Add audit_as_req to the DAL with a corresponding libkdb5 API,
authorGreg Hudson <ghudson@mit.edu>
Tue, 13 Jul 2010 15:53:23 +0000 (15:53 +0000)
committerGreg Hudson <ghudson@mit.edu>
Tue, 13 Jul 2010 15:53:23 +0000 (15:53 +0000)
replacing the AUDIT_AS_REQ method of db_invoke.  Remove the
AUDIT_TGS_REQ method of db_invoke without adding a replacement, as
there was no KDC support for it.  (It can be added at a later time if
necessary.)

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24185 dc483132-0cff-0310-8789-dd5450dbe970

13 files changed:
src/include/kdb.h
src/kdc/kdc_util.c
src/lib/kdb/kdb5.c
src/lib/kdb/libkdb5.exports
src/plugins/kdb/db2/db2_exp.c
src/plugins/kdb/db2/kdb_db2.c
src/plugins/kdb/db2/kdb_db2.h
src/plugins/kdb/db2/kdb_ext.c
src/plugins/kdb/ldap/ldap_exp.c
src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports

index 53a4e24e7a16df5834edd1da0d21c9c357678e73..a359f90953fe8abc9befececec9c9ab1d34271d4 100644 (file)
@@ -323,29 +323,9 @@ extern char *krb5_mkey_pwd_prompt2;
 #define KRB5_DB_LOCKMODE_PERMANENT    0x0008
 
 /* db_invoke methods */
-#define KRB5_KDB_METHOD_AUDIT_AS                        0x00000050
-#define KRB5_KDB_METHOD_AUDIT_TGS                       0x00000060
 #define KRB5_KDB_METHOD_REFRESH_POLICY                  0x00000070
 #define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE       0x00000080
 
-typedef struct _kdb_audit_as_req {
-    krb5_magic magic;
-    krb5_kdc_req *request;
-    krb5_db_entry *client;
-    krb5_db_entry *server;
-    krb5_timestamp authtime;
-    krb5_error_code error_code;
-} kdb_audit_as_req;
-
-typedef struct _kdb_audit_tgs_req {
-    krb5_magic magic;
-    krb5_kdc_req *request;
-    krb5_const_principal client;
-    krb5_db_entry *server;
-    krb5_timestamp authtime;
-    krb5_error_code error_code;
-} kdb_audit_tgs_req;
-
 typedef struct _kdb_check_allowed_to_delegate_req {
     krb5_magic magic;
     const krb5_db_entry *server;
@@ -635,6 +615,13 @@ krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext,
                                          const char **status,
                                          krb5_data *e_data);
 
+krb5_error_code krb5_db_audit_as_req(krb5_context kcontext,
+                                     krb5_kdc_req *request,
+                                     krb5_db_entry *client,
+                                     krb5_db_entry *server,
+                                     krb5_timestamp authtime,
+                                     krb5_error_code error_code);
+
 krb5_error_code krb5_db_invoke ( krb5_context kcontext,
                                  unsigned int method,
                                  const krb5_data *req,
@@ -771,7 +758,7 @@ krb5_dbe_free_tl_data(krb5_context, krb5_tl_data *);
  * DAL.  It is passed to init_library to allow KDB modules to detect when
  * they are being loaded by an incompatible version of the KDC.
  */
-#define KRB5_KDB_DAL_VERSION 20100712
+#define KRB5_KDB_DAL_VERSION 20100713
 
 /*
  * A krb5_context can hold one database object.  Modules should use
@@ -1282,18 +1269,24 @@ typedef struct _kdb_vftabl {
                                         const char **status,
                                         krb5_data *e_data);
 
+    /*
+     * Optional: This method informs the module of a successful or unsuccessful
+     * AS request.  The resulting error code is currently ignored by the KDC.
+     */
+    krb5_error_code (*audit_as_req)(krb5_context kcontext,
+                                    krb5_kdc_req *request,
+                                    krb5_db_entry *client,
+                                    krb5_db_entry *server,
+                                    krb5_timestamp authtime,
+                                    krb5_error_code error_code);
+
+    /* Note: there is currently no method for auditing TGS requests. */
+
     /*
      * Optional: Perform an operation on input data req with output stored in
      * rep.  Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
      * method.  Defined methods are:
      *
-     * KRB5_KDB_METHOD_AUDIT_AS: req contains a kdb_audit_as_req structure.
-     *     Informs the module of a successful or unsuccessful AS request.  Do
-     *     not place any data in rep.
-     *
-     * KRB5_KDB_METHOD_AUDIT_TGS: Same as above, except req contains a
-     *     kdb_audit_tgs_req structure.
-     *
      * KRB5_KDB_METHOD_REFRESH_POLICY: req and rep are NULL.  Informs the
      *     module that the KDC received a request to reload configuration
      *     (that is, a SIGHUP).
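Review bot: The new public entry point `krb5_db_audit_as_req` is declared in kdb.h without any comment, while the vtable method it dispatches to is documented ("Optional: This method informs the module …"); a KDC-side caller reading only the prototype cannot tell that a KRB5_PLUGIN_OP_NOTSUPP return is the benign "module does not audit" case rather than a failure. Suggest placing above the prototype: `/* Inform the KDB module of a successful or unsuccessful AS request.  Returns KRB5_PLUGIN_OP_NOTSUPP if the loaded module does not implement audit_as_req. */`. Inserting the `audit_as_req` member ahead of `invoke` in kdb_vftabl also shifts the offset of the existing `invoke` slot, so a module built against the previous layout would be dispatched through the wrong pointer; the KRB5_KDB_DAL_VERSION bump in this commit is what guards against that and must stay paired with any further reordering of the table.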
index b892a2748579835b729ff103cd97c8c51d6a7b53..88f3f1f5d9916f7a48f0df7697c83e1cb51ea233 100644 (file)
@@ -2356,6 +2356,8 @@ log_as_req(const krb5_fulladdr *from,
                          ktypestr, fromstring, status,
                          cname2, sname2, emsg ? ", " : "", emsg ? emsg : "");
     }
+    (void) krb5_db_audit_as_req(kdc_context, request, client, server,
+                                authtime, errcode);
 #if 0
     /* Sun (OpenSolaris) version would probably something like this.
        The client and server names passed can be null, unlike in the
@@ -2364,33 +2366,6 @@ log_as_req(const krb5_fulladdr *from,
     audit_krb5kdc_as_req(some in_addr *, (in_port_t)from->port, 0,
                          cname, sname, errcode);
 #endif
-#if 1
-    {
-        kdb_audit_as_req        req;
-        krb5_data               req_data;
-        krb5_data               rep_data;
-
-        memset(&req, 0, sizeof(req));
-
-        req.request             = request;
-        req.client              = client;
-        req.server              = server;
-        req.authtime            = authtime;
-        req.error_code          = errcode;
-
-        req_data.data = (void *)&req;
-        req_data.length = sizeof(req);
-
-        rep_data.data = NULL;
-        rep_data.length = 0;
-
-        (void) krb5_db_invoke(kdc_context,
-                              KRB5_KDB_METHOD_AUDIT_AS,
-                              &req_data,
-                              &rep_data);
-        assert(rep_data.length == 0);
-    }
-#endif
 }
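Review bot: The return value of `krb5_db_audit_as_req` in log_as_req is cast to void, so a module that fails to record the attempt (for example a database write error in the lockout bookkeeping) leaves no trace in the KDC log, and the lockout policy is silently not enforced for that request. KRB5_PLUGIN_OP_NOTSUPP is the expected value for modules without an audit method and should remain ignored, but other errors deserve a log line, e.g. `audit_ret = krb5_db_audit_as_req(kdc_context, request, client, server, authtime, errcode); if (audit_ret != 0 && audit_ret != KRB5_PLUGIN_OP_NOTSUPP) krb5_klog_syslog(LOG_ERR, "audit_as_req failed: %s", error_message(audit_ret));` with `audit_ret` declared as a krb5_error_code local. log_as_req begins before this hunk, so I cannot see whether a spare local already exists; `errcode` itself must not be reused because it is the value being reported.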
 
 /* Here "status" must be non-null.  Error code
index 521bbb40b380ece9448302830fd74c7cc4d9c430..5d73828c752aa2e71df9eefc12f6b9086cf8c4d0 100644 (file)
@@ -2303,6 +2303,23 @@ krb5_db_check_policy_tgs(krb5_context kcontext, krb5_kdc_req *request,
                                e_data);
 }
 
+krb5_error_code
+krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+                     krb5_db_entry *client, krb5_db_entry *server,
+                     krb5_timestamp authtime, krb5_error_code error_code)
+{
+    krb5_error_code status;
+    kdb_vftabl *v;
+
+    status = get_vftabl(kcontext, &v);
+    if (status)
+        return status;
+    if (v->audit_as_req == NULL)
+        return KRB5_PLUGIN_OP_NOTSUPP;
+    return v->audit_as_req(kcontext, request, client, server, authtime,
+                           error_code);
+}
+
 krb5_error_code
 krb5_db_invoke(krb5_context kcontext,
                unsigned int method,
index f83532d15f00da1db95ef22f558964dee952e97b..530b4719059f639a269910f38427d960e5027eb3 100644 (file)
@@ -3,6 +3,7 @@ krb5_db_open
 krb5_db_inited
 krb5_db_alloc
 krb5_db_free
+krb5_db_audit_as_req
 krb5_db_check_policy_as
 krb5_db_check_policy_tgs
 krb5_db_check_transited_realms
index a95d47dfcb86847816db469c0471bd3957cf25b2..80c55b24f9f1a8e097861b5417b5eaca301f8ecc 100644 (file)
@@ -186,6 +186,12 @@ WRAP_K (krb5_db2_check_policy_as,
          krb5_data *e_data),
         (kcontext, request, client, server, kdc_time, status, e_data));
 
+WRAP_K (krb5_db2_audit_as_req,
+        (krb5_context kcontext, krb5_kdc_req *request, krb5_db_entry *client,
+         krb5_db_entry *server, krb5_timestamp authtime,
+         krb5_error_code error_code),
+        (kcontext, request, client, server, authtime, error_code));
+
 WRAP_K (krb5_db2_invoke,
         (krb5_context kcontext,
          unsigned int method,
@@ -251,5 +257,6 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_db2, kdb_function_table) = {
     0, 0, 0, 0,
     /* check_policy_as */               wrap_krb5_db2_check_policy_as,
     0,
+    /* audit_as_req */                  wrap_krb5_db2_audit_as_req,
     /* invoke */                        wrap_krb5_db2_invoke
 };
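Review bot: The new `/* audit_as_req */` slot in the db2 kdb_function_table is positioned by counting past an unlabelled `0,` and the run of `0, 0, 0, 0,` above it, whereas the ldap table in ldap_exp.c labels every slot including `/* check_policy_tgs */ NULL,`; the two tables are now inconsistent in how they document slot order. Labelling the bare zero directly above the new entry as `/* check_policy_tgs */              0,` would make the next insertion much less likely to land a function pointer in the wrong member, and designated initializers (`.audit_as_req = wrap_krb5_db2_audit_as_req`) would remove the counting entirely if the tree already relies on C99. The initializer list begins outside this hunk.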
index a53e26258a1f0246677c20543096ae206f625930..8c6c97afc3503f0017d5007b2d5f8cdef45d8ed7 100644 (file)
@@ -1649,3 +1649,11 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
         *status = "LOCKED_OUT";
     return retval;
 }
+
+krb5_error_code
+krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+                      krb5_db_entry *client, krb5_db_entry *server,
+                      krb5_timestamp authtime, krb5_error_code error_code)
+{
+    return krb5_db2_lockout_audit(kcontext, client, authtime, error_code);
+}
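Review bot: `krb5_db2_audit_as_req` forwards only client, authtime and error_code to krb5_db2_lockout_audit and drops request and server without comment, so a reader cannot tell whether the omission is deliberate or an oversight; a one-line comment such as `/* Only the client entry, authtime and error code feed lockout accounting; request and server are unused. */` would settle that, and the same applies to `krb5_ldap_audit_as_req` in kdb_ldap.c. The function also passes `client` through unconditionally although the KDC calls it from log_as_req for failed requests as well, where the client lookup may not have produced an entry; krb5_db2_lockout_audit is presumably expected to tolerate a NULL client, as the old db_invoke path passed it through the same way, but that is worth confirming since a NULL dereference here would turn an authentication failure into a KDC crash.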
index 0bddcf4a59b9002087c5b3764e33acca0efdbb98..0c8095a9369cb6a07056bbbe4dc0d6151fb0adf6 100644 (file)
@@ -152,6 +152,11 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
                          krb5_timestamp kdc_time, const char **status,
                          krb5_data *e_data);
 
+krb5_error_code
+krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+                      krb5_db_entry *client, krb5_db_entry *server,
+                      krb5_timestamp authtime, krb5_error_code error_code);
+
 /* methods */
 krb5_error_code
 krb5_db2_invoke(krb5_context context,
index 8f7ad942788c02e996c1da345340520346a8cfc3..a27aa2ca7c602b9aa00a685d363ef46987280f2c 100644 (file)
 #include <errno.h>
 #include "kdb_db2.h"
 
-static krb5_error_code
-krb5_db2_audit_as(krb5_context context,
-                  unsigned int method,
-                  const krb5_data *request,
-                  krb5_data *response)
-{
-    const kdb_audit_as_req *req;
-    krb5_error_code code;
-
-    req = (const kdb_audit_as_req *)request->data;
-
-    code = krb5_db2_lockout_audit(context, req->client,
-                                  req->authtime, req->error_code);
-
-    return code;
-}
-
 krb5_error_code
 krb5_db2_invoke(krb5_context context,
                 unsigned int method,
                 const krb5_data *req,
                 krb5_data *rep)
 {
-    krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
-
-    switch (method) {
-    case KRB5_KDB_METHOD_AUDIT_AS:
-        code = krb5_db2_audit_as(context, method, req, rep);
-        break;
-    default:
-        break;
-    }
-
-    return code;
+    return KRB5_PLUGIN_OP_NOTSUPP;
 }
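Review bot: `krb5_db2_invoke` now unconditionally returns KRB5_PLUGIN_OP_NOTSUPP and no longer reads context, method, req or rep, so the db2 module implements no db_invoke method at all and the stub will trip -Wunused-parameter builds. If libkdb5's krb5_db_invoke handles a NULL `invoke` pointer the same way krb5_db_audit_as_req handles a NULL audit_as_req (returning KRB5_PLUGIN_OP_NOTSUPP), the stub and the db2 `/* invoke */` vtable slot could be dropped instead of kept as dead code; I cannot see krb5_db_invoke's body here to confirm. Otherwise a comment above the function, `/* The db2 module currently implements no db_invoke methods. */`, would mark the stub as intentional rather than leftover.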
index 8236406c2f6f4ef81252afde887c46022fa365c7..3bd6c6750178471855af3b96ec04207bbd9fcdca 100644 (file)
@@ -86,6 +86,7 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_ldap, kdb_function_table) = {
     /* check_transited_realms */            NULL,
     /* check_policy_as */                   krb5_ldap_check_policy_as,
     /* check_policy_tgs */                  NULL,
+    /* audit_as_req */                      krb5_ldap_audit_as_req,
     /* invoke */                            krb5_ldap_invoke,
 
 };
index 0330e15e8afcedc1ceff05bc2f9e3fadf2a038f9..75b4543347c51fe24bc29bb8aac1687da056f7a8 100644 (file)
 #include <errno.h>
 #include "kdb_ldap.h"
 
-static krb5_error_code
-krb5_ldap_audit_as(krb5_context context,
-                   unsigned int method,
-                   const krb5_data *request,
-                   krb5_data *response)
-{
-    const kdb_audit_as_req *req;
-    krb5_error_code code;
-
-    req = (const kdb_audit_as_req *)request->data;
-
-    code = krb5_ldap_lockout_audit(context, req->client,
-                                   req->authtime, req->error_code);
-
-    return code;
-}
-
 static krb5_error_code
 krb5_ldap_check_allowed_to_delegate(krb5_context context,
                                     unsigned int method,
@@ -94,9 +77,6 @@ krb5_ldap_invoke(krb5_context context,
     krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
 
     switch (method) {
-    case KRB5_KDB_METHOD_AUDIT_AS:
-        code = krb5_ldap_audit_as(context, method, req, rep);
-        break;
     case KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE:
         code = krb5_ldap_check_allowed_to_delegate(context, method, req, rep);
         break;
index 7127ce4a03122961d8226283ddef954f1b6229a8..185e1f330012f24d9115fdca048447757c60b3c9 100644 (file)
@@ -541,3 +541,11 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
         *status = "LOCKED_OUT";
     return retval;
 }
+
+krb5_error_code
+krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+                       krb5_db_entry *client, krb5_db_entry *server,
+                       krb5_timestamp authtime, krb5_error_code error_code)
+{
+    return krb5_ldap_lockout_audit(kcontext, client, authtime, error_code);
+}
index 8e935e193785d49f47276c5133806e68ed31d8f7..6c795d6564b204658b4e26a6d1498270335af45f 100644 (file)
@@ -302,6 +302,11 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
                           krb5_timestamp kdc_time, const char **status,
                           krb5_data *e_data);
 
+krb5_error_code
+krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+                       krb5_db_entry *client, krb5_db_entry *server,
+                       krb5_timestamp authtime, krb5_error_code error_code);
+
 /* DAL functions */
 
 
index affdb38bb921557870d80114397a7ba5fdc5a09b..6692c71699b1ce34f621073373a97dd99e3f0bd7 100644 (file)
@@ -45,4 +45,5 @@ krb5_ldap_create
 krb5_ldap_set_mkey_list
 krb5_ldap_get_mkey_list
 krb5_ldap_check_policy_as
+krb5_ldap_audit_as_req
 krb5_ldap_invoke