xref: /freebsd/crypto/krb5/src/kadmin/server/auth_self.c (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9) 
1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* kadmin/server/auth_self.c - self-service kadm5_auth module */
3 /*
4  * Copyright (C) 2017 by the Massachusetts Institute of Technology.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * * Redistributions of source code must retain the above copyright
12  *   notice, this list of conditions and the following disclaimer.
13  *
14  * * Redistributions in binary form must reproduce the above copyright
15  *   notice, this list of conditions and the following disclaimer in
16  *   the documentation and/or other materials provided with the
17  *   distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23  * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
24  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
28  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
30  * OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include "k5-int.h"
34 #include <kadm5/admin.h>
35 #include <krb5/kadm5_auth_plugin.h>
36 #include "auth.h"
37 
38 /* Authorize a principal to operate on itself.  Applies to cpw, chrand,
39  * purgekeys, getprinc, and getstrs. */
40 static krb5_error_code
self_compare(krb5_context context,kadm5_auth_moddata data,krb5_const_principal client,krb5_const_principal target)41 self_compare(krb5_context context, kadm5_auth_moddata data,
42              krb5_const_principal client, krb5_const_principal target)
43 {
44     if (krb5_principal_compare(context, client, target))
45         return 0;
46     return KRB5_PLUGIN_NO_HANDLE;
47 }
48 
49 /* Authorize a principal to get the policy record for its own policy. */
50 static krb5_error_code
self_getpol(krb5_context context,kadm5_auth_moddata data,krb5_const_principal client,const char * policy,const char * client_policy)51 self_getpol(krb5_context context, kadm5_auth_moddata data,
52             krb5_const_principal client, const char *policy,
53             const char *client_policy)
54 {
55     if (client_policy != NULL && strcmp(policy, client_policy) == 0)
56         return 0;
57     return KRB5_PLUGIN_NO_HANDLE;
58 }
59 
60 krb5_error_code
kadm5_auth_self_initvt(krb5_context context,int maj_ver,int min_ver,krb5_plugin_vtable vtable)61 kadm5_auth_self_initvt(krb5_context context, int maj_ver, int min_ver,
62                        krb5_plugin_vtable vtable)
63 {
64     kadm5_auth_vtable vt;
65 
66     if (maj_ver != 1)
67         return KRB5_PLUGIN_VER_NOTSUPP;
68     vt = (kadm5_auth_vtable)vtable;
69     vt->name = "self";
70     vt->cpw = self_compare;
71     vt->chrand = self_compare;
72     vt->purgekeys = self_compare;
73     vt->getprinc = self_compare;
74     vt->getstrs = self_compare;
75     vt->getpol = self_getpol;
76     return 0;
77 }
78