kdc: add wrappers for heimbase object accessors

Add libkdc wrappers for heimbase object accessors so plugins can use the audit and
request attribute APIs without consuming libheimbase. The exposed API surface is
minimal: it is limited to reading array collections and to reading/creating base
and custom types.
Luke Howard
2022-01-29 09:56:34 +11:00
committed by Nico Williams
parent 917e16049a
commit 144caf67fa
9 changed files with 181 additions and 22 deletions


@@ -272,7 +272,7 @@ ad_lookup(krb5_context context,
gss_const_name_t initiator_name,
gss_const_OID mech_type,
krb5_principal *canon_principal,
heim_data_t *requestor_sid)
kdc_data_t *requestor_sid)
{
krb5_error_code ret;
OM_uint32 minor;
@@ -354,7 +354,7 @@ ad_lookup(krb5_context context,
ldap_count_values_len(values) == 0)
goto out;
*requestor_sid = heim_data_create(values[0]->bv_val, values[0]->bv_len);
*requestor_sid = kdc_data_create(values[0]->bv_val, values[0]->bv_len);
if (*requestor_sid == NULL)
goto enomem;
}
@@ -371,7 +371,7 @@ out:
*canon_principal = NULL;
if (requestor_sid) {
heim_release(*requestor_sid);
kdc_object_release(*requestor_sid);
*requestor_sid = NULL;
}
}
@@ -403,7 +403,7 @@ authorize(void *ctx,
krb5_const_realm realm = krb5_principal_get_realm(context, client->principal);
krb5_boolean reconnect_p = FALSE;
krb5_boolean is_tgs;
heim_data_t requestor_sid = NULL;
kdc_data_t requestor_sid = NULL;
*authorized = FALSE;
*mapped_name = NULL;
@@ -457,7 +457,7 @@ authorize(void *ctx,
if (requestor_sid) {
kdc_request_set_attribute((kdc_request_t)r,
HSTR("org.h5l.gss-pa-requestor-sid"), requestor_sid);
heim_release(requestor_sid);
kdc_object_release(requestor_sid);
}
return ret;
@@ -466,7 +466,7 @@ authorize(void *ctx,
static KRB5_LIB_CALL krb5_error_code
finalize_pac(void *ctx, astgs_request_t r)
{
heim_data_t requestor_sid;
kdc_data_t requestor_sid;
requestor_sid = kdc_request_get_attribute((kdc_request_t)r,
HSTR("org.h5l.gss-pa-requestor-sid"));
@@ -476,7 +476,7 @@ finalize_pac(void *ctx, astgs_request_t r)
kdc_audit_setkv_object((kdc_request_t)r, "gss_requestor_sid", requestor_sid);
return kdc_request_add_pac_buffer(r, PAC_REQUESTOR_SID,
heim_data_get_data(requestor_sid));
kdc_data_get_data(requestor_sid));
}
static KRB5_LIB_CALL krb5_error_code


@@ -426,7 +426,7 @@ _kdc_gss_rd_padata(astgs_request_t r,
goto out;
}
gcp = heim_alloc(sizeof(*gcp), "pa-gss-client-params", pa_gss_dealloc_client_params);
gcp = kdc_object_alloc(sizeof(*gcp), "pa-gss-client-params", pa_gss_dealloc_client_params);
if (gcp == NULL) {
ret = krb5_enomem(r->context);
goto out;
@@ -476,7 +476,7 @@ out:
if (gcp && gcp->major != GSS_S_NO_CONTEXT)
*pgcp = gcp;
else
heim_release(gcp);
kdc_object_release(gcp);
return ret;
}
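Review bot: `kdc_object_alloc()` takes its dealloc callback as `kdc_type_dealloc`, which the new header declares with `KRB5_CALLCONV`, but the definition of `pa_gss_dealloc_client_params` is not in this hunk. If it is still declared as a plain `static void pa_gss_dealloc_client_params(void *)` without `KRB5_CALLCONV`, the pointer conversion at the `kdc_object_alloc(sizeof(*gcp), ...)` call is a calling-convention mismatch on targets where `KRB5_CALLCONV` is not the default; please check the definition matches the typedef. `_kdc_gss_rd_padata` starts and ends outside the hunks shown.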


@@ -36,8 +36,6 @@
#ifndef HEIMDAL_KDC_KDC_AUDIT_H
#define HEIMDAL_KDC_KDC_AUDIT_H 1
#include <heimbase.h>
/*
* KDC auditing
*/
@@ -55,7 +53,7 @@
#define KDC_AUTH_EVENT_PREAUTH_SUCCEEDED 9 /* generic (non-long term key) PA success */
/*
* Audit keys to be queried using heim_audit_getkv(). There are other keys
* Audit keys to be queried using kdc_audit_getkv(). There are other keys
* intended for logging that are not defined below; the constants below are
* there to ease migration from the older auth_status HDB API.
*/
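Review bot: Removing `#include <heimbase.h>` from kdc_audit.h is a visible change for existing consumers: any plugin that previously picked up heimbase declarations transitively through this header will now fail to compile until it includes heimbase.h itself or moves to the kdc_* wrappers. That matches the intent of the commit, but it deserves a sentence in the commit message or release notes so the breakage is expected rather than surprising.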


@@ -308,6 +308,124 @@ kdc_get_instance(const char *libname)
return 0;
}
/*
* Minimum API surface wrapper for libheimbase object types so it
* may remain a private interface, yet plugins can interact with
* objects.
*/
KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
kdc_object_alloc(size_t size, const char *name, kdc_type_dealloc dealloc)
{
return heim_alloc(size, name, dealloc);
}
KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
kdc_object_retain(kdc_object_t o)
{
return heim_retain(o);
}
KDC_LIB_FUNCTION void KDC_LIB_CALL
kdc_object_release(kdc_object_t o)
{
heim_release(o);
}
KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
kdc_bool_create(krb5_boolean v)
{
return heim_bool_create(v);
}
KDC_LIB_FUNCTION krb5_boolean KDC_LIB_CALL
kdc_bool_get_value(kdc_object_t o)
{
return heim_bool_val(o);
}
struct kdc_array_iterator_trampoline_data {
kdc_array_iterator_t iter;
void *data;
};
/*
* Calling convention shim to avoid needing to update all internal
* consumers of heim_array_iterate_f()
*/
static void
_kdc_array_iterator_trampoline(kdc_object_t o, void *data, int *stop)
{
struct kdc_array_iterator_trampoline_data *t = data;
t->iter(o, t->data, stop);
}
KDC_LIB_FUNCTION void KDC_LIB_CALL
kdc_array_iterate(kdc_array_t a, void *d, kdc_array_iterator_t iter)
{
struct kdc_array_iterator_trampoline_data t;
t.iter = iter;
t.data = d;
return heim_array_iterate_f((heim_array_t)a, &t, _kdc_array_iterator_trampoline);
}
KDC_LIB_FUNCTION size_t KDC_LIB_CALL
kdc_array_get_length(kdc_array_t a)
{
return heim_array_get_length((heim_array_t)a);
}
KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
kdc_array_get_value(heim_array_t a, size_t i)
{
return heim_array_get_value((heim_array_t)a, i);
}
KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
kdc_array_copy_value(heim_array_t a, size_t i)
{
return heim_array_copy_value((heim_array_t)a, i);
}
KDC_LIB_FUNCTION kdc_string_t KDC_LIB_CALL
kdc_string_create(const char *s)
{
return (kdc_string_t)heim_string_create(s);
}
KDC_LIB_FUNCTION const char * KDC_LIB_CALL
kdc_string_get_utf8(kdc_string_t s)
{
return heim_string_get_utf8((heim_string_t)s);
}
KDC_LIB_FUNCTION kdc_data_t
kdc_data_create(const void *d, size_t len)
{
return (kdc_data_t)heim_data_create(d, len);
}
KDC_LIB_FUNCTION const krb5_data * KDC_LIB_CALL
kdc_data_get_data(kdc_data_t d)
{
return heim_data_get_data((heim_data_t)d);
}
KDC_LIB_FUNCTION kdc_number_t KDC_LIB_CALL
kdc_number_create(int64_t v)
{
return (kdc_number_t)heim_number_create(v);
}
KDC_LIB_FUNCTION int64_t KDC_LIB_CALL
kdc_number_get_value(kdc_number_t n)
{
return heim_number_get_long((heim_number_t)n);
}
/*
* Plugin accessors
*/
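Review bot: `kdc_array_get_value` and `kdc_array_copy_value` declare their first parameter as `heim_array_t`, while the sibling `kdc_array_get_length` takes `kdc_array_t`; since these prototypes are exported through kdc-protos.h this leaks the heimbase type into exactly the public surface the commit is trying to hide, and it makes the `(heim_array_t)a` cast redundant — change them to `kdc_array_get_value(kdc_array_t a, size_t i)` and `kdc_array_copy_value(kdc_array_t a, size_t i)`. `kdc_data_create` is the only wrapper declared without `KDC_LIB_CALL`, so on targets where that macro selects a non-default calling convention the exported symbol has a different ABI from the rest of the set. In `kdc_array_iterate`, `return heim_array_iterate_f(...)` returns an expression from a function returning `void`, which ISO C does not allow; drop the `return`. `kdc_number_get_value` returns `int64_t` but reads the value through `heim_number_get_long`, so on ABIs where `long` is 32 bits a number created via `kdc_number_create(int64_t)` can be truncated on the way back out; use a 64-bit heimbase accessor if one is available.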


@@ -98,6 +98,17 @@ struct krb5_kdc_configuration {
};
#endif
typedef void *kdc_object_t;
typedef struct kdc_array_data *kdc_array_t;
typedef struct kdc_dict_data *kdc_dict_t;
typedef struct kdc_string_data *kdc_string_t;
typedef struct kdc_data_data *kdc_data_t;
typedef struct kdc_number_data *kdc_number_t;
typedef void (KRB5_CALLCONV *kdc_array_iterator_t)(kdc_object_t, void *, int *);
typedef void (KRB5_CALLCONV *kdc_type_dealloc)(kdc_object_t);
#include <kdc-protos.h>
#endif /* __KDC_H__ */
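Review bot: The new public typedefs carry no documentation, and because kdc-protos.h is generated this header is the only place a plugin author can learn what these handles are. A short comment block above `typedef void *kdc_object_t;` should say that they are opaque handles onto libheimbase objects (the `kdc_*_data` struct tags are intentionally never defined), that objects returned by the `*_create` and `*_copy_*` functions are owned by the caller and released with `kdc_object_release()`, and that `*_get_*` accessors return borrowed references — the ownership statements should be confirmed against the heimbase functions the wrappers delegate to before they are written down. `kdc_dict_t` is declared here but no dictionary accessor is exported in this commit; either note that it is reserved for a later change or leave it out until one exists.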


@@ -601,7 +601,7 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
goto out;
out:
heim_release(gcp);
kdc_object_release(gcp);
free(client_name);
return ret;


@@ -74,6 +74,22 @@ EXPORTS
kdc_audit_vaddreason
_kdc_audit_trail
kdc_object_alloc
kdc_object_retain
kdc_object_release
kdc_bool_create
kdc_bool_get_value
kdc_array_iterate
kdc_array_get_length
kdc_array_get_value
kdc_array_copy_value
kdc_string_create
kdc_string_get_utf8
kdc_data_create
kdc_data_get_data
kdc_number_create
kdc_number_get_value
; needed for digest-service
_kdc_db_fetch
_kdc_free_ent


@@ -113,18 +113,18 @@ kdc_audit_setkv_number(kdc_request_t r, const char *k, int64_t v)
}
KDC_LIB_FUNCTION void KDC_LIB_CALL
kdc_audit_addkv_object(kdc_request_t r, const char *k, heim_object_t obj)
kdc_audit_addkv_object(kdc_request_t r, const char *k, kdc_object_t obj)
{
heim_audit_addkv_object((heim_svc_req_desc)r, k, obj);
}
KDC_LIB_FUNCTION void KDC_LIB_CALL
kdc_audit_setkv_object(kdc_request_t r, const char *k, heim_object_t obj)
kdc_audit_setkv_object(kdc_request_t r, const char *k, kdc_object_t obj)
{
heim_audit_setkv_object((heim_svc_req_desc)r, k, obj);
}
KDC_LIB_FUNCTION heim_object_t KDC_LIB_CALL
KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
kdc_audit_getkv(kdc_request_t r, const char *k)
{
return heim_audit_getkv((heim_svc_req_desc)r, k);
@@ -553,25 +553,25 @@ krb5_kdc_save_request(krb5_context context,
}
KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL
kdc_request_set_attribute(kdc_request_t r, heim_object_t key, heim_object_t value)
kdc_request_set_attribute(kdc_request_t r, kdc_object_t key, kdc_object_t value)
{
return heim_dict_set_value(r->attributes, key, value);
}
KDC_LIB_FUNCTION heim_object_t KDC_LIB_CALL
kdc_request_get_attribute(kdc_request_t r, heim_object_t key)
KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
kdc_request_get_attribute(kdc_request_t r, kdc_object_t key)
{
return heim_dict_get_value(r->attributes, key);
}
KDC_LIB_FUNCTION heim_object_t KDC_LIB_CALL
kdc_request_copy_attribute(kdc_request_t r, heim_object_t key)
KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
kdc_request_copy_attribute(kdc_request_t r, kdc_object_t key)
{
return heim_dict_copy_value(r->attributes, key);
}
KDC_LIB_FUNCTION void KDC_LIB_CALL
kdc_request_delete_attribute(kdc_request_t r, heim_object_t key)
kdc_request_delete_attribute(kdc_request_t r, kdc_object_t key)
{
heim_dict_delete_key(r->attributes, key);
}
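Review bot: The retyped attribute API still gives callers no way to know which results they own: `kdc_request_get_attribute` forwards to `heim_dict_get_value` and `kdc_request_copy_attribute` to `heim_dict_copy_value`, and in heimbase the former hands back a borrowed reference while the latter returns a retained one the caller must release — worth confirming and then stating on each wrapper, e.g. `/* Returns a borrowed reference; do not release it. */` on the get variant and `/* Returns a retained reference; release with kdc_object_release(). */` on the copy variant. The same note applies to `kdc_audit_getkv` in the first hunk of this file. Now that keys are `kdc_object_t`, i.e. `void *`, any pointer converts implicitly and the compiler no longer catches a mis-typed key argument; if keys are always strings, taking `kdc_string_t key` would keep that check.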


@@ -77,6 +77,22 @@ HEIMDAL_KDC_1.0 {
kdc_audit_vaddreason;
_kdc_audit_trail;
kdc_object_alloc;
kdc_object_retain;
kdc_object_release;
kdc_bool_create;
kdc_bool_get_value;
kdc_array_iterate;
kdc_array_get_length;
kdc_array_get_value;
kdc_array_copy_value;
kdc_string_create;
kdc_string_get_utf8;
kdc_data_create;
kdc_data_get_data;
kdc_number_create;
kdc_number_get_value;
# needed for digest-service
_kdc_db_fetch;
_kdc_free_ent;