From 0c09070e8beec734e3f0c70e14b0a04788077b73 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:25:52 +0200
Subject: [PATCH 3/4] adenroll: add adcli_enroll_get_permitted_keytab_enctypes
 with tests
The new call does not only return the current encryption types set in AD
or a default list, but also filters them against the list of permitted encryption
types on the client. This makes sure the client can create and use the
keys.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
 library/Makefile.am |   5 ++
 library/adenroll.c  | 124 ++++++++++++++++++++++++++++++++++++++++++++
 library/adenroll.h  |   2 +
 3 files changed, 131 insertions(+)
diff --git a/library/Makefile.am b/library/Makefile.am
index 39e8fd1..4829555 100644
--- a/library/Makefile.am
+++ b/library/Makefile.am
@@ -40,6 +40,7 @@ check_PROGRAMS = \
 	test-util \
 	test-ldap \
 	test-attrs \
+	test-adenroll \
 	$(NULL)
 
 test_seq_SOURCES = seq.c test.c test.h
@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES)
 test_attrs_CFLAGS = -DATTRS_TESTS
 test_attrs_LDADD = $(test_ldap_LDADD)
 
+test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES)
+test_adenroll_CFLAGS = -DADENROLL_TESTS
+test_adenroll_LDADD = $(KRB5_LIBS)
+
 TESTS = $(check_PROGRAMS)
 
 MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes
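Review bot: The new target links only `$(KRB5_LIBS)` although, like test_attrs, it compiles `$(test_ldap_SOURCES)` into the binary, and test_attrs_LDADD reuses `$(test_ldap_LDADD)` for exactly those sources. If test_ldap_LDADD carries libraries that those sources need (its definition is outside this hunk), the link step of test-adenroll will fail, and `test_adenroll_LDADD = $(test_ldap_LDADD) $(KRB5_LIBS)` would keep the two test targets consistent. The Kerberos calls in adenroll.c are why KRB5_LIBS is needed on top of that.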
diff --git a/library/adenroll.c b/library/adenroll.c
index f617f28..95c07cd 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2641,6 +2641,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
 		return v51_earlier_enctypes;
 }
 
+krb5_enctype *
+adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+{
+	krb5_enctype *cur_enctypes;
+	krb5_enctype *permitted_enctypes;
+	krb5_enctype *new_enctypes;
+	krb5_error_code code;
+	krb5_context k5;
+	size_t c;
+	size_t p;
+	size_t n;
+
+	return_val_if_fail (enroll != NULL, NULL);
+	cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+
+	k5 = adcli_conn_get_krb5_context (enroll->conn);
+	return_val_if_fail (k5 != NULL, NULL);
+
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+	return_val_if_fail (code == 0, NULL);
+
+	for (c = 0; cur_enctypes[c] != 0; c++);
+
+	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+	return_val_if_fail (new_enctypes != NULL, NULL);
+
+	n = 0;
+	for (c = 0; cur_enctypes[c] != 0; c++) {
+		for (p = 0; permitted_enctypes[p] != 0; p++) {
+			if (cur_enctypes[c] == permitted_enctypes[p]) {
+				new_enctypes[n++] = cur_enctypes[c];
+				break;
+			}
+		}
+		if (permitted_enctypes[p] == 0) {
+			_adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]);
+		}
+	}
+
+	krb5_free_enctypes (k5, permitted_enctypes);
+
+	return new_enctypes;
+}
+
 void
 adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
                                   krb5_enctype *value)
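Review bot: permitted_enctypes leaks when the calloc() for new_enctypes fails, because `return_val_if_fail (new_enctypes != NULL, NULL);` returns before the krb5_free_enctypes() call at the end of the function, and the list came from krb5_get_permitted_enctypes() a few lines earlier. The early return should release it first, e.g. `if (new_enctypes == NULL) { krb5_free_enctypes (k5, permitted_enctypes); return NULL; }`, or the function should route all exits through one cleanup label. Note also that the result is calloc()-allocated while the new test frees it with krb5_free_enctypes(); that only works where the library routine is plain free(), so the ownership rule deserves a line in the header. The hunk ends inside adcli_enroll_set_keytab_enctypes, whose body continues outside the hunk.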
@@ -2833,3 +2877,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
 							    strdup (value), NULL);
 	return_if_fail (enroll->service_principals_to_remove != NULL);
 }
+
+#ifdef ADENROLL_TESTS
+
+#include "test.h"
+
+static void
+test_adcli_enroll_get_permitted_keytab_enctypes (void)
+{
+	krb5_enctype *enctypes;
+	krb5_error_code code;
+	krb5_enctype *permitted_enctypes;
+	krb5_enctype check_enctypes[3] = { 0 };
+	adcli_conn *conn;
+	adcli_enroll *enroll;
+	adcli_result res;
+	krb5_context k5;
+	size_t c;
+
+	conn = adcli_conn_new ("test.dom");
+	assert_ptr_not_null (conn);
+
+	enroll = adcli_enroll_new (conn);
+	assert_ptr_not_null (enroll);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL);
+	assert_ptr_eq (enctypes, NULL);
+
+	/* krb5 context missing */
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_eq (enctypes, NULL);
+
+	/* check that all permitted enctypes can pass */
+	res = _adcli_krb5_init_context (&k5;;
+	assert_num_eq (res, ADCLI_SUCCESS);
+
+	adcli_conn_set_krb5_context (conn, k5);
+
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+	assert_num_eq (code, 0);
+	assert_ptr_not_null (permitted_enctypes);
+	assert_num_cmp (permitted_enctypes[0], !=, 0);
+
+	adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_not_null (enctypes);
+	for (c = 0; permitted_enctypes[c] != 0; c++) {
+		assert_num_eq (enctypes[c], permitted_enctypes[c]);
+	}
+	assert_num_eq (enctypes[c], 0);
+	krb5_free_enctypes (k5, enctypes);
+
+	/* check that ENCTYPE_UNKNOWN is filtered out */
+	check_enctypes[0] = permitted_enctypes[0];
+	check_enctypes[1] = ENCTYPE_UNKNOWN;
+	check_enctypes[2] = 0;
+	adcli_enroll_set_keytab_enctypes (enroll, check_enctypes);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_not_null (enctypes);
+	assert_num_eq (enctypes[0], permitted_enctypes[0]);
+	assert_num_eq (enctypes[1], 0);
+	krb5_free_enctypes (k5, enctypes);
+
+	krb5_free_enctypes (k5, permitted_enctypes);
+
+	adcli_enroll_unref (enroll);
+	adcli_conn_unref (conn);
+}
+
+int
+main (int argc,
+      char *argv[])
+{
+	test_func (test_adcli_enroll_get_permitted_keytab_enctypes,
+	           "/attrs/adcli_enroll_get_permitted_keytab_enctypes");
+	return test_run (argc, argv);
+}
+
+#endif /* ADENROLL_TESTS */
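Review bot: The line `res = _adcli_krb5_init_context (&k5;;` in test_adcli_enroll_get_permitted_keytab_enctypes is not valid C as shown — the call is never closed — so test-adenroll would not compile; unless this is an artifact of the patch view, it should read `res = _adcli_krb5_init_context (&k5);`. The test is also registered under `"/attrs/adcli_enroll_get_permitted_keytab_enctypes"`, a path that looks copied from the adattrs tests; `"/adenroll/adcli_enroll_get_permitted_keytab_enctypes"` would keep failures attributable to this file. The "krb5 context missing" case relies on return_val_if_fail() returning NULL rather than aborting; if that macro also logs a critical message, a short comment saying the log line is expected would spare the next reader a false alarm.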
diff --git a/library/adenroll.h b/library/adenroll.h
index abbbfd4..1d5d00d 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -138,6 +138,8 @@ krb5_enctype *     adcli_enroll_get_keytab_enctypes     (adcli_enroll *enroll);
 void               adcli_enroll_set_keytab_enctypes     (adcli_enroll *enroll,
                                                          krb5_enctype *enctypes);
 
+krb5_enctype *     adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll);
+
 const char *       adcli_enroll_get_os_name             (adcli_enroll *enroll);
 
 void               adcli_enroll_set_os_name             (adcli_enroll *enroll,
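Review bot: The new prototype carries no ownership note, yet the function returns a freshly allocated, 0-terminated array that the caller must release (the accompanying test frees it with krb5_free_enctypes()), and it returns NULL when the enroll object, its krb5 context, or the allocation is missing. That differs from adcli_enroll_get_keytab_enctypes() just above, whose result in the adenroll.c hunk can be a built-in default table and so is presumably not caller-owned. A comment beside the declaration such as `/* Returns a newly allocated, 0-terminated list (free with krb5_free_enctypes()); NULL on error. */` would stop callers from treating the two getters alike.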
-- 
2.21.0