1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* kadmin/server/auth.c - kadm5_auth pluggable interface consumer */
3 /*
4 * Copyright (C) 2017 by the Massachusetts Institute of Technology.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * * Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * * Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30 * OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include "k5-int.h"
34 #include <kadm5/admin.h>
35 #include <krb5/kadm5_auth_plugin.h>
36 #include "auth.h"
37
38 typedef struct {
39 struct kadm5_auth_vtable_st vt;
40 kadm5_auth_moddata data;
41 } *auth_handle;
42
43 static auth_handle *handles;
44
45 void
auth_fini(krb5_context context)46 auth_fini(krb5_context context)
47 {
48 auth_handle *hp, h;
49
50 if (handles == NULL)
51 return;
52 for (hp = handles; *hp != NULL; hp++) {
53 h = *hp;
54 if (h->vt.fini != NULL)
55 h->vt.fini(context, h->data);
56 free(h);
57 }
58 free(handles);
59 handles = NULL;
60 }
61
62 krb5_error_code
auth_init(krb5_context context,const char * acl_file)63 auth_init(krb5_context context, const char *acl_file)
64 {
65 krb5_error_code ret;
66 krb5_plugin_initvt_fn *modules = NULL, *mod;
67 size_t count;
68 auth_handle h = NULL;
69 const int intf = PLUGIN_INTERFACE_KADM5_AUTH;
70
71 ret = k5_plugin_register(context, intf, "acl", kadm5_auth_acl_initvt);
72 if (ret)
73 goto cleanup;
74 ret = k5_plugin_register(context, intf, "self", kadm5_auth_self_initvt);
75 if (ret)
76 goto cleanup;
77 ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KADM5_AUTH, &modules);
78 if (ret)
79 goto cleanup;
80
81 /* Allocate a large enough list of handles. */
82 for (count = 0; modules[count] != NULL; count++);
83 handles = k5calloc(count + 1, sizeof(*handles), &ret);
84 if (handles == NULL)
85 goto cleanup;
86
87 /* For each module, allocate a handle, initialize its vtable, and
88 * initialize its module data. */
89 count = 0;
90 for (mod = modules; *mod != NULL; mod++) {
91 h = k5alloc(sizeof(*h), &ret);
92 if (h == NULL)
93 goto cleanup;
94 ret = (*mod)(context, 1, 2, (krb5_plugin_vtable)&h->vt);
95 if (ret) { /* Failed vtable init is non-fatal. */
96 TRACE_KADM5_AUTH_VTINIT_FAIL(context, ret);
97 free(h);
98 h = NULL;
99 continue;
100 }
101 h->data = NULL;
102 if (h->vt.init != NULL) {
103 ret = h->vt.init(context, acl_file, &h->data);
104 if (ret == KRB5_PLUGIN_NO_HANDLE) {
105 TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name);
106 free(h);
107 h = NULL;
108 continue;
109 }
110 if (ret) {
111 TRACE_KADM5_AUTH_INIT_FAIL(context, h->vt.name, ret);
112 goto cleanup;
113 }
114 }
115 handles[count++] = h;
116 handles[count] = NULL;
117 h = NULL;
118 }
119
120 ret = 0;
121
122 cleanup:
123 if (ret)
124 auth_fini(context);
125 free(h);
126 k5_plugin_free_modules(context, modules);
127 return ret;
128 }
129
130 /* Invoke the appropriate method from h->vt for opcode, passing client and the
131 * correct subset of p1, p2, s1, s2, polent, and mask for the method. */
132 static krb5_error_code
call_module(krb5_context context,auth_handle h,int opcode,krb5_const_principal client,krb5_const_principal p1,krb5_const_principal p2,const char * s1,const char * s2,const kadm5_policy_ent_rec * polent,long mask)133 call_module(krb5_context context, auth_handle h, int opcode,
134 krb5_const_principal client, krb5_const_principal p1,
135 krb5_const_principal p2, const char *s1, const char *s2,
136 const kadm5_policy_ent_rec *polent, long mask)
137 {
138 /* addprinc and modprinc are handled through auth_restrict(). */
139 assert(opcode != OP_ADDPRINC && opcode != OP_MODPRINC);
140
141 if (opcode == OP_SETSTR && h->vt.setstr != NULL)
142 return h->vt.setstr(context, h->data, client, p1, s1, s2);
143 else if (opcode == OP_CPW && h->vt.cpw != NULL)
144 return h->vt.cpw(context, h->data, client, p1);
145 else if (opcode == OP_CHRAND && h->vt.chrand != NULL)
146 return h->vt.chrand(context, h->data, client, p1);
147 else if (opcode == OP_SETKEY && h->vt.setkey != NULL)
148 return h->vt.setkey(context, h->data, client, p1);
149 else if (opcode == OP_PURGEKEYS && h->vt.purgekeys != NULL)
150 return h->vt.purgekeys(context, h->data, client, p1);
151 else if (opcode == OP_DELPRINC && h->vt.delprinc != NULL)
152 return h->vt.delprinc(context, h->data, client, p1);
153 else if (opcode == OP_RENPRINC && h->vt.renprinc != NULL)
154 return h->vt.renprinc(context, h->data, client, p1, p2);
155 else if (opcode == OP_GETPRINC && h->vt.getprinc != NULL)
156 return h->vt.getprinc(context, h->data, client, p1);
157 else if (opcode == OP_GETSTRS && h->vt.getstrs != NULL)
158 return h->vt.getstrs(context, h->data, client, p1);
159 else if (opcode == OP_EXTRACT && h->vt.extract != NULL)
160 return h->vt.extract(context, h->data, client, p1);
161 else if (opcode == OP_LISTPRINCS && h->vt.listprincs != NULL)
162 return h->vt.listprincs(context, h->data, client);
163 else if (opcode == OP_ADDPOL && h->vt.addpol != NULL)
164 return h->vt.addpol(context, h->data, client, s1, polent, mask);
165 else if (opcode == OP_MODPOL && h->vt.modpol != NULL)
166 return h->vt.modpol(context, h->data, client, s1, polent, mask);
167 else if (opcode == OP_DELPOL && h->vt.delpol != NULL)
168 return h->vt.delpol(context, h->data, client, s1);
169 else if (opcode == OP_GETPOL && h->vt.getpol != NULL)
170 return h->vt.getpol(context, h->data, client, s1, s2);
171 else if (opcode == OP_LISTPOLS && h->vt.listpols != NULL)
172 return h->vt.listpols(context, h->data, client);
173 else if (opcode == OP_IPROP && h->vt.iprop != NULL)
174 return h->vt.iprop(context, h->data, client);
175 else if (opcode == OP_ADDALIAS && h->vt.addalias != NULL)
176 return h->vt.addalias(context, h->data, client, p1, p2);
177
178 return KRB5_PLUGIN_NO_HANDLE;
179 }
180
181 krb5_boolean
auth(krb5_context context,int opcode,krb5_const_principal client,krb5_const_principal p1,krb5_const_principal p2,const char * s1,const char * s2,const kadm5_policy_ent_rec * polent,long mask)182 auth(krb5_context context, int opcode, krb5_const_principal client,
183 krb5_const_principal p1, krb5_const_principal p2, const char *s1,
184 const char *s2, const kadm5_policy_ent_rec *polent, long mask)
185 {
186 krb5_error_code ret;
187 krb5_boolean authorized = FALSE;
188 auth_handle *hp, h;
189
190 for (hp = handles; *hp != NULL; hp++) {
191 h = *hp;
192
193 ret = call_module(context, h, opcode, client, p1, p2, s1, s2,
194 polent, mask);
195 if (!ret)
196 authorized = TRUE;
197 else if (ret != KRB5_PLUGIN_NO_HANDLE)
198 return FALSE;
199 }
200
201 return authorized;
202 }
203
204 /* Impose restrictions, modifying *ent and *mask. */
205 static krb5_error_code
impose_restrictions(krb5_context context,const struct kadm5_auth_restrictions * rs,kadm5_principal_ent_t ent,long * mask)206 impose_restrictions(krb5_context context,
207 const struct kadm5_auth_restrictions *rs,
208 kadm5_principal_ent_t ent, long *mask)
209 {
210 krb5_error_code ret;
211 krb5_timestamp now;
212
213 if (rs == NULL)
214 return 0;
215 if (rs->mask & (KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION)) {
216 ret = krb5_timeofday(context, &now);
217 if (ret)
218 return ret;
219 }
220
221 if (rs->mask & KADM5_ATTRIBUTES) {
222 ent->attributes |= rs->require_attrs;
223 ent->attributes &= rs->forbid_attrs;
224 *mask |= KADM5_ATTRIBUTES;
225 }
226 if (rs->mask & KADM5_POLICY_CLR) {
227 *mask &= ~KADM5_POLICY;
228 *mask |= KADM5_POLICY_CLR;
229 } else if (rs->mask & KADM5_POLICY) {
230 if (ent->policy != NULL && strcmp(ent->policy, rs->policy) != 0) {
231 free(ent->policy);
232 ent->policy = NULL;
233 }
234 if (ent->policy == NULL) {
235 ent->policy = strdup(rs->policy);
236 if (ent->policy == NULL)
237 return ENOMEM;
238 }
239 *mask |= KADM5_POLICY;
240 }
241 if (rs->mask & KADM5_PRINC_EXPIRE_TIME) {
242 if (!(*mask & KADM5_PRINC_EXPIRE_TIME) ||
243 ts_after(ent->princ_expire_time, ts_incr(now, rs->princ_lifetime)))
244 ent->princ_expire_time = now + rs->princ_lifetime;
245 *mask |= KADM5_PRINC_EXPIRE_TIME;
246 }
247 if (rs->mask & KADM5_PW_EXPIRATION) {
248 if (!(*mask & KADM5_PW_EXPIRATION) ||
249 ts_after(ent->pw_expiration, ts_incr(now, rs->pw_lifetime)))
250 ent->pw_expiration = now + rs->pw_lifetime;
251 *mask |= KADM5_PW_EXPIRATION;
252 }
253 if (rs->mask & KADM5_MAX_LIFE) {
254 if (!(*mask & KADM5_MAX_LIFE) || ent->max_life > rs->max_life)
255 ent->max_life = rs->max_life;
256 *mask |= KADM5_MAX_LIFE;
257 }
258 if (rs->mask & KADM5_MAX_RLIFE) {
259 if (!(*mask & KADM5_MAX_RLIFE) ||
260 ent->max_renewable_life > rs->max_renewable_life)
261 ent->max_renewable_life = rs->max_renewable_life;
262 *mask |= KADM5_MAX_RLIFE;
263 }
264 return 0;
265 }
266
267 krb5_boolean
auth_restrict(krb5_context context,int opcode,krb5_const_principal client,krb5_const_principal target,kadm5_principal_ent_t ent,long * mask)268 auth_restrict(krb5_context context, int opcode, krb5_const_principal client,
269 krb5_const_principal target, kadm5_principal_ent_t ent,
270 long *mask)
271 {
272 auth_handle *hp, h;
273 krb5_boolean authorized = FALSE;
274 krb5_error_code ret, rs_ret;
275 struct kadm5_auth_restrictions *rs;
276
277 assert(opcode == OP_ADDPRINC || opcode == OP_MODPRINC);
278 for (hp = handles; *hp != NULL; hp++) {
279 h = *hp;
280
281 ret = KRB5_PLUGIN_NO_HANDLE;
282 rs = NULL;
283 if (opcode == OP_ADDPRINC && h->vt.addprinc != NULL) {
284 ret = h->vt.addprinc(context, h->data, client, target, ent, *mask,
285 &rs);
286 } else if (opcode == OP_MODPRINC && h->vt.modprinc != NULL) {
287 ret = h->vt.modprinc(context, h->data, client, target, ent, *mask,
288 &rs);
289 }
290 if (rs != NULL) {
291 rs_ret = impose_restrictions(context, rs, ent, mask);
292 if (h->vt.free_restrictions != NULL)
293 h->vt.free_restrictions(context, h->data, rs);
294 if (rs_ret)
295 return FALSE;
296 }
297 if (!ret)
298 authorized = TRUE;
299 else if (ret != KRB5_PLUGIN_NO_HANDLE)
300 return FALSE;
301 }
302
303 return authorized;
304 }
305
306 void
auth_end(krb5_context context)307 auth_end(krb5_context context)
308 {
309 auth_handle *hp, h;
310
311 for (hp = handles; *hp != NULL; hp++) {
312 h = *hp;
313 if (h->vt.end != NULL)
314 h->vt.end(context, h->data);
315 }
316 }
317