oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Check for dup aliases before overwriting, pointed out by Johanna Mannung

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22691 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2008-03-18 10:14:02 +00:00
parent 3a7287955f
commit 23895f4fb9
3 changed files with 167 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
lib/hdb/common.c
View File

@@ -219,12 +219,58 @@ hdb_add_aliases(krb5_context context, HDB *db,
return 0; return 0;
} }
static krb5_error_code
hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
{
const HDB_Ext_Aliases *aliases;
int code, i;
/* check if new aliases already is used */
code = hdb_entry_get_aliases(&entry->entry, &aliases);
if (code)
return code;
for (i = 0; aliases && i < aliases->aliases.len; i++) {
hdb_entry_alias alias;
krb5_data akey, value;
hdb_principal2key(context, &aliases->aliases.val[i], &akey);
code = db->hdb__get(context, db, akey, &value);
krb5_data_free(&akey);
if (code == HDB_ERR_NOENTRY)
continue;
else if (code)
return code;
code = hdb_value2entry_alias(context, &value, &alias);
krb5_data_free(&value);
if (code == ASN1_BAD_ID)
return HDB_ERR_EXISTS;
else if (code)
return code;
code = krb5_principal_compare(context, alias.principal,
entry->entry.principal);
free_hdb_entry_alias(&alias);
if (code == 0)
return HDB_ERR_EXISTS;
}
return 0;
}
krb5_error_code krb5_error_code
_hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
{ {
krb5_data key, value; krb5_data key, value;
int code; int code;
/* check if new aliases already is used */
code = hdb_check_aliases(context, db, entry);
if (code)
return code;
if(entry->entry.generation == NULL) { if(entry->entry.generation == NULL) {
struct timeval t; struct timeval t;
entry->entry.generation = malloc(sizeof(*entry->entry.generation)); entry->entry.generation = malloc(sizeof(*entry->entry.generation));
@@ -238,12 +284,12 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
entry->entry.generation->gen = 0; entry->entry.generation->gen = 0;
} else } else
entry->entry.generation->gen++; entry->entry.generation->gen++;
hdb_principal2key(context, entry->entry.principal, &key);
code = hdb_seal_keys(context, db, &entry->entry); code = hdb_seal_keys(context, db, &entry->entry);
if (code) { if (code)
krb5_data_free(&key);
return code; return code;
}
hdb_principal2key(context, entry->entry.principal, &key);
/* remove aliases */ /* remove aliases */
code = hdb_remove_aliases(context, db, &key); code = hdb_remove_aliases(context, db, &key);

8
tests/db/Makefile.am
View File

@@ -6,7 +6,7 @@ noinst_DATA = krb5.conf
noinst_SCRIPTS = have-db noinst_SCRIPTS = have-db
check_SCRIPTS = loaddump-db add-modify-delete check-dbinfo check_SCRIPTS = loaddump-db add-modify-delete check-dbinfo check-aliases
TESTS = $(check_SCRIPTS) TESTS = $(check_SCRIPTS)
@@ -29,6 +29,11 @@ check-dbinfo: check-dbinfo.in Makefile
chmod +x check-dbinfo.tmp chmod +x check-dbinfo.tmp
mv check-dbinfo.tmp check-dbinfo mv check-dbinfo.tmp check-dbinfo
check-aliases: check-aliases.in Makefile
$(do_subst) < $(srcdir)/check-aliases.in > check-aliases.tmp
chmod +x check-aliases.tmp
mv check-aliases.tmp check-aliases
have-db: have-db.in Makefile have-db: have-db.in Makefile
$(do_subst) < $(srcdir)/have-db.in > have-db.tmp $(do_subst) < $(srcdir)/have-db.in > have-db.tmp
chmod +x have-db.tmp chmod +x have-db.tmp
@@ -54,6 +59,7 @@ CLEANFILES= \
messages.log messages.log
EXTRA_DIST = \ EXTRA_DIST = \
check-aliases.in \
check-dbinfo.in \ check-dbinfo.in \
loaddump-db.in \ loaddump-db.in \
add-modify-delete.in \ add-modify-delete.in \

110
tests/db/check-aliases.in Normal file
View File

@@ -0,0 +1,110 @@
#!/bin/sh
#
# Copyright (c) 2008 Kungliga Tekniska H<>gskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
srcdir="@srcdir@"
objdir="@objdir@"
EGREP="@EGREP@"
testfailed="echo test failed; cat messages.log; exit 1"
# If there is no useful db support compile in, disable test
../db/have-db || exit 77
R=TEST.H5L.SE
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l"
KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG
rm -f current-db*
rm -f out-*
rm -f mkey.file*
> messages.log
echo Creating database
${kadmin} \
init \
--realm-max-ticket-life=1day \
--realm-max-renewable-life=1month \
${R} || exit 1
echo "Adding foo"
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} modify --alias=foo-alias1@${R} --alias=foo-alias2@${R} foo@${R} || exit 1
echo "Adding bar"
${kadmin} add -p foo --use-defaults bar@${R} || exit 1
${kadmin} modify --alias=bar-alias1@${R} bar@${R} || exit 1
echo "Baz does not exists"
echo "Checking dup keys"
${kadmin} modify --alias=foo-alias1@${R} bar@${R} 2>/dev/null && exit 1
${kadmin} modify --alias=foo@${R} bar@${R} 2>/dev/null && exit 1
${kadmin} modify --alias=foo@${R} baz@${R} 2>/dev/null && exit 1
echo "Rename over dup key"
${kadmin} rename bar${R} foo-alias1${R} 2>/dev/null && exit 1
${kadmin} rename bar${R} foo${R} 2>/dev/null && exit 1
${kadmin} rename baz${R} foo-alias1${R} 2>/dev/null && exit 1
${kadmin} rename baz${R} foo${R} 2>/dev/null && exit 1
echo "Delete alias"
${kadmin} delete foo-alias1${R} 2>/dev/null && exit 1
${kadmin} delete bar-alias1${R} 2>/dev/null && exit 1
${kadmin} delete baz-alias1${R} 2>/dev/null && exit 1
echo "Delete"
${kadmin} delete bar@${R} || exit 1
${kadmin} delete bar@${R} 2>/dev/null && exit 1
${kadmin} delete baz@${R} 2>/dev/null && exit 1
echo "Add alias to deleted name"
${kadmin} modify --alias=bar-alias1@${R} foo@${R} || exit 1
${kadmin} modify --alias=bar@${R} foo@${R} || exit 1
${kadmin} modify --alias=bar@${R} --alias=baz@${R} foo@${R} || exit 1
echo "Rename over self alias key"
${kadmin} rename foo@${R} foo-alias1@${R} 2>/dev/null && exit 1
${kadmin} modify --alias= foo@${R} || exit 1
${kadmin} rename foo@${R} foo-alias1@${R} || exit 1
${kadmin} modify --alias=foo foo-alias1@${R} || exit 1
echo "Doing database check"
${kadmin} check ${R} || exit 1
exit $ec