oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

add support for patterns of principals

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8350 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Assar Westerlund
2000-06-07 11:11:44 +00:00
parent 30fcaa8cc4
commit 46f0769f2d
1 changed files with 106 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
lib/kadm5/acl.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1997, 1999 Kungliga Tekniska H<>gskolan * Copyright (c) 1997 - 2000 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden). * (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved. * All rights reserved.
* *
@@ -68,58 +68,110 @@ _kadm5_privs_to_string(u_int32_t privs, char *string, size_t len)
return 0; return 0;
} }
kadm5_ret_t /*
_kadm5_acl_init(kadm5_server_context *context) * retrieve the right for the current caller on `princ' (NULL means all)
* and store them in `flags'
* return 0 or an error.
*/
static kadm5_ret_t
fetch_acl (kadm5_server_context *context,
krb5_const_principal princ,
unsigned *ret_flags)
{ {
FILE *f; unsigned flags = -1;
char buf[128]; FILE *f = fopen(context->config.acl_file, "r");
krb5_principal princ; krb5_error_code ret = 0;
int flags;
krb5_error_code ret;
krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ); if(f != NULL){
ret = krb5_principal_compare(context->context, context->caller, princ); char buf[256];
krb5_free_principal(context->context, princ); char princ_name[256];
if(ret != 0){
context->acl_flags = KADM5_PRIV_ALL;
return 0;
}
flags = -1; if (princ != NULL)
f = fopen(context->config.acl_file, "r"); krb5_unparse_name_fixed (context->context, princ,
if(f){ princ_name, sizeof(princ_name));
while(fgets(buf, sizeof(buf), f)){
while(fgets(buf, sizeof(buf), f) != NULL){
char *foo = NULL, *p; char *foo = NULL, *p;
krb5_principal this_princ;
p = strtok_r(buf, " \t\n", &foo); p = strtok_r(buf, " \t\n", &foo);
if(p == NULL) if(p == NULL)
continue; continue;
ret = krb5_parse_name(context->context, p, &princ); ret = krb5_parse_name(context->context, p, &this_princ);
if(ret) if(ret)
continue; continue;
if(!krb5_principal_compare(context->context, if(!krb5_principal_compare(context->context,
context->caller, princ)){ context->caller, this_princ)) {
krb5_free_principal(context->context, princ); krb5_free_principal(context->context, this_princ);
continue; continue;
} }
krb5_free_principal(context->context, princ); krb5_free_principal(context->context, this_princ);
p = strtok_r(NULL, "\n", &foo); p = strtok_r(NULL, " \t\n", &foo);
if(p == NULL) if(p == NULL)
continue; continue;
ret = _kadm5_string_to_privs(p, &flags); ret = _kadm5_string_to_privs(p, &flags);
break; if (ret)
break;
p = strtok_r(NULL, "\n", &foo);
if (p == NULL) {
if (princ == NULL) {
ret = 0;
break;
} else {
continue;
}
}
if(princ != NULL
&& fnmatch (p, princ_name, FNM_PATHNAME) == 0) {
ret = _kadm5_string_to_privs(p, &flags);
break;
}
} }
fclose(f); fclose(f);
} }
if(flags == -1) if(flags == -1)
flags = 0; flags = 0;
context->acl_flags = flags; if (ret == 0)
return 0; *ret_flags = flags;
return ret;
} }
/*
* set global acl flags in `context' for the current caller.
* return 0 on success or an error
*/
kadm5_ret_t kadm5_ret_t
_kadm5_acl_check_permission(kadm5_server_context *context, unsigned op) _kadm5_acl_init(kadm5_server_context *context)
{ {
unsigned res = ~context->acl_flags & op; krb5_principal princ;
krb5_error_code ret;
ret = krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ);
if (ret)
return ret;
ret = krb5_principal_compare(context->context, context->caller, princ);
krb5_free_principal(context->context, princ);
if(ret != 0) {
context->acl_flags = KADM5_PRIV_ALL;
return 0;
}
return fetch_acl (context, NULL, &context->acl_flags);
}
/*
* check if `flags' allows `op'
* return 0 if OK or an error
*/
static kadm5_ret_t
check_flags (unsigned op,
unsigned flags)
{
unsigned res = ~flags & op;
if(res & KADM5_PRIV_GET) if(res & KADM5_PRIV_GET)
return KADM5_AUTH_GET; return KADM5_AUTH_GET;
if(res & KADM5_PRIV_ADD) if(res & KADM5_PRIV_ADD)
@@ -136,3 +188,26 @@ _kadm5_acl_check_permission(kadm5_server_context *context, unsigned op)
return KADM5_AUTH_INSUFFICIENT; return KADM5_AUTH_INSUFFICIENT;
return 0; return 0;
} }
/*
* return 0 if the current caller in `context' is allowed to perform
* `op' on `princ' and otherwise an error
* princ == NULL if it's not relevant.
*/
kadm5_ret_t
_kadm5_acl_check_permission(kadm5_server_context *context,
unsigned op,
krb5_const_principal princ)
{
kadm5_ret_t ret;
unsigned princ_flags;
ret = check_flags (op, context->acl_flags);
if (ret == 0)
return ret;
ret = fetch_acl (context, princ, &princ_flags);
if (ret)
return ret;
return check_flags (op, princ_flags);
}