/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* tests/s4u2proxy.c - S4U2Proxy test harness */
/*
 * Copyright (C) 2015 by the Massachusetts Institute of Technology.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * * Redistributions of source code must retain the above copyright
 *   notice, this list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in
 *   the documentation and/or other materials provided with the
 *   distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Usage: s4u2proxy evccname targetname [ad-type ad-contents]
 *
 * evccname contains an evidence ticket.  The default ccache contains a TGT for
 * the intermediate service.  The default keytab contains a key for the
 * intermediate service.  An S4U2Proxy request is made to get a ticket from
 * evccname's default principal to the target service.  The resulting cred is
 * stored in the default ccache.
 */

#include <k5-int.h>

static krb5_context ctx;

static void
check(krb5_error_code code)
{
    const char *errmsg;

    if (code) {
        errmsg = krb5_get_error_message(ctx, code);
        fprintf(stderr, "%s\n", errmsg);
        krb5_free_error_message(ctx, errmsg);
        exit(1);
    }
}

static krb5_authdata **
make_request_authdata(int type, const char *contents)
{
    krb5_authdata *ad;
    krb5_authdata **req_authdata;

    ad = malloc(sizeof(*ad));
    assert(ad != NULL);
    ad->magic = KV5M_AUTHDATA;
    ad->ad_type = type;
    ad->length = strlen(contents);
    ad->contents = (unsigned char *)strdup(contents);
    assert(ad->contents != NULL);

    req_authdata = malloc(2 * sizeof(*req_authdata));
    assert(req_authdata != NULL);
    req_authdata[0] = ad;
    req_authdata[1] = NULL;

    return req_authdata;
}

int
main(int argc, char **argv)
{
    krb5_context context;
    krb5_ccache defcc, evcc;
    krb5_principal client_name, int_name, target_name;
    krb5_keytab defkt;
    krb5_creds mcred, ev_cred, *new_cred;
    krb5_ticket *ev_ticket;
    krb5_authdata **req_authdata = NULL;

    if (argc == 5) {
        req_authdata = make_request_authdata(atoi(argv[3]), argv[4]);
        argc -= 2;
    }

    assert(argc == 3);
    check(krb5_init_context(&context));

    /* Open the default ccache, evidence ticket ccache, and default keytab. */
    check(krb5_cc_default(context, &defcc));
    check(krb5_cc_resolve(context, argv[1], &evcc));
    check(krb5_kt_default(context, &defkt));

    /* Determine the client name, intermediate name, and target name. */
    check(krb5_cc_get_principal(context, evcc, &client_name));
    check(krb5_cc_get_principal(context, defcc, &int_name));
    check(krb5_parse_name(context, argv[2], &target_name));

    /* Retrieve and decrypt the evidence ticket. */
    memset(&mcred, 0, sizeof(mcred));
    mcred.client = client_name;
    mcred.server = int_name;
    check(krb5_cc_retrieve_cred(context, evcc, 0, &mcred, &ev_cred));
    check(krb5_decode_ticket(&ev_cred.ticket, &ev_ticket));
    check(krb5_server_decrypt_ticket_keytab(context, defkt, ev_ticket));

    /* Make an S4U2Proxy request for the target service. */
    mcred.client = client_name;
    mcred.server = target_name;
    mcred.authdata = req_authdata;
    check(krb5_get_credentials_for_proxy(context, KRB5_GC_NO_STORE |
                                         KRB5_GC_CANONICALIZE, defcc,
                                         &mcred, ev_ticket, &new_cred));

    /* Store the new cred in the default ccache. */
    check(krb5_cc_store_cred(context, defcc, new_cred));

    assert(req_authdata == NULL || new_cred->authdata != NULL);

    krb5_cc_close(context, defcc);
    krb5_cc_close(context, evcc);
    krb5_kt_close(context, defkt);
    krb5_free_principal(context, client_name);
    krb5_free_principal(context, int_name);
    krb5_free_principal(context, target_name);
    krb5_free_cred_contents(context, &ev_cred);
    krb5_free_ticket(context, ev_ticket);
    krb5_free_creds(context, new_cred);
    krb5_free_authdata(context, req_authdata);
    krb5_free_context(context);
    return 0;
}