From 5654903a0be960a2ec5be5bfb77cc3263e11e58c Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Thu, 30 Jul 2015 16:52:42 +0200

Subject: [PATCH 48/57] krb5 utils: add sss_krb5_realm_has_proxy()

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

---

 Makefile.am                               |  1 +

 src/tests/krb5_proxy_check_test_data.conf |  8 +++++

 src/tests/krb5_utils-tests.c              | 17 +++++++++

 src/util/sss_krb5.c                       | 57 +++++++++++++++++++++++++++++++

 src/util/sss_krb5.h                       |  2 ++

 5 files changed, 85 insertions(+)

 create mode 100644 src/tests/krb5_proxy_check_test_data.conf

diff --git a/Makefile.am b/Makefile.am

index 5345d90d22cd285a5268ac50a6b527645acdb351..8b64317d6dce9a1ee8614916395b9afd9f11f382 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -366,6 +366,7 @@ dist_noinst_SCRIPTS = \

     src/tests/pysss_murmur-test.py2.sh \

     src/tests/pysss_murmur-test.py3.sh \

     src/tests/python-test.py \

+    src/tests/krb5_proxy_check_test_data.conf \

     $(NULL)

 dist_noinst_DATA = \

diff --git a/src/tests/krb5_proxy_check_test_data.conf b/src/tests/krb5_proxy_check_test_data.conf

new file mode 100644

index 0000000000000000000000000000000000000000..eb74dbfa47d643668688d5c789b5962698c3d17c

--- /dev/null

+++ b/src/tests/krb5_proxy_check_test_data.conf

@@ -0,0 +1,8 @@

+[realms]

+  REALM = {

+    kdc = hello

+  }

+

+  REALM_PROXY = {

+    kdc = https://hello

+  }

diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c

index 650ed48592768c214156d5274e654a447be98e36..9a25b09cdc136651a7117327036dd51b8ff23606 100644

--- a/src/tests/krb5_utils-tests.c

+++ b/src/tests/krb5_utils-tests.c

@@ -684,6 +684,22 @@ START_TEST(test_parse_krb5_map_user)

 }

 END_TEST

+START_TEST(test_sss_krb5_realm_has_proxy)

+{

+    krb5_error_code kerr;

+    long perr;

+

+    fail_unless(sss_krb5_realm_has_proxy(NULL) == false);

+

+    setenv("KRB5_CONFIG", "/dev/null", 1);

+    fail_unless(sss_krb5_realm_has_proxy("REALM") == false);

+

+    setenv("KRB5_CONFIG", ABS_SRC_DIR"/src/tests/krb5_proxy_check_test_data.conf", 1);

+    fail_unless(sss_krb5_realm_has_proxy("REALM") == false);

+    fail_unless(sss_krb5_realm_has_proxy("REALM_PROXY") == true);

+}

+END_TEST

+

 Suite *krb5_utils_suite (void)

 {

     Suite *s = suite_create ("krb5_utils");

@@ -723,6 +739,7 @@ Suite *krb5_utils_suite (void)

     TCase *tc_krb5_helpers = tcase_create("Helper functions");

     tcase_add_test(tc_krb5_helpers, test_compare_principal_realm);

     tcase_add_test(tc_krb5_helpers, test_parse_krb5_map_user);

+    tcase_add_test(tc_krb5_helpers, test_sss_krb5_realm_has_proxy);

     suite_add_tcase(s, tc_krb5_helpers);

     return s;

diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c

index e5c2121da575b174c8b6a9a90835f2c97f807f37..2e128db3c9fcb0dfa88cab1ed799abd714ad8ba6 100644

--- a/src/util/sss_krb5.c

+++ b/src/util/sss_krb5.c

@@ -20,6 +20,7 @@

 #include <stdio.h>

 #include <errno.h>

 #include <talloc.h>

+#include <profile.h>

 #include "config.h"

@@ -1069,3 +1070,59 @@ krb5_error_code sss_krb5_kt_have_content(krb5_context context,

     return 0;

 #endif

 }

+

+#define KDC_PROXY_INDICATOR "https://"

+#define KDC_PROXY_INDICATOR_LEN (sizeof(KDC_PROXY_INDICATOR) - 1)

+

+bool sss_krb5_realm_has_proxy(const char *realm)

+{

+    krb5_context context = NULL;

+    krb5_error_code kerr;

+    struct _profile_t *profile = NULL;

+    const char  *profile_path[4] = {"realms", NULL, "kdc", NULL};

+    char **list = NULL;

+    bool res = false;

+    size_t c;

+

+    if (realm == NULL) {

+        return false;

+    }

+

+    kerr = krb5_init_context(&context);

+    if (kerr != 0) {

+        DEBUG(SSSDBG_OP_FAILURE, "krb5_init_context failed.\n");

+        return false;

+    }

+

+    kerr = krb5_get_profile(context, &profile);

+    if (kerr != 0) {

+        DEBUG(SSSDBG_OP_FAILURE, "krb5_get_profile failed.\n");

+        goto done;

+    }

+

+    profile_path[1] = realm;

+

+    kerr = profile_get_values(profile, profile_path, &list);

+    if (kerr != 0) {

+        DEBUG(SSSDBG_OP_FAILURE, "profile_get_values failed.\n");

+        goto done;

+    }

+

+    for (c = 0; list[c] != NULL; c++) {

+        if (strncasecmp(KDC_PROXY_INDICATOR, list[c],

+                        KDC_PROXY_INDICATOR_LEN) == 0) {

+            DEBUG(SSSDBG_TRACE_ALL,

+                  "Found KDC Proxy indicator [%s] in [%s].\n",

+                  KDC_PROXY_INDICATOR, list[c]);

+            res = true;

+            break;

+        }

+    }

+

+done:

+    profile_free_list(list);

+    profile_release(profile);

+    krb5_free_context(context);

+

+    return res;

+}

diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h

index 462dbbe0bda8969432c8ac2f062a0123c1f098f0..fdaeb49314764e096448f342a054dc6938f0c248 100644

--- a/src/util/sss_krb5.h

+++ b/src/util/sss_krb5.h

@@ -189,4 +189,6 @@ sss_krb5_get_primary(TALLOC_CTX *mem_ctx,

 krb5_error_code sss_krb5_kt_have_content(krb5_context context,

                                          krb5_keytab keytab);

+

+bool sss_krb5_realm_has_proxy(const char *realm);

 #endif /* __SSS_KRB5_H__ */

-- 

2.4.3