source-git / krb5

Clone
Source Code
GIT

Blame src/kadmin/server/auth.c

c8 c8s master
  1.   c8
  2.   src
  3.   kadmin
  4.   server
  5.   auth.c
Blob History Raw
Packit Service 99d1c0 
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
Packit Service 99d1c0 
/* kadmin/server/auth.c - kadm5_auth pluggable interface consumer */
Packit Service 99d1c0 
/*
Packit Service 99d1c0 
 * Copyright (C) 2017 by the Massachusetts Institute of Technology.
Packit Service 99d1c0 
 * All rights reserved.
Packit Service 99d1c0 
 *
Packit Service 99d1c0 
 * Redistribution and use in source and binary forms, with or without
Packit Service 99d1c0 
 * modification, are permitted provided that the following conditions
Packit Service 99d1c0 
 * are met:
Packit Service 99d1c0 
 *
Packit Service 99d1c0 
 * * Redistributions of source code must retain the above copyright
Packit Service 99d1c0 
 *   notice, this list of conditions and the following disclaimer.
Packit Service 99d1c0 
 *
Packit Service 99d1c0 
 * * Redistributions in binary form must reproduce the above copyright
Packit Service 99d1c0 
 *   notice, this list of conditions and the following disclaimer in
Packit Service 99d1c0 
 *   the documentation and/or other materials provided with the
Packit Service 99d1c0 
 *   distribution.
Packit Service 99d1c0 
 *
Packit Service 99d1c0 
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
Packit Service 99d1c0 
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
Packit Service 99d1c0 
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
Packit Service 99d1c0 
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
Packit Service 99d1c0 
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
Packit Service 99d1c0 
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
Packit Service 99d1c0 
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
Packit Service 99d1c0 
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
Packit Service 99d1c0 
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
Packit Service 99d1c0 
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
Packit Service 99d1c0 
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
Packit Service 99d1c0 
 * OF THE POSSIBILITY OF SUCH DAMAGE.
Packit Service 99d1c0 
 */
Packit Service 99d1c0
Packit Service 99d1c0 
#include "k5-int.h"
Packit Service 99d1c0 
#include <kadm5/admin.h>
Packit Service 99d1c0 
#include <krb5/kadm5_auth_plugin.h>
Packit Service 99d1c0 
#include "auth.h"
Packit Service 99d1c0
Packit Service 99d1c0 
typedef struct {
Packit Service 99d1c0 
    struct kadm5_auth_vtable_st vt;
Packit Service 99d1c0 
    kadm5_auth_moddata data;
Packit Service 99d1c0 
} *auth_handle;
Packit Service 99d1c0
Packit Service 99d1c0 
static auth_handle *handles;
Packit Service 99d1c0
Packit Service 99d1c0 
void
Packit Service 99d1c0 
auth_fini(krb5_context context)
Packit Service 99d1c0 
{
Packit Service 99d1c0 
    auth_handle *hp, h;
Packit Service 99d1c0
Packit Service 99d1c0 
    if (handles == NULL)
Packit Service 99d1c0 
        return;
Packit Service 99d1c0 
    for (hp = handles; *hp != NULL; hp++) {
Packit Service 99d1c0 
        h = *hp;
Packit Service 99d1c0 
        if (h->vt.fini != NULL)
Packit Service 99d1c0 
            h->vt.fini(context, h->data);
Packit Service 99d1c0 
        free(h);
Packit Service 99d1c0 
    }
Packit Service 99d1c0 
    free(handles);
Packit Service 99d1c0 
    handles = NULL;
Packit Service 99d1c0 
}
Packit Service 99d1c0
Packit Service 99d1c0 
krb5_error_code
Packit Service 99d1c0 
auth_init(krb5_context context, const char *acl_file)
Packit Service 99d1c0 
{
Packit Service 99d1c0 
    krb5_error_code ret;
Packit Service 99d1c0 
    krb5_plugin_initvt_fn *modules = NULL, *mod;
Packit Service 99d1c0 
    size_t count;
Packit Service 99d1c0 
    auth_handle h = NULL;
Packit Service 99d1c0 
    const int intf = PLUGIN_INTERFACE_KADM5_AUTH;
Packit Service 99d1c0
Packit Service 99d1c0 
    ret = k5_plugin_register(context, intf, "acl", kadm5_auth_acl_initvt);
Packit Service 99d1c0 
    if (ret)
Packit Service 99d1c0 
        goto cleanup;
Packit Service 99d1c0 
    ret = k5_plugin_register(context, intf, "self", kadm5_auth_self_initvt);
Packit Service 99d1c0 
    if (ret)
Packit Service 99d1c0 
        goto cleanup;
Packit Service 99d1c0 
    ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KADM5_AUTH, &modules);
Packit Service 99d1c0 
    if (ret)
Packit Service 99d1c0 
        goto cleanup;
Packit Service 99d1c0
Packit Service 99d1c0 
    /* Allocate a large enough list of handles. */
Packit Service 99d1c0 
    for (count = 0; modules[count] != NULL; count++);
Packit Service 99d1c0 
    handles = k5calloc(count + 1, sizeof(*handles), &ret;;
Packit Service 99d1c0 
    if (handles == NULL)
Packit Service 99d1c0 
        goto cleanup;
Packit Service 99d1c0
Packit Service 99d1c0 
    /* For each module, allocate a handle, initialize its vtable, and
Packit Service 99d1c0 
     * initialize its module data. */
Packit Service 99d1c0 
    count = 0;
Packit Service 99d1c0 
    for (mod = modules; *mod != NULL; mod++) {
Packit Service 99d1c0 
        h = k5alloc(sizeof(*h), &ret;;
Packit Service 99d1c0 
        if (h == NULL)
Packit Service 99d1c0 
            goto cleanup;
Packit Service 99d1c0 
        ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
Packit Service 99d1c0 
        if (ret) {              /* Failed vtable init is non-fatal. */
Packit Service 99d1c0 
            TRACE_KADM5_AUTH_VTINIT_FAIL(context, ret);
Packit Service 99d1c0 
            free(h);
Packit Service 99d1c0 
            h = NULL;
Packit Service 99d1c0 
            continue;
Packit Service 99d1c0 
        }
Packit Service 99d1c0 
        h->data = NULL;
Packit Service 99d1c0 
        if (h->vt.init != NULL) {
Packit Service 99d1c0 
            ret = h->vt.init(context, acl_file, &h->data);
Packit Service 99d1c0 
            if (ret == KRB5_PLUGIN_NO_HANDLE) {
Packit Service 99d1c0 
                TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
Packit Service 99d1c0 
                free(h);
Packit Service 99d1c0 
                h = NULL;
Packit Service 99d1c0 
                continue;
Packit Service 99d1c0 
            }
Packit Service 99d1c0 
            if (ret) {
Packit Service 99d1c0 
                TRACE_KADM5_AUTH_INIT_FAIL(context, h->vt.name, ret);
Packit Service 99d1c0 
                goto cleanup;
Packit Service 99d1c0 
            }
Packit Service 99d1c0 
        }
Packit Service 99d1c0 
        handles[count++] = h;
Packit Service 99d1c0 
        handles[count] = NULL;
Packit Service 99d1c0 
        h = NULL;
Packit Service 99d1c0 
    }
Packit Service 99d1c0
Packit Service 99d1c0 
    ret = 0;
Packit Service 99d1c0
Packit Service 99d1c0 
cleanup:
Packit Service 99d1c0 
    if (ret)
Packit Service 99d1c0 
        auth_fini(context);
Packit Service 99d1c0 
    free(h);
Packit Service 99d1c0 
    k5_plugin_free_modules(context, modules);
Packit Service 99d1c0 
    return ret;
Packit Service 99d1c0 
}
Packit Service 99d1c0
Packit Service 99d1c0 
/* Invoke the appropriate method from h->vt for opcode, passing client and the
Packit Service 99d1c0 
 * correct subset of p1, p2, s1, s2, polent, and mask for the method. */
Packit Service 99d1c0 
static krb5_error_code
Packit Service 99d1c0 
call_module(krb5_context context, auth_handle h, int opcode,
Packit Service 99d1c0 
            krb5_const_principal client, krb5_const_principal p1,
Packit Service 99d1c0 
            krb5_const_principal p2, const char *s1, const char *s2,
Packit Service 99d1c0 
            const kadm5_policy_ent_rec *polent, long mask)
Packit Service 99d1c0 
{
Packit Service 99d1c0 
    /* addprinc and modprinc are handled through auth_restrict(). */
Packit Service 99d1c0 
    assert(opcode != OP_ADDPRINC && opcode != OP_MODPRINC);
Packit Service 99d1c0
Packit Service 99d1c0 
    if (opcode == OP_SETSTR && h->vt.setstr != NULL)
Packit Service 99d1c0 
        return h->vt.setstr(context, h->data, client, p1, s1, s2);
Packit Service 99d1c0 
    else if (opcode == OP_CPW && h->vt.cpw != NULL)
Packit Service 99d1c0 
        return h->vt.cpw(context, h->data, client, p1);
Packit Service 99d1c0 
    else if (opcode == OP_CHRAND && h->vt.chrand != NULL)
Packit Service 99d1c0 
        return h->vt.chrand(context, h->data, client, p1);
Packit Service 99d1c0 
    else if (opcode == OP_SETKEY && h->vt.setkey != NULL)
Packit Service 99d1c0 
        return h->vt.setkey(context, h->data, client, p1);
Packit Service 99d1c0 
    else if (opcode == OP_PURGEKEYS && h->vt.purgekeys != NULL)
Packit Service 99d1c0 
        return h->vt.purgekeys(context, h->data, client, p1);
Packit Service 99d1c0 
    else if (opcode == OP_DELPRINC && h->vt.delprinc != NULL)
Packit Service 99d1c0 
        return h->vt.delprinc(context, h->data, client, p1);
Packit Service 99d1c0 
    else if (opcode == OP_RENPRINC && h->vt.renprinc != NULL)
Packit Service 99d1c0 
        return h->vt.renprinc(context, h->data, client, p1, p2);
Packit Service 99d1c0 
    else if (opcode == OP_GETPRINC && h->vt.getprinc != NULL)
Packit Service 99d1c0 
        return h->vt.getprinc(context, h->data, client, p1);
Packit Service 99d1c0 
    else if (opcode == OP_GETSTRS && h->vt.getstrs != NULL)
Packit Service 99d1c0 
        return h->vt.getstrs(context, h->data, client, p1);
Packit Service 99d1c0 
    else if (opcode == OP_EXTRACT && h->vt.extract != NULL)
Packit Service 99d1c0 
        return h->vt.extract(context, h->data, client, p1);
Packit Service 99d1c0 
    else if (opcode == OP_LISTPRINCS && h->vt.listprincs != NULL)
Packit Service 99d1c0 
        return h->vt.listprincs(context, h->data, client);
Packit Service 99d1c0 
    else if (opcode == OP_ADDPOL && h->vt.addpol != NULL)
Packit Service 99d1c0 
        return h->vt.addpol(context, h->data, client, s1, polent, mask);
Packit Service 99d1c0 
    else if (opcode == OP_MODPOL && h->vt.modpol != NULL)
Packit Service 99d1c0 
        return h->vt.modpol(context, h->data, client, s1, polent, mask);
Packit Service 99d1c0 
    else if (opcode == OP_DELPOL && h->vt.delpol != NULL)
Packit Service 99d1c0 
        return h->vt.delpol(context, h->data, client, s1);
Packit Service 99d1c0 
    else if (opcode == OP_GETPOL && h->vt.getpol != NULL)
Packit Service 99d1c0 
        return h->vt.getpol(context, h->data, client, s1, s2);
Packit Service 99d1c0 
    else if (opcode == OP_LISTPOLS && h->vt.listpols != NULL)
Packit Service 99d1c0 
        return h->vt.listpols(context, h->data, client);
Packit Service 99d1c0 
    else if (opcode == OP_IPROP && h->vt.iprop != NULL)
Packit Service 99d1c0 
        return h->vt.iprop(context, h->data, client);
Packit Service 99d1c0
Packit Service 99d1c0 
    return KRB5_PLUGIN_NO_HANDLE;
Packit Service 99d1c0 
}
Packit Service 99d1c0
Packit Service 99d1c0 
krb5_boolean
Packit Service 99d1c0 
auth(krb5_context context, int opcode, krb5_const_principal client,
Packit Service 99d1c0 
     krb5_const_principal p1, krb5_const_principal p2, const char *s1,
Packit Service 99d1c0 
     const char *s2, const kadm5_policy_ent_rec *polent, long mask)
Packit Service 99d1c0 
{
Packit Service 99d1c0 
    krb5_error_code ret;
Packit Service 99d1c0 
    krb5_boolean authorized = FALSE;
Packit Service 99d1c0 
    auth_handle *hp, h;
Packit Service 99d1c0
Packit Service 99d1c0 
    for (hp = handles; *hp != NULL; hp++) {
Packit Service 99d1c0 
        h = *hp;
Packit Service 99d1c0
Packit Service 99d1c0 
        ret = call_module(context, h, opcode, client, p1, p2, s1, s2,
Packit Service 99d1c0 
                          polent, mask);
Packit Service 99d1c0 
        if (!ret)
Packit Service 99d1c0 
            authorized = TRUE;
Packit Service 99d1c0 
        else if (ret != KRB5_PLUGIN_NO_HANDLE)
Packit Service 99d1c0 
            return FALSE;
Packit Service 99d1c0 
    }
Packit Service 99d1c0
Packit Service 99d1c0 
    return authorized;
Packit Service 99d1c0 
}
Packit Service 99d1c0
Packit Service 99d1c0 
/* Impose restrictions, modifying *ent and *mask. */
Packit Service 99d1c0 
static krb5_error_code
Packit Service 99d1c0 
impose_restrictions(krb5_context context,
Packit Service 99d1c0 
                    const struct kadm5_auth_restrictions *rs,
Packit Service 99d1c0 
                    kadm5_principal_ent_t ent, long *mask)
Packit Service 99d1c0 
{
Packit Service 99d1c0 
    krb5_error_code ret;
Packit Service 99d1c0 
    krb5_timestamp now;
Packit Service 99d1c0
Packit Service 99d1c0 
    if (rs == NULL)
Packit Service 99d1c0 
        return 0;
Packit Service 99d1c0 
    if (rs->mask & (KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION)) {
Packit Service 99d1c0 
        ret = krb5_timeofday(context, &now;;
Packit Service 99d1c0 
        if (ret)
Packit Service 99d1c0 
            return ret;
Packit Service 99d1c0 
    }
Packit Service 99d1c0
Packit Service 99d1c0 
    if (rs->mask & KADM5_ATTRIBUTES) {
Packit Service 99d1c0 
        ent->attributes |= rs->require_attrs;
Packit Service 99d1c0 
        ent->attributes &= rs->forbid_attrs;
Packit Service 99d1c0 
        *mask |= KADM5_ATTRIBUTES;
Packit Service 99d1c0 
    }
Packit Service 99d1c0 
    if (rs->mask & KADM5_POLICY_CLR) {
Packit Service 99d1c0 
        *mask &= ~KADM5_POLICY;
Packit Service 99d1c0 
        *mask |= KADM5_POLICY_CLR;
Packit Service 99d1c0 
    } else if (rs->mask & KADM5_POLICY) {
Packit Service 99d1c0 
        if (ent->policy != NULL && strcmp(ent->policy, rs->policy) != 0) {
Packit Service 99d1c0 
            free(ent->policy);
Packit Service 99d1c0 
            ent->policy = NULL;
Packit Service 99d1c0 
        }
Packit Service 99d1c0 
        if (ent->policy == NULL) {
Packit Service 99d1c0 
            ent->policy = strdup(rs->policy);
Packit Service 99d1c0 
            if (ent->policy == NULL)
Packit Service 99d1c0 
                return ENOMEM;
Packit Service 99d1c0 
        }
Packit Service 99d1c0 
        *mask |= KADM5_POLICY;
Packit Service 99d1c0 
    }
Packit Service 99d1c0 
    if (rs->mask & KADM5_PRINC_EXPIRE_TIME) {
Packit Service 99d1c0 
        if (!(*mask & KADM5_PRINC_EXPIRE_TIME) ||
Packit Service 99d1c0 
            ts_after(ent->princ_expire_time, ts_incr(now, rs->princ_lifetime)))
Packit Service 99d1c0 
            ent->princ_expire_time = now + rs->princ_lifetime;
Packit Service 99d1c0 
        *mask |= KADM5_PRINC_EXPIRE_TIME;
Packit Service 99d1c0 
    }
Packit Service 99d1c0 
    if (rs->mask & KADM5_PW_EXPIRATION) {
Packit Service 99d1c0 
        if (!(*mask & KADM5_PW_EXPIRATION) ||
Packit Service 99d1c0 
            ts_after(ent->pw_expiration, ts_incr(now, rs->pw_lifetime)))
Packit Service 99d1c0 
            ent->pw_expiration = now + rs->pw_lifetime;
Packit Service 99d1c0 
        *mask |= KADM5_PW_EXPIRATION;
Packit Service 99d1c0 
    }
Packit Service 99d1c0 
    if (rs->mask & KADM5_MAX_LIFE) {
Packit Service 99d1c0 
        if (!(*mask & KADM5_MAX_LIFE) || ent->max_life > rs->max_life)
Packit Service 99d1c0 
            ent->max_life = rs->max_life;
Packit Service 99d1c0 
        *mask |= KADM5_MAX_LIFE;
Packit Service 99d1c0 
    }
Packit Service 99d1c0 
    if (rs->mask & KADM5_MAX_RLIFE) {
Packit Service 99d1c0 
        if (!(*mask & KADM5_MAX_RLIFE) ||
Packit Service 99d1c0 
            ent->max_renewable_life > rs->max_renewable_life)
Packit Service 99d1c0 
            ent->max_renewable_life = rs->max_renewable_life;
Packit Service 99d1c0 
        *mask |= KADM5_MAX_RLIFE;
Packit Service 99d1c0 
    }
Packit Service 99d1c0 
    return 0;
Packit Service 99d1c0 
}
Packit Service 99d1c0
Packit Service 99d1c0 
krb5_boolean
Packit Service 99d1c0 
auth_restrict(krb5_context context, int opcode, krb5_const_principal client,
Packit Service 99d1c0 
              kadm5_principal_ent_t ent, long *mask)
Packit Service 99d1c0 
{
Packit Service 99d1c0 
    auth_handle *hp, h;
Packit Service 99d1c0 
    krb5_boolean authorized = FALSE;
Packit Service 99d1c0 
    krb5_error_code ret, rs_ret;
Packit Service 99d1c0 
    krb5_const_principal target = ent->principal;
Packit Service 99d1c0 
    struct kadm5_auth_restrictions *rs;
Packit Service 99d1c0
Packit Service 99d1c0 
    assert(opcode == OP_ADDPRINC || opcode == OP_MODPRINC);
Packit Service 99d1c0 
    for (hp = handles; *hp != NULL; hp++) {
Packit Service 99d1c0 
        h = *hp;
Packit Service 99d1c0
Packit Service 99d1c0 
        ret = KRB5_PLUGIN_NO_HANDLE;
Packit Service 99d1c0 
        rs = NULL;
Packit Service 99d1c0 
        if (opcode == OP_ADDPRINC && h->vt.addprinc != NULL) {
Packit Service 99d1c0 
            ret = h->vt.addprinc(context, h->data, client, target, ent, *mask,
Packit Service 99d1c0 
                                 &rs);
Packit Service 99d1c0 
        } else if (opcode == OP_MODPRINC && h->vt.modprinc != NULL) {
Packit Service 99d1c0 
            ret = h->vt.modprinc(context, h->data, client, target, ent, *mask,
Packit Service 99d1c0 
                                 &rs);
Packit Service 99d1c0 
        }
Packit Service 99d1c0 
        if (rs != NULL) {
Packit Service 99d1c0 
            rs_ret = impose_restrictions(context, rs, ent, mask);
Packit Service 99d1c0 
            if (h->vt.free_restrictions != NULL)
Packit Service 99d1c0 
                h->vt.free_restrictions(context, h->data, rs);
Packit Service 99d1c0 
            if (rs_ret)
Packit Service 99d1c0 
                return FALSE;
Packit Service 99d1c0 
        }
Packit Service 99d1c0 
        if (!ret)
Packit Service 99d1c0 
            authorized = TRUE;
Packit Service 99d1c0 
        else if (ret != KRB5_PLUGIN_NO_HANDLE)
Packit Service 99d1c0 
            return FALSE;
Packit Service 99d1c0 
    }
Packit Service 99d1c0
Packit Service 99d1c0 
    return authorized;
Packit Service 99d1c0 
}
Packit Service 99d1c0
Packit Service 99d1c0 
void
Packit Service 99d1c0 
auth_end(krb5_context context)
Packit Service 99d1c0 
{
Packit Service 99d1c0 
    auth_handle *hp, h;
Packit Service 99d1c0
Packit Service 99d1c0 
    for (hp = handles; *hp != NULL; hp++) {
Packit Service 99d1c0 
        h = *hp;
Packit Service 99d1c0 
        if (h->vt.end != NULL)
Packit Service 99d1c0 
            h->vt.end(context, h->data);
Packit Service 99d1c0 
    }
Packit Service 99d1c0 
}

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation