kdc: Get KDC config out of CSR authorizer API

Part of refactoring to split out bx509/bnegotiate, add a kadmin REST service, and move all of that out of kdc/.
2020-08-14 18:33:00 -05:00
parent a12fe376ae
commit c3e99be519
7 changed files with 18 additions and 28 deletions
--- a/kdc/csr_authorizer.c
+++ b/kdc/csr_authorizer.c
@@ -35,7 +35,7 @@
 #include "csr_authorizer_plugin.h"

 struct plctx {
-    krb5_kdc_configuration  *config;
+    const char              *app;
    hx509_request           csr;
    krb5_const_principal    client;
    krb5_boolean            result;
@@ -47,7 +47,7 @@ plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx)
    const krb5plugin_csr_authorizer_ftable *authorizer = plug;
    struct plctx *plctx = userctx;

-    return authorizer->authorize(plugctx, context, plctx->config, plctx->csr,
+    return authorizer->authorize(plugctx, context, plctx->app, plctx->csr,
                                 plctx->client, &plctx->result);
 }

@@ -67,14 +67,14 @@ static struct heim_plugin_data csr_authorizer_data = {
 */
 krb5_error_code
 kdc_authorize_csr(krb5_context context,
-                  krb5_kdc_configuration *config,
+                  const char *app,
                  hx509_request csr,
                  krb5_const_principal client)
 {
    krb5_error_code ret;
    struct plctx ctx;

-    ctx.config = config;
+    ctx.app = app;
    ctx.csr = csr;
    ctx.client = client;
    ctx.result = FALSE;
--- a/kdc/csr_authorizer_plugin.h
+++ b/kdc/csr_authorizer_plugin.h
@@ -54,7 +54,7 @@
 *
 * -# plug_ctx, the context value output by the plugin's init function
 * -# context, a krb5_context
- * -# config, a krb5_kdc_configuration *
+ * -# app, the name of the application
 * -# csr, a hx509_request
 * -# client, a krb5_const_principal
 * -# authorization_result, a pointer to a krb5_boolean
@@ -66,8 +66,8 @@ typedef struct krb5plugin_csr_authorizer_ftable_desc {
    krb5_error_code	(KRB5_LIB_CALL *init)(krb5_context, void **);
    void		(KRB5_LIB_CALL *fini)(void *);
    krb5_error_code	(KRB5_LIB_CALL *authorize)(void *,              /*plug_ctx*/
-                                                   krb5_context,
-                                                   krb5_kdc_configuration *,
+                                                   krb5_context,        /*context*/
+                                                   const char *,        /*app*/
                                                   hx509_request,       /*CSR*/
                                                   krb5_const_principal,/*client*/
                                                   krb5_boolean *);     /*authorized*/
--- a/kdc/ipc_csr_authorizer.c
+++ b/kdc/ipc_csr_authorizer.c
@@ -269,7 +269,7 @@ mark_authorized(hx509_request csr)
 static KRB5_LIB_CALL krb5_error_code
 authorize(void *ctx,
          krb5_context context,
-          krb5_kdc_configuration *config,
+          const char *app,
          hx509_request csr,
          krb5_const_principal client,
          krb5_boolean *result)
@@ -285,10 +285,9 @@ authorize(void *ctx,
    char *s = NULL;
    int do_check = 0;

-    if ((svc = krb5_config_get_string(context, NULL,
-                                      config->app ? config->app : "kdc",
-                                      "ipc_csr_authorizer", "service",
-                                      NULL)) == NULL)
+    if ((svc = krb5_config_get_string(context, NULL, app ? app : "kdc",
+                                      "ipc_csr_authorizer", "service", NULL))
+        == NULL)
        return KRB5_PLUGIN_NO_HANDLE;

    if ((ret = heim_ipc_init_context(svc, &ipc))) {
--- a/kdc/kx509.c
+++ b/kdc/kx509.c
@@ -665,7 +665,8 @@ check_authz(krb5_context context,
     */
    if (!reqctx->have_csr)
        return 0;
-    ret = kdc_authorize_csr(context, reqctx->config, reqctx->csr, cprincipal);
+    ret = kdc_authorize_csr(context, reqctx->config->app, reqctx->csr,
+                            cprincipal);
    if (ret == 0) {
        _kdc_audit_addkv((kdc_request_t)reqctx, 0, "authorized", "true");

--- a/kdc/simple_csr_authorizer.c
+++ b/kdc/simple_csr_authorizer.c
@@ -160,7 +160,7 @@ string_encode(const char *in)
 static KRB5_LIB_CALL krb5_error_code
 authorize(void *ctx,
          krb5_context context,
-          krb5_kdc_configuration *config,
+          const char *app,
          hx509_request csr,
          krb5_const_principal client,
          krb5_boolean *result)
--- a/kdc/test_csr_authorizer.c
+++ b/kdc/test_csr_authorizer.c
@@ -30,7 +30,7 @@ usage(int e)
 int
 main(int argc, char **argv)
 {
-    krb5_kdc_configuration *config;
+    krb5_log_facility *logf;
    krb5_error_code ret;
    krb5_context context;
    hx509_request csr;
@@ -56,25 +56,19 @@ main(int argc, char **argv)

    if ((errno = krb5_init_context(&context)))
        err(1, "Could not initialize krb5_context");
-    if ((ret = krb5_kdc_get_config(context, &config)))
-        krb5_err(context, 1, ret, "Could not get KDC configuration");
-    config->app = app_string;
-    if ((ret = krb5_initlog(context, argv0, &config->logf)) ||
-        (ret = krb5_addlog_dest(context, config->logf, "0-5/STDERR")))
+    if ((ret = krb5_initlog(context, argv0, &logf)) ||
+        (ret = krb5_addlog_dest(context, logf, "0-5/STDERR")))
        krb5_err(context, 1, ret, "Could not set up logging to stderr");
-    if ((ret = krb5_kdc_set_dbinfo(context, config)))
-        krb5_err(context, 1, ret, "Could not get KDC configuration (HDB)");
    if ((ret = hx509_request_parse(context->hx509ctx, argv[0], &csr)))
        krb5_err(context, 1, ret, "Could not parse PKCS#10 CSR from %s", argv[0]);
    if ((ret = krb5_parse_name(context, argv[1], &princ)))
        krb5_err(context, 1, ret, "Could not parse principal %s", argv[1]);
-    if ((ret = kdc_authorize_csr(context, config, csr, princ)))
+    if ((ret = kdc_authorize_csr(context, app_string, csr, princ)))
        krb5_err(context, 1, ret, "Authorization failed");
    printf("Authorized!\n");
    krb5_free_principal(context, princ);
    _krb5_unload_plugins(context, "kdc");
    krb5_free_context(context);
    hx509_request_free(&csr);
-    /* FIXME There's no free function for config yet */
    return 0;
 }
--- a/kdc/test_token_validator.c
+++ b/kdc/test_token_validator.c
@@ -30,7 +30,6 @@ usage(int e)
 int
 main(int argc, char **argv)
 {
-    krb5_kdc_configuration *config;
    krb5_error_code ret;
    krb5_context context;
    krb5_data token;
@@ -60,9 +59,6 @@ main(int argc, char **argv)

    if ((ret = krb5_init_context(&context)))
        err(1, "Could not initialize krb5_context");
-    if ((ret = krb5_kdc_get_config(context, &config)))
-        krb5_err(context, 1, ret, "Could not get KDC configuration");
-    config->app = app;

    token_type = argv[0];
    token.data = argv[1];