From 5e052107dcb70630c1cccee191ae5317a43ec2cf Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sun, 4 Jun 2017 22:49:13 +0300
Subject: [PATCH] ipa-kdb: add pkinit authentication indicator in case of a
 successful certauth
We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS succeeded. Do the same for
certauth-based pre-authentication (PKINIT).
A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code not in the
kdc.conf, this change is following an established trend.
SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future but for now a single
'pkinit' indicator is enough.
Fixes https://pagure.io/freeipa/issue/6736
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_certauth.c | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index dbe7a0443700784d2b8dbb1fb9196d6249e5522a..da9a9cb87feca68ee591da70a3239dc86749bae5 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -267,6 +267,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
     int ret;
     size_t c;
     char *principal = NULL;
+    char **auth_inds = NULL;
     LDAPMessage *res = NULL;
     krb5_error_code kerr;
     LDAPMessage *lentry;
@@ -350,6 +351,20 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
         goto done;
     }
 
+    /* Associate authentication indicator "pkinit" with the successful match.
+     * SSSD interface doesn't give us a clue which rule did match
+     * so there is nothing more to add here. */
+    auth_inds = calloc(2, sizeof(char *));
+    if (auth_inds != NULL) {
+	ret = asprintf(&auth_inds[0], "pkinit");
+	if (ret != -1) {
+            auth_inds[1] = NULL;
+            *authinds_out = auth_inds;
+	} else {
+	    free(auth_inds);
+        }
+    }
+
     /* TODO: add more tests ? */
 
     ret = 0;
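Review bot: A failed `calloc` or `asprintf` in the new block is silently swallowed — `*authinds_out` stays NULL and the function still falls through to `ret = 0;`, so the certificate is accepted without the 'pkinit' indicator that indicator-gated policy elsewhere may depend on; both failure branches should instead set `kerr = ENOMEM; goto done;` so the outcome is deterministic rather than allocation-dependent (the `done:` label and the return path are outside the hunk, so I am assuming `kerr` is the value returned, as the `krb5_error_code kerr;` local suggests). With a constant string, `auth_inds[0] = strdup("pkinit");` is simpler than `asprintf` with a literal format and avoids reusing `ret` for an asprintf byte count before it is reset to 0. The lines `ret = asprintf(...)`, `if (ret != -1) {`, `} else {` and `free(auth_inds);` are indented with tabs while the surrounding file uses four spaces. `ipa_certauth_authorize` begins before this hunk and ends after it.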
@@ -384,6 +399,24 @@ static void ipa_certauth_fini(krb5_context context,
     return;
 }
 
+static void ipa_certauth_free_indicator(krb5_context context,
+                                        krb5_certauth_moddata moddata,
+                                        char **authinds)
+{
+    size_t i = 0;
+
+    if ((authinds == NULL) || (moddata == NULL)) {
+	return;
+    }
+
+    for(i=0; authinds[i]; i++) {
+	free(authinds[i]);
+	authinds[i] = NULL;
+    }
+
+    free(authinds);
+}
+
 
 krb5_error_code certauth_ipakdb_initvt(krb5_context context,
                                           int maj_ver, int min_ver,
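Review bot: The `moddata == NULL` half of the guard at the top of `ipa_certauth_free_indicator` turns the free callback into a no-op and leaks the array allocated in `ipa_certauth_authorize`, yet nothing in the body reads `moddata`; the guard should be just `if (authinds == NULL) { return; }`. Whether the KDC can ever invoke `free_ind` with a NULL moddata is not visible in this hunk, but an unused parameter should not gate deallocation of memory this module handed out. The loop header `for(i=0; authinds[i]; i++)` lacks the spacing the rest of the file uses, and the `return;` and `free(authinds[i]);` lines are tab-indented where the file uses four spaces.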
@@ -401,7 +434,6 @@ krb5_error_code certauth_ipakdb_initvt(krb5_context context,
     vt->authorize = ipa_certauth_authorize;
     vt->init = ipa_certauth_init;
     vt->fini = ipa_certauth_fini;
-    /* currently we do not return authentication indicators */
-    vt->free_ind = NULL;
+    vt->free_ind = ipa_certauth_free_indicator;
     return 0;
 }
-- 
2.9.4