From 436cf4c15b7659b21205affd6743aa6159c55b5c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 28 Aug 2019 14:22:49 +0200
Subject: [PATCH 54/55] KCM: Allow modifications of ccache's principal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related:
https://pagure.io/SSSD/sssd/issue/4017
This patch will be useful to fix credential delegation.
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/responder/kcm/kcmsrv_ccache.c | 37 +++++++++++++++++++++--
src/responder/kcm/kcmsrv_ccache.h | 5 +--
src/responder/kcm/kcmsrv_ccache_mem.c | 8 ++++-
src/responder/kcm/kcmsrv_ccache_secdb.c | 8 ++++-
src/responder/kcm/kcmsrv_ccache_secrets.c | 9 +++++-
src/responder/kcm/kcmsrv_ops.c | 4 +--
6 files changed, 60 insertions(+), 11 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
|
|
|
d6181b |
index 085cc4464..e24da9aa2 100644
|
|
|
d6181b |
--- a/src/responder/kcm/kcmsrv_ccache.c
|
|
|
d6181b |
+++ b/src/responder/kcm/kcmsrv_ccache.c
|
|
|
d6181b |
@@ -1089,25 +1089,56 @@ errno_t kcm_ccdb_create_cc_recv(struct tevent_req *req)
|
|
|
d6181b |
return EOK;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
-void kcm_mod_ctx_clear(struct kcm_mod_ctx *mod_ctx)
|
|
|
d6181b |
+static void kcm_mod_ctx_clear(struct kcm_mod_ctx *mod_ctx)
|
|
|
d6181b |
{
|
|
|
d6181b |
if (mod_ctx == NULL) {
|
|
|
d6181b |
return;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
mod_ctx->kdc_offset = INT32_MAX;
|
|
|
d6181b |
+ if (mod_ctx->client != NULL) {
|
|
|
d6181b |
+ krb5_free_principal(NULL, mod_ctx->client);
|
|
|
d6181b |
+ mod_ctx->client = NULL;
|
|
|
d6181b |
+ }
|
|
|
d6181b |
+
|
|
|
d6181b |
+ return;
|
|
|
d6181b |
+}
|
|
|
d6181b |
+
|
|
|
d6181b |
+struct kcm_mod_ctx *kcm_mod_ctx_new(TALLOC_CTX *mem_ctx)
|
|
|
d6181b |
+{
|
|
|
d6181b |
+ struct kcm_mod_ctx *mod_ctx;
|
|
|
d6181b |
+
|
|
|
d6181b |
+ mod_ctx = talloc_zero(mem_ctx, struct kcm_mod_ctx);
|
|
|
d6181b |
+ if (mod_ctx == NULL) {
|
|
|
d6181b |
+ return NULL;
|
|
|
d6181b |
+ }
|
|
|
d6181b |
+
|
|
|
d6181b |
+ kcm_mod_ctx_clear(mod_ctx);
|
|
|
d6181b |
+ return mod_ctx;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
-void kcm_mod_cc(struct kcm_ccache *cc, struct kcm_mod_ctx *mod_ctx)
|
|
|
d6181b |
+errno_t kcm_mod_cc(struct kcm_ccache *cc, struct kcm_mod_ctx *mod_ctx)
|
|
|
d6181b |
{
|
|
|
d6181b |
if (cc == NULL || mod_ctx == NULL) {
|
|
|
d6181b |
- return;
|
|
|
d6181b |
+ return EINVAL;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
if (mod_ctx->kdc_offset != INT32_MAX) {
|
|
|
d6181b |
cc->kdc_offset = mod_ctx->kdc_offset;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
+ if (mod_ctx->client != NULL) {
|
|
|
d6181b |
+ krb5_error_code kret;
|
|
|
d6181b |
+
|
|
|
d6181b |
+ kret = krb5_copy_principal(NULL, mod_ctx->client, &cc->client);
|
|
|
d6181b |
+ if (kret != 0) {
|
|
|
d6181b |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
d6181b |
+ "krb5_copy_principal failed: %d\n", kret);
|
|
|
d6181b |
+ return ERR_INTERNAL;
|
|
|
d6181b |
+ }
|
|
|
d6181b |
+ }
|
|
|
d6181b |
+
|
|
|
d6181b |
+ return EOK;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
struct kcm_ccdb_mod_cc_state {
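Review bot: `kcm_mod_cc` copies `mod_ctx->client` over `cc->client` without releasing whatever `cc->client` held before, so every principal change leaks the previous principal (assuming `cc->client` is libkrb5-allocated, as the `krb5_copy_principal` into it suggests); free it first with `krb5_free_principal(NULL, cc->client); cc->client = NULL;` ahead of the copy. A related gap is in `kcm_mod_ctx_new`: `kcm_mod_ctx_clear` is now static and, as far as this hunk shows, only called from the constructor, so a principal a caller later stores in `mod_ctx->client` is never freed when the talloc context is released — a talloc destructor that runs the clear would close that. The explicit `return;` at the end of the void `kcm_mod_ctx_clear` is also redundant and can be dropped.
```c
/* Release the libkrb5-owned principal when the talloc context goes away. */
static int kcm_mod_ctx_destructor(struct kcm_mod_ctx *mod_ctx)
{
    kcm_mod_ctx_clear(mod_ctx);
    return 0;
}

struct kcm_mod_ctx *kcm_mod_ctx_new(TALLOC_CTX *mem_ctx)
{
    /* … unchanged: talloc_zero and NULL check … */
    kcm_mod_ctx_clear(mod_ctx);
    talloc_set_destructor(mod_ctx, kcm_mod_ctx_destructor);
    return mod_ctx;
}

/* … unchanged: kcm_mod_cc argument check and kdc_offset handling … */
    if (mod_ctx->client != NULL) {
        krb5_error_code kret;

        /* Drop the old identity before copying in the new one. */
        krb5_free_principal(NULL, cc->client);
        cc->client = NULL;
        kret = krb5_copy_principal(NULL, mod_ctx->client, &cc->client);
        /* … unchanged: failure logging and ERR_INTERNAL return … */
    }
```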
|
|
|
d6181b |
diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h
|
|
|
d6181b |
index 199b75b16..220220ca9 100644
|
|
|
d6181b |
--- a/src/responder/kcm/kcmsrv_ccache.h
|
|
|
d6181b |
+++ b/src/responder/kcm/kcmsrv_ccache.h
|
|
|
d6181b |
@@ -257,13 +257,14 @@ errno_t kcm_ccdb_create_cc_recv(struct tevent_req *req);
|
|
|
d6181b |
*/
|
|
|
d6181b |
struct kcm_mod_ctx {
|
|
|
d6181b |
int32_t kdc_offset;
|
|
|
d6181b |
+ krb5_principal client;
|
|
|
d6181b |
/* More settable properties (like name, when we support renames
|
|
|
d6181b |
* will be added later
|
|
|
d6181b |
*/
|
|
|
d6181b |
};
|
|
|
d6181b |
|
|
|
d6181b |
-void kcm_mod_ctx_clear(struct kcm_mod_ctx *mod_ctx);
|
|
|
d6181b |
-void kcm_mod_cc(struct kcm_ccache *cc, struct kcm_mod_ctx *mod_ctx);
|
|
|
d6181b |
+struct kcm_mod_ctx *kcm_mod_ctx_new(TALLOC_CTX *mem_ctx);
|
|
|
d6181b |
+errno_t kcm_mod_cc(struct kcm_ccache *cc, struct kcm_mod_ctx *mod_ctx);
|
|
|
d6181b |
|
|
|
d6181b |
struct tevent_req *kcm_ccdb_mod_cc_send(TALLOC_CTX *mem_ctx,
|
|
|
d6181b |
struct tevent_context *ev,
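Review bot: The new `client` member and the `kcm_mod_ctx_new` prototype carry no ownership documentation, and the struct's leading comment ends just above this hunk. Since `kcm_mod_ctx_clear` in kcmsrv_ccache.c releases the field with `krb5_free_principal`, a comment on the member such as `/* When non-NULL, replaces the ccache's client principal; must be allocated with libkrb5, since it is released with krb5_free_principal */` would tell callers what they may store there and who frees it. `kcm_mod_ctx_new` likewise deserves a line stating that it returns a talloc child of `mem_ctx` with every property in its "unset" state (`kdc_offset` INT32_MAX, `client` NULL) so that `kcm_mod_cc` applies only what the caller sets.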
|
|
|
d6181b |
diff --git a/src/responder/kcm/kcmsrv_ccache_mem.c b/src/responder/kcm/kcmsrv_ccache_mem.c
|
|
|
d6181b |
index 35955b2f4..18c3878ad 100644
|
|
|
d6181b |
--- a/src/responder/kcm/kcmsrv_ccache_mem.c
|
|
|
d6181b |
+++ b/src/responder/kcm/kcmsrv_ccache_mem.c
|
|
|
d6181b |
@@ -676,7 +676,13 @@ static struct tevent_req *ccdb_mem_mod_send(TALLOC_CTX *mem_ctx,
|
|
|
d6181b |
goto immediate;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
- kcm_mod_cc(ccwrap->cc, mod_cc);
|
|
|
d6181b |
+ ret = kcm_mod_cc(ccwrap->cc, mod_cc);
|
|
|
d6181b |
+ if (ret != EOK) {
|
|
|
d6181b |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
d6181b |
+ "Cannot modify ccache [%d]: %s\n",
|
|
|
d6181b |
+ ret, sss_strerror(ret));
|
|
|
d6181b |
+ goto immediate;
|
|
|
d6181b |
+ }
|
|
|
d6181b |
|
|
|
d6181b |
ret = EOK;
|
|
|
d6181b |
immediate:
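Review bot: The new error path at `if (ret != EOK)` leaves `ccwrap->cc` partially modified: `kcm_mod_cc` assigns `kdc_offset` before attempting the principal copy, and in this backend `ccwrap->cc` appears to be the live in-memory cache rather than a scratch copy, so a failed `krb5_copy_principal` commits the offset change while reporting failure to the caller. Either perform the fallible principal copy first in `kcm_mod_cc` and assign `kdc_offset` only after it succeeds, or apply the modification to a copy and swap it in on success. The secdb and secrets hunks make the same call, but there `cc` looks like a locally reconstructed object that is discarded on error, so the effect seems confined to this backend. ccdb_mem_mod_send starts and ends outside the hunk.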
|
|
|
d6181b |
diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c
|
|
|
d6181b |
index 26ee1032d..32137a66e 100644
|
|
|
d6181b |
--- a/src/responder/kcm/kcmsrv_ccache_secdb.c
|
|
|
d6181b |
+++ b/src/responder/kcm/kcmsrv_ccache_secdb.c
|
|
|
d6181b |
@@ -1290,7 +1290,13 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx,
|
|
|
d6181b |
goto immediate;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
- kcm_mod_cc(cc, mod_cc);
|
|
|
d6181b |
+ ret = kcm_mod_cc(cc, mod_cc);
|
|
|
d6181b |
+ if (ret != EOK) {
|
|
|
d6181b |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
d6181b |
+ "Cannot modify ccache [%d]: %s\n",
|
|
|
d6181b |
+ ret, sss_strerror(ret));
|
|
|
d6181b |
+ goto immediate;
|
|
|
d6181b |
+ }
|
|
|
d6181b |
|
|
|
d6181b |
ret = kcm_ccache_to_sec_input(state, cc, client, &payload);
|
|
|
d6181b |
if (ret != EOK) {
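Review bot: The failure handling added after `kcm_mod_cc` — the DEBUG with `"Cannot modify ccache [%d]: %s\n"` followed by `goto immediate` — is duplicated verbatim in the mem backend hunk and, with `tevent_req_error` in place of the goto, in the secrets hunk. Since `kcm_mod_cc` already logs the krb5 failure itself, the backends could drop the repeated message and keep only the `goto immediate` / `tevent_req_error(req, ret); return;` lines, or the message could live once in `kcm_mod_cc` so the three call sites cannot drift apart. ccdb_secdb_mod_send starts and ends outside the hunk.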
|
|
|
d6181b |
diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
|
|
|
d6181b |
index 7b019fded..83c16974d 100644
|
|
|
d6181b |
--- a/src/responder/kcm/kcmsrv_ccache_secrets.c
|
|
|
d6181b |
+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
|
|
|
d6181b |
@@ -1846,7 +1846,14 @@ static void ccdb_sec_mod_cred_get_done(struct tevent_req *subreq)
|
|
|
d6181b |
return;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
- kcm_mod_cc(cc, state->mod_cc);
|
|
|
d6181b |
+ ret = kcm_mod_cc(cc, state->mod_cc);
|
|
|
d6181b |
+ if (ret != EOK) {
|
|
|
d6181b |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
d6181b |
+ "Cannot modify ccache [%d]: %s\n",
|
|
|
d6181b |
+ ret, sss_strerror(ret));
|
|
|
d6181b |
+ tevent_req_error(req, ret);
|
|
|
d6181b |
+ return;
|
|
|
d6181b |
+ }
|
|
|
d6181b |
|
|
|
d6181b |
ret = kcm_ccache_to_sec_kv(state, cc, state->client, &url, &payload);
|
|
|
d6181b |
if (ret != EOK) {
|
|
|
d6181b |
diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
|
|
|
d6181b |
index d8a7b03c5..8bd63165b 100644
|
|
|
d6181b |
--- a/src/responder/kcm/kcmsrv_ops.c
|
|
|
d6181b |
+++ b/src/responder/kcm/kcmsrv_ops.c
|
|
|
d6181b |
@@ -1990,13 +1990,11 @@ static void kcm_op_set_kdc_offset_getbyname_done(struct tevent_req *subreq)
|
|
|
d6181b |
return;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
- mod_ctx = talloc(state, struct kcm_mod_ctx);
|
|
|
d6181b |
+ mod_ctx = kcm_mod_ctx_new(state);
|
|
|
d6181b |
if (mod_ctx == NULL) {
|
|
|
d6181b |
tevent_req_error(req, ENOMEM);
|
|
|
d6181b |
return;
|
|
|
d6181b |
}
|
|
|
d6181b |
-
|
|
|
d6181b |
- kcm_mod_ctx_clear(mod_ctx);
|
|
|
d6181b |
mod_ctx->kdc_offset = be32toh(offset_be);
|
|
|
d6181b |
|
|
|
d6181b |
subreq = kcm_ccdb_mod_cc_send(state,
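Review bot: `kcm_mod_ctx_new` initialises `kdc_offset` to `INT32_MAX` as the "unset" marker, and the context line `mod_ctx->kdc_offset = be32toh(offset_be);` then stores a client-supplied value into the same field, so an offset of exactly INT32_MAX on the wire is silently ignored by `kcm_mod_cc`'s `!= INT32_MAX` check instead of being applied or rejected. This predates the commit, but the constructor now makes the sentinel the contract; rejecting that value up front — `if (mod_ctx->kdc_offset == INT32_MAX) { tevent_req_error(req, EINVAL); return; }` — or carrying a separate "set" flag in `struct kcm_mod_ctx` would close the gap. kcm_op_set_kdc_offset_getbyname_done starts and ends outside the hunk.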
--
2.20.1