From: Greg Hudson
Date: Tue, 13 Jul 2010 15:53:23 +0000 (+0000)
Subject: Add audit_as_req to the DAL with a corresponding libkdb5 API,
X-Git-Tag: krb5-1.9-beta1~147
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=bc45e6ec043183dded03744c3f36531464353e78;p=krb5.git

Add audit_as_req to the DAL with a corresponding libkdb5 API, replacing the AUDIT_AS_REQ method of db_invoke. Remove the AUDIT_TGS_REQ method of db_invoke without adding a replacement, as there was no KDC support for it. (It can be added at a later time if necessary.)

ticket: 6749
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24185 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 53a4e24e7..a359f9095 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -323,29 +323,9 @@ extern char *krb5_mkey_pwd_prompt2;
 #define KRB5_DB_LOCKMODE_PERMANENT 0x0008
 /* db_invoke methods */
-#define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
-#define KRB5_KDB_METHOD_AUDIT_TGS 0x00000060
 #define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
 #define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
-typedef struct _kdb_audit_as_req {
- krb5_magic magic;
- krb5_kdc_req *request;
- krb5_db_entry *client;
- krb5_db_entry *server;
- krb5_timestamp authtime;
- krb5_error_code error_code;
-} kdb_audit_as_req;
-
-typedef struct _kdb_audit_tgs_req {
- krb5_magic magic;
- krb5_kdc_req *request;
- krb5_const_principal client;
- krb5_db_entry *server;
- krb5_timestamp authtime;
- krb5_error_code error_code;
-} kdb_audit_tgs_req;
-
 typedef struct _kdb_check_allowed_to_delegate_req {
 krb5_magic magic;
 const krb5_db_entry *server;
@@ -635,6 +615,13 @@ krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext,
 const char **status,
 krb5_data *e_data);
+krb5_error_code krb5_db_audit_as_req(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code error_code);
+
 krb5_error_code krb5_db_invoke ( krb5_context kcontext,
 unsigned int method,
 const krb5_data *req,
@@ -771,7 +758,7 @@ krb5_dbe_free_tl_data(krb5_context, krb5_tl_data *);
 * DAL. It is passed to init_library to allow KDB modules to detect when
 * they are being loaded by an incompatible version of the KDC.
 */
-#define KRB5_KDB_DAL_VERSION 20100712
+#define KRB5_KDB_DAL_VERSION 20100713
 /*
 * A krb5_context can hold one database object. Modules should use
@@ -1282,18 +1269,24 @@ typedef struct _kdb_vftabl {
 const char **status,
 krb5_data *e_data);
+ /*
+ * Optional: This method informs the module of a successful or unsuccessful
+ * AS request. The resulting error code is currently ignored by the KDC.
+ */
+ krb5_error_code (*audit_as_req)(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code error_code);
+
+ /* Note: there is currently no method for auditing TGS requests. */
+
 /*
 * Optional: Perform an operation on input data req with output stored in
 * rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
 * method. Defined methods are:
 *
- * KRB5_KDB_METHOD_AUDIT_AS: req contains a kdb_audit_as_req structure.
- * Informs the module of a successful or unsuccessful AS request. Do
- * not place any data in rep.
- *
- * KRB5_KDB_METHOD_AUDIT_TGS: Same as above, except req contains a
- * kdb_audit_tgs_req structure.
- *
 * KRB5_KDB_METHOD_REFRESH_POLICY: req and rep are NULL. Informs the
 * module that the KDC received a request to reload configuration
 * (that is, a SIGHUP).
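Review bot: The krb5_db_audit_as_req prototype added in the -635 hunk has no contract comment, and the vftabl slot comment added in the -1282 hunk says only that the error code is ignored; neither states whether client and server may be NULL, which is what a module author implementing the hook most needs to know, since the KDC's only caller is log_as_req and it passes whatever entries it was given, including on failed requests. I would put above the prototype: `/* Inform the KDB module of a successful or failed AS request. client/server: TODO confirm against log_as_req's callers whether either may be NULL. Returns KRB5_PLUGIN_OP_NOTSUPP if the module has no audit_as_req method. */` and repeat the nullability sentence in the vftabl comment once confirmed. The kdb5.c wrapper in the -2303 hunk would then need no comment of its own.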
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index b892a2748..88f3f1f5d 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -2356,6 +2356,8 @@ log_as_req(const krb5_fulladdr *from,
 ktypestr, fromstring, status, cname2, sname2,
 emsg ? ", " : "", emsg ? emsg : "");
 }
+ (void) krb5_db_audit_as_req(kdc_context, request, client, server,
+ authtime, errcode);
 #if 0
 /* Sun (OpenSolaris) version would probably something like this.
 The client and server names passed can be null, unlike in the
@@ -2364,33 +2366,6 @@ log_as_req(const krb5_fulladdr *from,
 audit_krb5kdc_as_req(some in_addr *, (in_port_t)from->port, 0,
 cname, sname, errcode);
 #endif
-#if 1
- {
- kdb_audit_as_req req;
- krb5_data req_data;
- krb5_data rep_data;
-
- memset(&req, 0, sizeof(req));
-
- req.request = request;
- req.client = client;
- req.server = server;
- req.authtime = authtime;
- req.error_code = errcode;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = NULL;
- rep_data.length = 0;
-
- (void) krb5_db_invoke(kdc_context,
- KRB5_KDB_METHOD_AUDIT_AS,
- &req_data,
- &rep_data);
- assert(rep_data.length == 0);
- }
-#endif
 }
 /* Here "status" must be non-null. Error code
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 521bbb40b..5d73828c7 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -2303,6 +2303,23 @@ krb5_db_check_policy_tgs(krb5_context kcontext, krb5_kdc_req *request,
 e_data);
 }
+krb5_error_code
+krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp authtime, krb5_error_code error_code)
+{
+ krb5_error_code status;
+ kdb_vftabl *v;
+
+ status = get_vftabl(kcontext, &v);
+ if (status)
+ return status;
+ if (v->audit_as_req == NULL)
+ return KRB5_PLUGIN_OP_NOTSUPP;
+ return v->audit_as_req(kcontext, request, client, server, authtime,
+ error_code);
+}
+
 krb5_error_code
 krb5_db_invoke(krb5_context kcontext, unsigned int method,
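Review bot: The new call in the -2356 hunk casts krb5_db_audit_as_req's result to void, so if the module fails while recording a failed AS request (both the db2 and ldap implementations in this commit forward to their lockout_audit routines) the failure is invisible and lockout accounting can stop without any operator signal. KRB5_PLUGIN_OP_NOTSUPP is the expected answer from modules without the hook and should stay silent, but any other status deserves a log line: `ret = krb5_db_audit_as_req(kdc_context, request, client, server, authtime, errcode); if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP) krb5_klog_syslog(LOG_ERR, "audit_as_req failed: %s", error_message(ret));`. The kdb.h comment added in this commit says the error is currently ignored, so this is a contract choice to make explicitly rather than an oversight; log_as_req begins outside the hunk, so the declaration of ret would go with its other locals.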
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index f83532d15..530b47190 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
@@ -3,6 +3,7 @@ krb5_db_open
 krb5_db_inited
 krb5_db_alloc
 krb5_db_free
+krb5_db_audit_as_req
 krb5_db_check_policy_as
 krb5_db_check_policy_tgs
 krb5_db_check_transited_realms
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index a95d47dfc..80c55b24f 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -186,6 +186,12 @@ WRAP_K (krb5_db2_check_policy_as,
 krb5_data *e_data),
 (kcontext, request, client, server, kdc_time, status, e_data));
+WRAP_K (krb5_db2_audit_as_req,
+ (krb5_context kcontext, krb5_kdc_req *request, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code),
+ (kcontext, request, client, server, authtime, error_code));
+
 WRAP_K (krb5_db2_invoke,
 (krb5_context kcontext,
 unsigned int method,
@@ -251,5 +257,6 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_db2, kdb_function_table) = {
 0, 0, 0, 0,
 /* check_policy_as */ wrap_krb5_db2_check_policy_as,
 0,
+ /* audit_as_req */ wrap_krb5_db2_audit_as_req,
 /* invoke */ wrap_krb5_db2_invoke
 };
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index a53e26258..8c6c97afc 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -1649,3 +1649,11 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
 *status = "LOCKED_OUT";
 return retval;
 }
+
+krb5_error_code
+krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp authtime, krb5_error_code error_code)
+{
+ return krb5_db2_lockout_audit(kcontext, client, authtime, error_code);
+}
diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h
index 0bddcf4a5..0c8095a93 100644
--- a/src/plugins/kdb/db2/kdb_db2.h
+++ b/src/plugins/kdb/db2/kdb_db2.h
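Review bot: krb5_db2_audit_as_req in the kdb_db2.c -1649 hunk forwards client straight into krb5_db2_lockout_audit with no NULL guard, and the KDC invokes this hook from log_as_req on failed requests as well as successful ones, so whether client can be NULL on those paths and whether lockout_audit tolerates it should be confirmed (the removed krb5_db2_audit_as had the same exposure, so this is inherited rather than introduced). A short header comment would also make the intentionally unused parameters explicit: `/* DAL audit_as_req method: only the client's lockout state is updated; request and server are accepted for the interface and ignored. */`. The same two points apply to krb5_ldap_audit_as_req in the kdb_ldap.c -541 hunk.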
@@ -152,6 +152,11 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
 krb5_timestamp kdc_time, const char **status,
 krb5_data *e_data);
+krb5_error_code
+krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp authtime, krb5_error_code error_code);
+
 /* methods */
 krb5_error_code
 krb5_db2_invoke(krb5_context context,
diff --git a/src/plugins/kdb/db2/kdb_ext.c b/src/plugins/kdb/db2/kdb_ext.c
index 8f7ad9427..a27aa2ca7 100644
--- a/src/plugins/kdb/db2/kdb_ext.c
+++ b/src/plugins/kdb/db2/kdb_ext.c
@@ -34,38 +34,11 @@
 #include
 #include "kdb_db2.h"
-static krb5_error_code
-krb5_db2_audit_as(krb5_context context,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response)
-{
- const kdb_audit_as_req *req;
- krb5_error_code code;
-
- req = (const kdb_audit_as_req *)request->data;
-
- code = krb5_db2_lockout_audit(context, req->client,
- req->authtime, req->error_code);
-
- return code;
-}
-
 krb5_error_code
 krb5_db2_invoke(krb5_context context,
 unsigned int method,
 const krb5_data *req,
 krb5_data *rep)
 {
- krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
-
- switch (method) {
- case KRB5_KDB_METHOD_AUDIT_AS:
- code = krb5_db2_audit_as(context, method, req, rep);
- break;
- default:
- break;
- }
-
- return code;
+ return KRB5_PLUGIN_OP_NOTSUPP;
 }
diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c
index 8236406c2..3bd6c6750 100644
--- a/src/plugins/kdb/ldap/ldap_exp.c
+++ b/src/plugins/kdb/ldap/ldap_exp.c
@@ -86,6 +86,7 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_ldap, kdb_function_table) = {
 /* check_transited_realms */ NULL,
 /* check_policy_as */ krb5_ldap_check_policy_as,
 /* check_policy_tgs */ NULL,
+ /* audit_as_req */ krb5_ldap_audit_as_req,
 /* invoke */ krb5_ldap_invoke,
 };
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
index 0330e15e8..75b454334 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
@@ -34,23 +34,6 @@
 #include
 #include "kdb_ldap.h"
-static krb5_error_code
-krb5_ldap_audit_as(krb5_context context,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response)
-{
- const kdb_audit_as_req *req;
- krb5_error_code code;
-
- req = (const kdb_audit_as_req *)request->data;
-
- code = krb5_ldap_lockout_audit(context, req->client,
- req->authtime, req->error_code);
-
- return code;
-}
-
 static krb5_error_code
 krb5_ldap_check_allowed_to_delegate(krb5_context context,
 unsigned int method,
@@ -94,9 +77,6 @@ krb5_ldap_invoke(krb5_context context,
 krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
 switch (method) {
- case KRB5_KDB_METHOD_AUDIT_AS:
- code = krb5_ldap_audit_as(context, method, req, rep);
- break;
 case KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE:
 code = krb5_ldap_check_allowed_to_delegate(context, method, req, rep);
 break;
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index 7127ce4a0..185e1f330 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -541,3 +541,11 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
 *status = "LOCKED_OUT";
 return retval;
 }
+
+krb5_error_code
+krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp authtime, krb5_error_code error_code)
+{
+ return krb5_ldap_lockout_audit(kcontext, client, authtime, error_code);
+}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 8e935e193..6c795d656 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -302,6 +302,11 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
 krb5_timestamp kdc_time, const char **status,
 krb5_data *e_data);
+krb5_error_code
+krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp authtime, krb5_error_code error_code);
+
 /* DAL functions */
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
index affdb38bb..6692c7169 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
+++ b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
@@ -45,4 +45,5 @@ krb5_ldap_create
 krb5_ldap_set_mkey_list
 krb5_ldap_get_mkey_list
 krb5_ldap_check_policy_as
+krb5_ldap_audit_as_req
 krb5_ldap_invoke