Diffstat (limited to 'src/modules/UserConfigBackendKrb5/UserConfigBackendKrb5.cpp')
-rw-r--r--src/modules/UserConfigBackendKrb5/UserConfigBackendKrb5.cpp189
1 files changed, 189 insertions, 0 deletions
diff --git a/src/modules/UserConfigBackendKrb5/UserConfigBackendKrb5.cpp b/src/modules/UserConfigBackendKrb5/UserConfigBackendKrb5.cpp
new file mode 100644
index 0000000..5a577ad
--- /dev/null
+++ b/src/modules/UserConfigBackendKrb5/UserConfigBackendKrb5.cpp
@@ -0,0 +1,189 @@
+/*
+ * UserConfigBackendKrb5.cpp
+ *
+ * Copyright (C) 2009 Matthias Schiffer <matthias@gamezock.de>
+ *
+ * This program is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License along
+ * with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "UserConfigBackendKrb5.h"
+#include <Core/ConfigEntry.h>
+
+#include <cstring>
+
+namespace Mad {
+namespace Modules {
+namespace UserConfigBackendKrb5 {
+
+bool UserConfigBackendKrb5::connect() {
+ if(principal.empty()) {
+ application->log(Core::LoggerBase::USER, Core::LoggerBase::ERROR, "UserConfigBackendKrb5: no principal given");
+ return false;
+ }
+
+ if(realm.empty()) {
+ application->log(Core::LoggerBase::USER, Core::LoggerBase::ERROR, "UserConfigBackendKrb5: no realm given and no default realm available");
+ return false;
+ }
+
+ if(handle) {
+ kadm5_destroy(handle);
+ handle = 0;
+ }
+
+ kadm5_config_params params;
+ params.realm = const_cast<char*>(realm.c_str());
+ params.mask = KADM5_CONFIG_REALM;
+
+ if(!server.empty()) {
+ params.admin_server = const_cast<char*>(server.c_str());
+ params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+ }
+
+ std::string princ = principal;
+ if(princ.find('@') == std::string::npos)
+ princ += "@" + realm;
+
+ if(!password.empty() && keytab.empty()) {
+ krb5_error_code err = kadm5_init_with_password(const_cast<char*>(princ.c_str()), const_cast<char*>(password.c_str()),
+ const_cast<char*>(KADM5_ADMIN_SERVICE), &params, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, 0, &handle);
+
+ if(err) {
+ application->logf(Core::LoggerBase::USER, Core::LoggerBase::ERROR, "kadm5_init_with_password: %s", std::strerror(err));
+ return false;
+ }
+ }
+ else {
+ char *keytabName = 0;
+ if(!keytab.empty())
+ keytabName = const_cast<char*>(keytab.c_str());
+
+ krb5_error_code err = kadm5_init_with_skey(const_cast<char*>(princ.c_str()), keytabName,
+ const_cast<char*>(KADM5_ADMIN_SERVICE), &params, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, 0, &handle);
+
+ if(err) {
+ application->logf(Core::LoggerBase::USER, Core::LoggerBase::ERROR, "kadm5_init_with_skey: %s", std::strerror(err));
+ return false;
+ }
+ }
+
+ application->log(Core::LoggerBase::USER, Core::LoggerBase::VERBOSE, "Connected to kerberos admin server.");
+ return true;
+}
+
+bool UserConfigBackendKrb5::handleConfigEntry(const Core::ConfigEntry &entry, bool /*handled*/) {
+ if(!entry[0].getKey().matches("UserManager"))
+ return false;
+
+ if(entry[1].empty())
+ return true;
+
+ if(!entry[1].getKey().matches("Krb5"))
+ return false;
+
+ if(entry[2].getKey().matches("Realm")) {
+ if(entry[3].empty())
+ realm = entry[2][0];
+ }
+ else if(entry[2].getKey().matches("Principal")) {
+ if(entry[3].empty())
+ principal = entry[2][0];
+ }
+ else if(entry[2].getKey().matches("Server")) {
+ if(entry[3].empty())
+ server = entry[2][0];
+ }
+ else if(entry[2].getKey().matches("Password")) {
+ if(entry[3].empty())
+ password = entry[2][0];
+ }
+ else if(entry[2].getKey().matches("Keytab")) {
+ if(entry[3].empty())
+ keytab = entry[2][0];
+ }
+ else if(!entry[2].empty())
+ return false;
+
+ return true;
+}
+
+
+void UserConfigBackendKrb5::checkUserInfo(const Common::UserInfo &userInfo) throw(Core::Exception) {
+ if(std::strcspn(userInfo.getUsername().c_str(), "/@") != userInfo.getUsername().length())
+ throw Core::Exception(Core::Exception::INVALID_INPUT);
+}
+
+void UserConfigBackendKrb5::addUser(const Common::UserInfo &userInfo) throw(Core::Exception) {
+ std::string princStr = userInfo.getUsername() + "@" + realm;
+
+ kadm5_principal_ent_rec princ;
+
+ krb5_error_code err = krb5_parse_name(context, princStr.c_str(), &princ.principal);
+ if(err)
+ throw Core::Exception("krb5_parse_name", Core::Exception::INTERNAL_ERRNO, err);
+
+ princ.attributes = KRB5_KDB_DISALLOW_ALL_TIX;
+
+ char dummybuf[128];
+ for(int i = 0; i < 128; ++i)
+ dummybuf[i] = (i+1)%128;
+
+ err = kadm5_create_principal(handle, &princ, KADM5_PRINCIPAL|KADM5_ATTRIBUTES, dummybuf);
+ if(err) {
+ krb5_free_principal(context, princ.principal);
+ throw Core::Exception("kadm5_create_principal", Core::Exception::INTERNAL_ERRNO, err);
+ }
+
+ err = kadm5_randkey_principal(handle, princ.principal, 0, 0);
+ if(err) {
+ krb5_free_principal(context, princ.principal);
+ throw Core::Exception("kadm5_randkey_principal", Core::Exception::INTERNAL_ERRNO, err);
+ }
+
+ princ.attributes = 0;
+ err = kadm5_modify_principal(handle, &princ, KADM5_ATTRIBUTES);
+
+ krb5_free_principal(context, princ.principal);
+
+ if(err)
+ throw Core::Exception("kadm5_modify_principal", Core::Exception::INTERNAL_ERRNO, err);
+}
+
+void UserConfigBackendKrb5::updateUser(const Common::UserInfo &oldUserInfo, const Common::UserInfo &userInfo) throw(Core::Exception) {
+ if(oldUserInfo.getUsername() == userInfo.getUsername())
+ return;
+
+ deleteUser(oldUserInfo);
+ addUser(userInfo);
+}
+
+void UserConfigBackendKrb5::deleteUser(const Common::UserInfo &userInfo) throw(Core::Exception) {
+ std::string princStr = userInfo.getUsername() + "@" + realm;
+ krb5_principal princ;
+
+ krb5_error_code err = krb5_parse_name(context, princStr.c_str(), &princ);
+ if(err)
+ throw Core::Exception("krb5_parse_name", Core::Exception::INTERNAL_ERRNO, err);
+
+ /*err = */kadm5_delete_principal(handle, princ);
+
+ krb5_free_principal(context, princ);
+
+ //if(err)
+ // throw Core::Exception("kadm5_delete_principal", Core::Exception::INTERNAL_ERRNO, err);
+}
+
+}
+}
+}
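Review bot: The failure messages in connect() (the two `application->logf(...)` calls after kadm5_init_with_password and kadm5_init_with_skey) format a krb5_error_code with `std::strerror(err)`, but kadm5/krb5 codes are com_err codes rather than errno values, so an authentication or admin-server failure will be logged as "Unknown error N" instead of the real reason; use `error_message(err)` from com_err, or `krb5_get_error_message(context, err)` paired with `krb5_free_error_message`, e.g. `"kadm5_init_with_password: %s", error_message(err)`. In deleteUser() the return of kadm5_delete_principal is deliberately discarded and the throw is commented out, which means updateUser()'s rename path can leave the old principal active while reporting success; if the intent is only to tolerate an already-missing principal, check the code and throw for anything else rather than ignoring every failure. In addUser(), `kadm5_principal_ent_rec princ;` is left uninitialised apart from `principal` and `attributes`; zeroing it first (`std::memset(&princ, 0, sizeof(princ));`) avoids passing indeterminate fields into the library even when the mask excludes them. The `throw(Core::Exception)` dynamic exception specifications are deprecated since C++11 and removed in C++17, so the signatures should eventually drop them.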