From 1f349a6aba482826202d372a1cd35af59c0f232e Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Fri, 15 Jul 2011 16:30:37 -0500 Subject: [PATCH] kadmin support for policies. --- kadmin/ank.c | 4 ++- kadmin/kadmin-commands.in | 12 +++++++ kadmin/kadmin_locl.h | 5 ++- kadmin/mod.c | 4 ++- kadmin/util.c | 67 ++++++++++++++++++++++++++++++++++++++- 5 files changed, 88 insertions(+), 4 deletions(-) diff --git a/kadmin/ank.c b/kadmin/ank.c index 0b7ebc027..1b7bab7b5 100644 --- a/kadmin/ank.c +++ b/kadmin/ank.c @@ -68,6 +68,7 @@ add_one_principal (const char *name, int rand_password, int use_defaults, char *password, + char *policy, krb5_key_data *key_data, const char *max_ticket_life, const char *max_renewable_life, @@ -94,7 +95,7 @@ add_one_principal (const char *name, ret = set_entry(context, &princ, &mask, max_ticket_life, max_renewable_life, - expiration, pw_expiration, attributes); + expiration, pw_expiration, attributes, policy); if (ret) goto out; @@ -245,6 +246,7 @@ add_new_key(struct add_options *opt, int argc, char **argv) opt->random_password_flag, opt->use_defaults_flag, opt->password_string, + opt->policy_string, kdp, opt->max_ticket_life_string, opt->max_renewable_life_string, diff --git a/kadmin/kadmin-commands.in b/kadmin/kadmin-commands.in index 4396ff800..dece8ea35 100644 --- a/kadmin/kadmin-commands.in +++ b/kadmin/kadmin-commands.in @@ -179,6 +179,12 @@ command = { type = "flag" help = "use default values" } + option = { + long = "policy" + type = "string" + argument = "policy" + help = "policy name" + } argument = "principal..." min_args = "1" help = "Adds a principal to the database." @@ -353,6 +359,12 @@ command = { argument = "subject dn" help = "aliases" } + option = { + long = "policy" + type = "string" + argument = "policy" + help = "policy name" + } argument = "principal" min_args = "1" max_args = "1" diff --git a/kadmin/kadmin_locl.h b/kadmin/kadmin_locl.h index bd92d9fbe..924af78dc 100644 --- a/kadmin/kadmin_locl.h 
+++ b/kadmin/kadmin_locl.h @@ -109,6 +109,9 @@ int str2attributes(const char *, krb5_flags *); int parse_attributes (const char *, krb5_flags *, int *, int); int edit_attributes (const char *, krb5_flags *, int *, int); +int parse_policy (const char *, char **, int *, int); +int edit_policy (const char *, char **, int *, int); + void time_t2str(time_t, char *, size_t, int); int str2time_t (const char *, time_t *); int parse_timet (const char *, krb5_timestamp *, int *, int); @@ -124,7 +127,7 @@ int edit_entry(kadm5_principal_ent_t, int *, kadm5_principal_ent_t, int); void set_defaults(kadm5_principal_ent_t, int *, kadm5_principal_ent_t, int); int set_entry(krb5_context, kadm5_principal_ent_t, int *, const char *, const char *, const char *, - const char *, const char *); + const char *, const char *, const char *); int foreach_principal(const char *, int (*)(krb5_principal, void*), const char *, void *); diff --git a/kadmin/mod.c b/kadmin/mod.c index 940425f2a..017e4ac84 100644 --- a/kadmin/mod.c +++ b/kadmin/mod.c @@ -207,6 +207,7 @@ do_mod_entry(krb5_principal principal, void *data) e->expiration_time_string || e->pw_expiration_time_string || e->attributes_string || + e->policy_string || e->kvno_integer != -1 || e->constrained_delegation_strings.num_strings || e->alias_strings.num_strings || @@ -216,7 +217,8 @@ do_mod_entry(krb5_principal principal, void *data) e->max_renewable_life_string, e->expiration_time_string, e->pw_expiration_time_string, - e->attributes_string); + e->attributes_string, + e->policy_string); if(e->kvno_integer != -1) { princ.kvno = e->kvno_integer; mask |= KADM5_KVNO; diff --git a/kadmin/util.c b/kadmin/util.c index 480c82e7d..515f77fdd 100644 --- a/kadmin/util.c +++ b/kadmin/util.c 
@@ -145,6 +145,59 @@ edit_attributes (const char *prompt, krb5_flags *attr, int *mask, int bit) return 0; } +/* + * try to parse the string `resp' into policy in `attr', also + * setting the `bit' in `mask' if attributes are given and valid. + */ + +#define VALID_POLICY_NAME_CHARS \ + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_" + +int +parse_policy (const char *resp, char **policy, int *mask, int bit) +{ + if (strspn(resp, VALID_POLICY_NAME_CHARS) == strlen(resp) && + *resp != '\0') { + + *policy = strdup(resp); + if (*policy == NULL) { + fprintf (stderr, "Out of memory"); + return -1; + } + if (mask) + *mask |= bit; + } else if(*resp == '?') { + print_flags_table (kdb_attrs, stderr); + } else { + fprintf (stderr, "Unable to parse \"%s\"\n", resp); + } + return -1; +} + +/* + * allow the user to edit the attributes in `attr', prompting with `prompt' + */ + +int +edit_policy (const char *prompt, char **policy, int *mask, int bit) +{ + char buf[1024], resp[1024]; + + if (mask && (*mask & bit)) + return 0; + + strlcpy(buf, *policy, sizeof (buf)); + for (;;) { + if(get_response("Policy", buf, resp, sizeof(resp)) != 0) + return 1; + if (resp[0] == '\0') + break; + if (parse_policy (resp, policy, mask, bit) == 0) + break; + } + return 0; +} + /* * time_t * the special value 0 means ``never'' @@ -420,6 +473,10 @@ edit_entry(kadm5_principal_ent_t ent, int *mask, KADM5_ATTRIBUTES) != 0) return 1; + if(edit_policy ("Policy", &ent->policy, mask, + KADM5_POLICY) != 0) + return 1; + return 0; } @@ -437,7 +494,8 @@ set_entry(krb5_context contextp, const char *max_renewable_life, const char *expiration, const char *pw_expiration, - const char *attributes) + const char *attributes, + const char *policy) { if (max_ticket_life != NULL) { if (parse_deltat (max_ticket_life, &ent->max_life, 
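Review bot: `parse_policy` never returns 0: the success branch (strdup, `*mask |= bit`) falls through to the single `return -1;` at the end, so `edit_policy`'s `if (parse_policy (...) == 0) break;` can never exit the loop on a valid name and `set_entry`'s `if (parse_policy (...))` always reports failure — a `return 0;` is needed after `*mask |= bit;`. The `?` branch calls `print_flags_table (kdb_attrs, stderr)`, which prints the attribute flag table and looks like a copy-paste from the attributes parser; it should describe the accepted policy-name syntax instead. In `edit_policy`, `strlcpy(buf, *policy, sizeof (buf))` is undefined behaviour when `*policy` is NULL, which seems likely for a principal without a policy since `edit_entry` passes `&ent->policy` straight in; guard it with `*policy != NULL ? *policy : ""`. On success the previous `*policy` is overwritten without being freed; whether that leaks depends on who owns the old string (the kadm5 principal-ent free routine, presumably), so that ownership should be confirmed and documented. Both header comments are stale copies from the attributes functions (they talk about `attr` and "attributes"); `parse_policy`'s should read "validate `resp' against VALID_POLICY_NAME_CHARS, store a copy in `*policy' and set `bit' in `mask'; returns 0 on success, -1 otherwise" and `edit_policy`'s should say it prompts for the policy name in `*policy`.
```c
int
parse_policy (const char *resp, char **policy, int *mask, int bit)
{
    if (*resp != '\0' && strspn(resp, VALID_POLICY_NAME_CHARS) == strlen(resp)) {
        char *copy = strdup(resp);
        if (copy == NULL) {
            fprintf (stderr, "Out of memory\n");
            return -1;
        }
        /* the previous *policy is not released here; the caller owns it (confirm against kadm5) */
        *policy = copy;
        if (mask)
            *mask |= bit;
        return 0;   /* was missing: every path returned -1 */
    }
    if (*resp == '?')
        fprintf (stderr, "A policy name is one or more of [%s]\n", VALID_POLICY_NAME_CHARS);
    else
        fprintf (stderr, "Unable to parse \"%s\"\n", resp);
    return -1;
}

/* … unchanged: edit_policy prologue and early return on a set mask bit … */
    strlcpy(buf, *policy != NULL ? *policy : "", sizeof (buf));
/* … unchanged: edit_policy prompt loop … */
```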
@@ -475,6 +533,13 @@ set_entry(krb5_context contextp, return 1; } } + if (policy != NULL) { + if (parse_policy (policy, &ent->policy, + mask, KADM5_POLICY)) { + krb5_warnx (contextp, "unable to parse `%s'", attributes); + return 1; + } + } return 0; }
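Review bot: The warning in the new `if (policy != NULL)` block reports the wrong argument: `krb5_warnx (contextp, "unable to parse `%s'", attributes);` prints the unrelated attributes string, which by set_entry's own `!= NULL` conventions may be NULL here (a NULL `%s` argument is undefined behaviour); it should be `krb5_warnx (contextp, "unable to parse `%s'", policy);`. Until `parse_policy` is fixed to return 0 on success (see the earlier util.c hunk), this branch is taken for every valid policy name, so the two defects together make `--policy` unusable. set_entry's body starts outside this hunk.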