From 154d886c35318cabfb174e6791d3361ce760cdcd Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>

Date: Wed, 16 Dec 2015 14:42:04 +0100

Subject: [PATCH 16/49] SUDO: make sudo sysdb interface more reusable

Reviewed-by: Sumit Bose <sbose@redhat.com>

(cherry picked from commit 68abbe716bed7c8d6790d9bec168ef44469306a1)

---

 Makefile.am                          |   2 -

 src/db/sysdb.c                       |  98 ++++++++++++

 src/db/sysdb.h                       |   7 +

 src/db/sysdb_sudo.c                  | 286 +++++++++++++++++++++++++++--------

 src/db/sysdb_sudo.h                  |  17 +--

 src/providers/ldap/sdap_async_sudo.c | 121 ++-------------

 src/providers/ldap/sdap_sudo.c       |   1 -

 src/providers/ldap/sdap_sudo_cache.c | 183 ----------------------

 src/providers/ldap/sdap_sudo_cache.h |  37 -----

 9 files changed, 354 insertions(+), 398 deletions(-)

 delete mode 100644 src/providers/ldap/sdap_sudo_cache.c

 delete mode 100644 src/providers/ldap/sdap_sudo_cache.h

diff --git a/Makefile.am b/Makefile.am

index 095b1cfd62f49d266df278e1736d48ed5ef4fa7a..29dd73edf3e6770e4280945f69c9d266f3d8c4c4 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -618,7 +618,6 @@ dist_noinst_HEADERS = \

     src/providers/ldap/sdap_access.h \

     src/providers/ldap/sdap_async.h \

     src/providers/ldap/sdap_async_private.h \

-    src/providers/ldap/sdap_sudo_cache.h \

     src/providers/ldap/sdap_sudo.h \

     src/providers/ldap/sdap_autofs.h \

     src/providers/ldap/sdap_id_op.h \

@@ -2859,7 +2858,6 @@ libsss_ldap_common_la_LDFLAGS = \

 if BUILD_SUDO

 libsss_ldap_common_la_SOURCES += \

-    src/providers/ldap/sdap_sudo_cache.c \

     src/providers/ldap/sdap_async_sudo.c \

     src/providers/ldap/sdap_async_sudo_hostinfo.c \

     src/providers/ldap/sdap_sudo_refresh.c \

diff --git a/src/db/sysdb.c b/src/db/sysdb.c

index a71364d7c4b600eafd10fafa6641eac7b2292764..d4366a3c76f114bf113567754a1e0417afe664e3 100644

--- a/src/db/sysdb.c

+++ b/src/db/sysdb.c

@@ -2013,3 +2013,101 @@ errno_t sysdb_msg2attrs(TALLOC_CTX *mem_ctx, size_t count,

     return EOK;

 }

+

+int sysdb_compare_usn(const char *a, const char *b)

+{

+    size_t len_a;

+    size_t len_b;

+

+    if (a == NULL) {

+        return -1;

+    }

+

+    if (b == NULL) {

+        return 1;

+    }

+

+    len_a = strlen(a);

+    len_b = strlen(b);

+

+    /* trim leading zeros */

+    while (len_a > 0 && *a == '0') {

+        a++;

+        len_a--;

+    }

+

+    while (len_b > 0 && *b == '0') {

+        b++;

+        len_b--;

+    }

+

+    /* less digits means lower number */

+    if (len_a < len_b) {

+        return -1;

+    }

+

+    /* more digits means bigger number */

+    if (len_a > len_b) {

+        return 1;

+    }

+

+    /* now we can compare digits since alphabetical order is the same

+     * as numeric order */

+    return strcmp(a, b);

+}

+

+errno_t sysdb_get_highest_usn(TALLOC_CTX *mem_ctx,

+                              struct sysdb_attrs **attrs,

+                              size_t num_attrs,

+                              char **_usn)

+{

+    const char *highest = NULL;

+    const char *current = NULL;

+    char *usn;

+    errno_t ret;

+    size_t i;

+

+    if (num_attrs == 0 || attrs == NULL) {

+        goto done;

+    }

+

+    for (i = 0; i < num_attrs; i++) {

+        ret = sysdb_attrs_get_string(attrs[i], SYSDB_USN, ¤t;;

+        if (ret == ENOENT) {

+            /* USN value is not present, assuming zero. */

+            current = "0";

+        } else if (ret != EOK) {

+            DEBUG(SSSDBG_MINOR_FAILURE, "Failed to retrieve USN value "

+                  "[%d]: %s\n", ret, sss_strerror(ret));

+

+            return ret;

+        }

+

+        if (current == NULL) {

+            continue;

+        }

+

+        if (highest == NULL) {

+            highest = current;

+            continue;

+        }

+

+        if (sysdb_compare_usn(current, highest) > 0 ) {

+            highest = current;

+        }

+    }

+

+done:

+    if (highest == NULL) {

+        usn = talloc_strdup(mem_ctx, "0");

+    } else {

+        usn = talloc_strdup(mem_ctx, highest);

+    }

+

+    if (usn == NULL) {

+        return ENOMEM;

+    }

+

+    *_usn = usn;

+    return EOK;

+}

diff --git a/src/db/sysdb.h b/src/db/sysdb.h

index ad1bf75b7437730af4a56d97e8f9868073e678aa..2e797fd7fa39163c2ab6a10e51228e0f1af3f9e3 100644

--- a/src/db/sysdb.h

+++ b/src/db/sysdb.h

@@ -386,6 +386,13 @@ errno_t sysdb_msg2attrs(TALLOC_CTX *mem_ctx, size_t count,

                         struct ldb_message **msgs,

                         struct sysdb_attrs ***attrs);

+int sysdb_compare_usn(const char *a, const char *b);

+

+errno_t sysdb_get_highest_usn(TALLOC_CTX *mem_ctx,

+                              struct sysdb_attrs **attrs,

+                              size_t num_attrs,

+                              char **_usn);

+

 /* convert an ldb error into an errno error */

 int sysdb_error_to_errno(int ldberr);

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c

index 784ac8af3ae5cb08f30eb9631c7ffa4aa92bde23..76116abacb20219f0c1dcdde755e8268e10fd293 100644

--- a/src/db/sysdb_sudo.c

+++ b/src/db/sysdb_sudo.c

@@ -27,6 +27,8 @@

 #include "db/sysdb_private.h"

 #include "db/sysdb_sudo.h"

+#define SUDO_ALL_FILTER "(" SYSDB_OBJECTCLASS "=" SYSDB_SUDO_CACHE_OC ")"

+

 #define NULL_CHECK(val, rval, label) do { \

     if (!val) {                           \

         rval = ENOMEM;                    \

@@ -427,41 +429,6 @@ done:

     return ret;

 }

-errno_t

-sysdb_save_sudorule(struct sss_domain_info *domain,

-                    const char *rule_name,

-                    struct sysdb_attrs *attrs)

-{

-    errno_t ret;

-

-    DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", rule_name);

-

-    ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS,

-                                 SYSDB_SUDO_CACHE_OC);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "Could not set rule object class [%d]: %s\n",

-              ret, strerror(ret));

-        return ret;

-    }

-

-    ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, rule_name);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "Could not set name attribute [%d]: %s\n",

-              ret, strerror(ret));

-        return ret;

-    }

-

-    ret = sysdb_store_custom(domain, rule_name,

-                             SUDORULE_SUBDIR, attrs);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_custom failed [%d]: %s\n",

-              ret, strerror(ret));

-        return ret;

-    }

-

-    return EOK;

-}

-

 static errno_t sysdb_sudo_set_refresh_time(struct sss_domain_info *domain,

                                            const char *attr_name,

                                            time_t value)

@@ -615,6 +582,26 @@ errno_t sysdb_sudo_get_last_full_refresh(struct sss_domain_info *domain,

 /* ====================  Purge functions ==================== */

+static const char *

+sysdb_sudo_get_rule_name(struct sysdb_attrs *rule)

+{

+    const char *name;

+    errno_t ret;

+

+    ret = sysdb_attrs_get_string(rule, SYSDB_SUDO_CACHE_AT_CN, &name);

+    if (ret == ERANGE) {

+        DEBUG(SSSDBG_MINOR_FAILURE, "Warning: found rule that contains none "

+              "or multiple CN values. It will be skipped.\n");

+        return NULL;

+    } else if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "Unable to obtain rule name [%d]: %s\n",

+              ret, strerror(ret));

+        return NULL;

+    }

+

+    return name;

+}

+

 static errno_t sysdb_sudo_purge_all(struct sss_domain_info *domain)

 {

     struct ldb_dn *base_dn = NULL;

@@ -627,6 +614,8 @@ static errno_t sysdb_sudo_purge_all(struct sss_domain_info *domain)

     base_dn = sysdb_custom_subtree_dn(tmp_ctx, domain, SUDORULE_SUBDIR);

     NULL_CHECK(base_dn, ret, done);

+    DEBUG(SSSDBG_TRACE_FUNC, "Deleting all cached sudo rules\n");

+

     ret = sysdb_delete_recursive(domain->sysdb, base_dn, true);

     if (ret != EOK) {

         DEBUG(SSSDBG_OP_FAILURE, "sysdb_delete_recursive failed.\n");

@@ -639,42 +628,74 @@ done:

     return ret;

 }

-errno_t sysdb_sudo_purge_byname(struct sss_domain_info *domain,

-                                const char *name)

+static errno_t

+sysdb_sudo_purge_byname(struct sss_domain_info *domain,

+                        const char *name)

 {

     DEBUG(SSSDBG_TRACE_INTERNAL, "Deleting sudo rule %s\n", name);

     return sysdb_delete_custom(domain, name, SUDORULE_SUBDIR);

 }

-errno_t sysdb_sudo_purge_byfilter(struct sss_domain_info *domain,

-                                  const char *filter)

+static errno_t

+sysdb_sudo_purge_byrules(struct sss_domain_info *dom,

+                         struct sysdb_attrs **rules,

+                         size_t num_rules)

+{

+    const char *name;

+    errno_t ret;

+    size_t i;

+

+    DEBUG(SSSDBG_TRACE_FUNC, "About to remove rules from sudo cache\n");

+

+    if (num_rules == 0 || rules == NULL) {

+        return EOK;

+    }

+

+    for (i = 0; i < num_rules; i++) {

+        name = sysdb_sudo_get_rule_name(rules[i]);

+        if (name == NULL) {

+            continue;

+        }

+

+        ret = sysdb_sudo_purge_byname(dom, name);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_MINOR_FAILURE, "Failed to delete rule "

+                  "%s [%d]: %s\n", name, ret, sss_strerror(ret));

+            continue;

+        }

+    }

+

+    return EOK;

+}

+

+static errno_t

+sysdb_sudo_purge_byfilter(struct sss_domain_info *domain,

+                          const char *filter)

 {

     TALLOC_CTX *tmp_ctx;

-    size_t count;

+    struct sysdb_attrs **rules;

     struct ldb_message **msgs;

-    const char *name;

-    int i;

+    size_t count;

     errno_t ret;

-    errno_t sret;

-    bool in_transaction = false;

     const char *attrs[] = { SYSDB_OBJECTCLASS,

                             SYSDB_NAME,

                             SYSDB_SUDO_CACHE_AT_CN,

                             NULL };

-    /* just purge all if there's no filter */

-    if (!filter) {

+    if (filter == NULL || strcmp(filter, SUDO_ALL_FILTER) == 0) {

         return sysdb_sudo_purge_all(domain);

     }

     tmp_ctx = talloc_new(NULL);

-    NULL_CHECK(tmp_ctx, ret, done);

+    if (tmp_ctx == NULL) {

+        ret = ENOMEM;

+        goto done;

+    }

-    /* match entries based on the filter and remove them one by one */

     ret = sysdb_search_custom(tmp_ctx, domain, filter,

                               SUDORULE_SUBDIR, attrs,

                               &count, &msgs);

-    if (ret == ENOENT) {

+    if (ret == ENOENT || count == 0) {

         DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n");

         ret = EOK;

         goto done;

@@ -683,24 +704,165 @@ errno_t sysdb_sudo_purge_byfilter(struct sss_domain_info *domain,

         goto done;

     }

+    ret = sysdb_msg2attrs(tmp_ctx, count, msgs, &rules);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "Unable to convert ldb message to "

+              "sysdb attrs [%d]: %s\n", ret, sss_strerror(ret));

+        goto done;

+    }

+

+    ret = sysdb_sudo_purge_byrules(domain, rules, count);

+

+done:

+    talloc_free(tmp_ctx);

+    return ret;

+}

+

+errno_t sysdb_sudo_purge(struct sss_domain_info *domain,

+                         const char *delete_filter,

+                         struct sysdb_attrs **rules,

+                         size_t num_rules)

+{

+    bool in_transaction = false;

+    errno_t sret;

+    errno_t ret;

+

     ret = sysdb_transaction_start(domain->sysdb);

     if (ret != EOK) {

         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");

+        return ret;

+    }

+    in_transaction = true;

+

+    if (delete_filter) {

+        ret = sysdb_sudo_purge_byfilter(domain, delete_filter);

+    } else {

+        ret = sysdb_sudo_purge_byrules(domain, rules, num_rules);

+    }

+

+    if (ret != EOK) {

         goto done;

     }

+

+    ret = sysdb_transaction_commit(domain->sysdb);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");

+        goto done;

+    }

+    in_transaction = false;

+

+done:

+    if (in_transaction) {

+        sret = sysdb_transaction_cancel(domain->sysdb);

+        if (sret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");

+        }

+    }

+

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "Unable to purge sudo cache [%d]: %s\n",

+              ret, sss_strerror(ret));

+    }

+

+    return ret;

+}

+

+static errno_t

+sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,

+                         const char *name,

+                         int cache_timeout,

+                         time_t now)

+{

+    time_t expire;

+    errno_t ret;

+

+    ret = sysdb_attrs_add_string(rule, SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "Unable to add %s attribute [%d]: %s\n",

+                SYSDB_OBJECTCLASS, ret, strerror(ret));

+        return ret;

+    }

+

+    ret = sysdb_attrs_add_string(rule, SYSDB_NAME, name);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "Unable to add %s attribute [%d]: %s\n",

+                SYSDB_OBJECTCLASS, ret, strerror(ret));

+        return ret;

+    }

+

+    expire = cache_timeout > 0 ? now + cache_timeout : 0;

+    ret = sysdb_attrs_add_time_t(rule, SYSDB_CACHE_EXPIRE, expire);

+    if (ret) {

+        DEBUG(SSSDBG_OP_FAILURE, "Unable to add %s attribute [%d]: %s\n",

+              SYSDB_CACHE_EXPIRE, ret, strerror(ret));

+        return ret;

+    }

+

+    return EOK;

+}

+

+static errno_t

+sysdb_sudo_store_rule(struct sss_domain_info *domain,

+                      struct sysdb_attrs *rule,

+                      int cache_timeout,

+                      time_t now)

+{

+    const char *name;

+    errno_t ret;

+

+    name = sysdb_sudo_get_rule_name(rule);

+    if (name == NULL) {

+        return EINVAL;

+    }

+

+    DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);

+

+    ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);

+    if (ret != EOK) {

+        return ret;

+    }

+

+    ret = sysdb_store_custom(domain, name, SUDORULE_SUBDIR, rule);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "Unable to store rule %s [%d]: %s\n",

+              name, ret, strerror(ret));

+        return ret;

+    }

+

+    return EOK;

+}

+

+errno_t

+sysdb_sudo_store(struct sss_domain_info *domain,

+                 struct sysdb_attrs **rules,

+                 size_t num_rules)

+{

+    bool in_transaction = false;

+    errno_t sret;

+    errno_t ret;

+    time_t now;

+    size_t i;

+

+    if (num_rules == 0 || rules == NULL) {

+        return EOK;

+    }

+

+    ret = sysdb_transaction_start(domain->sysdb);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");

+        return ret;

+    }

     in_transaction = true;

-    for (i = 0; i < count; i++) {

-        name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);

-        if (name == NULL) {

-            DEBUG(SSSDBG_OP_FAILURE, "A rule without a name?\n");

-            /* skip this one but still delete other entries */

+    now = time(NULL);

+    for (i = 0; i < num_rules; i++) {

+        ret = sysdb_sudo_store_rule(domain, rules[i],

+                                    domain->sudo_timeout, now);

+        if (ret == EINVAL) {

+            /* Multiple CNs are error on server side, we can just ignore this

+             * rule and save the others. Loud debug message is in logs. */

             continue;

-        }

-

-        ret = sysdb_sudo_purge_byname(domain, name);

-        if (ret != EOK) {

-            DEBUG(SSSDBG_OP_FAILURE, "Could not delete rule %s\n", name);

+        } else if (ret != EOK) {

             goto done;

         }

     }

@@ -720,6 +882,10 @@ done:

         }

     }

-    talloc_free(tmp_ctx);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "Unable to store sudo rules [%d]: %s\n",

+              ret, sss_strerror(ret));

+    }

+

     return ret;

 }

diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h

index fc896c385c6fa71e735b3db763ccee4a0354d007..6dd9ea7bb8ec947f5beceb89fd27bde156c27c36 100644

--- a/src/db/sysdb_sudo.h

+++ b/src/db/sysdb_sudo.h

@@ -78,20 +78,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,

                          const char *username, uid_t *_uid,

                          char ***groupnames);

-errno_t

-sysdb_save_sudorule(struct sss_domain_info *domain,

-                    const char *rule_name,

-                    struct sysdb_attrs *attrs);

-

 errno_t sysdb_sudo_set_last_full_refresh(struct sss_domain_info *domain,

                                          time_t value);

 errno_t sysdb_sudo_get_last_full_refresh(struct sss_domain_info *domain,

                                          time_t *value);

-errno_t sysdb_sudo_purge_byname(struct sss_domain_info *domain,

-                                const char *name);

+errno_t sysdb_sudo_purge(struct sss_domain_info *domain,

+                         const char *delete_filter,

+                         struct sysdb_attrs **rules,

+                         size_t num_rules);

-errno_t sysdb_sudo_purge_byfilter(struct sss_domain_info *domain,

-                                  const char *filter);

+errno_t

+sysdb_sudo_store(struct sss_domain_info *domain,

+                 struct sysdb_attrs **rules,

+                 size_t num_rules);

 #endif /* _SYSDB_SUDO_H_ */

diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c

index d7780d38405a2705e25a9c983aca2736548a624e..2fcfa4aec5d4d53f26d40395e99bdce1b41710d4 100644

--- a/src/providers/ldap/sdap_async_sudo.c

+++ b/src/providers/ldap/sdap_async_sudo.c

@@ -31,7 +31,6 @@

 #include "providers/ldap/sdap.h"

 #include "providers/ldap/sdap_ops.h"

 #include "providers/ldap/sdap_sudo.h"

-#include "providers/ldap/sdap_sudo_cache.h"

 #include "db/sysdb_sudo.h"

 struct sdap_sudo_load_sudoers_state {

@@ -136,89 +135,6 @@ static int sdap_sudo_load_sudoers_recv(struct tevent_req *req,

     return EOK;

 }

-static int sdap_sudo_purge_sudoers(struct sss_domain_info *dom,

-                                   const char *filter,

-                                   struct sdap_attr_map *map,

-                                   size_t rules_count,

-                                   struct sysdb_attrs **rules)

-{

-    const char *name;

-    size_t i;

-    errno_t ret;

-

-    if (filter == NULL) {

-        /* removes downloaded rules from the cache */

-        if (rules_count == 0 || rules == NULL) {

-            return EOK;

-        }

-

-        for (i = 0; i < rules_count; i++) {

-            ret = sysdb_attrs_get_string(rules[i],

-                                         map[SDAP_AT_SUDO_NAME].sys_name,

-                                         &name);

-            if (ret != EOK) {

-                DEBUG(SSSDBG_MINOR_FAILURE,

-                      "Failed to retrieve rule name: [%s]\n", strerror(ret));

-                continue;

-            }

-

-            ret = sysdb_sudo_purge_byname(dom, name);

-            if (ret != EOK) {

-                DEBUG(SSSDBG_MINOR_FAILURE,

-                      "Failed to delete rule %s: [%s]\n",

-                      name, strerror(ret));

-                continue;

-            }

-        }

-

-        ret = EOK;

-    } else {

-        /* purge cache by provided filter */

-        ret = sysdb_sudo_purge_byfilter(dom, filter);

-        if (ret != EOK) {

-            goto done;

-        }

-    }

-

-done:

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "failed to purge sudo rules [%d]: %s\n",

-                                 ret, strerror(ret));

-    }

-

-    return ret;

-}

-

-static int sdap_sudo_store_sudoers(TALLOC_CTX *mem_ctx,

-                                   struct sss_domain_info *domain,

-                                   struct sdap_options *opts,

-                                   size_t rules_count,

-                                   struct sysdb_attrs **rules,

-                                   int cache_timeout,

-                                   time_t now,

-                                   char **_usn)

-{

-    errno_t ret;

-

-    /* Empty sudoers? Done. */

-    if (rules_count == 0 || rules == NULL) {

-        *_usn = NULL;

-        return EOK;

-    }

-

-    ret = sdap_save_native_sudorule_list(mem_ctx, domain,

-                                         opts->sudorule_map, rules,

-                                         rules_count, cache_timeout, now,

-                                         _usn);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "failed to save sudo rules [%d]: %s\n",

-              ret, strerror(ret));

-        return ret;

-    }

-

-    return EOK;

-}

-

 static void sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, char *usn)

 {

     unsigned int usn_number;

@@ -230,23 +146,14 @@ static void sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, char *usn)

     }

     if (usn == NULL) {

-        /* If the USN value is unknown and we don't have max_sudo_value set

-         * (possibly first full refresh which did not find any rule) we will

-         * set zero so smart refresh can pick up. */

-        if (srv_opts->max_sudo_value == NULL) {

-            srv_opts->max_sudo_value = talloc_strdup(srv_opts, "0");

-            if (srv_opts->max_sudo_value == NULL) {

-                DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");

-            }

-            return;

-        }

-

-        DEBUG(SSSDBG_TRACE_FUNC, "Empty USN, ignoring\n");

+        DEBUG(SSSDBG_TRACE_FUNC, "Bug: usn is NULL\n");

         return;

     }

-    talloc_zfree(srv_opts->max_sudo_value);

-    srv_opts->max_sudo_value = talloc_steal(srv_opts, usn);

+    if (sysdb_compare_usn(usn, srv_opts->max_sudo_value) > 0) {

+        talloc_zfree(srv_opts->max_sudo_value);

+        srv_opts->max_sudo_value = talloc_steal(srv_opts, usn);

+    }

     usn_number = strtoul(usn, &endptr, 10);

     if ((endptr == NULL || (*endptr == '\0' && endptr != usn))

@@ -625,7 +532,6 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)

     int ret;

     errno_t sret;

     bool in_transaction = false;

-    time_t now;

     req = tevent_req_callback_data(subreq, struct tevent_req);

     state = tevent_req_data(req, struct sdap_sudo_refresh_state);

@@ -654,17 +560,14 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)

     in_transaction = true;

     /* purge cache */

-    ret = sdap_sudo_purge_sudoers(state->domain, state->delete_filter,

-                                  state->opts->sudorule_map, rules_count, rules);

+    ret = sysdb_sudo_purge(state->domain, state->delete_filter,

+                           rules, rules_count);

     if (ret != EOK) {

         goto done;

     }