static kadm5_ret_t
modify_principal(void *server_handle,
kadm5_principal_ent_t princ,
uint32_t mask,
uint32_t forbidden_mask)
{
kadm5_server_context *context = server_handle;
hdb_entry_ex ent;
kadm5_ret_t ret;
if((mask & forbidden_mask))
return KADM5_BAD_MASK;
if((mask & KADM5_POLICY) && strcmp(princ->policy, "default"))
return KADM5_UNK_POLICY;
memset(&ent, 0, sizeof(ent));
ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
if(ret)
return ret;
ret = context->db->hdb_fetch(context->context, context->db,
princ->principal, HDB_F_GET_ANY, &ent);
if(ret)
goto out;
ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0);
if(ret)
goto out2;
ret = _kadm5_set_modifier(context, &ent.entry);
if(ret)
goto out2;
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
if (ret)
goto out2;
ret = context->db->hdb_store(context->context, context->db,
HDB_F_REPLACE, &ent);
if (ret)
goto out2;
kadm5_log_modify (context,
&ent.entry,
mask | KADM5_MOD_NAME | KADM5_MOD_TIME);
out2:
hdb_free_entry(context->context, &ent);
out:
context->db->hdb_close(context->context, context->db);
return _kadm5_error_code(ret);
}
static kadm5_ret_t
create_principal(kadm5_server_context *context,
kadm5_principal_ent_t princ,
uint32_t mask,
hdb_entry_ex *ent,
uint32_t required_mask,
uint32_t forbidden_mask)
{
kadm5_ret_t ret;
kadm5_principal_ent_rec defrec, *defent;
uint32_t def_mask;
memset(ent, 0, sizeof(*ent));
if((mask & required_mask) != required_mask)
return KADM5_BAD_MASK;
if((mask & forbidden_mask))
return KADM5_BAD_MASK;
if((mask & KADM5_POLICY) && strcmp(princ->policy, "default"))
/* XXX no real policies for now */
return KADM5_UNK_POLICY;
ret = krb5_copy_principal(context->context, princ->principal,
&ent->entry.principal);
if(ret)
return ret;
defent = &defrec;
ret = get_default(context, princ->principal, defent);
if(ret) {
defent = NULL;
def_mask = 0;
} else {
def_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE;
}
ret = _kadm5_setup_entry(context,
ent, mask | def_mask,
princ, mask,
defent, def_mask);
if(defent)
kadm5_free_principal_ent(context, defent);
if (ret)
return ret;
ent->entry.created_by.time = time(NULL);
return krb5_copy_principal(context->context, context->caller,
&ent->entry.created_by.principal);
}
static kadm5_ret_t
modify_principal(void *server_handle,
kadm5_principal_ent_t princ,
uint32_t mask,
uint32_t forbidden_mask)
{
kadm5_server_context *context = server_handle;
hdb_entry_ex ent;
kadm5_ret_t ret;
memset(&ent, 0, sizeof(ent));
if((mask & forbidden_mask))
return KADM5_BAD_MASK;
if((mask & KADM5_POLICY) && strcmp(princ->policy, "default"))
return KADM5_UNK_POLICY;
if (!context->keep_open) {
ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
if(ret)
return ret;
}
ret = kadm5_log_init(context);
if (ret)
goto out;
ret = context->db->hdb_fetch_kvno(context->context, context->db,
princ->principal, HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
if(ret)
goto out;
ret = _kadm5_setup_entry(context, &ent, mask, princ, mask, NULL, 0);
if(ret)
goto out2;
ret = _kadm5_set_modifier(context, &ent.entry);
if(ret)
goto out2;
/*
* If any keys are bogus, disallow the modify. If the keys were
* bogus as stored in the HDB we could allow those through, but
* distinguishing that case from a pre-1.6 client using add_enctype
* without the get-keys privilege requires more work (mainly: checking that
* the bogus keys in princ->key_data[] have corresponding bogus keys in ent
* before calling _kadm5_setup_entry()).
*/
if ((mask & KADM5_KEY_DATA) &&
kadm5_some_keys_are_bogus(princ->n_key_data, princ->key_data)) {
ret = KADM5_AUTH_GET_KEYS; /* Not quite appropriate, but it'll do */
goto out2;
}
ret = hdb_seal_keys(context->context, context->db, &ent.entry);
if (ret)
goto out2;
if ((mask & KADM5_POLICY)) {
HDB_extension ext;
memset(&ext, 0, sizeof(ext));
/* XXX should be TRUE, but we don't yet support policies */
ext.mandatory = FALSE;
ext.data.element = choice_HDB_extension_data_policy;
ext.data.u.policy = strdup(princ->policy);
if (ext.data.u.policy == NULL) {
ret = ENOMEM;
goto out2;
}
/* This calls free_HDB_extension(), freeing ext.data.u.policy */
ret = hdb_replace_extension(context->context, &ent.entry, &ext);
free(ext.data.u.policy);
if (ret)
goto out2;
}
/* This logs the change for iprop and writes to the HDB */
ret = kadm5_log_modify(context, &ent.entry,
mask | KADM5_MOD_NAME | KADM5_MOD_TIME);
out2:
hdb_free_entry(context->context, &ent);
out:
(void) kadm5_log_end(context);
if (!context->keep_open) {
kadm5_ret_t ret2;
ret2 = context->db->hdb_close(context->context, context->db);
if (ret == 0 && ret2 != 0)
ret = ret2;
}
return _kadm5_error_code(ret);
}
