svn rev #24185: trunk/src/ include/ kdc/ lib/kdb/ plugins/kdb/db2/ plugins/kdb/ldap/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Tue Jul 13 11:53:23 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24185
Commit By: ghudson
Log Message:
ticket: 6749
status: open
Add audit_as_req to the DAL with a corresponding libkdb5 API,
replacing the AUDIT_AS_REQ method of db_invoke. Remove the
AUDIT_TGS_REQ method of db_invoke without adding a replacement, as
there was no KDC support for it. (It can be added at a later time if
necessary.)
Changed Files:
U trunk/src/include/kdb.h
U trunk/src/kdc/kdc_util.c
U trunk/src/lib/kdb/kdb5.c
U trunk/src/lib/kdb/libkdb5.exports
U trunk/src/plugins/kdb/db2/db2_exp.c
U trunk/src/plugins/kdb/db2/kdb_db2.c
U trunk/src/plugins/kdb/db2/kdb_db2.h
U trunk/src/plugins/kdb/db2/kdb_ext.c
U trunk/src/plugins/kdb/ldap/ldap_exp.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
U trunk/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/include/kdb.h 2010-07-13 15:53:23 UTC (rev 24185)
@@ -323,29 +323,9 @@
#define KRB5_DB_LOCKMODE_PERMANENT 0x0008
/* db_invoke methods */
-#define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
-#define KRB5_KDB_METHOD_AUDIT_TGS 0x00000060
#define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
-typedef struct _kdb_audit_as_req {
- krb5_magic magic;
- krb5_kdc_req *request;
- krb5_db_entry *client;
- krb5_db_entry *server;
- krb5_timestamp authtime;
- krb5_error_code error_code;
-} kdb_audit_as_req;
-
-typedef struct _kdb_audit_tgs_req {
- krb5_magic magic;
- krb5_kdc_req *request;
- krb5_const_principal client;
- krb5_db_entry *server;
- krb5_timestamp authtime;
- krb5_error_code error_code;
-} kdb_audit_tgs_req;
-
typedef struct _kdb_check_allowed_to_delegate_req {
krb5_magic magic;
const krb5_db_entry *server;
@@ -635,6 +615,13 @@
const char **status,
krb5_data *e_data);
+krb5_error_code krb5_db_audit_as_req(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code error_code);
+
krb5_error_code krb5_db_invoke ( krb5_context kcontext,
unsigned int method,
const krb5_data *req,
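Review bot: The new public entry point krb5_db_audit_as_req is declared without any comment on its contract, so a KDC-side caller cannot tell from the header what the return value means or whether the result is expected to be acted on. A short comment above the prototype would close that gap: `/* Inform the KDB module of a completed AS request. Returns KRB5_PLUGIN_OP_NOTSUPP if the module does not implement audit_as_req; the KDC currently ignores the result. */`. The definition added in lib/kdb/kdb5.c is equally undocumented and could carry the same text.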
@@ -771,7 +758,7 @@
* DAL. It is passed to init_library to allow KDB modules to detect when
* they are being loaded by an incompatible version of the KDC.
*/
-#define KRB5_KDB_DAL_VERSION 20100712
+#define KRB5_KDB_DAL_VERSION 20100713
/*
* A krb5_context can hold one database object. Modules should use
@@ -1283,17 +1270,23 @@
krb5_data *e_data);
/*
+ * Optional: This method informs the module of a successful or unsuccessful
+ * AS request. The resulting error code is currently ignored by the KDC.
+ */
+ krb5_error_code (*audit_as_req)(krb5_context kcontext,
+ krb5_kdc_req *request,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code error_code);
+
+ /* Note: there is currently no method for auditing TGS requests. */
+
+ /*
* Optional: Perform an operation on input data req with output stored in
* rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
* method. Defined methods are:
*
- * KRB5_KDB_METHOD_AUDIT_AS: req contains a kdb_audit_as_req structure.
- * Informs the module of a successful or unsuccessful AS request. Do
- * not place any data in rep.
- *
- * KRB5_KDB_METHOD_AUDIT_TGS: Same as above, except req contains a
- * kdb_audit_tgs_req structure.
- *
* KRB5_KDB_METHOD_REFRESH_POLICY: req and rep are NULL. Informs the
* module that the KDC received a request to reload configuration
* (that is, a SIGHUP).
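Review bot: The new audit_as_req contract does not say whether client and server may be NULL, yet both the db2 and ldap implementations in this commit forward client straight into their lockout_audit helpers. The KDC call site in kdc_util.c passes whatever entries the request produced, so for a request that failed before the client lookup succeeded the pointer is presumably NULL; the comment should state this explicitly, e.g. `* client and server may be NULL if the corresponding lookup failed;` followed by `* modules must tolerate that.`, or the KDC should guarantee non-NULL entries before calling.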
Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/kdc/kdc_util.c 2010-07-13 15:53:23 UTC (rev 24185)
@@ -2356,6 +2356,8 @@
ktypestr, fromstring, status,
cname2, sname2, emsg ? ", " : "", emsg ? emsg : "");
}
+ (void) krb5_db_audit_as_req(kdc_context, request, client, server,
+ authtime, errcode);
#if 0
/* Sun (OpenSolaris) version would probably something like this.
The client and server names passed can be null, unlike in the
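Review bot: The return value of krb5_db_audit_as_req is discarded with a (void) cast, so a module whose audit hook fails (the db2 and ldap hooks route into lockout_audit, which presumably updates the principal's lockout state) leaves no trace in the KDC log, silently weakening the lockout policy the hook exists to enforce. Since KRB5_PLUGIN_OP_NOTSUPP is the expected "not implemented" answer, a real failure can be separated from it in two lines: `ret = krb5_db_audit_as_req(kdc_context, request, client, server, authtime, errcode);` and `if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP) krb5_klog_syslog(LOG_ERR, "audit_as_req failed: %s", error_message(ret));`. The enclosing function starts before this hunk and closes in the next one.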
@@ -2364,33 +2366,6 @@
audit_krb5kdc_as_req(some in_addr *, (in_port_t)from->port, 0,
cname, sname, errcode);
#endif
-#if 1
- {
- kdb_audit_as_req req;
- krb5_data req_data;
- krb5_data rep_data;
-
- memset(&req, 0, sizeof(req));
-
- req.request = request;
- req.client = client;
- req.server = server;
- req.authtime = authtime;
- req.error_code = errcode;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = NULL;
- rep_data.length = 0;
-
- (void) krb5_db_invoke(kdc_context,
- KRB5_KDB_METHOD_AUDIT_AS,
- &req_data,
- &rep_data);
- assert(rep_data.length == 0);
- }
-#endif
}
/* Here "status" must be non-null. Error code
Modified: trunk/src/lib/kdb/kdb5.c
===================================================================
--- trunk/src/lib/kdb/kdb5.c 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/lib/kdb/kdb5.c 2010-07-13 15:53:23 UTC (rev 24185)
@@ -2304,6 +2304,23 @@
}
krb5_error_code
+krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp authtime, krb5_error_code error_code)
+{
+ krb5_error_code status;
+ kdb_vftabl *v;
+
+ status = get_vftabl(kcontext, &v);
+ if (status)
+ return status;
+ if (v->audit_as_req == NULL)
+ return KRB5_PLUGIN_OP_NOTSUPP;
+ return v->audit_as_req(kcontext, request, client, server, authtime,
+ error_code);
+}
+
+krb5_error_code
krb5_db_invoke(krb5_context kcontext,
unsigned int method,
const krb5_data *req,
Modified: trunk/src/lib/kdb/libkdb5.exports
===================================================================
--- trunk/src/lib/kdb/libkdb5.exports 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/lib/kdb/libkdb5.exports 2010-07-13 15:53:23 UTC (rev 24185)
@@ -3,6 +3,7 @@
krb5_db_inited
krb5_db_alloc
krb5_db_free
+krb5_db_audit_as_req
krb5_db_check_policy_as
krb5_db_check_policy_tgs
krb5_db_check_transited_realms
Modified: trunk/src/plugins/kdb/db2/db2_exp.c
===================================================================
--- trunk/src/plugins/kdb/db2/db2_exp.c 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/plugins/kdb/db2/db2_exp.c 2010-07-13 15:53:23 UTC (rev 24185)
@@ -186,6 +186,12 @@
krb5_data *e_data),
(kcontext, request, client, server, kdc_time, status, e_data));
+WRAP_K (krb5_db2_audit_as_req,
+ (krb5_context kcontext, krb5_kdc_req *request, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_timestamp authtime,
+ krb5_error_code error_code),
+ (kcontext, request, client, server, authtime, error_code));
+
WRAP_K (krb5_db2_invoke,
(krb5_context kcontext,
unsigned int method,
@@ -251,5 +257,6 @@
0, 0, 0, 0,
/* check_policy_as */ wrap_krb5_db2_check_policy_as,
0,
+ /* audit_as_req */ wrap_krb5_db2_audit_as_req,
/* invoke */ wrap_krb5_db2_invoke
};
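Review bot: The vftabl initializers in db2_exp.c and ldap_exp.c are positional, so inserting audit_as_req between check_policy_tgs and invoke relies on the `/* audit_as_req */` comment matching the slot order in kdb.h; a misplaced entry would at best produce an incompatible-pointer-type warning and at worst install the wrong function in a slot. If the project baseline allows C99, designated initializers make the slot explicit and drop the padding zeros: `.audit_as_req = wrap_krb5_db2_audit_as_req,` and `.invoke = wrap_krb5_db2_invoke,`. The ldap_exp.c hunk has the same shape and would benefit equally.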
Modified: trunk/src/plugins/kdb/db2/kdb_db2.c
===================================================================
--- trunk/src/plugins/kdb/db2/kdb_db2.c 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/plugins/kdb/db2/kdb_db2.c 2010-07-13 15:53:23 UTC (rev 24185)
@@ -1649,3 +1649,11 @@
*status = "LOCKED_OUT";
return retval;
}
+
+krb5_error_code
+krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp authtime, krb5_error_code error_code)
+{
+ return krb5_db2_lockout_audit(kcontext, client, authtime, error_code);
+}
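Review bot: krb5_db2_audit_as_req forwards only client, authtime and error_code to krb5_db2_lockout_audit and leaves request and server unused, with no comment explaining why; the same pattern appears in kdb_ldap.c's krb5_ldap_audit_as_req. A one-line comment above the body would make the intent clear: `/* Only the client entry and outcome matter for lockout accounting; request and server are intentionally unused. */`. Whether lockout_audit tolerates a NULL client is not visible here and is worth confirming, since the DAL comment added in kdb.h does not promise a non-NULL entry.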
Modified: trunk/src/plugins/kdb/db2/kdb_db2.h
===================================================================
--- trunk/src/plugins/kdb/db2/kdb_db2.h 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/plugins/kdb/db2/kdb_db2.h 2010-07-13 15:53:23 UTC (rev 24185)
@@ -152,6 +152,11 @@
krb5_timestamp kdc_time, const char **status,
krb5_data *e_data);
+krb5_error_code
+krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp authtime, krb5_error_code error_code);
+
/* methods */
krb5_error_code
krb5_db2_invoke(krb5_context context,
Modified: trunk/src/plugins/kdb/db2/kdb_ext.c
===================================================================
--- trunk/src/plugins/kdb/db2/kdb_ext.c 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/plugins/kdb/db2/kdb_ext.c 2010-07-13 15:53:23 UTC (rev 24185)
@@ -34,38 +34,11 @@
#include <errno.h>
#include "kdb_db2.h"
-static krb5_error_code
-krb5_db2_audit_as(krb5_context context,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response)
-{
- const kdb_audit_as_req *req;
- krb5_error_code code;
-
- req = (const kdb_audit_as_req *)request->data;
-
- code = krb5_db2_lockout_audit(context, req->client,
- req->authtime, req->error_code);
-
- return code;
-}
-
krb5_error_code
krb5_db2_invoke(krb5_context context,
unsigned int method,
const krb5_data *req,
krb5_data *rep)
{
- krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
-
- switch (method) {
- case KRB5_KDB_METHOD_AUDIT_AS:
- code = krb5_db2_audit_as(context, method, req, rep);
- break;
- default:
- break;
- }
-
- return code;
+ return KRB5_PLUGIN_OP_NOTSUPP;
}
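Review bot: After this change krb5_db2_invoke ignores all of its arguments and unconditionally returns KRB5_PLUGIN_OP_NOTSUPP, yet it is still wrapped in db2_exp.c and installed as the invoke slot. If libkdb5 treats a NULL invoke slot as "not supported" the way the new krb5_db_audit_as_req does for a NULL audit_as_req, the stub and its WRAP_K entry could be removed; otherwise a comment such as `/* No db_invoke methods are currently implemented by the db2 module. */` would tell the next reader the empty dispatch is intentional rather than a leftover.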
Modified: trunk/src/plugins/kdb/ldap/ldap_exp.c
===================================================================
--- trunk/src/plugins/kdb/ldap/ldap_exp.c 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/plugins/kdb/ldap/ldap_exp.c 2010-07-13 15:53:23 UTC (rev 24185)
@@ -86,6 +86,7 @@
/* check_transited_realms */ NULL,
/* check_policy_as */ krb5_ldap_check_policy_as,
/* check_policy_tgs */ NULL,
+ /* audit_as_req */ krb5_ldap_audit_as_req,
/* invoke */ krb5_ldap_invoke,
};
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c 2010-07-13 15:53:23 UTC (rev 24185)
@@ -35,23 +35,6 @@
#include "kdb_ldap.h"
static krb5_error_code
-krb5_ldap_audit_as(krb5_context context,
- unsigned int method,
- const krb5_data *request,
- krb5_data *response)
-{
- const kdb_audit_as_req *req;
- krb5_error_code code;
-
- req = (const kdb_audit_as_req *)request->data;
-
- code = krb5_ldap_lockout_audit(context, req->client,
- req->authtime, req->error_code);
-
- return code;
-}
-
-static krb5_error_code
krb5_ldap_check_allowed_to_delegate(krb5_context context,
unsigned int method,
const krb5_data *request,
@@ -94,9 +77,6 @@
krb5_error_code code = KRB5_PLUGIN_OP_NOTSUPP;
switch (method) {
- case KRB5_KDB_METHOD_AUDIT_AS:
- code = krb5_ldap_audit_as(context, method, req, rep);
- break;
case KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE:
code = krb5_ldap_check_allowed_to_delegate(context, method, req, rep);
break;
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c 2010-07-13 15:53:23 UTC (rev 24185)
@@ -541,3 +541,11 @@
*status = "LOCKED_OUT";
return retval;
}
+
+krb5_error_code
+krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp authtime, krb5_error_code error_code)
+{
+ return krb5_ldap_lockout_audit(kcontext, client, authtime, error_code);
+}
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h 2010-07-13 15:53:23 UTC (rev 24185)
@@ -302,6 +302,11 @@
krb5_timestamp kdc_time, const char **status,
krb5_data *e_data);
+krb5_error_code
+krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_db_entry *client, krb5_db_entry *server,
+ krb5_timestamp authtime, krb5_error_code error_code);
+
/* DAL functions */
Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports 2010-07-13 00:53:46 UTC (rev 24184)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports 2010-07-13 15:53:23 UTC (rev 24185)
@@ -45,4 +45,5 @@
krb5_ldap_set_mkey_list
krb5_ldap_get_mkey_list
krb5_ldap_check_policy_as
+krb5_ldap_audit_as_req
krb5_ldap_invoke