summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2012-10-18 16:14:40 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-11-05 00:14:05 +0100
commitc0680269167475aa9172b20d13ec3ace721a37ff (patch)
treeee3034c1e7a3479e59963c0fc5c5b4bccf00eda0 /src
parent74254ab3c4d6b9ca63488245bc88db7cf7689084 (diff)
downloadsssd-c0680269167475aa9172b20d13ec3ace721a37ff.tar.gz
sssd-c0680269167475aa9172b20d13ec3ace721a37ff.tar.xz
sssd-c0680269167475aa9172b20d13ec3ace721a37ff.zip
krb5_auth: check if principal belongs to a different realm
Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
Diffstat (limited to 'src')
-rw-r--r--src/providers/krb5/krb5_auth.c7
-rw-r--r--src/providers/krb5/krb5_auth.h1
-rw-r--r--src/providers/krb5/krb5_common.c31
-rw-r--r--src/providers/krb5/krb5_common.h4
-rw-r--r--src/tests/krb5_utils-tests.c45
5 files changed, 88 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index c98535b1d..72f0711eb 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -427,6 +427,13 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
DEBUG(1, ("krb5_get_simple_upn failed.\n"));
goto done;
}
+ } else {
+ ret = compare_principal_realm(kr->upn, realm,
+ &kr->upn_from_different_realm);
+ if (ret != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("compare_principal_realm failed.\n"));
+ goto done;
+ }
}
kr->homedir = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_HOMEDIR,
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index cc079ba93..a23b8b47d 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -54,6 +54,7 @@ struct krb5child_req {
bool active_ccache_present;
bool valid_tgt_present;
bool run_as_user;
+ bool upn_from_different_realm;
};
errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 006dac1ce..45f126f7b 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -881,3 +881,34 @@ errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
*_upn = upn;
return EOK;
}
+
+errno_t compare_principal_realm(const char *upn, const char *realm,
+ bool *different_realm)
+{
+ size_t upn_len;
+ size_t realm_len;
+ char *at_sign;
+
+ if (upn == NULL || realm == NULL || different_realm == NULL) {
+ return EINVAL;
+ }
+
+ upn_len = strlen(upn);
+ realm_len = strlen(realm);
+ at_sign = strchr(upn, '@');
+
+ /* if coming from the same realm the upn must be at least the size of the
+ * realm plus 1 for the '@' char. */
+ if (upn_len == 0 || realm_len == 0 || upn_len <= realm_len + 1 ||
+ at_sign == NULL) {
+ return EINVAL;
+ }
+
+ if (strcmp(realm, at_sign + 1) == 0) {
+ *different_realm = false;
+ } else {
+ *different_realm = true;
+ }
+
+ return EOK;
+}
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 51bd26773..bc63bf983 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -177,6 +177,10 @@ errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm);
errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
const char *username, const char **_upn);
+errno_t compare_principal_realm(const char *upn, const char *realm,
+ bool *different_realm);
+
+
int sssm_krb5_auth_init(struct be_ctx *bectx,
struct bet_ops **ops,
void **pvt_auth_data);
diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c
index 5fee4544b..636bcd403 100644
--- a/src/tests/krb5_utils-tests.c
+++ b/src/tests/krb5_utils-tests.c
@@ -673,6 +673,47 @@ START_TEST(test_no_substitution)
}
END_TEST
+START_TEST(test_compare_principal_realm)
+{
+ int ret;
+ bool different_realm;
+
+ ret = compare_principal_realm(NULL, "a", &different_realm);
+ fail_unless(ret == EINVAL, "NULL upn does not cause EINVAL.");
+
+ ret = compare_principal_realm("a", NULL, &different_realm);
+ fail_unless(ret == EINVAL, "NULL realm does not cause EINVAL.");
+
+ ret = compare_principal_realm("a", "b", NULL);
+ fail_unless(ret == EINVAL, "NULL different_realmbool " \
+ "does not cause EINVAL.");
+
+ ret = compare_principal_realm("", "a", &different_realm);
+ fail_unless(ret == EINVAL, "Empty upn does not cause EINVAL.");
+
+ ret = compare_principal_realm("a", "", &different_realm);
+ fail_unless(ret == EINVAL, "Empty realm does not cause EINVAL.");
+
+ ret = compare_principal_realm("ABC", "ABC", &different_realm);
+ fail_unless(ret == EINVAL, "Short UPN does not cause EINVAL.");
+
+ ret = compare_principal_realm("userABC", "ABC", &different_realm);
+ fail_unless(ret == EINVAL, "Missing '@' does not cause EINVAL.");
+
+ fail_unless(different_realm == false, "Same realm but " \
+ "different_realm is not false.");
+ ret = compare_principal_realm("user@ABC", "ABC", &different_realm);
+ fail_unless(ret == EOK, "Failure with same realm");
+ fail_unless(different_realm == false, "Same realm but " \
+ "different_realm is not false.");
+
+ ret = compare_principal_realm("user@ABC", "DEF", &different_realm);
+ fail_unless(ret == EOK, "Failure with different realm");
+ fail_unless(different_realm == true, "Different realm but " \
+ "different_realm is not true.");
+}
+END_TEST
+
Suite *krb5_utils_suite (void)
{
Suite *s = suite_create ("krb5_utils");
@@ -713,6 +754,10 @@ Suite *krb5_utils_suite (void)
}
suite_add_tcase (s, tc_create_dir);
+ TCase *tc_krb5_helpers = tcase_create("Helper functions");
+ tcase_add_test(tc_krb5_helpers, test_compare_principal_realm);
+ suite_add_tcase(s, tc_krb5_helpers);
+
return s;
}