krb5_utils.c revision 26ce47cc3e2003c30bae8206c3085f0814c9a842
/*
SSSD
Kerberos 5 Backend Module -- Utilities
Authors:
Sumit Bose <sbose@redhat.com>
Copyright (C) 2009 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <string.h>
#include <stdlib.h>
#include <libgen.h>
#include "providers/krb5/krb5_utils.h"
#include "providers/krb5/krb5_auth.h"
#include "src/util/find_uid.h"
{
int ret;
return EINVAL;
}
goto done;
}
goto done;
}
}
return ret;
}
done:
return ENOMEM;
}
}
return ret;
}
struct sss_domain_info *domain,
const char *user,
const char *upn)
{
int ret;
int sret;
struct sysdb_attrs *new_attrs;
struct ldb_result *res;
bool in_transaction = false;
const char *cached_upn;
const char *cached_canonical_upn;
return EINVAL;
}
return ENOMEM;
}
goto done;
}
goto done;
}
"nothing to do.\n");
goto done;
}
NULL);
if (cached_canonical_upn != NULL
"nothing to do.\n");
goto done;
}
"for user [%s].\n",
cached_canonical_upn == NULL ?
"empty" : cached_canonical_upn,
goto done;
}
goto done;
}
goto done;
}
in_transaction = true;
goto done;
}
goto done;
}
in_transaction = false;
done:
if (in_transaction) {
}
}
return ret;
}
#define S_EXP_UID "{uid}"
#define S_EXP_USERID "{USERID}"
#define S_EXP_EUID "{euid}"
#define S_EXP_USERNAME "{username}"
bool case_sensitive)
{
char *copy;
char *p;
char *n;
char *dummy;
char *name;
const char *cache_dir_tmpl;
char action;
bool rerun;
return NULL;
}
goto done;
}
goto done;
}
p = copy;
*n = '\0';
n++;
if ( *n == '\0' ) {
"format error, single %% at the end of the template.\n");
goto done;
}
rerun = true;
action = *n;
while (rerun) {
rerun = false;
switch (action) {
case 'u':
"Cannot expand user name template "
"because user name is empty.\n");
goto done;
}
if (!name) {
"sss_get_cased_name failed\n");
goto done;
}
name);
break;
case 'U':
"because uid is invalid.\n");
goto done;
}
break;
case 'p':
"Cannot expand user principal name template "
"because upn is empty.\n");
goto done;
}
break;
case '%':
break;
case 'r':
goto done;
}
break;
case 'h':
"Cannot expand home directory template "
"because the path is not available.\n");
goto done;
}
break;
case 'd':
if (file_mode) {
if (cache_dir_tmpl == NULL) {
"Missing credential cache directory.\n");
goto done;
}
false, case_sensitive);
"Expanding credential cache directory "
"template failed.\n");
goto done;
}
} else {
"'%%d' is not allowed in this template.\n");
goto done;
}
break;
case 'P':
if (!file_mode) {
"'%%P' is not allowed in this template.\n");
goto done;
}
"because PID is not available.\n");
goto done;
}
break;
/* Additional syntax from krb5.conf default_ccache_name */
case '{':
action = 'U';
n += L_EXP_UID - 1;
rerun = true;
continue;
action = 'U';
n += L_EXP_USERID - 1;
rerun = true;
continue;
/* SSSD does not distinguish betwen uid and euid,
* so we treat both the same way */
action = 'U';
n += L_EXP_EUID - 1;
rerun = true;
continue;
action = 'u';
n += L_EXP_USERNAME - 1;
rerun = true;
continue;
} else {
/* ignore any expansion variable we do not understand and
* let libkrb5 hndle it or fail */
name = n;
if (!n) {
"Invalid substitution sequence in cache "
"template. Missing closing '}' in [%s].\n",
template);
goto done;
}
}
break;
default:
"format error, unknown template [%%%c].\n", *n);
goto done;
}
}
goto done;
}
p = n + 1;
}
goto done;
}
done:
return res;
}
{
"Private directory can only be created below a directory "
return EINVAL;
}
"Parent directory does not have the search bit set for "
"the owner.\n");
return EINVAL;
}
} else {
"Parent directory does not have the search bit set for "
"others.\n");
return EINVAL;
}
}
return EOK;
}
struct string_list {
struct string_list *next;
struct string_list *prev;
char *s;
};
const char *ccdirname,
struct stat *parent_stat,
struct string_list **missing_parents)
{
char *end;
struct string_list *li;
"[%s] is not a directory.\n", ccdirname);
return EINVAL;
}
return EOK;
} else {
return ret;
}
}
"talloc_zero failed.\n");
return ENOMEM;
}
"talloc_strdup failed.\n");
return ENOMEM;
}
"talloc_strdup failed.\n");
return ENOMEM;
}
/* We'll remove all trailing slashes from the back so that
do {
"Cannot find parent directory of [%s], / is not allowed.\n",
goto done;
}
*end = '\0';
done:
return ret;
}
static errno_t
{
0, 0, NULL, 0);
if (ret == 0) {
"Illegal pattern in ccache directory name [%s].\n", filename);
return EINVAL;
} else if (ret == PCRE_ERROR_NOMATCH) {
"Ccache directory name [%s] does not contain "
"illegal patterns.\n", filename);
return EOK;
}
return EFAULT;
}
{
struct stat parent_stat;
"talloc_new failed.\n");
return ENOMEM;
}
if (*ccdirname != '/') {
"Only absolute paths are allowed, not [%s] .\n", ccdirname);
goto done;
}
if (illegal_re != NULL) {
goto done;
}
}
"find_ccdir_parent_data failed.\n");
goto done;
}
"Check the ownership and permissions of krb5_ccachedir: [%s].\n",
goto done;
}
"Creating directory [%s].\n", li->s);
new_dir_mode = 0700;
goto done;
}
goto done;
}
}
done:
return ret;
}
{
char *server_name;
const char *realm_name;
int realm_length;
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
if (server_name == NULL) {
goto done;
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
kerr = 0;
done:
}
if (client_princ != NULL) {
}
if (server_princ != NULL) {
}
}
if (kerr != 0) {
return EIO;
}
return EOK;
}
{
const char *filename;
char *ccdirname;
char *end;
if (ccname[0] == '/') {
} else {
/* only FILE and DIR types need precreation so far, we ignore any
* other type */
return EOK;
}
goto done;
}
/* We'll remove all trailing slashes from the back so that
do {
"/ is not allowed.\n", ccdirname);
goto done;
}
*end = '\0';
done:
return ret;
}
struct sss_krb5_ccache {
};
static int sss_free_krb5_ccache(void *mem)
{
}
return 0;
}
const char *ccname,
struct sss_krb5_ccache **ccache)
{
struct sss_krb5_ccache *cc;
if (!cc) {
return ENOMEM;
}
if (ret) {
goto done;
}
if (kerr) {
goto done;
}
ret = ERR_NOT_FOUND;
goto done;
} else if (kerr != 0) {
ret = ERR_INTERNAL;
goto done;
}
done:
if (ret) {
} else {
}
return ret;
}
{
if (kerr) {
} else {
}
/* krb5_cc_destroy frees cc->ccache in all events */
return ret;
}
{
return ENOMEM;
}
if (ret) {
goto done;
}
done:
return ret;
}
/* This function is called only as a way to validate that we have the
* right cache */
{
const char *cc_type;
return ENOMEM;
}
if (ret) {
goto done;
}
if (kerr != 0) {
ret = ERR_INTERNAL;
goto done;
}
if (kerr != 0) {
}
if (ccprinc) {
/* found in the primary ccache */
goto done;
}
}
#ifdef HAVE_KRB5_CC_COLLECTION
if (kerr != 0) {
/* try to continue despite failure */
}
if (kerr == 0) {
goto done;
}
}
#endif /* HAVE_KRB5_CC_COLLECTION */
ret = ERR_NOT_FOUND;
done:
if (cc) {
}
return ret;
}
{
const char *filename;
int ret;
if (ccname[0] == '/') {
} else {
/* only FILE and DIR types need file checks so far, we ignore any
* other type */
return EOK;
}
return EOK;
}
{
char *tgt_name;
krb5_creds mcred = { 0 };
krb5_creds cred = { 0 };
* exists bail out immediately otherwise a following krb5_cc_resolve()
* call may actually create paths and files we do not want to have
* around */
if (ret) {
return ret;
}
return ENOMEM;
}
if (ret) {
goto done;
}
if (!tgt_name) {
goto done;
}
if (kerr) {
else ret = ERR_INTERNAL;
goto done;
}
if (kerr) {
else ret = ERR_INTERNAL;
goto done;
}
if (kerr) {
} else {
ret = ERR_INTERNAL;
}
}
done:
return ret;
}
char *domain_name,
struct sss_domain_info **dom)
{
if (domain_name != NULL &&
return ENOMEM;
}
} else {
}
return EOK;
}