From c3e99be519ec0b991ad23006fd3a92d47eb05404 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Fri, 14 Aug 2020 18:33:00 -0500
Subject: [PATCH] kdc: Get KDC config out of CSR authorizer API

Part of refactoring to split out bx509/bnegotiate, add a kadmin REST service, and move all of that out of kdc/.
---
 kdc/csr_authorizer.c | 8 ++++----
 kdc/csr_authorizer_plugin.h | 6 +++---
 kdc/ipc_csr_authorizer.c | 9 ++++-----
 kdc/kx509.c | 3 ++-
 kdc/simple_csr_authorizer.c | 2 +-
 kdc/test_csr_authorizer.c | 14 ++++----------
 kdc/test_token_validator.c | 4 ----
 7 files changed, 18 insertions(+), 28 deletions(-)

diff --git a/kdc/csr_authorizer.c b/kdc/csr_authorizer.c
index 4d930f01a..fa20519d7 100644
--- a/kdc/csr_authorizer.c
+++ b/kdc/csr_authorizer.c
@@ -35,7 +35,7 @@
 #include "csr_authorizer_plugin.h"
 struct plctx {
- krb5_kdc_configuration *config;
+ const char *app;
 hx509_request csr;
 krb5_const_principal client;
 krb5_boolean result;
@@ -47,7 +47,7 @@ plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx)
 const krb5plugin_csr_authorizer_ftable *authorizer = plug;
 struct plctx *plctx = userctx;
- return authorizer->authorize(plugctx, context, plctx->config, plctx->csr,
+ return authorizer->authorize(plugctx, context, plctx->app, plctx->csr,
 plctx->client, &plctx->result);
 }
@@ -67,14 +67,14 @@ static struct heim_plugin_data csr_authorizer_data = {
 */
 krb5_error_code
 kdc_authorize_csr(krb5_context context,
- krb5_kdc_configuration *config,
+ const char *app,
 hx509_request csr,
 krb5_const_principal client)
 {
 krb5_error_code ret;
 struct plctx ctx;
- ctx.config = config;
+ ctx.app = app;
 ctx.csr = csr;
 ctx.client = client;
 ctx.result = FALSE;
diff --git a/kdc/csr_authorizer_plugin.h b/kdc/csr_authorizer_plugin.h
index 3f9b0651b..45f42014b 100644
--- a/kdc/csr_authorizer_plugin.h
+++ b/kdc/csr_authorizer_plugin.h
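Review bot: In the kdc_authorize_csr hunk the new `app` argument is copied into `ctx.app` and handed to every plugin as-is, so whether NULL is acceptable is left to each plugin to decide (ipc_csr_authorizer.c in this same patch falls back to "kdc"; the simple authorizer's body is not visible here). Since `app` selects the krb5.conf section plugins read their settings from, normalizing it once at the entry point keeps all plugins on the same section: `ctx.app = app ? app : "kdc";`. Whichever way it goes, the doc comment that ends at the top of the hunk should say what `app` is and whether it may be NULL, e.g. `* @param app Application name used as the krb5.conf section for plugin settings (NULL means "kdc")`. The function's body continues past the end of the hunk.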
@@ -54,7 +54,7 @@
 *
 * -# plug_ctx, the context value output by the plugin's init function
 * -# context, a krb5_context
- * -# config, a krb5_kdc_configuration *
+ * -# app, the name of the application
 * -# csr, a hx509_request
 * -# client, a krb5_const_principal
 * -# authorization_result, a pointer to a krb5_boolean
@@ -66,8 +66,8 @@ typedef struct krb5plugin_csr_authorizer_ftable_desc {
 krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
 void (KRB5_LIB_CALL *fini)(void *);
 krb5_error_code (KRB5_LIB_CALL *authorize)(void *, /*plug_ctx*/
- krb5_context,
- krb5_kdc_configuration *,
+ krb5_context, /*context*/
+ const char *, /*app*/
 hx509_request, /*CSR*/
 krb5_const_principal,/*client*/
 krb5_boolean *); /*authorized*/
diff --git a/kdc/ipc_csr_authorizer.c b/kdc/ipc_csr_authorizer.c
index 654084f4e..fad3919a2 100644
--- a/kdc/ipc_csr_authorizer.c
+++ b/kdc/ipc_csr_authorizer.c
@@ -269,7 +269,7 @@ mark_authorized(hx509_request csr)
 static KRB5_LIB_CALL krb5_error_code
 authorize(void *ctx,
 krb5_context context,
- krb5_kdc_configuration *config,
+ const char *app,
 hx509_request csr,
 krb5_const_principal client,
 krb5_boolean *result)
@@ -285,10 +285,9 @@ authorize(void *ctx,
 char *s = NULL;
 int do_check = 0;
- if ((svc = krb5_config_get_string(context, NULL,
- config->app ? config->app : "kdc",
- "ipc_csr_authorizer", "service",
- NULL)) == NULL)
+ if ((svc = krb5_config_get_string(context, NULL, app ? app : "kdc",
+ "ipc_csr_authorizer", "service", NULL))
+ == NULL)
 return KRB5_PLUGIN_NO_HANDLE;
 if ((ret = heim_ipc_init_context(svc, &ipc))) {
diff --git a/kdc/kx509.c b/kdc/kx509.c
index 3851b242e..5ab34e954 100644
--- a/kdc/kx509.c
+++ b/kdc/kx509.c
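Review bot: The new documentation line `* -# app, the name of the application` in csr_authorizer_plugin.h does not tell a plugin author what the value is for or whether it can be NULL, which is the only contract change this patch makes to the plugin ABI. The one in-tree consumer visible here (ipc_csr_authorizer.c) uses it as the krb5.conf section name and substitutes "kdc" for NULL, so the header should state that: `* -# app, the application name; used as the krb5.conf section plugins read their settings from (may be NULL, in which case plugins should use "kdc")`. The same wording belongs on the `const char *, /*app*/` parameter of the authorize callback in the second hunk.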
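Review bot: In the ipc_csr_authorizer.c authorize hunk, `app` now directly chooses which krb5.conf section supplies the name of the IPC service this plugin will trust for authorization decisions, so it must only ever be a fixed, operator-controlled string; the callers visible in this patch (kx509.c passing config->app, the test passing app_string) satisfy that, but the plugin has no way to check. A comment on the lookup would make the requirement explicit for future callers: `/* app names a krb5.conf section chosen by KDC configuration, never by the request */`. The NULL fallback to "kdc" is now repeated in every plugin that reads configuration; if it stays per-plugin rather than being done once in kdc_authorize_csr, the plugin header should say so. The function continues past the end of the hunk.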
@@ -665,7 +665,8 @@ check_authz(krb5_context context,
 */
 if (!reqctx->have_csr)
 return 0;
- ret = kdc_authorize_csr(context, reqctx->config, reqctx->csr, cprincipal);
+ ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr,
+ cprincipal);
 if (ret == 0) {
 _kdc_audit_addkv((kdc_request_t)reqctx, 0, "authorized", "true");
diff --git a/kdc/simple_csr_authorizer.c b/kdc/simple_csr_authorizer.c
index 412389100..882d03b8f 100644
--- a/kdc/simple_csr_authorizer.c
+++ b/kdc/simple_csr_authorizer.c
@@ -160,7 +160,7 @@ string_encode(const char *in)
 static KRB5_LIB_CALL krb5_error_code
 authorize(void *ctx,
 krb5_context context,
- krb5_kdc_configuration *config,
+ const char *app,
 hx509_request csr,
 krb5_const_principal client,
 krb5_boolean *result)
diff --git a/kdc/test_csr_authorizer.c b/kdc/test_csr_authorizer.c
index 8de75000b..f491c8115 100644
--- a/kdc/test_csr_authorizer.c
+++ b/kdc/test_csr_authorizer.c
@@ -30,7 +30,7 @@ usage(int e)
 int
 main(int argc, char **argv)
 {
- krb5_kdc_configuration *config;
+ krb5_log_facility *logf;
 krb5_error_code ret;
 krb5_context context;
 hx509_request csr;
@@ -56,25 +56,19 @@ main(int argc, char **argv)
 if ((errno = krb5_init_context(&context)))
 err(1, "Could not initialize krb5_context");
- if ((ret = krb5_kdc_get_config(context, &config)))
- krb5_err(context, 1, ret, "Could not get KDC configuration");
- config->app = app_string;
- if ((ret = krb5_initlog(context, argv0, &config->logf)) ||
- (ret = krb5_addlog_dest(context, config->logf, "0-5/STDERR")))
+ if ((ret = krb5_initlog(context, argv0, &logf)) ||
+ (ret = krb5_addlog_dest(context, logf, "0-5/STDERR")))
 krb5_err(context, 1, ret, "Could not set up logging to stderr");
- if ((ret = krb5_kdc_set_dbinfo(context, config)))
- krb5_err(context, 1, ret, "Could not get KDC configuration (HDB)");
 if ((ret = hx509_request_parse(context->hx509ctx, argv[0], &csr)))
 krb5_err(context, 1, ret, "Could not parse PKCS#10 CSR from %s", argv[0]);
 if ((ret = krb5_parse_name(context, argv[1], &princ)))
 krb5_err(context, 1, ret, "Could not parse principal %s", argv[1]);
- if ((ret = kdc_authorize_csr(context, config, csr, princ)))
+ if ((ret = kdc_authorize_csr(context, app_string, csr, princ)))
 krb5_err(context, 1, ret, "Authorization failed");
 printf("Authorized!\n");
 krb5_free_principal(context, princ);
 _krb5_unload_plugins(context, "kdc");
 krb5_free_context(context);
 hx509_request_free(&csr);
- /* FIXME There's no free function for config yet */
 return 0;
 }
diff --git a/kdc/test_token_validator.c b/kdc/test_token_validator.c
index 3288fe4b0..bf71537f0 100644
--- a/kdc/test_token_validator.c
+++ b/kdc/test_token_validator.c
@@ -30,7 +30,6 @@ usage(int e)
 int
 main(int argc, char **argv)
 {
- krb5_kdc_configuration *config;
 krb5_error_code ret;
 krb5_context context;
 krb5_data token;
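Review bot: In the test_csr_authorizer.c main hunk, `logf` is created with krb5_initlog and given a "0-5/STDERR" destination but is then never used: it is not stored anywhere and not passed to kdc_authorize_csr, so neither the krb5_err calls nor the plugins reached through kdc_authorize_csr will log through it unless it is installed on the context, presumably with `krb5_set_warn_dest(context, logf);` right after the addlog_dest check. Before this change the facility lived in config->logf, which the KDC code could at least reach. The facility is also never released; add `krb5_closelog(context, logf);` before krb5_free_context. main's opening lines are in the preceding hunk, outside this one.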
@@ -60,9 +59,6 @@ main(int argc, char **argv)
 if ((ret = krb5_init_context(&context)))
 err(1, "Could not initialize krb5_context");
- if ((ret = krb5_kdc_get_config(context, &config)))
- krb5_err(context, 1, ret, "Could not get KDC configuration");
- config->app = app;
 token_type = argv[0];
 token.data = argv[1];