svn rev #24184: trunk/src/ include/ kdc/ lib/kdb/ plugins/kdb/db2/ plugins/kdb/ldap/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Mon Jul 12 20:53:46 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24184
Commit By: ghudson
Log Message:
ticket: 6749
status: open
Add check_policy_as and check_policy_tgs to the DAL table with
corresponding libkdb5 APIs, replacing the CHECK_POLICY_AS and
CHECK_POLICY_TGS methods of db_invoke.
Changed Files:
U trunk/src/include/kdb.h
U trunk/src/kdc/kdc_util.c
U trunk/src/kdc/policy.c
U trunk/src/lib/kdb/kdb5.c
U trunk/src/lib/kdb/libkdb5.exports
U trunk/src/plugins/kdb/db2/db2_exp.c
U trunk/src/plugins/kdb/db2/kdb_db2.c
U trunk/src/plugins/kdb/db2/kdb_db2.h
U trunk/src/plugins/kdb/db2/kdb_ext.c
U trunk/src/plugins/kdb/ldap/ldap_exp.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
U trunk/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/include/kdb.h 2010-07-13 00:53:46 UTC (rev 24184)
@@ -323,40 +323,11 @@
#define KRB5_DB_LOCKMODE_PERMANENT 0x0008
/* db_invoke methods */
-#define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030
-#define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040
#define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
#define KRB5_KDB_METHOD_AUDIT_TGS 0x00000060
#define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
-typedef struct _kdb_check_policy_as_req {
- krb5_magic magic;
- krb5_kdc_req *request;
- krb5_db_entry *client;
- krb5_db_entry *server;
- krb5_timestamp kdc_time;
-} kdb_check_policy_as_req;
-
-typedef struct _kdb_check_policy_as_rep {
- krb5_magic magic;
- const char *status;
- krb5_data e_data;
-} kdb_check_policy_as_rep;
-
-typedef struct _kdb_check_policy_tgs_req {
- krb5_magic magic;
- krb5_kdc_req *request;
- krb5_db_entry *server;
- krb5_ticket *ticket;
-} kdb_check_policy_tgs_req;
-
-typedef struct _kdb_check_policy_tgs_rep {
- krb5_magic magic;
- const char *status;
- krb5_data e_data;
-} kdb_check_policy_tgs_rep;
-
typedef struct _kdb_audit_as_req {
krb5_magic magic;
krb5_kdc_req *request;
@@ -649,6 +620,21 @@
const krb5_data *client_realm,
const krb5_data *server_realm);
+krb5_error_code krb5_db_check_policy_as(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_data *e_data);
+
+krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *server,
+ krb5_ticket *ticket,
+ const char **status,
+ krb5_data *e_data);
+
krb5_error_code krb5_db_invoke ( krb5_context kcontext,
unsigned int method,
const krb5_data *req,
@@ -1263,24 +1249,44 @@
const krb5_data *server_realm);
/*
+ * Optional: Perform a policy check on an AS request, in addition to the
+ * standard policy checks. Return 0 if the AS request is allowed. If the
+ * AS request is not allowed:
+ * - Place a short string literal into *status.
+ * - If desired, place data into e_data. Any data placed here will be
+ * freed by the caller using the standard free function.
+ * - Return an appropriate error (such as KDC_ERR_POLICY).
+ */
+ krb5_error_code (*check_policy_as)(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp kdc_time,
+ const char **status,
+ krb5_data *e_data);
+
+ /*
+ * Optional: Perform a policy check on a TGS request, in addition to the
+ * standard policy checks. Return 0 if the TGS request is allowed. If the
+ * TGS request is not allowed:
+ * - Place a short string literal into *status.
+ * - If desired, place data into e_data. Any data placed here will be
+ * freed by the caller using the standard free function.
+ * - Return an appropriate error (such as KDC_ERR_POLICY).
+ * The input parameter ticket contains the TGT used in the TGS request.
+ */
+ krb5_error_code (*check_policy_tgs)(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *server,
+ krb5_ticket *ticket,
+ const char **status,
+ krb5_data *e_data);
+
+ /*
* Optional: Perform an operation on input data req with output stored in
* rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
* method. Defined methods are:
*
- * KRB5_KDB_METHOD_CHECK_POLICY_AS: req contains a kdb_check_policy_as_req
- * structure. Perform a policy check on an AS request, in addition to
- * the standard policy checks. Return 0 if the AS request is allowed
- * or an appropriate error (such as KDC_ERR_POLICY) if it is
- * disallowed. Place in rep a kdb_check_policy_as_rep structure
- * containing a status string and e_data value to return to the client
- * if the policy check fails. The status string may be NULL, but must
- * not contain allocated data as it will not be freed. The e_data
- * structure may be empty; if not, it will be freed by the caller using
- * the standard free function.
- *
- * KRB5_KDB_METHOD_CHECK_POLICY_TGS: Same as above, except the structures
- * are kdb_check_policy_tgs_req and kdb_check_policy_tgs_rep.
- *
* KRB5_KDB_METHOD_AUDIT_AS: req contains a kdb_audit_as_req structure.
* Informs the module of a successful or unsuccessful AS request. Do
* not place any data in rep.
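Review bot: The new check_policy_as contract tells a module to "Return an appropriate error (such as KDC_ERR_POLICY)", which is a protocol error constant, yet the db2 and ldap implementations added by this same commit return the com_err value KRB5KDC_ERR_CLIENT_REVOKED, so the comment should pin down which error-code domain a module must return, e.g. `Return a krb5 com_err code (e.g. KRB5KDC_ERR_POLICY); the KDC maps it to a protocol error code.` or the converse. It would also help module authors to know that libkdb5 sets *status to NULL and *e_data to empty before dispatching, so a module only has to write them on denial; one sentence to that effect belongs in this comment and in the check_policy_tgs comment below, which otherwise repeats the wording. The kdb_vftabl structure these members belong to starts and ends outside the hunk.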
Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/kdc/kdc_util.c 2010-07-13 00:53:46 UTC (rev 24184)
@@ -1051,9 +1051,13 @@
return(KDC_ERR_MUST_USE_USER2USER);
}
- /*
- * Check against local policy
- */
+ /* Perform KDB module policy checks. */
+ errcode = krb5_db_check_policy_as(kdc_context, request, &client, &server,
+ kdc_time, status, e_data);
+ if (errcode && errcode != KRB5_PLUGIN_OP_NOTSUPP)
+ return errcode;
+
+ /* Check against local policy. */
errcode = against_local_policy_as(request, client, server,
kdc_time, status, e_data);
if (errcode)
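Review bot: The mapping from a krb5 com_err code to a protocol error code that the removed policy.c code performed (`code -= ERROR_TABLE_BASE_krb5`, then clamp to KRB_ERR_GENERIC) is dropped here: the new `return errcode;` hands back the module's value unchanged, while the rest of this function returns protocol constants such as KDC_ERR_MUST_USE_USER2USER two lines above, and the db2/ldap modules in this commit return KRB5KDC_ERR_CLIENT_REVOKED. Presumably the caller treats the result as a protocol code and adds ERROR_TABLE_BASE_krb5 itself, in which case a lockout denial reaches the client and the KDC log with the wrong error code; the request is still refused, so this is a diagnostics and wire-compatibility defect rather than a policy bypass. The TGS hunk below has the same issue. A small static helper used at both call sites restores the old mapping; validate_as_request starts and ends outside this hunk.
```c
/* Map a krb5 com_err code to the protocol error code validate_as_request
 * and validate_tgs_request return; anything outside the KDC error range
 * becomes KRB_ERR_GENERIC (same rule the old policy.c code applied). */
static krb5_error_code
errcode_to_protocol(krb5_error_code code)
{
    code -= ERROR_TABLE_BASE_krb5;
    return (code < 0 || code > 128) ? KRB_ERR_GENERIC : code;
}

/* … unchanged: validate_as_request up to the module policy check … */
    errcode = krb5_db_check_policy_as(kdc_context, request, &client, &server,
                                      kdc_time, status, e_data);
    if (errcode && errcode != KRB5_PLUGIN_OP_NOTSUPP)
        return errcode_to_protocol(errcode);
/* … unchanged: local policy check and remainder … */
```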
@@ -1468,9 +1472,13 @@
return KRB_ERR_GENERIC;
}
- /*
- * Check local policy
- */
+ /* Perform KDB module policy checks. */
+ errcode = krb5_db_check_policy_tgs(kdc_context, request, &server,
+ ticket, status, e_data);
+ if (errcode && errcode != KRB5_PLUGIN_OP_NOTSUPP)
+ return errcode;
+
+ /* Check local policy. */
errcode = against_local_policy_tgs(request, server, ticket,
status, e_data);
if (errcode)
Modified: trunk/src/kdc/policy.c
===================================================================
--- trunk/src/kdc/policy.c 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/kdc/policy.c 2010-07-13 00:53:46 UTC (rev 24184)
@@ -63,12 +63,6 @@
krb5_db_entry server, krb5_timestamp kdc_time,
const char **status, krb5_data *e_data)
{
- krb5_error_code code;
- kdb_check_policy_as_req req;
- kdb_check_policy_as_rep rep;
- krb5_data req_data;
- krb5_data rep_data;
-
#if 0
/* An AS request must include the addresses field */
if (request->addresses == 0) {
@@ -77,37 +71,7 @@
}
#endif
- memset(&req, 0, sizeof(req));
- memset(&rep, 0, sizeof(rep));
-
- req.request = request;
- req.client = &client;
- req.server = &server;
- req.kdc_time = kdc_time;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = (void *)&rep;
- rep_data.length = sizeof(rep);
-
- code = krb5_db_invoke(kdc_context,
- KRB5_KDB_METHOD_CHECK_POLICY_AS,
- &req_data,
- &rep_data);
- if (code == KRB5_PLUGIN_OP_NOTSUPP)
- return 0;
-
- *status = rep.status;
- *e_data = rep.e_data;
-
- if (code != 0) {
- code -= ERROR_TABLE_BASE_krb5;
- if (code < 0 || code > 128)
- code = KRB_ERR_GENERIC;
- }
-
- return code;
+ return 0; /* not against policy */
}
/*
@@ -118,12 +82,6 @@
krb5_ticket *ticket, const char **status,
krb5_data *e_data)
{
- krb5_error_code code;
- kdb_check_policy_tgs_req req;
- kdb_check_policy_tgs_rep rep;
- krb5_data req_data;
- krb5_data rep_data;
-
#if 0
/*
* For example, if your site wants to disallow ticket forwarding,
@@ -136,34 +94,5 @@
}
#endif
- memset(&req, 0, sizeof(req));
- memset(&rep, 0, sizeof(rep));
-
- req.request = request;
- req.server = &server;
- req.ticket = ticket;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = (void *)&rep;
- rep_data.length = sizeof(rep);
-
- code = krb5_db_invoke(kdc_context,
- KRB5_KDB_METHOD_CHECK_POLICY_TGS,
- &req_data,
- &rep_data);
- if (code == KRB5_PLUGIN_OP_NOTSUPP)
- return 0;
-
- *status = rep.status;
- *e_data = rep.e_data;
-
- if (code != 0) {
- code -= ERROR_TABLE_BASE_krb5;
- if (code < 0 || code > 128)
- code = KRB_ERR_GENERIC;
- }
-
- return code;
+ return 0; /* not against policy */
}
Modified: trunk/src/lib/kdb/kdb5.c
===================================================================
--- trunk/src/lib/kdb/kdb5.c 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/lib/kdb/kdb5.c 2010-07-13 00:53:46 UTC (rev 24184)
@@ -2265,6 +2265,45 @@
}
krb5_error_code
+krb5_db_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp kdc_time, const char **status,
+ krb5_data *e_data)
+{
+ krb5_error_code ret;
+ kdb_vftabl *v;
+
+ *status = NULL;
+ *e_data = empty_data();
+ ret = get_vftabl(kcontext, &v);
+ if (ret)
+ return ret;
+ if (v->check_policy_as == NULL)
+ return KRB5_PLUGIN_OP_NOTSUPP;
+ return v->check_policy_as(kcontext, request, client, server, kdc_time,
+ status, e_data);
+}
+
+krb5_error_code
+krb5_db_check_policy_tgs(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *server, krb5_ticket *ticket,
+ const char **status, krb5_data *e_data)
+{
+ krb5_error_code ret;
+ kdb_vftabl *v;
+
+ *status = NULL;
+ *e_data = empty_data();
+ ret = get_vftabl(kcontext, &v);
+ if (ret)
+ return ret;
+ if (v->check_policy_tgs == NULL)
+ return KRB5_PLUGIN_OP_NOTSUPP;
+ return v->check_policy_tgs(kcontext, request, server, ticket, status,
+ e_data);
+}
+
+krb5_error_code
krb5_db_invoke(krb5_context kcontext,
unsigned int method,
const krb5_data *req,
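Review bot: Neither new wrapper carries a header comment, and the one property a caller must rely on is unstated: *status and *e_data are reset before get_vftabl is consulted, so they hold NULL and empty data even when the function returns KRB5_PLUGIN_OP_NOTSUPP or a vftabl lookup error, and the KDC can pass them straight on without checking. Suggest a short comment on each, e.g. `/* Reset *status and *e_data, then dispatch to the module's check_policy_as; returns KRB5_PLUGIN_OP_NOTSUPP if the module does not provide one. */`, with the corresponding text on krb5_db_check_policy_tgs. The trailing krb5_db_invoke signature continues outside the hunk.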
Modified: trunk/src/lib/kdb/libkdb5.exports
===================================================================
--- trunk/src/lib/kdb/libkdb5.exports 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/lib/kdb/libkdb5.exports 2010-07-13 00:53:46 UTC (rev 24184)
@@ -3,6 +3,8 @@
krb5_db_inited
krb5_db_alloc
krb5_db_free
+krb5_db_check_policy_as
+krb5_db_check_policy_tgs
krb5_db_check_transited_realms
krb5_db_create
krb5_db_delete_principal
Modified: trunk/src/plugins/kdb/db2/db2_exp.c
===================================================================
--- trunk/src/plugins/kdb/db2/db2_exp.c 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/plugins/kdb/db2/db2_exp.c 2010-07-13 00:53:46 UTC (rev 24184)
@@ -180,6 +180,12 @@
( krb5_context kcontext, char *conf_section, char **db_args ),
(kcontext, conf_section, db_args));
+WRAP_K (krb5_db2_check_policy_as,
+ (krb5_context kcontext, krb5_kdc_req *request, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp kdc_time, const char **status,
+ krb5_data *e_data),
+ (kcontext, request, client, server, kdc_time, status, e_data));
+
WRAP_K (krb5_db2_invoke,
(krb5_context kcontext,
unsigned int method,
@@ -243,5 +249,7 @@
/* blah blah blah */ 0,0,0,0,0,
/* promote_db */ wrap_krb5_db2_promote_db,
0, 0, 0, 0,
+ /* check_policy_as */ wrap_krb5_db2_check_policy_as,
+ 0,
/* invoke */ wrap_krb5_db2_invoke
};
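Review bot: The new check_policy_tgs slot is written as a bare `0,` between the labelled check_policy_as and invoke entries, whereas ldap_exp.c in this commit labels the same slot `/* check_policy_tgs */ NULL,`; writing `/* check_policy_tgs */ 0,` here keeps the two plugin tables readable side by side. More generally this is a positional initializer, so any future insertion into kdb_vftabl silently shifts every later entry onto the wrong function pointer; if the project's compiler baseline permits C99, designated initializers (`.check_policy_as = wrap_krb5_db2_check_policy_as,`) turn that drift into a compile-time mismatch. The table definition starts outside the hunk.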
Modified: trunk/src/plugins/kdb/db2/kdb_db2.c
===================================================================
--- trunk/src/plugins/kdb/db2/kdb_db2.c 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/plugins/kdb/db2/kdb_db2.c 2010-07-13 00:53:46 UTC (rev 24184)
@@ -1635,3 +1635,17 @@
return retval;
}
+
+krb5_error_code
+krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp kdc_time, const char **status,
+ krb5_data *e_data)
+{
+ krb5_error_code retval;
+
+ retval = krb5_db2_lockout_check_policy(kcontext, client, kdc_time);
+ if (retval == KRB5KDC_ERR_CLIENT_REVOKED)
+ *status = "LOCKED_OUT";
+ return retval;
+}
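Review bot: `*status` is assigned only when krb5_db2_lockout_check_policy returns KRB5KDC_ERR_CLIENT_REVOKED; any other non-zero return propagates with *status left at whatever the caller preset, so a denial caused by some other failure in the lockout check (if that function can fail otherwise — cannot tell from here) produces a KDC audit line with no status text. Either document that in a comment above the function, e.g. `/* Only the revoked case carries a status; other lockout-check errors propagate with *status unchanged. */`, or set a generic status on the remaining error path. The ldap twin added in kdb_ldap.c has the same shape, and request, server and e_data are unused in both, which is fine for the DAL signature but worth a one-line note.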
Modified: trunk/src/plugins/kdb/db2/kdb_db2.h
===================================================================
--- trunk/src/plugins/kdb/db2/kdb_db2.h 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/plugins/kdb/db2/kdb_db2.h 2010-07-13 00:53:46 UTC (rev 24184)
@@ -146,6 +146,12 @@
krb5_timestamp stamp,
krb5_error_code status);
+krb5_error_code
+krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp kdc_time, const char **status,
+ krb5_data *e_data);
+
/* methods */
krb5_error_code
krb5_db2_invoke(krb5_context context,
Modified: trunk/src/plugins/kdb/db2/kdb_ext.c
===================================================================
--- trunk/src/plugins/kdb/db2/kdb_ext.c 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/plugins/kdb/db2/kdb_ext.c 2010-07-13 00:53:46 UTC (rev 24184)
@@ -35,29 +35,6 @@
#include "kdb_db2.h"
static krb5_error_code
-krb5_db2_check_policy_as(krb5_context context,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response)
-{
- const kdb_check_policy_as_req *req;
- kdb_check_policy_as_rep *rep;
- krb5_error_code code;
-
- req = (const kdb_check_policy_as_req *)request->data;
- rep = (kdb_check_policy_as_rep *)response->data;
-
- rep->status = NULL;
-
- code = krb5_db2_lockout_check_policy(context, req->client,
- req->kdc_time);
- if (code == KRB5KDC_ERR_CLIENT_REVOKED)
- rep->status = "LOCKED_OUT";
-
- return code;
-}
-
-static krb5_error_code
krb5_db2_audit_as(krb5_context context,
unsigned int method,
const krb5_data *request,
@@ -83,9 +60,6 @@
krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
switch (method) {
- case KRB5_KDB_METHOD_CHECK_POLICY_AS:
- code = krb5_db2_check_policy_as(context, method, req, rep);
- break;
case KRB5_KDB_METHOD_AUDIT_AS:
code = krb5_db2_audit_as(context, method, req, rep);
break;
Modified: trunk/src/plugins/kdb/ldap/ldap_exp.c
===================================================================
--- trunk/src/plugins/kdb/ldap/ldap_exp.c 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/plugins/kdb/ldap/ldap_exp.c 2010-07-13 00:53:46 UTC (rev 24184)
@@ -84,6 +84,8 @@
/* encrypt_key_data */ NULL,
/* sign_authdata */ NULL,
/* check_transited_realms */ NULL,
+ /* check_policy_as */ krb5_ldap_check_policy_as,
+ /* check_policy_tgs */ NULL,
/* invoke */ krb5_ldap_invoke,
};
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c 2010-07-13 00:53:46 UTC (rev 24184)
@@ -35,29 +35,6 @@
#include "kdb_ldap.h"
static krb5_error_code
-krb5_ldap_check_policy_as(krb5_context context,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response)
-{
- const kdb_check_policy_as_req *req;
- kdb_check_policy_as_rep *rep;
- krb5_error_code code;
-
- req = (const kdb_check_policy_as_req *)request->data;
- rep = (kdb_check_policy_as_rep *)response->data;
-
- rep->status = NULL;
-
- code = krb5_ldap_lockout_check_policy(context, req->client,
- req->kdc_time);
- if (code == KRB5KDC_ERR_CLIENT_REVOKED)
- rep->status = "LOCKED_OUT";
-
- return code;
-}
-
-static krb5_error_code
krb5_ldap_audit_as(krb5_context context,
unsigned int method,
const krb5_data *request,
@@ -117,9 +94,6 @@
krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
switch (method) {
- case KRB5_KDB_METHOD_CHECK_POLICY_AS:
- code = krb5_ldap_check_policy_as(context, method, req, rep);
- break;
case KRB5_KDB_METHOD_AUDIT_AS:
code = krb5_ldap_audit_as(context, method, req, rep);
break;
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c 2010-07-13 00:53:46 UTC (rev 24184)
@@ -527,3 +527,17 @@
{
return CALL_INIT_FUNCTION (kldap_init_fn);
}
+
+krb5_error_code
+krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp kdc_time, const char **status,
+ krb5_data *e_data)
+{
+ krb5_error_code retval;
+
+ retval = krb5_ldap_lockout_check_policy(kcontext, client, kdc_time);
+ if (retval == KRB5KDC_ERR_CLIENT_REVOKED)
+ *status = "LOCKED_OUT";
+ return retval;
+}
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h 2010-07-13 00:53:46 UTC (rev 24184)
@@ -296,6 +296,11 @@
krb5_error_code
krb5_ldap_free_server_context_params(krb5_ldap_context *ldap_context);
+krb5_error_code
+krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp kdc_time, const char **status,
+ krb5_data *e_data);
/* DAL functions */
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports 2010-07-12 18:53:54 UTC (rev 24183)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports 2010-07-13 00:53:46 UTC (rev 24184)
@@ -44,4 +44,5 @@
krb5_ldap_create
krb5_ldap_set_mkey_list
krb5_ldap_get_mkey_list
+krb5_ldap_check_policy_as
krb5_ldap_invoke