinklist.h"
#include "util/util.h"
#include "util/probes.h"
-#include "util/sss_chain_id.h"
+#include "util/dbg_chain_id.h"
struct dp_req {
struct data_provider *provider;
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index da54705496..abf58db9f3 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -24,7 +24,7 @@
#include "util/util.h"
#include "util/strtonum.h"
#include "util/probes.h"
-#include "util/sss_chain_id.h"
+#include "util/dbg_chain_id.h"
#include "providers/ldap/sdap_async_private.h"
#define REPLY_REALLOC_INCREMENT 10
diff --git a/src/providers/ldap/sdap_fd_events.c b/src/providers/ldap/sdap_fd_events.c
index 42b2efe260..40b101e47d 100644
--- a/src/providers/ldap/sdap_fd_events.c
+++ b/src/providers/ldap/sdap_fd_events.c
@@ -24,7 +24,7 @@
#include "util/util.h"
#include "util/sss_sockets.h"
-#include "util/sss_chain_id.h"
+#include "util/dbg_chain_id.h"
#include "providers/ldap/sdap_async_private.h"
struct sdap_fd_events {
diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c
index 55524707fe..d1012d61b0 100644
--- a/src/providers/ldap/sdap_id_op.c
+++ b/src/providers/ldap/sdap_id_op.c
@@ -25,7 +25,7 @@
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap_id_op.h"
-#include "util/sss_chain_id.h"
+#include "util/dbg_chain_id.h"
/* LDAP async connection cache */
struct sdap_id_conn_cache {
diff --git a/src/sbus/router/sbus_router_handler.c b/src/sbus/router/sbus_router_handler.c
index d9a374b414..870dc5b0a6 100644
--- a/src/sbus/router/sbus_router_handler.c
+++ b/src/sbus/router/sbus_router_handler.c
@@ -26,7 +26,7 @@
#include "util/util.h"
#include "util/dlinklist.h"
-#include "util/sss_chain_id.h"
+#include "util/dbg_chain_id.h"
#include "sbus/sbus_private.h"
struct sbus_message_meta {
diff --git a/src/util/dbg_chain_id.c b/src/util/dbg_chain_id.c
new file mode 100644
index 0000000000..3260b7bf6f
--- /dev/null
+++ b/src/util/dbg_chain_id.c
@@ -0,0 +1,34 @@
+/*
+ Authors:
+ Justin Stephenson <jstep...@redhat.com>
+
+ Copyright (C) 2021 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdint.h>
+#include "util/dbg_chain_id.h"
+
+uint64_t sss_chain_id_set(uint64_t id)
+{
+ uint64_t old_id = debug_chain_id;
+ debug_chain_id = id;
+ return old_id;
+}
+
+uint64_t sss_chain_id_get(void)
+{
+ return debug_chain_id;
+}
diff --git a/src/util/dbg_chain_id.h b/src/util/dbg_chain_id.h
new file mode 100644
index 0000000000..a71789f6c0
--- /dev/null
+++ b/src/util/dbg_chain_id.h
@@ -0,0 +1,34 @@
+/*
+ Authors:
+ Justin Stephenson <jstep...@redhat.com>
+
+ Copyright (C) 2021 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _DBG_CHAIN_ID_
+#define _DBG_CHAIN_ID_
+
+#include <stdint.h>
+
+extern uint64_t debug_chain_id;
+
+/* Explicitly set new chain id. The old id is returned. */
+uint64_t sss_chain_id_set(uint64_t id);
+
+/* Get the current chain id. */
+uint64_t sss_chain_id_get(void);
+
+#endif /* _DBG_CHAIN_ID_ */
diff --git a/src/util/sss_chain_id.c b/src/util/sss_chain_id.c
index f892e2eb78..c528b52937 100644
--- a/src/util/sss_chain_id.c
+++ b/src/util/sss_chain_id.c
@@ -19,12 +19,11 @@
*/
#include "config.h"
+#include "util/dbg_chain_id.h"
#include <tevent.h>
#ifdef BUILD_CHAIN_ID
-extern uint64_t debug_chain_id;
-
static void sss_chain_id_trace_fde(struct tevent_fd *fde,
enum tevent_event_trace_point point,
void *private_data)
@@ -128,18 +127,6 @@ void sss_chain_id_setup(struct tevent_context *ev)
tevent_set_trace_immediate_callback(ev, sss_chain_id_trace_immediate, NULL);
}
-uint64_t sss_chain_id_set(uint64_t id)
-{
- uint64_t old_id = debug_chain_id;
- debug_chain_id = id;
- return old_id;
-}
-
-uint64_t sss_chain_id_get(void)
-{
- return debug_chain_id;
-}
-
#else /* BUILD_CHAIN_ID not defined */
void sss_chain_id_setup(struct tevent_context *ev)
@@ -147,14 +134,4 @@ void sss_chain_id_setup(struct tevent_context *ev)
return;
}
-uint64_t sss_chain_id_set(uint64_t id)
-{
- return 0;
-}
-
-uint64_t sss_chain_id_get(void)
-{
- return 0;
-}
-
#endif /* BUILD_CHAIN_ID */
diff --git a/src/util/sss_chain_id.h b/src/util/sss_chain_id.h
index b29fad0cb1..675ba93899 100644
--- a/src/util/sss_chain_id.h
+++ b/src/util/sss_chain_id.h
@@ -26,10 +26,4 @@
/* Setup chain id tracking on tevent context. */
void sss_chain_id_setup(struct tevent_context *ev);
-/* Explicitly set new chain id. The old id is returned. */
-uint64_t sss_chain_id_set(uint64_t id);
-
-/* Get the current chain id. */
-uint64_t sss_chain_id_get(void);
-
#endif /* _SSS_CHAIN_ID_ */
From 7f0755f2e3264dd4d62ced9731880b2b69ea278e Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Thu, 28 Oct 2021 13:48:24 +0000
Subject: [PATCH 02/11] RESPONDER: Remove extraneous client ID logging
Prevent duplicate ID logging. ID will be logged in separate commit
with added tevent chain ID support in responders.
---
src/responder/common/responder_common.c | 4 ++--
src/responder/nss/nss_get_object.c | 5 ++---
src/responder/pam/pamsrv_cmd.c | 4 ++--
src/responder/pam/pamsrv_dp.c | 9 ++++----
src/util/sss_pam_data.c | 28 ++++++++++++-------------
5 files changed, 23 insertions(+), 27 deletions(-)
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 7e145aa9b2..bc4ef4e4f6 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -640,8 +640,8 @@ static void accept_fd_handler(struct tevent_context *ev,
rctx->client_id_num++;
DEBUG(SSSDBG_TRACE_FUNC,
- "Client [CID #%u][cmd %s][uid %u][%p][%d] connected%s!\n",
- rctx->client_id_num, cctx->cmd_line, cli_creds_get_uid(cctx->creds),
+ "Client [cmd %s][uid %u][%p][%d] connected%s!\n",
+ cctx->cmd_line, cli_creds_get_uid(cctx->creds),
cctx, cctx->cfd, accept_ctx->is_private ? " to privileged pipe" : "");
return;
diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
index 9d53f070c9..30d8cb7e15 100644
--- a/src/responder/nss/nss_get_object.c
+++ b/src/responder/nss/nss_get_object.c
@@ -309,9 +309,8 @@ nss_get_object_send(TALLOC_CTX *mem_ctx,
goto done;
}
- DEBUG(SSSDBG_TRACE_FUNC, "Client [%p][%d][CID #%u]: sent cache request #%u\n",
- cli_ctx, cli_ctx->cfd, cli_ctx->rctx->client_id_num,
- cache_req_get_reqid(subreq));
+ DEBUG(SSSDBG_TRACE_FUNC, "Client [%p][%d]: sent cache request #%u\n",
+ cli_ctx, cli_ctx->cfd, cache_req_get_reqid(subreq));
tevent_req_set_callback(subreq, nss_get_object_done, req);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 20c332b1a4..ad64ca7d20 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1154,8 +1154,8 @@ static void pam_reply(struct pam_auth_req *preq)
}
done:
- DEBUG(SSSDBG_FUNC_DATA, "Returning [%d]: %s to the client [CID #%u]\n",
- pd->pam_status, pam_strerror(NULL, pd->pam_status), pd->client_id_num);
+ DEBUG(SSSDBG_FUNC_DATA, "[CID #%u] Returning [%d]: %s to the client\n",
+ pd->client_id_num, pd->pam_status, pam_strerror(NULL, pd->pam_status));
sss_cmd_done(cctx, preq);
}
diff --git a/src/responder/pam/pamsrv_dp.c b/src/responder/pam/pamsrv_dp.c
index b3900e17e9..24bda2c658 100644
--- a/src/responder/pam/pamsrv_dp.c
+++ b/src/responder/pam/pamsrv_dp.c
@@ -47,8 +47,7 @@ pam_dp_send_req(struct pam_auth_req *preq)
return EIO;
}
- DEBUG(SSSDBG_CONF_SETTINGS, "Sending request [CID #%u] with the following data:\n",
- preq->client_id_num);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Sending request with the following data:\n");
DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, preq->pd);
subreq = sbus_call_dp_dp_pamHandler_send(preq, be_conn->conn,
@@ -85,11 +84,11 @@ pam_dp_send_req_done(struct tevent_req *subreq)
preq->pd->pam_status = pam_response->pam_status;
preq->pd->account_locked = pam_response->account_locked;
- DEBUG(SSSDBG_FUNC_DATA, "received: [%d (%s)][%s][CID #%u]\n",
+ DEBUG(SSSDBG_FUNC_DATA, "[CID #%u] received: [%d (%s)][%s]\n",
+ preq->pd->client_id_num,
pam_response->pam_status,
pam_strerror(NULL, pam_response->pam_status),
- preq->pd->domain,
- preq->pd->client_id_num);
+ preq->pd->domain);
for (resp = pam_response->resp_list; resp != NULL; resp = resp->next) {
talloc_steal(preq->pd, resp);
diff --git a/src/util/sss_pam_data.c b/src/util/sss_pam_data.c
index ebea11ea59..3eda598c68 100644
--- a/src/util/sss_pam_data.c
+++ b/src/util/sss_pam_data.c
@@ -165,25 +165,23 @@ errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *src,
void pam_print_data(int l, struct pam_data *pd)
{
- DEBUG(l, "[CID #%u] command: %s\n", pd->client_id_num, sss_cmd2str(pd->cmd));
- DEBUG(l, "[CID #%u] domain: %s\n", pd->client_id_num, PAM_SAFE_ITEM(pd->domain));
- DEBUG(l, "[CID #%u] user: %s\n", pd->client_id_num, PAM_SAFE_ITEM(pd->user));
- DEBUG(l, "[CID #%u] service: %s\n", pd->client_id_num, PAM_SAFE_ITEM(pd->service));
- DEBUG(l, "[CID #%u] tty: %s\n", pd->client_id_num, PAM_SAFE_ITEM(pd->tty));
- DEBUG(l, "[CID #%u] ruser: %s\n", pd->client_id_num, PAM_SAFE_ITEM(pd->ruser));
- DEBUG(l, "[CID #%u] rhost: %s\n", pd->client_id_num, PAM_SAFE_ITEM(pd->rhost));
- DEBUG(l, "[CID #%u] authtok type: %d (%s)\n",
- pd->client_id_num,
+ DEBUG(l, "command: %s\n", sss_cmd2str(pd->cmd));
+ DEBUG(l, "domain: %s\n", PAM_SAFE_ITEM(pd->domain));
+ DEBUG(l, "user: %s\n", PAM_SAFE_ITEM(pd->user));
+ DEBUG(l, "service: %s\n", PAM_SAFE_ITEM(pd->service));
+ DEBUG(l, "tty: %s\n", PAM_SAFE_ITEM(pd->tty));
+ DEBUG(l, "ruser: %s\n", PAM_SAFE_ITEM(pd->ruser));
+ DEBUG(l, "rhost: %s\n", PAM_SAFE_ITEM(pd->rhost));
+ DEBUG(l, "authtok type: %d (%s)\n",
sss_authtok_get_type(pd->authtok),
sss_authtok_type_to_str(sss_authtok_get_type(pd->authtok)));
- DEBUG(l, "[CID #%u] newauthtok type: %d (%s)\n",
- pd->client_id_num,
+ DEBUG(l, "newauthtok type: %d (%s)\n",
sss_authtok_get_type(pd->newauthtok),
sss_authtok_type_to_str(sss_authtok_get_type(pd->newauthtok)));
- DEBUG(l, "[CID #%u] priv: %d\n", pd->client_id_num, pd->priv);
- DEBUG(l, "[CID #%u] cli_pid: %d\n", pd->client_id_num, pd->cli_pid);
- DEBUG(l, "[CID #%u] logon name: %s\n", pd->client_id_num, PAM_SAFE_ITEM(pd->logon_name));
- DEBUG(l, "[CID #%u] flags: %d\n", pd->client_id_num, pd->cli_flags);
+ DEBUG(l, "priv: %d\n", pd->priv);
+ DEBUG(l, "cli_pid: %d\n", pd->cli_pid);
+ DEBUG(l, "logon name: %s\n", PAM_SAFE_ITEM(pd->logon_name));
+ DEBUG(l, "flags: %d\n", pd->cli_flags);
}
int pam_add_response(struct pam_data *pd, enum response_type type,
From 5cbff383e11f99cadf3ac3b9a6146ac2cf82bcc1 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Mon, 25 Oct 2021 16:19:04 +0000
Subject: [PATCH 03/11] RESPONDER: Support chain ID logging
---
.../common/cache_req/cache_req_search.c | 16 ++++++++++++++++
src/responder/common/responder.h | 1 +
src/responder/common/responder_common.c | 12 +++++++++++-
3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
index a3e25adbd2..40e614a331 100644
--- a/src/responder/common/cache_req/cache_req_search.c
+++ b/src/responder/common/cache_req/cache_req_search.c
@@ -26,6 +26,7 @@
#include "responder/common/cache_req/cache_req_private.h"
#include "responder/common/cache_req/cache_req_plugin.h"
#include "db/sysdb.h"
+#include "util/dbg_chain_id.h"
static errno_t cache_req_search_ncache(struct cache_req *cr)
{
@@ -282,6 +283,7 @@ cache_req_expiration_status(struct cache_req *cr,
}
struct cache_req_search_state {
+ uint64_t chain_id;
/* input data */
struct tevent_context *ev;
struct resp_ctx *rctx;
@@ -420,6 +422,11 @@ static errno_t cache_req_search_dp(struct tevent_req *req,
state = tevent_req_data(req, struct cache_req_search_state);
+ /* store the global chain ID and set it back in callback.
+ * Otherwise we lose the chain ID when dp_send_fn is called
+ * (chain ID is set to 0 in sbus_issue_request_done). */
+ state->chain_id = sss_chain_id_get();
+
switch (status) {
case CACHE_OBJECT_MIDPOINT:
/* Out of band update. The calling function will return the cached
@@ -495,6 +502,8 @@ static void cache_req_search_done(struct tevent_req *subreq)
state->dp_success = state->cr->plugin->dp_recv_fn(subreq, state->cr);
talloc_zfree(subreq);
+ sss_chain_id_set(state->chain_id);
+
/* Do not try to read from cache if the domain is inconsistent */
if (sss_domain_get_state(state->cr->domain) == DOM_INCONSISTENT) {
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr, "Domain inconsistent, "
@@ -557,6 +566,7 @@ struct cache_req_locate_domain_state {
struct cache_req *cr;
char *found_domain;
+ uint64_t chain_id;
};
static void cache_req_locate_domain_done(struct tevent_req *subreq);
@@ -578,6 +588,11 @@ struct tevent_req *cache_req_locate_domain_send(TALLOC_CTX *mem_ctx,
}
state->cr = cr;
+ /* store the global chain ID and set it back in callback.
+ * Otherwise we lose the chain ID when dp_get_domain_check_fn is called
+ * (chain ID is set to 0 in sbus_issue_request_done). */
+ state->chain_id = sss_chain_id_get();
+
should_run = cr->plugin->dp_get_domain_check_fn(cr->rctx,
get_domains_head(cr->domain),
cr->data);
@@ -624,6 +639,7 @@ static void cache_req_locate_domain_done(struct tevent_req *subreq)
state->cr,
&state->found_domain);
talloc_zfree(subreq);
+ sss_chain_id_set(state->chain_id);
if (ret != EOK) {
tevent_req_error(req, ret);
return;
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 90575b89e7..5cb79e3e63 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -165,6 +165,7 @@ struct cli_ctx {
struct cli_creds *creds;
char *cmd_line;
+ uint64_t old_chain_id;
void *protocol_ctx;
void *state_ctx;
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index bc4ef4e4f6..64c1ba9586 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -42,6 +42,8 @@
#include "providers/data_provider.h"
#include "util/util_creds.h"
#include "sss_iface/sss_iface_async.h"
+#include "util/sss_chain_id.h"
+#include "util/dbg_chain_id.h"
#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
@@ -85,6 +87,8 @@ static void client_close_fn(struct tevent_context *ev,
"Failed to close fd [%d]: [%s]\n",
ctx->cfd, strerror(ret));
}
+ /* Restore the original chain id */
+ sss_chain_id_set(ctx->old_chain_id);
DEBUG(SSSDBG_TRACE_INTERNAL,
"Terminated client [%p][%d]\n",
@@ -522,6 +526,8 @@ static void accept_fd_handler(struct tevent_context *ev,
int ret;
int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd;
+ rctx->client_id_num++;
+
if (accept_ctx->is_private) {
ret = stat(rctx->priv_sock_name, &stat_buf);
if (ret == -1) {
@@ -550,6 +556,9 @@ static void accept_fd_handler(struct tevent_context *ev,
return;
}
+ /* Set the chain id */
+ cctx->old_chain_id = sss_chain_id_set(rctx->client_id_num);
+
talloc_set_destructor(cctx, cli_ctx_destructor);
len = sizeof(cctx->addr);
@@ -638,7 +647,6 @@ static void accept_fd_handler(struct tevent_context *ev,
/* Non-fatal, continue */
}
- rctx->client_id_num++;
DEBUG(SSSDBG_TRACE_FUNC,
"Client [cmd %s][uid %u][%p][%d] connected%s!\n",
cctx->cmd_line, cli_creds_get_uid(cctx->creds),
@@ -1312,6 +1320,8 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
+ sss_chain_id_setup(rctx->ev);
+
/* Ensure that the client timeout is at least ten seconds */
if (rctx->client_idle_timeout < 10) {
rctx->client_idle_timeout = 10;
From 8524b45db522b04107a414b9cb084636d1d8e331 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Wed, 3 Nov 2021 19:33:17 +0000
Subject: [PATCH 04/11] DEBUG: Log chain ID messages with [CID#X] tag
Inform the debug module when a responder process is sending debug
log messages, use the [CID #] tag in responder code and [RID #]
tag in backend/child process code.
---
src/util/debug.c | 14 ++++++++++----
src/util/debug.h | 1 +
src/util/server.c | 17 +++++++++++++++++
3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/src/util/debug.c b/src/util/debug.c
index 7c03fb7dff..a29715f291 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -36,7 +36,8 @@
#include "util/util.h"
-#define DEBUG_CHAIN_ID_FMT "[RID#%lu] "
+#define DEBUG_CHAIN_ID_FMT_RID "[RID#%lu] "
+#define DEBUG_CHAIN_ID_FMT_CID "[CID#%lu] "
/* from debug_backtrace.h */
void sss_debug_backtrace_init(void);
@@ -45,6 +46,7 @@ void sss_debug_backtrace_printf(int level, const char *format, ...);
void sss_debug_backtrace_endmsg(int level);
const char *debug_prg_name = "sssd";
+bool debug_from_responder;
int debug_level = SSSDBG_UNRESOLVED;
int debug_timestamps = SSSDBG_TIMESTAMP_UNRESOLVED;
@@ -295,12 +297,12 @@ void sss_vdebug_fn(const char *file,
if (debug_chain_id > 0) {
result_fmt = chain_id_fmt_fixed;
ret = snprintf(chain_id_fmt_fixed, sizeof(chain_id_fmt_fixed),
- DEBUG_CHAIN_ID_FMT"%s", debug_chain_id, format);
+ DEBUG_CHAIN_ID_FMT_RID"%s", debug_chain_id, format);
if (ret < 0) {
va_end(ap_fallback);
return;
} else if (ret >= sizeof(chain_id_fmt_fixed)) {
- ret = asprintf(&chain_id_fmt_dyn, DEBUG_CHAIN_ID_FMT"%s",
+ ret = asprintf(&chain_id_fmt_dyn, DEBUG_CHAIN_ID_FMT_RID"%s",
debug_chain_id, format);
if (ret < 0) {
va_end(ap_fallback);
@@ -351,7 +353,11 @@ void sss_vdebug_fn(const char *file,
debug_prg_name, function, level);
if (debug_chain_id > 0) {
- sss_debug_backtrace_printf(level, DEBUG_CHAIN_ID_FMT, debug_chain_id);
+ if (debug_from_responder) {
+ sss_debug_backtrace_printf(level, DEBUG_CHAIN_ID_FMT_CID, debug_chain_id);
+ } else {
+ sss_debug_backtrace_printf(level, DEBUG_CHAIN_ID_FMT_RID, debug_chain_id);
+ }
}
sss_debug_backtrace_vprintf(level, format, ap);
diff --git a/src/util/debug.h b/src/util/debug.h
index 01713cb35b..735c2b2a12 100644
--- a/src/util/debug.h
+++ b/src/util/debug.h
@@ -50,6 +50,7 @@ enum sss_logger_t {
extern const char *sss_logger_str[]; /* mapping: sss_logger_t -> string */
extern const char *debug_prg_name;
+extern bool debug_from_responder;
extern int debug_level;
extern int debug_timestamps;
extern int debug_microseconds;
diff --git a/src/util/server.c b/src/util/server.c
index e3133a61dd..6043aec475 100644
--- a/src/util/server.c
+++ b/src/util/server.c
@@ -425,6 +425,21 @@ errno_t server_common_rotate_logs(struct confdb_ctx *confdb,
return EOK;
}
+static bool prg_name_is_responder(const char *prg_name)
+{
+ bool is_resp = true;
+
+ /* Special case, responder */
+ if (strstr(prg_name, "p11") != NULL) {
+ /* Continue */
+ } else if ((strstr(prg_name, "be") != NULL) ||
+ (strstr(prg_name, "child") != NULL)) {
+ is_resp = false;
+ }
+
+ return is_resp;
+}
+
static const char *get_db_path(void)
{
#ifdef UNIT_TESTING
@@ -484,6 +499,8 @@ int server_setup(const char *name, int flags,
return ENOMEM;
}
+ debug_from_responder = prg_name_is_responder(name);
+
my_pid = getpid();
ret = setpgid(my_pid, my_pid);
if (ret != EOK) {
From 063f2c6187c72afe200e643ae585490374f19763 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Wed, 20 Oct 2021 12:11:49 -0400
Subject: [PATCH 05/11] krb5_child: Add chain ID logging support
---
Makefile.am | 1 +
src/providers/krb5/krb5_child.c | 10 ++++++++++
src/providers/krb5/krb5_child_handler.c | 7 ++++++-
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 65c4693acc..8dd3c9f052 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4509,6 +4509,7 @@ krb5_child_SOURCES = \
src/util/util.c \
src/util/util_ext.c \
src/util/signal.c \
+ src/util/dbg_chain_id.c \
src/util/strtonum.c \
src/util/become_user.c \
src/util/util_errors.c \
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 594c86bf61..af3ccf1c05 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -41,6 +41,7 @@
#include "providers/krb5/krb5_auth.h"
#include "providers/krb5/krb5_utils.h"
#include "sss_cli.h"
+#include "src/util/dbg_chain_id.h"
#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
@@ -95,6 +96,8 @@ struct krb5_req {
bool posix_domain;
bool send_pac;
bool use_enterprise_princ;
+ uint64_t old_chain_id;
+ uint64_t chain_id;
char *fast_ccname;
const char *upn;
@@ -2468,12 +2471,16 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
kr->send_pac = (send_pac == 0) ? false : true;
SAFEALIGN_COPY_UINT32_CHECK(&use_enterprise_princ, buf + p, size, &p);
kr->use_enterprise_princ = (use_enterprise_princ == 0) ? false : true;
+ safealign_memcpy(&kr->chain_id, buf + p, sizeof(uint64_t), &p);
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
if (len > size - p) return EINVAL;
kr->upn = talloc_strndup(pd, (char *)(buf + p), len);
if (kr->upn == NULL) return ENOMEM;
p += len;
+ /* Set the chain id */
+ kr->old_chain_id = sss_chain_id_set(kr->chain_id);
+
DEBUG(SSSDBG_CONF_SETTINGS,
"cmd [%d (%s)] uid [%llu] gid [%llu] validate [%s] "
"enterprise principal [%s] offline [%s] UPN [%s]\n",
@@ -3502,6 +3509,9 @@ int main(int argc, const char *argv[])
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to send reply\n");
}
+ /* Restore the chain id */
+ sss_chain_id_set(kr->old_chain_id);
+
done:
if (ret == EOK) {
DEBUG(SSSDBG_TRACE_FUNC, "krb5_child completed successfully\n");
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 778e38fc8e..2fcc5182ec 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -29,6 +29,7 @@
#include "providers/krb5/krb5_common.h"
#include "providers/krb5/krb5_auth.h"
#include "src/providers/krb5/krb5_utils.h"
+#include "util/dbg_chain_id.h"
#ifndef KRB5_CHILD_DIR
#ifndef SSSD_LIBEXEC_PATH
@@ -115,8 +116,11 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
uint32_t use_enterprise_principal;
uint32_t posix_domain = 0;
size_t username_len = 0;
+ uint64_t chain_id;
errno_t ret;
+ chain_id = sss_chain_id_get();
+
keytab = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_KEYTAB);
if (keytab == NULL) {
DEBUG(SSSDBG_TRACE_FUNC, "krb5_keytab not set for domain in sssd.conf\n");
@@ -159,7 +163,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
return ENOMEM;
}
- buf->size = 9*sizeof(uint32_t) + strlen(kr->upn);
+ buf->size = 9*sizeof(uint32_t) + sizeof(uint64_t) + strlen(kr->upn);
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE ||
kr->pd->cmd == SSS_PAM_PREAUTH ||
@@ -201,6 +205,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->is_offline, &rp);
SAFEALIGN_COPY_UINT32(&buf->data[rp], &send_pac, &rp);
SAFEALIGN_COPY_UINT32(&buf->data[rp], &use_enterprise_principal, &rp);
+ safealign_memcpy(&buf->data[rp], &chain_id, sizeof(uint64_t), &rp);
SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->upn), &rp);
safealign_memcpy(&buf->data[rp], kr->upn, strlen(kr->upn), &rp);
From e84692f328d67c41f6f7512e7ba8b13e3f9da5bb Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Thu, 21 Oct 2021 15:25:27 +0000
Subject: [PATCH 06/11] gpo: Add chain ID logging support
---
Makefile.am | 1 +
src/providers/ad/ad_gpo.c | 9 ++++++++-
src/providers/ad/ad_gpo_child.c | 15 +++++++++++++--
3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 8dd3c9f052..e1cb68b20a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4585,6 +4585,7 @@ gpo_child_SOURCES = \
src/util/atomic_io.c \
src/util/util.c \
src/util/util_ext.c \
+ src/util/dbg_chain_id.c \
src/util/signal.c
gpo_child_CFLAGS = \
$(AM_CFLAGS) \
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index f3452176af..1ec80d5379 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -49,6 +49,7 @@
#include "providers/ldap/sdap.h"
#include "providers/ldap/sdap_idmap.h"
#include "util/util_sss_idmap.h"
+#include "util/dbg_chain_id.h"
#include <ndr.h>
#include <gen_ndr/security.h>
#include <db/sysdb_computer.h>
@@ -4501,19 +4502,22 @@ create_cse_send_buffer(TALLOC_CTX *mem_ctx,
int smb_share_length;
int smb_path_length;
int smb_cse_suffix_length;
+ uint64_t chain_id;
smb_server_length = strlen(smb_server);
smb_share_length = strlen(smb_share);
smb_path_length = strlen(smb_path);
smb_cse_suffix_length = strlen(smb_cse_suffix);
+ chain_id = sss_chain_id_get();
+
buf = talloc(mem_ctx, struct io_buffer);
if (buf == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
return ENOMEM;
}
- buf->size = 5 * sizeof(uint32_t);
+ buf->size = 5 * sizeof(uint32_t) + sizeof(uint64_t);
buf->size += smb_server_length + smb_share_length + smb_path_length +
smb_cse_suffix_length;
@@ -4527,6 +4531,9 @@ create_cse_send_buffer(TALLOC_CTX *mem_ctx,
}
rp = 0;
+ /* cache id */
+ safealign_memcpy(&buf->data[rp], &chain_id, sizeof(uint64_t), &rp);
+
/* cached_gpt_version */
SAFEALIGN_SET_UINT32(&buf->data[rp], cached_gpt_version, &rp);
diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c
index 8a3a87195b..9247da79b4 100644
--- a/src/providers/ad/ad_gpo_child.c
+++ b/src/providers/ad/ad_gpo_child.c
@@ -36,6 +36,7 @@
#include "providers/backend.h"
#include "providers/ad/ad_gpo.h"
#include "sss_cli.h"
+#include "util/dbg_chain_id.h"
#define SMB_BUFFER_SIZE 65536
#define GPT_INI "/GPT.INI"
@@ -53,11 +54,17 @@ struct input_buffer {
static errno_t
unpack_buffer(uint8_t *buf,
size_t size,
- struct input_buffer *ibuf)
+ struct input_buffer *ibuf,
+ uint64_t *_old_chain_id)
{
size_t p = 0;
uint32_t len;
uint32_t cached_gpt_version;
+ uint64_t chain_id;
+
+ /* chain ID */
+ safealign_memcpy(&chain_id, buf + p, sizeof(uint64_t), &p);
+ *_old_chain_id = sss_chain_id_set(chain_id);
/* cached_gpt_version */
SAFEALIGN_COPY_UINT32_CHECK(&cached_gpt_version, buf + p, size, &p);
@@ -732,6 +739,7 @@ main(int argc, const char *argv[])
uint8_t *buf = NULL;
ssize_t len = 0;
struct input_buffer *ibuf = NULL;
+ uint64_t old_chain_id;
struct response *resp = NULL;
ssize_t written;
@@ -811,7 +819,7 @@ main(int argc, const char *argv[])
close(STDIN_FILENO);
- ret = unpack_buffer(buf, len, ibuf);
+ ret = unpack_buffer(buf, len, ibuf, &old_chain_id);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"unpack_buffer failed.[%d][%s].\n", ret, strerror(ret));
@@ -856,6 +864,9 @@ main(int argc, const char *argv[])
goto fail;
}
+ /* Restore the chain id */
+ sss_chain_id_set(old_chain_id);
+
DEBUG(SSSDBG_TRACE_FUNC, "gpo_child completed successfully\n");
close(AD_GPO_CHILD_OUT_FILENO);
talloc_free(main_ctx);
From 94858e8620a9e85821e97a6f76d3003a0a12379c Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Thu, 21 Oct 2021 15:39:37 +0000
Subject: [PATCH 07/11] ipa_selinux: Add chain ID logging support
---
Makefile.am | 1 +
src/providers/ipa/ipa_selinux.c | 8 +++++++-
src/providers/ipa/selinux_child.c | 15 +++++++++++++--
3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index e1cb68b20a..3d08436ae2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4561,6 +4561,7 @@ if BUILD_SEMANAGE
selinux_child_SOURCES = \
src/providers/ipa/selinux_child.c \
src/util/sss_semanage.c \
+ src/util/dbg_chain_id.c \
src/util/atomic_io.c \
src/util/util.c \
src/util/util_ext.c \
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 7603491342..69c61c9a7b 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -26,6 +26,7 @@
#include "db/sysdb_selinux.h"
#include "util/child_common.h"
#include "util/sss_selinux.h"
+#include "util/dbg_chain_id.h"
#include "providers/ldap/sdap_async.h"
#include "providers/ipa/ipa_common.h"
#include "providers/ipa/ipa_config.h"
@@ -634,12 +635,13 @@ static errno_t selinux_child_create_buffer(struct selinux_child_state *state)
size_t seuser_len;
size_t mls_range_len;
size_t username_len;
+ uint64_t chain_id;
seuser_len = strlen(state->sci->seuser);
mls_range_len = strlen(state->sci->mls_range);
username_len = strlen(state->sci->username);
- state->buf->size = 3 * sizeof(uint32_t);
+ state->buf->size = 3 * sizeof(uint32_t) + sizeof(uint64_t);
state->buf->size += seuser_len + mls_range_len + username_len;
DEBUG(SSSDBG_TRACE_ALL, "buffer size: %zu\n", state->buf->size);
@@ -652,6 +654,10 @@ static errno_t selinux_child_create_buffer(struct selinux_child_state *state)
rp = 0;
+ /* chain id */
+ chain_id = sss_chain_id_get();
+ safealign_memcpy(&state->buf->data[rp], &chain_id, sizeof(uint64_t), &rp);
+
/* seuser */
SAFEALIGN_SET_UINT32(&state->buf->data[rp], seuser_len, &rp);
safealign_memcpy(&state->buf->data[rp], state->sci->seuser,
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index d9b6e15c93..cdf7e23002 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -30,6 +30,7 @@
#include "util/util.h"
#include "util/child_common.h"
+#include "util/dbg_chain_id.h"
#include "providers/backend.h"
struct input_buffer {
@@ -40,10 +41,16 @@ struct input_buffer {
static errno_t unpack_buffer(uint8_t *buf,
size_t size,
- struct input_buffer *ibuf)
+ struct input_buffer *ibuf,
+ uint64_t *_old_chain_id)
{
size_t p = 0;
uint32_t len;
+ uint64_t chain_id;
+
+ /* chain id */
+ safealign_memcpy(&chain_id, buf + p, sizeof(uint64_t), &p);
+ *_old_chain_id = sss_chain_id_set(chain_id);
/* seuser */
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
@@ -211,6 +218,7 @@ int main(int argc, const char *argv[])
uint8_t *buf = NULL;
ssize_t len = 0;
struct input_buffer *ibuf = NULL;
+ uint64_t old_chain_id;
struct response *resp = NULL;
struct passwd *passwd = NULL;
ssize_t written;
@@ -338,7 +346,7 @@ int main(int argc, const char *argv[])
close(STDIN_FILENO);
- ret = unpack_buffer(buf, len, ibuf);
+ ret = unpack_buffer(buf, len, ibuf, &old_chain_id);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"unpack_buffer failed.[%d][%s].\n", ret, strerror(ret));
@@ -397,6 +405,9 @@ int main(int argc, const char *argv[])
goto fail;
}
+ /* Restore the chain id */
+ sss_chain_id_set(old_chain_id);
+
DEBUG(SSSDBG_TRACE_FUNC, "selinux_child completed successfully\n");
close(STDOUT_FILENO);
talloc_free(main_ctx);
From 5d8e8f93ffe8dcb4c9ca08e951e1b9d416fc06f0 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Thu, 21 Oct 2021 19:31:07 +0000
Subject: [PATCH 08/11] p11_child: Add chain ID logging support
---
Makefile.am | 1 +
src/p11_child/p11_child_common.c | 23 +++++++++++++++++++----
src/responder/pam/pamsrv_p11.c | 13 +++++++++++--
3 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 3d08436ae2..a7767a4f7e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4623,6 +4623,7 @@ p11_child_SOURCES = \
src/util/atomic_io.c \
src/util/util.c \
src/util/util_ext.c \
+ src/util/dbg_chain_id.c \
$(NULL)
p11_child_SOURCES += src/p11_child/p11_child_openssl.c
diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c
index 7c8259479d..48010c65ec 100644
--- a/src/p11_child/p11_child_common.c
+++ b/src/p11_child/p11_child_common.c
@@ -32,6 +32,7 @@
#include "util/child_common.h"
#include "providers/backend.h"
#include "util/crypto/sss_crypto.h"
+#include "util/dbg_chain_id.h"
#include "util/cert.h"
#include "p11_child/p11_child.h"
@@ -101,11 +102,14 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db,
return ret;
}
-static errno_t p11c_recv_data(TALLOC_CTX *mem_ctx, int fd, char **pin)
+static errno_t p11c_recv_data(TALLOC_CTX *mem_ctx, int fd, char **pin,
+ uint64_t *_old_chain_id)
{
uint8_t buf[IN_BUF_SIZE];
ssize_t len;
+ size_t p = 0;
errno_t ret;
+ uint64_t chain_id;
char *str;
errno = 0;
@@ -123,7 +127,8 @@ static errno_t p11c_recv_data(TALLOC_CTX *mem_ctx, int fd, char **pin)
return EINVAL;
}
- str = talloc_strndup(mem_ctx, (char *) buf, len);
+ len -= sizeof(uint64_t);
+ str = talloc_strndup(mem_ctx, (char *) buf + p, len);
if (str == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
return ENOMEM;
@@ -131,11 +136,14 @@ static errno_t p11c_recv_data(TALLOC_CTX *mem_ctx, int fd, char **pin)
if (strlen(str) != len) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Input contains additional data, only PIN expected.\n");
+ "PIN does not match expected size.\n");
talloc_free(str);
return EINVAL;
}
+ safealign_memcpy(&chain_id, buf + len, sizeof(uint64_t), NULL);
+
+ *_old_chain_id = sss_chain_id_set(chain_id);
*pin = str;
return EOK;
@@ -163,6 +171,7 @@ int main(int argc, const char *argv[])
char *cert_b64 = NULL;
bool wait_for_card = false;
char *uri = NULL;
+ uint64_t old_chain_id = -1;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -357,7 +366,7 @@ int main(int argc, const char *argv[])
}
if (mode == OP_AUTH && pin_mode == PIN_STDIN) {
- ret = p11c_recv_data(main_ctx, STDIN_FILENO, &pin);
+ ret = p11c_recv_data(main_ctx, STDIN_FILENO, &pin, &old_chain_id);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read PIN.\n");
goto fail;
@@ -376,10 +385,16 @@ int main(int argc, const char *argv[])
fprintf(stdout, "%s", multi);
}
+ /* Restore the chain id */
+ sss_chain_id_set(old_chain_id);
+
talloc_free(main_ctx);
return EXIT_SUCCESS;
fail:
DEBUG(SSSDBG_CRIT_FAILURE, "p11_child failed!\n");
+ if (old_chain_id != -1) {
+ sss_chain_id_set(old_chain_id);
+ }
close(STDOUT_FILENO);
talloc_free(main_ctx);
return EXIT_FAILURE;
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 3b21332db9..58afff7702 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -29,6 +29,7 @@
#include "responder/pam/pam_helpers.h"
#include "lib/certmap/sss_certmap.h"
#include "util/crypto/sss_crypto.h"
+#include "util/dbg_chain_id.h"
#include "db/sysdb.h"
@@ -439,6 +440,8 @@ static errno_t get_p11_child_write_buffer(TALLOC_CTX *mem_ctx,
int ret;
uint8_t *buf;
size_t len;
+ size_t rp;
+ uint64_t chain_id;
const char *pin = NULL;
if (pd == NULL || pd->authtok == NULL) {
@@ -446,6 +449,9 @@ static errno_t get_p11_child_write_buffer(TALLOC_CTX *mem_ctx,
return EINVAL;
}
+ chain_id = sss_chain_id_get();
+ rp = 0;
+
switch (sss_authtok_get_type(pd->authtok)) {
case SSS_AUTHTOK_TYPE_SC_PIN:
ret = sss_authtok_get_sc_pin(pd->authtok, &pin, &len);
@@ -458,13 +464,16 @@ static errno_t get_p11_child_write_buffer(TALLOC_CTX *mem_ctx,
return EINVAL;
}
- buf = talloc_size(mem_ctx, len);
+ buf = talloc_size(mem_ctx, len + sizeof(uint64_t));
if (buf == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
return ENOMEM;
}
- safealign_memcpy(buf, pin, len, NULL);
+ safealign_memcpy(&buf[rp], pin, len, &rp);
+ safealign_memcpy(&buf[rp], &chain_id, sizeof(uint64_t), &rp);
+
+ len += sizeof(uint64_t);
break;
case SSS_AUTHTOK_TYPE_SC_KEYPAD:
From 1575a9fadfde9496c641bf6742829406cea49177 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Thu, 28 Oct 2021 17:41:47 +0000
Subject: [PATCH 09/11] proxy_child: Add chain ID logging support
---
src/providers/proxy/proxy_auth.c | 6 ++++--
src/providers/proxy/proxy_child.c | 8 ++++++++
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
index 0e6fc8ea84..a5502788bc 100644
--- a/src/providers/proxy/proxy_auth.c
+++ b/src/providers/proxy/proxy_auth.c
@@ -26,6 +26,7 @@
#include "providers/proxy/proxy.h"
#include "sss_iface/sss_iface_async.h"
+#include "util/dbg_chain_id.h"
struct pc_init_ctx;
@@ -178,11 +179,12 @@ static struct tevent_req *proxy_child_init_send(TALLOC_CTX *mem_ctx,
state->command = talloc_asprintf(req,
"%s/proxy_child -d %#.4x --debug-timestamps=%d "
- "--debug-microseconds=%d --logger=%s --domain %s --id %d",
+ "--debug-microseconds=%d --logger=%s --domain %s --id %d "
+ "--chain-id=%lu",
SSSD_LIBEXEC_PATH, debug_level, debug_timestamps,
debug_microseconds, sss_logger_str[sss_logger],
auth_ctx->be->domain->name,
- child_ctx->id);
+ child_ctx->id, sss_chain_id_get());
if (state->command == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
return NULL;
diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c
index d9e3d0d874..82c8c79c72 100644
--- a/src/providers/proxy/proxy_child.c
+++ b/src/providers/proxy/proxy_child.c
@@ -43,6 +43,7 @@
#include "confdb/confdb.h"
#include "providers/proxy/proxy.h"
#include "sss_iface/sss_iface_async.h"
+#include "util/dbg_chain_id.h"
#include "providers/backend.h"
@@ -480,6 +481,7 @@ int main(int argc, const char *argv[])
struct main_context *main_ctx;
int ret;
long id = 0;
+ long chain_id;
char *pam_target = NULL;
uid_t uid;
gid_t gid;
@@ -493,6 +495,8 @@ int main(int argc, const char *argv[])
_("Domain of the information provider (mandatory)"), NULL },
{"id", 0, POPT_ARG_LONG, &id, 0,
_("Child identifier (mandatory)"), NULL },
+ {"chain-id", 0, POPT_ARG_LONG, &chain_id, 0,
+ _("Tevent chain ID"), NULL },
POPT_TABLEEND
};
@@ -556,6 +560,10 @@ int main(int argc, const char *argv[])
conf_entry = talloc_asprintf(NULL, CONFDB_DOMAIN_PATH_TMPL, domain);
if (!conf_entry) return 2;
+ if (chain_id > 0) {
+ sss_chain_id_set(chain_id);
+ }
+
ret = server_setup(srv_name, 0, 0, 0, conf_entry, &main_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up mainloop [%d]\n", ret);
From 8aba36e4e4db4ed6f8103689c397a5a85d54c667 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Fri, 29 Oct 2021 14:37:49 +0000
Subject: [PATCH 10/11] Analyzer: Parse the responder request ID
This is needed to parse out the responder request ID field properly. Due
to Responder tevent chain ID support, the Request ID is in a
different part of the log message.
---
src/tools/analyzer/modules/request.py | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
index 098a9197bb..d05fb57254 100644
--- a/src/tools/analyzer/modules/request.py
+++ b/src/tools/analyzer/modules/request.py
@@ -147,8 +147,8 @@ def print_formatted(self, line, verbose):
if line.startswith(' * '):
return
fields = line.split("[")
- cr_field = fields[2].split(":")[1]
- cr = cr_field[5:]
+ cr_field = fields[3][7:]
+ cr = cr_field.split(":")[0][4:]
if "refreshed" in line:
return
# CR Plugin name
@@ -165,7 +165,7 @@ def print_formatted(self, line, verbose):
ts = line.split(")")[0]
ts = ts[1:]
fields = line.split("[")
- cid = fields[3][5:-1]
+ cid = fields[3][4:-9]
cmd = fields[4][4:-1]
uid = fields[5][4:-1]
if not uid.isnumeric():
@@ -198,10 +198,11 @@ def list_requests(self, source, verbose, pam):
"""
component = source.Component.NSS
resp = "nss"
+ # Log messages matching the following regex patterns contain
+ # the useful info we need to produce list output
patterns = ['\[cmd']
patterns.append("(cache_req_send|cache_req_process_input|"
"cache_req_search_send)")
- consume = True
if pam:
component = source.Component.PAM
resp = "pam"
@@ -209,7 +210,6 @@ def list_requests(self, source, verbose, pam):
logger.info(f"******** Listing {resp} client requests ********")
source.set_component(component)
self.done = ""
- # For each CID
for line in self.matched_line(source, patterns):
if isinstance(source, Journald):
print(line)
From f31a4d70e3418d036e37bde69d22c7a0d80395c6 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Thu, 4 Nov 2021 00:05:20 +0000
Subject: [PATCH 11/11] Analyzer: Include child log files in request tracking
When 'request show' is run, check each child log files for
RID# messages to include in output.
---
src/tools/analyzer/source_files.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/analyzer/source_files.py b/src/tools/analyzer/source_files.py
index df87f92fbd..05c14c4c6e 100644
--- a/src/tools/analyzer/source_files.py
+++ b/src/tools/analyzer/source_files.py
@@ -51,7 +51,7 @@ def get_domain_logfiles(self):
domain_files = []
exclude_list = ["ifp", "nss", "pam", "sudo", "autofs",
"ssh", "pac", "kcm", ".gz"]
- file_list = glob.glob(self.path + "sssd_*")
+ file_list = glob.glob(self.path + "*.log")
for file in file_list:
if not any(s in file for s in exclude_list):
domain_files.append(file)
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
