authorGreg Hudson <ghudson@mit.edu>2013-01-08 15:20:45 -0500
committerGreg Hudson <ghudson@mit.edu>2013-01-09 15:35:43 -0500
commit0780e46fc13dbafa177525164997cd204cc50b51 (patch)
treeeacb2400a78bfab43bbc95cb8ab3055498da881b /src/kadmin
parent090f561c631db7e4970b71cbe1426d636c39c77a (diff)
Allow principals to refer to nonexistent policies
Stop using and maintaining the policy_refcnt field, and do not try to prevent deletion of a policy which is still referenced by principals. Instead, allow principals to refer to policy names which do not exist as policy objects; treat those principals as having no associated policy. In the kadmin client, warn if addprinc or modprinc tries to reference a policy which doesn't exist, since the server will no longer error out in this case. ticket: 7385
Diffstat (limited to 'src/kadmin')
-rw-r--r--src/kadmin/cli/kadmin.c49
-rw-r--r--src/kadmin/dbutil/dump.c29
2 files changed, 49 insertions, 29 deletions
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 649bbc17e4..151f3165a9 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -232,6 +232,17 @@ randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks,
return kadm5_randkey_principal(handle, princ, NULL, NULL);
}
+static krb5_boolean
+policy_exists(const char *name)
+{
+ kadm5_policy_ent_rec pol;
+
+ if (kadm5_get_policy(handle, (char *)name, &pol) != 0)
+ return FALSE;
+ kadm5_free_policy_ent(handle, &pol);
+ return TRUE;
+}
+
char *
kadmin_startup(int argc, char *argv[])
{
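Review bot: policy_exists treats every nonzero return from kadm5_get_policy as "the policy is absent", so a caller that lacks permission to inquire policies, or hits a transient RPC failure, gets `WARNING: policy "x" does not exist` from the kadmin_addprinc and kadmin_modprinc hunks and a spurious ` [does not exist]` suffix from the kadmin_getprinc hunk, even though the policy exists on the server. Only KADM5_UNK_POLICY actually means the policy is absent; I would distinguish it and treat any other error as "unknown, assume it exists" so a false negative does not nudge an operator into creating or reassigning policies: `ret = kadm5_get_policy(handle, (char *)name, &pol); if (ret == KADM5_UNK_POLICY) return FALSE; if (ret != 0) return TRUE;` before the existing free-and-return-TRUE path. The `(char *)` cast on name is presumably forced by the kadm5 prototype; a one-line comment saying so would keep the next reader from "fixing" it.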
@@ -1158,7 +1169,6 @@ void
kadmin_addprinc(int argc, char *argv[])
{
kadm5_principal_ent_rec princ;
- kadm5_policy_ent_rec defpol;
long mask;
krb5_boolean randkey = FALSE, old_style_randkey = FALSE;
int n_ks_tuple;
@@ -1184,23 +1194,24 @@ kadmin_addprinc(int argc, char *argv[])
goto cleanup;
}
- /*
- * If -policy was not specified, and -clearpolicy was not
- * specified, and the policy "default" exists, assign it. If
- * -clearpolicy was specified, then KADM5_POLICY_CLR should be
- * unset, since it is never valid for kadm5_create_principal.
- */
- if (!(mask & KADM5_POLICY) && !(mask & KADM5_POLICY_CLR)) {
- if (!kadm5_get_policy(handle, "default", &defpol)) {
+ if (mask & KADM5_POLICY) {
+ /* Warn if the specified policy does not exist. */
+ if (!policy_exists(princ.policy)) {
+ fprintf(stderr, _("WARNING: policy \"%s\" does not exist\n"),
+ princ.policy);
+ }
+ } else if (!(mask & KADM5_POLICY_CLR)) {
+ /* If the policy "default" exists, assign it. */
+ if (policy_exists("default")) {
fprintf(stderr, _("NOTICE: no policy specified for %s; "
"assigning \"default\"\n"), canon);
princ.policy = "default";
mask |= KADM5_POLICY;
- kadm5_free_policy_ent(handle, &defpol);
} else
fprintf(stderr, _("WARNING: no policy specified for %s; "
"defaulting to no policy\n"), canon);
}
+ /* Don't send KADM5_POLICY_CLR to the server. */
mask &= ~KADM5_POLICY_CLR;
if (randkey) {
@@ -1312,6 +1323,13 @@ kadmin_modprinc(int argc, char *argv[])
kadmin_modprinc_usage();
goto cleanup;
}
+ if (mask & KADM5_POLICY) {
+ /* Warn if the specified policy does not exist. */
+ if (!policy_exists(princ.policy)) {
+ fprintf(stderr, _("WARNING: policy \"%s\" does not exist\n"),
+ princ.policy);
+ }
+ }
if (mask) {
/* Skip this if all we're doing is setting certhash. */
retval = kadm5_modify_principal(handle, &princ, mask);
@@ -1336,6 +1354,7 @@ kadmin_getprinc(int argc, char *argv[])
kadm5_principal_ent_rec dprinc;
krb5_principal princ = NULL;
krb5_error_code retval;
+ const char *polname, *noexist;
char *canon = NULL, *princstr = NULL, *modprincstr = NULL;
int i;
size_t j;
@@ -1422,7 +1441,10 @@ kadmin_getprinc(int argc, char *argv[])
printf(" %s", prflags[j]);
}
printf("\n");
- printf(_("Policy: %s\n"), dprinc.policy ? dprinc.policy : _("[none]"));
+ polname = (dprinc.policy != NULL) ? dprinc.policy : _("[none]");
+ noexist = (dprinc.policy != NULL && !policy_exists(dprinc.policy)) ?
+ _(" [does not exist]") : "";
+ printf(_("Policy: %s%s\n"), polname, noexist);
} else {
printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\""
"\t%d\t%d\t%d\t%d\t%d",
@@ -1699,7 +1721,6 @@ kadmin_getpol(int argc, char *argv[])
printf(_("Minimum number of password character classes: %ld\n"),
policy.pw_min_classes);
printf(_("Number of old keys kept: %ld\n"), policy.pw_history_num);
- printf(_("Reference count: %ld\n"), policy.policy_refcnt);
printf(_("Maximum password failures before lockout: %lu\n"),
(unsigned long)policy.pw_max_fail);
printf(_("Password failure count reset interval: %s\n"),
@@ -1709,11 +1730,11 @@ kadmin_getpol(int argc, char *argv[])
if (policy.allowed_keysalts != NULL)
printf(_("Allowed key/salt types: %s\n"), policy.allowed_keysalts);
} else {
+ /* Output 0 where we used to output policy_refcnt. */
printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\t%lu\t%ld\t%ld\t%s\n",
policy.policy, policy.pw_max_life, policy.pw_min_life,
policy.pw_min_length, policy.pw_min_classes,
- policy.pw_history_num, policy.policy_refcnt,
- (unsigned long)policy.pw_max_fail,
+ policy.pw_history_num, 0, (unsigned long)policy.pw_max_fail,
(long)policy.pw_failcnt_interval,
(long)policy.pw_lockout_duration,
(policy.allowed_keysalts == NULL) ? "-" :
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 7b515bd702..af10c9cd49 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -1112,8 +1112,7 @@ void dump_k5beta7_policy(void *data, osa_policy_ent_t entry)
arg = (struct dump_args *) data;
fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\n", entry->name,
entry->pw_min_life, entry->pw_max_life, entry->pw_min_length,
- entry->pw_min_classes, entry->pw_history_num,
- entry->policy_refcnt);
+ entry->pw_min_classes, entry->pw_history_num, 0);
}
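Review bot: The literal `0` that replaces entry->policy_refcnt in the fprintf has no comment saying that the column is kept only so the dump format stays unchanged, whereas the matching kadmin.c getpol hunk does say `/* Output 0 where we used to output policy_refcnt. */`; the same applies to the dump_r1_8_policy and dump_r1_11_policy hunks below. I would add `/* policy_refcnt is no longer maintained; emit 0 to keep the dump format stable. */` above each of the three fprintf calls. The loaders (process_k5beta7_policy, process_r1_8_policy, and the r1_11 one whose hunk runs past what I can see) now scan the column into a `refcnt` local that is never read; a comment at each declaration such as `/* Parsed for format compatibility only; the value is ignored. */` would make clear that older dumps carrying a real refcount still parse and that the discarded value is intentional.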
void dump_r1_8_policy(void *data, osa_policy_ent_t entry)
@@ -1124,9 +1123,9 @@ void dump_r1_8_policy(void *data, osa_policy_ent_t entry)
fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n",
entry->name,
entry->pw_min_life, entry->pw_max_life, entry->pw_min_length,
- entry->pw_min_classes, entry->pw_history_num,
- entry->policy_refcnt, entry->pw_max_fail,
- entry->pw_failcnt_interval, entry->pw_lockout_duration);
+ entry->pw_min_classes, entry->pw_history_num, 0,
+ entry->pw_max_fail, entry->pw_failcnt_interval,
+ entry->pw_lockout_duration);
}
void
@@ -1140,10 +1139,10 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry)
"%d\t%d\t%d\t%s\t%d",
entry->name,
entry->pw_min_life, entry->pw_max_life, entry->pw_min_length,
- entry->pw_min_classes, entry->pw_history_num,
- entry->policy_refcnt, entry->pw_max_fail,
- entry->pw_failcnt_interval, entry->pw_lockout_duration,
- entry->attributes, entry->max_life, entry->max_renewable_life,
+ entry->pw_min_classes, entry->pw_history_num, 0,
+ entry->pw_max_fail, entry->pw_failcnt_interval,
+ entry->pw_lockout_duration, entry->attributes, entry->max_life,
+ entry->max_renewable_life,
entry->allowed_keysalts ? entry->allowed_keysalts : "-",
entry->n_tl_data);
@@ -2301,7 +2300,7 @@ process_k5beta7_policy(fname, kcontext, filep, flags, linenop)
{
osa_policy_ent_rec rec;
char namebuf[1024];
- int nread, ret;
+ int nread, refcnt, ret;
memset(&rec, 0, sizeof(rec));
@@ -2311,7 +2310,7 @@ process_k5beta7_policy(fname, kcontext, filep, flags, linenop)
nread = fscanf(filep, "%1023s\t%d\t%d\t%d\t%d\t%d\t%d", rec.name,
&rec.pw_min_life, &rec.pw_max_life,
&rec.pw_min_length, &rec.pw_min_classes,
- &rec.pw_history_num, &rec.policy_refcnt);
+ &rec.pw_history_num, &refcnt);
if (nread == EOF)
return -1;
else if (nread != 7) {
@@ -2344,7 +2343,7 @@ process_r1_8_policy(fname, kcontext, filep, flags, linenop)
{
osa_policy_ent_rec rec;
char namebuf[1024];
- int nread, ret;
+ int nread, refcnt, ret;
memset(&rec, 0, sizeof(rec));
@@ -2355,7 +2354,7 @@ process_r1_8_policy(fname, kcontext, filep, flags, linenop)
rec.name,
&rec.pw_min_life, &rec.pw_max_life,
&rec.pw_min_length, &rec.pw_min_classes,
- &rec.pw_history_num, &rec.policy_refcnt,
+ &rec.pw_history_num, &refcnt,
&rec.pw_max_fail, &rec.pw_failcnt_interval,
&rec.pw_lockout_duration);
if (nread == EOF)
@@ -2388,7 +2387,7 @@ process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep,
krb5_tl_data *tl, *tl_next;
char namebuf[1024];
char keysaltbuf[KRB5_KDB_MAX_ALLOWED_KS_LEN + 1];
- int nread;
+ int nread, refcnt;
int ret = 0;
const char *try2read = NULL;
@@ -2406,7 +2405,7 @@ process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep,
rec.name,
&rec.pw_min_life, &rec.pw_max_life,
&rec.pw_min_length, &rec.pw_min_classes,
- &rec.pw_history_num, &rec.policy_refcnt,
+ &rec.pw_history_num, &refcnt,
&rec.pw_max_fail, &rec.pw_failcnt_interval,
&rec.pw_lockout_duration,
&rec.attributes, &rec.max_life, &rec.max_renewable_life,