More kadmin support for kvno diff policy.
This commit is contained in:
Nicolas Williams
committed by
Nicolas Williams
Nicolas Williams
parent
3794d8b37b
commit
fac34871be
@@ -176,15 +176,17 @@ command = {
|
|||||||
}
|
}
|
||||||
option = {
|
option = {
|
||||||
long = "hist-kvno-diff-clnt"
|
long = "hist-kvno-diff-clnt"
|
||||||
type = "string"
|
type = "integer"
|
||||||
argument = "kvno diff"
|
argument = "kvno diff"
|
||||||
help = "historic keys allowed for client"
|
help = "historic keys allowed for client"
|
||||||
|
default = "-1"
|
||||||
}
|
}
|
||||||
option = {
|
option = {
|
||||||
long = "hist-kvno-diff-svc"
|
long = "hist-kvno-diff-svc"
|
||||||
type = "string"
|
type = "integer"
|
||||||
argument = "kvno diff"
|
argument = "kvno diff"
|
||||||
help = "historic keys allowed for service"
|
help = "historic keys allowed for service"
|
||||||
|
default = "-1"
|
||||||
}
|
}
|
||||||
option = {
|
option = {
|
||||||
long = "use-defaults"
|
long = "use-defaults"
|
||||||
@@ -379,15 +381,17 @@ command = {
|
|||||||
}
|
}
|
||||||
option = {
|
option = {
|
||||||
long = "hist-kvno-diff-clnt"
|
long = "hist-kvno-diff-clnt"
|
||||||
type = "string"
|
type = "integer"
|
||||||
argument = "kvno diff"
|
argument = "kvno diff"
|
||||||
help = "historic keys allowed for client"
|
help = "historic keys allowed for client"
|
||||||
|
default = "-1"
|
||||||
}
|
}
|
||||||
option = {
|
option = {
|
||||||
long = "hist-kvno-diff-svc"
|
long = "hist-kvno-diff-svc"
|
||||||
type = "string"
|
type = "integer"
|
||||||
argument = "kvno diff"
|
argument = "kvno diff"
|
||||||
help = "historic keys allowed for service"
|
help = "historic keys allowed for service"
|
||||||
|
default = "-1"
|
||||||
}
|
}
|
||||||
argument = "principal"
|
argument = "principal"
|
||||||
min_args = "1"
|
min_args = "1"
|
||||||
|
|||||||
55
kadmin/mod.c
55
kadmin/mod.c
@@ -41,7 +41,7 @@ add_tl(kadm5_principal_ent_rec *princ, int type, krb5_data *data)
|
|||||||
|
|
||||||
tl = ecalloc(1, sizeof(*tl));
|
tl = ecalloc(1, sizeof(*tl));
|
||||||
tl->tl_data_next = NULL;
|
tl->tl_data_next = NULL;
|
||||||
tl->tl_data_type = KRB5_TL_EXTENSION;
|
tl->tl_data_type = type;
|
||||||
tl->tl_data_length = data->length;
|
tl->tl_data_length = data->length;
|
||||||
tl->tl_data_contents = data->data;
|
tl->tl_data_contents = data->data;
|
||||||
|
|
||||||
@@ -99,7 +99,7 @@ add_constrained_delegation(krb5_context contextp,
|
|||||||
if (buf.length != size)
|
if (buf.length != size)
|
||||||
abort();
|
abort();
|
||||||
|
|
||||||
add_tl(princ, KRB5_TL_EXTENSION, &buf);
|
add_tl(princ, KRB5_TL_EXTENSION, &buf); /* XXX wrong type */
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@@ -142,7 +142,7 @@ add_aliases(krb5_context contextp, kadm5_principal_ent_rec *princ,
|
|||||||
if (buf.length != size)
|
if (buf.length != size)
|
||||||
abort();
|
abort();
|
||||||
|
|
||||||
add_tl(princ, KRB5_TL_EXTENSION, &buf);
|
add_tl(princ, KRB5_TL_ALIASES, &buf);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@@ -182,7 +182,41 @@ add_pkinit_acl(krb5_context contextp, kadm5_principal_ent_rec *princ,
|
|||||||
if (buf.length != size)
|
if (buf.length != size)
|
||||||
abort();
|
abort();
|
||||||
|
|
||||||
add_tl(princ, KRB5_TL_EXTENSION, &buf);
|
add_tl(princ, KRB5_TL_PKINIT_ACL, &buf);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
add_kvno_diff(krb5_context context, kadm5_principal_ent_rec *princ,
|
||||||
|
int is_svc_diff, krb5_kvno kvno_diff)
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
HDB_extension ext;
|
||||||
|
krb5_data buf;
|
||||||
|
size_t size = 0;
|
||||||
|
int type;
|
||||||
|
|
||||||
|
if (kvno_diff < 0)
|
||||||
|
return;
|
||||||
|
if (kvno_diff > 2048)
|
||||||
|
kvno_diff = 2048;
|
||||||
|
|
||||||
|
if (is_svc_diff) {
|
||||||
|
ext.data.element = choice_HDB_extension_data_hist_kvno_diff_svc;
|
||||||
|
ext.data.u.hist_kvno_diff_svc = (unsigned int)kvno_diff;
|
||||||
|
type = KRB5_TL_HIST_KVNO_DIFF_SVC;
|
||||||
|
} else {
|
||||||
|
ext.data.element = choice_HDB_extension_data_hist_kvno_diff_clnt;
|
||||||
|
ext.data.u.hist_kvno_diff_clnt = (unsigned int)kvno_diff;
|
||||||
|
type = KRB5_TL_HIST_KVNO_DIFF_CLNT;
|
||||||
|
}
|
||||||
|
ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length,
|
||||||
|
&ext, &size, ret);
|
||||||
|
if (ret)
|
||||||
|
abort();
|
||||||
|
if (buf.length != size)
|
||||||
|
abort();
|
||||||
|
|
||||||
|
add_tl(princ, type, &buf);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
@@ -211,7 +245,9 @@ do_mod_entry(krb5_principal principal, void *data)
|
|||||||
e->kvno_integer != -1 ||
|
e->kvno_integer != -1 ||
|
||||||
e->constrained_delegation_strings.num_strings ||
|
e->constrained_delegation_strings.num_strings ||
|
||||||
e->alias_strings.num_strings ||
|
e->alias_strings.num_strings ||
|
||||||
e->pkinit_acl_strings.num_strings) {
|
e->pkinit_acl_strings.num_strings ||
|
||||||
|
e->hist_kvno_diff_clnt_integer != -1 ||
|
||||||
|
e->hist_kvno_diff_svc_integer != -1) {
|
||||||
ret = set_entry(context, &princ, &mask,
|
ret = set_entry(context, &princ, &mask,
|
||||||
e->max_ticket_life_string,
|
e->max_ticket_life_string,
|
||||||
e->max_renewable_life_string,
|
e->max_renewable_life_string,
|
||||||
@@ -236,7 +272,14 @@ do_mod_entry(krb5_principal principal, void *data)
|
|||||||
add_pkinit_acl(context, &princ, &e->pkinit_acl_strings);
|
add_pkinit_acl(context, &princ, &e->pkinit_acl_strings);
|
||||||
mask |= KADM5_TL_DATA;
|
mask |= KADM5_TL_DATA;
|
||||||
}
|
}
|
||||||
|
if (e->hist_kvno_diff_clnt_integer != -1) {
|
||||||
|
add_kvno_diff(context, &princ, 0, e->hist_kvno_diff_clnt_integer);
|
||||||
|
mask |= KADM5_TL_DATA;
|
||||||
|
}
|
||||||
|
if (e->hist_kvno_diff_svc_integer != -1) {
|
||||||
|
add_kvno_diff(context, &princ, 1, e->hist_kvno_diff_clnt_integer);
|
||||||
|
mask |= KADM5_TL_DATA;
|
||||||
|
}
|
||||||
} else
|
} else
|
||||||
ret = edit_entry(&princ, &mask, NULL, 0);
|
ret = edit_entry(&princ, &mask, NULL, 0);
|
||||||
if(ret == 0) {
|
if(ret == 0) {
|
||||||
|
|||||||
Reference in New Issue
Block a user