From: Paul Park <pjpark@mit.edu>
Date: Thu, 31 Aug 1995 20:11:27 +0000 (+0000)
Subject: Provide object for ACL decision
X-Git-Tag: krb5-1.0-beta6~1213
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f78607774771d23ae84b5528d488099e9ec36e6f;p=krb5.git

Provide object for ACL decision

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6643 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/kadmin/v5server/admin.c b/src/kadmin/v5server/admin.c
index e8cb854cf..916a01c05 100644
--- a/src/kadmin/v5server/admin.c
+++ b/src/kadmin/v5server/admin.c
@@ -46,7 +46,7 @@ struct inq_context {
 
 static krb5_db_entry admin_def_dbent;
 
-static const char *admin_perm_denied_fmt = "\004ACL entry prevents %s operation by %s";
+static const char *admin_perm_denied_fmt = "\004ACL entry prevents %s operation on %s by %s";
 static const char *admin_db_write_err_fmt = "\004database write failed during %s operation by %s";
 static const char *admin_db_success_fmt = "\007%s operation for %s successfully issued by %s";
 static const char *admin_db_read_err_fmt = "\004database read failed during %s operation by %s";
@@ -67,6 +67,8 @@ static const char *admin_extract_key_text = "Extract Key";
 static const char *admin_add_key_text = "Add Keytype";
 static const char *admin_delete_key_text = "Delete Keytype";
 
+static const char *admin_fentry_text = "first entry";
+
 extern char *programname;
 
 /*
@@ -559,7 +561,7 @@ admin_add_modify(kcontext, debug_level, ticket, nargs, arglist,
 				       &client_name))) {
 
 	/* See if this client can perform this operation. */
-	if (acl_op_permitted(kcontext, client, operation)) {
+	if (acl_op_permitted(kcontext, client, operation, arglist[0].data)) {
 
 	    /* Parse the specified principal name */
 	    if (!(kret = krb5_parse_name(kcontext,
@@ -836,7 +838,7 @@ admin_add_modify(kcontext, debug_level, ticket, nargs, arglist,
 	else {
 	    /* ACL check failed */
 	    com_err(programname, 0, admin_perm_denied_fmt,
-		    op_msg, client_name);
+		    op_msg, arglist[0].data, client_name);
 	    retval = KRB5_ADM_NOT_AUTHORIZED;
 	}
 
@@ -894,7 +896,7 @@ admin_delete_rename(kcontext, debug_level, ticket, original, new)
 				       &client_name))) {
 
 	/* See if this client can perform this operation. */
-	if (acl_op_permitted(kcontext, client, operation)) {
+	if (acl_op_permitted(kcontext, client, operation, original)) {
 
 	    /* Parse the specified principal name */
 	    if (!(kret = krb5_parse_name(kcontext,
@@ -1051,7 +1053,7 @@ admin_delete_rename(kcontext, debug_level, ticket, original, new)
 	else {
 	    /* ACL check failed */
 	    com_err(programname, 0, admin_perm_denied_fmt,
-		    op_msg, client_name);
+		    op_msg, original, client_name);
 	    retval = KRB5_ADM_NOT_AUTHORIZED;
 	}
 
@@ -1379,7 +1381,7 @@ admin_key_op(kcontext, debug_level, ticket, nargs, arglist, is_delete)
 				       &client_name))) {
 
 	/* See if this client can perform this operation. */
-	if (acl_op_permitted(kcontext, client, operation)) {
+	if (acl_op_permitted(kcontext, client, operation, arglist[0].data)) {
 
 	    /* Parse the specified principal name */
 	    if (!(kret = krb5_parse_name(kcontext,
@@ -1492,7 +1494,7 @@ admin_key_op(kcontext, debug_level, ticket, nargs, arglist, is_delete)
 	else {
 	    /* ACL check failed */
 	    com_err(programname, 0, admin_perm_denied_fmt,
-		    op_msg, client_name);
+		    op_msg, arglist[0].data, client_name);
 	    retval = KRB5_ADM_NOT_AUTHORIZED;
 	}
 
@@ -1783,7 +1785,7 @@ admin_inquire(kcontext, debug_level, ticket, principal, ncompp, complistp)
 				       &client_name))) {
 
 	/* See if this client can perform this operation. */
-	if (acl_op_permitted(kcontext, client, ACL_INQUIRE)) {
+	if (acl_op_permitted(kcontext, client, ACL_INQUIRE, principal->data)) {
 
 	    /* Parse the specified principal name */
 	    if (!principal->length ||
@@ -1873,7 +1875,9 @@ admin_inquire(kcontext, debug_level, ticket, principal, ncompp, complistp)
 	else {
 	    /* Not authorized to perform this function */
 	    com_err(programname, 0, admin_perm_denied_fmt,
-		    admin_inquire_text, client_name);
+		    admin_inquire_text,
+		    (principal->length) ? principal->data : admin_fentry_text,
+		    client_name);
 	    retval = KRB5_ADM_NOT_AUTHORIZED;
 	}
 
@@ -1929,22 +1933,23 @@ admin_extract_key(kcontext, debug_level, ticket,
 				       &client,
 				       &client_name))) {
 
-	/* See if this client can perform this operation. */
-	if (acl_op_permitted(kcontext, client, ACL_EXTRACT)) {
-
-	    realm = key_master_realm();
-	    if (princname = (char *) malloc((size_t) name->length + 1 +
-					    instance->length + 1 +
-					    strlen(realm) + 1)) {
+	realm = key_master_realm();
+	if (princname = (char *) malloc((size_t) name->length + 1 +
+					instance->length + 1 +
+					strlen(realm) + 1)) {
 
-		/* Formulate the name of our target */
-		sprintf(princname, "%s/%s@%s", name->data,
-			instance->data, realm);
+	    /* Formulate the name of our target */
+	    sprintf(princname, "%s/%s@%s", name->data,
+		    instance->data, realm);
 		
-		/* See if it's a valid name */
-		if (!(kret = krb5_parse_name(kcontext,
-					     princname,
-					     &principal))) {
+	    /* See if it's a valid name */
+	    if (!(kret = krb5_parse_name(kcontext,
+					 princname,
+					 &principal))) {
+
+		/* See if this client can perform this operation. */
+		if (acl_op_permitted(kcontext, client, ACL_EXTRACT,
+				     princname)) {
 
 		    /* Get the database entry */
 		    nentries = 1;
@@ -2030,25 +2035,25 @@ admin_extract_key(kcontext, debug_level, ticket,
 		    krb5_free_principal(kcontext, principal);
 		}
 		else {
-		    /* Name parse failed */
-		    DPRINT(DEBUG_OPERATION, debug_level,
-			   ("> bad principal string \"%s\"\n", princname));
-		    retval = KRB5_ADM_P_DOES_NOT_EXIST;
+		    /* Not authorized to perform this operation */
+		    com_err(programname, 0, admin_perm_denied_fmt,
+			    admin_extract_key_text, princname, client_name);
+		    retval = KRB5_ADM_NOT_AUTHORIZED;
 		}
-		free(princname);
 	    }
 	    else {
-		/* No memory. */
+		/* Name parse failed */
 		DPRINT(DEBUG_OPERATION, debug_level,
-		       ("> no memory for principal name\n"));
-		retval = KRB5_ADM_SYSTEM_ERROR;
+		       ("> bad principal string \"%s\"\n", princname));
+		retval = KRB5_ADM_P_DOES_NOT_EXIST;
 	    }
+	    free(princname);
 	}
 	else {
-	    /* Not authorized to perform this operation */
-	    com_err(programname, 0, admin_perm_denied_fmt,
-		    admin_extract_key_text, client_name);
-	    retval = KRB5_ADM_NOT_AUTHORIZED;
+	    /* No memory. */
+	    DPRINT(DEBUG_OPERATION, debug_level,
+		   ("> no memory for principal name\n"));
+	    retval = KRB5_ADM_SYSTEM_ERROR;
 	}
 
 	/* Clean up */
diff --git a/src/kadmin/v5server/passwd.c b/src/kadmin/v5server/passwd.c
index 7686a2317..c239442e4 100644
--- a/src/kadmin/v5server/passwd.c
+++ b/src/kadmin/v5server/passwd.c
@@ -460,7 +460,8 @@ passwd_change(kcontext, debug_level, auth_context, ticket,
     /*
      * Check if we're restricted by an ACL from changing our own password.
      */
-    if (!acl_op_permitted(kcontext, client, ACL_CHANGE_OWN_PW)) {
+    if (!acl_op_permitted(kcontext, client, ACL_CHANGE_OWN_PW,
+			  (char *) NULL)) {
 	com_err(programname, 0, pwd_perm_denied, canon_name);
 	pwret = KRB5_ADM_CANT_CHANGE;
 	*supp = KADM_NOT_ALLOWED;