Blob Blame History Raw
From a1f38973435b60c7f147abfca12b95c6a0a64406 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 17 Jun 2020 20:48:38 -0400
Subject: [PATCH] Add three kvno options from Heimdal kgetcred

Add the flags --cached-only and --no-store, which pass the
corresponding options to krb5_get_credentials().  Add the option
--out-cache to write the retrieved credentials to a specified output
cache.

Add a Python test script for kvno command-line options, including
tests for the new options.

ticket: 8917 (new)
---
 doc/user/user_commands/kvno.rst |  13 ++++
 src/clients/kvno/Makefile.in    |   3 +
 src/clients/kvno/kvno.c         | 115 +++++++++++++++++++++++---------
 src/clients/kvno/t_kvno.py      |  75 +++++++++++++++++++++
 src/man/kvno.man                |  13 ++++
 5 files changed, 187 insertions(+), 32 deletions(-)
 create mode 100644 src/clients/kvno/t_kvno.py

diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst
index 3892f0ca5..718313576 100644
--- a/doc/user/user_commands/kvno.rst
+++ b/doc/user/user_commands/kvno.rst
@@ -74,6 +74,19 @@ OPTIONS
     client principal with the X.509 certificate in *cert_file*.  The
     certificate file must be in PEM format.
 
+**--cached-only**
+    Only retrieve credentials already present in the cache, not from
+    the KDC.
+
+**--no-store**
+    Do not store retrieved credentials in the cache.  If
+    **--out-cache** is also specified, credentials will still be
+    stored into the output credential cache.
+
+**--out-cache** *ccache*
+    Initialize *ccache* and store all retrieved credentials into it.
+    Do not store acquired credentials in the input cache.
+
 **--u2u** *ccache*
     Requests a user-to-user ticket.  *ccache* must contain a local
     krbtgt ticket for the server principal.  The reported version
diff --git a/src/clients/kvno/Makefile.in b/src/clients/kvno/Makefile.in
index 1c3f79392..5ba877271 100644
--- a/src/clients/kvno/Makefile.in
+++ b/src/clients/kvno/Makefile.in
@@ -26,6 +26,9 @@ kvno: kvno.o $(KRB5_BASE_DEPLIBS)
 ##WIN32##	link $(EXE_LINKOPTS) /out:$@ $**
 ##WIN32##	$(_VC_MANIFEST_EMBED_EXE)
 
+check-pytests: kvno
+	$(RUNPYTEST) $(srcdir)/t_kvno.py $(PYTESTFLAGS)
+
 clean-unix::
 	$(RM) kvno.o kvno
 
diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c
index 2472c0cfe..9d85864f6 100644
--- a/src/clients/kvno/kvno.c
+++ b/src/clients/kvno/kvno.c
@@ -44,14 +44,17 @@ xusage()
     fprintf(stderr, _("usage: %s [-C] [-u] [-c ccache] [-e etype]\n"), prog);
     fprintf(stderr, _("\t[-k keytab] [-S sname] [{-I | -U} for_user | "
                       "[-F cert_file] [-P]]\n"));
-    fprintf(stderr, _("\t[--u2u ccache] service1 service2 ...\n"));
+    fprintf(stderr, _("\t[--cached-only] [--no-store] [--out-cache ccache] "
+                      "[--u2u ccache]\n"));
+    fprintf(stderr, _("\tservice1 service2 ...\n"));
     exit(1);
 }
 
 static void do_v5_kvno(int argc, char *argv[], char *ccachestr, char *etypestr,
-                       char *keytab_name, char *sname, int canon, int unknown,
-                       char *for_user, int for_user_enterprise,
-                       char *for_user_cert_file, int proxy,
+                       char *keytab_name, char *sname, int cached_only,
+                       int canon, int no_store, int unknown, char *for_user,
+                       int for_user_enterprise, char *for_user_cert_file,
+                       int proxy, const char *out_ccname,
                        const char *u2u_ccname);
 
 #include <com_err.h>
@@ -61,18 +64,21 @@ static void extended_com_err_fn(const char *myprog, errcode_t code,
 int
 main(int argc, char *argv[])
 {
-    enum { OPTION_U2U = 256 };
-    struct option lopts[] = {
-        { "u2u", 1, NULL, OPTION_U2U },
-        { NULL, 0, NULL, 0 }
-    };
+    enum { OPTION_U2U = 256, OPTION_OUT_CACHE = 257 };
     const char *shopts = "uCc:e:hk:qPS:I:U:F:";
     int option;
     char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL;
     char *sname = NULL, *for_user = NULL, *u2u_ccname = NULL;
-    char *for_user_cert_file = NULL;
+    char *for_user_cert_file = NULL, *out_ccname = NULL;
     int canon = 0, unknown = 0, proxy = 0, for_user_enterprise = 0;
-    int impersonate = 0;
+    int impersonate = 0, cached_only = 0, no_store = 0;
+    struct option lopts[] = {
+        { "cached-only", 0, &cached_only, 1 },
+        { "no-store", 0, &no_store, 1 },
+        { "out-cache", 1, NULL, OPTION_OUT_CACHE },
+        { "u2u", 1, NULL, OPTION_U2U },
+        { NULL, 0, NULL, 0 }
+    };
 
     setlocale(LC_ALL, "");
     set_com_err_hook(extended_com_err_fn);
@@ -135,6 +141,12 @@ main(int argc, char *argv[])
         case OPTION_U2U:
             u2u_ccname = optarg;
             break;
+        case OPTION_OUT_CACHE:
+            out_ccname = optarg;
+            break;
+        case 0:
+            /* If this option set a flag, do nothing else now. */
+            break;
         default:
             xusage();
             break;
@@ -159,8 +171,9 @@ main(int argc, char *argv[])
         xusage();
 
     do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr, keytab_name,
-               sname, canon, unknown, for_user, for_user_enterprise,
-               for_user_cert_file, proxy, u2u_ccname);
+               sname, cached_only, canon, no_store, unknown, for_user,
+               for_user_enterprise, for_user_cert_file, proxy, out_ccname,
+               u2u_ccname);
     return 0;
 }
 
@@ -274,14 +287,16 @@ static krb5_error_code
 kvno(const char *name, krb5_ccache ccache, krb5_principal me,
      krb5_enctype etype, krb5_keytab keytab, const char *sname,
      krb5_flags options, int unknown, krb5_principal for_user_princ,
-     krb5_data *for_user_cert, int proxy, krb5_data *u2u_ticket)
+     krb5_data *for_user_cert, int proxy, krb5_data *u2u_ticket,
+     krb5_creds **creds_out)
 {
     krb5_error_code ret;
     krb5_principal server = NULL;
     krb5_ticket *ticket = NULL;
-    krb5_creds in_creds, *out_creds = NULL;
+    krb5_creds in_creds, *creds = NULL;
     char *princ = NULL;
 
+    *creds_out = NULL;
     memset(&in_creds, 0, sizeof(in_creds));
 
     if (sname != NULL) {
@@ -321,13 +336,12 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
         in_creds.client = for_user_princ;
         in_creds.server = me;
         ret = krb5_get_credentials_for_user(context, options, ccache,
-                                            &in_creds, for_user_cert,
-                                            &out_creds);
+                                            &in_creds, for_user_cert, &creds);
     } else {
         in_creds.client = me;
         in_creds.server = server;
         ret = krb5_get_credentials(context, options, ccache, &in_creds,
-                                   &out_creds);
+                                   &creds);
     }
 
     if (ret) {
@@ -336,7 +350,7 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
     }
 
     /* We need a native ticket. */
-    ret = krb5_decode_ticket(&out_creds->ticket, &ticket);
+    ret = krb5_decode_ticket(&creds->ticket, &ticket);
     if (ret) {
         com_err(prog, ret, _("while decoding ticket for %s"), princ);
         goto cleanup;
@@ -362,15 +376,15 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
     }
 
     if (proxy) {
-        in_creds.client = out_creds->client;
-        out_creds->client = NULL;
-        krb5_free_creds(context, out_creds);
-        out_creds = NULL;
+        in_creds.client = creds->client;
+        creds->client = NULL;
+        krb5_free_creds(context, creds);
+        creds = NULL;
         in_creds.server = server;
 
         ret = krb5_get_credentials_for_proxy(context, KRB5_GC_CANONICALIZE,
                                              ccache, &in_creds, ticket,
-                                             &out_creds);
+                                             &creds);
         krb5_free_principal(context, in_creds.client);
         if (ret) {
             com_err(prog, ret, _("%s: constrained delegation failed"),
@@ -379,10 +393,13 @@ kvno(const char *name, krb5_ccache ccache, krb5_principal me,
         }
     }
 
+    *creds_out = creds;
+    creds = NULL;
+
 cleanup:
     krb5_free_principal(context, server);
     krb5_free_ticket(context, ticket);
-    krb5_free_creds(context, out_creds);
+    krb5_free_creds(context, creds);
     krb5_free_unparsed_name(context, princ);
     return ret;
 }
@@ -428,19 +445,28 @@ cleanup:
 
 static void
 do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr,
-           char *keytab_name, char *sname, int canon, int unknown,
-           char *for_user, int for_user_enterprise,
-           char *for_user_cert_file, int proxy, const char *u2u_ccname)
+           char *keytab_name, char *sname, int cached_only, int canon,
+           int no_store, int unknown, char *for_user, int for_user_enterprise,
+           char *for_user_cert_file, int proxy, const char *out_ccname,
+           const char *u2u_ccname)
 {
     krb5_error_code ret;
-    int i, errors, flags;
+    int i, errors, flags, initialized = 0;
     krb5_enctype etype;
-    krb5_ccache ccache;
+    krb5_ccache ccache, out_ccache = NULL;
     krb5_principal me;
     krb5_keytab keytab = NULL;
     krb5_principal for_user_princ = NULL;
-    krb5_flags options = canon ? KRB5_GC_CANONICALIZE : 0;
+    krb5_flags options = 0;
     krb5_data cert_data = empty_data(), *user_cert = NULL, *u2u_ticket = NULL;
+    krb5_creds *creds;
+
+    if (canon)
+        options |= KRB5_GC_CANONICALIZE;
+    if (cached_only)
+        options |= KRB5_GC_CACHED;
+    if (no_store || out_ccname != NULL)
+        options |= KRB5_GC_NO_STORE;
 
     ret = krb5_init_context(&context);
     if (ret) {
@@ -467,6 +493,14 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr,
         exit(1);
     }
 
+    if (out_ccname != NULL) {
+        ret = krb5_cc_resolve(context, out_ccname, &out_ccache);
+        if (ret) {
+            com_err(prog, ret, _("while resolving output ccache"));
+            exit(1);
+        }
+    }
+
     if (keytab_name != NULL) {
         ret = krb5_kt_resolve(context, keytab_name, &keytab);
         if (ret) {
@@ -513,8 +547,25 @@ do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr,
     errors = 0;
     for (i = 0; i < count; i++) {
         if (kvno(names[i], ccache, me, etype, keytab, sname, options, unknown,
-                 for_user_princ, user_cert, proxy, u2u_ticket) != 0)
+                 for_user_princ, user_cert, proxy, u2u_ticket, &creds) != 0) {
             errors++;
+        } else if (out_ccache != NULL) {
+            if (!initialized) {
+                ret = krb5_cc_initialize(context, out_ccache, creds->client);
+                if (ret) {
+                    com_err(prog, ret, _("while initializing output ccache"));
+                    exit(1);
+                }
+                initialized = 1;
+            }
+            ret = krb5_cc_store_cred(context, out_ccache, creds);
+            if (ret) {
+                com_err(prog, ret, _("while storing creds in output ccache"));
+                exit(1);
+            }
+        }
+
+        krb5_free_creds(context, creds);
     }
 
     if (keytab != NULL)
diff --git a/src/clients/kvno/t_kvno.py b/src/clients/kvno/t_kvno.py
new file mode 100644
index 000000000..e98b90e8a
--- /dev/null
+++ b/src/clients/kvno/t_kvno.py
@@ -0,0 +1,75 @@
+from k5test import *
+
+realm = K5Realm()
+
+def check_cache(ccache, expected_services):
+    # Fetch the klist output and skip past the header.
+    lines = realm.run([klist, '-c', ccache]).splitlines()
+    lines = lines[4:]
+
+    # For each line not beginning with an indent, match against the
+    # expected service principals.
+    svcs = {x: True for x in expected_services}
+    for l in lines:
+        if not l.startswith('\t'):
+            svcprinc = l.split()[4]
+            if svcprinc in svcs:
+                del svcs[svcprinc]
+            else:
+                fail('unexpected service princ ' + svcprinc)
+
+    if svcs:
+        fail('services not found in klist output: ' + ' '.join(svcs.keys()))
+
+
+mark('no options')
+realm.run([kvno, realm.user_princ], expected_msg='user@KRBTEST.COM: kvno = 1')
+check_cache(realm.ccache, [realm.krbtgt_princ, realm.user_princ])
+
+mark('-e')
+msgs = ('etypes requested in TGS request: camellia128-cts',
+        '/KDC has no support for encryption type')
+realm.run([kvno, '-e', 'camellia128-cts', realm.host_princ],
+          expected_code=1, expected_trace=msgs)
+
+mark('--cached-only')
+realm.run([kvno, '--cached-only', realm.user_princ], expected_msg='kvno = 1')
+realm.run([kvno, '--cached-only', realm.host_princ],
+          expected_code=1, expected_msg='Matching credential not found')
+check_cache(realm.ccache, [realm.krbtgt_princ, realm.user_princ])
+
+mark('--no-store')
+realm.run([kvno, '--no-store', realm.host_princ], expected_msg='kvno = 1')
+check_cache(realm.ccache, [realm.krbtgt_princ, realm.user_princ])
+
+mark('--out-cache') # and multiple services
+out_ccache = os.path.join(realm.testdir, 'ccache.out')
+realm.run([kvno, '--out-cache', out_ccache,
+           realm.host_princ, realm.admin_princ])
+check_cache(realm.ccache, [realm.krbtgt_princ, realm.user_princ])
+check_cache(out_ccache, [realm.host_princ, realm.admin_princ])
+
+mark('--out-cache --cached-only') # tests out-cache overwriting, and -q
+realm.run([kvno, '--out-cache', out_ccache, '--cached-only', realm.host_princ],
+          expected_code=1, expected_msg='Matching credential not found')
+out = realm.run([kvno, '-q', '--out-cache', out_ccache, '--cached-only',
+                 realm.user_princ])
+if out:
+    fail('unexpected kvno output with -q')
+check_cache(out_ccache, [realm.user_princ])
+
+mark('-U') # and -c
+svc_ccache = os.path.join(realm.testdir, 'ccache.svc')
+realm.run([kinit, '-k', '-c', svc_ccache, realm.host_princ])
+realm.run([kvno, '-c', svc_ccache, '-U', 'user', realm.host_princ])
+realm.run([klist, '-c', svc_ccache], expected_msg='for client user@')
+realm.run([kvno, '-c', svc_ccache, '-U', 'user', '--out-cache', out_ccache,
+           realm.host_princ])
+out = realm.run([klist, '-c', out_ccache])
+if ('Default principal: user@KRBTEST.COM' not in out):
+    fail('wrong default principal in klist output')
+
+# More S4U options are tested in tests/gssapi/t_s4u.py.
+# --u2u is tested in tests/t_u2u.py.
+
+success('kvno tests')
diff --git a/src/man/kvno.man b/src/man/kvno.man
index 005a2ec97..b9f6739eb 100644
--- a/src/man/kvno.man
+++ b/src/man/kvno.man
@@ -95,6 +95,19 @@ Specifies that protocol transition is to be used, identifying the
 client principal with the X.509 certificate in \fIcert_file\fP\&.  The
 certificate file must be in PEM format.
 .TP
+\fB\-\-cached\-only\fP
+Only retrieve credentials already present in the cache, not from
+the KDC.
+.TP
+\fB\-\-no\-store\fP
+Do not store retrieved credentials in the cache.  If
+\fB\-\-out\-cache\fP is also specified, credentials will still be
+stored into the output credential cache.
+.TP
+\fB\-\-out\-cache\fP \fIccache\fP
+Initialize \fIccache\fP and store all retrieved credentials into it.
+Do not store acquired credentials in the input cache.
+.TP
 \fB\-\-u2u\fP \fIccache\fP
 Requests a user\-to\-user ticket.  \fIccache\fP must contain a local
 krbtgt ticket for the server principal.  The reported version