authorGreg Hudson <ghudson@mit.edu>2013-07-19 10:08:08 -0400
committerGreg Hudson <ghudson@mit.edu>2013-07-19 10:08:08 -0400
commit9a735044d70304f22a013a81ab5c2901a64d3719 (patch)
tree47bc12ba6f796c2970abbc2867b281cbccad0943
parent4fb415e9357b6fb9593dc9b52aa93ffe85524806 (diff)
Allow self-service for kadmin purgekeys RPC
Make the purgekeys RPC allow self-service, like the chpass and chrand RPCs. ticket: 7681 (new)
-rw-r--r--src/kadmin/server/server_stubs.c7
-rw-r--r--src/tests/t_kadmin_acl.py3
2 files changed, 7 insertions, 3 deletions
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 0de627f47..eb50c2f7b 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -1579,9 +1579,10 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
goto exit_func;
}
- if (CHANGEPW_SERVICE(rqstp)
- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
- arg->princ, NULL)) {
+ if (!cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
+ (CHANGEPW_SERVICE(rqstp)
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
+ arg->princ, NULL))) {
ret.code = KADM5_AUTH_MODIFY;
log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp);
} else {
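Review bot: The new `!cmp_gss_krb5_name(...) &&` guard in purgekeys_2_svc short-circuits the `CHANGEPW_SERVICE(rqstp)` restriction as well as the `ACL_MODIFY` check, so a client that matches `arg->princ` is authorized even on the password-change service, and nothing in the code says this is intended. A comment above the condition would record it, for example `/* Self-service: a principal may purge its own old keys without ACL_MODIFY, even via the changepw service (as for chpass and chrand). */`. The hunk does not show whether self-service requests are limited to initial tickets; if they are not, credentials obtained through a forwarded or otherwise non-initial ticket could discard a principal's old keys, which is worth confirming against how chpass and chrand handle it. The function body starts and ends outside this hunk, and the added case in t_kadmin_acl.py appears to exercise only one service path, so a self-service purge over the changepw service looks untested.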
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index 1d7b1d098..32e57b896 100644
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -260,6 +260,9 @@ if 'Operation requires ``modify\'\' privilege' not in out:
out = kadmin_as(some_modify, 'purgekeys unselected')
if 'Operation requires ``modify\'\' privilege' not in out:
fail('purgekeys failure (target)')
+out = kadmin_as(none, 'purgekeys none')
+if 'Old keys for principal "none@KRBTEST.COM" purged' not in out:
+ fail('purgekeys success (self exemption)')
delprinc('selected')
delprinc('unselected')