authorTom Yu <tlyu@mit.edu>2010-10-08 03:57:28 +0000
committerTom Yu <tlyu@mit.edu>2010-10-08 03:57:28 +0000
commit1cc59c12550c828d487c622990d83481e8bbb6c5 (patch)
treea22d50f4041bfa23ad1001bfa6164626602885ac /src/kadmin/cli/kadmin.c
parentbd7b3a76ef6ca5485ec8a8b2de4a2a5170356f84 (diff)
Add a kadm5 RPC for purging old keys from the KDB (e.g., from
change_password -keepold), and add a kadmin CLI command for it. Keeping ticket open because an automated test needs to be added. Long-term future work includes start/expire dates on keys, or not-yet-valid flags. ticket: 1219 status: open target_version: 1.9 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24442 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/cli/kadmin.c')
-rw-r--r--src/kadmin/cli/kadmin.c47
1 files changed, 47 insertions, 0 deletions
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index ff6eeca6b..bf37bbedb 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -1742,3 +1742,50 @@ kadmin_getprivs(int argc, char *argv[])
}
printf("\n");
}
+
+void
+kadmin_purgekeys(int argc, char *argv[])
+{
+ kadm5_ret_t retval;
+ int keepkvno = -1;
+ char *pname = NULL, *canon = NULL;
+ krb5_principal princ;
+
+ if (argc == 4 && strcmp(argv[1], "-keepkvno") == 0) {
+ keepkvno = atoi(argv[2]);
+ pname = argv[3];
+ }
+ if (argc == 2) {
+ pname = argv[1];
+ }
+ if (pname == NULL) {
+ fprintf(stderr, "usage: purgekeys [-keepkvno oldest_kvno_to_keep] "
+ "principal\n");
+ return;
+ }
+
+ retval = kadmin_parse_name(pname, &princ);
+ if (retval) {
+ com_err("purgekeys", retval, "while parsing principal");
+ return;
+ }
+
+ retval = krb5_unparse_name(context, princ, &canon);
+ if (retval) {
+ com_err("purgekeys", retval, "while canonicalizing principal");
+ goto cleanup;
+ }
+
+ retval = kadm5_purgekeys(handle, princ, keepkvno);
+ if (retval) {
+ com_err("purgekeys", retval,
+ "while purging keys for principal \"%s\"", canon);
+ goto cleanup;
+ }
+
+ printf("Old keys for principal \"%s\" purged.\n", canon);
+cleanup:
+ krb5_free_principal(context, princ);
+ free(canon);
+ return;
+}
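Review bot: The `-keepkvno` value is taken with `keepkvno = atoi(argv[2]);` and never validated, so a mistyped or non-numeric argument silently becomes 0 (an out-of-range one is undefined behaviour) and is then handed to `kadm5_purgekeys()`, which destroys key material. Parsing with `strtol`, checking the end pointer and the range, and returning with an error would make the command fail closed instead of purging with an unintended kvno. The sketch below also rejects negative values on the assumption that -1 is reserved as the internal "no kvno given" default; confirm that against the kadm5_purgekeys contract. It relies on `errno` and `INT_MAX` being in scope in kadmin.c, and a one-line comment on `int keepkvno = -1;` stating what -1 means to the RPC would help the next reader.

```c
    if (argc == 4 && strcmp(argv[1], "-keepkvno") == 0) {
        char *end;
        long val;

        errno = 0;
        val = strtol(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || errno == ERANGE ||
            val < 0 || val > INT_MAX) {
            fprintf(stderr, "purgekeys: invalid kvno \"%s\"\n", argv[2]);
            return;
        }
        keepkvno = (int)val;
        pname = argv[3];
    }
    /* ... unchanged: argc == 2 case, usage message, principal parsing, kadm5_purgekeys call, cleanup ... */
```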