-rw-r--r-- | src/lib/kadm5/srv/libkadm5srv.exports | 1 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_acl.c | 65 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_acl.h | 6 |
3 files changed, 49 insertions, 23 deletions
diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports
index a4d2156..1205580 100644
--- a/src/lib/kadm5/srv/libkadm5srv.exports
+++ b/src/lib/kadm5/srv/libkadm5srv.exports
@@ -1,6 +1,7 @@
 _kadm5_check_handle
 _kadm5_chpass_principal_util
 kadm5int_acl_check
+kadm5int_acl_check_krb
 kadm5int_acl_finish
 kadm5int_acl_impose_restrictions
 kadm5int_acl_init
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index f3172e4..9471d0a 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -736,6 +736,42 @@ kadm5int_acl_finish(kcontext, debug_level)
 }
 /*
+ * kadm5int_acl_check_krb() - Is this operation permitted for this principal?
+ */
+krb5_boolean
+kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions)
+ krb5_context kcontext;
+ krb5_const_principal caller_princ;
+ krb5_int32 opmask;
+ krb5_const_principal principal;
+ restriction_t **restrictions;
+{
+ krb5_boolean retval;
+ aent_t *aentry;
+
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
+
+ retval = FALSE;
+
+ aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
+ if (aentry) {
+ if ((aentry->ae_op_allowed & opmask) == opmask) {
+ retval = TRUE;
+ if (restrictions) {
+ *restrictions =
+ (aentry->ae_restrictions && aentry->ae_restrictions->mask)
+ ? aentry->ae_restrictions
+ : (restriction_t *) NULL;
+ }
+ }
+ }
+
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
+ retval));
+ return retval;
+}
+
+/*
 * kadm5int_acl_check() - Is this operation permitted for this principal?
 * this code used not to be based on gssapi. In order
 * to minimize porting hassles, I've put all the 
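Review bot: kadm5int_acl_check_krb leaves `*restrictions` untouched on every deny path — no matching ACL entry, or an entry whose `ae_op_allowed` lacks a bit of `opmask` — so a caller that inspects the out-parameter after a FALSE return reads whatever it held before the call; adding `if (restrictions) *restrictions = NULL;` right after `retval = FALSE;` makes the contract (restrictions are only meaningful on TRUE) hold regardless of caller initialisation. Unlike kadm5int_acl_check, this entry point takes `caller_princ` as given and does no name translation of its own, which the header comment should state, e.g. `/* caller_princ must already be the client's verified principal; this only matches it against the loaded ACL. */`. Both DPRINT trace strings still say `acl_op_permitted()`, so the new function is indistinguishable from its caller in debug output; naming `kadm5int_acl_check_krb()` in them would fix that.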
@@ -752,47 +788,30 @@ kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions)
 restriction_t **restrictions;
 {
 krb5_boolean retval;
- aent_t *aentry;
 gss_buffer_desc caller_buf;
 gss_OID caller_oid;
 OM_uint32 emaj, emin;
 krb5_error_code code;
 krb5_principal caller_princ;
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
-
 if (GSS_ERROR(emaj = gss_display_name(&emin, caller, &caller_buf, &caller_oid)))
- return(0);
+ return FALSE;
 code = krb5_parse_name(kcontext, (char *) caller_buf.value, &caller_princ);
 gss_release_buffer(&emin, &caller_buf);
- if (code)
- return(code);
+ if (code != 0)
+ return FALSE;
- retval = 0;
-
- aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
- if (aentry) {
- if ((aentry->ae_op_allowed & opmask) == opmask) {
- retval = 1;
- if (restrictions) {
- *restrictions =
- (aentry->ae_restrictions && aentry->ae_restrictions->mask)
- ? aentry->ae_restrictions
- : (restriction_t *) NULL;
- }
- }
- }
+ retval = kadm5int_acl_check_krb(kcontext, caller_princ,
+ opmask, principal, restrictions);
 krb5_free_principal(kcontext, caller_princ);
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
- retval));
- return(retval);
+ return retval;
 }
 kadm5_ret_t
diff --git a/src/lib/kadm5/srv/server_acl.h b/src/lib/kadm5/srv/server_acl.h
index b0ed0bf..c4c4789 100644
--- a/src/lib/kadm5/srv/server_acl.h
+++ b/src/lib/kadm5/srv/server_acl.h
@@ -95,6 +95,12 @@ krb5_boolean kadm5int_acl_check
 krb5_int32,
 krb5_principal,
 restriction_t **);
+krb5_boolean kadm5int_acl_check_krb
+ (krb5_context,
+ krb5_const_principal,
+ krb5_int32,
+ krb5_const_principal,
+ restriction_t **);
 krb5_error_code kadm5int_acl_impose_restrictions
 (krb5_context,
 kadm5_principal_ent_rec *, |
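Review bot: The two new `return FALSE;` lines change error semantics without saying so — the removed `return(code);` pushed a nonzero krb5_error_code through a krb5_boolean return, which a caller testing for truth would have taken as permission granted — and nothing in the code marks the deny as deliberate; a comment above `if (code != 0)`, `/* Fail closed: a caller name we cannot display or parse is never authorized. */`, keeps a later cleanup from reintroducing the error-code return. On the gss_display_name failure path `emaj` is assigned and then dropped, so the reason for the deny is not recoverable from the existing DPRINT trace; either emit it through that machinery or note in the same comment that it is intentionally not surfaced. kadm5int_acl_check's signature and its first parameter declarations begin before this hunk.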