From 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d Mon Sep 17 00:00:00 2001
From: Sam Hartman <hartmans@mit.edu>
Date: Sat, 3 Jan 2009 23:19:42 +0000
Subject: Merge mskrb-integ onto trunk

The mskrb-integ branch includes support for the following projects:
Projects/Aliases
* Projects/PAC and principal APIs
* Projects/AEAD encryption API
* Projects/GSSAPI DCE
* Projects/RFC 3244

In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions.
In the KDC it includes support for protocol transition, constrained delegation
and a new authorization data interface.
The old authorization data interface is also supported.

This commit merges the mskrb-integ branch on to the trunk.
Additional review and testing is required.

Merge commit 'mskrb-integ' into trunk

ticket: new
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kadmin/server/misc.c | 59 +++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 51 insertions(+), 8 deletions(-)

(limited to 'src/kadmin/server/misc.c')

diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 06e3cdb615..1725fbf7d7 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -6,6 +6,7 @@
 #include    <k5-int.h>
 #include    <kdb.h>
 #include    <kadm5/server_internal.h>
+#include    <kadm5/server_acl.h>
 #include    "misc.h"
 
 /*
@@ -95,19 +96,61 @@ randkey_principal_wrapper_3(void *server_handle,
 }
 
 kadm5_ret_t
-schpw_util_wrapper(void *server_handle, krb5_principal princ,
+schpw_util_wrapper(void *server_handle,
+		   krb5_principal client,
+		   krb5_principal target,
+		   krb5_boolean initial_flag,
 		   char *new_pw, char **ret_pw,
 		   char *msg_ret, unsigned int msg_len)
 {
-    kadm5_ret_t ret;
+    kadm5_ret_t			ret;
+    kadm5_server_handle_t	handle = server_handle;
+    krb5_boolean		access_granted;
+    krb5_boolean		self;
+
+    /*
+     * If no target is explicitly provided, then the target principal
+     * is the client principal.
+     */
+    if (target == NULL)
+	target = client;
+
+    /*
+     * A principal can always change its own password, as long as it
+     * has an initial ticket and meets the minimum password lifetime
+     * requirement.
+     */
+    self = krb5_principal_compare(handle->context, client, target);
+    if (self) {
+	ret = check_min_life(server_handle, target, msg_ret, msg_len);
+	if (ret != 0)
+	    return ret;
 
-    ret = check_min_life(server_handle, princ, msg_ret, msg_len);
-    if (ret)
-	return ret;
+	access_granted = initial_flag;
+    } else
+	access_granted = FALSE;
+
+    if (!access_granted &&
+	kadm5int_acl_check_krb(handle->context, client,
+			       ACL_CHANGEPW, target, NULL)) {
+	/*
+	 * Otherwise, principals with appropriate privileges can change
+	 * any password
+	 */
+	access_granted = TRUE;
+    }
+
+    if (access_granted) {
+	ret = kadm5_chpass_principal_util(server_handle,
+					  target,
+					  new_pw, ret_pw,
+					  msg_ret, msg_len);
+    } else {
+	ret = KADM5_AUTH_CHANGEPW;
+	strlcpy(msg_ret, "Unauthorized request", msg_len);
+    }
 
-    return kadm5_chpass_principal_util(server_handle, princ,
-				       new_pw, ret_pw,
-				       msg_ret, msg_len);
+    return ret;
 }
 
 kadm5_ret_t
-- 
cgit