/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* include/krb5/kdcpolicy_plugin.h - KDC policy plugin interface */
/*
 * Copyright (C) 2017 by Red Hat, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * * Redistributions of source code must retain the above copyright
 *   notice, this list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in
 *   the documentation and/or other materials provided with the
 *   distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * KDC policy module registered under the name "test".  It rejects AS
 * requests whose client principal, and TGS requests whose server principal,
 * has "fail" as its first component, and it derives ticket lifetime limits
 * from the first authentication indicator.
 *
 * NOTE(review): the one-line description at the top of this file names the
 * plugin interface header, but this file implements a module against that
 * interface -- confirm the intended path and description.
 */

#include "k5-int.h"
#include "kdb.h"
#include <krb5/kdcpolicy_plugin.h>

/*
 * Translate the first authentication indicator into lifetime limits.
 *
 * Only auth_indicators[0] is examined; any further indicators are ignored.
 * auth_indicators itself is dereferenced without a NULL check, so it is
 * assumed to be a valid NULL-terminated list (TODO confirm against caller).
 *
 *   - No indicator: *status is cleared and 0 is returned.  The lifetime
 *     outputs are not written, so whatever the caller stored there stands.
 *   - "ONE_HOUR" / "SEVEN_HOURS": *lifetime_out is set to that many seconds
 *     divided by divisor, *renew_lifetime_out to twice *lifetime_out, and 0
 *     is returned.  *status is not written on this path.
 *   - Anything else: the request is denied (fail closed) with *status set to
 *     "LOCAL_POLICY" and KRB5KDC_ERR_POLICY returned.
 *
 * divisor must be non-zero; the callers in this file pass 1 and 2.
 */
static krb5_error_code
output_from_indicator(const char *const *auth_indicators, int divisor,
                      krb5_deltat *lifetime_out,
                      krb5_deltat *renew_lifetime_out,
                      const char **status)
{
    const char *first = auth_indicators[0];
    int base_secs;

    if (first == NULL) {
        *status = NULL;
        return 0;
    }

    if (strcmp(first, "ONE_HOUR") == 0) {
        base_secs = 3600;
    } else if (strcmp(first, "SEVEN_HOURS") == 0) {
        base_secs = 7 * 3600;
    } else {
        /* Unrecognized indicator: deny rather than grant a default. */
        *status = "LOCAL_POLICY";
        return KRB5KDC_ERR_POLICY;
    }

    *lifetime_out = base_secs / divisor;
    *renew_lifetime_out = *lifetime_out * 2;
    return 0;
}

/*
 * Return non-zero if princ is non-NULL, has at least one component, and its
 * first component equals "fail".
 */
static int
first_component_is_fail(krb5_const_principal princ)
{
    if (princ == NULL || princ->length < 1)
        return 0;
    return data_eq_string(princ->data[0], "fail");
}

/*
 * AS policy check: deny when the requested client principal's first
 * component is "fail"; otherwise apply the indicator-based lifetimes with a
 * divisor of 1.  context, moddata, client and server are unused.
 */
static krb5_error_code
test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
              const krb5_kdc_req *request, const krb5_db_entry *client,
              const krb5_db_entry *server, const char *const *auth_indicators,
              const char **status, krb5_deltat *lifetime_out,
              krb5_deltat *renew_lifetime_out)
{
    if (!first_component_is_fail(request->client)) {
        return output_from_indicator(auth_indicators, 1, lifetime_out,
                                     renew_lifetime_out, status);
    }

    *status = "LOCAL_POLICY";
    return KRB5KDC_ERR_POLICY;
}

/*
 * TGS policy check: deny when the requested server principal's first
 * component is "fail"; otherwise apply the indicator-based lifetimes with a
 * divisor of 2.  context, moddata, server and ticket are unused.
 */
static krb5_error_code
test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
               const krb5_kdc_req *request, const krb5_db_entry *server,
               const krb5_ticket *ticket, const char *const *auth_indicators,
               const char **status, krb5_deltat *lifetime_out,
               krb5_deltat *renew_lifetime_out)
{
    if (!first_component_is_fail(request->server)) {
        return output_from_indicator(auth_indicators, 2, lifetime_out,
                                     renew_lifetime_out, status);
    }

    *status = "LOCAL_POLICY";
    return KRB5KDC_ERR_POLICY;
}

/* Declared here because no header visible in this file declares it. */
krb5_error_code
kdcpolicy_test_initvt(krb5_context context, int maj_ver, int min_ver,
                      krb5_plugin_vtable vtable);

/*
 * Fill in the kdcpolicy vtable for the "test" module.
 *
 * Returns KRB5_PLUGIN_VER_NOTSUPP unless maj_ver is 1; min_ver is not
 * consulted.  Only the name, check_as and check_tgs members are assigned;
 * every other member keeps the value the caller supplied.
 */
krb5_error_code
kdcpolicy_test_initvt(krb5_context context, int maj_ver, int min_ver,
                      krb5_plugin_vtable vtable)
{
    /* The cast alone does not touch the vtable; writes happen only after
     * the version check below. */
    krb5_kdcpolicy_vtable vt = (krb5_kdcpolicy_vtable)vtable;

    if (maj_ver != 1)
        return KRB5_PLUGIN_VER_NOTSUPP;

    vt->name = "test";
    vt->check_as = test_check_as;
    vt->check_tgs = test_check_tgs;
    return 0;
}