Blame SOURCES/0003-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch

From 0c09070e8beec734e3f0c70e14b0a04788077b73 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:25:52 +0200
Subject: [PATCH 3/4] adenroll: add adcli_enroll_get_permitted_keytab_enctypes
 with tests
The new call not only returns the current encryption types set in AD
or a default list but filters them with the list of permitted encryption
types on the client. This makes sure the client can create and use the
keys.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
 library/Makefile.am |   5 ++
 library/adenroll.c  | 124 ++++++++++++++++++++++++++++++++++++++++++++
 library/adenroll.h  |   2 +
 3 files changed, 131 insertions(+)
diff --git a/library/Makefile.am b/library/Makefile.am
48b328
index 39e8fd1..4829555 100644
48b328
--- a/library/Makefile.am
48b328
+++ b/library/Makefile.am
48b328
@@ -40,6 +40,7 @@ check_PROGRAMS = \
48b328
 	test-util \
48b328
 	test-ldap \
48b328
 	test-attrs \
48b328
+	test-adenroll \
48b328
 	$(NULL)
48b328
 
48b328
 test_seq_SOURCES = seq.c test.c test.h
48b328
@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES)
48b328
 test_attrs_CFLAGS = -DATTRS_TESTS
48b328
 test_attrs_LDADD = $(test_ldap_LDADD)
48b328
 
48b328
+test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES)
48b328
+test_adenroll_CFLAGS = -DADENROLL_TESTS
48b328
+test_adenroll_LDADD = $(KRB5_LIBS)
48b328
+
48b328
 TESTS = $(check_PROGRAMS)
48b328
 
48b328
 MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes
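Review bot: `test_adenroll_LDADD = $(KRB5_LIBS)` links only the Kerberos libraries, although `test_adenroll_SOURCES` pulls in `$(test_ldap_SOURCES)` exactly as `test_attrs_SOURCES` does, and test_attrs links `$(test_ldap_LDADD)` for that. If adenroll.c references LDAP symbols (the file is not in this hunk, so this is inferred), the consistent line would be `test_adenroll_LDADD = $(test_ldap_LDADD) $(KRB5_LIBS)`. If the build already passes as written, a one-line comment saying why KRB5_LIBS alone suffices here would save the next reader the same question.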
48b328
diff --git a/library/adenroll.c b/library/adenroll.c
48b328
index f617f28..95c07cd 100644
48b328
--- a/library/adenroll.c
48b328
+++ b/library/adenroll.c
48b328
@@ -2641,6 +2641,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
48b328
 		return v51_earlier_enctypes;
48b328
 }
48b328
 
48b328
+krb5_enctype *
48b328
+adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
48b328
+{
48b328
+	krb5_enctype *cur_enctypes;
48b328
+	krb5_enctype *permitted_enctypes;
48b328
+	krb5_enctype *new_enctypes;
48b328
+	krb5_error_code code;
48b328
+	krb5_context k5;
48b328
+	size_t c;
48b328
+	size_t p;
48b328
+	size_t n;
48b328
+
48b328
+	return_val_if_fail (enroll != NULL, NULL);
48b328
+	cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll);
48b328
+
48b328
+	k5 = adcli_conn_get_krb5_context (enroll->conn);
48b328
+	return_val_if_fail (k5 != NULL, NULL);
48b328
+
48b328
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
48b328
+	return_val_if_fail (code == 0, NULL);
48b328
+
48b328
+	for (c = 0; cur_enctypes[c] != 0; c++);
48b328
+
48b328
+	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
48b328
+	return_val_if_fail (new_enctypes != NULL, NULL);
48b328
+
48b328
+	n = 0;
48b328
+	for (c = 0; cur_enctypes[c] != 0; c++) {
48b328
+		for (p = 0; permitted_enctypes[p] != 0; p++) {
48b328
+			if (cur_enctypes[c] == permitted_enctypes[p]) {
48b328
+				new_enctypes[n++] = cur_enctypes[c];
48b328
+				break;
48b328
+			}
48b328
+		}
48b328
+		if (permitted_enctypes[p] == 0) {
48b328
+			_adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]);
48b328
+		}
48b328
+	}
48b328
+
48b328
+	krb5_free_enctypes (k5, permitted_enctypes);
48b328
+
48b328
+	return new_enctypes;
48b328
+}
48b328
+
48b328
 void
48b328
 adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
48b328
                                   krb5_enctype *value)
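Review bot: The `return_val_if_fail (new_enctypes != NULL, NULL)` after the calloc leaks `permitted_enctypes`, which was obtained from krb5_get_permitted_enctypes a few lines earlier and is only released at the end of the function; on that path free it first, e.g. `if (new_enctypes == NULL) { krb5_free_enctypes (k5, permitted_enctypes); return NULL; }`. The returned list is a plain calloc'd array while the test in the next hunk releases it with krb5_free_enctypes; whether the two allocators are interchangeable is a krb5 implementation detail, so the contract should be written down — a comment next to the new declaration in library/adenroll.h (last hunk) should state that the caller owns the returned zero-terminated array, which free function to use, and that it may hold only the terminator when none of the configured types is permitted. The counting loop `for (c = 0; cur_enctypes[c] != 0; c++);` ends in a bare semicolon that reads like a typo; give it an explicit `{ }` or a `/* count entries */` comment. The function body is complete in this hunk.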
48b328
@@ -2833,3 +2877,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
48b328
 							    strdup (value), NULL);
48b328
 	return_if_fail (enroll->service_principals_to_remove != NULL);
48b328
 }
48b328
+
48b328
+#ifdef ADENROLL_TESTS
48b328
+
48b328
+#include "test.h"
48b328
+
48b328
+static void
48b328
+test_adcli_enroll_get_permitted_keytab_enctypes (void)
48b328
+{
48b328
+	krb5_enctype *enctypes;
48b328
+	krb5_error_code code;
48b328
+	krb5_enctype *permitted_enctypes;
48b328
+	krb5_enctype check_enctypes[3] = { 0 };
48b328
+	adcli_conn *conn;
48b328
+	adcli_enroll *enroll;
48b328
+	adcli_result res;
48b328
+	krb5_context k5;
48b328
+	size_t c;
48b328
+
48b328
+	conn = adcli_conn_new ("test.dom");
48b328
+	assert_ptr_not_null (conn);
48b328
+
48b328
+	enroll = adcli_enroll_new (conn);
48b328
+	assert_ptr_not_null (enroll);
48b328
+
48b328
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL);
48b328
+	assert_ptr_eq (enctypes, NULL);
48b328
+
48b328
+	/* krb5 context missing */
48b328
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
48b328
+	assert_ptr_eq (enctypes, NULL);
48b328
+
48b328
+	/* check that all permitted enctypes can pass */
48b328
+	res = _adcli_krb5_init_context (&k5;;
48b328
+	assert_num_eq (res, ADCLI_SUCCESS);
48b328
+
48b328
+	adcli_conn_set_krb5_context (conn, k5);
48b328
+
48b328
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
48b328
+	assert_num_eq (code, 0);
48b328
+	assert_ptr_not_null (permitted_enctypes);
48b328
+	assert_num_cmp (permitted_enctypes[0], !=, 0);
48b328
+
48b328
+	adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes);
48b328
+
48b328
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
48b328
+	assert_ptr_not_null (enctypes);
48b328
+	for (c = 0; permitted_enctypes[c] != 0; c++) {
48b328
+		assert_num_eq (enctypes[c], permitted_enctypes[c]);
48b328
+	}
48b328
+	assert_num_eq (enctypes[c], 0);
48b328
+	krb5_free_enctypes (k5, enctypes);
48b328
+
48b328
+	/* check that ENCTYPE_UNKNOWN is filtered out */
48b328
+	check_enctypes[0] = permitted_enctypes[0];
48b328
+	check_enctypes[1] = ENCTYPE_UNKNOWN;
48b328
+	check_enctypes[2] = 0;
48b328
+	adcli_enroll_set_keytab_enctypes (enroll, check_enctypes);
48b328
+
48b328
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
48b328
+	assert_ptr_not_null (enctypes);
48b328
+	assert_num_eq (enctypes[0], permitted_enctypes[0]);
48b328
+	assert_num_eq (enctypes[1], 0);
48b328
+	krb5_free_enctypes (k5, enctypes);
48b328
+
48b328
+	krb5_free_enctypes (k5, permitted_enctypes);
48b328
+
48b328
+	adcli_enroll_unref (enroll);
48b328
+	adcli_conn_unref (conn);
48b328
+}
48b328
+
48b328
+int
48b328
+main (int argc,
48b328
+      char *argv[])
48b328
+{
48b328
+	test_func (test_adcli_enroll_get_permitted_keytab_enctypes,
48b328
+	           "/attrs/adcli_enroll_get_permitted_keytab_enctypes");
48b328
+	return test_run (argc, argv);
48b328
+}
48b328
+
48b328
+#endif /* ADENROLL_TESTS */
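Review bot: The test is registered under `"/attrs/adcli_enroll_get_permitted_keytab_enctypes"` although it lives in test-adenroll, which looks copied from test-attrs; `"/adenroll/adcli_enroll_get_permitted_keytab_enctypes"` keeps the test output attributable to the right binary. `check_enctypes` is a stack array handed to adcli_enroll_set_keytab_enctypes and left in place until adcli_enroll_unref; whether the setter copies the list or keeps the pointer is not visible here, so if it keeps it, a comment on that call should note the array must outlive the enroll object (which it does in this function). As rendered, `_adcli_krb5_init_context (&k5;;` is not valid C and is presumably a display artifact of `&k5);`, worth confirming against the actual patch file.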
48b328
diff --git a/library/adenroll.h b/library/adenroll.h
48b328
index abbbfd4..1d5d00d 100644
48b328
--- a/library/adenroll.h
48b328
+++ b/library/adenroll.h
48b328
@@ -138,6 +138,8 @@ krb5_enctype *     adcli_enroll_get_keytab_enctypes     (adcli_enroll *enroll);
48b328
 void               adcli_enroll_set_keytab_enctypes     (adcli_enroll *enroll,
48b328
                                                          krb5_enctype *enctypes);
48b328
 
48b328
+krb5_enctype *     adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll);
48b328
+
48b328
 const char *       adcli_enroll_get_os_name             (adcli_enroll *enroll);
48b328
 
48b328
 void               adcli_enroll_set_os_name             (adcli_enroll *enroll,
48b328
-- 
2.21.0