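/*
 * UserConfigBackendKrb5.cpp
 *
 * Copyright (C) 2009 Matthias Schiffer
 *
 * This program is free software: you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by the
 * Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License along
 * with this program. If not, see <http://www.gnu.org/licenses/>.
 */

#include "UserConfigBackendKrb5.h"

// NOTE(review): the original's four system #include lines and all angle-bracket
// template arguments were lost in extraction. The headers below and the
// const_cast<char*> / lock_guard<boost::mutex> spellings are reconstructed
// from the identifiers this file uses; extract() is left as shown — confirm
// against the ConfigEntry header whether it takes a type argument.
#include <cstring>
#include <string>

#include <boost/thread/locks.hpp>
#include <boost/thread/mutex.hpp>

#include <kadm5/admin.h>

namespace Mad {
namespace Modules {
namespace UserConfigBackendKrb5 {

namespace {

// Number of reconnects attempted when an admin-server RPC fails with
// KADM5_RPC_ERROR. In addUser() one budget is shared by its three RPCs.
const int RETRY_COUNT = 3;

// Returns the library's text for err as an owned std::string.
// krb5_get_error_message() hands out a buffer that has to be released with
// krb5_free_error_message(); the previous code logged the buffer and leaked it.
std::string errorMessage(krb5_context context, krb5_error_code err) {
    const char *msg = krb5_get_error_message(context, err);
    std::string text(msg ? msg : "");
    if(msg)
        krb5_free_error_message(context, msg);
    return text;
}

}

// (Re)establishes the kadm5 server handle from the configured principal,
// realm, server and credentials (password or keytab).
//
// Caller must hold mutex: configFinished() and the RPC retry paths in the
// user operations all call this with the lock already taken. Failures are
// logged and leave handle at 0, which makes the user operations throw
// NOT_AVAILABLE instead of using a dead connection.
void UserConfigBackendKrb5::_connect() {
    if(principal.empty()) {
        application->log(Core::Logger::LOG_USER, Core::Logger::LOG_ERROR, "UserConfigBackendKrb5: no principal given");
        return;
    }
    if(realm.empty()) {
        application->log(Core::Logger::LOG_USER, Core::Logger::LOG_ERROR, "UserConfigBackendKrb5: no realm given and no default realm available");
        return;
    }
    if(!context)
        return;

    // A stale handle (e.g. after KADM5_RPC_ERROR) is destroyed before a new
    // one is initialised so nothing leaks across reconnects.
    if(handle) {
        kadm5_destroy(handle);
        handle = 0;
    }

    // Zeroed first: kadm5 only reads the fields named in mask, but an
    // indeterminate struct is an easy way to hand garbage to the library.
    kadm5_config_params params;
    std::memset(&params, 0, sizeof(params));
    params.realm = const_cast<char*>(realm.c_str());
    params.mask = KADM5_CONFIG_REALM;
    if(!server.empty()) {
        params.admin_server = const_cast<char*>(server.c_str());
        params.mask |= KADM5_CONFIG_ADMIN_SERVER;
    }

    // The admin principal defaults to the configured realm when none is given.
    std::string princ = principal;
    if(princ.find('@') == std::string::npos)
        princ += "@" + realm;

    if(!password.empty() && keytab.empty()) {
        // Password authentication is used only when no keytab is configured;
        // a keytab always takes precedence.
        krb5_error_code err = kadm5_init_with_password(const_cast<char*>(princ.c_str()), const_cast<char*>(password.c_str()),
                const_cast<char*>(KADM5_ADMIN_SERVICE), &params, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, 0, &handle);
        if(err) {
            application->logf(Core::Logger::LOG_USER, Core::Logger::LOG_ERROR, "kadm5_init_with_password: %s", errorMessage(context, err).c_str());
            return;
        }
    }
    else {
        // A null keytab name presumably lets the library choose its default
        // keytab; an explicit Keytab entry overrides that.
        char *keytabName = 0;
        if(!keytab.empty())
            keytabName = const_cast<char*>(keytab.c_str());

        krb5_error_code err = kadm5_init_with_skey(const_cast<char*>(princ.c_str()), keytabName,
                const_cast<char*>(KADM5_ADMIN_SERVICE), &params, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, 0, &handle);
        if(err) {
            application->logf(Core::Logger::LOG_USER, Core::Logger::LOG_ERROR, "kadm5_init_with_skey: %s", errorMessage(context, err).c_str());
            return;
        }
    }

    application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connected to kerberos admin server.");
}

// Consumes configuration entries of the form UserManager.Krb5.<Key> <value>.
//
// Returns true when the entry belongs to this backend (including the bare
// "UserManager" node and entries nested deeper than a known key, which are
// accepted but ignored) and false when it is someone else's.
// Recognised keys: Realm, Principal, Server, Password, Keytab. Password is
// only used for authentication when no Keytab is set (see _connect()).
bool UserConfigBackendKrb5::handleConfigEntry(const Core::ConfigEntry &entry, bool /*handled*/) {
    if(!entry[0].getKey().matches("UserManager"))
        return false;
    if(entry[1].isEmpty())
        return true;
    if(!entry[1].getKey().matches("Krb5"))
        return false;

    boost::lock_guard<boost::mutex> lock(mutex);

    // Only leaf entries (nothing below entry[2]) carry a value.
    const bool isLeaf = entry[3].isEmpty();

    if(entry[2].getKey().matches("Realm")) {
        if(isLeaf)
            realm = entry[2][0].extract();
    }
    else if(entry[2].getKey().matches("Principal")) {
        if(isLeaf)
            principal = entry[2][0].extract();
    }
    else if(entry[2].getKey().matches("Server")) {
        if(isLeaf)
            server = entry[2][0].extract();
    }
    else if(entry[2].getKey().matches("Password")) {
        if(isLeaf)
            password = entry[2][0].extract();
    }
    else if(entry[2].getKey().matches("Keytab")) {
        if(isLeaf)
            keytab = entry[2][0].extract();
    }
    else if(!entry[2].isEmpty()) {
        return false;
    }

    return true;
}

// Connects to the admin server once the whole configuration has been read.
void UserConfigBackendKrb5::configFinished() {
    boost::lock_guard<boost::mutex> lock(mutex);
    _connect();
}

// Validates that a username can become the single component of a principal
// in the configured realm.
//
// Throws Core::Exception(INVALID_INPUT) when the name is empty, contains a
// NUL (which would silently truncate it at the C API boundary), or contains
// '/' or '@' — the principal component and realm separators.
// The dynamic exception specification is kept to match the declaration in
// the class header.
void UserConfigBackendKrb5::checkUserInfo(const Common::UserInfo &userInfo) throw(Core::Exception) {
    const std::string &username = userInfo.getUsername();

    if(username.empty())
        throw Core::Exception(Core::Exception::INVALID_INPUT);
    if(username.find('\0') != std::string::npos)
        throw Core::Exception(Core::Exception::INVALID_INPUT);
    // find_first_of() scans the whole std::string, unlike the previous
    // strcspn() on c_str(), which stopped at the first NUL.
    if(username.find_first_of("/@") != std::string::npos)
        throw Core::Exception(Core::Exception::INVALID_INPUT);
}

// Creates the principal <username>@<realm> with a random key.
//
// Sequence: create the principal with KRB5_KDB_DISALLOW_ALL_TIX and a
// placeholder password, replace the key with kadm5_randkey_principal(), then
// clear the attribute. Because the principal cannot obtain tickets until the
// last step, the known placeholder password is never usable.
// Callers are presumably expected to run checkUserInfo() first; this method
// does not repeat the character checks.
//
// Throws Core::Exception(NOT_AVAILABLE) when there is no connection, and
// Core::Exception(<api name>, INTERNAL_ERRNO, err) when a krb5/kadm5 call fails.
void UserConfigBackendKrb5::addUser(const Common::UserInfo &userInfo) throw(Core::Exception) {
    // NOTE(review): presumably marks this worker as detached from the thread
    // manager so the blocking RPCs below do not stall it — TODO confirm.
    application->getThreadManager()->detach();

    boost::lock_guard<boost::mutex> lock(mutex);

    if(!context || !handle)
        throw Core::Exception(Core::Exception::NOT_AVAILABLE);

    // Zeroed first: kadm5 only reads the fields named in the mask, but an
    // indeterminate record is an easy way to hand garbage to the library.
    kadm5_principal_ent_rec princ;
    std::memset(&princ, 0, sizeof(princ));

    // Build the principal from its parts instead of concatenating
    // "<user>@<realm>" and re-parsing it: krb5_parse_name() interprets '/',
    // '@' and '\' in the text, so a parsed principal could differ in
    // structure from the intended single-component name. checkUserInfo()
    // remains the first line of defence; this removes the parsing step.
    krb5_error_code err = krb5_build_principal(context, &princ.principal,
            static_cast<unsigned int>(realm.length()), realm.c_str(),
            userInfo.getUsername().c_str(), static_cast<char*>(0));
    if(err)
        throw Core::Exception("krb5_build_principal", Core::Exception::INTERNAL_ERRNO, err);

    princ.attributes = KRB5_KDB_DISALLOW_ALL_TIX;

    // Placeholder password required by kadm5_create_principal(); bytes 1..127
    // followed by 128 % 128 == 0, so the buffer is NUL-terminated. It is
    // replaced by the random key below before the principal is enabled.
    char dummybuf[128];
    for(int i = 0; i < 128; ++i)
        dummybuf[i] = (i+1)%128;

    // One reconnect budget for all three RPCs of this operation. Each loop
    // retries only a lost connection (KADM5_RPC_ERROR) and only while the
    // budget lasts; the previous "retryCount >= 0" condition could spin
    // forever once the budget was exhausted and the server kept failing.
    int retryCount = RETRY_COUNT;

    for(;;) {
        err = kadm5_create_principal(handle, &princ, KADM5_PRINCIPAL|KADM5_ATTRIBUTES, dummybuf);
        if(err != KADM5_RPC_ERROR || retryCount <= 0)
            break;
        application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connection to kerberos admin server lost. Reconnecting...");
        _connect();
        --retryCount;
    }
    if(err) {
        krb5_free_principal(context, princ.principal);
        throw Core::Exception("kadm5_create_principal", Core::Exception::INTERNAL_ERRNO, err);
    }

    for(;;) {
        err = kadm5_randkey_principal(handle, princ.principal, 0, 0);
        if(err != KADM5_RPC_ERROR || retryCount <= 0)
            break;
        application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connection to kerberos admin server lost. Reconnecting...");
        _connect();
        --retryCount;
    }
    if(err) {
        krb5_free_principal(context, princ.principal);
        throw Core::Exception("kadm5_randkey_principal", Core::Exception::INTERNAL_ERRNO, err);
    }

    // Key replaced: the principal may now obtain tickets.
    princ.attributes = 0;

    for(;;) {
        err = kadm5_modify_principal(handle, &princ, KADM5_ATTRIBUTES);
        if(err != KADM5_RPC_ERROR || retryCount <= 0)
            break;
        application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connection to kerberos admin server lost. Reconnecting...");
        _connect();
        --retryCount;
    }

    krb5_free_principal(context, princ.principal);

    if(err)
        throw Core::Exception("kadm5_modify_principal", Core::Exception::INTERNAL_ERRNO, err);
}

// Applies a user change to Kerberos. Only the username is mirrored, so a
// change is a no-op unless the name differs, in which case the old principal
// is deleted and a new one created. addUser() assigns a fresh random key, so
// the user's old password does not carry over to the renamed principal.
//
// Throws Core::Exception(NOT_AVAILABLE) when there is no connection, plus
// whatever deleteUser()/addUser() throw.
void UserConfigBackendKrb5::updateUser(const Common::UserInfo &oldUserInfo, const Common::UserInfo &userInfo) throw(Core::Exception) {
    application->getThreadManager()->detach();

    {
        // Scoped so the lock is released before deleteUser()/addUser(),
        // which take it themselves.
        boost::lock_guard<boost::mutex> lock(mutex);

        if(!context || !handle)
            throw Core::Exception(Core::Exception::NOT_AVAILABLE);

        if(oldUserInfo.getUsername() == userInfo.getUsername())
            return;
    }

    deleteUser(oldUserInfo);
    addUser(userInfo);
}

// Deletes the principal <username>@<realm>.
//
// A failed deletion is logged as a warning rather than thrown, presumably so
// that removing a user whose principal is already gone still succeeds.
// Throws Core::Exception(NOT_AVAILABLE) when there is no connection and
// Core::Exception("krb5_build_principal", INTERNAL_ERRNO, err) when the
// principal cannot be built.
void UserConfigBackendKrb5::deleteUser(const Common::UserInfo &userInfo) throw(Core::Exception) {
    application->getThreadManager()->detach();

    boost::lock_guard<boost::mutex> lock(mutex);

    if(!context || !handle)
        throw Core::Exception(Core::Exception::NOT_AVAILABLE);

    // Built from parts rather than parsed from "<user>@<realm>"; see addUser().
    krb5_principal princ;
    krb5_error_code err = krb5_build_principal(context, &princ,
            static_cast<unsigned int>(realm.length()), realm.c_str(),
            userInfo.getUsername().c_str(), static_cast<char*>(0));
    if(err)
        throw Core::Exception("krb5_build_principal", Core::Exception::INTERNAL_ERRNO, err);

    // Retry only a lost connection, and only while the budget lasts (the
    // old "retryCount >= 0" condition could loop forever).
    int retryCount = RETRY_COUNT;
    for(;;) {
        err = kadm5_delete_principal(handle, princ);
        if(err != KADM5_RPC_ERROR || retryCount <= 0)
            break;
        application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connection to kerberos admin server lost. Reconnecting...");
        _connect();
        --retryCount;
    }

    krb5_free_principal(context, princ);

    if(err)
        application->logf(Core::Logger::LOG_USER, Core::Logger::LOG_WARNING, "kadm5_delete_principal: %s", errorMessage(context, err).c_str());
}

// Sets the password of the principal <username>@<realm>.
//
// The password parameter shadows the member of the same name (the admin
// password); only the parameter is used here.
// Throws Core::Exception(NOT_AVAILABLE) when there is no connection and
// Core::Exception(<api name>, INTERNAL_ERRNO, err) when a krb5/kadm5 call fails.
void UserConfigBackendKrb5::setPassword(const Common::UserInfo &userInfo, const std::string &password) throw(Core::Exception) {
    application->getThreadManager()->detach();

    boost::lock_guard<boost::mutex> lock(mutex);

    if(!context || !handle)
        throw Core::Exception(Core::Exception::NOT_AVAILABLE);

    // Built from parts rather than parsed from "<user>@<realm>"; see addUser().
    krb5_principal princ;
    krb5_error_code err = krb5_build_principal(context, &princ,
            static_cast<unsigned int>(realm.length()), realm.c_str(),
            userInfo.getUsername().c_str(), static_cast<char*>(0));
    if(err)
        throw Core::Exception("krb5_build_principal", Core::Exception::INTERNAL_ERRNO, err);

    // Retry only a lost connection, and only while the budget lasts (the
    // old "retryCount >= 0" condition could loop forever).
    int retryCount = RETRY_COUNT;
    for(;;) {
        err = kadm5_chpass_principal(handle, princ, const_cast<char*>(password.c_str()));
        if(err != KADM5_RPC_ERROR || retryCount <= 0)
            break;
        application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connection to kerberos admin server lost. Reconnecting...");
        _connect();
        --retryCount;
    }

    krb5_free_principal(context, princ);

    if(err)
        throw Core::Exception("kadm5_chpass_principal", Core::Exception::INTERNAL_ERRNO, err);
}

}
}
}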