authorGreg Hudson <ghudson@mit.edu>2009-08-13 21:25:54 +0000
committerGreg Hudson <ghudson@mit.edu>2009-08-13 21:25:54 +0000
commit1ddf7efda0fa665d86431dfc2a57e90e892b81ab (patch)
tree141ed4abf608f1143e4344aaae0f244dc62d578b /src/kadmin
parent45eefd6a6fa51ccf67aaf073c0237bbbd142ae81 (diff)
Remove kadmin v1 API support
The kadmin v1 API and the even older ovsec_kadm_* API were legacy when kadmin was first incorporated in 1996, and compatibility with them is no longer believed to be necessary. The uninstalled kadmin/passwd has been removed (since it used the ovsec API). The test suite has been updated to use the v2 API where appropriate, and the parts specifically designed to test the old API have been excised. ticket: 6544 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22521 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin')
-rw-r--r--src/kadmin/Makefile.in2
-rw-r--r--src/kadmin/passwd/Kpasswd.res46
-rw-r--r--src/kadmin/passwd/Makefile.in28
-rw-r--r--src/kadmin/passwd/deps26
-rw-r--r--src/kadmin/passwd/kpasswd.M70
-rw-r--r--src/kadmin/passwd/kpasswd.c281
-rw-r--r--src/kadmin/passwd/kpasswd.h46
-rw-r--r--src/kadmin/passwd/kpasswd_strings.et76
-rw-r--r--src/kadmin/passwd/tty_kpasswd.c81
-rw-r--r--src/kadmin/passwd/unit-test/Makefile.in27
-rw-r--r--src/kadmin/passwd/unit-test/config/unix.exp115
-rw-r--r--src/kadmin/passwd/unit-test/deps1
-rw-r--r--src/kadmin/passwd/unit-test/kpasswd.0/changing.exp113
-rw-r--r--src/kadmin/passwd/unit-test/kpasswd.0/connecting.exp29
-rw-r--r--src/kadmin/passwd/unit-test/kpasswd.0/principal.exp87
-rw-r--r--src/kadmin/passwd/unit-test/kpasswd.0/usage.exp26
-rw-r--r--src/kadmin/passwd/unit-test/lib/helpers.exp217
-rw-r--r--src/kadmin/passwd/xm_kpasswd.c445
-rw-r--r--src/kadmin/server/Makefile.in4
-rw-r--r--src/kadmin/server/misc.h8
-rw-r--r--src/kadmin/server/ovsec_kadmd.c30
-rw-r--r--src/kadmin/server/server_glue_v1.c32
-rw-r--r--src/kadmin/server/server_stubs.c60
-rwxr-xr-xsrc/kadmin/testing/scripts/env-setup.shin4
-rwxr-xr-xsrc/kadmin/testing/scripts/init_db137
-rwxr-xr-xsrc/kadmin/testing/scripts/make-host-keytab.plin2
-rwxr-xr-xsrc/kadmin/testing/scripts/start_servers_local13
-rw-r--r--src/kadmin/testing/util/Makefile.in8
-rw-r--r--src/kadmin/testing/util/deps11
-rw-r--r--src/kadmin/testing/util/tcl_kadm5.c15
-rw-r--r--src/kadmin/testing/util/tcl_kadm5.h1
-rw-r--r--src/kadmin/testing/util/tcl_kadm5_syntax (renamed from src/kadmin/testing/util/tcl_ovsec_kadm_syntax)2
-rw-r--r--src/kadmin/testing/util/tcl_ovsec_kadm.c2036
-rw-r--r--src/kadmin/testing/util/test.c1
34 files changed, 103 insertions, 3977 deletions
diff --git a/src/kadmin/Makefile.in b/src/kadmin/Makefile.in
index e5b7810843..f47be7295c 100644
--- a/src/kadmin/Makefile.in
+++ b/src/kadmin/Makefile.in
@@ -2,7 +2,7 @@ thisconfigdir=..
myfulldir=kadmin
mydir=kadmin
BUILDTOP=$(REL)..
-SUBDIRS = cli dbutil passwd ktutil server testing
+SUBDIRS = cli dbutil ktutil server testing
all::
diff --git a/src/kadmin/passwd/Kpasswd.res b/src/kadmin/passwd/Kpasswd.res
deleted file mode 100644
index a7ec03161a..0000000000
--- a/src/kadmin/passwd/Kpasswd.res
+++ /dev/null
@@ -1,46 +0,0 @@
-*xm_ovpasswd.title: PW-CHG-GUI
-*form.shadowThickness: 2
-
-*foreground: black
-*background: grey80
-*topShadowColor: grey95
-*bottomShadowColor: grey20
-*fontList: -*-helvetica-medium-r-*-*-14-*
-*main_lbl.fontList: -*-helvetica-bold-r-*-*-14-*
-*XmForm.Spacing: 5
-
-*main_lbl.labelString: Changing password.
-*old_lbl.labelString: Old password:
-*new_lbl.labelString: New password:
-*again_lbl.labelString: New password (again):
-*sep.leftOffset: 0
-*sep.rightOffset: 0
-*Quit.labelString: Quit
-*Help.labelString: Help
-
-*main_lbl.alignment: ALIGNMENT_CENTER
-*lbl_form*alignment: ALIGNMENT_END
-*scroll_win.shadowThickness: 0
-
-*scroll_text.value: \
-Enter your old password below, and press return. You will not be able to see what you\n\
-are typing. After correctly entering your old password, you will be prompted twice for\n\
-your new password. Other messages and directions will appear in this space as necessary.
-*scroll_text.rows: 5
-*scroll_text.columns: 66
-*scroll_text.scrollHorizontal: FALSE
-*scroll_text.cursorPositionVisible: FALSE
-
-*help_dlg_popup.title: PW-CHG-GUI Help
-*help_dlg.messageString: \
-Welcome to the Kerberos password changing GUI.\n\
-\n\
-In the main window, enter your old password when prompted. After verifying\n\
-your old password, the policy governing your password will be displayed, and\n\
-you will be prompted for a new password. You will then be asked to enter it\n\
-a second time, to make sure you have not made any typos. Assuming that\n\
-your new password complies with your password policy, you should receive\n\
-an acknowledgement that your password has been changed.\n\
-\n\
-If an error occurs, the process will start over from the beginning. You may\n\
-exit the application at any time by pressing the "Quit" button.
diff --git a/src/kadmin/passwd/Makefile.in b/src/kadmin/passwd/Makefile.in
deleted file mode 100644
index 19854c96b3..0000000000
--- a/src/kadmin/passwd/Makefile.in
+++ /dev/null
@@ -1,28 +0,0 @@
-thisconfigdir=../..
-myfulldir=kadmin/passwd
-mydir=kadmin/passwd
-BUILDTOP=$(REL)..$(S)..
-LOCALINCLUDES = -I.
-DEFINES = -DUSE_KADM5_API_VERSION=1
-DEFS=
-PROG_LIBPATH=-L$(TOPLIBD)
-PROG_RPATH=$(KRB5_LIBDIR)
-SUBDIRS = unit-test
-
-PROG = kpasswd
-OBJS = tty_kpasswd.o kpasswd.o kpasswd_strings.o
-SRCS = tty_kpasswd.c kpasswd.c kpasswd_strings.c
-
-all:: $(PROG)
-
-kpasswd_strings.c kpasswd_strings.h: $(srcdir)/kpasswd_strings.et
-
-$(OBJS): kpasswd_strings.h
-
-$(PROG): $(OBJS) $(KADMCLNT_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $(PROG) $(OBJS) $(KADMCLNT_LIBS) $(KRB5_BASE_LIBS)
-
-clean::
- $(RM) kpasswd_strings.c kpasswd_strings.h $(PROG) $(OBJS)
-
-depend:: kpasswd_strings.h
diff --git a/src/kadmin/passwd/deps b/src/kadmin/passwd/deps
deleted file mode 100644
index ff09f598f5..0000000000
--- a/src/kadmin/passwd/deps
+++ /dev/null
@@ -1,26 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-$(OUTPRE)tty_kpasswd.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h kpasswd.h kpasswd_strings.h \
- tty_kpasswd.c
-$(OUTPRE)kpasswd.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \
- $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \
- $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h kpasswd.c kpasswd.h kpasswd_strings.h
-$(OUTPRE)kpasswd_strings.$(OBJEXT): $(COM_ERR_DEPS) \
- kpasswd_strings.c
diff --git a/src/kadmin/passwd/kpasswd.M b/src/kadmin/passwd/kpasswd.M
deleted file mode 100644
index 185c1f5950..0000000000
--- a/src/kadmin/passwd/kpasswd.M
+++ /dev/null
@@ -1,70 +0,0 @@
-.\" kadmin/kpasswd/kpasswd.M
-.\"
-.\" Copyright 1995 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KPASSWD 1
-.SH NAME
-kpasswd \- change a user's Kerberos password
-.SH SYNOPSIS
-.B kpasswd
-[\fIprincipal\fP]
-.SH DESCRIPTION
-.PP
-The
-.I kpasswd
-command is used to change a Kerberos principal's password.
-.I Kpasswd
-prompts for the current Kerberos password, which is used to obtain a
-.B changepw
-ticket from the
-.SM KDC
-for the user's Kerberos realm. If
-.B kpasswd
-successfully obtains the
-.B changepw
-ticket, the user is prompted twice for the new password, and the
-password is changed.
-.PP
-If the principal is governed by a policy that specifies the length and/or
-number of character classes required in the new password, the new
-password must conform to the policy. (The five character classes are
-lower case, upper case, numbers, punctuation, and all other characters.)
-.SH OPTIONS
-.TP
-.I principal
-change the password for the Kerberos principal
-.IR principal .
-Otherwise, the principal is derived from the identity of the user
-invoking the
-.I kpasswd
-command.
-.SH FILES
-.TP "\w'/tmp/tkt_kadm_[pid]'u"
-/tmp/tkt_kadm_[pid]
-temporary credentials cache for the lifetime of the password changing
-operation. ([pid] is the process-ID of the kpasswd process.)
-.SH SEE ALSO
-kadmin(8), kadmind(8)
-.SH BUGS
-If
-.B kpasswd
-is suspended, the changepw tickets may not be destroyed.
diff --git a/src/kadmin/passwd/kpasswd.c b/src/kadmin/passwd/kpasswd.c
deleted file mode 100644
index ca47fca5b6..0000000000
--- a/src/kadmin/passwd/kpasswd.c
+++ /dev/null
@@ -1,281 +0,0 @@
-/*
- * Copyright 1993-1994 OpenVision Technologies, Inc., All Rights Reserved.
- *
- * $Header$
- *
- *
- */
-
-static char rcsid[] = "$Id$";
-
-#include <kadm5/admin.h>
-#include <krb5.h>
-
-#include "kpasswd_strings.h"
-#define string_text error_message
-
-#include "kpasswd.h"
-
-#include <stdio.h>
-#include <pwd.h>
-#include <string.h>
-
-extern char *whoami;
-
-
-#define MISC_EXIT_STATUS 6
-
-/*
- * Function: kpasswd
- *
- * Purpose: Initialize and call lower level routines to change a password
- *
- * Arguments:
- *
- * context (r) krb5_context to use
- * argc/argv (r) principal name to use, optional
- * read_old_password (f) function to read old password
- * read_new_password (f) function to read new and change password
- * display_intro_message (f) function to display intro message
- * whoami (extern) argv[0]
- *
- * Returns:
- * exit status of 0 for success
- * 1 principal unknown
- * 2 old password wrong
- * 3 cannot initialize admin server session
- * 4 new passwd mismatch or error trying to change pw
- * 5 password not typed
- * 6 misc error
- * 7 incorrect usage
- *
- * Requires:
- * Passwords cannot be more than 255 characters long.
- *
- * Effects:
- *
- * If argc is 2, the password for the principal specified in argv[1]
- * is changed; otherwise, the principal of the default credential
- * cache or username is used. display_intro_message is called with
- * the arguments KPW_STR_CHANGING_PW_FOR and the principal name.
- * read_old_password is then called to prompt for the old password.
- * The admin system is then initialized, the principal's policy
- * retrieved and explained, if appropriate, and finally
- * read_new_password is called to read the new password and change the
- * principal's password (presumably ovsec_kadm_chpass_principal).
- * admin system is de-initialized before the function returns.
- *
- * Modifies:
- *
- * Changes the principal's password.
- *
- */
-int
-kpasswd(context, argc, argv)
- krb5_context context;
- int argc;
- char *argv[];
-{
- int code;
- krb5_ccache ccache = NULL;
- krb5_principal princ = 0;
- char *princ_str;
- struct passwd *pw = 0;
- unsigned int pwsize;
- char password[255]; /* I don't really like 255 but that's what kinit uses */
- char msg_ret[1024], admin_realm[1024];
- ovsec_kadm_principal_ent_t principal_entry = NULL;
- ovsec_kadm_policy_ent_t policy_entry = NULL;
- void *server_handle;
-
- if (argc > 2) {
- com_err(whoami, KPW_STR_USAGE, 0);
- return(7);
- /*NOTREACHED*/
- }
-
- /************************************
- * Get principal name to change *
- ************************************/
-
- /* Look on the command line first, followed by the default credential
- cache, followed by defaulting to the Unix user name */
-
- if (argc == 2)
- princ_str = strdup(argv[1]);
- else {
- code = krb5_cc_default(context, &ccache);
- /* If we succeed, find who is in the credential cache */
- if (code == 0) {
- /* Get default principal from cache if one exists */
- code = krb5_cc_get_principal(context, ccache, &princ);
- /* if we got a principal, unparse it, otherwise get out of the if
- with an error code */
- (void) krb5_cc_close(context, ccache);
- if (code == 0) {
- code = krb5_unparse_name(context, princ, &princ_str);
- if (code != 0) {
- com_err(whoami, code, string_text(KPW_STR_UNPARSE_NAME));
- return(MISC_EXIT_STATUS);
- }
- }
- }
-
- /* this is a crock.. we want to compare against */
- /* "KRB5_CC_DOESNOTEXIST" but there is no such error code, and */
- /* both the file and stdio types return FCC_NOFILE. If there is */
- /* ever another ccache type (or if the error codes are ever */
- /* fixed), this code will have to be updated. */
- if (code && code != KRB5_FCC_NOFILE) {
- com_err(whoami, code, string_text(KPW_STR_WHILE_LOOKING_AT_CC));
- return(MISC_EXIT_STATUS);
- }
-
- /* if either krb5_cc failed check the passwd file */
- if (code != 0) {
- pw = getpwuid( getuid());
- if (pw == NULL) {
- com_err(whoami, 0, string_text(KPW_STR_NOT_IN_PASSWD_FILE));
- return(MISC_EXIT_STATUS);
- }
- princ_str = strdup(pw->pw_name);
- }
- }
-
- display_intro_message(string_text(KPW_STR_CHANGING_PW_FOR), princ_str);
-
- /* Need to get a krb5_principal, unless we started from with one from
- the credential cache */
-
- if (! princ) {
- code = krb5_parse_name (context, princ_str, &princ);
- if (code != 0) {
- com_err(whoami, code, string_text(KPW_STR_PARSE_NAME), princ_str);
- free(princ_str);
- return(MISC_EXIT_STATUS);
- }
- }
-
- pwsize = sizeof(password);
- code = read_old_password(context, password, &pwsize);
-
- if (code != 0) {
- memset(password, 0, sizeof(password));
- com_err(whoami, code, string_text(KPW_STR_WHILE_READING_PASSWORD));
- krb5_free_principal(context, princ);
- free(princ_str);
- return(MISC_EXIT_STATUS);
- }
- if (pwsize == 0) {
- memset(password, 0, sizeof(password));
- com_err(whoami, 0, string_text(KPW_STR_NO_PASSWORD_READ));
- krb5_free_principal(context, princ);
- free(princ_str);
- return(5);
- }
-
- admin_realm[0] = '\0';
- strncat(admin_realm, krb5_princ_realm(context, princ)->data,
- krb5_princ_realm(context, princ)->length);
-
- code = ovsec_kadm_init(princ_str, password, KADM5_CHANGEPW_SERVICE,
- admin_realm /* we probably should take a -r */
- /* someday */,
- OVSEC_KADM_STRUCT_VERSION,
- OVSEC_KADM_API_VERSION_1,
- NULL,
- &server_handle);
- if (code != 0) {
- if (code == OVSEC_KADM_BAD_PASSWORD)
- com_err(whoami, 0, string_text(KPW_STR_OLD_PASSWORD_INCORRECT));
- else
- com_err(whoami, 0, string_text(KPW_STR_CANT_OPEN_ADMIN_SERVER), admin_realm,
- error_message(code));
- krb5_free_principal(context, princ);
- free(princ_str);
- return((code == OVSEC_KADM_BAD_PASSWORD)?2:3);
- }
-
- /* Explain policy restrictions on new password if any. */
- /* Note: copy of this exists in login (kverify.c/get_verified_in_tkt). */
-
- code = ovsec_kadm_get_principal(server_handle, princ, &principal_entry);
- if (code != 0) {
- com_err(whoami, 0,
- string_text((code == OVSEC_KADM_UNK_PRINC)
- ? KPW_STR_PRIN_UNKNOWN : KPW_STR_CANT_GET_POLICY_INFO),
- princ_str);
- krb5_free_principal(context, princ);
- free(princ_str);
- (void) ovsec_kadm_destroy(server_handle);
- return((code == OVSEC_KADM_UNK_PRINC) ? 1 : MISC_EXIT_STATUS);
- }
- if ((principal_entry->aux_attributes & OVSEC_KADM_POLICY) != 0) {
- code = ovsec_kadm_get_policy(server_handle,
- principal_entry->policy, &policy_entry);
- if (code != 0) {
- /* doesn't matter which error comes back, there's no nice recovery
- or need to differentiate to the user */
- com_err(whoami, 0,
- string_text(KPW_STR_CANT_GET_POLICY_INFO), princ_str);
- (void) ovsec_kadm_free_principal_ent(server_handle, principal_entry);
- krb5_free_principal(context, princ);
- free(princ_str);
- (void) ovsec_kadm_destroy(server_handle);
- return(MISC_EXIT_STATUS);
- }
- com_err(whoami, 0, string_text(KPW_STR_POLICY_EXPLANATION),
- princ_str, principal_entry->policy,
- policy_entry->pw_min_length, policy_entry->pw_min_classes);
-
- code = ovsec_kadm_free_principal_ent(server_handle, principal_entry);
- if (code) {
- (void) ovsec_kadm_free_policy_ent(server_handle, policy_entry);
- krb5_free_principal(context, princ);
- free(princ_str);
- com_err(whoami, code, string_text(KPW_STR_WHILE_FREEING_PRINCIPAL));
- (void) ovsec_kadm_destroy(server_handle);
- return(MISC_EXIT_STATUS);
- }
-
- code = ovsec_kadm_free_policy_ent(server_handle, policy_entry);
- if (code) {
- krb5_free_principal(context, princ);
- free(princ_str);
- com_err(whoami, code, string_text(KPW_STR_WHILE_FREEING_POLICY));
- (void) ovsec_kadm_destroy(server_handle);
- return(MISC_EXIT_STATUS);
- }
- }
- else {
- /* kpasswd *COULD* output something here to encourage the choice
- of good passwords, in the absence of an enforced policy. */
- code = ovsec_kadm_free_principal_ent(server_handle, principal_entry);
- if (code) {
- krb5_free_principal(context, princ);
- free(princ_str);
- com_err(whoami, code, string_text(KPW_STR_WHILE_FREEING_PRINCIPAL));
- (void) ovsec_kadm_destroy(server_handle);
- return(MISC_EXIT_STATUS);
- }
- }
-
- pwsize = sizeof(password);
- code = read_new_password(server_handle, password, &pwsize, msg_ret, princ);
- memset(password, 0, sizeof(password));
-
- if (code)
- com_err(whoami, 0, msg_ret);
-
- krb5_free_principal(context, princ);
- free(princ_str);
-
- (void) ovsec_kadm_destroy(server_handle);
-
- if (code == KRB5_LIBOS_CANTREADPWD)
- return(5);
- else if (code)
- return(4);
- else
- return(0);
-}
diff --git a/src/kadmin/passwd/kpasswd.h b/src/kadmin/passwd/kpasswd.h
deleted file mode 100644
index 577ab386fa..0000000000
--- a/src/kadmin/passwd/kpasswd.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * kadmin/passwd/kpasswd.h
- *
- * Copyright 2001 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Prototypes for the kpasswd program callback functions.
- */
-
-#ifndef __KPASSWD_H__
-#define __KPASSWD_H__
-
-int kpasswd(krb5_context context, int argc, char *argv[]);
-
-long read_old_password(krb5_context context, char *password,
- unsigned int *pwsize);
-
-long read_new_password(void *server_handle, char *password,
- unsigned int *pwsize, char *msg_ret,
- krb5_principal princ);
-
-void display_intro_message(const char *fmt_string, const char *arg_string);
-
-#endif /* __KPASSWD_H__ */
-
-
diff --git a/src/kadmin/passwd/kpasswd_strings.et b/src/kadmin/passwd/kpasswd_strings.et
deleted file mode 100644
index 7e826d270f..0000000000
--- a/src/kadmin/passwd/kpasswd_strings.et
+++ /dev/null
@@ -1,76 +0,0 @@
-#
-# Copyright 1993-1994 OpenVision Technologies, Inc., All Rights Reserved.
-#
-# String table of messages for kpasswd
-
-
-error_table kpws
-
-# /* M1 */
-error_code KPW_STR_USAGE, "Usage: kpasswd [principal_name]."
-
-error_code KPW_STR_PRIN_UNKNOWN,
- "Kerberos principal name %s is not recognized."
-# /* <name> */
-
-# /* M2 */
-error_code KPW_STR_WHILE_LOOKING_AT_CC,
- "while reading principal name from credential cache."
-
-# /* M4 */
-error_code KPW_STR_OLD_PASSWORD_INCORRECT,
- "Old Kerberos password is incorrect. Please try again."
-
-# /* M5 */
-error_code KPW_STR_CANT_OPEN_ADMIN_SERVER,
-"Cannot establish a session with the Kerberos administrative server for\n\
-realm %s. %s."
-# /* <realm-name>, <Specific error message from admin server library>. */
-
-# /* M6 */
-error_code KPW_STR_NEW_PASSWORD_MISMATCH,
- "New passwords do not match - password not changed.\n"
-
-# /* M7 */
-error_code KPW_STR_PASSWORD_CHANGED, "Kerberos password changed.\n"
-
-# /* M13 */
-error_code KPW_STR_PASSWORD_NOT_CHANGED, "Password not changed."
-
-error_code KPW_STR_PARSE_NAME, "when parsing name %s."
-error_code KPW_STR_UNPARSE_NAME, "when unparsing name."
-error_code KPW_STR_NOT_IN_PASSWD_FILE, "Unable to identify user from password file."
-
-# /* M3 */
-error_code KPW_STR_CHANGING_PW_FOR, "Changing password for %s."
-# /* principal@realm */
-
-error_code KPW_STR_OLD_PASSWORD_PROMPT, "Old password"
-error_code KPW_STR_WHILE_READING_PASSWORD, "while reading new password."
-
-# /* M4 */
-error_code KPW_STR_NO_PASSWORD_READ,
-"You must type a password. Passwords must be at least one character long."
-
-# /* M14 */
-error_code KPW_STR_WHILE_TRYING_TO_CHANGE, "while trying to change password."
-
-error_code KPW_STR_WHILE_DESTROYING_ADMIN_SESSION,
-"while closing session with admin server and destroying tickets."
-
-error_code KPW_STR_WHILE_FREEING_PRINCIPAL,
-"while freeing admin principal entry"
-
-error_code KPW_STR_WHILE_FREEING_POLICY,
-"while freeing admin policy entry"
-
-error_code KPW_STR_CANT_GET_POLICY_INFO,
-"Could not get password policy information for principal %s."
-# /* principal@realm */
-
-error_code KPW_STR_POLICY_EXPLANATION,
-"%s's password is controlled by the policy %s, which\nrequires a minimum of %u characters from at least %u classes (the five classes\nare lowercase, uppercase, numbers, punctuation, and all other characters)."
-# /* principal_name policy_name min_length min_classes */
-
-end
-
diff --git a/src/kadmin/passwd/tty_kpasswd.c b/src/kadmin/passwd/tty_kpasswd.c
deleted file mode 100644
index 1894091409..0000000000
--- a/src/kadmin/passwd/tty_kpasswd.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright 1993-1994 OpenVision Technologies, Inc., All Rights Reserved.
- *
- * $Header$
- *
- *
- */
-
-static char rcsid[] = "$Id$";
-
-#include <kadm5/admin.h>
-#include <krb5.h>
-
-#include "kpasswd_strings.h"
-#define string_text error_message
-
-#include "kpasswd.h"
-#include <stdio.h>
-#include <pwd.h>
-#include <string.h>
-
-char *whoami;
-
-void display_intro_message(fmt_string, arg_string)
- const char *fmt_string;
- const char *arg_string;
-{
- com_err(whoami, 0, fmt_string, arg_string);
-}
-
-long read_old_password(context, password, pwsize)
- krb5_context context;
- char *password;
- unsigned int *pwsize;
-{
- long code = krb5_read_password(context,
- string_text(KPW_STR_OLD_PASSWORD_PROMPT),
- 0, password, pwsize);
- return code;
-}
-
-long read_new_password(server_handle, password, pwsize, msg_ret, princ)
- void *server_handle;
- char *password;
- unsigned int *pwsize;
- char *msg_ret;
- krb5_principal princ;
-{
- return (ovsec_kadm_chpass_principal_util(server_handle, princ, NULL,
- NULL /* don't need new pw back */,
- msg_ret));
-}
-
-
-/*
- * main() for tty version of kpasswd.c
- */
-int
-main(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_context context;
- int retval;
-
- whoami = (whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0];
-
- retval = krb5_init_context(&context);
- if (retval) {
- com_err(whoami, retval, "initializing krb5 context");
- exit(retval);
- }
- initialize_kpws_error_table();
-
- retval = kpasswd(context, argc, argv);
-
- if (!retval)
- printf(string_text(KPW_STR_PASSWORD_CHANGED));
-
- exit(retval);
-}
diff --git a/src/kadmin/passwd/unit-test/Makefile.in b/src/kadmin/passwd/unit-test/Makefile.in
deleted file mode 100644
index 37dfaca33f..0000000000
--- a/src/kadmin/passwd/unit-test/Makefile.in
+++ /dev/null
@@ -1,27 +0,0 @@
-thisconfigdir=../../..
-myfulldir=kadmin/passwd/unit-test
-mydir=kadmin/passwd/unit-test
-BUILDTOP=$(REL)..$(S)..$(S)..
-check unit-test:: unit-test-@DO_TEST@
-
-unit-test-:
- @echo "+++"
- @echo "+++ WARNING: kpasswd unit tests not run."
- @echo "+++ Either tcl, runtest, or Perl is unavailable."
- @echo "+++"
-
-unit-test-ok:: unit-test-setup unit-test-body unit-test-cleanup
-
-unit-test-body::
- $(ENV_SETUP) $(RUNTEST) --tool kpasswd KPASSWD=../kpasswd \
- KINIT=$(BUILDTOP)/clients/kinit/kinit \
- KDESTROY=$(BUILDTOP)/clients/kdestroy/kdestroy \
- PRIOCNTL_HACK=@PRIOCNTL_HACK@ VALGRIND="$(VALGRIND)"
-
-unit-test-setup::
- $(ENV_SETUP) $(VALGRIND) $(START_SERVERS)
-
-unit-test-cleanup::
- $(ENV_SETUP) $(STOP_SERVERS)
-clean::
- $(RM) dbg.log kpasswd.sum kpasswd.log
diff --git a/src/kadmin/passwd/unit-test/config/unix.exp b/src/kadmin/passwd/unit-test/config/unix.exp
deleted file mode 100644
index 479d772437..0000000000
--- a/src/kadmin/passwd/unit-test/config/unix.exp
+++ /dev/null
@@ -1,115 +0,0 @@
-if { [string length $VALGRIND] } {
- rename spawn valgrind_aux_spawn
- proc spawn { args } {
- global VALGRIND
- upvar 1 spawn_id spawn_id
- set newargs {}
- set inflags 1
- set eatnext 0
- foreach arg $args {
- if { $arg == "-ignore" \
- || $arg == "-open" \
- || $arg == "-leaveopen" } {
- lappend newargs $arg
- set eatnext 1
- continue
- }
- if [string match "-*" $arg] {
- lappend newargs $arg
- continue
- }
- if { $eatnext } {
- set eatnext 0
- lappend newargs $arg
- continue
- }
- if { $inflags } {
- set inflags 0
- # Only run valgrind for local programs, not
- # system ones.
-#&&![string match "/bin/sh" $arg] sh is used to start kadmind!
- if [string match "/" [string index $arg 0]]&&![string match "/bin/ls" $arg]&&![regexp {/kshd$} $arg] {
- set newargs [concat $newargs $VALGRIND]
- }
- }
- lappend newargs $arg
- }
- set pid [eval valgrind_aux_spawn $newargs]
- return $pid
- }
-}
-
-# Hack around Solaris 9 kernel race condition that causes last output
-# from a pty to get dropped.
-if { $PRIOCNTL_HACK } {
- catch {exec priocntl -s -c FX -m 30 -p 30 -i pid [getpid]}
- rename spawn oldspawn
- proc spawn { args } {
- upvar 1 spawn_id spawn_id
- set newargs {}
- set inflags 1
- set eatnext 0
- foreach arg $args {
- if { $arg == "-ignore" \
- || $arg == "-open" \
- || $arg == "-leaveopen" } {
- lappend newargs $arg
- set eatnext 1
- continue
- }
- if [string match "-*" $arg] {
- lappend newargs $arg
- continue
- }
- if { $eatnext } {
- set eatnext 0
- lappend newargs $arg
- continue
- }
- if { $inflags } {
- set inflags 0
- set newargs [concat $newargs {priocntl -e -c FX -p 0}]
- }
- lappend newargs $arg
- }
- set pid [eval oldspawn $newargs]
- return $pid
- }
-}
-
-#
-# kpasswd_version -- extract and print the version number of kpasswd
-#
-
-proc kpasswd_version {} {
- global KPASSWD
- catch "exec ident $KPASSWD" tmp
- if [regexp {Id: kpasswd.c,v ([0-9]+\.[0-9]+)} $tmp \
- dummy version] then {
- clone_output "$KPASSWD version $version\n"
- } else {
- clone_output "$KPASSWD version <unknown>\n"
- }
-}
-#
-# kpasswd_load -- loads the program
-#
-proc kpasswd_load {} {
- #
-}
-
-# kpasswd_exit -- clean up and exit
-proc kpasswd_exit {} {
- #
-}
-
-#
-# kpasswd_start -- start kpasswd running
-#
-proc kpasswd_start { args } {
- global KPASSWD
- global spawn_id
-
- verbose "% $KPASSWD $args" 1
- eval spawn $KPASSWD $args
-}
diff --git a/src/kadmin/passwd/unit-test/deps b/src/kadmin/passwd/unit-test/deps
deleted file mode 100644
index 2feac3c9d3..0000000000
--- a/src/kadmin/passwd/unit-test/deps
+++ /dev/null
@@ -1 +0,0 @@
-# No dependencies here.
diff --git a/src/kadmin/passwd/unit-test/kpasswd.0/changing.exp b/src/kadmin/passwd/unit-test/kpasswd.0/changing.exp
deleted file mode 100644
index 3d7dc4bfd3..0000000000
--- a/src/kadmin/passwd/unit-test/kpasswd.0/changing.exp
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# $Id$
-#
-
-set timeout 15
-
-load_lib "helpers.exp"
-
-if [info exist env(DEBUG)] { debug 1 }
-
-#
-# Here are the tests
-#
-
-set pol2_time [timestamp]
-
-test_3pass {test2} {D.5: different new passwords} test2 test2 test2 foobar \
- 4 {New passwords do not match - password not changed.}
-
-test_3pass {test2} {D.7.5: empty/empty} test2 test2 {} {} \
- 5 {You must type a password. Passwords must be at least one character long.}
-
-test_3pass {test2} {D.6: empty/non-empty} test2 test2 {} test2 \
- 4 {New passwords do not match - password not changed.}
-
-test_3pass {test2} {D.7: non-empty/empty} test2 test2 test2 {} \
- 4 {New passwords do not match - password not changed.}
-
-
-test_win {test1} {D.8: change password} test1 test1 newpass
-
-test_win {test1} {D.9: test changed password} test1 newpass test1
-
-mytest "D.22: No policy description was shown" test1 4 {
- -re "Changing password for test1.*\\.$s+Old password:\[^\n\]*$"
- { send "test1\n" }
-} {
- -re "$s+.*$s+.*$s+.*char.*classes.*"
- { myfail "policy description displayed" }
- timeout { mypass }
-} {
- -re "^$s+New password:\[^\n\]*$"
- { send "newpass\n" }
-} {
- -re "^$s+New password \\(again\\):\[^\n\]*\$"
- { send "ssapwen\n" }
-} {
- -re "$s+New passwords do not match - password not changed."
- { mypass }
-}
-
-test_3pass {pol1} {D.10: new password too short} pol1 pol111111 que que \
- 4 {New password is too short. Please choose a password which is at least [0-9]+ characters long.}
-
-test_3pass {pol1} {D.13: too few char classes in new password} pol1 \
- pol111111 123456789 123456789 \
- 4 {New password does not have enough character classes. The character classes are: - lower-case letters, - upper-case letters, - digits, - punctuation, and - all other characters \(e.g., control characters\). Please choose a password with at least [0-9]+ character classes.}
-
-test_3pass {pol1} {D.14: new password in dictionary} pol1 \
- pol111111 Discordianism Discordianism \
- 4 {New password was found in a dictionary of possible passwords and therefore may be easily guessed. Please choose another password. See the kpasswd man page for help in choosing a good password.}
-
-test_win {pol1} {successful change} pol1 pol111111 polAAAAAA
-# fail "successful change: XXXX password history is majorly broken"
-
-test_3pass {pol1} {D.11: new password same as old} pol1 \
- polAAAAAA polAAAAAA polAAAAAA \
- 4 {New password was used previously. Please choose a different password.}
-
-test_3pass {pol1} {D.12: new password in history} pol1 \
- polAAAAAA pol111111 pol111111 \
- 4 {New password was used previously. Please choose a different password.}
-
-mytest "D.18: Policy description was shown" pol1 4 {
- -re "Changing password for pol1.*\\.$s+Old password:\[^\n\]*$"
- { send "polAAAAAA\n" }
-} {
- -re "$s+.*$s+.*$s+.*8 char.*2 classes.*$s+New password:\[^\n\]*$"
- { send "newpass1234\n" }
-} {
- -re "^$s+New password \\(again\\):\[^\n\]*$"
- { send "newpass4321\n" }
-} {
- -re "$s+New passwords do not match - password not changed."
- { mypass }
-}
-
-# restore pol1's password to its initial value; see discussion in
-# secure-kpasswd/2204 about secure-releng/2191 if you are confused
-test_win {pol1} {successful change} pol1 polAAAAAA polBBBBBB
-test_win {pol1} {successful change} pol1 polBBBBBB polCCCCCC
-test_win {pol1} {successful change} pol1 polCCCCCC pol111111
-
-# Under "make check", init_db will just have been run and we could
-# jump right into the too-soon test. But if someone is working with
-# the test suite manually, init_db may have been run a while ago.
-# So, force some known state, first.
-set delay [expr $pol2_time + 11 - [timestamp]]
-verbose "(sleeping $delay seconds so pol2 password can be changed)"
-sleep $delay
-
-test_win {pol2} {successful change} pol2 pol222222 polbbbbbb
-
-test_3pass {pol2} {D.15: too soon to change password} pol2 \
- polbbbbbb pol222222 pol222222 \
- 4 {Password cannot be changed because it was changed too recently. Please wait until .*[12][0-9][0-9][0-9] before you change it. If you need to change your password before then, contact your system security administrator.}
-
-# Now delay a little longer (if needed) and try changing pol2's
-# password again.
-verbose "(sleeping 10 seconds)"
-sleep 10
-
-test_win {pol2} {password min life passed} pol2 polbbbbbb pol222222
diff --git a/src/kadmin/passwd/unit-test/kpasswd.0/connecting.exp b/src/kadmin/passwd/unit-test/kpasswd.0/connecting.exp
deleted file mode 100644
index 2cda17a6a3..0000000000
--- a/src/kadmin/passwd/unit-test/kpasswd.0/connecting.exp
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# $Id$
-#
-
-set timeout 15
-
-load_lib "helpers.exp"
-
-if [info exist env(DEBUG)] { debug 1 }
-
-#
-# Here are the tests
-#
-
-test_initerr {test2} {C.4: empty old password (XXXX)} test2 {} \
- 5 {You must type a password. Passwords must be at least one character long.}
-
-test_initerr {test2} {C.5: incorrect old password} test2 foobar \
- 2 "Old Kerberos password is incorrect. Please try again."
-
-# set timeout 60
-#
-#test_initerr {test2@SECURE-TEST-DEAD.OV.COM} {C.8: server up, daemon down} \
-# test2 test2 \
-# 3 ""
-#
-#test_initerr {test2@SECURE-TEST-DOWN.OV.COM} {C.8.5: server down} \
-# test2 test2 \
-# 3 "${initerr_str}Cannot contact any KDC for requested realm"
diff --git a/src/kadmin/passwd/unit-test/kpasswd.0/principal.exp b/src/kadmin/passwd/unit-test/kpasswd.0/principal.exp
deleted file mode 100644
index 01b2296fc8..0000000000
--- a/src/kadmin/passwd/unit-test/kpasswd.0/principal.exp
+++ /dev/null
@@ -1,87 +0,0 @@
-#
-# $Id$
-#
-
-set timeout 15
-
-load_lib "helpers.exp"
-
-if [info exist env(DEBUG)] { debug 1 }
-
-#
-# Here are the tests
-#
-
-if {[info exists env(KRB5CCNAME)]} {
- unset env(KRB5CCNAME)
-}
-
-# Apple (in Mac OS X 10.5.4) is shipping a tcl in which
-# unsetting env-array values seems not to work!
-if {[info exists env(KRB5CCNAME)]} {
- untested {B.7: default nonexisting ccache(1) (unset failed, tcl defective!)}
- untested {B.7: default nonexisting ccache(2)}
- untested {B.4: default existing cache containing existing principal}
- set test2pass test2
-
-} else {
-
-
-kdestroy
-
-
-#### no principal specified
-
-if {[info exists env(USER)]} {
- set whoami $env(USER)
-} else {
- set whoami [exec whoami]
-}
-
- test_win {} {B.7: default nonexisting ccache(1)} $whoami $whoami newpass
- test_win {} {B.7: default nonexisting ccache(2)} $whoami newpass $whoami
-
- kinit test2 test2
- test_win {} {B.4: default existing cache containing existing principal} \
- test2 test2 newpass
- kdestroy
- set test2pass newpass
-}
-
-set env(KRB5CCNAME) FILE:/tmp/ovsec_adm_test_ccache
-kinit test2 $test2pass
-test_win {} {B.3: specified existing cache containing existing principal} \
- test2 $test2pass test2
-kdestroy
-unset env(KRB5CCNAME)
-
-# Apple (in Mac OS X 10.5.4) is shipping a tcl in which
-# unsetting env-array values seems not to work!
-if {[info exists env(KRB5CCNAME)]} {
- untested {B.14: existing principal, no realm}
- untested {B.15, C.6: non-existent principal, no realm}
- untested {B.16: existing principal, with realm}
- untested {B.17: non-existent principal, with realm}
-
-} else {
-
-#### principal on command line
-
-#
-test_win {test2} {B.14: existing principal, no realm} test2 test2 newpass
-
-#
-test_initerr {bogus} {B.15, C.6: non-existent principal, no realm} bogus bogus \
- 3 "${initerr_str}Client not found in Kerberos database"
-
-#
-test_win {test2@SECURE-TEST.OV.COM} {B.16: existing principal, with realm} \
- test2 newpass test2
-
-#
-test_initerr {bogus@SECURE-TEST.OV.COM} \
- {B.17: non-existent principal, with realm} \
- bogus bogus \
- 3 "${initerr_str}Client not found in Kerberos database"
-
-}
diff --git a/src/kadmin/passwd/unit-test/kpasswd.0/usage.exp b/src/kadmin/passwd/unit-test/kpasswd.0/usage.exp
deleted file mode 100644
index e132bab2f8..0000000000
--- a/src/kadmin/passwd/unit-test/kpasswd.0/usage.exp
+++ /dev/null
@@ -1,26 +0,0 @@
-#
-# $Id$
-#
-
-set timeout 15
-
-load_lib "helpers.exp"
-
-#
-# Here are the tests
-#
-
-mytest {A.1: two args} {foo bar} 7 {
- -re {[a-z./]+passwd: Usage: [a-z./]+passwd \[principal_name\]} { mypass }
-}
-
-mytest {A.2: three args} {foo bar baz} 7 {
- -re {[a-z./]+passwd: Usage: [a-z./]+passwd \[principal_name\]} { mypass }
-}
-
-set env(KRB5CCNAME) bogus_type:bogus_ccname
-mytest {B.5: malformed ccache name} {} 6 {
- -re {[a-z./]+passwd: Unknown credential cache type while reading principal name from credential cache} { mypass }
-}
-unset env(KRB5CCNAME)
-
diff --git a/src/kadmin/passwd/unit-test/lib/helpers.exp b/src/kadmin/passwd/unit-test/lib/helpers.exp
deleted file mode 100644
index 25b71a20e0..0000000000
--- a/src/kadmin/passwd/unit-test/lib/helpers.exp
+++ /dev/null
@@ -1,217 +0,0 @@
-#
-# $Id$
-#
-
-global s
-set s "\[\r\n\t\ \]"
-
-if {[info commands exp_version] != {}} {
- set exp_version_4 [regexp {^4} [exp_version]]
-} else {
- set exp_version_4 [regexp {^4} [expect_version]]
-}
-
-# Backward compatibility until we're using expect 5 everywhere
-if {$exp_version_4} {
- global wait_error_index wait_errno_index wait_status_index
- set wait_error_index 0
- set wait_errno_index 1
- set wait_status_index 1
-} else {
- set wait_error_index 2
- set wait_errno_index 3
- set wait_status_index 3
-}
-
-proc myfail { comment } {
- global mytest_name
- global mytest_status
- wait
- fail "$mytest_name: $comment"
- set mytest_status 1
-}
-
-proc mypass {} {
-}
-
-##
-## When you expect on an id, and eof is detected, the spawn_id is closed.
-## It may be waited for, but calling expect or close on this id is an ERROR!
-##
-
-proc mytest { name kpargs status args } {
- global spawn_id
- global timeout
- global mytest_name
- global mytest_status
- global wait_error_index wait_errno_index wait_status_index
-
- verbose "starting test: $name"
-
- set mytest_name "$name"
-
- eval kpasswd_start $kpargs
-
- # at the end, eof is success
-
- lappend args { eof { if {[regexp "\[\r\n\]$" $expect_out(buffer)] == 0} { myfail "final status message not newline-terminated" } } }
-
- # for each test argument....
- # rep invariant: when this foreach ends, the id is close'd, but
- # not wait'ed.
-
- foreach test $args {
- set mytest_status 0
-
- # treat the arg as an expect parameter
- # if failure, the process will be closed and waited.
-
- uplevel 1 "expect {
- $test
- timeout { close; myfail \"timeout\"}
- eof { myfail \"eof read before expected message string\" }
- }"
-
- if {$mytest_status == 1} { return }
- }
-
- # at this point, the id is closed and we can wait on it.
-
- set ret [wait]
- verbose "% Exit $ret" 1
- if {[lindex $ret $wait_error_index] == -1} {
- fail "$name: wait returned error [lindex $ret $wait_errno_index]"
- } else {
- if { [lindex $ret $wait_status_index] == $status ||
- (($status<0) && ([lindex $ret $wait_status_index] == ($status+256))) } {
- pass "$name"
- } else {
- fail "$name: unexpected return status [lindex $ret $wait_status_index], should be $status"
- }
- }
-}
-
-proc kinit { princ pass } {
- global env;
- global KINIT
- spawn -noecho $KINIT -5 $princ;
-
- expect {
- -re "Password for .*:\[^\n\]*$"
- {send "$pass\n"}
- timeout {puts "Timeout waiting for prompt" ; close }
- }
-
- # this necessary so close(1) in the child will not sleep waiting for
- # the parent, which is us, to read pending data.
-
- expect {
- eof {}
- }
- wait
-}
-
-proc kdestroy {} {
- global KDESTROY
- global errorCode errorInfo
- global env
-
- if {[info exists errorCode]} {
- set saveErrorCode $errorCode
- }
- if {[info exists errorInfo]} {
- set saveErrorInfo $errorInfo
- }
- catch "system $KDESTROY -5 2>/dev/null"
- if {[info exists saveErrorCode]} {
- set errorCode $saveErrorCode
- } elseif {[info exists errorCode]} {
- unset errorCode
- }
- if {[info exists saveErrorInfo]} {
- set errorInfo $saveErrorInfo
- } elseif {[info exists errorInfo]} {
- unset errorInfo
- }
-}
-
-global initerr_str
-global initerr_regexp
-set initerr_str "Cannot establish a session with the Kerberos administrative server for realm \[^\r\n\]*\\. "
-set initerr_regexp "Cannot establish a session with the Kerberos administrative server for$s+realm \[^\r\n\]*\\.$s+"
-
-proc test_win { args name princ pass1 { pass2 "\001\001" } } {
- global s
- global initerr_regexp
-
- if { $pass2 == "\001\001" } { set pass2 "$pass1" }
-
- mytest "$name" $args 0 {
- -re "Changing password for $princ.*\\.$s+Old password:\[^\n\]*$"
- { send "$pass1\n" }
- } {
- -re "Old Kerberos password is incorrect. Please try again."
- { close; myfail "Old password incorrect" }
- -re "${initerr_regexp}(.+\[^\r\n\t\ \])\r\n"
- { close; myfail "init error: $expect_out(1,string)" }
- -re "$s+New password:\[^\n\]*$"
- { send "$pass2\n" }
- -re "$s+.*$s+.*$s+.*$s+New password:\[^\n\]*$"
- { send "$pass2\n" }
- } {
- -re "$s+New password \\(again\\):\[^\n\]*$"
- { send "$pass2\n" }
- } {
- -re "$s+Kerberos password changed."
- { mypass }
- -re "$s+Password changed."
- { close; myfail "Wrong message on success." }
- }
-}
-
-proc test_initerr { args name princ pass status err } {
- global s
- global initerr_regexp
-
- regsub -all "$s+" $err "$s+" err2
-
- mytest "$name" $args $status {
- -re "Changing password for $princ.*\\.$s+Old password:\[^\n\]*$"
- { send "$pass\n" }
- } {
- -re "$err2"
- { mypass }
- -re "Old Kerberos password is incorrect. Please try again."
- { close; myfail "Old password incorrect" }
- -re "${initerr_regexp}(.+)\r\n"
- { close; myfail "init error: $expect_out(1,string)" }
- }
-}
-
-proc test_3pass { args name princ pass1 pass2 pass3 status err } {
- global s
- global initerr_regexp
-
- regsub -all "$s+" $err "$s+" err2
-
- mytest "$name" $args $status {
- -re "Changing password for $princ.*\\.$s+Old password:\[^\n\]*$"
- { send "$pass1\n" }
- } {
- -re "Old Kerberos password is incorrect. Please try again."
- { close; myfail "Old password incorrect" }
- -re "${initerr_regexp}(.+)\r\n"
- { close; myfail "init error: $expect_out(1,string)" }
- -re "$s+New password:\[^\n\]*$"
- { send "$pass2\n" }
- -re "$s+.*$s+.*$s+.*$s+New password:\[^\n\]*$"
- { send "$pass2\n" }
- } {
- -re "$s+New password \\(again\\):\[^\n\]*$"
- { send "$pass3\n" }
- } {
- -re "$s+$err2"
- { mypass }
- }
-}
-
diff --git a/src/kadmin/passwd/xm_kpasswd.c b/src/kadmin/passwd/xm_kpasswd.c
deleted file mode 100644
index 2f0bdf9c22..0000000000
--- a/src/kadmin/passwd/xm_kpasswd.c
+++ /dev/null
@@ -1,445 +0,0 @@
-/*
- * Copyright 1993-1994 OpenVision Technologies, Inc., All Rights Reserved.
- *
- * $Header$
- *
- *
- */
-
-static char rcsid_2[] = "$Id$";
-
-#include <kadm5/admin.h>
-#include <krb5.h>
-
-#include "kpasswd_strings.h"
-#define string_text error_message
-#define initialize_kpasswd_strings initialize_kpws_error_table
-
-#include <stdio.h>
-#include <pwd.h>
-#include <string.h>
-
-char *whoami;
-
-#include <Xm/Xm.h>
-#include <Xm/MessageB.h>
-#include <Xm/ScrolledW.h>
-#include <Xm/Form.h>
-#include <Xm/Text.h>
-#include <Xm/PushB.h>
-#include <Xm/Label.h>
-#include <Xm/Separator.h>
-#include <X11/cursorfont.h>
-#include <X11/Shell.h>
-
-Widget toplevel, scroll_text, prompt_text;
-Widget quit_btn, help_btn, old_lbl, new_lbl, again_lbl, main_lbl;
-XtAppContext app_con;
-int looping;
-int retval=0;
-
-
-/***************************************************************************
- *
- * A few utility functions for setting/unsetting the busy cursor
- * (i.e. the watch cursor).
- */
-static void
-SetCursor(w,c)
- Widget w;
- Cursor c;
-{
- while (XtIsSubclass(w, shellWidgetClass) != True)
- w = XtParent(w);
-
- XDefineCursor(XtDisplay(w), XtWindow(w), c);
- XFlush(XtDisplay(w));
-}
-
-
-static void
-SetStandardCursor()
-{
- static Cursor ArrowCursor = (Cursor)NULL;
-
- if (ArrowCursor == (Cursor)NULL)
- ArrowCursor = XCreateFontCursor(XtDisplay(toplevel), XC_top_left_arrow);
- SetCursor(toplevel, ArrowCursor);
-}
-
-
-static void
-SetWatchCursor()
-{
- static Cursor WatchCursor = (Cursor)NULL;
-
- if (WatchCursor == (Cursor)NULL)
- WatchCursor = XCreateFontCursor(XtDisplay(toplevel), XC_watch);
- SetCursor(toplevel, WatchCursor);
-}
-
-
-/***************************************************************************
- *
- * Set up a com_err hook, for displaying to a motif scrolling widget.
- */
-
-#include <stdarg.h>
-
-static void
-#ifdef __STDC__
-motif_com_err (const char *whoami, long code, const char *fmt, va_list args)
-#else
-motif_com_err (whoami, code, fmt, args)
- const char *whoami;
- long code;
- const char *fmt;
- va_list args;
-#endif
-{
- XEvent event;
- char buf[2048];
-
- buf[0] = '\0';
-
- if (whoami)
- {
- strncpy(buf, whoami, sizeof(buf) - 1);
- buf[sizeof(buf) - 1] = '\0';
- strncat(buf, ": ", sizeof(buf) - 1 - strlen(buf));
- }
- if (code)
- {
- buf[sizeof(buf) - 1] = '\0';
- strncat(buf, error_message(code), sizeof(buf) - 1 - strlen(buf));
- strncat(buf, " ", sizeof(buf) - 1 - strlen(buf));
- }
- if (fmt)
- {
- vsnprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), fmt, args);
- }
-
- XtVaSetValues(scroll_text, XmNvalue, buf, NULL);
-
- for (; XtAppPending(app_con); )
- {
- XtAppNextEvent(app_con, &event);
- XtDispatchEvent(&event);
- }
-}
-
-
-/***************************************************************************
- *
- * Function to display help widget.
- */
-static void
-help()
-{
- static Widget help_dlg = NULL;
-
- if (!help_dlg)
- {
- help_dlg = XmCreateInformationDialog(toplevel, "help_dlg", NULL,
- 0);
- XtUnmanageChild(XmMessageBoxGetChild(help_dlg, XmDIALOG_CANCEL_BUTTON));
- XtUnmanageChild(XmMessageBoxGetChild(help_dlg, XmDIALOG_HELP_BUTTON));
- }
- XtManageChild(help_dlg);
-}
-
-
-/***************************************************************************
- *
- * Unset the global "looping" when we want to get out of reading a
- * password.
- */
-static void
-unset_looping()
-{
- looping = 0;
-}
-
-
-/***************************************************************************
- *
- * Function to exit the gui. Callback on the "Exit" button.
- */
-static void
-quit()
-{
- exit(retval);
-}
-
-
-/***************************************************************************
- *
- * Set up motif widgets, callbacks, etc.
- */
-static void
-create_widgets(argc, argv)
- int *argc;
- char *argv[];
-{
- Widget form, lbl_form,
- sep,
- scroll_win;
- Pixel bg;
-
- toplevel = XtAppInitialize(&app_con, "Kpasswd", NULL, 0, argc, argv,
- NULL, NULL, 0);
- form = XtCreateManagedWidget("form", xmFormWidgetClass, toplevel, NULL, 0);
- quit_btn = XtVaCreateManagedWidget("Quit", xmPushButtonWidgetClass,
- form,
- XmNleftAttachment, XmATTACH_FORM,
- XmNbottomAttachment, XmATTACH_FORM,
- NULL);
- XtAddCallback(quit_btn, XmNactivateCallback, quit, 0);
- help_btn = XtVaCreateManagedWidget("Help", xmPushButtonWidgetClass,
- form,
- XmNrightAttachment, XmATTACH_FORM,
- XmNbottomAttachment, XmATTACH_FORM,
- /* XmNshowAsDefault, TRUE, */
- NULL);
- XtAddCallback(help_btn, XmNactivateCallback, help, 0);
- sep = XtVaCreateManagedWidget("sep", xmSeparatorWidgetClass,
- form,
- XmNleftAttachment, XmATTACH_FORM,
- XmNrightAttachment, XmATTACH_FORM,
- XmNbottomAttachment, XmATTACH_WIDGET,
- XmNbottomWidget, quit_btn,
- NULL);
- lbl_form = XtVaCreateManagedWidget("lbl_form", xmFormWidgetClass,
- form,
- XmNspacing, 0,
- XmNleftAttachment, XmATTACH_FORM,
- XmNbottomAttachment, XmATTACH_WIDGET,
- XmNbottomWidget, sep,
- NULL);
- old_lbl = XtVaCreateManagedWidget("old_lbl", xmLabelWidgetClass,
- lbl_form,
- XmNtopAttachment, XmATTACH_FORM,
- XmNleftAttachment, XmATTACH_FORM,
- XmNrightAttachment, XmATTACH_FORM,
- XmNbottomAttachment, XmATTACH_FORM,
- NULL);
- new_lbl = XtVaCreateManagedWidget("new_lbl", xmLabelWidgetClass,
- lbl_form,
- XmNtopAttachment, XmATTACH_FORM,
- XmNleftAttachment, XmATTACH_FORM,
- XmNrightAttachment, XmATTACH_FORM,
- XmNbottomAttachment, XmATTACH_FORM,
- NULL);
- again_lbl = XtVaCreateManagedWidget("again_lbl", xmLabelWidgetClass,
- lbl_form,
- XmNtopAttachment, XmATTACH_FORM,
- XmNleftAttachment, XmATTACH_FORM,
- XmNrightAttachment, XmATTACH_FORM,
- XmNbottomAttachment, XmATTACH_FORM,
- NULL);
- prompt_text = XtVaCreateManagedWidget("prompt_text", xmTextWidgetClass,
- form,
- XmNeditMode, XmSINGLE_LINE_EDIT,
- XmNleftAttachment, XmATTACH_WIDGET,
- XmNleftWidget, lbl_form,
- XmNrightAttachment, XmATTACH_FORM,
- XmNbottomAttachment, XmATTACH_WIDGET,
- XmNbottomWidget, sep,
- NULL);
- XtAddCallback(prompt_text, XmNactivateCallback, unset_looping, 0);
- XtVaGetValues(prompt_text, XmNbackground, &bg, NULL);
- XtVaSetValues(prompt_text, XmNforeground, bg, NULL);
-
- main_lbl = XtVaCreateWidget("main_lbl", xmLabelWidgetClass,
- form,
- XmNtopAttachment, XmATTACH_FORM,
- XmNleftAttachment, XmATTACH_FORM,
- XmNrightAttachment, XmATTACH_FORM,
- NULL);
- scroll_win = XtVaCreateManagedWidget("scroll_win",
- xmScrolledWindowWidgetClass,
- form,
- XmNscrollingPolicy, XmAPPLICATION_DEFINED,
- XmNscrollBarDisplayPolicy, XmSTATIC,
- XmNtopAttachment, XmATTACH_WIDGET,
- XmNtopWidget, main_lbl,
- XmNleftAttachment, XmATTACH_FORM,
- XmNrightAttachment, XmATTACH_FORM,
- XmNbottomAttachment, XmATTACH_WIDGET,
- XmNbottomWidget, prompt_text,
- NULL);
- scroll_text = XtVaCreateManagedWidget("scroll_text", xmTextWidgetClass,
- scroll_win,
- XmNeditMode, XmMULTI_LINE_EDIT,
- XmNeditable, FALSE,
- NULL);
- XtRealizeWidget(toplevel);
-}
-
-
-/***************************************************************************
- *
- *
- */
-static long
-read_password(password, pwsize)
- char *password;
- int *pwsize;
-{
- XEvent event;
- char *text_val;
-
- /* OK, this next part is gross... but this is due to the fact that */
- /* this is not your traditional X program, which would be event */
- /* driven. Instead, this program is more 'CLI' in nature, so we */
- /* handle the dialogs synchronously... */
-
- XtVaSetValues(prompt_text, XmNmaxLength, *pwsize, XmNvalue, "", NULL);
- for (looping=1; looping; )
- {
- XtAppNextEvent(app_con, &event);
- XtDispatchEvent(&event);
- }
- XtVaGetValues(prompt_text, XmNvalue, &text_val, NULL);
- *pwsize = strlen(text_val);
- strcpy(password, text_val);
- memset(text_val, 0, *pwsize);
- XtVaSetValues(prompt_text, XmNvalue, text_val, NULL);
- return(0);
-}
-
-
-/***************************************************************************
- *
- *
- */
-void
-display_intro_message(fmt_string, arg_string)
- const char *fmt_string;
- const char *arg_string;
-{
- XmString xmstr;
- char buf[1024];
-
- snprintf(buf, sizeof(buf), fmt_string, arg_string);
-
- xmstr = XmStringCreateLtoR(buf, XmSTRING_DEFAULT_CHARSET);
- XtVaSetValues(main_lbl, XmNlabelString, xmstr, NULL);
- XmStringFree(xmstr);
- XtManageChild(main_lbl);
-}
-
-
-long
-read_old_password(context, password, pwsize)
- krb5_context context;
- char *password;
- unsigned int *pwsize;
-{
- long code;
-
- XtManageChild(old_lbl);
- code = read_password(password, pwsize);
- SetWatchCursor();
- return code;
-}
-
-long
-read_new_password(server_handle, password, pwsize, msg_ret, princ)
- void *server_handle;
- char *password;
- unsigned int *pwsize;
- char *msg_ret;
- krb5_principal princ;
-{
- char *password2 = (char *) malloc(*pwsize * sizeof(char));
- int pwsize2 = *pwsize;
-
- SetStandardCursor();
-
- if (password2 == NULL)
- {
- strcpy(msg_ret, error_message(ENOMEM));
- SetWatchCursor();
- return(ENOMEM);
- }
-
- XtManageChild(new_lbl); XtUnmanageChild(old_lbl);
- read_password(password, pwsize);
- XtManageChild(again_lbl); XtUnmanageChild(new_lbl);
- read_password(password2, &pwsize2);
-
- if (strcmp(password, password2))
- {
- memset(password, 0, *pwsize);
-
- memset(password2, 0, pwsize2);
- free(password2);
-
- strcpy(msg_ret, string_text(CHPASS_UTIL_NEW_PASSWORD_MISMATCH));
- SetWatchCursor();
- return(KRB5_LIBOS_BADPWDMATCH);
- }
-
- memset(password2, 0, pwsize2);
- free(password2);
-
- SetWatchCursor();
- return (ovsec_kadm_chpass_principal_util(server_handle, princ, password,
- NULL /* don't need new pw back */,
- msg_ret));
-}
-
-
-/***************************************************************************
- *
- *
- */
-void
-main(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_context context;
- int code;
-
- initialize_kpasswd_strings();
-
- whoami = (whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0];
-
- (void) set_com_err_hook(motif_com_err);
-
- create_widgets(&argc, argv);
- XmProcessTraversal(prompt_text, XmTRAVERSE_CURRENT);
-
- if (retval = krb5_init_context(&context)) {
- com_err(whoami, retval, "initializing krb5 context");
- exit(retval);
- }
-
- while (1)
- {
- retval = kpasswd(context, argc, argv);
- SetStandardCursor();
-
- if (!retval)
- com_err(0, 0, string_text(KPW_STR_PASSWORD_CHANGED));
-
- if (retval == 0) /* 0 is success, so presumably the user */
- /* is done. */
- XmProcessTraversal(quit_btn, XmTRAVERSE_CURRENT);
-
- if ((retval == 1) || /* the rest are "fatal", so we should */
- (retval == 3) || /* "force" the user to quit... */
- (retval == 6) ||
- (retval == 7))
- {
- XtSetSensitive(prompt_text, FALSE);
- XmProcessTraversal(quit_btn, XmTRAVERSE_CURRENT);
- XtAppMainLoop(app_con);
- }
- }
-
- /* NOTREACHED */
- exit(retval);
-}
diff --git a/src/kadmin/server/Makefile.in b/src/kadmin/server/Makefile.in
index 21f3e7aeac..67f6ba8f7d 100644
--- a/src/kadmin/server/Makefile.in
+++ b/src/kadmin/server/Makefile.in
@@ -13,8 +13,8 @@ PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
PROG = kadmind
-OBJS = kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o misc.o server_glue_v1.o ipropd_svc.o network.o
-SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c server_glue_v1.c ipropd_svc.c network.c
+OBJS = kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o misc.o ipropd_svc.o network.o
+SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c ipropd_svc.c network.c
all:: $(PROG)
diff --git a/src/kadmin/server/misc.h b/src/kadmin/server/misc.h
index b8aef57f10..073f6ff105 100644
--- a/src/kadmin/server/misc.h
+++ b/src/kadmin/server/misc.h
@@ -45,14 +45,6 @@ schpw_util_wrapper(void *server_handle, krb5_principal client,
kadm5_ret_t check_min_life(void *server_handle, krb5_principal principal,
char *msg_ret, unsigned int msg_len);
-kadm5_ret_t kadm5_get_principal_v1(void *server_handle,
- krb5_principal principal,
- kadm5_principal_ent_t_v1 *ent);
-
-kadm5_ret_t kadm5_get_policy_v1(void *server_handle, kadm5_policy_t name,
- kadm5_policy_ent_t *ent);
-
-
krb5_error_code process_chpw_request(krb5_context context,
void *server_handle,
char *realm,
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index 82ce716347..d2451f8ad3 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -89,14 +89,6 @@ gss_name_t gss_changepw_name = NULL, gss_oldchangepw_name = NULL;
gss_name_t gss_kadmin_name = NULL;
void *global_server_handle;
-/*
- * This is a kludge, but the server needs these constants to be
- * compatible with old clients. They are defined in <kadm5/admin.h>,
- * but only if USE_KADM5_API_VERSION == 1.
- */
-#define OVSEC_KADM_ADMIN_SERVICE "ovsec_adm/admin"
-#define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw"
-
extern krb5_keyblock master_keyblock;
extern krb5_keylist_node *master_keylist;
@@ -210,7 +202,7 @@ int main(int argc, char *argv[])
{
extern char *optarg;
extern int optind, opterr;
- int ret, oldnames = 0;
+ int ret;
OM_uint32 OMret, major_status, minor_status;
char *whoami;
gss_buffer_desc in_buf;
@@ -365,11 +357,7 @@ int main(int argc, char *argv[])
names[0].name = build_princ_name(KADM5_ADMIN_SERVICE, params.realm);
names[1].name = build_princ_name(KADM5_CHANGEPW_SERVICE, params.realm);
- names[2].name = build_princ_name(OVSEC_KADM_ADMIN_SERVICE, params.realm);
- names[3].name = build_princ_name(OVSEC_KADM_CHANGEPW_SERVICE,
- params.realm);
- if (names[0].name == NULL || names[1].name == NULL ||
- names[2].name == NULL || names[3].name == NULL) {
+ if (names[0].name == NULL || names[1].name == NULL) {
krb5_klog_syslog(LOG_ERR,
"Cannot build GSS-API authentication names, "
"failing.");
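Review bot: Only `names[0]` and `names[1]` are built and NULL-checked here, so the declaration and initialisation of `names` (in `main`, outside this hunk) should shrink to two entries if it is still sized for four. The literal `2` passed to `svcauth_gssapi_set_names` in the next hunk is better derived from the array, e.g. `svcauth_gssapi_set_names(names, sizeof(names) / sizeof(names[0]))`, so the count and the array cannot drift apart. If cleanup code later in `main` walks every slot, confirm that it no longer touches entries this code never fills.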
@@ -424,13 +412,7 @@ kterr:
exit(1);
}
- /*
- * Try to acquire creds for the old OV services as well as the
- * new names, but if that fails just fall back on the new names.
- */
- if (svcauth_gssapi_set_names(names, 4) == TRUE)
- oldnames++;
- if (!oldnames && svcauth_gssapi_set_names(names, 2) == FALSE) {
+ if (svcauth_gssapi_set_names(names, 2) == FALSE) {
krb5_klog_syslog(LOG_ERR,
"Cannot set GSS-API authentication names (keytab not present?), "
"failing.");
@@ -447,12 +429,6 @@ kterr:
in_buf.length = strlen(names[1].name) + 1;
(void) gss_import_name(&OMret, &in_buf, nt_krb5_name_oid,
&gss_changepw_name);
- if (oldnames) {
- in_buf.value = names[3].name;
- in_buf.length = strlen(names[3].name) + 1;
- (void) gss_import_name(&OMret, &in_buf, nt_krb5_name_oid,
- &gss_oldchangepw_name);
- }
svcauth_gssapi_set_log_badauth_func(log_badauth, NULL);
svcauth_gssapi_set_log_badverf_func(log_badverf, NULL);
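Review bot: `gss_oldchangepw_name` is still defined in the context line of this file's first hunk, but the block removed here was its only visible assignment, so it now stays NULL for the life of the process. Any comparison against it elsewhere (for instance where a request's service name is matched against the changepw names, which is not shown on this page) should be removed together with the variable, so that no authorization check refers to a name that can never be set. Separately, the remaining `gss_import_name` call for `gss_changepw_name` discards its status with `(void)`; checking it and failing startup would avoid running with that name unset as well. `main` continues outside the hunk.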
diff --git a/src/kadmin/server/server_glue_v1.c b/src/kadmin/server/server_glue_v1.c
deleted file mode 100644
index dfd6430f13..0000000000
--- a/src/kadmin/server/server_glue_v1.c
+++ /dev/null
@@ -1,32 +0,0 @@
-#define USE_KADM5_API_VERSION 1
-#include <kadm5/admin.h>
-#include "misc.h"
-
-/*
- * In server_stubs.c, kadmind has to be able to call kadm5 functions
- * with the arguments appropriate for any api version. Because of the
- * prototypes in admin.h, however, the compiler will only allow one
- * set of arguments to be passed. This file exports the old api
- * definitions with a different name, so they can be called from
- * server_stubs.c, and just passes on the call to the real api
- * function; it uses the old api version, however, so it can actually
- * call the real api functions whereas server_stubs.c cannot.
- *
- * This is most useful for functions like kadm5_get_principal that
- * take a different number of arguments based on API version. For
- * kadm5_get_policy, the same thing could be accomplished with
- * typecasts instead.
- */
-
-kadm5_ret_t kadm5_get_principal_v1(void *server_handle,
- krb5_principal principal,
- kadm5_principal_ent_t_v1 *ent)
-{
- return kadm5_get_principal(server_handle, principal, ent);
-}
-
-kadm5_ret_t kadm5_get_policy_v1(void *server_handle, kadm5_policy_t name,
- kadm5_policy_ent_t *ent)
-{
- return kadm5_get_policy(server_handle, name, ent);
-}
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 038a4a73ff..ebef752aec 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -641,7 +641,6 @@ gprinc_ret *
get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
{
static gprinc_ret ret;
- kadm5_principal_ent_t_v1 e;
char *prime_arg, *funcname;
gss_buffer_desc client_name,
service_name;
@@ -659,8 +658,7 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
ret.api_version = handle->api_version;
- funcname = handle->api_version == KADM5_API_VERSION_1 ?
- "kadm5_get_principal (V1)" : "kadm5_get_principal";
+ funcname = "kadm5_get_principal";
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
ret.code = KADM5_FAILURE;
@@ -681,18 +679,8 @@ get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
log_unauth(funcname, prime_arg,
&client_name, &service_name, rqstp);
} else {
- if (handle->api_version == KADM5_API_VERSION_1) {
- ret.code = kadm5_get_principal_v1((void *)handle,
- arg->princ, &e);
- if(ret.code == KADM5_OK) {
- memcpy(&ret.rec, e, sizeof(kadm5_principal_ent_rec_v1));
- free(e);
- }
- } else {
- ret.code = kadm5_get_principal((void *)handle,
- arg->princ, &ret.rec,
- arg->mask);
- }
+ ret.code = kadm5_get_principal(handle, arg->princ, &ret.rec,
+ arg->mask);
if( ret.code != 0 )
errmsg = krb5_get_error_message(handle->context, ret.code);
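Review bot: The stub now always fills `ret.rec` through the current `kadm5_get_principal` signature, yet `ret.api_version` is still copied from `handle->api_version` in the earlier hunk, so the reply is only well-formed if no handle can carry `KADM5_API_VERSION_1`. That rejection has to happen where the handle is created, and the reply encoder must not keep a version-1 branch that would serialise `ret.rec` with the old layout; neither is visible in this hunk. Once confirmed, a comment at the call such as `/* V1 handles are refused at init; ret.rec is always the current layout */` would record the assumption. The same applies to the `chrand_principal_2_svc`, `chrand_principal3_2_svc` and `get_policy_2_svc` hunks below. The function starts and ends outside the hunk.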
@@ -1114,8 +1102,7 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
ret.api_version = handle->api_version;
- funcname = handle->api_version == KADM5_API_VERSION_1 ?
- "kadm5_randkey_principal (V1)" : "kadm5_randkey_principal";
+ funcname = "kadm5_randkey_principal";
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
ret.code = KADM5_FAILURE;
@@ -1141,13 +1128,8 @@ chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
}
if(ret.code == KADM5_OK) {
- if (handle->api_version == KADM5_API_VERSION_1) {
- krb5_copy_keyblock_contents(handle->context, k, &ret.key);
- krb5_free_keyblock(handle->context, k);
- } else {
- ret.keys = k;
- ret.n_keys = nkeys;
- }
+ ret.keys = k;
+ ret.n_keys = nkeys;
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
@@ -1191,8 +1173,7 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
ret.api_version = handle->api_version;
- funcname = handle->api_version == KADM5_API_VERSION_1 ?
- "kadm5_randkey_principal (V1)" : "kadm5_randkey_principal";
+ funcname = "kadm5_randkey_principal";
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
ret.code = KADM5_FAILURE;
@@ -1224,13 +1205,8 @@ chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
}
if(ret.code == KADM5_OK) {
- if (handle->api_version == KADM5_API_VERSION_1) {
- krb5_copy_keyblock_contents(handle->context, k, &ret.key);
- krb5_free_keyblock(handle->context, k);
- } else {
- ret.keys = k;
- ret.n_keys = nkeys;
- }
+ ret.keys = k;
+ ret.n_keys = nkeys;
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
@@ -1437,8 +1413,7 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
ret.api_version = handle->api_version;
- funcname = handle->api_version == KADM5_API_VERSION_1 ?
- "kadm5_get_policy (V1)" : "kadm5_get_policy";
+ funcname = "kadm5_get_policy";
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
ret.code = KADM5_FAILURE;
@@ -1468,16 +1443,7 @@ get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
}
if (ret.code == KADM5_OK) {
- if (handle->api_version == KADM5_API_VERSION_1) {
- ret.code = kadm5_get_policy_v1((void *)handle, arg->name, &e);
- if(ret.code == KADM5_OK) {
- memcpy(&ret.rec, e, sizeof(kadm5_policy_ent_rec));
- free(e);
- }
- } else {
- ret.code = kadm5_get_policy((void *)handle, arg->name,
- &ret.rec);
- }
+ ret.code = kadm5_get_policy(handle, arg->name, &ret.rec);
if( ret.code != 0 )
errmsg = krb5_get_error_message(handle->context, ret.code);
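Review bot: The removed branch was the only visible user of `e` in `get_policy_2_svc`, and no hunk on this page removes its declaration, unlike `get_principal_2_svc`, where the `-641` hunk drops `kadm5_principal_ent_t_v1 e;`. If `e` is still declared at the top of the function, which lies outside the hunk, it is now unused and should be deleted along with this code.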
@@ -1632,10 +1598,8 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
slen = service_name.length;
trunc_name(&slen, &sdots);
/* okay to cast lengths to int because trunc_name limits max value */
- krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
+ krb5_klog_syslog(LOG_NOTICE, "Request: kadm5_init, %.*s%s, %s, "
"client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
- (ret.api_version == KADM5_API_VERSION_1 ?
- "kadm5_init (V1)" : "kadm5_init"),
(int)clen, (char *)client_name.value, cdots,
errmsg ? errmsg : "success",
(int)clen, (char *)client_name.value, cdots,
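Review bot: The init log line no longer records anything about the API version the client asked for, and init is the request where a legacy client would now be turned away. For detection and troubleshooting it is more useful to log the numeric version than to drop it, e.g. append `vers=%d` to the format with `(int)ret.api_version` as the matching argument. This assumes `ret.api_version` holds the requested version at this point, as the removed lines suggest. The `krb5_klog_syslog` call continues past the end of the hunk, so the format and the full argument list need to be checked together.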
diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin
index 7750e52725..519b9864e1 100755
--- a/src/kadmin/testing/scripts/env-setup.shin
+++ b/src/kadmin/testing/scripts/env-setup.shin
@@ -74,8 +74,8 @@ SIMPLE_DUMP=$TESTDIR/scripts/simple_dump.pl; export SIMPLE_DUMP
QUALNAME=$TESTDIR/scripts/qualname.pl; export QUALNAME
TCLUTIL=$STESTDIR/tcl/util.t; export TCLUTIL
BSDDB_DUMP=$TESTDIR/util/bsddb_dump; export BSDDB_DUMP
-CLNTTCL=$TESTDIR/util/ovsec_kadm_clnt_tcl; export CLNTTCL
-SRVTCL=$TESTDIR/util/ovsec_kadm_srv_tcl; export SRVTCL
+CLNTTCL=$TESTDIR/util/kadm5_clnt_tcl; export CLNTTCL
+SRVTCL=$TESTDIR/util/kadm5_srv_tcl; export SRVTCL
KRB5_CONFIG=$K5ROOT/krb5.conf; export KRB5_CONFIG
KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE
diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db
index 7296e1f9b0..1cb96f843c 100755
--- a/src/kadmin/testing/scripts/init_db
+++ b/src/kadmin/testing/scripts/init_db
@@ -42,7 +42,7 @@ fi
DUMMY=${TESTDIR=$TOP/testing}; export TESTDIR
DUMMY=${STESTDIR=$STOP/testing}
-DUMMY=${SRVTCL=$TESTDIR/util/ovsec_kadm_srv_tcl}; export SRVTCL
+DUMMY=${SRVTCL=$TESTDIR/util/kadm5_srv_tcl}; export SRVTCL
DUMMY=${TCLUTIL=$STESTDIR/tcl/util.t}; export TCLUTIL
DUMMY=${LOCAL_MAKE_KEYTAB=$TESTDIR/scripts/make-host-keytab.pl}
@@ -101,81 +101,82 @@ if {[info exists env(USER)]} {
}
set cmds {
- {ovsec_kadm_init $env(SRVTCL) mrroot null $r $OVSEC_KADM_STRUCT_VERSION \
- $OVSEC_KADM_API_VERSION_1 server_handle}
-
- {ovsec_kadm_create_policy $server_handle "test-pol 0 10000 8 2 3 0" \
- {OVSEC_KADM_POLICY OVSEC_KADM_PW_MIN_LENGTH OVSEC_KADM_PW_MIN_CLASSES OVSEC_KADM_PW_MAX_LIFE OVSEC_KADM_PW_HISTORY_NUM}}
- {ovsec_kadm_create_policy $server_handle "once-a-min 10 0 0 0 0 0" \
- {OVSEC_KADM_POLICY OVSEC_KADM_PW_MIN_LIFE}}
- {ovsec_kadm_create_policy $server_handle "dict-only 0 0 0 0 0 0" \
- {OVSEC_KADM_POLICY}}
- {ovsec_kadm_create_policy $server_handle [simple_policy test-pol-nopw] \
- {OVSEC_KADM_POLICY}}
-
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal testuser@$r] {OVSEC_KADM_PRINCIPAL} notathena}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal test1@$r] {OVSEC_KADM_PRINCIPAL} test1}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal test2@$r] {OVSEC_KADM_PRINCIPAL} test2}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal test3@$r] {OVSEC_KADM_PRINCIPAL} test3}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/get@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/modify@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/delete@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/add@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/none@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/rename@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/mod-add@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/mod-delete@$r] {OVSEC_KADM_PRINCIPAL} \
+ {kadm5_init $env(SRVTCL) mrroot null \
+ [config_params {KADM5_CONFIG_REALM} $r] $KADM5_STRUCT_VERSION \
+ $KADM5_API_VERSION_2 server_handle}
+
+ {kadm5_create_policy $server_handle "test-pol 0 10000 8 2 3 0" \
+ {KADM5_POLICY KADM5_PW_MIN_LENGTH KADM5_PW_MIN_CLASSES KADM5_PW_MAX_LIFE KADM5_PW_HISTORY_NUM}}
+ {kadm5_create_policy $server_handle "once-a-min 10 0 0 0 0 0" \
+ {KADM5_POLICY KADM5_PW_MIN_LIFE}}
+ {kadm5_create_policy $server_handle "dict-only 0 0 0 0 0 0" \
+ {KADM5_POLICY}}
+ {kadm5_create_policy $server_handle [simple_policy test-pol-nopw] \
+ {KADM5_POLICY}}
+
+ {kadm5_create_principal $server_handle \
+ [simple_principal testuser@$r] {KADM5_PRINCIPAL} notathena}
+ {kadm5_create_principal $server_handle \
+ [simple_principal test1@$r] {KADM5_PRINCIPAL} test1}
+ {kadm5_create_principal $server_handle \
+ [simple_principal test2@$r] {KADM5_PRINCIPAL} test2}
+ {kadm5_create_principal $server_handle \
+ [simple_principal test3@$r] {KADM5_PRINCIPAL} test3}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/get@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/modify@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/delete@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/add@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/none@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/rename@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/mod-add@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/mod-delete@$r] {KADM5_PRINCIPAL} \
admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/get-add@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/get-delete@$r] {OVSEC_KADM_PRINCIPAL} \
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/get-add@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/get-delete@$r] {KADM5_PRINCIPAL} \
admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/get-mod@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/no-add@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [simple_principal admin/no-delete@$r] {OVSEC_KADM_PRINCIPAL} admin}
- {ovsec_kadm_create_principal $server_handle \
- [princ_w_pol pol1@$r test-pol] {OVSEC_KADM_PRINCIPAL \
- OVSEC_KADM_POLICY} pol111111}
- {ovsec_kadm_create_principal $server_handle \
- [princ_w_pol pol2@$r once-a-min] {OVSEC_KADM_PRINCIPAL \
- OVSEC_KADM_POLICY} pol222222}
- {ovsec_kadm_create_principal $server_handle \
- [princ_w_pol pol3@$r dict-only] {OVSEC_KADM_PRINCIPAL \
- OVSEC_KADM_POLICY} pol333333}
- {ovsec_kadm_create_principal $server_handle \
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/get-mod@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/no-add@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [simple_principal admin/no-delete@$r] {KADM5_PRINCIPAL} admin}
+ {kadm5_create_principal $server_handle \
+ [princ_w_pol pol1@$r test-pol] {KADM5_PRINCIPAL \
+ KADM5_POLICY} pol111111}
+ {kadm5_create_principal $server_handle \
+ [princ_w_pol pol2@$r once-a-min] {KADM5_PRINCIPAL \
+ KADM5_POLICY} pol222222}
+ {kadm5_create_principal $server_handle \
+ [princ_w_pol pol3@$r dict-only] {KADM5_PRINCIPAL \
+ KADM5_POLICY} pol333333}
+ {kadm5_create_principal $server_handle \
[princ_w_pol admin/get-pol@$r test-pol-nopw] \
- {OVSEC_KADM_PRINCIPAL OVSEC_KADM_POLICY} StupidAdmin}
- {ovsec_kadm_create_principal $server_handle \
- [princ_w_pol admin/pol@$r test-pol-nopw] {OVSEC_KADM_PRINCIPAL \
- OVSEC_KADM_POLICY} StupidAdmin}
+ {KADM5_PRINCIPAL KADM5_POLICY} StupidAdmin}
+ {kadm5_create_principal $server_handle \
+ [princ_w_pol admin/pol@$r test-pol-nopw] {KADM5_PRINCIPAL \
+ KADM5_POLICY} StupidAdmin}
- {ovsec_kadm_create_principal $server_handle \
+ {kadm5_create_principal $server_handle \
[simple_principal changepw/kerberos] \
- {OVSEC_KADM_PRINCIPAL} {XXX THIS IS WRONG}}
+ {KADM5_PRINCIPAL} {XXX THIS IS WRONG}}
- {ovsec_kadm_create_principal $server_handle \
+ {kadm5_create_principal $server_handle \
[simple_principal $whoami] \
- {OVSEC_KADM_PRINCIPAL} $whoami}
+ {KADM5_PRINCIPAL} $whoami}
- {ovsec_kadm_destroy $server_handle}
+ {kadm5_destroy $server_handle}
}
foreach cmd $cmds {
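Review bot: The `changepw/kerberos` entry near the end of `cmds` is carried over with its password literal `{XXX THIS IS WRONG}` and, unlike every other principal in the list, without an `@$r` realm suffix. Nothing in the script says what is wrong or whether the missing realm is deliberate. Now that `kadm5_init` receives the realm through `config_params {KADM5_CONFIG_REALM} $r`, the unqualified name presumably resolves in that realm, but that is an inference worth confirming. I would document it with a comment above `set cmds {` (a `#` line inside the braced list would become list data), for example `# changepw/kerberos: placeholder password and unqualified name kept from the ovsec_kadm fixtures; confirm intent`. The enclosing script and the `foreach` body continue outside this hunk.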
diff --git a/src/kadmin/testing/scripts/make-host-keytab.plin b/src/kadmin/testing/scripts/make-host-keytab.plin
index ad509c35c9..cf62ae7971 100755
--- a/src/kadmin/testing/scripts/make-host-keytab.plin
+++ b/src/kadmin/testing/scripts/make-host-keytab.plin
@@ -67,7 +67,7 @@ die "Neither \$TOP nor \$TESTDIR is set, and -top not specified.\n"
$top = $ENV{'TOP'} if (! $top);
$TESTDIR = ($ENV{'TESTDIR'} || "$top/testing");
$MAKE_KEYTAB = ($ENV{'MAKE_KEYTAB'} || "$TESTDIR/scripts/$whoami");
-$SRVTCL = ($ENV{'SRVTCL'} || "$TESTDIR/util/ovsec_kadm_srv_tcl");
+$SRVTCL = ($ENV{'SRVTCL'} || "$TESTDIR/util/kadm5_srv_tcl");
$TCLUTIL = ($ENV{'TCLUTIL'} || "$TESTDIR/tcl/util.t");
# This'll be wrong sometimes
$RSH_CMD = ($ENV{'RSH_CMD'} || '/usr/ucb/rsh');
diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local
index ec4dab6d9e..8cd0f3a61d 100755
--- a/src/kadmin/testing/scripts/start_servers_local
+++ b/src/kadmin/testing/scripts/start_servers_local
@@ -3,7 +3,7 @@
DUMMY=${TESTDIR=$TOP/testing}
DUMMY=${STESTDIR=$STOP/testing}
DUMMY=${INITDB=$STESTDIR/scripts/init_db}
-DUMMY=${SRVTCL=$TESTDIR/util/ovsec_kadm_srv_tcl}; export SRVTCL
+DUMMY=${SRVTCL=$TESTDIR/util/kadm5_srv_tcl}; export SRVTCL
DUMMY=${LOCAL_MAKE_KEYTAB=$TESTDIR/scripts/make-host-keytab.pl}
DUMMY=${STOP_SERVERS_LOCAL=$STESTDIR/scripts/stop_servers_local}
DUMMY=${KRB5RCACHEDIR=$TESTDIR} ; export KRB5RCACHEDIR
@@ -81,11 +81,12 @@ if { [catch {
source $env(STOP)/testing/tcl/util.t
set r $env(REALM)
set q $env(QUALNAME)
- puts stdout [ovsec_kadm_init $env(SRVTCL) mrroot null $r \
- $OVSEC_KADM_STRUCT_VERSION $OVSEC_KADM_API_VERSION_1 server_handle]
- puts stdout [ovsec_kadm_create_principal $server_handle \
- [simple_principal host/$q@$r] {OVSEC_KADM_PRINCIPAL} notathena]
- puts stdout [ovsec_kadm_destroy $server_handle]
+ puts stdout [kadm5_init $env(SRVTCL) mrroot null \
+ [config_params {KADM5_CONFIG_REALM} $r] \
+ $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 server_handle]
+ puts stdout [kadm5_create_principal $server_handle \
+ [simple_principal host/$q@$r] {KADM5_PRINCIPAL} notathena]
+ puts stdout [kadm5_destroy $server_handle]
} err]} {
puts stderr "initialization error: $err"
exit 1
diff --git a/src/kadmin/testing/util/Makefile.in b/src/kadmin/testing/util/Makefile.in
index ec09047cbb..b1b61d9983 100644
--- a/src/kadmin/testing/util/Makefile.in
+++ b/src/kadmin/testing/util/Makefile.in
@@ -12,11 +12,11 @@ KRB5_PTHREAD_LIB=$(THREAD_LINKOPTS)
PROG_LIBPATH=-L$(TOPLIBD) $(TCL_LIBPATH)
PROG_RPATH=$(KRB5_LIBDIR)$(TCL_RPATH)
-SRCS = $(srcdir)/tcl_ovsec_kadm.c $(srcdir)/tcl_kadm5.c $(srcdir)/test.c
-OBJS = tcl_ovsec_kadm.o tcl_kadm5.o test.o
+SRCS = $(srcdir)/tcl_kadm5.c $(srcdir)/test.c
+OBJS = tcl_kadm5.o test.o
-CLNTPROG= ovsec_kadm_clnt_tcl
-SRVPROG = ovsec_kadm_srv_tcl
+CLNTPROG= kadm5_clnt_tcl
+SRVPROG = kadm5_srv_tcl
DO_ALL=@DO_ALL@
diff --git a/src/kadmin/testing/util/deps b/src/kadmin/testing/util/deps
index c822ad27bb..d4491623d6 100644
--- a/src/kadmin/testing/util/deps
+++ b/src/kadmin/testing/util/deps
@@ -1,17 +1,6 @@
#
# Generated makefile dependencies follow.
#
-$(OUTPRE)tcl_ovsec_kadm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/lib/kdb/adb_err.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \
- $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \
- $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \
- $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \
- $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \
- $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/krb5.h tcl_kadm5.h tcl_ovsec_kadm.c
$(OUTPRE)tcl_kadm5.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
$(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
index aeffdb167b..8de05e5e5a 100644
--- a/src/kadmin/testing/util/tcl_kadm5.c
+++ b/src/kadmin/testing/util/tcl_kadm5.c
@@ -123,13 +123,6 @@ static int put_server_handle(Tcl_Interp *interp, void *handle, char **name)
}
do {
- /*
- * Handles from ovsec_kadm_init() and kadm5_init() should not
- * be mixed during unit tests, but the API would happily
- * accept them. Making the hash entry names different in
- * tcl_kadm.c and tcl_ovsec_kadm.c ensures that GET_HANDLE
- * will fail if presented a handle from the other API.
- */
sprintf(buf, "kadm5_handle%d", i);
entry = Tcl_CreateHashEntry(struct_table, buf, &newPtr);
i++;
@@ -152,11 +145,7 @@ static int get_server_handle(Tcl_Interp *interp, const char *name,
else {
if (! (struct_table &&
(entry = Tcl_FindHashEntry(struct_table, name)))) {
- if (strncmp(name, "ovsec_kadm_handle", 17) == 0)
- Tcl_AppendResult(interp, "ovsec_kadm handle "
- "specified for kadm5 api: ", name, 0);
- else
- Tcl_AppendResult(interp, "unknown server handle ", name, 0);
+ Tcl_AppendResult(interp, "unknown server handle ", name, 0);
return TCL_ERROR;
}
*handle = (void *) Tcl_GetHashValue(entry);
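Review bot: The new `Tcl_AppendResult(interp, "unknown server handle ", name, 0);` line ends its variadic argument list with a plain `0`, which is passed as an `int`. On platforms where pointers are wider than `int`, the callee reads a pointer-sized sentinel and may walk past the intended end of the list. Tcl documents the terminator as `(char *) NULL`, so the line should read `Tcl_AppendResult(interp, "unknown server handle ", name, (char *) NULL);`. The removed lines show the same pattern already existed here, and `get_server_handle` begins and ends outside this hunk, so other calls in the file may need the same change.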
@@ -2497,8 +2486,6 @@ void Tcl_kadm5_init(Tcl_Interp *interp)
KADM5_CHANGEPW_SERVICE, TCL_GLOBAL_ONLY);
(void) sprintf(buf, "%d", KADM5_STRUCT_VERSION);
Tcl_SetVar(interp, "KADM5_STRUCT_VERSION", buf, TCL_GLOBAL_ONLY);
- (void) sprintf(buf, "%d", KADM5_API_VERSION_1);
- Tcl_SetVar(interp, "KADM5_API_VERSION_1", buf, TCL_GLOBAL_ONLY);
(void) sprintf(buf, "%d", KADM5_API_VERSION_2);
Tcl_SetVar(interp, "KADM5_API_VERSION_2", buf, TCL_GLOBAL_ONLY);
(void) sprintf(buf, "%d", KADM5_API_VERSION_MASK);
diff --git a/src/kadmin/testing/util/tcl_kadm5.h b/src/kadmin/testing/util/tcl_kadm5.h
index 7e237753a0..d2fdd1d03d 100644
--- a/src/kadmin/testing/util/tcl_kadm5.h
+++ b/src/kadmin/testing/util/tcl_kadm5.h
@@ -1,4 +1,3 @@
void Tcl_kadm5_init(Tcl_Interp *interp);
-void Tcl_ovsec_kadm_init(Tcl_Interp *interp);
diff --git a/src/kadmin/testing/util/tcl_ovsec_kadm_syntax b/src/kadmin/testing/util/tcl_kadm5_syntax
index 3fc77fbcbf..5f16e58e0d 100644
--- a/src/kadmin/testing/util/tcl_ovsec_kadm_syntax
+++ b/src/kadmin/testing/util/tcl_kadm5_syntax
@@ -1,5 +1,5 @@
Here's a brief summary of the syntax of the tcl versions of the
-ovsec_kadm commands:
+kadm5 functions:
string Can be a string or "null" which will turn into a null pointer
principal_ent A 12-field list in the order of the principal_ent
diff --git a/src/kadmin/testing/util/tcl_ovsec_kadm.c b/src/kadmin/testing/util/tcl_ovsec_kadm.c
deleted file mode 100644
index 936e028f50..0000000000
--- a/src/kadmin/testing/util/tcl_ovsec_kadm.c
+++ /dev/null
@@ -1,2036 +0,0 @@
-#include "autoconf.h"
-#include <stdio.h>
-#include <string.h>
-#if HAVE_TCL_H
-#include <tcl.h>
-#elif HAVE_TCL_TCL_H
-#include <tcl/tcl.h>
-#endif
-#define USE_KADM5_API_VERSION 1
-#include <kadm5/admin.h>
-#include <com_err.h>
-#include <errno.h>
-#include <stdlib.h>
-#include "tcl_kadm5.h"
-#include <adb_err.h>
-
-struct flagval {
- char *name;
- krb5_flags val;
-};
-
-/* XXX This should probably be in the hash table like server_handle */
-static krb5_context context;
-
-struct flagval krb5_flags_array[] = {
- {"KRB5_KDB_DISALLOW_POSTDATED", KRB5_KDB_DISALLOW_POSTDATED},
- {"KRB5_KDB_DISALLOW_FORWARDABLE", KRB5_KDB_DISALLOW_FORWARDABLE},
- {"KRB5_KDB_DISALLOW_TGT_BASED", KRB5_KDB_DISALLOW_TGT_BASED},
- {"KRB5_KDB_DISALLOW_RENEWABLE", KRB5_KDB_DISALLOW_RENEWABLE},
- {"KRB5_KDB_DISALLOW_PROXIABLE", KRB5_KDB_DISALLOW_PROXIABLE},
- {"KRB5_KDB_DISALLOW_DUP_SKEY", KRB5_KDB_DISALLOW_DUP_SKEY},
- {"KRB5_KDB_DISALLOW_ALL_TIX", KRB5_KDB_DISALLOW_ALL_TIX},
- {"KRB5_KDB_REQUIRES_PRE_AUTH", KRB5_KDB_REQUIRES_PRE_AUTH},
- {"KRB5_KDB_REQUIRES_HW_AUTH", KRB5_KDB_REQUIRES_HW_AUTH},
- {"KRB5_KDB_REQUIRES_PWCHANGE", KRB5_KDB_REQUIRES_PWCHANGE},
- {"KRB5_KDB_DISALLOW_SVR", KRB5_KDB_DISALLOW_SVR},
- {"KRB5_KDB_PWCHANGE_SERVICE", KRB5_KDB_PWCHANGE_SERVICE}
-};
-
-struct flagval aux_attributes[] = {
- {"OVSEC_KADM_POLICY", OVSEC_KADM_POLICY}
-};
-
-struct flagval principal_mask_flags[] = {
- {"OVSEC_KADM_PRINCIPAL", OVSEC_KADM_PRINCIPAL},
- {"OVSEC_KADM_PRINC_EXPIRE_TIME", OVSEC_KADM_PRINC_EXPIRE_TIME},
- {"OVSEC_KADM_PW_EXPIRATION", OVSEC_KADM_PW_EXPIRATION},
- {"OVSEC_KADM_LAST_PWD_CHANGE", OVSEC_KADM_LAST_PWD_CHANGE},
- {"OVSEC_KADM_ATTRIBUTES", OVSEC_KADM_ATTRIBUTES},
- {"OVSEC_KADM_MAX_LIFE", OVSEC_KADM_MAX_LIFE},
- {"OVSEC_KADM_MOD_TIME", OVSEC_KADM_MOD_TIME},
- {"OVSEC_KADM_MOD_NAME", OVSEC_KADM_MOD_NAME},
- {"OVSEC_KADM_KVNO", OVSEC_KADM_KVNO},
- {"OVSEC_KADM_MKVNO", OVSEC_KADM_MKVNO},
- {"OVSEC_KADM_AUX_ATTRIBUTES", OVSEC_KADM_AUX_ATTRIBUTES},
- {"OVSEC_KADM_POLICY", OVSEC_KADM_POLICY},
- {"OVSEC_KADM_POLICY_CLR", OVSEC_KADM_POLICY_CLR}
-};
-
-struct flagval policy_mask_flags[] = {
- {"OVSEC_KADM_POLICY", OVSEC_KADM_POLICY},
- {"OVSEC_KADM_PW_MAX_LIFE", OVSEC_KADM_PW_MAX_LIFE},
- {"OVSEC_KADM_PW_MIN_LIFE", OVSEC_KADM_PW_MIN_LIFE},
- {"OVSEC_KADM_PW_MIN_LENGTH", OVSEC_KADM_PW_MIN_LENGTH},
- {"OVSEC_KADM_PW_MIN_CLASSES", OVSEC_KADM_PW_MIN_CLASSES},
- {"OVSEC_KADM_PW_HISTORY_NUM", OVSEC_KADM_PW_HISTORY_NUM},
- {"OVSEC_KADM_REF_COUNT", OVSEC_KADM_REF_COUNT}
-};
-
-struct flagval priv_flags[] = {
- {"OVSEC_KADM_PRIV_GET", OVSEC_KADM_PRIV_GET},
- {"OVSEC_KADM_PRIV_ADD", OVSEC_KADM_PRIV_ADD},
- {"OVSEC_KADM_PRIV_MODIFY", OVSEC_KADM_PRIV_MODIFY},
- {"OVSEC_KADM_PRIV_DELETE", OVSEC_KADM_PRIV_DELETE}
-};
-
-
-static char *arg_error = "wrong # args";
-
-static Tcl_HashTable *struct_table = 0;
-
-static int put_server_handle(Tcl_Interp *interp, void *handle, char **name)
-{
- int i = 1, newPtr = 0;
- static char buf[20];
- Tcl_HashEntry *entry;
-
- if (! struct_table) {
- if (! (struct_table =
- malloc(sizeof(*struct_table)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
- Tcl_InitHashTable(struct_table, TCL_STRING_KEYS);
- }
-
- do {
- /*
- * Handles from ovsec_kadm_init() and kadm5_init() should not
- * be mixed during unit tests, but the API would happily
- * accept them. Making the hash entry names different in
- * tcl_kadm.c and tcl_ovsec_kadm.c ensures that GET_HANDLE
- * will fail if presented a handle from the other API.
- */
- sprintf(buf, "ovsec_kadm_handle%d", i);
- entry = Tcl_CreateHashEntry(struct_table, buf, &newPtr);
- i++;
- } while (! newPtr);
-
- Tcl_SetHashValue(entry, handle);
-
- *name = buf;
-
- return TCL_OK;
-}
-
-static int get_server_handle(Tcl_Interp *interp, const char *name,
- void **handle)
-{
- Tcl_HashEntry *entry;
-
- if(!strcasecmp(name, "null"))
- *handle = 0;
- else {
- if (! (struct_table &&
- (entry = Tcl_FindHashEntry(struct_table, name)))) {
- if (strncmp(name, "kadm5_handle", 12) == 0)
- Tcl_AppendResult(interp, "kadm5 handle specified "
- "for ovsec_kadm api: ", name, 0);
- else
- Tcl_AppendResult(interp, "unknown server handle ", name, 0);
- return TCL_ERROR;
- }
- *handle = (void *) Tcl_GetHashValue(entry);
- }
- return TCL_OK;
-}
-
-static int remove_server_handle(Tcl_Interp *interp, const char *name)
-{
- Tcl_HashEntry *entry;
-
- if (! (struct_table &&
- (entry = Tcl_FindHashEntry(struct_table, name)))) {
- Tcl_AppendResult(interp, "unknown server handle ", name, 0);
- return TCL_ERROR;
- }
-
- Tcl_DeleteHashEntry(entry);
- return TCL_OK;
-}
-
-#define GET_HANDLE(num_args, do_dostruct) \
- void *server_handle; \
- int dostruct = 0; \
- const char *whoami = argv[0]; \
- argv++, argc--; \
- if ((argc > 0) && (! strcmp(argv[0], "-struct"))) { \
- if (! do_dostruct) { \
- Tcl_AppendResult(interp, "-struct isn't a valid option for ", \
- whoami, 0); \
- return TCL_ERROR; \
- } \
- dostruct++; \
- argv++, argc--; \
- } \
- if (argc != num_args + 1) { \
- Tcl_AppendResult(interp, whoami, ": ", arg_error, 0); \
- return TCL_ERROR; \
- } \
- { \
- int htcl_ret; \
- if ((htcl_ret = get_server_handle(interp, argv[0], &server_handle)) \
- != TCL_OK) { \
- return htcl_ret; \
- } \
- } \
- argv++, argc--;
-
-static Tcl_HashTable *create_flag_table(struct flagval *flags, int size)
-{
- Tcl_HashTable *table;
- Tcl_HashEntry *entry;
- int i;
-
- if (! (table = (Tcl_HashTable *) malloc(sizeof(Tcl_HashTable)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- Tcl_InitHashTable(table, TCL_STRING_KEYS);
-
- for (i = 0; i < size; i++) {
- int newPtr;
-
- if (! (entry = Tcl_CreateHashEntry(table, flags[i].name, &newPtr))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- Tcl_SetHashValue(entry, &flags[i].val);
- }
-
- return table;
-}
-
-
-static Tcl_DString *unparse_str(char *in_str)
-{
- Tcl_DString *str;
-
- if (! (str = malloc(sizeof(*str)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- Tcl_DStringInit(str);
-
- if (! in_str) {
- Tcl_DStringAppend(str, "null", -1);
- }
- else {
- Tcl_DStringAppend(str, in_str, -1);
- }
-
- return str;
-}
-
-
-
-static int parse_str(Tcl_Interp *interp, const char *in_str,
- char **out_str)
-{
- if (! in_str) {
- *out_str = 0;
- }
- else if (! strcasecmp(in_str, "null")) {
- *out_str = 0;
- }
- else {
- *out_str = (char *) in_str;
- }
- return TCL_OK;
-}
-
-
-static void set_ok(Tcl_Interp *interp, char *string)
-{
- Tcl_SetResult(interp, "OK", TCL_STATIC);
- Tcl_AppendElement(interp, "OVSEC_KADM_OK");
- Tcl_AppendElement(interp, string);
-}
-
-
-
-static Tcl_DString *unparse_err(ovsec_kadm_ret_t code)
-{
- char *code_string;
- const char *error_string;
- Tcl_DString *dstring;
-
- switch (code) {
- case OVSEC_KADM_FAILURE: code_string = "OVSEC_KADM_FAILURE"; break;
- case OVSEC_KADM_AUTH_GET: code_string = "OVSEC_KADM_AUTH_GET"; break;
- case OVSEC_KADM_AUTH_ADD: code_string = "OVSEC_KADM_AUTH_ADD"; break;
- case OVSEC_KADM_AUTH_MODIFY:
- code_string = "OVSEC_KADM_AUTH_MODIFY"; break;
- case OVSEC_KADM_AUTH_DELETE:
- code_string = "OVSEC_KADM_AUTH_DELETE"; break;
- case OVSEC_KADM_AUTH_INSUFFICIENT:
- code_string = "OVSEC_KADM_AUTH_INSUFFICIENT"; break;
- case OVSEC_KADM_BAD_DB: code_string = "OVSEC_KADM_BAD_DB"; break;
- case OVSEC_KADM_DUP: code_string = "OVSEC_KADM_DUP"; break;
- case OVSEC_KADM_RPC_ERROR: code_string = "OVSEC_KADM_RPC_ERROR"; break;
- case OVSEC_KADM_NO_SRV: code_string = "OVSEC_KADM_NO_SRV"; break;
- case OVSEC_KADM_BAD_HIST_KEY:
- code_string = "OVSEC_KADM_BAD_HIST_KEY"; break;
- case OVSEC_KADM_NOT_INIT: code_string = "OVSEC_KADM_NOT_INIT"; break;
- case OVSEC_KADM_INIT: code_string = "OVSEC_KADM_INIT"; break;
- case OVSEC_KADM_BAD_PASSWORD:
- code_string = "OVSEC_KADM_BAD_PASSWORD"; break;
- case OVSEC_KADM_UNK_PRINC: code_string = "OVSEC_KADM_UNK_PRINC"; break;
- case OVSEC_KADM_UNK_POLICY: code_string = "OVSEC_KADM_UNK_POLICY"; break;
- case OVSEC_KADM_BAD_MASK: code_string = "OVSEC_KADM_BAD_MASK"; break;
- case OVSEC_KADM_BAD_CLASS: code_string = "OVSEC_KADM_BAD_CLASS"; break;
- case OVSEC_KADM_BAD_LENGTH: code_string = "OVSEC_KADM_BAD_LENGTH"; break;
- case OVSEC_KADM_BAD_POLICY: code_string = "OVSEC_KADM_BAD_POLICY"; break;
- case OVSEC_KADM_BAD_HISTORY: code_string = "OVSEC_KADM_BAD_HISTORY"; break;
- case OVSEC_KADM_BAD_PRINCIPAL:
- code_string = "OVSEC_KADM_BAD_PRINCIPAL"; break;
- case OVSEC_KADM_BAD_AUX_ATTR:
- code_string = "OVSEC_KADM_BAD_AUX_ATTR"; break;
- case OVSEC_KADM_PASS_Q_TOOSHORT:
- code_string = "OVSEC_KADM_PASS_Q_TOOSHORT"; break;
- case OVSEC_KADM_PASS_Q_CLASS:
- code_string = "OVSEC_KADM_PASS_Q_CLASS"; break;
- case OVSEC_KADM_PASS_Q_DICT:
- code_string = "OVSEC_KADM_PASS_Q_DICT"; break;
- case OVSEC_KADM_PASS_REUSE: code_string = "OVSEC_KADM_PASS_REUSE"; break;
- case OVSEC_KADM_PASS_TOOSOON:
- code_string = "OVSEC_KADM_PASS_TOOSOON"; break;
- case OVSEC_KADM_POLICY_REF:
- code_string = "OVSEC_KADM_POLICY_REF"; break;
- case OVSEC_KADM_PROTECT_PRINCIPAL:
- code_string = "OVSEC_KADM_PROTECT_PRINCIPAL"; break;
- case OVSEC_KADM_BAD_SERVER_HANDLE:
- code_string = "OVSEC_KADM_BAD_SERVER_HANDLE"; break;
- case OVSEC_KADM_BAD_STRUCT_VERSION:
- code_string = "OVSEC_KADM_BAD_STRUCT_VERSION"; break;
- case OVSEC_KADM_OLD_STRUCT_VERSION:
- code_string = "OVSEC_KADM_OLD_STRUCT_VERSION"; break;
- case OVSEC_KADM_NEW_STRUCT_VERSION:
- code_string = "OVSEC_KADM_NEW_STRUCT_VERSION"; break;
- case OVSEC_KADM_BAD_API_VERSION:
- code_string = "OVSEC_KADM_BAD_API_VERSION"; break;
- case OVSEC_KADM_OLD_LIB_API_VERSION:
- code_string = "OVSEC_KADM_OLD_LIB_API_VERSION"; break;
- case OVSEC_KADM_OLD_SERVER_API_VERSION:
- code_string = "OVSEC_KADM_OLD_SERVER_API_VERSION"; break;
- case OVSEC_KADM_NEW_LIB_API_VERSION:
- code_string = "OVSEC_KADM_NEW_LIB_API_VERSION"; break;
- case OVSEC_KADM_NEW_SERVER_API_VERSION:
- code_string = "OVSEC_KADM_NEW_SERVER_API_VERSION"; break;
- case OVSEC_KADM_SECURE_PRINC_MISSING:
- code_string = "OVSEC_KADM_SECURE_PRINC_MISSING"; break;
- case KADM5_NO_RENAME_SALT:
- code_string = "KADM5_NO_RENAME_SALT"; break;
- case KADM5_BAD_CLIENT_PARAMS:
- code_string = "KADM5_BAD_CLIENT_PARAMS"; break;
- case KADM5_BAD_SERVER_PARAMS:
- code_string = "KADM5_BAD_SERVER_PARAMS"; break;
- case KADM5_AUTH_LIST:
- code_string = "KADM5_AUTH_LIST"; break;
- case KADM5_AUTH_CHANGEPW:
- code_string = "KADM5_AUTH_CHANGEPW"; break;
- case OSA_ADB_DUP: code_string = "OSA_ADB_DUP"; break;
- case OSA_ADB_NOENT: code_string = "ENOENT"; break;
- case OSA_ADB_DBINIT: code_string = "OSA_ADB_DBINIT"; break;
- case OSA_ADB_BAD_POLICY: code_string = "Bad policy name"; break;
- case OSA_ADB_BAD_PRINC: code_string = "Bad principal name"; break;
- case OSA_ADB_BAD_DB: code_string = "Invalid database."; break;
- case OSA_ADB_XDR_FAILURE: code_string = "OSA_ADB_XDR_FAILURE"; break;
- case KRB5_KDB_INUSE: code_string = "KRB5_KDB_INUSE"; break;
- case KRB5_KDB_UK_SERROR: code_string = "KRB5_KDB_UK_SERROR"; break;
- case KRB5_KDB_UK_RERROR: code_string = "KRB5_KDB_UK_RERROR"; break;
- case KRB5_KDB_UNAUTH: code_string = "KRB5_KDB_UNAUTH"; break;
- case KRB5_KDB_NOENTRY: code_string = "KRB5_KDB_NOENTRY"; break;
- case KRB5_KDB_ILL_WILDCARD: code_string = "KRB5_KDB_ILL_WILDCARD"; break;
- case KRB5_KDB_DB_INUSE: code_string = "KRB5_KDB_DB_INUSE"; break;
- case KRB5_KDB_DB_CHANGED: code_string = "KRB5_KDB_DB_CHANGED"; break;
- case KRB5_KDB_TRUNCATED_RECORD:
- code_string = "KRB5_KDB_TRUNCATED_RECORD"; break;
- case KRB5_KDB_RECURSIVELOCK:
- code_string = "KRB5_KDB_RECURSIVELOCK"; break;
- case KRB5_KDB_NOTLOCKED: code_string = "KRB5_KDB_NOTLOCKED"; break;
- case KRB5_KDB_BADLOCKMODE: code_string = "KRB5_KDB_BADLOCKMODE"; break;
- case KRB5_KDB_DBNOTINITED: code_string = "KRB5_KDB_DBNOTINITED"; break;
- case KRB5_KDB_DBINITED: code_string = "KRB5_KDB_DBINITED"; break;
- case KRB5_KDB_ILLDIRECTION: code_string = "KRB5_KDB_ILLDIRECTION"; break;
- case KRB5_KDB_NOMASTERKEY: code_string = "KRB5_KDB_NOMASTERKEY"; break;
- case KRB5_KDB_BADMASTERKEY: code_string = "KRB5_KDB_BADMASTERKEY"; break;
- case KRB5_KDB_INVALIDKEYSIZE:
- code_string = "KRB5_KDB_INVALIDKEYSIZE"; break;
- case KRB5_KDB_CANTREAD_STORED:
- code_string = "KRB5_KDB_CANTREAD_STORED"; break;
- case KRB5_KDB_BADSTORED_MKEY:
- code_string = "KRB5_KDB_BADSTORED_MKEY"; break;
- case KRB5_KDB_CANTLOCK_DB: code_string = "KRB5_KDB_CANTLOCK_DB"; break;
- case KRB5_KDB_DB_CORRUPT: code_string = "KRB5_KDB_DB_CORRUPT"; break;
- case KRB5_PARSE_ILLCHAR: code_string = "KRB5_PARSE_ILLCHAR"; break;
- case KRB5_PARSE_MALFORMED: code_string = "KRB5_PARSE_MALFORMED"; break;
- case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: code_string = "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"; break;
- case KRB5_REALM_UNKNOWN: code_string = "KRB5_REALM_UNKNOWN"; break;
- case KRB5_KDC_UNREACH: code_string = "KRB5_KDC_UNREACH"; break;
- case KRB5_KDCREP_MODIFIED: code_string = "KRB5_KDCREP_MODIFIED"; break;
- case KRB5KRB_AP_ERR_BAD_INTEGRITY: code_string = "KRB5KRB_AP_ERR_BAD_INTEGRITY"; break;
- case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: code_string = "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"; break;
- case EINVAL: code_string = "EINVAL"; break;
- case ENOENT: code_string = "ENOENT"; break;
- default:
- fprintf(stderr, "**** CODE %ld (%s) ***\n", (long) code,
- error_message (code));
- code_string = "UNKNOWN";
- break;
- }
-
- error_string = error_message(code);
-
- if (! (dstring = (Tcl_DString *) malloc(sizeof(Tcl_DString)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX Do we really want to exit? Ok if this is */
- /* just a test program, but what about if it gets */
- /* used for other things later? */
- }
-
- Tcl_DStringInit(dstring);
-
- if (! (Tcl_DStringAppendElement(dstring, "ERROR") &&
- Tcl_DStringAppendElement(dstring, code_string) &&
- Tcl_DStringAppendElement(dstring, error_string))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- return dstring;
-}
-
-
-
-static void stash_error(Tcl_Interp *interp, krb5_error_code code)
-{
- Tcl_DString *dstring = unparse_err(code);
- Tcl_DStringResult(interp, dstring);
- Tcl_DStringFree(dstring);
- free(dstring);
-}
-
-
-
-static Tcl_DString *unparse_flags(struct flagval *array, int size,
- krb5_int32 flags)
-{
- int i;
- Tcl_DString *str;
-
- if (! (str = malloc(sizeof(*str)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- Tcl_DStringInit(str);
-
- for (i = 0; i < size; i++) {
- if (flags & array[i].val) {
- Tcl_DStringAppendElement(str, array[i].name);
- }
- }
-
- return str;
-}
-
-
-static int parse_flags(Tcl_Interp *interp, Tcl_HashTable *table,
- struct flagval *array, int size, const char *str,
- krb5_flags *flags)
-{
- int tmp, argc, i, retcode = TCL_OK;
- const char **argv;
- Tcl_HashEntry *entry;
-
- if (Tcl_GetInt(interp, str, &tmp) == TCL_OK) {
- *flags = tmp;
- return TCL_OK;
- }
- Tcl_ResetResult(interp);
-
- if (Tcl_SplitList(interp, str, &argc, &argv) != TCL_OK) {
- return TCL_ERROR;
- }
-
- if (! table) {
- table = create_flag_table(array, size);
- }
-
- *flags = 0;
-
- for (i = 0; i < argc; i++) {
- if (! (entry = Tcl_FindHashEntry(table, argv[i]))) {
- Tcl_AppendResult(interp, "unknown krb5 flag ", argv[i], 0);
- retcode = TCL_ERROR;
- break;
- }
- *flags |= *(krb5_flags *) Tcl_GetHashValue(entry);
- }
-
- Tcl_Free((char *) argv);
- return(retcode);
-}
-
-static Tcl_DString *unparse_privs(krb5_flags flags)
-{
- return unparse_flags(priv_flags, sizeof(priv_flags) /
- sizeof(struct flagval), flags);
-}
-
-
-static Tcl_DString *unparse_krb5_flags(krb5_flags flags)
-{
- return unparse_flags(krb5_flags_array, sizeof(krb5_flags_array) /
- sizeof(struct flagval), flags);
-}
-
-static int parse_krb5_flags(Tcl_Interp *interp, const char *str,
- krb5_flags *flags)
-{
- krb5_flags tmp;
- static Tcl_HashTable *table = 0;
- int tcl_ret;
-
- if ((tcl_ret = parse_flags(interp, table, krb5_flags_array,
- sizeof(krb5_flags_array) /
- sizeof(struct flagval),
- str, &tmp)) != TCL_OK) {
- return tcl_ret;
- }
-
- *flags = tmp;
- return TCL_OK;
-}
-
-static Tcl_DString *unparse_aux_attributes(krb5_int32 flags)
-{
- return unparse_flags(aux_attributes, sizeof(aux_attributes) /
- sizeof(struct flagval), flags);
-}
-
-
-static int parse_aux_attributes(Tcl_Interp *interp, const char *str,
- long *flags)
-{
- krb5_flags tmp;
- static Tcl_HashTable *table = 0;
- int tcl_ret;
-
- if ((tcl_ret = parse_flags(interp, table, aux_attributes,
- sizeof(aux_attributes) /
- sizeof(struct flagval),
- str, &tmp)) != TCL_OK) {
- return tcl_ret;
- }
-
- *flags = tmp;
- return TCL_OK;
-}
-
-static int parse_principal_mask(Tcl_Interp *interp, const char *str,
- krb5_int32 *flags)
-{
- krb5_flags tmp;
- static Tcl_HashTable *table = 0;
- int tcl_ret;
-
- if ((tcl_ret = parse_flags(interp, table, principal_mask_flags,
- sizeof(principal_mask_flags) /
- sizeof(struct flagval),
- str, &tmp)) != TCL_OK) {
- return tcl_ret;
- }
-
- *flags = tmp;
- return TCL_OK;
-}
-
-
-static int parse_policy_mask(Tcl_Interp *interp, const char *str,
- krb5_int32 *flags)
-{
- krb5_flags tmp;
- static Tcl_HashTable *table = 0;
- int tcl_ret;
-
- if ((tcl_ret = parse_flags(interp, table, policy_mask_flags,
- sizeof(policy_mask_flags) /
- sizeof(struct flagval),
- str, &tmp)) != TCL_OK) {
- return tcl_ret;
- }
-
- *flags = tmp;
- return TCL_OK;
-}
-
-
-static Tcl_DString *unparse_principal_ent(ovsec_kadm_principal_ent_t princ)
-{
- Tcl_DString *str, *tmp_dstring;
- char *tmp;
- char buf[20];
- krb5_error_code krb5_ret;
-
- if (! (str = malloc(sizeof(*str)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- Tcl_DStringInit(str);
-
- tmp = 0; /* It looks to me from looking at the library source */
- /* code for krb5_parse_name that the pointer passed into */
- /* it should be initialized to 0 if I want it do be */
- /* allocated automatically. */
- krb5_ret = krb5_unparse_name(context, princ->principal, &tmp);
- if (krb5_ret) {
- /* XXX Do we want to return an error? Not sure. */
- Tcl_DStringAppendElement(str, "[unparseable principal]");
- }
- else {
- Tcl_DStringAppendElement(str, tmp);
- free(tmp);
- }
-
- sprintf(buf, "%d", princ->princ_expire_time);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%d", princ->last_pwd_change);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%d", princ->pw_expiration);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%d", princ->max_life);
- Tcl_DStringAppendElement(str, buf);
-
- tmp = 0;
- krb5_ret = krb5_unparse_name(context, princ->mod_name, &tmp);
- if (krb5_ret) {
- /* XXX */
- Tcl_DStringAppendElement(str, "[unparseable principal]");
- }
- else {
- Tcl_DStringAppendElement(str, tmp);
- free(tmp);
- }
-
- sprintf(buf, "%d", princ->mod_date);
- Tcl_DStringAppendElement(str, buf);
-
- tmp_dstring = unparse_krb5_flags(princ->attributes);
- Tcl_DStringAppendElement(str, tmp_dstring->string);
- Tcl_DStringFree(tmp_dstring);
- free(tmp_dstring);
-
- sprintf(buf, "%d", princ->kvno);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%d", princ->mkvno);
- Tcl_DStringAppendElement(str, buf);
-
- /* XXX This may be dangerous, because the contents of the policy */
- /* field are undefined if the POLICY bit isn't set. However, I */
- /* think it's a bug for the field not to be null in that case */
- /* anyway, so we should assume that it will be null so that we'll */
- /* catch it if it isn't. */
-
- tmp_dstring = unparse_str(princ->policy);
- Tcl_DStringAppendElement(str, tmp_dstring->string);
- Tcl_DStringFree(tmp_dstring);
- free(tmp_dstring);
-
- tmp_dstring = unparse_aux_attributes(princ->aux_attributes);
- Tcl_DStringAppendElement(str, tmp_dstring->string);
- Tcl_DStringFree(tmp_dstring);
- free(tmp_dstring);
-
- return str;
-}
-
-
-
-static int parse_principal_ent(Tcl_Interp *interp, const char *list,
- ovsec_kadm_principal_ent_t *out_princ)
-{
- ovsec_kadm_principal_ent_t princ = 0;
- krb5_error_code krb5_ret;
- int tcl_ret;
- int argc;
- const char **argv;
- int tmp;
- int retcode = TCL_OK;
-
- if ((tcl_ret = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) {
- return tcl_ret;
- }
-
- if (argc != 12) {
- sprintf(interp->result, "wrong # args in principal structure (%d should be 12)",
- argc);
- retcode = TCL_ERROR;
- goto finished;
- }
-
- if (! (princ = malloc(sizeof *princ))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- if ((krb5_ret = krb5_parse_name(context, argv[0], &princ->principal)) != 0) {
- stash_error(interp, krb5_ret);
- Tcl_AppendElement(interp, "while parsing principal");
- retcode = TCL_ERROR;
- goto finished;
- }
-
- /*
- * All of the numerical values parsed here are parsed into an
- * "int" and then assigned into the structure in case the actual
- * width of the field in the Kerberos structure is different from
- * the width of an integer.
- */
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[1], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing princ_expire_time");
- retcode = TCL_ERROR;
- goto finished;
- }
- princ->princ_expire_time = tmp;
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[2], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing last_pwd_change");
- retcode = TCL_ERROR;
- goto finished;
- }
- princ->last_pwd_change = tmp;
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[3], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing pw_expiration");
- retcode = TCL_ERROR;
- goto finished;
- }
- princ->pw_expiration = tmp;
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[4], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing max_life");
- retcode = TCL_ERROR;
- goto finished;
- }
- princ->max_life = tmp;
-
- if ((krb5_ret = krb5_parse_name(context, argv[5], &princ->mod_name)) != 0) {
- stash_error(interp, krb5_ret);
- Tcl_AppendElement(interp, "while parsing mod_name");
- retcode = TCL_ERROR;
- goto finished;
- }
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[6], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing mod_date");
- retcode = TCL_ERROR;
- goto finished;
- }
- princ->mod_date = tmp;
-
- if ((tcl_ret = parse_krb5_flags(interp, argv[7], &princ->attributes))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing attributes");
- retcode = TCL_ERROR;
- goto finished;
- }
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[8], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing kvno");
- retcode = TCL_ERROR;
- goto finished;
- }
- princ->kvno = tmp;
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[9], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing mkvno");
- retcode = TCL_ERROR;
- goto finished;
- }
- princ->mkvno = tmp;
-
- if ((tcl_ret = parse_str(interp, argv[10], &princ->policy)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing policy");
- retcode = TCL_ERROR;
- goto finished;
- }
- if(princ->policy != NULL) {
- if(!(princ->policy = strdup(princ->policy))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1);
- }
- }
-
- if ((tcl_ret = parse_aux_attributes(interp, argv[11],
- &princ->aux_attributes)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing aux_attributes");
- retcode = TCL_ERROR;
- goto finished;
- }
-
-finished:
- Tcl_Free((char *) argv);
- *out_princ = princ;
- return retcode;
-}
-
-
-static void free_principal_ent(ovsec_kadm_principal_ent_t *princ)
-{
- krb5_free_principal(context, (*princ)->principal);
- krb5_free_principal(context, (*princ)->mod_name);
- free(*princ);
- *princ = 0;
-}
-
-static Tcl_DString *unparse_policy_ent(ovsec_kadm_policy_ent_t policy)
-{
- Tcl_DString *str, *tmp_dstring;
- char buf[20];
-
- if (! (str = malloc(sizeof(*str)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- Tcl_DStringInit(str);
-
- tmp_dstring = unparse_str(policy->policy);
- Tcl_DStringAppendElement(str, tmp_dstring->string);
- Tcl_DStringFree(tmp_dstring);
- free(tmp_dstring);
-
- sprintf(buf, "%ld", policy->pw_min_life);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%ld", policy->pw_max_life);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%ld", policy->pw_min_length);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%ld", policy->pw_min_classes);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%ld", policy->pw_history_num);
- Tcl_DStringAppendElement(str, buf);
-
- sprintf(buf, "%ld", policy->policy_refcnt);
- Tcl_DStringAppendElement(str, buf);
-
- return str;
-}
-
-
-
-static int parse_policy_ent(Tcl_Interp *interp, char *list,
- ovsec_kadm_policy_ent_t *out_policy)
-{
- ovsec_kadm_policy_ent_t policy = 0;
- int tcl_ret;
- int argc;
- const char **argv;
- int tmp;
- int retcode = TCL_OK;
-
- if ((tcl_ret = Tcl_SplitList(interp, list, &argc, &argv)) != TCL_OK) {
- return tcl_ret;
- }
-
- if (argc != 7) {
- sprintf(interp->result, "wrong # args in policy structure (%d should be 7)",
- argc);
- retcode = TCL_ERROR;
- goto finished;
- }
-
- if (! (policy = malloc(sizeof *policy))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- if ((tcl_ret = parse_str(interp, argv[0], &policy->policy)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing policy name");
- retcode = TCL_ERROR;
- goto finished;
- }
-
- if(policy->policy != NULL) {
- if (! (policy->policy = strdup(policy->policy))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
- }
-
- /*
- * All of the numerical values parsed here are parsed into an
- * "int" and then assigned into the structure in case the actual
- * width of the field in the Kerberos structure is different from
- * the width of an integer.
- */
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[1], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing pw_min_life");
- retcode = TCL_ERROR;
- goto finished;
- }
- policy->pw_min_life = tmp;
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[2], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing pw_max_life");
- retcode = TCL_ERROR;
- goto finished;
- }
- policy->pw_max_life = tmp;
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[3], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing pw_min_length");
- retcode = TCL_ERROR;
- goto finished;
- }
- policy->pw_min_length = tmp;
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[4], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing pw_min_classes");
- retcode = TCL_ERROR;
- goto finished;
- }
- policy->pw_min_classes = tmp;
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[5], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing pw_history_num");
- retcode = TCL_ERROR;
- goto finished;
- }
- policy->pw_history_num = tmp;
-
- if ((tcl_ret = Tcl_GetInt(interp, argv[6], &tmp))
- != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing policy_refcnt");
- retcode = TCL_ERROR;
- goto finished;
- }
- policy->policy_refcnt = tmp;
-
-finished:
- Tcl_Free((char *) argv);
- *out_policy = policy;
- return retcode;
-}
-
-
-static void free_policy_ent(ovsec_kadm_policy_ent_t *policy)
-{
- free(*policy);
- *policy = 0;
-}
-
-static Tcl_DString *unparse_keytype(krb5_enctype enctype)
-{
- Tcl_DString *str;
- char buf[50];
-
- if (! (str = malloc(sizeof(*str)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- Tcl_DStringInit(str);
-
- switch (enctype) {
- /* XXX is this right? */
- case ENCTYPE_NULL: Tcl_DStringAppend(str, "ENCTYPE_NULL", -1); break;
- case ENCTYPE_DES_CBC_CRC:
- Tcl_DStringAppend(str, "ENCTYPE_DES_CBC_CRC", -1); break;
- default:
- sprintf(buf, "UNKNOWN KEYTYPE (0x%x)", enctype);
- Tcl_DStringAppend(str, buf, -1);
- break;
- }
-
- return str;
-}
-
-
-static Tcl_DString *unparse_keyblock(krb5_keyblock *keyblock)
-{
- Tcl_DString *str;
- Tcl_DString *keytype;
- int i;
-
- if (! (str = malloc(sizeof(*str)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
-
- Tcl_DStringInit(str);
-
- keytype = unparse_keytype(keyblock->enctype);
- Tcl_DStringAppendElement(str, keytype->string);
- Tcl_DStringFree(keytype);
- free(keytype);
- if (keyblock->length == 0) {
- Tcl_DStringAppendElement(str, "0x00");
- }
- else {
- Tcl_DStringAppendElement(str, "0x");
- for (i = 0; i < keyblock->length; i++) {
- char buf[3];
- sprintf(buf, "%02x", (int) keyblock->contents[i]);
- Tcl_DStringAppend(str, buf, -1);
- }
- }
-
- return str;
-}
-
-
-
-static int tcl_ovsec_kadm_init(ClientData clientData, Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- ovsec_kadm_ret_t ret;
- char *client_name, *pass, *service_name, *realm;
- int tcl_ret;
- krb5_ui_4 struct_version, api_version;
- const char *handle_var;
- void *server_handle;
- char *handle_name;
- const char *whoami = argv[0];
-
- argv++, argc--;
-
- kadm5_init_krb5_context(&context);
-
- if (argc != 7) {
- Tcl_AppendResult(interp, whoami, ": ", arg_error, 0);
- return TCL_ERROR;
- }
-
- if (((tcl_ret = parse_str(interp, argv[0], &client_name)) != TCL_OK) ||
- ((tcl_ret = parse_str(interp, argv[1], &pass)) != TCL_OK) ||
- ((tcl_ret = parse_str(interp, argv[2], &service_name)) != TCL_OK) ||
- ((tcl_ret = parse_str(interp, argv[3], &realm)) != TCL_OK) ||
- ((tcl_ret = Tcl_GetInt(interp, argv[4], (int *) &struct_version)) !=
- TCL_OK) ||
- ((tcl_ret = Tcl_GetInt(interp, argv[5], (int *) &api_version)) !=
- TCL_OK)) {
- return tcl_ret;
- }
-
- handle_var = argv[6];
-
- if (! (handle_var && *handle_var)) {
- Tcl_SetResult(interp, "must specify server handle variable name",
- TCL_STATIC);
- return TCL_ERROR;
- }
-
- ret = ovsec_kadm_init(client_name, pass, service_name, realm,
- struct_version, api_version, NULL, &server_handle);
-
- if (ret != OVSEC_KADM_OK) {
- stash_error(interp, ret);
- return TCL_ERROR;
- }
-
- if ((tcl_ret = put_server_handle(interp, server_handle, &handle_name))
- != TCL_OK) {
- return tcl_ret;
- }
-
- if (! Tcl_SetVar(interp, handle_var, handle_name, TCL_LEAVE_ERR_MSG)) {
- return TCL_ERROR;
- }
-
- set_ok(interp, "OV Admin system initialized.");
- return TCL_OK;
-}
-
-
-
-static int tcl_ovsec_kadm_destroy(ClientData clientData, Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- ovsec_kadm_ret_t ret;
- int tcl_ret;
-
- GET_HANDLE(0, 0);
-
- ret = ovsec_kadm_destroy(server_handle);
-
- if (ret != OVSEC_KADM_OK) {
- stash_error(interp, ret);
- return TCL_ERROR;
- }
-
- if ((tcl_ret = remove_server_handle(interp, argv[-1])) != TCL_OK) {
- return tcl_ret;
- }
-
- set_ok(interp, "OV Admin system deinitialized.");
- return TCL_OK;
-}
-
-static int tcl_ovsec_kadm_create_principal(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- int tcl_ret;
- ovsec_kadm_ret_t ret;
- int retcode = TCL_OK;
- char *princ_string;
- ovsec_kadm_principal_ent_t princ = 0;
- krb5_int32 mask;
- char *pw;
-#ifdef OVERRIDE
- int override_qual;
-#endif
-
- GET_HANDLE(3, 0);
-
- if ((tcl_ret = parse_str(interp, argv[0], &princ_string)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing principal");
- return tcl_ret;
- }
-
- if (princ_string &&
- ((tcl_ret = parse_principal_ent(interp, princ_string, &princ))
- != TCL_OK)) {
- return tcl_ret;
- }
-
- if ((tcl_ret = parse_principal_mask(interp, argv[1], &mask)) != TCL_OK) {
- retcode = tcl_ret;
- goto finished;
- }
-
- if ((tcl_ret = parse_str(interp, argv[2], &pw)) != TCL_OK) {
- retcode = tcl_ret;
- goto finished;
- }
-#ifdef OVERRIDE
- if ((tcl_ret = Tcl_GetBoolean(interp, argv[3], &override_qual)) !=
- TCL_OK) {
- retcode = tcl_ret;
- goto finished;
- }
-#endif
-
-#ifdef OVERRIDE
- ret = ovsec_kadm_create_principal(server_handle, princ, mask, pw,
- override_qual);
-#else
- ret = ovsec_kadm_create_principal(server_handle, princ, mask, pw);
-#endif
-
- if (ret != OVSEC_KADM_OK) {
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- goto finished;
- }
- else {
- set_ok(interp, "Principal created.");
- }
-
-finished:
- if (princ) {
- free_principal_ent(&princ);
- }
- return retcode;
-}
-
-
-
-static int tcl_ovsec_kadm_delete_principal(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- krb5_principal princ;
- krb5_error_code krb5_ret;
- ovsec_kadm_ret_t ret;
- int tcl_ret;
- char *name;
-
- GET_HANDLE(1, 0);
-
- if((tcl_ret = parse_str(interp, argv[0], &name)) != TCL_OK)
- return tcl_ret;
- if(name != NULL) {
- krb5_ret = krb5_parse_name(context, name, &princ);
- if (krb5_ret) {
- stash_error(interp, krb5_ret);
- Tcl_AppendElement(interp, "while parsing principal");
- return TCL_ERROR;
- }
- } else princ = NULL;
- ret = ovsec_kadm_delete_principal(server_handle, princ);
-
- if(princ != NULL)
- krb5_free_principal(context, princ);
-
- if (ret != OVSEC_KADM_OK) {
- stash_error(interp, ret);
- return TCL_ERROR;
- }
- else {
- set_ok(interp, "Principal deleted.");
- return TCL_OK;
- }
-}
-
-
-
-static int tcl_ovsec_kadm_modify_principal(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- char *princ_string;
- ovsec_kadm_principal_ent_t princ = 0;
- int tcl_ret;
- krb5_int32 mask;
- int retcode = TCL_OK;
- ovsec_kadm_ret_t ret;
-
- GET_HANDLE(2, 0);
-
- if ((tcl_ret = parse_str(interp, argv[0], &princ_string)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing principal");
- return tcl_ret;
- }
-
- if (princ_string &&
- ((tcl_ret = parse_principal_ent(interp, princ_string, &princ))
- != TCL_OK)) {
- return tcl_ret;
- }
-
- if ((tcl_ret = parse_principal_mask(interp, argv[1], &mask)) != TCL_OK) {
- retcode = TCL_ERROR;
- goto finished;
- }
-
- ret = ovsec_kadm_modify_principal(server_handle, princ, mask);
-
- if (ret != OVSEC_KADM_OK) {
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- }
- else {
- set_ok(interp, "Principal modified.");
- }
-
-finished:
- if (princ) {
- free_principal_ent(&princ);
- }
- return retcode;
-}
-
-
-static int tcl_ovsec_kadm_rename_principal(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- krb5_principal source, target;
- krb5_error_code krb5_ret;
- ovsec_kadm_ret_t ret;
- int retcode = TCL_OK;
-
- GET_HANDLE(2, 0);
-
- krb5_ret = krb5_parse_name(context, argv[0], &source);
- if (krb5_ret) {
- stash_error(interp, krb5_ret);
- Tcl_AppendElement(interp, "while parsing source");
- return TCL_ERROR;
- }
-
- krb5_ret = krb5_parse_name(context, argv[1], &target);
- if (krb5_ret) {
- stash_error(interp, krb5_ret);
- Tcl_AppendElement(interp, "while parsing target");
- krb5_free_principal(context, source);
- return TCL_ERROR;
- }
-
- ret = ovsec_kadm_rename_principal(server_handle, source, target);
-
- if (ret == OVSEC_KADM_OK) {
- set_ok(interp, "Principal renamed.");
- }
- else {
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- }
-
- krb5_free_principal(context, source);
- krb5_free_principal(context, target);
- return retcode;
-}
-
-
-
-static int tcl_ovsec_kadm_chpass_principal(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- krb5_principal princ;
- char *pw;
-#ifdef OVERRIDE
- int override_qual;
-#endif
- krb5_error_code krb5_ret;
- int retcode = TCL_OK;
- ovsec_kadm_ret_t ret;
-
- GET_HANDLE(2, 0);
-
- krb5_ret = krb5_parse_name(context, argv[0], &princ);
- if (krb5_ret) {
- stash_error(interp, krb5_ret);
- Tcl_AppendElement(interp, "while parsing principal name");
- return TCL_ERROR;
- }
-
- if (parse_str(interp, argv[1], &pw) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing password");
- retcode = TCL_ERROR;
- goto finished;
- }
-
-#ifdef OVERRIDE
- if (Tcl_GetBoolean(interp, argv[2], &override_qual) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing override_qual");
- retcode = TCL_ERROR;
- goto finished;
- }
-
- ret = ovsec_kadm_chpass_principal(server_handle,
- princ, pw, override_qual);
-#else
- ret = ovsec_kadm_chpass_principal(server_handle, princ, pw);
-#endif
-
- if (ret == OVSEC_KADM_OK) {
- set_ok(interp, "Password changed.");
- goto finished;
- }
- else {
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- }
-
-finished:
- krb5_free_principal(context, princ);
- return retcode;
-}
-
-
-
-static int tcl_ovsec_kadm_chpass_principal_util(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- krb5_principal princ;
- char *new_pw;
-#ifdef OVERRIDE
- int override_qual;
-#endif
- char *pw_ret, *pw_ret_var;
- char msg_ret[1024], *msg_ret_var;
- krb5_error_code krb5_ret;
- ovsec_kadm_ret_t ret;
- int retcode = TCL_OK;
-
- GET_HANDLE(4, 0);
-
- if ((krb5_ret = krb5_parse_name(context, argv[0], &princ))) {
- stash_error(interp, krb5_ret);
- Tcl_AppendElement(interp, "while parsing principal name");
- return TCL_ERROR;
- }
-
- if (parse_str(interp, argv[1], &new_pw) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing new password");
- retcode = TCL_ERROR;
- goto finished;
- }
-#ifdef OVERRIDE
- if (Tcl_GetBoolean(interp, argv[2], &override_qual) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing override_qual");
- retcode = TCL_ERROR;
- goto finished;
- }
-#endif
- if (parse_str(interp, argv[3], &pw_ret_var) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing pw_ret variable name");
- retcode = TCL_ERROR;
- goto finished;
- }
-
- if (parse_str(interp, argv[4], &msg_ret_var) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing msg_ret variable name");
- retcode = TCL_ERROR;
- goto finished;
- }
-
- ret = ovsec_kadm_chpass_principal_util(server_handle, princ, new_pw,
-#ifdef OVERRIDE
- override_qual,
-#endif
- pw_ret_var ? &pw_ret : 0,
- msg_ret_var ? msg_ret : 0);
-
- if (ret == OVSEC_KADM_OK) {
- if (pw_ret_var &&
- (! Tcl_SetVar(interp, pw_ret_var, pw_ret,
- TCL_LEAVE_ERR_MSG))) {
- Tcl_AppendElement(interp, "while setting pw_ret variable");
- retcode = TCL_ERROR;
- goto finished;
- }
- if (msg_ret_var &&
- (! Tcl_SetVar(interp, msg_ret_var, msg_ret,
- TCL_LEAVE_ERR_MSG))) {
- Tcl_AppendElement(interp,
- "while setting msg_ret variable");
- retcode = TCL_ERROR;
- goto finished;
- }
- set_ok(interp, "Password changed.");
- }
- else {
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- }
-
-finished:
- krb5_free_principal(context, princ);
- return retcode;
-}
-
-
-
-static int tcl_ovsec_kadm_randkey_principal(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- krb5_principal princ;
- krb5_keyblock *keyblock;
- char *keyblock_var;
- Tcl_DString *keyblock_dstring = 0;
-#ifdef OVERRIDE
- int override_qual;
-#endif
- krb5_error_code krb5_ret;
- ovsec_kadm_ret_t ret;
- int retcode = TCL_OK;
-
- GET_HANDLE(2, 0);
-
- if ((krb5_ret = krb5_parse_name(context, argv[0], &princ))) {
- stash_error(interp, krb5_ret);
- Tcl_AppendElement(interp, "while parsing principal name");
- return TCL_ERROR;
- }
-
- if (parse_str(interp, argv[1], &keyblock_var) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing keyblock variable name");
- retcode = TCL_ERROR;
- goto finished;
- }
-#ifdef OVERRIDE
- if (Tcl_GetBoolean(interp, argv[2], &override_qual) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing override_qual");
- retcode = TCL_ERROR;
- goto finished;
- }
-
- ret = ovsec_kadm_randkey_principal(server_handle,
- princ, keyblock_var ? &keyblock : 0,
- override_qual);
-#else
- ret = ovsec_kadm_randkey_principal(server_handle,
- princ, keyblock_var ? &keyblock : 0);
-#endif
-
- if (ret == OVSEC_KADM_OK) {
- if (keyblock_var) {
- keyblock_dstring = unparse_keyblock(keyblock);
- if (! Tcl_SetVar(interp, keyblock_var,
- keyblock_dstring->string,
- TCL_LEAVE_ERR_MSG)) {
- Tcl_AppendElement(interp,
- "while setting keyblock variable");
- retcode = TCL_ERROR;
- goto finished;
- }
- }
- set_ok(interp, "Key randomized.");
-
- }
- else {
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- }
-
-finished:
- krb5_free_principal(context, princ);
- if (keyblock_dstring) {
- Tcl_DStringFree(keyblock_dstring);
- free(keyblock_dstring);
- }
- return retcode;
-}
-
-
-
-static int tcl_ovsec_kadm_get_principal(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- krb5_principal princ;
- ovsec_kadm_principal_ent_t ent;
- Tcl_DString *ent_dstring = 0;
- char *ent_var;
- char *name;
- krb5_error_code krb5_ret;
- int tcl_ret;
- ovsec_kadm_ret_t ret;
- int retcode = TCL_OK;
-
- GET_HANDLE(2, 1);
-
- if((tcl_ret = parse_str(interp, argv[0], &name)) != TCL_OK)
- return tcl_ret;
- if(name != NULL) {
- if ((krb5_ret = krb5_parse_name(context, name, &princ))) {
- stash_error(interp, krb5_ret);
- Tcl_AppendElement(interp, "while parsing principal name");
- return TCL_ERROR;
- }
- } else princ = NULL;
-
- if ((tcl_ret = parse_str(interp, argv[1], &ent_var)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing entry variable name");
- retcode = TCL_ERROR;
- goto finished;
- }
-
- ret = ovsec_kadm_get_principal(server_handle, princ, ent_var ? &ent : 0);
-
- if (ret == OVSEC_KADM_OK) {
- if (ent_var) {
- if (dostruct) {
- char buf[20];
- int i = 1, newPtr = 0;
- Tcl_HashEntry *entry;
-
- if (! struct_table) {
- if (! (struct_table =
- malloc(sizeof(*struct_table)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
- Tcl_InitHashTable(struct_table, TCL_STRING_KEYS);
- }
-
- do {
- sprintf(buf, "principal%d", i);
- entry = Tcl_CreateHashEntry(struct_table, buf,
- &newPtr);
- i++;
- } while (! newPtr);
-
- Tcl_SetHashValue(entry, ent);
- if (! Tcl_SetVar(interp, ent_var, buf,
- TCL_LEAVE_ERR_MSG)) {
- Tcl_AppendElement(interp,
- "while setting entry variable");
- Tcl_DeleteHashEntry(entry);
- retcode = TCL_ERROR;
- goto finished;
- }
- set_ok(interp, "Principal structure retrieved.");
- }
- else {
- ent_dstring = unparse_principal_ent(ent);
- if (! Tcl_SetVar(interp, ent_var, ent_dstring->string,
- TCL_LEAVE_ERR_MSG)) {
- Tcl_AppendElement(interp,
- "while setting entry variable");
- retcode = TCL_ERROR;
- goto finished;
- }
- set_ok(interp, "Principal retrieved.");
- }
- }
- }
- else {
- ent = 0;
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- }
-
-finished:
- if (ent_dstring) {
- Tcl_DStringFree(ent_dstring);
- free(ent_dstring);
- }
- if(princ != NULL)
- krb5_free_principal(context, princ);
- if (ent && ((! dostruct) || (retcode != TCL_OK))) {
- if ((ret = ovsec_kadm_free_principal_ent(server_handle, ent)) &&
- (retcode == TCL_OK)) {
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- }
- }
- return retcode;
-}
-
-static int tcl_ovsec_kadm_create_policy(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- int tcl_ret;
- ovsec_kadm_ret_t ret;
- int retcode = TCL_OK;
- char *policy_string;
- ovsec_kadm_policy_ent_t policy = 0;
- krb5_int32 mask;
-
- GET_HANDLE(2, 0);
-
- if ((tcl_ret = parse_str(interp, argv[0], &policy_string)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing policy");
- return tcl_ret;
- }
-
- if (policy_string &&
- ((tcl_ret = parse_policy_ent(interp, policy_string, &policy))
- != TCL_OK)) {
- return tcl_ret;
- }
-
- if ((tcl_ret = parse_policy_mask(interp, argv[1], &mask)) != TCL_OK) {
- retcode = tcl_ret;
- goto finished;
- }
-
- ret = ovsec_kadm_create_policy(server_handle, policy, mask);
-
- if (ret != OVSEC_KADM_OK) {
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- goto finished;
- }
- else {
- set_ok(interp, "Policy created.");
- }
-
-finished:
- if (policy) {
- free_policy_ent(&policy);
- }
- return retcode;
-}
-
-
-
-static int tcl_ovsec_kadm_delete_policy(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- ovsec_kadm_ret_t ret;
- char *policy;
-
- GET_HANDLE(1, 0);
-
- if (parse_str(interp, argv[0], &policy) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing policy name");
- return TCL_ERROR;
- }
-
- ret = ovsec_kadm_delete_policy(server_handle, policy);
-
- if (ret != OVSEC_KADM_OK) {
- stash_error(interp, ret);
- return TCL_ERROR;
- }
- else {
- set_ok(interp, "Policy deleted.");
- return TCL_OK;
- }
-}
-
-
-
-static int tcl_ovsec_kadm_modify_policy(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- char *policy_string;
- ovsec_kadm_policy_ent_t policy = 0;
- int tcl_ret;
- krb5_int32 mask;
- int retcode = TCL_OK;
- ovsec_kadm_ret_t ret;
-
- GET_HANDLE(2, 0);
-
- if ((tcl_ret = parse_str(interp, argv[0], &policy_string)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing policy");
- return tcl_ret;
- }
-
- if (policy_string &&
- ((tcl_ret = parse_policy_ent(interp, policy_string, &policy))
- != TCL_OK)) {
- return tcl_ret;
- }
-
- if ((tcl_ret = parse_policy_mask(interp, argv[1], &mask)) != TCL_OK) {
- retcode = TCL_ERROR;
- goto finished;
- }
-
- ret = ovsec_kadm_modify_policy(server_handle, policy, mask);
-
- if (ret != OVSEC_KADM_OK) {
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- }
- else {
- set_ok(interp, "Policy modified.");
- }
-
-finished:
- if (policy) {
- free_policy_ent(&policy);
- }
- return retcode;
-}
-
-
-static int tcl_ovsec_kadm_get_policy(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- ovsec_kadm_policy_ent_t ent = NULL;
- Tcl_DString *ent_dstring = 0;
- char *policy;
- char *ent_var;
- ovsec_kadm_ret_t ret;
- int retcode = TCL_OK;
-
- GET_HANDLE(2, 1);
-
- if (parse_str(interp, argv[0], &policy) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing policy name");
- return TCL_ERROR;
- }
-
- if (parse_str(interp, argv[1], &ent_var) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing entry variable name");
- return TCL_ERROR;
- }
-
- ret = ovsec_kadm_get_policy(server_handle, policy, ent_var ? &ent : 0);
-
- if (ret == OVSEC_KADM_OK) {
- if (ent_var) {
- if (dostruct) {
- char buf[20];
- int i = 1, newPtr = 0;
- Tcl_HashEntry *entry;
-
- if (! struct_table) {
- if (! (struct_table =
- malloc(sizeof(*struct_table)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
- Tcl_InitHashTable(struct_table, TCL_STRING_KEYS);
- }
-
- do {
- sprintf(buf, "policy%d", i);
- entry = Tcl_CreateHashEntry(struct_table, buf,
- &newPtr);
- i++;
- } while (! newPtr);
-
- Tcl_SetHashValue(entry, ent);
- if (! Tcl_SetVar(interp, ent_var, buf,
- TCL_LEAVE_ERR_MSG)) {
- Tcl_AppendElement(interp,
- "while setting entry variable");
- Tcl_DeleteHashEntry(entry);
- retcode = TCL_ERROR;
- goto finished;
- }
- set_ok(interp, "Policy structure retrieved.");
- }
- else {
- ent_dstring = unparse_policy_ent(ent);
- if (! Tcl_SetVar(interp, ent_var, ent_dstring->string,
- TCL_LEAVE_ERR_MSG)) {
- Tcl_AppendElement(interp,
- "while setting entry variable");
- retcode = TCL_ERROR;
- goto finished;
- }
- set_ok(interp, "Policy retrieved.");
- }
- }
- }
- else {
- ent = 0;
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- }
-
-finished:
- if (ent_dstring) {
- Tcl_DStringFree(ent_dstring);
- free(ent_dstring);
- }
- if (ent && ((! dostruct) || (retcode != TCL_OK))) {
- if ((ret = ovsec_kadm_free_policy_ent(server_handle, ent)) &&
- (retcode == TCL_OK)) {
- stash_error(interp, ret);
- retcode = TCL_ERROR;
- }
- }
- return retcode;
-}
-
-
-
-static int tcl_ovsec_kadm_free_principal_ent(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- char *ent_name;
- ovsec_kadm_principal_ent_t ent;
- ovsec_kadm_ret_t ret;
-
- GET_HANDLE(1, 0);
-
- if (parse_str(interp, argv[0], &ent_name) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing entry name");
- return TCL_ERROR;
- }
-
- if ((! ent_name) &&
- (ret = ovsec_kadm_free_principal_ent(server_handle, 0))) {
- stash_error(interp, ret);
- return TCL_ERROR;
- }
- else {
- Tcl_HashEntry *entry;
-
- if (strncmp(ent_name, "principal", sizeof("principal")-1)) {
- Tcl_AppendResult(interp, "invalid principal handle \"",
- ent_name, "\"", 0);
- return TCL_ERROR;
- }
- if (! struct_table) {
- if (! (struct_table = malloc(sizeof(*struct_table)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
- Tcl_InitHashTable(struct_table, TCL_STRING_KEYS);
- }
-
- if (! (entry = Tcl_FindHashEntry(struct_table, ent_name))) {
- Tcl_AppendResult(interp, "principal handle \"", ent_name,
- "\" not found", 0);
- return TCL_ERROR;
- }
-
- ent = (ovsec_kadm_principal_ent_t) Tcl_GetHashValue(entry);
-
- if ((ret = ovsec_kadm_free_principal_ent(server_handle, ent))) {
- stash_error(interp, ret);
- return TCL_ERROR;
- }
- Tcl_DeleteHashEntry(entry);
- }
- set_ok(interp, "Principal freed.");
- return TCL_OK;
-}
-
-
-static int tcl_ovsec_kadm_free_policy_ent(ClientData clientData,
- Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- char *ent_name;
- ovsec_kadm_policy_ent_t ent;
- ovsec_kadm_ret_t ret;
-
- GET_HANDLE(1, 0);
-
- if (parse_str(interp, argv[0], &ent_name) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing entry name");
- return TCL_ERROR;
- }
-
- if ((! ent_name) &&
- (ret = ovsec_kadm_free_policy_ent(server_handle, 0))) {
- stash_error(interp, ret);
- return TCL_ERROR;
- }
- else {
- Tcl_HashEntry *entry;
-
- if (strncmp(ent_name, "policy", sizeof("policy")-1)) {
- Tcl_AppendResult(interp, "invalid principal handle \"",
- ent_name, "\"", 0);
- return TCL_ERROR;
- }
- if (! struct_table) {
- if (! (struct_table = malloc(sizeof(*struct_table)))) {
- fprintf(stderr, "Out of memory!\n");
- exit(1); /* XXX */
- }
- Tcl_InitHashTable(struct_table, TCL_STRING_KEYS);
- }
-
- if (! (entry = Tcl_FindHashEntry(struct_table, ent_name))) {
- Tcl_AppendResult(interp, "policy handle \"", ent_name,
- "\" not found", 0);
- return TCL_ERROR;
- }
-
- ent = (ovsec_kadm_policy_ent_t) Tcl_GetHashValue(entry);
-
- if ((ret = ovsec_kadm_free_policy_ent(server_handle, ent))) {
- stash_error(interp, ret);
- return TCL_ERROR;
- }
- Tcl_DeleteHashEntry(entry);
- }
- set_ok(interp, "Policy freed.");
- return TCL_OK;
-}
-
-
-static int tcl_ovsec_kadm_get_privs(ClientData clientData, Tcl_Interp *interp,
- int argc, const char *argv[])
-{
- const char *set_ret;
- ovsec_kadm_ret_t ret;
- char *priv_var;
- long privs;
-
- GET_HANDLE(1, 0);
-
- if (parse_str(interp, argv[0], &priv_var) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing privs variable name");
- return TCL_ERROR;
- }
-
- ret = ovsec_kadm_get_privs(server_handle, priv_var ? &privs : 0);
-
- if (ret == OVSEC_KADM_OK) {
- if (priv_var) {
- Tcl_DString *str = unparse_privs(privs);
- set_ret = Tcl_SetVar(interp, priv_var, str->string,
- TCL_LEAVE_ERR_MSG);
- Tcl_DStringFree(str);
- free(str);
- if (! set_ret) {
- Tcl_AppendElement(interp, "while setting priv variable");
- return TCL_ERROR;
- }
- }
- set_ok(interp, "Privileges retrieved.");
- return TCL_OK;
- }
- else {
- stash_error(interp, ret);
- return TCL_ERROR;
- }
-}
-
-
-void Tcl_ovsec_kadm_init(Tcl_Interp *interp)
-{
- char buf[20];
-
- Tcl_SetVar(interp, "OVSEC_KADM_ADMIN_SERVICE",
- OVSEC_KADM_ADMIN_SERVICE, TCL_GLOBAL_ONLY);
- Tcl_SetVar(interp, "OVSEC_KADM_CHANGEPW_SERVICE",
- OVSEC_KADM_CHANGEPW_SERVICE, TCL_GLOBAL_ONLY);
- (void) sprintf(buf, "%d", OVSEC_KADM_STRUCT_VERSION);
- Tcl_SetVar(interp, "OVSEC_KADM_STRUCT_VERSION", buf, TCL_GLOBAL_ONLY);
- (void) sprintf(buf, "%d", OVSEC_KADM_API_VERSION_1);
- Tcl_SetVar(interp, "OVSEC_KADM_API_VERSION_1", buf, TCL_GLOBAL_ONLY);
- (void) sprintf(buf, "%d", OVSEC_KADM_API_VERSION_MASK);
- Tcl_SetVar(interp, "OVSEC_KADM_API_VERSION_MASK", buf, TCL_GLOBAL_ONLY);
- (void) sprintf(buf, "%d", OVSEC_KADM_STRUCT_VERSION_MASK);
- Tcl_SetVar(interp, "OVSEC_KADM_STRUCT_VERSION_MASK", buf,
- TCL_GLOBAL_ONLY);
-
- Tcl_CreateCommand(interp, "ovsec_kadm_init", tcl_ovsec_kadm_init, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_destroy", tcl_ovsec_kadm_destroy, 0,
- 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_create_principal",
- tcl_ovsec_kadm_create_principal, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_delete_principal",
- tcl_ovsec_kadm_delete_principal, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_modify_principal",
- tcl_ovsec_kadm_modify_principal, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_rename_principal",
- tcl_ovsec_kadm_rename_principal, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_chpass_principal",
- tcl_ovsec_kadm_chpass_principal, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_chpass_principal_util",
- tcl_ovsec_kadm_chpass_principal_util, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_randkey_principal",
- tcl_ovsec_kadm_randkey_principal, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_get_principal",
- tcl_ovsec_kadm_get_principal, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_create_policy",
- tcl_ovsec_kadm_create_policy, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_delete_policy",
- tcl_ovsec_kadm_delete_policy, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_modify_policy",
- tcl_ovsec_kadm_modify_policy, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_get_policy",
- tcl_ovsec_kadm_get_policy, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_free_principal_ent",
- tcl_ovsec_kadm_free_principal_ent, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_free_policy_ent",
- tcl_ovsec_kadm_free_policy_ent, 0, 0);
- Tcl_CreateCommand(interp, "ovsec_kadm_get_privs",
- tcl_ovsec_kadm_get_privs, 0, 0);
-}
diff --git a/src/kadmin/testing/util/test.c b/src/kadmin/testing/util/test.c
index ef8546debe..7f93eb4603 100644
--- a/src/kadmin/testing/util/test.c
+++ b/src/kadmin/testing/util/test.c
@@ -31,7 +31,6 @@ int *tclDummyMainPtr = (int *) main;
int Tcl_AppInit(Tcl_Interp *interp)
{
- Tcl_ovsec_kadm_init(interp);
Tcl_kadm5_init(interp);
return(TCL_OK);