krb5, kadm5: refactor plugin API
Refactor plugin framework to use a single list of loaded plugins; add a new plugin API where DSOs export a load function that can declare dependencies and export multiple plugins; refactor kadm5 hook API to use krb5 plugin framework. More information in krb5-plugin(7).
This commit is contained in:

committed by
Nico Williams

parent
e9b3b2326d
commit
803efebca5
46
kdc/windc.c
46
kdc/windc.c
@@ -39,6 +39,21 @@ static int have_plugin = 0;
|
||||
* Pick the first WINDC module that we find.
|
||||
*/
|
||||
|
||||
static const char *windc_plugin_deps[] = {
|
||||
"kdc",
|
||||
"krb5",
|
||||
"hdb",
|
||||
NULL
|
||||
};
|
||||
|
||||
static struct krb5_plugin_data windc_plugin_data = {
|
||||
"krb5",
|
||||
"windc",
|
||||
KRB5_WINDC_PLUGIN_MINOR,
|
||||
windc_plugin_deps,
|
||||
kdc_get_instance
|
||||
};
|
||||
|
||||
static krb5_error_code KRB5_LIB_CALL
|
||||
load(krb5_context context, const void *plug, void *plugctx, void *userctx)
|
||||
{
|
||||
@@ -49,8 +64,8 @@ load(krb5_context context, const void *plug, void *plugctx, void *userctx)
|
||||
krb5_error_code
|
||||
krb5_kdc_windc_init(krb5_context context)
|
||||
{
|
||||
(void)_krb5_plugin_run_f(context, "krb5", "windc",
|
||||
KRB5_WINDC_PLUGIN_MINOR, 0, NULL, load);
|
||||
(void)_krb5_plugin_run_f(context, &windc_plugin_data, 0, NULL, load);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -84,8 +99,8 @@ _kdc_pac_generate(krb5_context context,
|
||||
uc.client = client;
|
||||
uc.pac = pac;
|
||||
|
||||
(void)_krb5_plugin_run_f(context, "krb5", "windc",
|
||||
KRB5_WINDC_PLUGIN_MINOR, 0, &uc, generate);
|
||||
(void)_krb5_plugin_run_f(context, &windc_plugin_data,
|
||||
0, &uc, generate);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -141,8 +156,8 @@ _kdc_pac_verify(krb5_context context,
|
||||
uc.pac = pac;
|
||||
uc.verified = verified;
|
||||
|
||||
(void)_krb5_plugin_run_f(context, "krb5", "windc",
|
||||
KRB5_WINDC_PLUGIN_MINOR, 0, &uc, verify);
|
||||
(void)_krb5_plugin_run_f(context, &windc_plugin_data,
|
||||
0, &uc, verify);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -191,8 +206,8 @@ _kdc_check_access(krb5_context context,
|
||||
uc.req = req;
|
||||
uc.method_data = method_data;
|
||||
|
||||
ret = _krb5_plugin_run_f(context, "krb5", "windc",
|
||||
KRB5_WINDC_PLUGIN_MINOR, 0, &uc, check);
|
||||
ret = _krb5_plugin_run_f(context, &windc_plugin_data,
|
||||
0, &uc, check);
|
||||
}
|
||||
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
@@ -202,3 +217,18 @@ _kdc_check_access(krb5_context context,
|
||||
req->msg_type == krb_as_req);
|
||||
return ret;
|
||||
}
|
||||
|
||||
uintptr_t
|
||||
kdc_get_instance(const char *libname)
|
||||
{
|
||||
static const char *instance = "libkdc";
|
||||
|
||||
if (strcmp(libname, "kdc") == 0)
|
||||
return (uintptr_t)instance;
|
||||
else if (strcmp(libname, "hdb") == 0)
|
||||
return hdb_get_instance(libname);
|
||||
else if (strcmp(libname, "krb5") == 0)
|
||||
return krb5_get_instance(libname);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@@ -390,6 +390,8 @@ make_sym(const char *prefix)
|
||||
return sym;
|
||||
}
|
||||
|
||||
static const char *hdb_plugin_deps[] = { "hdb", "krb5", NULL };
|
||||
|
||||
krb5_error_code
|
||||
hdb_list_builtin(krb5_context context, char **list)
|
||||
{
|
||||
@@ -414,12 +416,17 @@ hdb_list_builtin(krb5_context context, char **list)
|
||||
if (h->create == NULL) {
|
||||
struct cb_s cb_ctx;
|
||||
char *f;
|
||||
char *sym;
|
||||
struct krb5_plugin_data hdb_plugin_data;
|
||||
|
||||
hdb_plugin_data.module = "krb5";
|
||||
hdb_plugin_data.min_version = HDB_INTERFACE_VERSION;
|
||||
hdb_plugin_data.deps = hdb_plugin_deps;
|
||||
hdb_plugin_data.get_instance = hdb_get_instance;
|
||||
|
||||
/* Try loading the plugin */
|
||||
if (asprintf(&f, "%sfoo", h->prefix) == -1)
|
||||
f = NULL;
|
||||
if ((sym = make_sym(h->prefix)) == NULL) {
|
||||
if ((hdb_plugin_data.name = make_sym(h->prefix)) == NULL) {
|
||||
free(buf);
|
||||
free(f);
|
||||
return krb5_enomem(context);
|
||||
@@ -427,11 +434,10 @@ hdb_list_builtin(krb5_context context, char **list)
|
||||
cb_ctx.filename = f;
|
||||
cb_ctx.residual = NULL;
|
||||
cb_ctx.h = NULL;
|
||||
(void)_krb5_plugin_run_f(context, "krb5", sym,
|
||||
HDB_INTERFACE_VERSION, 0, &cb_ctx,
|
||||
callback);
|
||||
(void)_krb5_plugin_run_f(context, &hdb_plugin_data, 0,
|
||||
&cb_ctx, callback);
|
||||
free(f);
|
||||
free(sym);
|
||||
free(rk_UNCONST(hdb_plugin_data.name));
|
||||
if (cb_ctx.h == NULL || cb_ctx.h->create == NULL)
|
||||
continue;
|
||||
}
|
||||
@@ -483,17 +489,35 @@ hdb_create(krb5_context context, HDB **db, const char *filename)
|
||||
cb_ctx.filename = filename;
|
||||
|
||||
if (cb_ctx.h == NULL || cb_ctx.h->create == NULL) {
|
||||
char *sym;
|
||||
struct krb5_plugin_data hdb_plugin_data;
|
||||
|
||||
if ((sym = make_sym(filename)) == NULL)
|
||||
hdb_plugin_data.module = "krb5";
|
||||
hdb_plugin_data.min_version = HDB_INTERFACE_VERSION;
|
||||
hdb_plugin_data.deps = hdb_plugin_deps;
|
||||
hdb_plugin_data.get_instance = hdb_get_instance;
|
||||
|
||||
if ((hdb_plugin_data.name = make_sym(filename)) == NULL)
|
||||
return krb5_enomem(context);
|
||||
|
||||
(void)_krb5_plugin_run_f(context, "krb5", sym, HDB_INTERFACE_VERSION,
|
||||
(void)_krb5_plugin_run_f(context, &hdb_plugin_data,
|
||||
0, &cb_ctx, callback);
|
||||
|
||||
free(sym);
|
||||
free(rk_UNCONST(hdb_plugin_data.name));
|
||||
}
|
||||
if (cb_ctx.h == NULL)
|
||||
krb5_errx(context, 1, "No database support for %s", cb_ctx.filename);
|
||||
return (*cb_ctx.h->create)(context, db, cb_ctx.residual);
|
||||
}
|
||||
|
||||
uintptr_t
|
||||
hdb_get_instance(const char *libname)
|
||||
{
|
||||
static const char *instance = "libhdb";
|
||||
|
||||
if (strcmp(libname, "hdb") == 0)
|
||||
return (uintptr_t)instance;
|
||||
else if (strcmp(libname, "krb5") == 0)
|
||||
return krb5_get_instance(libname);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@@ -31,6 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "krb5_locl.h"
|
||||
#include "hdb_locl.h"
|
||||
|
||||
struct hx509_certs_data;
|
||||
@@ -45,7 +46,6 @@ struct _krb5_key_data;
|
||||
struct _krb5_encryption_type;
|
||||
struct _krb5_key_type;
|
||||
#include <pkinit_asn1.h>
|
||||
#include <krb5-private.h>
|
||||
#include <base64.h>
|
||||
|
||||
/*
|
||||
|
@@ -43,6 +43,7 @@ EXPORTS
|
||||
hdb_generate_key_set_password
|
||||
hdb_generate_key_set_password_with_ks_tuple
|
||||
hdb_get_dbinfo
|
||||
hdb_get_instance
|
||||
hdb_init_db
|
||||
hdb_interface_version DATA
|
||||
hdb_key2principal
|
||||
|
@@ -46,6 +46,7 @@ HEIMDAL_HDB_1.0 {
|
||||
hdb_generate_key_set_password;
|
||||
hdb_generate_key_set_password_with_ks_tuple;
|
||||
hdb_get_dbinfo;
|
||||
hdb_get_instance;
|
||||
hdb_init_db;
|
||||
hdb_key2principal;
|
||||
hdb_kvno2keys;
|
||||
|
@@ -3,6 +3,7 @@
|
||||
include $(top_srcdir)/Makefile.am.common
|
||||
|
||||
libkadm5srv_la_CPPFLAGS = -I$(srcdir)/../krb5
|
||||
libkadm5clnt_la_CPPFLAGS = -I$(srcdir)/../krb5
|
||||
|
||||
lib_LTLIBRARIES = libkadm5srv.la libkadm5clnt.la
|
||||
libkadm5srv_la_LDFLAGS = -version-info 8:1:0
|
||||
@@ -34,6 +35,7 @@ libkadm5clnt_la_LIBADD = \
|
||||
libexec_PROGRAMS = ipropd-master ipropd-slave
|
||||
|
||||
default_keys_SOURCES = default_keys.c
|
||||
default_keys_CPPFLAGS = -I$(srcdir)/../krb5
|
||||
|
||||
kadm5includedir = $(includedir)/kadm5
|
||||
buildkadm5include = $(buildinclude)/kadm5
|
||||
@@ -130,8 +132,10 @@ dist_iprop_log_SOURCES = iprop-log.c
|
||||
nodist_iprop_log_SOURCES = iprop-commands.c
|
||||
|
||||
ipropd_master_SOURCES = ipropd_master.c ipropd_common.c iprop.h kadm5_locl.h
|
||||
ipropd_master_CPPFLAGS = -I$(srcdir)/../krb5
|
||||
|
||||
ipropd_slave_SOURCES = ipropd_slave.c ipropd_common.c iprop.h kadm5_locl.h
|
||||
ipropd_slave_CPPFLAGS = -I$(srcdir)/../krb5
|
||||
|
||||
man_MANS = kadm5_pwcheck.3 iprop.8 iprop-log.8
|
||||
|
||||
@@ -146,6 +150,7 @@ LDADD = \
|
||||
$(LIB_dlopen) \
|
||||
$(LIB_pidfile)
|
||||
|
||||
|
||||
iprop_log_LDADD = \
|
||||
libkadm5srv.la \
|
||||
$(top_builddir)/lib/hdb/libhdb.la \
|
||||
@@ -159,6 +164,7 @@ iprop_log_LDADD = \
|
||||
$(LIB_dlopen) \
|
||||
$(LIB_pidfile)
|
||||
|
||||
iprop_log_CPPFLAGS = -I$(srcdir)/../krb5
|
||||
|
||||
iprop-commands.c iprop-commands.h: iprop-commands.in
|
||||
$(SLC) $(srcdir)/iprop-commands.in
|
||||
@@ -182,6 +188,7 @@ ALL_OBJECTS += $(ipropd_slave_OBJECTS)
|
||||
ALL_OBJECTS += $(iprop_log_OBJECTS)
|
||||
ALL_OBJECTS += $(test_pw_quality_OBJECTS)
|
||||
ALL_OBJECTS += $(sample_passwd_check_la_OBJECTS)
|
||||
ALL_OBJECTS += $(sample_hook_la_OBJECTS)
|
||||
ALL_OBJECTS += $(default_keys_OBJECTS)
|
||||
|
||||
$(ALL_OBJECTS): $(srcdir)/kadm5-protos.h $(srcdir)/kadm5-private.h
|
||||
|
@@ -268,10 +268,10 @@ EXPORTS
|
||||
<<
|
||||
$(DLLPREP_NODIST)
|
||||
|
||||
$(OBJ)\sample_hook.dll: $(OBJ)\sample_hook.obj $(LIBHEIMDAL)
|
||||
$(OBJ)\sample_hook.dll: $(OBJ)\sample_hook.obj $(LIBKADM5SRV) $(LIBHEIMDAL)
|
||||
$(DLLGUILINK) /DEF:<<
|
||||
EXPORTS
|
||||
kadm5_hook_init
|
||||
kadm5_hook_plugin_load
|
||||
<<
|
||||
$(DLLPREP_NODIST)
|
||||
|
||||
|
@@ -35,6 +35,42 @@
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
struct chpass_principal_hook_ctx {
|
||||
kadm5_server_context *context;
|
||||
enum kadm5_hook_stage stage;
|
||||
krb5_error_code code;
|
||||
krb5_const_principal princ;
|
||||
uint32_t flags;
|
||||
size_t n_ks_tuple;
|
||||
krb5_key_salt_tuple *ks_tuple;
|
||||
const char *password;
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
chpass_principal_hook_cb(krb5_context context,
|
||||
const void *hook,
|
||||
void *hookctx,
|
||||
void *userctx)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
const struct kadm5_hook_ftable *ftable = hook;
|
||||
struct chpass_principal_hook_ctx *ctx = userctx;
|
||||
|
||||
ret = ftable->chpass(context, hookctx,
|
||||
ctx->stage, ctx->code, ctx->princ,
|
||||
ctx->flags, ctx->n_ks_tuple, ctx->ks_tuple,
|
||||
ctx->password);
|
||||
if (ret != 0 && ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
_kadm5_s_set_hook_error_message(ctx->context, ret, "chpass",
|
||||
hook, ctx->stage);
|
||||
|
||||
/* only pre-commit plugins can abort */
|
||||
if (ret == 0 || ctx->stage == KADM5_HOOK_STAGE_POSTCOMMIT)
|
||||
ret = KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static kadm5_ret_t
|
||||
chpass_principal_hook(kadm5_server_context *context,
|
||||
enum kadm5_hook_stage stage,
|
||||
@@ -45,24 +81,22 @@ chpass_principal_hook(kadm5_server_context *context,
|
||||
krb5_key_salt_tuple *ks_tuple,
|
||||
const char *password)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
size_t i;
|
||||
krb5_error_code ret;
|
||||
struct chpass_principal_hook_ctx ctx;
|
||||
|
||||
for (i = 0; i < context->num_hooks; i++) {
|
||||
kadm5_hook_context *hook = context->hooks[i];
|
||||
ctx.context = context;
|
||||
ctx.stage = stage;
|
||||
ctx.code = code;
|
||||
ctx.princ = princ;
|
||||
ctx.flags = flags;
|
||||
ctx.n_ks_tuple = n_ks_tuple;
|
||||
ctx.ks_tuple = ks_tuple;
|
||||
ctx.password = password;
|
||||
|
||||
if (hook->hook->chpass != NULL) {
|
||||
ret = hook->hook->chpass(context->context, hook->data,
|
||||
stage, code, princ, flags,
|
||||
n_ks_tuple, ks_tuple, password);
|
||||
if (ret != 0) {
|
||||
_kadm5_s_set_hook_error_message(context, ret, "chpass",
|
||||
hook->hook, stage);
|
||||
if (stage == KADM5_HOOK_STAGE_PRECOMMIT)
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
ret = _krb5_plugin_run_f(context->context, &kadm5_hook_plugin_data,
|
||||
0, &ctx, chpass_principal_hook_cb);
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
ret = 0;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@@ -102,6 +102,39 @@ create_principal(kadm5_server_context *context,
|
||||
&ent->entry.created_by.principal);
|
||||
}
|
||||
|
||||
struct create_principal_hook_ctx {
|
||||
kadm5_server_context *context;
|
||||
enum kadm5_hook_stage stage;
|
||||
krb5_error_code code;
|
||||
kadm5_principal_ent_t princ;
|
||||
uint32_t mask;
|
||||
const char *password;
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
create_principal_hook_cb(krb5_context context,
|
||||
const void *hook,
|
||||
void *hookctx,
|
||||
void *userctx)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
const struct kadm5_hook_ftable *ftable = hook;
|
||||
struct create_principal_hook_ctx *ctx = userctx;
|
||||
|
||||
ret = ftable->create(context, hookctx,
|
||||
ctx->stage, ctx->code, ctx->princ,
|
||||
ctx->mask, ctx->password);
|
||||
if (ret != 0 && ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
_kadm5_s_set_hook_error_message(ctx->context, ret, "create",
|
||||
hook, ctx->stage);
|
||||
|
||||
/* only pre-commit plugins can abort */
|
||||
if (ret == 0 || ctx->stage == KADM5_HOOK_STAGE_POSTCOMMIT)
|
||||
ret = KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static kadm5_ret_t
|
||||
create_principal_hook(kadm5_server_context *context,
|
||||
enum kadm5_hook_stage stage,
|
||||
@@ -110,23 +143,20 @@ create_principal_hook(kadm5_server_context *context,
|
||||
uint32_t mask,
|
||||
const char *password)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
size_t i;
|
||||
krb5_error_code ret;
|
||||
struct create_principal_hook_ctx ctx;
|
||||
|
||||
for (i = 0; i < context->num_hooks; i++) {
|
||||
kadm5_hook_context *hook = context->hooks[i];
|
||||
ctx.context = context;
|
||||
ctx.stage = stage;
|
||||
ctx.code = code;
|
||||
ctx.princ = princ;
|
||||
ctx.mask = mask;
|
||||
ctx.password = password;
|
||||
|
||||
if (hook->hook->create != NULL) {
|
||||
ret = hook->hook->create(context->context, hook->data,
|
||||
stage, code, princ, mask, password);
|
||||
if (ret != 0) {
|
||||
_kadm5_s_set_hook_error_message(context, ret, "create",
|
||||
hook->hook, stage);
|
||||
if (stage == KADM5_HOOK_STAGE_PRECOMMIT)
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
ret = _krb5_plugin_run_f(context->context, &kadm5_hook_plugin_data,
|
||||
0, &ctx, create_principal_hook_cb);
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
ret = 0;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@@ -35,29 +35,54 @@
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
struct delete_principal_hook_ctx {
|
||||
kadm5_server_context *context;
|
||||
enum kadm5_hook_stage stage;
|
||||
krb5_error_code code;
|
||||
krb5_const_principal princ;
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
delete_principal_hook_cb(krb5_context context,
|
||||
const void *hook,
|
||||
void *hookctx,
|
||||
void *userctx)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
const struct kadm5_hook_ftable *ftable = hook;
|
||||
struct delete_principal_hook_ctx *ctx = userctx;
|
||||
|
||||
ret = ftable->delete(context, hookctx,
|
||||
ctx->stage, ctx->code, ctx->princ);
|
||||
if (ret != 0 && ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
_kadm5_s_set_hook_error_message(ctx->context, ret, "delete",
|
||||
hook, ctx->stage);
|
||||
|
||||
/* only pre-commit plugins can abort */
|
||||
if (ret == 0 || ctx->stage == KADM5_HOOK_STAGE_POSTCOMMIT)
|
||||
ret = KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static kadm5_ret_t
|
||||
delete_principal_hook(kadm5_server_context *context,
|
||||
enum kadm5_hook_stage stage,
|
||||
krb5_error_code code,
|
||||
krb5_const_principal princ)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
size_t i;
|
||||
krb5_error_code ret;
|
||||
struct delete_principal_hook_ctx ctx;
|
||||
|
||||
for (i = 0; i < context->num_hooks; i++) {
|
||||
kadm5_hook_context *hook = context->hooks[i];
|
||||
ctx.context = context;
|
||||
ctx.stage = stage;
|
||||
ctx.code = code;
|
||||
ctx.princ = princ;
|
||||
|
||||
if (hook->hook->delete != NULL) {
|
||||
ret = hook->hook->delete(context->context, hook->data,
|
||||
stage, code, princ);
|
||||
if (ret != 0) {
|
||||
_kadm5_s_set_hook_error_message(context, ret, "delete",
|
||||
hook->hook, stage);
|
||||
if (stage == KADM5_HOOK_STAGE_PRECOMMIT)
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
ret = _krb5_plugin_run_f(context->context, &kadm5_hook_plugin_data,
|
||||
0, &ctx, delete_principal_hook_cb);
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
ret = 0;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@@ -37,9 +37,12 @@
|
||||
|
||||
/*
|
||||
* Each hook is called before the operation using KADM5_STAGE_PRECOMMIT and
|
||||
* then after the operation using KADM5_STAGE_POSTCOMMIT. If the hook returns
|
||||
* then after the operation using KADM5_STAGE_POSTCOMMIT. If the hook returns
|
||||
* failure during precommit, the operation is aborted without changes to the
|
||||
* database.
|
||||
* database. All post-commit hook are invoked if the operation was attempted.
|
||||
*
|
||||
* Note that unlike libkrb5 plugins, returning success does not prevent other
|
||||
* plugins being called (i.e. it is equivalent to KRB5_PLUGIN_NO_HANDLE).
|
||||
*/
|
||||
enum kadm5_hook_stage {
|
||||
KADM5_HOOK_STAGE_PRECOMMIT,
|
||||
@@ -49,25 +52,14 @@ enum kadm5_hook_stage {
|
||||
#define KADM5_HOOK_FLAG_KEEPOLD 0x1 /* keep old password */
|
||||
#define KADM5_HOOK_FLAG_CONDITIONAL 0x2 /* only change password if different */
|
||||
|
||||
/*
|
||||
* libkadm5srv expects a symbol named kadm5_hook_init that must be a function
|
||||
* of type kadm5_hook_init_t. The function will be called with the maximum
|
||||
* version of the hook API supported by libkadm5; the plugin may return an
|
||||
* earlier version.
|
||||
*/
|
||||
typedef struct kadm5_hook {
|
||||
typedef struct kadm5_hook_ftable {
|
||||
int version;
|
||||
krb5_error_code (KRB5_CALLCONV *init)(krb5_context, void **data);
|
||||
void (KRB5_CALLCONV *fini)(void *data);
|
||||
|
||||
const char *name;
|
||||
uint32_t version;
|
||||
const char *vendor;
|
||||
|
||||
/*
|
||||
* Set this to krb5_init_context(): kadmin will use this to verify
|
||||
* that we are linked against the same libkrb5.
|
||||
*/
|
||||
krb5_error_code (KRB5_CALLCONV *init_context)(krb5_context *);
|
||||
|
||||
void (KRB5_CALLCONV *fini)(krb5_context, void *data);
|
||||
|
||||
/*
|
||||
* Hook functions; NULL functions are ignored. code is only valid on
|
||||
* post-commit hooks and represents the result of the commit. Post-
|
||||
@@ -128,12 +120,23 @@ typedef struct kadm5_hook {
|
||||
size_t n_keys,
|
||||
krb5_keyblock *keyblocks);
|
||||
|
||||
} kadm5_hook;
|
||||
krb5_error_code (KRB5_CALLCONV *prune)(krb5_context context,
|
||||
void *data,
|
||||
enum kadm5_hook_stage stage,
|
||||
krb5_error_code code,
|
||||
krb5_const_principal princ,
|
||||
int kvno);
|
||||
|
||||
} kadm5_hook_ftable;
|
||||
|
||||
/*
|
||||
* libkadm5srv expects a symbol named kadm5_hook_plugin_load that must be a
|
||||
* function of type kadm5_hook_plugin_load_t.
|
||||
*/
|
||||
typedef krb5_error_code
|
||||
(KRB5_CALLCONV *kadm5_hook_init_t)(krb5_context context,
|
||||
uint32_t kadm5_version_max,
|
||||
const kadm5_hook **hook,
|
||||
void **data);
|
||||
(KRB5_CALLCONV *kadm5_hook_plugin_load_t)(krb5_context context,
|
||||
krb5_get_instance_func_t *func,
|
||||
size_t *n_hooks,
|
||||
const kadm5_hook_ftable *const **hooks);
|
||||
|
||||
#endif /* !KADM5_HOOK_H */
|
||||
|
@@ -74,6 +74,7 @@
|
||||
#include <netdb.h>
|
||||
#endif
|
||||
#include <fnmatch.h>
|
||||
#include <krb5_locl.h>
|
||||
#include "admin.h"
|
||||
#include "kadm5_err.h"
|
||||
#include <hdb.h>
|
||||
|
@@ -20,6 +20,7 @@ EXPORTS
|
||||
kadm5_free_name_list
|
||||
kadm5_free_policy_ent
|
||||
kadm5_free_principal_ent
|
||||
kadm5_get_instance
|
||||
kadm5_get_policies
|
||||
kadm5_get_policy
|
||||
kadm5_get_principal
|
||||
|
@@ -35,6 +35,37 @@
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
struct modify_principal_hook_ctx {
|
||||
kadm5_server_context *context;
|
||||
enum kadm5_hook_stage stage;
|
||||
krb5_error_code code;
|
||||
kadm5_principal_ent_t princ;
|
||||
uint32_t mask;
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
modify_principal_hook_cb(krb5_context context,
|
||||
const void *hook,
|
||||
void *hookctx,
|
||||
void *userctx)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
const struct kadm5_hook_ftable *ftable = hook;
|
||||
struct modify_principal_hook_ctx *ctx = userctx;
|
||||
|
||||
ret = ftable->modify(context, hookctx, ctx->stage,
|
||||
ctx->code, ctx->princ, ctx->mask);
|
||||
if (ret != 0 && ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
_kadm5_s_set_hook_error_message(ctx->context, ret, "modify",
|
||||
hook, ctx->stage);
|
||||
|
||||
/* only pre-commit plugins can abort */
|
||||
if (ret == 0 || ctx->stage == KADM5_HOOK_STAGE_POSTCOMMIT)
|
||||
ret = KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static kadm5_ret_t
|
||||
modify_principal_hook(kadm5_server_context *context,
|
||||
enum kadm5_hook_stage stage,
|
||||
@@ -42,23 +73,19 @@ modify_principal_hook(kadm5_server_context *context,
|
||||
kadm5_principal_ent_t princ,
|
||||
uint32_t mask)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
size_t i;
|
||||
krb5_error_code ret;
|
||||
struct modify_principal_hook_ctx ctx;
|
||||
|
||||
for (i = 0; i < context->num_hooks; i++) {
|
||||
kadm5_hook_context *hook = context->hooks[i];
|
||||
ctx.context = context;
|
||||
ctx.stage = stage;
|
||||
ctx.code = code;
|
||||
ctx.princ = princ;
|
||||
ctx.mask = mask;
|
||||
|
||||
if (hook->hook->modify != NULL) {
|
||||
ret = hook->hook->modify(context->context, hook->data,
|
||||
stage, code, princ, mask);
|
||||
if (ret != 0) {
|
||||
_kadm5_s_set_hook_error_message(context, ret, "modify",
|
||||
hook->hook, stage);
|
||||
if (stage == KADM5_HOOK_STAGE_PRECOMMIT)
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
ret = _krb5_plugin_run_f(context->context, &kadm5_hook_plugin_data,
|
||||
0, &ctx, modify_principal_hook_cb);
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
ret = 0;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@@ -71,8 +71,8 @@ struct kadm_func {
|
||||
};
|
||||
|
||||
typedef struct kadm5_hook_context {
|
||||
void *handle;
|
||||
const kadm5_hook *hook;
|
||||
void *dsohandle;
|
||||
const kadm5_hook_ftable *hook;
|
||||
void *data;
|
||||
} kadm5_hook_context;
|
||||
|
||||
@@ -197,6 +197,8 @@ enum kadm_recover_mode {
|
||||
#define KADMIN_APPL_VERSION "KADM0.1"
|
||||
#define KADMIN_OLD_APPL_VERSION "KADM0.0"
|
||||
|
||||
extern struct krb5_plugin_data kadm5_hook_plugin_data;
|
||||
|
||||
#include "kadm5-private.h"
|
||||
|
||||
#endif /* __kadm5_privatex_h__ */
|
||||
|
@@ -34,6 +34,61 @@
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
struct prune_principal_hook_ctx {
|
||||
kadm5_server_context *context;
|
||||
enum kadm5_hook_stage stage;
|
||||
krb5_error_code code;
|
||||
krb5_const_principal princ;
|
||||
int kvno;
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
prune_principal_hook_cb(krb5_context context,
|
||||
const void *hook,
|
||||
void *hookctx,
|
||||
void *userctx)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
const struct kadm5_hook_ftable *ftable = hook;
|
||||
struct prune_principal_hook_ctx *ctx = userctx;
|
||||
|
||||
ret = ftable->prune(context, hookctx,
|
||||
ctx->stage, ctx->code, ctx->princ, ctx->kvno);
|
||||
if (ret != 0 && ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
_kadm5_s_set_hook_error_message(ctx->context, ret, "prune",
|
||||
hook, ctx->stage);
|
||||
|
||||
/* only pre-commit plugins can abort */
|
||||
if (ret == 0 || ctx->stage == KADM5_HOOK_STAGE_POSTCOMMIT)
|
||||
ret = KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static kadm5_ret_t
|
||||
prune_principal_hook(kadm5_server_context *context,
|
||||
enum kadm5_hook_stage stage,
|
||||
krb5_error_code code,
|
||||
krb5_const_principal princ,
|
||||
int kvno)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
struct prune_principal_hook_ctx ctx;
|
||||
|
||||
ctx.context = context;
|
||||
ctx.stage = stage;
|
||||
ctx.code = code;
|
||||
ctx.princ = princ;
|
||||
ctx.kvno = kvno;
|
||||
|
||||
ret = _krb5_plugin_run_f(context->context, &kadm5_hook_plugin_data,
|
||||
0, &ctx, prune_principal_hook_cb);
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
ret = 0;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
kadm5_ret_t
|
||||
kadm5_s_prune_principal(void *server_handle,
|
||||
krb5_principal princ,
|
||||
@@ -59,6 +114,11 @@ kadm5_s_prune_principal(void *server_handle,
|
||||
if (ret)
|
||||
goto out2;
|
||||
|
||||
ret = prune_principal_hook(context, KADM5_HOOK_STAGE_PRECOMMIT,
|
||||
0, princ, kvno);
|
||||
if (ret)
|
||||
goto out3;
|
||||
|
||||
ret = hdb_prune_keys_kvno(context->context, &ent.entry, kvno);
|
||||
if (ret)
|
||||
goto out3;
|
||||
@@ -69,6 +129,9 @@ kadm5_s_prune_principal(void *server_handle,
|
||||
|
||||
ret = kadm5_log_modify(context, &ent.entry, KADM5_KEY_DATA);
|
||||
|
||||
(void) prune_principal_hook(context, KADM5_HOOK_STAGE_POSTCOMMIT,
|
||||
ret, princ, kvno);
|
||||
|
||||
out3:
|
||||
hdb_free_entry(context->context, &ent);
|
||||
out2:
|
||||
|
@@ -35,29 +35,54 @@
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
struct randkey_principal_hook_ctx {
|
||||
kadm5_server_context *context;
|
||||
enum kadm5_hook_stage stage;
|
||||
krb5_error_code code;
|
||||
krb5_const_principal princ;
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
randkey_principal_hook_cb(krb5_context context,
|
||||
const void *hook,
|
||||
void *hookctx,
|
||||
void *userctx)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
const struct kadm5_hook_ftable *ftable = hook;
|
||||
struct randkey_principal_hook_ctx *ctx = userctx;
|
||||
|
||||
ret = ftable->randkey(context, hookctx,
|
||||
ctx->stage, ctx->code, ctx->princ);
|
||||
if (ret != 0 && ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
_kadm5_s_set_hook_error_message(ctx->context, ret, "randkey",
|
||||
hook, ctx->stage);
|
||||
|
||||
/* only pre-commit plugins can abort */
|
||||
if (ret == 0 || ctx->stage == KADM5_HOOK_STAGE_POSTCOMMIT)
|
||||
ret = KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static kadm5_ret_t
|
||||
randkey_principal_hook(kadm5_server_context *context,
|
||||
enum kadm5_hook_stage stage,
|
||||
krb5_error_code code,
|
||||
krb5_const_principal princ)
|
||||
enum kadm5_hook_stage stage,
|
||||
krb5_error_code code,
|
||||
krb5_const_principal princ)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
size_t i;
|
||||
krb5_error_code ret;
|
||||
struct randkey_principal_hook_ctx ctx;
|
||||
|
||||
for (i = 0; i < context->num_hooks; i++) {
|
||||
kadm5_hook_context *hook = context->hooks[i];
|
||||
ctx.context = context;
|
||||
ctx.stage = stage;
|
||||
ctx.code = code;
|
||||
ctx.princ = princ;
|
||||
|
||||
if (hook->hook->randkey != NULL) {
|
||||
ret = hook->hook->randkey(context->context, hook->data,
|
||||
stage, code, princ);
|
||||
if (ret != 0) {
|
||||
_kadm5_s_set_hook_error_message(context, ret, "randkey",
|
||||
hook->hook, stage);
|
||||
if (stage == KADM5_HOOK_STAGE_PRECOMMIT)
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
ret = _krb5_plugin_run_f(context->context, &kadm5_hook_plugin_data,
|
||||
0, &ctx, randkey_principal_hook_cb);
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
ret = 0;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@@ -35,6 +35,37 @@
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
struct rename_principal_hook_ctx {
|
||||
kadm5_server_context *context;
|
||||
enum kadm5_hook_stage stage;
|
||||
krb5_error_code code;
|
||||
krb5_const_principal source, target;
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
rename_principal_hook_cb(krb5_context context,
|
||||
const void *hook,
|
||||
void *hookctx,
|
||||
void *userctx)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
const struct kadm5_hook_ftable *ftable = hook;
|
||||
struct rename_principal_hook_ctx *ctx = userctx;
|
||||
|
||||
ret = ftable->rename(context, hookctx,
|
||||
ctx->stage, ctx->code,
|
||||
ctx->source, ctx->target);
|
||||
if (ret != 0 && ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
_kadm5_s_set_hook_error_message(ctx->context, ret, "rename",
|
||||
hook, ctx->stage);
|
||||
|
||||
/* only pre-commit plugins can abort */
|
||||
if (ret == 0 || ctx->stage == KADM5_HOOK_STAGE_POSTCOMMIT)
|
||||
ret = KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static kadm5_ret_t
|
||||
rename_principal_hook(kadm5_server_context *context,
|
||||
enum kadm5_hook_stage stage,
|
||||
@@ -42,23 +73,19 @@ rename_principal_hook(kadm5_server_context *context,
|
||||
krb5_const_principal source,
|
||||
krb5_const_principal target)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
size_t i;
|
||||
krb5_error_code ret;
|
||||
struct rename_principal_hook_ctx ctx;
|
||||
|
||||
for (i = 0; i < context->num_hooks; i++) {
|
||||
kadm5_hook_context *hook = context->hooks[i];
|
||||
ctx.context = context;
|
||||
ctx.stage = stage;
|
||||
ctx.code = code;
|
||||
ctx.source = source;
|
||||
ctx.target = target;
|
||||
|
||||
if (hook->hook->rename != NULL) {
|
||||
ret = hook->hook->rename(context->context, hook->data,
|
||||
stage, code, source, target);
|
||||
if (ret != 0) {
|
||||
_kadm5_s_set_hook_error_message(context, ret, "rename",
|
||||
hook->hook, stage);
|
||||
if (stage == KADM5_HOOK_STAGE_PRECOMMIT)
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
ret = _krb5_plugin_run_f(context->context, &kadm5_hook_plugin_data,
|
||||
0, &ctx, rename_principal_hook_cb);
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
ret = 0;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2018, AuriStor Inc.
|
||||
* Copyright (c) 2018, AuriStor, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
@@ -29,9 +29,26 @@
|
||||
*
|
||||
*/
|
||||
|
||||
#include "kadm5_locl.h"
|
||||
#include <assert.h>
|
||||
|
||||
static char sample_data[1];
|
||||
#include <krb5.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "admin.h"
|
||||
#include "kadm5-hook.h"
|
||||
|
||||
/*
|
||||
* Sample kadm5 hook plugin that just logs when it is called. Install it
|
||||
* somewhere and configure the path in the [kadmin] section of krb5.conf.
|
||||
* e.g.
|
||||
*
|
||||
* [kadmin]
|
||||
* plugin_dir = /usr/local/heimdal/lib/plugin/kadm5
|
||||
*
|
||||
*/
|
||||
|
||||
static char sample_data_1, sample_data_2;
|
||||
|
||||
static krb5_error_code
|
||||
sample_log(krb5_context context,
|
||||
@@ -43,28 +60,52 @@ sample_log(krb5_context context,
|
||||
{
|
||||
char *p = NULL;
|
||||
krb5_error_code ret;
|
||||
int which = 0;
|
||||
|
||||
if (data != sample_data)
|
||||
return EINVAL;
|
||||
if (code != 0 && stage == KADM5_HOOK_STAGE_PRECOMMIT)
|
||||
return EINVAL;
|
||||
/* verify we get called with the right contex tpointer */
|
||||
if (data == &sample_data_1)
|
||||
which = 1;
|
||||
else if (data == &sample_data_2)
|
||||
which = 2;
|
||||
|
||||
assert(which != 0);
|
||||
|
||||
/* code should always be zero on pre-commit */
|
||||
assert(code == 0 || stage == KADM5_HOOK_STAGE_POSTCOMMIT);
|
||||
|
||||
if (princ)
|
||||
ret = krb5_unparse_name(context, princ, &p);
|
||||
|
||||
krb5_warn(context, code, "sample_hook: %s %s hook princ '%s'", tag,
|
||||
krb5_warn(context, code, "sample_hook_%d: %s %s hook princ '%s'", which, tag,
|
||||
stage == KADM5_HOOK_STAGE_PRECOMMIT ? "pre-commit" : "post-commit",
|
||||
p != NULL ? p : "<unknown>");
|
||||
|
||||
krb5_xfree(p);
|
||||
|
||||
/* returning zero and KRB5_PLUGIN_NO_HANDLE are the same for hook plugins */
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_error_code KRB5_CALLCONV
|
||||
sample_init_1(krb5_context context, void **data)
|
||||
{
|
||||
*data = &sample_data_1;
|
||||
krb5_warn(context, 0, "sample_hook_1: initializing");
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_error_code KRB5_CALLCONV
|
||||
sample_init_2(krb5_context context, void **data)
|
||||
{
|
||||
*data = &sample_data_2;
|
||||
krb5_warn(context, 0, "sample_hook_2: initializing");
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void KRB5_CALLCONV
|
||||
sample_fini(krb5_context context, void *data)
|
||||
sample_fini(void *data)
|
||||
{
|
||||
krb5_warn(context, 0, "sample_hook: shutting down\n");
|
||||
krb5_warn(NULL, 0, "sample_fini: finalizing");
|
||||
}
|
||||
|
||||
static krb5_error_code KRB5_CALLCONV
|
||||
@@ -150,36 +191,82 @@ sample_set_keys_hook(krb5_context context,
|
||||
return sample_log(context, data, stage, "set_keys", code, princ);
|
||||
}
|
||||
|
||||
static struct kadm5_hook sample_hook = {
|
||||
"sample-hook",
|
||||
static krb5_error_code KRB5_CALLCONV
|
||||
sample_prune_hook(krb5_context context,
|
||||
void *data,
|
||||
enum kadm5_hook_stage stage,
|
||||
krb5_error_code code,
|
||||
krb5_const_principal princ,
|
||||
int kvno)
|
||||
{
|
||||
return sample_log(context, data, stage, "prune", code, princ);
|
||||
}
|
||||
|
||||
|
||||
static const kadm5_hook_ftable sample_hook_1 = {
|
||||
KADM5_HOOK_VERSION_V1,
|
||||
"Heimdal",
|
||||
krb5_init_context,
|
||||
sample_init_1,
|
||||
sample_fini,
|
||||
"sample_hook_1",
|
||||
"Heimdal",
|
||||
sample_chpass_hook,
|
||||
sample_create_hook,
|
||||
sample_modify_hook,
|
||||
sample_delete_hook,
|
||||
sample_randkey_hook,
|
||||
sample_rename_hook,
|
||||
sample_set_keys_hook
|
||||
sample_set_keys_hook,
|
||||
sample_prune_hook,
|
||||
};
|
||||
|
||||
static const kadm5_hook_ftable sample_hook_2 = {
|
||||
KADM5_HOOK_VERSION_V1,
|
||||
sample_init_2,
|
||||
sample_fini,
|
||||
"sample_hook_2",
|
||||
"Heimdal",
|
||||
sample_chpass_hook,
|
||||
sample_create_hook,
|
||||
sample_modify_hook,
|
||||
sample_delete_hook,
|
||||
sample_randkey_hook,
|
||||
sample_rename_hook,
|
||||
sample_set_keys_hook,
|
||||
sample_prune_hook,
|
||||
};
|
||||
|
||||
/* Arrays of pointers, because hooks may be different versions/sizes */
|
||||
static const kadm5_hook_ftable *const sample_hooks[] = {
|
||||
&sample_hook_1,
|
||||
&sample_hook_2,
|
||||
};
|
||||
|
||||
krb5_error_code
|
||||
kadm5_hook_init(krb5_context context, uint32_t vers_max,
|
||||
const kadm5_hook **hook, void **data);
|
||||
kadm5_hook_plugin_load(krb5_context context,
|
||||
krb5_get_instance_func_t *get_instance,
|
||||
size_t *num_hooks,
|
||||
const kadm5_hook_ftable *const **hooks);
|
||||
|
||||
krb5_error_code
|
||||
kadm5_hook_init(krb5_context context, uint32_t vers_max,
|
||||
const kadm5_hook **hook, void **data)
|
||||
static uintptr_t
|
||||
sample_hook_get_instance(const char *libname)
|
||||
{
|
||||
if (vers_max < KADM5_HOOK_VERSION_V1)
|
||||
return EINVAL;
|
||||
|
||||
krb5_warn(context, 0, "sample_hook: init version %u\n", vers_max);
|
||||
|
||||
*hook = &sample_hook;
|
||||
*data = sample_data;
|
||||
if (strcmp(libname, "kadm5") == 0)
|
||||
return kadm5_get_instance(libname);
|
||||
else if (strcmp(libname, "krb5") == 0)
|
||||
return krb5_get_instance(libname);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
krb5_error_code
|
||||
kadm5_hook_plugin_load(krb5_context context,
|
||||
krb5_get_instance_func_t *get_instance,
|
||||
size_t *num_hooks,
|
||||
const kadm5_hook_ftable *const **hooks)
|
||||
{
|
||||
*get_instance = sample_hook_get_instance;
|
||||
*num_hooks = sizeof(sample_hooks) / sizeof(sample_hooks[0]);
|
||||
*hooks = sample_hooks;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@@ -1,58 +1,55 @@
|
||||
/*
|
||||
* Copyright 2010
|
||||
* The Board of Trustees of the Leland Stanford Junior University
|
||||
* Copyright (c) 2018, AuriStor, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* - Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* - Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. Neither the name of the Institute nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "kadm5_locl.h"
|
||||
|
||||
#ifdef HAVE_DLFCN_H
|
||||
#include <dlfcn.h>
|
||||
|
||||
#ifndef RTLD_NOW
|
||||
# define RTLD_NOW 0
|
||||
#endif
|
||||
|
||||
#ifndef RTLD_LOCAL
|
||||
#define RTLD_LOCAL 0
|
||||
#endif
|
||||
|
||||
#ifndef RTLD_GROUP
|
||||
#define RTLD_GROUP 0
|
||||
#endif
|
||||
#endif /* HAVE_DLFCN_H */
|
||||
static const char *kadm5_hook_plugin_deps[] = {
|
||||
"kadm5",
|
||||
"krb5",
|
||||
NULL
|
||||
};
|
||||
|
||||
struct krb5_plugin_data kadm5_hook_plugin_data = {
|
||||
"kadm5",
|
||||
"kadm5_hook",
|
||||
KADM5_HOOK_VERSION_V1,
|
||||
kadm5_hook_plugin_deps,
|
||||
kadm5_get_instance
|
||||
};
|
||||
|
||||
void
|
||||
_kadm5_s_set_hook_error_message(kadm5_server_context *context,
|
||||
krb5_error_code ret,
|
||||
const char *op,
|
||||
const struct kadm5_hook *hook,
|
||||
const struct kadm5_hook_ftable *hook,
|
||||
enum kadm5_hook_stage stage)
|
||||
{
|
||||
assert(ret != 0);
|
||||
@@ -63,137 +60,38 @@ _kadm5_s_set_hook_error_message(kadm5_server_context *context,
|
||||
stage == KADM5_HOOK_STAGE_PRECOMMIT ? "pre" : "post");
|
||||
}
|
||||
|
||||
/*
|
||||
* Load kadmin server hooks.
|
||||
*/
|
||||
kadm5_ret_t
|
||||
_kadm5_s_init_hooks(kadm5_server_context *ctx)
|
||||
{
|
||||
krb5_context context = ctx->context;
|
||||
char **hooks;
|
||||
void *handle = NULL;
|
||||
struct kadm5_hook_context *hook_context = NULL;
|
||||
#ifdef HAVE_DLOPEN
|
||||
struct kadm5_hook_context **tmp;
|
||||
size_t i;
|
||||
#endif
|
||||
kadm5_ret_t ret = KADM5_BAD_SERVER_HOOK;
|
||||
char **dirs;
|
||||
|
||||
hooks = krb5_config_get_strings(context, NULL,
|
||||
"kadmin", "hooks", NULL);
|
||||
if (hooks == NULL)
|
||||
dirs = krb5_config_get_strings(context, NULL, "kadmin",
|
||||
"plugin_dir", NULL);
|
||||
if (dirs == NULL)
|
||||
return 0;
|
||||
|
||||
#ifdef HAVE_DLOPEN
|
||||
for (i = 0; hooks[i] != NULL; i++) {
|
||||
const char *hookpath = hooks[i];
|
||||
kadm5_hook_init_t hook_init;
|
||||
const struct kadm5_hook *hook = NULL;
|
||||
void *data = NULL;
|
||||
_krb5_load_plugins(context, "kadm5", (const char **)dirs);
|
||||
krb5_config_free_strings(dirs);
|
||||
|
||||
handle = dlopen(hookpath, RTLD_NOW | RTLD_LOCAL | RTLD_GROUP);
|
||||
if (handle == NULL) {
|
||||
krb5_warnx(context, "failed to open `%s': %s", hookpath, dlerror());
|
||||
ret = KADM5_SERVER_HOOK_NOT_FOUND;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
hook_init = dlsym(handle, "kadm5_hook_init");
|
||||
if (hook_init == NULL) {
|
||||
krb5_warnx(context, "didn't find kadm5_hook_init symbol in `%s': %s",
|
||||
hookpath, dlerror());
|
||||
ret = KADM5_BAD_SERVER_HOOK;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
ret = hook_init(context, KADM5_HOOK_VERSION_V1, &hook, &data);
|
||||
if (ret == 0 && hook == NULL)
|
||||
ret = KADM5_BAD_SERVER_HOOK;
|
||||
if (ret) {
|
||||
krb5_warn(context, ret, "initialization of hook `%s' failed", hookpath);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (hook->version < KADM5_HOOK_VERSION_V1)
|
||||
ret = KADM5_OLD_SERVER_HOOK_VERSION;
|
||||
else if (hook->version > KADM5_HOOK_VERSION_V1)
|
||||
ret = KADM5_NEW_SERVER_HOOK_VERSION;
|
||||
if (ret) {
|
||||
krb5_warnx(context, "%s: version of loaded hook `%s' by vendor `%s' is %u"
|
||||
" (supported versions are %u to %u)",
|
||||
hookpath, hook->name, hook->vendor, hook->version,
|
||||
KADM5_HOOK_VERSION_V1, KADM5_HOOK_VERSION_V1);
|
||||
hook->fini(context, data);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (hook->init_context != krb5_init_context) {
|
||||
krb5_warnx(context, "%s: loaded hook `%s' by vendor `%s' (API version %u)"
|
||||
"is not linked against this version of Heimdal",
|
||||
hookpath, hook->name, hook->vendor, hook->version);
|
||||
hook->fini(context, data);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
hook_context = calloc(1, sizeof(*hook_context));
|
||||
if (hook_context == NULL) {
|
||||
ret = krb5_enomem(context);
|
||||
hook->fini(context, data);
|
||||
goto fail;
|
||||
}
|
||||
|
||||
hook_context->handle = handle;
|
||||
hook_context->hook = hook;
|
||||
hook_context->data = data;
|
||||
|
||||
tmp = realloc(ctx->hooks, (ctx->num_hooks + 1) * sizeof(*tmp));
|
||||
if (tmp == NULL) {
|
||||
ret = krb5_enomem(context);
|
||||
hook->fini(context, data);
|
||||
goto fail;
|
||||
}
|
||||
ctx->hooks = tmp;
|
||||
ctx->hooks[ctx->num_hooks] = hook_context;
|
||||
hook_context = NULL;
|
||||
ctx->num_hooks++;
|
||||
|
||||
krb5_warnx(context, "Loaded kadm5 hook `%s' by vendor `%s' (API version %u)",
|
||||
hook->name, hook->vendor, hook->version);
|
||||
}
|
||||
krb5_config_free_strings(hooks);
|
||||
return 0;
|
||||
#else
|
||||
krb5_warnx(context, "kadm5 hooks configured, but platform "
|
||||
"does not support dynamic loading");
|
||||
ret = KADM5_BAD_SERVER_HOOK;
|
||||
goto fail;
|
||||
#endif /* HAVE_DLOPEN */
|
||||
|
||||
fail:
|
||||
_kadm5_s_free_hooks(ctx);
|
||||
if (hook_context != NULL)
|
||||
free(hook_context);
|
||||
if (handle != NULL)
|
||||
dlclose(handle);
|
||||
krb5_config_free_strings(hooks);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
void
|
||||
_kadm5_s_free_hooks(kadm5_server_context *ctx)
|
||||
{
|
||||
#ifdef HAVE_DLOPEN
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < ctx->num_hooks; i++) {
|
||||
if (ctx->hooks[i]->hook->fini != NULL)
|
||||
ctx->hooks[i]->hook->fini(ctx->context, ctx->hooks[i]->data);
|
||||
dlclose(ctx->hooks[i]->handle);
|
||||
free(ctx->hooks[i]);
|
||||
}
|
||||
free(ctx->hooks);
|
||||
ctx->hooks = NULL;
|
||||
ctx->num_hooks = 0;
|
||||
#endif /* HAVE_DLOPEN */
|
||||
_krb5_unload_plugins(ctx->context, "kadm5");
|
||||
}
|
||||
|
||||
uintptr_t
|
||||
kadm5_get_instance(const char *libname)
|
||||
{
|
||||
static const char *instance = "libkadm5";
|
||||
|
||||
if (strcmp(libname, "kadm5") == 0)
|
||||
return (uintptr_t)instance;
|
||||
else if (strcmp(libname, "krb5") == 0)
|
||||
return krb5_get_instance(libname);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@@ -33,6 +33,44 @@
|
||||
|
||||
#include "kadm5_locl.h"
|
||||
|
||||
struct setkey_principal_hook_ctx {
|
||||
kadm5_server_context *context;
|
||||
enum kadm5_hook_stage stage;
|
||||
krb5_error_code code;
|
||||
krb5_const_principal princ;
|
||||
uint32_t flags;
|
||||
size_t n_ks_tuple;
|
||||
krb5_key_salt_tuple *ks_tuple;
|
||||
size_t n_keys;
|
||||
krb5_keyblock *keys;
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
setkey_principal_hook_cb(krb5_context context,
|
||||
const void *hook,
|
||||
void *hookctx,
|
||||
void *userctx)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
const struct kadm5_hook_ftable *ftable = hook;
|
||||
struct setkey_principal_hook_ctx *ctx = userctx;
|
||||
|
||||
ret = ftable->set_keys(context, hookctx,
|
||||
ctx->stage, ctx->code,
|
||||
ctx->princ, ctx->flags,
|
||||
ctx->n_ks_tuple, ctx->ks_tuple,
|
||||
ctx->n_keys, ctx->keys);
|
||||
if (ret != 0 && ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
_kadm5_s_set_hook_error_message(ctx->context, ret, "setkey",
|
||||
hook, ctx->stage);
|
||||
|
||||
/* only pre-commit plugins can abort */
|
||||
if (ret == 0 || ctx->stage == KADM5_HOOK_STAGE_POSTCOMMIT)
|
||||
ret = KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static kadm5_ret_t
|
||||
setkey_principal_hook(kadm5_server_context *context,
|
||||
enum kadm5_hook_stage stage,
|
||||
@@ -44,25 +82,23 @@ setkey_principal_hook(kadm5_server_context *context,
|
||||
size_t n_keys,
|
||||
krb5_keyblock *keyblocks)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
size_t i;
|
||||
krb5_error_code ret;
|
||||
struct setkey_principal_hook_ctx ctx;
|
||||
|
||||
for (i = 0; i < context->num_hooks; i++) {
|
||||
kadm5_hook_context *hook = context->hooks[i];
|
||||
ctx.context = context;
|
||||
ctx.stage = stage;
|
||||
ctx.code = code;
|
||||
ctx.princ = princ;
|
||||
ctx.flags = flags;
|
||||
ctx.n_ks_tuple = n_ks_tuple;
|
||||
ctx.ks_tuple = ks_tuple;
|
||||
ctx.n_keys = n_keys;
|
||||
ctx.keys = keyblocks;
|
||||
|
||||
if (hook->hook->set_keys != NULL) {
|
||||
ret = hook->hook->set_keys(context->context, hook->data,
|
||||
stage, code, princ,
|
||||
flags, n_ks_tuple, ks_tuple,
|
||||
n_keys, keyblocks);
|
||||
if (ret != 0) {
|
||||
_kadm5_s_set_hook_error_message(context, ret, "setkey",
|
||||
hook->hook, stage);
|
||||
if (stage == KADM5_HOOK_STAGE_PRECOMMIT)
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
ret = _krb5_plugin_run_f(context->context, &kadm5_hook_plugin_data,
|
||||
0, &ctx, setkey_principal_hook_cb);
|
||||
if (ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
ret = 0;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@@ -31,10 +31,14 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "kadm5_locl.h"
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <getarg.h>
|
||||
|
||||
RCSID("$Id$");
|
||||
#include <roken.h>
|
||||
#include <krb5.h>
|
||||
|
||||
#include "admin.h"
|
||||
|
||||
static int version_flag;
|
||||
static int help_flag;
|
||||
|
@@ -23,6 +23,7 @@ HEIMDAL_KAMD5_SERVER_1.0 {
|
||||
kadm5_free_name_list;
|
||||
kadm5_free_policy_ent;
|
||||
kadm5_free_principal_ent;
|
||||
kadm5_get_instance;
|
||||
kadm5_get_policy;
|
||||
kadm5_get_policies;
|
||||
kadm5_get_principal;
|
||||
|
@@ -80,6 +80,17 @@ plcallback(krb5_context context,
|
||||
return locate->an2ln(plugctx, context, plctx->rule, plctx->aname, set_res, plctx);
|
||||
}
|
||||
|
||||
static const char *an2ln_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct krb5_plugin_data
|
||||
an2ln_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_AN2LN,
|
||||
KRB5_PLUGIN_AN2LN_VERSION_0,
|
||||
an2ln_plugin_deps,
|
||||
krb5_get_instance
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
an2ln_plugin(krb5_context context, const char *rule, krb5_const_principal aname,
|
||||
size_t lnsize, char *lname)
|
||||
@@ -96,8 +107,8 @@ an2ln_plugin(krb5_context context, const char *rule, krb5_const_principal aname,
|
||||
* really be no more than one plugin that can handle any given kind
|
||||
* rule, so the effect should be deterministic anyways.
|
||||
*/
|
||||
ret = _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_AN2LN,
|
||||
KRB5_PLUGIN_AN2LN_VERSION_0, 0, &ctx, plcallback);
|
||||
ret = _krb5_plugin_run_f(context, &an2ln_plugin_data,
|
||||
0, &ctx, plcallback);
|
||||
if (ret != 0) {
|
||||
heim_release(ctx.luser);
|
||||
return ret;
|
||||
|
@@ -1589,3 +1589,4 @@ krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
|
||||
|
||||
return old;
|
||||
}
|
||||
|
||||
|
@@ -14,12 +14,22 @@ db_plugins_plcallback(krb5_context context, const void *plug, void *plugctx,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static const char *db_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct krb5_plugin_data
|
||||
db_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_DB,
|
||||
KRB5_PLUGIN_DB_VERSION_0,
|
||||
db_plugin_deps,
|
||||
krb5_get_instance
|
||||
};
|
||||
|
||||
static void
|
||||
db_plugins_init(void *arg)
|
||||
{
|
||||
krb5_context context = arg;
|
||||
(void)_krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_DB,
|
||||
KRB5_PLUGIN_DB_VERSION_0, 0, NULL,
|
||||
(void)_krb5_plugin_run_f(context, &db_plugin_data, 0, NULL,
|
||||
db_plugins_plcallback);
|
||||
}
|
||||
|
||||
|
@@ -57,11 +57,26 @@ associated header file, such as, for example,
|
||||
.Va krb5plugin_kuserok_ftable
|
||||
and a pointer to which is either registered via
|
||||
.Xr krb5_plugin_register 3
|
||||
or found in a shared object via a symbol lookup for the symbol name
|
||||
defined in the associated header file (e.g., "kuserok" for the
|
||||
or via a plugin load function exported by a shared object. Plugin load
|
||||
functions should be named by concatenating the name defined in the associated
|
||||
header file with the string "plugin_load" (e.g. "kuserok_plugin_load" for the
|
||||
plugin for
|
||||
.Xr krb5_kuserok 3
|
||||
).
|
||||
The plugin load function has the following signature:
|
||||
.Bd -literal -offset indent
|
||||
krb5_error_code
|
||||
kuserok_plugin_load(krb5_context context,
|
||||
krb5_get_instance_func_t *get_instance,
|
||||
size_t *n_plugins,
|
||||
const common_plugin_ftable *const **plugins);
|
||||
.Ed
|
||||
.Pp
|
||||
The plugin should set the get_instance output parameter to the a function
|
||||
that will return the instances of its library dependencies. The output
|
||||
parameters n_plugins and plugins specify the number of plugins, and an array of
|
||||
pointers to function tables, respectively.
|
||||
.Ed
|
||||
.Pp
|
||||
The plugin structs for all plugin types always begin with the same three
|
||||
common fields:
|
||||
@@ -200,6 +215,31 @@ krb5plugin_an2ln_ftable an2ln = {
|
||||
nouser_plug_fini,
|
||||
nouser_plug_an2ln,
|
||||
};
|
||||
|
||||
static const krb5plugin_an2ln_ftable *const plugins[] = {
|
||||
&an2ln
|
||||
};
|
||||
|
||||
static uintptr_t
|
||||
an2ln_get_instance(const char *libname)
|
||||
{
|
||||
if (strcmp(libname, "krb5") == 0)
|
||||
return krb5_get_instance(libname);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
krb5_error_code
|
||||
an2ln_plugin_load(krb5_context context,
|
||||
krb5_get_instance_func_t *get_instance,
|
||||
size_t *num_plugins,
|
||||
const krb5plugin_an2ln_ftable * const **pplugins)
|
||||
{
|
||||
*get_instance = an2ln_get_instance;
|
||||
*num_plugins = sizeof(plugins) / sizeof(plugins[0]);
|
||||
*pplugins = plugins;
|
||||
return 0;
|
||||
}
|
||||
.Ed
|
||||
.Pp
|
||||
An example kuserok plugin that rejects all requests follows. (Note that
|
||||
@@ -232,12 +272,38 @@ reject_plug_kuserok(void *plug_ctx, krb5_context context, const char *rule,
|
||||
return 0;
|
||||
}
|
||||
|
||||
krb5plugin_kuserok_ftable kuserok = {
|
||||
static krb5plugin_kuserok_ftable kuserok = {
|
||||
KRB5_PLUGIN_KUSEROK_VERSION_0,
|
||||
reject_plug_init,
|
||||
reject_plug_fini,
|
||||
reject_plug_kuserok,
|
||||
};
|
||||
|
||||
static const krb5plugin_kuserok_ftable *const plugins[] = {
|
||||
&kuserok
|
||||
};
|
||||
|
||||
static uintptr_t
|
||||
kuserok_get_instance(const char *libname)
|
||||
{
|
||||
if (strcmp(libname, "krb5") == 0)
|
||||
return krb5_get_instance(libname);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
krb5_error_code
|
||||
kuserok_plugin_load(krb5_context context,
|
||||
krb5_get_instance_func_t *get_instance,
|
||||
size_t *num_plugins,
|
||||
const krb5plugin_kuserok_ftable * const **pplugins)
|
||||
{
|
||||
*krb5_instance = kuserok_get_instance;
|
||||
*num_plugins = sizeof(plugins) / sizeof(plugins[0]);
|
||||
*pplugins = plugins;
|
||||
return 0;
|
||||
}
|
||||
|
||||
.Ed
|
||||
.Sh SEE ALSO
|
||||
.Xr krb5_plugin_register 3
|
||||
|
@@ -873,14 +873,16 @@ typedef krb5_error_code
|
||||
(KRB5_CALLCONV * krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *,
|
||||
const krb5_data *, int *);
|
||||
|
||||
struct krb5_plugin;
|
||||
enum krb5_plugin_type {
|
||||
PLUGIN_TYPE_DATA = 1,
|
||||
PLUGIN_TYPE_FUNC
|
||||
PLUGIN_TYPE_FUNC /* no longer supported */
|
||||
};
|
||||
|
||||
#define KRB5_PLUGIN_INVOKE_ALL 1
|
||||
|
||||
typedef uintptr_t
|
||||
(KRB5_CALLCONV *krb5_get_instance_func_t)(const char *);
|
||||
|
||||
struct credentials; /* this is to keep the compiler happy */
|
||||
struct getargs;
|
||||
struct sockaddr;
|
||||
|
@@ -134,6 +134,7 @@ struct ContentInfo;
|
||||
struct AlgorithmIdentifier;
|
||||
typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx;
|
||||
struct krb5_dh_moduli;
|
||||
struct krb5_plugin_data;
|
||||
|
||||
/* v4 glue */
|
||||
struct _krb5_krb_auth_data;
|
||||
@@ -393,4 +394,12 @@ struct krb5_pk_init_ctx_data {
|
||||
# define ISPATHSEP(x) (x == '/')
|
||||
#endif
|
||||
|
||||
struct krb5_plugin_data {
|
||||
const char *module;
|
||||
const char *name;
|
||||
int min_version;
|
||||
const char **deps;
|
||||
krb5_get_instance_func_t get_instance;
|
||||
};
|
||||
|
||||
#endif /* __KRB5_LOCL_H__ */
|
||||
|
@@ -674,6 +674,17 @@ plcallback(krb5_context context,
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
|
||||
static const char *locate_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct krb5_plugin_data
|
||||
locate_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_LOCATE,
|
||||
KRB5_PLUGIN_LOCATE_VERSION_0,
|
||||
locate_plugin_deps,
|
||||
krb5_get_instance
|
||||
};
|
||||
|
||||
static void
|
||||
plugin_get_hosts(krb5_context context,
|
||||
struct krb5_krbhst_data *kd,
|
||||
@@ -684,8 +695,7 @@ plugin_get_hosts(krb5_context context,
|
||||
if (_krb5_homedir_access(context))
|
||||
ctx.flags |= KRB5_PLF_ALLOW_HOMEDIR;
|
||||
|
||||
_krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_LOCATE,
|
||||
KRB5_PLUGIN_LOCATE_VERSION_0,
|
||||
_krb5_plugin_run_f(context, &locate_plugin_data,
|
||||
0, &ctx, plcallback);
|
||||
}
|
||||
|
||||
|
@@ -455,6 +455,17 @@ krb5_kuserok(krb5_context context,
|
||||
}
|
||||
|
||||
|
||||
static const char *kuserok_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct krb5_plugin_data
|
||||
kuserok_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_KUSEROK,
|
||||
KRB5_PLUGIN_KUSEROK_VERSION_0,
|
||||
kuserok_plugin_deps,
|
||||
krb5_get_instance
|
||||
};
|
||||
|
||||
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
|
||||
_krb5_kuserok(krb5_context context,
|
||||
krb5_principal principal,
|
||||
@@ -515,9 +526,8 @@ _krb5_kuserok(krb5_context context,
|
||||
for (n = 0; rules[n]; n++) {
|
||||
ctx.rule = rules[n];
|
||||
|
||||
ret = _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_KUSEROK,
|
||||
KRB5_PLUGIN_KUSEROK_VERSION_0, 0,
|
||||
&ctx, plcallback);
|
||||
ret = _krb5_plugin_run_f(context, &kuserok_plugin_data,
|
||||
0, &ctx, plcallback);
|
||||
if (ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
goto out;
|
||||
}
|
||||
|
@@ -366,6 +366,7 @@ EXPORTS
|
||||
krb5_get_init_creds_opt_set_tkt_life
|
||||
krb5_get_init_creds_opt_set_win2k
|
||||
krb5_get_init_creds_password
|
||||
krb5_get_instance
|
||||
krb5_get_kdc_cred
|
||||
krb5_get_kdc_sec_offset
|
||||
krb5_get_krb524hst
|
||||
@@ -756,6 +757,10 @@ EXPORTS
|
||||
_krb5_build_authenticator
|
||||
_krb5_kt_client_default_name
|
||||
|
||||
; Shared with libkadm5
|
||||
_krb5_load_plugins
|
||||
_krb5_unload_plugins
|
||||
|
||||
; Shared with libkdc
|
||||
_krb5_AES_SHA1_string_to_default_iterator
|
||||
_krb5_AES_SHA2_string_to_default_iterator
|
||||
@@ -806,8 +811,6 @@ EXPORTS
|
||||
; Recent additions
|
||||
krb5_cc_type_dcc;
|
||||
krb5_dcc_ops;
|
||||
_krb5_plugin_find;
|
||||
_krb5_plugin_free;
|
||||
_krb5_expand_path_tokensv;
|
||||
_krb5_find_capath;
|
||||
_krb5_free_capath;
|
||||
|
@@ -58,13 +58,24 @@ cc_plugin_register_to_context(krb5_context context, const void *plug, void *plug
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
|
||||
static const char *ccache_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct krb5_plugin_data
|
||||
ccache_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_CCACHE,
|
||||
0,
|
||||
ccache_plugin_deps,
|
||||
krb5_get_instance
|
||||
};
|
||||
|
||||
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
|
||||
_krb5_load_ccache_plugins(krb5_context context)
|
||||
{
|
||||
krb5_error_code userctx = 0;
|
||||
|
||||
(void)_krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_CCACHE,
|
||||
0, 0, &userctx, cc_plugin_register_to_context);
|
||||
(void)_krb5_plugin_run_f(context, &ccache_plugin_data, 0,
|
||||
&userctx, cc_plugin_register_to_context);
|
||||
|
||||
return userctx;
|
||||
}
|
||||
|
@@ -3,6 +3,8 @@
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions Copyright (c) 2018 AuriStor, Inc.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@@ -38,29 +40,159 @@
|
||||
#endif
|
||||
#include <dirent.h>
|
||||
|
||||
/*
|
||||
* Definitions:
|
||||
*
|
||||
* module - a category of plugin module, identified by subsystem
|
||||
* (typically "krb5")
|
||||
* dso - a library for a module containing a map of plugin
|
||||
* types to plugins (e.g. "service_locator")
|
||||
* plugin - a set of callbacks and state that follows the
|
||||
* common plugin module definition (version, init, fini)
|
||||
*
|
||||
* Obviously it would have been clearer to use the term "module" rather than
|
||||
* "DSO" given there is an internal "DSO", but "module" was already taken...
|
||||
*
|
||||
* modules := { module: dsos }
|
||||
* dsos := { path, dsohandle, plugins-by-name }
|
||||
* plugins-by-name := { plugin-name: [plug] }
|
||||
* plug := { ftable, ctx }
|
||||
*
|
||||
* Some existing plugin consumers outside libkrb5 use the "krb5" module
|
||||
* namespace, but going forward the module should match the consumer library
|
||||
* name (e.g. libhdb should use the "hdb" module rather than "krb5").
|
||||
*/
|
||||
|
||||
/* global module use, use copy_modules() accessor to access */
|
||||
static heim_dict_t __modules;
|
||||
|
||||
static HEIMDAL_MUTEX modules_mutex = HEIMDAL_MUTEX_INITIALIZER;
|
||||
|
||||
static void
|
||||
copy_modules_once(void *context)
|
||||
{
|
||||
heim_dict_t *modules = (heim_dict_t *)context;
|
||||
|
||||
*modules = heim_dict_create(11);
|
||||
heim_assert(*modules, "plugin modules array allocation failure");
|
||||
}
|
||||
|
||||
/* returns global modules list, refcount +1 */
|
||||
static heim_dict_t
|
||||
copy_modules(void)
|
||||
{
|
||||
static heim_base_once_t modules_once = HEIM_BASE_ONCE_INIT;
|
||||
|
||||
heim_base_once_f(&modules_once, &__modules, copy_modules_once);
|
||||
|
||||
return heim_retain(__modules);
|
||||
}
|
||||
|
||||
/* returns named module, refcount +1 */
|
||||
static heim_dict_t
|
||||
copy_module(const char *name)
|
||||
{
|
||||
heim_string_t module_name = heim_string_create(name);
|
||||
heim_dict_t modules = copy_modules();
|
||||
heim_dict_t module;
|
||||
|
||||
module = heim_dict_copy_value(modules, module_name);
|
||||
if (module == NULL) {
|
||||
module = heim_dict_create(11);
|
||||
heim_dict_set_value(modules, module_name, module);
|
||||
}
|
||||
|
||||
heim_release(modules);
|
||||
heim_release(module_name);
|
||||
|
||||
return module;
|
||||
}
|
||||
|
||||
/* DSO helpers */
|
||||
struct krb5_dso {
|
||||
heim_string_t path;
|
||||
heim_dict_t plugins_by_name;
|
||||
void *dsohandle;
|
||||
};
|
||||
|
||||
static void
|
||||
dso_dealloc(void *ptr)
|
||||
{
|
||||
struct krb5_dso *p = ptr;
|
||||
|
||||
heim_release(p->path);
|
||||
heim_release(p->plugins_by_name);
|
||||
#ifdef HAVE_DLOPEN
|
||||
if (p->dsohandle)
|
||||
dlclose(p->dsohandle);
|
||||
#endif
|
||||
}
|
||||
|
||||
/* returns internal "DSO" for name, refcount +1 */
|
||||
static struct krb5_dso *
|
||||
copy_internal_dso(const char *name)
|
||||
{
|
||||
heim_string_t dso_name = HSTR("__HEIMDAL_INTERNAL_DSO__");
|
||||
heim_dict_t module = copy_module(name);
|
||||
struct krb5_dso *dso;
|
||||
|
||||
if (module == NULL)
|
||||
return NULL;
|
||||
|
||||
dso = heim_dict_copy_value(module, dso_name);
|
||||
if (dso == NULL) {
|
||||
dso = heim_alloc(sizeof(*dso), "krb5-dso", dso_dealloc);
|
||||
|
||||
dso->path = dso_name;
|
||||
dso->plugins_by_name = heim_dict_create(11);
|
||||
|
||||
heim_dict_set_value(module, dso_name, dso);
|
||||
}
|
||||
|
||||
heim_release(module);
|
||||
|
||||
return dso;
|
||||
}
|
||||
|
||||
/*
|
||||
* All plugin function tables extend the following structure.
|
||||
*/
|
||||
typedef struct common_plugin_ftable_desc {
|
||||
int version;
|
||||
krb5_error_code (*init)(krb5_context, void **);
|
||||
void (*fini)(void *);
|
||||
} common_plugin_ftable;
|
||||
|
||||
struct krb5_plugin {
|
||||
common_plugin_ftable *ftable;
|
||||
void *ctx;
|
||||
};
|
||||
|
||||
static void
|
||||
plugin_free(void *ptr)
|
||||
{
|
||||
struct krb5_plugin *pl = ptr;
|
||||
|
||||
if (pl->ftable && pl->ftable->fini)
|
||||
pl->ftable->fini(pl->ctx);
|
||||
}
|
||||
|
||||
struct krb5_plugin_register_ctx {
|
||||
void *symbol;
|
||||
struct krb5_plugin *next;
|
||||
int is_dup;
|
||||
};
|
||||
|
||||
struct plugin {
|
||||
enum { DSO, SYMBOL } type;
|
||||
union {
|
||||
struct {
|
||||
char *path;
|
||||
void *dsohandle;
|
||||
} dso;
|
||||
struct {
|
||||
enum krb5_plugin_type type;
|
||||
char *name;
|
||||
char *symbol;
|
||||
} symbol;
|
||||
} u;
|
||||
struct plugin *next;
|
||||
};
|
||||
static void
|
||||
plugin_register_check_dup(heim_object_t value, void *ctx, int *stop)
|
||||
{
|
||||
struct krb5_plugin_register_ctx *pc = ctx;
|
||||
struct krb5_plugin *pl = value;
|
||||
|
||||
static HEIMDAL_MUTEX plugin_mutex = HEIMDAL_MUTEX_INITIALIZER;
|
||||
static struct plugin *registered = NULL;
|
||||
if (pl->ftable == pc->symbol) {
|
||||
pc->is_dup = 1;
|
||||
*stop = 1;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Register a plugin symbol name of specific type.
|
||||
@@ -80,147 +212,67 @@ krb5_plugin_register(krb5_context context,
|
||||
const char *name,
|
||||
void *symbol)
|
||||
{
|
||||
struct plugin *e;
|
||||
|
||||
HEIMDAL_MUTEX_lock(&plugin_mutex);
|
||||
|
||||
/* check for duplicates */
|
||||
for (e = registered; e != NULL; e = e->next) {
|
||||
if (e->type == SYMBOL &&
|
||||
strcmp(e->u.symbol.name, name) == 0 &&
|
||||
e->u.symbol.type == type && e->u.symbol.symbol == symbol) {
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
e = calloc(1, sizeof(*e));
|
||||
if (e == NULL) {
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
|
||||
return ENOMEM;
|
||||
}
|
||||
e->type = SYMBOL;
|
||||
e->u.symbol.type = type;
|
||||
e->u.symbol.name = strdup(name);
|
||||
if (e->u.symbol.name == NULL) {
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
free(e);
|
||||
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
|
||||
return ENOMEM;
|
||||
}
|
||||
e->u.symbol.symbol = symbol;
|
||||
|
||||
e->next = registered;
|
||||
registered = e;
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
add_symbol(krb5_context context, struct krb5_plugin **list, void *symbol)
|
||||
{
|
||||
struct krb5_plugin *e;
|
||||
|
||||
e = calloc(1, sizeof(*e));
|
||||
if (e == NULL) {
|
||||
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
|
||||
return ENOMEM;
|
||||
}
|
||||
e->symbol = symbol;
|
||||
e->next = *list;
|
||||
*list = e;
|
||||
return 0;
|
||||
}
|
||||
|
||||
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
|
||||
_krb5_plugin_find(krb5_context context,
|
||||
enum krb5_plugin_type type,
|
||||
const char *name,
|
||||
struct krb5_plugin **list)
|
||||
{
|
||||
struct plugin *e;
|
||||
krb5_error_code ret;
|
||||
heim_array_t plugins;
|
||||
heim_string_t hname;
|
||||
struct krb5_dso *dso;
|
||||
struct krb5_plugin_register_ctx ctx;
|
||||
|
||||
*list = NULL;
|
||||
ctx.symbol = symbol;
|
||||
ctx.is_dup = 0;
|
||||
|
||||
HEIMDAL_MUTEX_lock(&plugin_mutex);
|
||||
|
||||
for (ret = 0, e = registered; e != NULL; e = e->next) {
|
||||
switch(e->type) {
|
||||
case DSO: {
|
||||
void *sym;
|
||||
if (e->u.dso.dsohandle == NULL)
|
||||
continue;
|
||||
sym = dlsym(e->u.dso.dsohandle, name);
|
||||
if (sym)
|
||||
ret = add_symbol(context, list, sym);
|
||||
break;
|
||||
}
|
||||
case SYMBOL:
|
||||
if (strcmp(e->u.symbol.name, name) == 0 && e->u.symbol.type == type)
|
||||
ret = add_symbol(context, list, e->u.symbol.symbol);
|
||||
break;
|
||||
}
|
||||
if (ret) {
|
||||
_krb5_plugin_free(*list);
|
||||
*list = NULL;
|
||||
}
|
||||
/*
|
||||
* It's not clear that PLUGIN_TYPE_FUNC was ever used or supported. It likely
|
||||
* would have caused _krb5_plugin_run_f() to crash as the previous implementation
|
||||
* assumed PLUGIN_TYPE_DATA.
|
||||
*/
|
||||
if (type != PLUGIN_TYPE_DATA) {
|
||||
krb5_warnx(context, "krb5_plugin_register: PLUGIN_TYPE_DATA no longer supported");
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
if (ret)
|
||||
return ret;
|
||||
HEIMDAL_MUTEX_lock(&modules_mutex);
|
||||
|
||||
if (*list == NULL) {
|
||||
krb5_set_error_message(context, ENOENT, "Did not find a plugin for %s", name);
|
||||
return ENOENT;
|
||||
dso = copy_internal_dso("krb5");
|
||||
hname = heim_string_create(name);
|
||||
plugins = heim_dict_copy_value(dso->plugins_by_name, hname);
|
||||
if (plugins != NULL)
|
||||
heim_array_iterate_f(plugins, &ctx, plugin_register_check_dup);
|
||||
else {
|
||||
plugins = heim_array_create();
|
||||
heim_dict_set_value(dso->plugins_by_name, hname, plugins);
|
||||
}
|
||||
|
||||
return 0;
|
||||
if (!ctx.is_dup) {
|
||||
/* Note: refactored plugin API only supports common plugin layout */
|
||||
struct krb5_plugin *pl;
|
||||
|
||||
pl = heim_alloc(sizeof(*pl), "krb5-plugin", plugin_free);
|
||||
if (pl == NULL) {
|
||||
ret = krb5_enomem(context);
|
||||
} else {
|
||||
pl->ftable = symbol;
|
||||
ret = pl->ftable->init(context, &pl->ctx);
|
||||
if (ret == 0) {
|
||||
heim_array_append_value(plugins, pl);
|
||||
_krb5_debug(context, 5, "Registered %s plugin", name);
|
||||
}
|
||||
heim_release(pl);
|
||||
}
|
||||
} else
|
||||
ret = 0; /* ignore duplicates to match previous behavior */
|
||||
|
||||
HEIMDAL_MUTEX_unlock(&modules_mutex);
|
||||
|
||||
heim_release(dso);
|
||||
heim_release(hname);
|
||||
heim_release(plugins);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
|
||||
_krb5_plugin_free(struct krb5_plugin *list)
|
||||
{
|
||||
struct krb5_plugin *next;
|
||||
while (list) {
|
||||
next = list->next;
|
||||
free(list);
|
||||
list = next;
|
||||
}
|
||||
}
|
||||
/*
|
||||
* module - dict of {
|
||||
* ModuleName = [
|
||||
* plugin = object{
|
||||
* array = { ptr, ctx }
|
||||
* }
|
||||
* ]
|
||||
* }
|
||||
*/
|
||||
|
||||
static heim_dict_t modules;
|
||||
|
||||
struct plugin2 {
|
||||
heim_string_t path;
|
||||
void *dsohandle;
|
||||
heim_dict_t names;
|
||||
};
|
||||
|
||||
#ifdef HAVE_DLOPEN
|
||||
|
||||
static void
|
||||
plug_dealloc(void *ptr)
|
||||
{
|
||||
struct plugin2 *p = ptr;
|
||||
heim_release(p->path);
|
||||
heim_release(p->names);
|
||||
if (p->dsohandle)
|
||||
dlclose(p->dsohandle);
|
||||
}
|
||||
|
||||
static char *
|
||||
resolve_origin(const char *di)
|
||||
{
|
||||
@@ -277,7 +329,7 @@ _krb5_load_plugins(krb5_context context, const char *name, const char **paths)
|
||||
{
|
||||
#ifdef HAVE_DLOPEN
|
||||
heim_string_t s = heim_string_create(name);
|
||||
heim_dict_t module;
|
||||
heim_dict_t module, modules;
|
||||
struct dirent *entry;
|
||||
krb5_error_code ret;
|
||||
const char **di;
|
||||
@@ -292,27 +344,23 @@ _krb5_load_plugins(krb5_context context, const char *name, const char **paths)
|
||||
plugin_prefix_len = (plugin_prefix ? strlen(plugin_prefix) : 0);
|
||||
#endif
|
||||
|
||||
HEIMDAL_MUTEX_lock(&plugin_mutex);
|
||||
HEIMDAL_MUTEX_lock(&modules_mutex);
|
||||
|
||||
if (modules == NULL) {
|
||||
modules = heim_dict_create(11);
|
||||
if (modules == NULL) {
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
return;
|
||||
}
|
||||
}
|
||||
modules = copy_modules();
|
||||
|
||||
module = heim_dict_copy_value(modules, s);
|
||||
if (module == NULL) {
|
||||
module = heim_dict_create(11);
|
||||
if (module == NULL) {
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
HEIMDAL_MUTEX_unlock(&modules_mutex);
|
||||
heim_release(s);
|
||||
heim_release(modules);
|
||||
return;
|
||||
}
|
||||
heim_dict_set_value(modules, s, module);
|
||||
}
|
||||
heim_release(s);
|
||||
heim_release(modules);
|
||||
|
||||
for (di = paths; *di != NULL; di++) {
|
||||
free(dirname);
|
||||
@@ -328,7 +376,7 @@ _krb5_load_plugins(krb5_context context, const char *name, const char **paths)
|
||||
char *n = entry->d_name;
|
||||
char *path = NULL;
|
||||
heim_string_t spath;
|
||||
struct plugin2 *p;
|
||||
struct krb5_dso *p;
|
||||
|
||||
/* skip . and .. */
|
||||
if (n[0] == '.' && (n[1] == '\0' || (n[1] == '.' && n[2] == '\0')))
|
||||
@@ -377,13 +425,12 @@ _krb5_load_plugins(krb5_context context, const char *name, const char **paths)
|
||||
/* check if already cached */
|
||||
p = heim_dict_copy_value(module, spath);
|
||||
if (p == NULL) {
|
||||
p = heim_alloc(sizeof(*p), "krb5-plugin", plug_dealloc);
|
||||
p = heim_alloc(sizeof(*p), "krb5-dso", dso_dealloc);
|
||||
if (p)
|
||||
p->dsohandle = dlopen(path, RTLD_LOCAL|RTLD_LAZY);
|
||||
|
||||
p->dsohandle = dlopen(path, RTLD_LOCAL|RTLD_LAZY|RTLD_GROUP);
|
||||
if (p && p->dsohandle) {
|
||||
p->path = heim_retain(spath);
|
||||
p->names = heim_dict_create(11);
|
||||
p->plugins_by_name = heim_dict_create(11);
|
||||
heim_dict_set_value(module, spath, p);
|
||||
}
|
||||
}
|
||||
@@ -394,7 +441,7 @@ _krb5_load_plugins(krb5_context context, const char *name, const char **paths)
|
||||
closedir(d);
|
||||
}
|
||||
free(dirname);
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
HEIMDAL_MUTEX_unlock(&modules_mutex);
|
||||
heim_release(module);
|
||||
#ifdef _WIN32
|
||||
if (plugin_prefix)
|
||||
@@ -409,42 +456,24 @@ _krb5_load_plugins(krb5_context context, const char *name, const char **paths)
|
||||
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
|
||||
_krb5_unload_plugins(krb5_context context, const char *name)
|
||||
{
|
||||
HEIMDAL_MUTEX_lock(&plugin_mutex);
|
||||
heim_string_t sname = heim_string_create(name);
|
||||
heim_dict_t modules;
|
||||
|
||||
HEIMDAL_MUTEX_lock(&modules_mutex);
|
||||
|
||||
modules = copy_modules();
|
||||
heim_dict_delete_key(modules, sname);
|
||||
|
||||
HEIMDAL_MUTEX_unlock(&modules_mutex);
|
||||
|
||||
heim_release(modules);
|
||||
modules = NULL;
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
*/
|
||||
|
||||
struct common_plugin_method {
|
||||
int version;
|
||||
krb5_error_code (*init)(krb5_context, void **);
|
||||
void (*fini)(void *);
|
||||
};
|
||||
|
||||
struct plug {
|
||||
void *dataptr;
|
||||
void *ctx;
|
||||
};
|
||||
|
||||
static void
|
||||
plug_free(void *ptr)
|
||||
{
|
||||
struct plug *pl = ptr;
|
||||
if (pl->dataptr) {
|
||||
struct common_plugin_method *cpm = pl->dataptr;
|
||||
cpm->fini(pl->ctx);
|
||||
}
|
||||
heim_release(sname);
|
||||
}
|
||||
|
||||
struct iter_ctx {
|
||||
krb5_context context;
|
||||
heim_string_t n;
|
||||
const char *name;
|
||||
int min_version;
|
||||
struct krb5_plugin_data *caller;
|
||||
int flags;
|
||||
heim_array_t result;
|
||||
krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *);
|
||||
@@ -452,48 +481,213 @@ struct iter_ctx {
|
||||
krb5_error_code ret;
|
||||
};
|
||||
|
||||
#ifdef HAVE_DLOPEN
|
||||
/*
|
||||
* Add plugin from a DSO that exports the plugin structure directly. This is
|
||||
* provided for backwards compatibility with prior versions of Heimdal, but it
|
||||
* does not allow a module to export multiple plugins, nor does it allow
|
||||
* instance validation.
|
||||
*/
|
||||
static heim_array_t
|
||||
add_dso_plugin_struct(krb5_context context,
|
||||
const char *dsopath,
|
||||
void *dsohandle,
|
||||
const char *name)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
common_plugin_ftable *cpm;
|
||||
struct krb5_plugin *pl;
|
||||
heim_array_t plugins;
|
||||
|
||||
if (dsohandle == NULL)
|
||||
return NULL;
|
||||
|
||||
/* suppress error here because we may be looking for a different plugin type */
|
||||
cpm = dlsym(dsohandle, name);
|
||||
if (cpm == NULL)
|
||||
return NULL;
|
||||
|
||||
krb5_warnx(context, "plugin %s uses deprecated loading mechanism", dsopath);
|
||||
|
||||
pl = heim_alloc(sizeof(*pl), "krb5-plugin", plugin_free);
|
||||
|
||||
ret = cpm->init(context, &pl->ctx);
|
||||
if (ret) {
|
||||
krb5_warn(context, ret, "plugin %s failed to initialize", dsopath);
|
||||
heim_release(pl);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
pl->ftable = cpm;
|
||||
|
||||
plugins = heim_array_create();
|
||||
heim_array_append_value(plugins, pl);
|
||||
heim_release(pl);
|
||||
|
||||
return plugins;
|
||||
}
|
||||
|
||||
typedef krb5_error_code
|
||||
(KRB5_CALLCONV *krb5_plugin_load_t)(krb5_context context,
|
||||
krb5_get_instance_func_t *func,
|
||||
size_t *n_ftables,
|
||||
const common_plugin_ftable *const **ftables);
|
||||
|
||||
static krb5_boolean
|
||||
validate_plugin_deps(krb5_context context,
|
||||
struct krb5_plugin_data *caller,
|
||||
const char *dsopath,
|
||||
krb5_get_instance_func_t get_instance)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
if (get_instance == NULL) {
|
||||
krb5_warnx(context, "plugin %s omitted instance callback",
|
||||
dsopath);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
for (i = 0; caller->deps[i] != NULL; i++) {
|
||||
uintptr_t heim_instance, plugin_instance;
|
||||
|
||||
heim_instance = caller->get_instance(caller->deps[i]);
|
||||
plugin_instance = get_instance(caller->deps[i]);
|
||||
|
||||
if (heim_instance == 0 || plugin_instance == 0)
|
||||
continue;
|
||||
|
||||
if (heim_instance != plugin_instance) {
|
||||
krb5_warnx(context, "plugin %s library %s linked against different "
|
||||
"version of Heimdal (got %zu, us %zu)",
|
||||
dsopath, caller->deps[i],
|
||||
plugin_instance, heim_instance);
|
||||
return FALSE;
|
||||
}
|
||||
_krb5_debug(context, 10, "Validated plugin library dependency %s for %s",
|
||||
caller->deps[i], dsopath);
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/*
|
||||
* New interface from Heimdal 8 where a DSO can export a load function
|
||||
* that can return both a libkrb5 instance identifier along with an array
|
||||
* of plugins.
|
||||
*/
|
||||
static heim_array_t
|
||||
add_dso_plugins_load_fn(krb5_context context,
|
||||
struct krb5_plugin_data *caller,
|
||||
const char *dsopath,
|
||||
void *dsohandle)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
heim_array_t plugins;
|
||||
krb5_plugin_load_t load_fn;
|
||||
char *sym;
|
||||
size_t i;
|
||||
krb5_get_instance_func_t get_instance;
|
||||
size_t n_ftables;
|
||||
const common_plugin_ftable *const *ftables;
|
||||
|
||||
if (asprintf(&sym, "%s_plugin_load", caller->name) == -1)
|
||||
return NULL;
|
||||
|
||||
/* suppress error here because we may be looking for a different plugin type */
|
||||
load_fn = dlsym(dsohandle, sym);
|
||||
free(sym);
|
||||
if (load_fn == NULL)
|
||||
return NULL;
|
||||
|
||||
ret = load_fn(context, &get_instance, &n_ftables, &ftables);
|
||||
if (ret) {
|
||||
krb5_warn(context, ret, "plugin %s failed to load", dsopath);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!validate_plugin_deps(context, caller, dsopath, get_instance))
|
||||
return NULL;
|
||||
|
||||
plugins = heim_array_create();
|
||||
|
||||
for (i = 0; i < n_ftables; i++) {
|
||||
const common_plugin_ftable *const cpm = ftables[i];
|
||||
struct krb5_plugin *pl;
|
||||
|
||||
pl = heim_alloc(sizeof(*pl), "krb5-plugin", plugin_free);
|
||||
|
||||
ret = cpm->init(context, &pl->ctx);
|
||||
if (ret) {
|
||||
krb5_warn(context, ret, "plugin %s[%zu] failed to initialize",
|
||||
dsopath, i);
|
||||
} else {
|
||||
pl->ftable = rk_UNCONST(cpm);
|
||||
heim_array_append_value(plugins, pl);
|
||||
}
|
||||
heim_release(pl);
|
||||
}
|
||||
|
||||
return plugins;
|
||||
}
|
||||
#endif /* HAVE_DLOPEN */
|
||||
|
||||
static void
|
||||
reduce_by_version(heim_object_t value, void *ctx, int *stop)
|
||||
{
|
||||
struct iter_ctx *s = ctx;
|
||||
struct krb5_plugin *pl = value;
|
||||
|
||||
if (pl->ftable && pl->ftable->version >= s->caller->min_version)
|
||||
heim_array_append_value(s->result, pl);
|
||||
}
|
||||
|
||||
static void
|
||||
search_modules(heim_object_t key, heim_object_t value, void *ctx)
|
||||
{
|
||||
struct iter_ctx *s = ctx;
|
||||
struct plugin2 *p = value;
|
||||
struct plug *pl = heim_dict_copy_value(p->names, s->n);
|
||||
struct common_plugin_method *cpm;
|
||||
struct krb5_dso *p = value;
|
||||
heim_array_t plugins = heim_dict_copy_value(p->plugins_by_name, s->n);
|
||||
|
||||
if (pl == NULL) {
|
||||
if (p->dsohandle == NULL)
|
||||
return;
|
||||
#ifdef HAVE_DLOPEN
|
||||
if (plugins == NULL && p->dsohandle) {
|
||||
const char *path = heim_string_get_utf8(p->path);
|
||||
|
||||
pl = heim_alloc(sizeof(*pl), "struct-plug", plug_free);
|
||||
|
||||
cpm = pl->dataptr = dlsym(p->dsohandle, s->name);
|
||||
if (cpm) {
|
||||
int ret;
|
||||
|
||||
ret = cpm->init(s->context, &pl->ctx);
|
||||
if (ret)
|
||||
cpm = pl->dataptr = NULL;
|
||||
plugins = add_dso_plugins_load_fn(s->context,
|
||||
s->caller,
|
||||
path,
|
||||
p->dsohandle);
|
||||
if (plugins == NULL) {
|
||||
/* fallback to loading structure directly */
|
||||
plugins = add_dso_plugin_struct(s->context, path,
|
||||
p->dsohandle, s->caller->name);
|
||||
}
|
||||
if (plugins) {
|
||||
heim_dict_set_value(p->plugins_by_name, s->n, plugins);
|
||||
_krb5_debug(s->context, 5, "Loaded %zu %s %s plugin%s from %s",
|
||||
heim_array_get_length(plugins),
|
||||
s->caller->module, s->caller->name,
|
||||
heim_array_get_length(plugins) > 1 ? "s" : "",
|
||||
path);
|
||||
}
|
||||
heim_dict_set_value(p->names, s->n, pl);
|
||||
} else {
|
||||
cpm = pl->dataptr;
|
||||
}
|
||||
#endif /* HAVE_DLOPEN */
|
||||
|
||||
if (cpm && cpm->version >= s->min_version)
|
||||
heim_array_append_value(s->result, pl);
|
||||
heim_release(pl);
|
||||
if (plugins) {
|
||||
heim_array_iterate_f(plugins, s, reduce_by_version);
|
||||
heim_release(plugins);
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
eval_results(heim_object_t value, void *ctx, int *stop)
|
||||
{
|
||||
struct plug *pl = value;
|
||||
struct krb5_plugin *pl = value;
|
||||
struct iter_ctx *s = ctx;
|
||||
|
||||
if (s->ret != KRB5_PLUGIN_NO_HANDLE)
|
||||
return;
|
||||
|
||||
s->ret = s->func(s->context, pl->dataptr, pl->ctx, s->userctx);
|
||||
s->ret = s->func(s->context, pl->ftable, pl->ctx, s->userctx);
|
||||
if (s->ret != KRB5_PLUGIN_NO_HANDLE
|
||||
&& !(s->flags & KRB5_PLUGIN_INVOKE_ALL))
|
||||
*stop = 1;
|
||||
@@ -503,7 +697,7 @@ eval_results(heim_object_t value, void *ctx, int *stop)
|
||||
* Run plugins for the given @module (e.g., "krb5") and @name (e.g.,
|
||||
* "kuserok"). Specifically, the @func is invoked once per-plugin with
|
||||
* four arguments: the @context, the plugin symbol value (a pointer to a
|
||||
* struct whose first three fields are the same as struct common_plugin_method),
|
||||
* struct whose first three fields are the same as common_plugin_ftable),
|
||||
* a context value produced by the plugin's init method, and @userctx.
|
||||
*
|
||||
* @func should unpack arguments for a plugin function and invoke it
|
||||
@@ -530,83 +724,69 @@ eval_results(heim_object_t value, void *ctx, int *stop)
|
||||
*/
|
||||
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
|
||||
_krb5_plugin_run_f(krb5_context context,
|
||||
const char *module,
|
||||
const char *name,
|
||||
int min_version,
|
||||
struct krb5_plugin_data *caller,
|
||||
int flags,
|
||||
void *userctx,
|
||||
krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *))
|
||||
{
|
||||
heim_string_t m = heim_string_create(module);
|
||||
heim_dict_t dict = NULL;
|
||||
void *plug_ctx;
|
||||
struct common_plugin_method *cpm;
|
||||
heim_string_t m = heim_string_create(caller->module);
|
||||
heim_dict_t modules, dict = NULL;
|
||||
struct iter_ctx s;
|
||||
struct krb5_plugin *registered_plugins = NULL;
|
||||
struct krb5_plugin *p;
|
||||
|
||||
/* Get registered plugins */
|
||||
(void) _krb5_plugin_find(context, SYMBOL, name, ®istered_plugins);
|
||||
|
||||
HEIMDAL_MUTEX_lock(&plugin_mutex);
|
||||
|
||||
s.context = context;
|
||||
s.name = name;
|
||||
s.n = heim_string_create(name);
|
||||
s.caller = caller;
|
||||
s.n = heim_string_create(caller->name);
|
||||
s.flags = flags;
|
||||
s.min_version = min_version;
|
||||
s.result = heim_array_create();
|
||||
s.func = func;
|
||||
s.userctx = userctx;
|
||||
s.ret = KRB5_PLUGIN_NO_HANDLE;
|
||||
|
||||
/* Get loaded plugins */
|
||||
if (modules)
|
||||
dict = heim_dict_copy_value(modules, m);
|
||||
HEIMDAL_MUTEX_lock(&modules_mutex);
|
||||
|
||||
heim_release(m);
|
||||
/* Get loaded plugins */
|
||||
modules = copy_modules();
|
||||
dict = heim_dict_copy_value(modules, m);
|
||||
|
||||
/* Add loaded plugins to s.result array */
|
||||
if (dict)
|
||||
heim_dict_iterate_f(dict, &s, search_modules);
|
||||
|
||||
/* We don't need to hold plugin_mutex during plugin invocation */
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
/* We don't need to hold modules_mutex during plugin invocation */
|
||||
HEIMDAL_MUTEX_unlock(&modules_mutex);
|
||||
|
||||
/* Invoke registered plugins (old system) */
|
||||
for (p = registered_plugins; p; p = p->next) {
|
||||
/*
|
||||
* XXX This is the wrong way to handle registered plugins, as we
|
||||
* call init/fini on each invocation! We do this because we
|
||||
* have nowhere in the struct plugin registered list to store
|
||||
* the context allocated by the plugin's init function. (But at
|
||||
* least we do call init/fini!)
|
||||
*
|
||||
* What we should do is adapt the old plugin system to the new
|
||||
* one and change how we register plugins so that we use the new
|
||||
* struct plug to keep track of their context structures, that
|
||||
* way we can init once, invoke many times, then fini.
|
||||
*/
|
||||
cpm = (struct common_plugin_method *)p->symbol;
|
||||
s.ret = cpm->init(context, &plug_ctx);
|
||||
if (s.ret)
|
||||
continue;
|
||||
s.ret = s.func(s.context, p->symbol, plug_ctx, s.userctx);
|
||||
cpm->fini(plug_ctx);
|
||||
if (s.ret != KRB5_PLUGIN_NO_HANDLE &&
|
||||
!(flags & KRB5_PLUGIN_INVOKE_ALL))
|
||||
break;
|
||||
}
|
||||
_krb5_plugin_free(registered_plugins);
|
||||
|
||||
/* Invoke loaded plugins (new system) */
|
||||
if (s.ret == KRB5_PLUGIN_NO_HANDLE)
|
||||
heim_array_iterate_f(s.result, &s, eval_results);
|
||||
/* Invoke loaded plugins */
|
||||
heim_array_iterate_f(s.result, &s, eval_results);
|
||||
|
||||
heim_release(s.result);
|
||||
heim_release(s.n);
|
||||
if (dict)
|
||||
heim_release(dict);
|
||||
heim_release(dict);
|
||||
heim_release(m);
|
||||
heim_release(modules);
|
||||
|
||||
return s.ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return a cookie identifying this instance of a library.
|
||||
*
|
||||
* Inputs:
|
||||
*
|
||||
* @context A krb5_context
|
||||
* @module Our library name or a library we depend on
|
||||
*
|
||||
* Outputs: The instance cookie
|
||||
*
|
||||
* @ingroup krb5_support
|
||||
*/
|
||||
|
||||
KRB5_LIB_FUNCTION uintptr_t KRB5_LIB_CALL
|
||||
krb5_get_instance(const char *libname)
|
||||
{
|
||||
static const char *instance = "libkrb5";
|
||||
|
||||
if (strcmp(libname, "krb5") == 0)
|
||||
return (uintptr_t)instance;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@@ -96,6 +96,17 @@ realmcallback(krb5_context context, const void *plug, void *plugctx, void *userc
|
||||
ctx->send_data, ctx->receive);
|
||||
}
|
||||
|
||||
static const char *send_to_kdc_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct krb5_plugin_data
|
||||
send_to_kdc_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_SEND_TO_KDC,
|
||||
KRB5_PLUGIN_SEND_TO_KDC_VERSION_0,
|
||||
send_to_kdc_plugin_deps,
|
||||
krb5_get_instance
|
||||
};
|
||||
|
||||
static krb5_error_code
|
||||
kdc_via_plugin(krb5_context context,
|
||||
krb5_krbhst_info *hi,
|
||||
@@ -111,8 +122,7 @@ kdc_via_plugin(krb5_context context,
|
||||
userctx.send_data = send_data;
|
||||
userctx.receive = receive;
|
||||
|
||||
return _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_SEND_TO_KDC,
|
||||
KRB5_PLUGIN_SEND_TO_KDC_VERSION_0, 0,
|
||||
return _krb5_plugin_run_f(context, &send_to_kdc_plugin_data, 0,
|
||||
&userctx, kdccallback);
|
||||
}
|
||||
|
||||
@@ -131,8 +141,7 @@ realm_via_plugin(krb5_context context,
|
||||
userctx.send_data = send_data;
|
||||
userctx.receive = receive;
|
||||
|
||||
return _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_SEND_TO_KDC,
|
||||
KRB5_PLUGIN_SEND_TO_KDC_VERSION_2, 0,
|
||||
return _krb5_plugin_run_f(context, &send_to_kdc_plugin_data, 0,
|
||||
&userctx, realmcallback);
|
||||
}
|
||||
|
||||
|
@@ -66,10 +66,12 @@ resolve_lookup(void *ctx,
|
||||
s.sin_port = htons(88);
|
||||
s.sin_addr.s_addr = htonl(0x7f000002);
|
||||
|
||||
if (strcmp(realm, "NOTHERE.H5L.SE") == 0)
|
||||
if (strcmp(realm, "NOTHERE.H5L.SE") == 0) {
|
||||
(*add)(addctx, type, (struct sockaddr *)&s);
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 0;
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
|
||||
|
||||
|
@@ -362,6 +362,7 @@ HEIMDAL_KRB5_2.0 {
|
||||
krb5_get_init_creds_opt_set_tkt_life;
|
||||
krb5_get_init_creds_opt_set_win2k;
|
||||
krb5_get_init_creds_password;
|
||||
krb5_get_instance;
|
||||
krb5_get_kdc_cred;
|
||||
krb5_get_kdc_sec_offset;
|
||||
krb5_get_krb524hst;
|
||||
@@ -748,6 +749,10 @@ HEIMDAL_KRB5_2.0 {
|
||||
_krb5_build_authenticator;
|
||||
_krb5_kt_client_default_name;
|
||||
|
||||
# Shared with libkadm5
|
||||
_krb5_load_plugins;
|
||||
_krb5_unload_plugins;
|
||||
|
||||
# Shared with libkdc
|
||||
_krb5_AES_SHA1_string_to_default_iterator;
|
||||
_krb5_AES_SHA2_string_to_default_iterator;
|
||||
@@ -761,8 +766,6 @@ HEIMDAL_KRB5_2.0 {
|
||||
_krb5_pk_load_id;
|
||||
_krb5_pk_mk_ContentInfo;
|
||||
_krb5_pk_octetstring2key;
|
||||
_krb5_plugin_find;
|
||||
_krb5_plugin_free;
|
||||
_krb5_plugin_run_f;
|
||||
_krb5_principal2principalname;
|
||||
_krb5_principalname2krb5_principal;
|
||||
|
Reference in New Issue
Block a user