oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: Get KDC config out of CSR authorizer API

Browse Source 
Part of refactoring to split out bx509/bnegotiate, add a kadmin REST service,
and move all of that out of kdc/.
This commit is contained in:
Nicolas Williams
2020-08-14 18:33:00 -05:00
parent a12fe376ae
commit c3e99be519
7 changed files with 18 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
kdc/csr_authorizer.c
View File

@@ -35,7 +35,7 @@
#include "csr_authorizer_plugin.h" #include "csr_authorizer_plugin.h"
struct plctx { struct plctx {
krb5_kdc_configuration *config; const char *app;
hx509_request csr; hx509_request csr;
krb5_const_principal client; krb5_const_principal client;
krb5_boolean result; krb5_boolean result;
@@ -47,7 +47,7 @@ plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx)
const krb5plugin_csr_authorizer_ftable *authorizer = plug; const krb5plugin_csr_authorizer_ftable *authorizer = plug;
struct plctx *plctx = userctx; struct plctx *plctx = userctx;
return authorizer->authorize(plugctx, context, plctx->config, plctx->csr, return authorizer->authorize(plugctx, context, plctx->app, plctx->csr,
plctx->client, &plctx->result); plctx->client, &plctx->result);
} }
@@ -67,14 +67,14 @@ static struct heim_plugin_data csr_authorizer_data = {
*/ */
krb5_error_code krb5_error_code
kdc_authorize_csr(krb5_context context, kdc_authorize_csr(krb5_context context,
krb5_kdc_configuration *config, const char *app,
hx509_request csr, hx509_request csr,
krb5_const_principal client) krb5_const_principal client)
{ {
krb5_error_code ret; krb5_error_code ret;
struct plctx ctx; struct plctx ctx;
ctx.config = config; ctx.app = app;
ctx.csr = csr; ctx.csr = csr;
ctx.client = client; ctx.client = client;
ctx.result = FALSE; ctx.result = FALSE;

6
kdc/csr_authorizer_plugin.h
View File

@@ -54,7 +54,7 @@
* *
* -# plug_ctx, the context value output by the plugin's init function * -# plug_ctx, the context value output by the plugin's init function
* -# context, a krb5_context * -# context, a krb5_context
* -# config, a krb5_kdc_configuration * * -# app, the name of the application
* -# csr, a hx509_request * -# csr, a hx509_request
* -# client, a krb5_const_principal * -# client, a krb5_const_principal
* -# authorization_result, a pointer to a krb5_boolean * -# authorization_result, a pointer to a krb5_boolean
@@ -66,8 +66,8 @@ typedef struct krb5plugin_csr_authorizer_ftable_desc {
krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **); krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
void (KRB5_LIB_CALL *fini)(void *); void (KRB5_LIB_CALL *fini)(void *);
krb5_error_code (KRB5_LIB_CALL *authorize)(void *, /*plug_ctx*/ krb5_error_code (KRB5_LIB_CALL *authorize)(void *, /*plug_ctx*/
krb5_context, krb5_context, /*context*/
krb5_kdc_configuration *, const char *, /*app*/
hx509_request, /*CSR*/ hx509_request, /*CSR*/
krb5_const_principal,/*client*/ krb5_const_principal,/*client*/
krb5_boolean *); /*authorized*/ krb5_boolean *); /*authorized*/

9
kdc/ipc_csr_authorizer.c
View File

@@ -269,7 +269,7 @@ mark_authorized(hx509_request csr)
static KRB5_LIB_CALL krb5_error_code static KRB5_LIB_CALL krb5_error_code
authorize(void *ctx, authorize(void *ctx,
krb5_context context, krb5_context context,
krb5_kdc_configuration *config, const char *app,
hx509_request csr, hx509_request csr,
krb5_const_principal client, krb5_const_principal client,
krb5_boolean *result) krb5_boolean *result)
@@ -285,10 +285,9 @@ authorize(void *ctx,
char *s = NULL; char *s = NULL;
int do_check = 0; int do_check = 0;
if ((svc = krb5_config_get_string(context, NULL, if ((svc = krb5_config_get_string(context, NULL, app ? app : "kdc",
config->app ? config->app : "kdc", "ipc_csr_authorizer", "service", NULL))
"ipc_csr_authorizer", "service", == NULL)
NULL)) == NULL)
return KRB5_PLUGIN_NO_HANDLE; return KRB5_PLUGIN_NO_HANDLE;
if ((ret = heim_ipc_init_context(svc, &ipc))) { if ((ret = heim_ipc_init_context(svc, &ipc))) {

3
kdc/kx509.c
View File

@@ -665,7 +665,8 @@ check_authz(krb5_context context,
*/ */
if (!reqctx->have_csr) if (!reqctx->have_csr)
return 0; return 0;
ret = kdc_authorize_csr(context, reqctx->config, reqctx->csr, cprincipal); ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr,
cprincipal);
if (ret == 0) { if (ret == 0) {
_kdc_audit_addkv((kdc_request_t)reqctx, 0, "authorized", "true"); _kdc_audit_addkv((kdc_request_t)reqctx, 0, "authorized", "true");

2
kdc/simple_csr_authorizer.c
View File

@@ -160,7 +160,7 @@ string_encode(const char *in)
static KRB5_LIB_CALL krb5_error_code static KRB5_LIB_CALL krb5_error_code
authorize(void *ctx, authorize(void *ctx,
krb5_context context, krb5_context context,
krb5_kdc_configuration *config, const char *app,
hx509_request csr, hx509_request csr,
krb5_const_principal client, krb5_const_principal client,
krb5_boolean *result) krb5_boolean *result)

14
kdc/test_csr_authorizer.c
View File

@@ -30,7 +30,7 @@ usage(int e)
int int
main(int argc, char **argv) main(int argc, char **argv)
{ {
krb5_kdc_configuration *config; krb5_log_facility *logf;
krb5_error_code ret; krb5_error_code ret;
krb5_context context; krb5_context context;
hx509_request csr; hx509_request csr;
@@ -56,25 +56,19 @@ main(int argc, char **argv)
if ((errno = krb5_init_context(&context))) if ((errno = krb5_init_context(&context)))
err(1, "Could not initialize krb5_context"); err(1, "Could not initialize krb5_context");
if ((ret = krb5_kdc_get_config(context, &config))) if ((ret = krb5_initlog(context, argv0, &logf)) ||
krb5_err(context, 1, ret, "Could not get KDC configuration"); (ret = krb5_addlog_dest(context, logf, "0-5/STDERR")))
config->app = app_string;
if ((ret = krb5_initlog(context, argv0, &config->logf)) ||
(ret = krb5_addlog_dest(context, config->logf, "0-5/STDERR")))
krb5_err(context, 1, ret, "Could not set up logging to stderr"); krb5_err(context, 1, ret, "Could not set up logging to stderr");
if ((ret = krb5_kdc_set_dbinfo(context, config)))
krb5_err(context, 1, ret, "Could not get KDC configuration (HDB)");
if ((ret = hx509_request_parse(context->hx509ctx, argv[0], &csr))) if ((ret = hx509_request_parse(context->hx509ctx, argv[0], &csr)))
krb5_err(context, 1, ret, "Could not parse PKCS#10 CSR from %s", argv[0]); krb5_err(context, 1, ret, "Could not parse PKCS#10 CSR from %s", argv[0]);
if ((ret = krb5_parse_name(context, argv[1], &princ))) if ((ret = krb5_parse_name(context, argv[1], &princ)))
krb5_err(context, 1, ret, "Could not parse principal %s", argv[1]); krb5_err(context, 1, ret, "Could not parse principal %s", argv[1]);
if ((ret = kdc_authorize_csr(context, config, csr, princ))) if ((ret = kdc_authorize_csr(context, app_string, csr, princ)))
krb5_err(context, 1, ret, "Authorization failed"); krb5_err(context, 1, ret, "Authorization failed");
printf("Authorized!\n"); printf("Authorized!\n");
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
_krb5_unload_plugins(context, "kdc"); _krb5_unload_plugins(context, "kdc");
krb5_free_context(context); krb5_free_context(context);
hx509_request_free(&csr); hx509_request_free(&csr);
/* FIXME There's no free function for config yet */
return 0; return 0;
} }

4
kdc/test_token_validator.c
View File

@@ -30,7 +30,6 @@ usage(int e)
int int
main(int argc, char **argv) main(int argc, char **argv)
{ {
krb5_kdc_configuration *config;
krb5_error_code ret; krb5_error_code ret;
krb5_context context; krb5_context context;
krb5_data token; krb5_data token;
@@ -60,9 +59,6 @@ main(int argc, char **argv)
if ((ret = krb5_init_context(&context))) if ((ret = krb5_init_context(&context)))
err(1, "Could not initialize krb5_context"); err(1, "Could not initialize krb5_context");
if ((ret = krb5_kdc_get_config(context, &config)))
krb5_err(context, 1, ret, "Could not get KDC configuration");
config->app = app;
token_type = argv[0]; token_type = argv[0];
token.data = argv[1]; token.data = argv[1];