From 0bc31d0cba884ff4103f254dd9daf678e2a9a6c5 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 15 Jul 2010 04:18:00 +0000 Subject: [PATCH] Add check_allowed_to_delegate to the DAL with a corresponding libkdb5 API, replacing the last method (CHECK_ALLOWED_TO_DELEGATE) of db_invoke. Remove db_invoke since it no longer has any methods. ticket: 6749 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24189 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/kdb.h | 48 ++++------ src/kdc/kdc_util.c | 37 +------- src/lib/kdb/kdb5.c | 20 ++--- src/lib/kdb/libkdb5.exports | 2 +- src/plugins/kdb/db2/Makefile.in | 2 - src/plugins/kdb/db2/db2_exp.c | 10 +-- src/plugins/kdb/db2/kdb_db2.h | 7 -- src/plugins/kdb/db2/kdb_ext.c | 44 ---------- src/plugins/kdb/ldap/ldap_exp.c | 2 +- src/plugins/kdb/ldap/libkdb_ldap/Makefile.in | 2 - src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c | 88 ------------------- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 31 +++++++ src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 13 ++- .../kdb/ldap/libkdb_ldap/libkdb_ldap.exports | 2 +- 14 files changed, 72 insertions(+), 236 deletions(-) delete mode 100644 src/plugins/kdb/db2/kdb_ext.c delete mode 100644 src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c diff --git a/src/include/kdb.h b/src/include/kdb.h index 5b5c13221..c572f8b56 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -322,16 +322,6 @@ extern char *krb5_mkey_pwd_prompt2; #define KRB5_DB_LOCKMODE_DONTBLOCK 0x0004 #define KRB5_DB_LOCKMODE_PERMANENT 0x0008 -/* db_invoke methods */ -#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080 - -typedef struct _kdb_check_allowed_to_delegate_req { - krb5_magic magic; - const krb5_db_entry *server; - krb5_const_principal proxy; - krb5_const_principal client; -} kdb_check_allowed_to_delegate_req; - /* libkdb.spec */ krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext); krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode ); 
@@ -620,10 +610,10 @@ void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, void krb5_db_refresh_config(krb5_context kcontext); -krb5_error_code krb5_db_invoke ( krb5_context kcontext, - unsigned int method, - const krb5_data *req, - krb5_data *rep ); +krb5_error_code krb5_db_check_allowed_to_delegate(krb5_context kcontext, + krb5_const_principal client, + const krb5_db_entry *server, + krb5_const_principal proxy); /* default functions. Should not be directly called */ /* 
@@ -1282,24 +1272,20 @@ typedef struct _kdb_vftabl { void (*refresh_config)(krb5_context kcontext); /* - * Optional: Perform an operation on input data req with output stored in - * rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the - * method. Defined methods are: - * - * KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE: req contains a - * kdb_check_allowed_to_delegate_req structure. Perform a policy check - * on server being allowed to obtain tickets from client to proxy. - * (Note that proxy is the target of the delegation, not the delegating - * service; the term "proxy" is from the viewpoint of the delegating - * service asking another service to perform some of its work in the - * authentication context of the client. This terminology comes from - * the Microsoft S4U protocol documentation.) Return 0 if policy - * allows it, or an appropriate error (such as KRB5KDC_ERR_POLICY) if - * not. If this method is not implemented, all S4U2Proxy delegation - * requests will be rejected. Do not place any data in rep. + * Optional: Perform a policy check on server being allowed to obtain + * tickets from client to proxy. (Note that proxy is the target of the + * delegation, not the delegating service; the term "proxy" is from the + * viewpoint of the delegating service asking another service to perform + * some of its work in the authentication context of the client. This + * terminology comes from the Microsoft S4U protocol documentation.) + * Return 0 if policy allows it, or an appropriate error (such as + * KRB5KDC_ERR_POLICY) if not. If this method is not implemented, all + * S4U2Proxy delegation requests will be rejected. */ - krb5_error_code (*invoke)(krb5_context context, unsigned int method, - const krb5_data *req, krb5_data *rep); + krb5_error_code (*check_allowed_to_delegate)(krb5_context context, + krb5_const_principal client, + const krb5_db_entry *server, + krb5_const_principal proxy); } kdb_vftabl; #endif /* !defined(_WIN32) */ 
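Review bot: The new check_allowed_to_delegate contract in kdb_vftabl does not say what the KDC has already verified before calling it, so a module author cannot tell whether rejecting TGS-principal or cross-realm proxies is their job; in this commit's kdc_util.c both checks are done by the caller before the DAL call. I would add to the comment: `The KDC rejects proxies that are TGS principals or in a different realm from server before calling this method; the module only needs to apply its own delegation ACL.` The comment should also spell out that a module without a delegation policy is expected to leave the slot NULL rather than return KRB5_PLUGIN_OP_NOTSUPP itself, since the rejection-when-unimplemented promise in this comment presumably relies on the libkdb5 wrapper handling the NULL case.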
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index c0b22ce69..1e79273bc 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -2180,47 +2180,19 @@ kdc_process_s4u2self_req(krb5_context context, } static krb5_error_code -check_allowed_to_delegate_to(krb5_context context, - krb5_const_principal client, +check_allowed_to_delegate_to(krb5_context context, krb5_const_principal client, const krb5_db_entry *server, krb5_const_principal proxy) { - kdb_check_allowed_to_delegate_req req; - krb5_data req_data; - krb5_data rep_data; - krb5_error_code code; - /* Can't get a TGT (otherwise it would be unconstrained delegation) */ - if (krb5_is_tgs_principal(proxy)) { + if (krb5_is_tgs_principal(proxy)) return KRB5KDC_ERR_POLICY; - } /* Must be in same realm */ - if (!krb5_realm_compare(context, server->princ, proxy)) { + if (!krb5_realm_compare(context, server->princ, proxy)) return KRB5KDC_ERR_POLICY; - } - - req.server = server; - req.proxy = proxy; - req.client = client; - req_data.data = (void *)&req; - req_data.length = sizeof(req); - - rep_data.data = NULL; - rep_data.length = 0; - - code = krb5_db_invoke(context, - KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE, - &req_data, - &rep_data); - if (code == KRB5_PLUGIN_OP_NOTSUPP) { - code = KRB5KDC_ERR_POLICY; - } - - assert(rep_data.length == 0); - - return code; + return krb5_db_check_allowed_to_delegate(context, client, server, proxy); } krb5_error_code @@ -2432,7 +2404,6 @@ log_tgs_req(const krb5_fulladdr *from, /* OpenSolaris: audit_krb5kdc_tgs_req(...) or audit_krb5kdc_tgs_req_2ndtktmm(...) */ - /* ... krb5_db_invoke ... */ } void diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index 8118872c5..7d0b84ca2 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c 
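Review bot: The rewritten check_allowed_to_delegate_to drops the `code == KRB5_PLUGIN_OP_NOTSUPP` to `KRB5KDC_ERR_POLICY` translation the old body had, so a backend that does not implement the method (db2 leaves the slot 0 in this commit) now makes this function return an internal plugin error code instead of a policy error. The request is still refused, but unless the caller maps the code (the caller is outside this hunk) the client sees a different error than the KRB5KDC_ERR_POLICY that kdb.h documents for this case. Keep the mapping on the new return: `ret = krb5_db_check_allowed_to_delegate(context, client, server, proxy); return (ret == KRB5_PLUGIN_OP_NOTSUPP) ? KRB5KDC_ERR_POLICY : ret;`. A one-line header comment noting that the TGS-principal and same-realm checks are deliberately done here, ahead of any backend policy, would also help the next reader of this static helper.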
@@ -2330,18 +2330,18 @@ krb5_db_refresh_config(krb5_context kcontext) } krb5_error_code -krb5_db_invoke(krb5_context kcontext, - unsigned int method, - const krb5_data *req, - krb5_data *rep) +krb5_db_check_allowed_to_delegate(krb5_context kcontext, + krb5_const_principal client, + const krb5_db_entry *server, + krb5_const_principal proxy) { - krb5_error_code status = 0; + krb5_error_code ret; kdb_vftabl *v; - status = get_vftabl(kcontext, &v); - if (status) - return status; - if (v->invoke == NULL) + ret = get_vftabl(kcontext, &v); + if (ret) + return ret; + if (v->check_allowed_to_delegate == NULL) return KRB5_PLUGIN_OP_NOTSUPP; - return v->invoke(kcontext, method, req, rep); + return v->check_allowed_to_delegate(kcontext, client, server, proxy); } diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports index 1d7ab7b39..6e890478d 100644 --- a/src/lib/kdb/libkdb5.exports +++ b/src/lib/kdb/libkdb5.exports @@ -4,6 +4,7 @@ krb5_db_inited krb5_db_alloc krb5_db_free krb5_db_audit_as_req +krb5_db_check_allowed_to_delegate krb5_db_check_policy_as krb5_db_check_policy_tgs krb5_db_check_transited_realms @@ -20,7 +21,6 @@ krb5_db_get_key_data_kvno krb5_db_get_mkey_list krb5_db_get_context krb5_db_get_principal -krb5_db_invoke krb5_db_iterate krb5_db_lock krb5_db_put_principal diff --git a/src/plugins/kdb/db2/Makefile.in b/src/plugins/kdb/db2/Makefile.in index fb176f4a4..db570d706 100644 --- a/src/plugins/kdb/db2/Makefile.in +++ b/src/plugins/kdb/db2/Makefile.in @@ -54,7 +54,6 @@ SRCS= \ $(srcdir)/adb_openclose.c \ $(srcdir)/adb_policy.c \ $(srcdir)/kdb_db2.c \ - $(srcdir)/kdb_ext.c \ $(srcdir)/pol_xdr.c \ $(srcdir)/db2_exp.c \ $(srcdir)/lockout.c @@ -65,7 +64,6 @@ STLIBOBJS= \ adb_openclose.o \ adb_policy.o \ kdb_db2.o \ - kdb_ext.o \ pol_xdr.o \ db2_exp.o \ lockout.o diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c index 24c62a434..2de4bbcac 100644 --- a/src/plugins/kdb/db2/db2_exp.c +++ b/src/plugins/kdb/db2/db2_exp.c 
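Review bot: krb5_db_check_allowed_to_delegate returns KRB5_PLUGIN_OP_NOTSUPP when the module leaves the slot NULL, while the kdb.h comment in this same commit promises that an unimplemented method rejects all S4U2Proxy requests; this wrapper is the one place that can turn the missing method into the documented policy decision instead of leaving each caller to translate an internal error. I would change `return KRB5_PLUGIN_OP_NOTSUPP;` to `return KRB5KDC_ERR_POLICY;` with the comment `/* No delegation policy in this backend: refuse constrained delegation. */`. The function also has no header comment; one sentence saying it forwards the (client, server, proxy) triple unchanged to the loaded module and performs no checks of its own would document the contract callers rely on.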
@@ -192,13 +192,6 @@ WRAP_VOID (krb5_db2_audit_as_req, krb5_timestamp authtime, krb5_error_code error_code), (kcontext, request, client, server, authtime, error_code)); -WRAP_K (krb5_db2_invoke, - (krb5_context kcontext, - unsigned int method, - const krb5_data *request, - krb5_data *response), - (kcontext, method, request, response)); - static krb5_error_code hack_init (int dal_version) { @@ -258,6 +251,5 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_db2, kdb_function_table) = { /* check_policy_as */ wrap_krb5_db2_check_policy_as, 0, /* audit_as_req */ wrap_krb5_db2_audit_as_req, - 0, - /* invoke */ wrap_krb5_db2_invoke + 0, 0 }; diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h index a1d0d1976..f7c68bc91 100644 --- a/src/plugins/kdb/db2/kdb_db2.h +++ b/src/plugins/kdb/db2/kdb_db2.h @@ -157,11 +157,4 @@ krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code); -/* methods */ -krb5_error_code -krb5_db2_invoke(krb5_context context, - unsigned int method, - const krb5_data *req, - krb5_data *rep); - #endif /* KRB5_KDB_DB2_H */ diff --git a/src/plugins/kdb/db2/kdb_ext.c b/src/plugins/kdb/db2/kdb_ext.c deleted file mode 100644 index a27aa2ca7..000000000 --- a/src/plugins/kdb/db2/kdb_ext.c +++ /dev/null 
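Review bot: The replacement `0, 0` for the last two slots of the db2 function table drops the per-field comments every other row carries (`/* audit_as_req */ wrap_krb5_db2_audit_as_req,`), so a reader can no longer see which slots are intentionally unimplemented, and a positional initializer like this is exactly where a slot shifted by one would go unnoticed. Write `/* refresh_config */ 0,` and `/* check_allowed_to_delegate */ 0` on their own lines, as the ldap table in this commit does. Since a NULL check_allowed_to_delegate means db2 refuses every S4U2Proxy request per the kdb.h comment, a short comment saying that is deliberate would save the next maintainer a search.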
@@ -1,44 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * plugins/kdb/db2/kdb_ext.c - * - * Copyright (C) 2009 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - * - */ - -#include "k5-int.h" -#include "kdb.h" -#include -#include -#include "kdb_db2.h" - -krb5_error_code -krb5_db2_invoke(krb5_context context, - unsigned int method, - const krb5_data *req, - krb5_data *rep) -{ - return KRB5_PLUGIN_OP_NOTSUPP; -} diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c index 76786fca4..55f10d9b6 100644 --- a/src/plugins/kdb/ldap/ldap_exp.c +++ b/src/plugins/kdb/ldap/ldap_exp.c 
@@ -88,6 +88,6 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_ldap, kdb_function_table) = { /* check_policy_tgs */ NULL, /* audit_as_req */ krb5_ldap_audit_as_req, /* refresh_config */ NULL, - /* invoke */ krb5_ldap_invoke, + /* check_allowed_to_delegate */ krb5_ldap_check_allowed_to_delegate }; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in index bc6c27acf..8331650fc 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in +++ b/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in @@ -52,7 +52,6 @@ SRCS= $(srcdir)/kdb_ldap.c \ $(srcdir)/princ_xdr.c \ $(srcdir)/ldap_fetch_mkey.c \ $(srcdir)/ldap_service_stash.c \ - $(srcdir)/kdb_ext.c \ $(srcdir)/kdb_xdr.c \ $(srcdir)/ldap_err.c \ $(srcdir)/lockout.c \ @@ -74,7 +73,6 @@ STLIBOBJS= kdb_ldap.o \ princ_xdr.o \ ldap_fetch_mkey.o \ ldap_service_stash.o \ - kdb_ext.o \ kdb_xdr.o \ ldap_err.o \ lockout.o diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c deleted file mode 100644 index 75b454334..000000000 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c +++ /dev/null 
@@ -1,88 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/*
- * plugins/kdb/ldap/kdb_ext.c
- *
- * Copyright (C) 2009 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- *
- */
-
-#include "k5-int.h"
-#include "kdb.h"
-#include
-#include
-#include "kdb_ldap.h"
-
-static krb5_error_code
-krb5_ldap_check_allowed_to_delegate(krb5_context context,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response)
-{
- const kdb_check_allowed_to_delegate_req *req;
- krb5_error_code code;
- krb5_tl_data *tlp;
-
- req = (const kdb_check_allowed_to_delegate_req *)request->data;
-
- code = KRB5KDC_ERR_POLICY;
-
- for (tlp = req->server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) {
- krb5_principal acl;
-
- if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL)
- continue;
-
- if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0)
- continue;
-
- if (krb5_principal_compare(context, req->proxy, acl)) {
- code = 0;
- krb5_free_principal(context, acl);
- break;
- }
- krb5_free_principal(context, acl);
- }
-
- return code;
-}
-
-krb5_error_code
-krb5_ldap_invoke(krb5_context context,
- unsigned int method,
- const krb5_data *req,
- krb5_data *rep)
-{
- krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
-
- switch (method) {
- case KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE:
- code = krb5_ldap_check_allowed_to_delegate(context, method, req, rep);
- break;
- default:
- break;
- }
-
- return code;
-}
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
index eaf10cf2e..5e055116b 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
@@ -549,3 +549,34 @@ krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, { (void) krb5_ldap_lockout_audit(kcontext, client, authtime, error_code); } + +krb5_error_code +krb5_ldap_check_allowed_to_delegate(krb5_context context, + krb5_const_principal client, + const krb5_db_entry *server, + krb5_const_principal proxy) +{ + krb5_error_code code; + krb5_tl_data *tlp; + + code = KRB5KDC_ERR_POLICY; + + for (tlp = server->tl_data; tlp != NULL; tlp = tlp->tl_data_next) { + krb5_principal acl; + + if (tlp->tl_data_type != KRB5_TL_CONSTRAINED_DELEGATION_ACL) + continue; + + if (krb5_parse_name(context, (char *)tlp->tl_data_contents, &acl) != 0) + continue; + + if (krb5_principal_compare(context, proxy, acl)) { + code = 0; + krb5_free_principal(context, acl); + break; + } + krb5_free_principal(context, acl); + } + + return code; +} diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index 939defb76..8531b8cc6 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -307,6 +307,12 @@ krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code); +krb5_error_code +krb5_ldap_check_allowed_to_delegate(krb5_context context, + krb5_const_principal client, + const krb5_db_entry *server, + krb5_const_principal proxy); + /* DAL functions */ @@ -337,11 +343,4 @@ krb5_ldap_lockout_audit(krb5_context context, krb5_timestamp stamp, krb5_error_code status); -/* kdb_ext.c */ -krb5_error_code -krb5_ldap_invoke(krb5_context context, - unsigned int method, - const krb5_data *req, - krb5_data *rep); - #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports index 6692c7169..c10700fc4 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports 
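Review bot: krb5_ldap_check_allowed_to_delegate hands `tlp->tl_data_contents` to krb5_parse_name as a NUL-terminated string even though krb5_tl_data carries an explicit length, so correctness depends on every stored KRB5_TL_CONSTRAINED_DELEGATION_ACL entry including its terminator, which this diff does not show; a guard `if (tlp->tl_data_length == 0 || tlp->tl_data_contents[tlp->tl_data_length - 1] != '\0') continue;` before the parse keeps a malformed entry from reading past the buffer. The loop is fail-closed, since a missing or unparsable entry leaves code at KRB5KDC_ERR_POLICY, which is the right default, but an unparsable entry is dropped silently, so an administrator who mistyped an ACL entry only sees a policy denial; a trace of the parse failure would make that diagnosable. The client parameter is never read, and a comment such as `/* client is not consulted: the ACL is matched on (server, proxy) only. */` would make clear that is intentional rather than an omission.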
+++ b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports @@ -46,4 +46,4 @@ krb5_ldap_set_mkey_list krb5_ldap_get_mkey_list krb5_ldap_check_policy_as krb5_ldap_audit_as_req -krb5_ldap_invoke +krb5_ldap_check_allowed_to_delegate -- 2.26.2