kdc: add wrappers for heimbase object accessors

Add libkdc wrappers for heimbase object accessors so plugins can use audit and
request attribute APIs without consuming libheimbase. Exposed API surface is
minimal and is limited to reading array collections, and reading/creating base
and custom types.

kdc/altsecid_gss_preauth_authorizer.c

@@ -272,7 +272,7 @@ ad_lookup(krb5_context context,
           gss_const_name_t initiator_name,
           gss_const_OID mech_type,
           krb5_principal *canon_principal,
-          heim_data_t *requestor_sid)
+          kdc_data_t *requestor_sid)
 {
     krb5_error_code ret;
     OM_uint32 minor;
@@ -354,7 +354,7 @@ ad_lookup(krb5_context context,
 	    ldap_count_values_len(values) == 0)
 	    goto out;
 
-	*requestor_sid = heim_data_create(values[0]->bv_val, values[0]->bv_len);
+	*requestor_sid = kdc_data_create(values[0]->bv_val, values[0]->bv_len);
 	if (*requestor_sid == NULL)
 	    goto enomem;
     }
@@ -371,7 +371,7 @@ out:
 	*canon_principal = NULL;
 
 	if (requestor_sid) {
-	    heim_release(*requestor_sid);
+	    kdc_object_release(*requestor_sid);
 	    *requestor_sid = NULL;
 	}
     }
@@ -403,7 +403,7 @@ authorize(void *ctx,
     krb5_const_realm realm = krb5_principal_get_realm(context, client->principal);
     krb5_boolean reconnect_p = FALSE;
     krb5_boolean is_tgs;
-    heim_data_t requestor_sid = NULL;
+    kdc_data_t requestor_sid = NULL;
 
     *authorized = FALSE;
     *mapped_name = NULL;
@@ -457,7 +457,7 @@ authorize(void *ctx,
     if (requestor_sid) {
 	kdc_request_set_attribute((kdc_request_t)r,
 				  HSTR("org.h5l.gss-pa-requestor-sid"), requestor_sid);
-	heim_release(requestor_sid);
+	kdc_object_release(requestor_sid);
     }
 
     return ret;
@@ -466,7 +466,7 @@ authorize(void *ctx,
 static KRB5_LIB_CALL krb5_error_code
 finalize_pac(void *ctx, astgs_request_t r)
 {
-    heim_data_t requestor_sid;
+    kdc_data_t requestor_sid;
 
     requestor_sid = kdc_request_get_attribute((kdc_request_t)r,
 					      HSTR("org.h5l.gss-pa-requestor-sid"));
@@ -476,7 +476,7 @@ finalize_pac(void *ctx, astgs_request_t r)
     kdc_audit_setkv_object((kdc_request_t)r, "gss_requestor_sid", requestor_sid);
 
     return kdc_request_add_pac_buffer(r, PAC_REQUESTOR_SID,
-				      heim_data_get_data(requestor_sid));
+				      kdc_data_get_data(requestor_sid));
 }
 
 static KRB5_LIB_CALL krb5_error_code

kdc/gss_preauth.c

@@ -426,7 +426,7 @@ _kdc_gss_rd_padata(astgs_request_t r,
         goto out;
     }
 
-    gcp = heim_alloc(sizeof(*gcp), "pa-gss-client-params", pa_gss_dealloc_client_params);
+    gcp = kdc_object_alloc(sizeof(*gcp), "pa-gss-client-params", pa_gss_dealloc_client_params);
     if (gcp == NULL) {
         ret = krb5_enomem(r->context);
         goto out;
@@ -476,7 +476,7 @@ out:
     if (gcp && gcp->major != GSS_S_NO_CONTEXT)
         *pgcp = gcp;
     else
-        heim_release(gcp);
+        kdc_object_release(gcp);
 
     return ret;
 }

kdc/kdc-audit.h

@@ -36,8 +36,6 @@
 #ifndef HEIMDAL_KDC_KDC_AUDIT_H
 #define HEIMDAL_KDC_KDC_AUDIT_H 1
 
-#include <heimbase.h>
-
 /*
  * KDC auditing
  */
@@ -55,7 +53,7 @@
 #define KDC_AUTH_EVENT_PREAUTH_SUCCEEDED	9   /* generic (non-long term key) PA success */
 
 /*
- * Audit keys to be queried using heim_audit_getkv(). There are other keys
+ * Audit keys to be queried using kdc_audit_getkv(). There are other keys
  * intended for logging that are not defined below; the constants below are
  * there to ease migration from the older auth_status HDB API.
  */

kdc/kdc-plugin.c

@@ -308,6 +308,124 @@ kdc_get_instance(const char *libname)
     return 0;
 }
 
+/*
+ * Minimum API surface wrapper for libheimbase object types so it
+ * may remain a private interface, yet plugins can interact with
+ * objects.
+ */
+
+KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
+kdc_object_alloc(size_t size, const char *name, kdc_type_dealloc dealloc)
+{
+    return heim_alloc(size, name, dealloc);
+}
+
+KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
+kdc_object_retain(kdc_object_t o)
+{
+    return heim_retain(o);
+}
+
+KDC_LIB_FUNCTION void KDC_LIB_CALL
+kdc_object_release(kdc_object_t o)
+{
+    heim_release(o);
+}
+
+KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
+kdc_bool_create(krb5_boolean v)
+{
+    return heim_bool_create(v);
+}
+
+KDC_LIB_FUNCTION krb5_boolean KDC_LIB_CALL
+kdc_bool_get_value(kdc_object_t o)
+{
+    return heim_bool_val(o);
+}
+
+struct kdc_array_iterator_trampoline_data {
+    kdc_array_iterator_t iter;
+    void *data;
+};
+
+/*
+ * Calling convention shim to avoid needing to update all internal
+ * consumers of heim_array_iterate_f()
+ */
+static void
+_kdc_array_iterator_trampoline(kdc_object_t o, void *data, int *stop)
+{
+    struct kdc_array_iterator_trampoline_data *t = data;
+
+    t->iter(o, t->data, stop);
+}
+
+KDC_LIB_FUNCTION void KDC_LIB_CALL
+kdc_array_iterate(kdc_array_t a, void *d, kdc_array_iterator_t iter)
+{
+    struct kdc_array_iterator_trampoline_data t;
+
+    t.iter = iter;
+    t.data = d;
+
+    return heim_array_iterate_f((heim_array_t)a, &t, _kdc_array_iterator_trampoline);
+}
+
+KDC_LIB_FUNCTION size_t KDC_LIB_CALL
+kdc_array_get_length(kdc_array_t a)
+{
+    return heim_array_get_length((heim_array_t)a);
+}
+
+KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
+kdc_array_get_value(heim_array_t a, size_t i)
+{
+    return heim_array_get_value((heim_array_t)a, i);
+}
+
+KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
+kdc_array_copy_value(heim_array_t a, size_t i)
+{
+    return heim_array_copy_value((heim_array_t)a, i);
+}
+
+KDC_LIB_FUNCTION kdc_string_t KDC_LIB_CALL
+kdc_string_create(const char *s)
+{
+    return (kdc_string_t)heim_string_create(s);
+}
+
+KDC_LIB_FUNCTION const char * KDC_LIB_CALL
+kdc_string_get_utf8(kdc_string_t s)
+{
+    return heim_string_get_utf8((heim_string_t)s);
+}
+
+KDC_LIB_FUNCTION kdc_data_t
+kdc_data_create(const void *d, size_t len)
+{
+    return (kdc_data_t)heim_data_create(d, len);
+}
+
+KDC_LIB_FUNCTION const krb5_data * KDC_LIB_CALL
+kdc_data_get_data(kdc_data_t d)
+{
+    return heim_data_get_data((heim_data_t)d);
+}
+
+KDC_LIB_FUNCTION kdc_number_t KDC_LIB_CALL
+kdc_number_create(int64_t v)
+{
+    return (kdc_number_t)heim_number_create(v);
+}
+
+KDC_LIB_FUNCTION int64_t KDC_LIB_CALL
+kdc_number_get_value(kdc_number_t n)
+{
+    return heim_number_get_long((heim_number_t)n);
+}
+
 /*
  * Plugin accessors
  */

kdc/kdc.h

@@ -98,6 +98,17 @@ struct krb5_kdc_configuration {
 };
 #endif
 
+typedef void *kdc_object_t;
+typedef struct kdc_array_data *kdc_array_t;
+typedef struct kdc_dict_data *kdc_dict_t;
+typedef struct kdc_string_data *kdc_string_t;
+typedef struct kdc_data_data *kdc_data_t;
+typedef struct kdc_number_data *kdc_number_t;
+
+typedef void (KRB5_CALLCONV *kdc_array_iterator_t)(kdc_object_t, void *, int *);
+
+typedef void (KRB5_CALLCONV *kdc_type_dealloc)(kdc_object_t);
+
 #include <kdc-protos.h>
 
 #endif /* __KDC_H__ */

kdc/kerberos5.c

@@ -601,7 +601,7 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
 	goto out;
 
 out:
-    heim_release(gcp);
+    kdc_object_release(gcp);
     free(client_name);
 
     return ret;

kdc/libkdc-exports.def

@@ -74,6 +74,22 @@ EXPORTS
 	kdc_audit_vaddreason
 	_kdc_audit_trail
 
+	kdc_object_alloc
+	kdc_object_retain
+	kdc_object_release
+	kdc_bool_create
+	kdc_bool_get_value
+	kdc_array_iterate
+	kdc_array_get_length
+	kdc_array_get_value
+	kdc_array_copy_value
+	kdc_string_create
+	kdc_string_get_utf8
+	kdc_data_create
+	kdc_data_get_data
+	kdc_number_create
+	kdc_number_get_value
+
 	; needed for digest-service
 	_kdc_db_fetch
 	_kdc_free_ent

kdc/process.c

@@ -113,18 +113,18 @@ kdc_audit_setkv_number(kdc_request_t r, const char *k, int64_t v)
 }
 
 KDC_LIB_FUNCTION void KDC_LIB_CALL
-kdc_audit_addkv_object(kdc_request_t r, const char *k, heim_object_t obj)
+kdc_audit_addkv_object(kdc_request_t r, const char *k, kdc_object_t obj)
 {
     heim_audit_addkv_object((heim_svc_req_desc)r, k, obj);
 }
 
 KDC_LIB_FUNCTION void KDC_LIB_CALL
-kdc_audit_setkv_object(kdc_request_t r, const char *k, heim_object_t obj)
+kdc_audit_setkv_object(kdc_request_t r, const char *k, kdc_object_t obj)
 {
     heim_audit_setkv_object((heim_svc_req_desc)r, k, obj);
 }
 
-KDC_LIB_FUNCTION heim_object_t KDC_LIB_CALL
+KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
 kdc_audit_getkv(kdc_request_t r, const char *k)
 {
     return heim_audit_getkv((heim_svc_req_desc)r, k);
@@ -553,25 +553,25 @@ krb5_kdc_save_request(krb5_context context,
 }
 
 KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL
-kdc_request_set_attribute(kdc_request_t r, heim_object_t key, heim_object_t value)
+kdc_request_set_attribute(kdc_request_t r, kdc_object_t key, kdc_object_t value)
 {
     return heim_dict_set_value(r->attributes, key, value);
 }
 
-KDC_LIB_FUNCTION heim_object_t KDC_LIB_CALL
-kdc_request_get_attribute(kdc_request_t r, heim_object_t key)
+KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
+kdc_request_get_attribute(kdc_request_t r, kdc_object_t key)
 {
     return heim_dict_get_value(r->attributes, key);
 }
 
-KDC_LIB_FUNCTION heim_object_t KDC_LIB_CALL
-kdc_request_copy_attribute(kdc_request_t r, heim_object_t key)
+KDC_LIB_FUNCTION kdc_object_t KDC_LIB_CALL
+kdc_request_copy_attribute(kdc_request_t r, kdc_object_t key)
 {
     return heim_dict_copy_value(r->attributes, key);
 }
 
 KDC_LIB_FUNCTION void KDC_LIB_CALL
-kdc_request_delete_attribute(kdc_request_t r, heim_object_t key)
+kdc_request_delete_attribute(kdc_request_t r, kdc_object_t key)
 {
     heim_dict_delete_key(r->attributes, key);
 }

kdc/version-script.map

@@ -77,6 +77,22 @@ HEIMDAL_KDC_1.0 {
 		kdc_audit_vaddreason;
 		_kdc_audit_trail;
 
+		kdc_object_alloc;
+		kdc_object_retain;
+		kdc_object_release;
+		kdc_bool_create;
+		kdc_bool_get_value;
+		kdc_array_iterate;
+		kdc_array_get_length;
+		kdc_array_get_value;
+		kdc_array_copy_value;
+		kdc_string_create;
+		kdc_string_get_utf8;
+		kdc_data_create;
+		kdc_data_get_data;
+		kdc_number_create;
+		kdc_number_get_value;
+
 		# needed for digest-service
 		_kdc_db_fetch;
 		_kdc_free_ent;