authorLuke Howard <lukeh@padl.com>2008-11-23 00:24:03 +0000
committerLuke Howard <lukeh@padl.com>2008-11-23 00:24:03 +0000
commitcf5d699d6f6a4c1414a118c41e99947cdc7a4598 (patch)
tree9b0e8041803d5c41a1b9d2827b4dbb160bce5e26
parentec6161a6727246f0844438ec8f635d8528bbcf0c (diff)
Add kadm5int_acl_check_krb() variant
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21174 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/kadm5/srv/libkadm5srv.exports1
-rw-r--r--src/lib/kadm5/srv/server_acl.c65
-rw-r--r--src/lib/kadm5/srv/server_acl.h6
3 files changed, 49 insertions, 23 deletions
diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports
index a4d2156..1205580 100644
--- a/src/lib/kadm5/srv/libkadm5srv.exports
+++ b/src/lib/kadm5/srv/libkadm5srv.exports
@@ -1,6 +1,7 @@
_kadm5_check_handle
_kadm5_chpass_principal_util
kadm5int_acl_check
+kadm5int_acl_check_krb
kadm5int_acl_finish
kadm5int_acl_impose_restrictions
kadm5int_acl_init
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index f3172e4..9471d0a 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -736,6 +736,42 @@ kadm5int_acl_finish(kcontext, debug_level)
}
/*
+ * kadm5int_acl_check_krb() - Is this operation permitted for this principal?
+ */
+krb5_boolean
+kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions)
+ krb5_context kcontext;
+ krb5_const_principal caller_princ;
+ krb5_int32 opmask;
+ krb5_const_principal principal;
+ restriction_t **restrictions;
+{
+ krb5_boolean retval;
+ aent_t *aentry;
+
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
+
+ retval = FALSE;
+
+ aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
+ if (aentry) {
+ if ((aentry->ae_op_allowed & opmask) == opmask) {
+ retval = TRUE;
+ if (restrictions) {
+ *restrictions =
+ (aentry->ae_restrictions && aentry->ae_restrictions->mask)
+ ? aentry->ae_restrictions
+ : (restriction_t *) NULL;
+ }
+ }
+ }
+
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
+ retval));
+ return retval;
+}
+
+/*
* kadm5int_acl_check() - Is this operation permitted for this principal?
* this code used not to be based on gssapi. In order
* to minimize porting hassles, I've put all the
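Review bot: `*restrictions` is written only on the allow path, so when no ACL entry matches or the op-mask test fails, the caller's pointer keeps whatever value it held before the call. Since this function is now exported, I would clear the out-parameter up front with `if (restrictions) *restrictions = NULL;` right after `retval = FALSE;`, so a denied check can never leave a stale or uninitialized restriction pointer behind. The two `return FALSE` early exits in kadm5int_acl_check in the next hunk have the same gap. The DPRINT strings here also still say `acl_op_permitted()`, which makes debug traces hard to map back to this function.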
@@ -752,47 +788,30 @@ kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions)
restriction_t **restrictions;
{
krb5_boolean retval;
- aent_t *aentry;
gss_buffer_desc caller_buf;
gss_OID caller_oid;
OM_uint32 emaj, emin;
krb5_error_code code;
krb5_principal caller_princ;
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
-
if (GSS_ERROR(emaj = gss_display_name(&emin, caller, &caller_buf,
&caller_oid)))
- return(0);
+ return FALSE;
code = krb5_parse_name(kcontext, (char *) caller_buf.value,
&caller_princ);
gss_release_buffer(&emin, &caller_buf);
- if (code)
- return(code);
+ if (code != 0)
+ return FALSE;
- retval = 0;
-
- aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
- if (aentry) {
- if ((aentry->ae_op_allowed & opmask) == opmask) {
- retval = 1;
- if (restrictions) {
- *restrictions =
- (aentry->ae_restrictions && aentry->ae_restrictions->mask)
- ? aentry->ae_restrictions
- : (restriction_t *) NULL;
- }
- }
- }
+ retval = kadm5int_acl_check_krb(kcontext, caller_princ,
+ opmask, principal, restrictions);
krb5_free_principal(kcontext, caller_princ);
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
- retval));
- return(retval);
+ return retval;
}
kadm5_ret_t
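Review bot: `caller_oid` from gss_display_name() is never examined, so the display string of whatever name type `caller` holds is handed to krb5_parse_name() and then matched against the ACL. If callers can ever pass a name that is not a Kerberos principal name (not visible in this hunk), it would be safer to compare the returned OID against the expected Kerberos name type and `return FALSE` on a mismatch before parsing. The `(char *) caller_buf.value` cast also relies on the buffer being NUL-terminated rather than honouring `caller_buf.length`; a one-line comment stating that assumption would help the next reader. The function's signature lies outside the hunk.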
diff --git a/src/lib/kadm5/srv/server_acl.h b/src/lib/kadm5/srv/server_acl.h
index b0ed0bf..c4c4789 100644
--- a/src/lib/kadm5/srv/server_acl.h
+++ b/src/lib/kadm5/srv/server_acl.h
@@ -95,6 +95,12 @@ krb5_boolean kadm5int_acl_check
krb5_int32,
krb5_principal,
restriction_t **);
+krb5_boolean kadm5int_acl_check_krb
+ (krb5_context,
+ krb5_const_principal,
+ krb5_int32,
+ krb5_const_principal,
+ restriction_t **);
krb5_error_code kadm5int_acl_impose_restrictions
(krb5_context,
kadm5_principal_ent_rec *,
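Review bot: The new prototype carries no comment, and its contract differs from kadm5int_acl_check in ways a caller needs to know. I would add above it something like `/* Like kadm5int_acl_check(), but takes an already-parsed caller principal. *restrictions, when set, points into the ACL entry and must not be freed. */`. The borrowed-pointer part follows from the assignment of `aentry->ae_restrictions` in server_acl.c. How long that pointer stays valid is presumably until the ACL is torn down, which should be confirmed and stated in the comment.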