author | Luke Howard <lukeh@padl.com> | 2008-11-23 00:24:03 +0000 |
---|---|---|
committer | Luke Howard <lukeh@padl.com> | 2008-11-23 00:24:03 +0000 |
commit | cf5d699d6f6a4c1414a118c41e99947cdc7a4598 (patch) | |
tree | 9b0e8041803d5c41a1b9d2827b4dbb160bce5e26 | |
parent | ec6161a6727246f0844438ec8f635d8528bbcf0c (diff) | |
Add kadm5int_acl_check_krb() variant
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21174 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/kadm5/srv/libkadm5srv.exports | 1 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_acl.c | 65 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_acl.h | 6 |
3 files changed, 49 insertions, 23 deletions
diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports
index a4d2156..1205580 100644
--- a/src/lib/kadm5/srv/libkadm5srv.exports
+++ b/src/lib/kadm5/srv/libkadm5srv.exports
@@ -1,6 +1,7 @@
 _kadm5_check_handle
 _kadm5_chpass_principal_util
 kadm5int_acl_check
+kadm5int_acl_check_krb
 kadm5int_acl_finish
 kadm5int_acl_impose_restrictions
 kadm5int_acl_init
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index f3172e4..9471d0a 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -736,6 +736,42 @@ kadm5int_acl_finish(kcontext, debug_level)
 }
 
 /*
+ * kadm5int_acl_check_krb() - Is this operation permitted for this principal?
+ */
+krb5_boolean
+kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions)
+ krb5_context kcontext;
+ krb5_const_principal caller_princ;
+ krb5_int32 opmask;
+ krb5_const_principal principal;
+ restriction_t **restrictions;
+{
+ krb5_boolean retval;
+ aent_t *aentry;
+
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
+
+ retval = FALSE;
+
+ aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
+ if (aentry) {
+ if ((aentry->ae_op_allowed & opmask) == opmask) {
+ retval = TRUE;
+ if (restrictions) {
+ *restrictions =
+ (aentry->ae_restrictions && aentry->ae_restrictions->mask)
+ ? aentry->ae_restrictions
+ : (restriction_t *) NULL;
+ }
+ }
+ }
+
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
+ retval));
+ return retval;
+}
+
+/*
 * kadm5int_acl_check() - Is this operation permitted for this principal?
 * this code used not to be based on gssapi. In order
 * to minimize porting hassles, I've put all the
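Review bot: `*restrictions` is written only on the grant path of kadm5int_acl_check_krb(), so when no ACL entry matches, or the entry does not cover every bit in `opmask`, the caller's pointer keeps whatever value it held before the call. A caller that reads it without first testing the return value would then apply a stale or uninitialised restriction set to an authorization decision. Clearing it on entry, `if (restrictions) *restrictions = (restriction_t *) NULL;` placed before the kadm5int_acl_find_entry() call, makes the deny path well defined. The header comment could also say that the returned pointer appears to alias the ACL entry's `ae_restrictions` rather than a copy the caller owns; that is inferred from the assignment here and should be confirmed against the code that frees the ACL list.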
@@ -752,47 +788,30 @@ kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions) restriction_t **restrictions; { krb5_boolean retval; - aent_t *aentry; gss_buffer_desc caller_buf; gss_OID caller_oid; OM_uint32 emaj, emin; krb5_error_code code; krb5_principal caller_princ; - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n")); - if (GSS_ERROR(emaj = gss_display_name(&emin, caller, &caller_buf, &caller_oid))) - return(0); + return FALSE; code = krb5_parse_name(kcontext, (char *) caller_buf.value, &caller_princ); gss_release_buffer(&emin, &caller_buf); - if (code) - return(code); + if (code != 0) + return FALSE; - retval = 0; - - aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal); - if (aentry) { - if ((aentry->ae_op_allowed & opmask) == opmask) { - retval = 1; - if (restrictions) { - *restrictions = - (aentry->ae_restrictions && aentry->ae_restrictions->mask) - ? aentry->ae_restrictions - : (restriction_t *) NULL; - } - } - } + retval = kadm5int_acl_check_krb(kcontext, caller_princ, + opmask, principal, restrictions); krb5_free_principal(kcontext, caller_princ); - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n", - retval)); - return(retval); + return retval; } kadm5_ret_t diff --git a/src/lib/kadm5/srv/server_acl.h b/src/lib/kadm5/srv/server_acl.h index b0ed0bf..c4c4789 100644 --- a/src/lib/kadm5/srv/server_acl.h +++ b/src/lib/kadm5/srv/server_acl.h @@ -95,6 +95,12 @@ krb5_boolean kadm5int_acl_check krb5_int32, krb5_principal, restriction_t **); +krb5_boolean kadm5int_acl_check_krb + (krb5_context, + krb5_const_principal, + krb5_int32, + krb5_const_principal, + restriction_t **); krb5_error_code kadm5int_acl_impose_restrictions (krb5_context, kadm5_principal_ent_rec *, |
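Review bot: `(char *) caller_buf.value` is handed to krb5_parse_name() as a C string, but a gss_buffer_desc is length-counted and GSS-API does not promise a terminating NUL, so the parse could read past the buffer if a mechanism returns an unterminated display name. The krb5 mechanism presumably terminates its names, which would explain why this works in practice, but the check then depends on an implementation detail of whichever mechanism produced `caller`. Copying `caller_buf.length` bytes into a terminated buffer before parsing removes that dependency; the sketch below needs a new `char *name` local. The function's signature and parameter declarations start above this hunk.

```c
    /* … unchanged: gss_display_name() call and its `return FALSE` … */

    name = malloc(caller_buf.length + 1);
    if (name == NULL) {
        gss_release_buffer(&emin, &caller_buf);
        return FALSE;
    }
    memcpy(name, caller_buf.value, caller_buf.length);
    name[caller_buf.length] = '\0';

    code = krb5_parse_name(kcontext, name, &caller_princ);
    free(name);

    /* … unchanged: gss_release_buffer(), error return, kadm5int_acl_check_krb() call … */
```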