/* * Build a list of tokens, delete the bad ones (the ones to remove from the * permissions list,) destroy all tokens, and then re-register the good ones. * Ugly, but it works. */ int uss_fs_UnlogToken(char *celln) { int count = 0, index, index2; afs_int32 code = 0, cnt = 0; struct ktc_principal serviceName; struct tokenInfo *tokenInfoP, *tp; do { code = ktc_ListTokens(count, &count, &serviceName); cnt++; } while (!code); count = cnt - 1; tokenInfoP = malloc((sizeof(struct tokenInfo) * count)); for (code = index = index2 = 0; (!code) && (index < count); index++) { tp = tokenInfoP + index; code = ktc_ListTokens(index2, &index2, &tp->service); if (!code) { code = ktc_GetToken(&tp->service, &tp->token, sizeof(struct ktc_token), &tp->client); if (!code) { tp->deleted = (!strcmp(celln, tp->client.cell) ? 1 : 0); if (tp->deleted) cnt = 1; } } } if ((code = ktc_ForgetAllTokens())) { printf("uss_fs_UnlogToken: could not discard tickets, code %d\n", code); exit(1); } for (code = index = 0; index < count; index++) { tp = tokenInfoP + index; if (!(tp->deleted)) { code = ktc_SetToken(&tp->service, &tp->token, &tp->client, 0); if (code) { printf ("uss_fs_UnlogToken: Couldn't re-register token, code = %d\n", code); } } } return 0; }
static int unlog_ForgetCertainTokens(char **list, int listSize) { int index, index2; int count; afs_int32 code; struct ktc_principal serviceName; struct tokenInfo *tokenInfoP; /* normalize all the names in the list */ unlog_NormalizeCellNames(list, listSize); /* figure out how many tokens exist */ count = 0; do { code = ktc_ListTokens(count, &count, &serviceName); } while (!code); tokenInfoP = (struct tokenInfo *)malloc((sizeof(struct tokenInfo) * count)); if (!tokenInfoP) { perror("unlog_ForgetCertainTokens -- osi_Alloc failed"); exit(1); } for (code = index = index2 = 0; (!code) && (index < count); index++) { code = ktc_ListTokens(index2, &index2, &(tokenInfoP + index)->service); if (!code) { code = ktc_GetToken(&(tokenInfoP + index)->service, &(tokenInfoP + index)->token, sizeof(struct ktc_token), &(tokenInfoP + index)->client); if (!code) (tokenInfoP + index)->deleted = unlog_CheckUnlogList(list, listSize, &(tokenInfoP + index)->client); } } unlog_VerifyUnlog(list, listSize, tokenInfoP, count); code = ktc_ForgetAllTokens(); if (code) { printf("unlog: could not discard tickets, code %d\n", code); exit(1); } for (code = index = 0; index < count; index++) { if (!((tokenInfoP + index)->deleted)) { code = ktc_SetToken(&(tokenInfoP + index)->service, &(tokenInfoP + index)->token, &(tokenInfoP + index)->client, 0); if (code) { fprintf(stderr, "Couldn't re-register token, code = %d\n", code); } } } return 0; }
int main(void) { struct ktc_principal oldServer[MAXCELLS], newServer[MAXCELLS]; struct ktc_principal oldClient[MAXCELLS], newClient[MAXCELLS]; struct ktc_token oldToken[MAXCELLS], newToken[MAXCELLS]; int cellCount, cellIndex; int i, code; #ifdef AFS_NT40_ENV /* Initialize winsock; required by NT pioctl() */ if (afs_winsockInit()) { printf("\nUnable to initialize winsock (required by NT pioctl()).\n"); exit(1); } #endif /* Get original tokens */ printf("\nFetching original tokens.\n"); cellIndex = 0; for (i = 0; i < MAXCELLS; i++) { /* fetch server principal */ code = ktc_ListTokens(cellIndex, &cellIndex, &oldServer[i]); if (code) { if (code == KTC_NOENT) { /* no more tokens */ break; } else { /* some error occured */ perror("ktc_ListTokens failed fetching original tokens"); exit(1); } } /* fetch token and client identity w.r.t. server */ code = ktc_GetToken(&oldServer[i], &oldToken[i], sizeof(struct ktc_token), &oldClient[i]); if (code) { /* some unexpected error occured */ perror("ktc_GetToken failed fetching original tokens"); exit(1); } } cellCount = i; if (cellCount == 0) { printf("Obtain one or more tokens prior to executing test.\n"); exit(0); } else if (cellCount == MAXCELLS) { printf("Only first %d tokens utilized by test; rest will be lost.\n", MAXCELLS); } for (i = 0; i < cellCount; i++) { printf("Token[%d]: server = %s@%s, client = %s@%s\n", i, oldServer[i].name, oldServer[i].cell, oldClient[i].name, oldClient[i].cell); } /* Forget original tokens */ printf("\nClearing original tokens and verifying disposal.\n"); code = ktc_ForgetAllTokens(); if (code) { perror("ktc_ForgetAllTokens failed on original tokens"); exit(1); } for (i = 0; i < cellCount; i++) { struct ktc_principal dummyPrincipal; struct ktc_token dummyToken; code = ktc_GetToken(&oldServer[i], &dummyToken, sizeof(struct ktc_token), &dummyPrincipal); if (code != KTC_NOENT) { printf("ktc_ForgetAllTokens did not eliminate all tokens.\n"); exit(1); } cellIndex = 0; code = ktc_ListTokens(cellIndex, &cellIndex, &dummyPrincipal); if (code != KTC_NOENT) { printf("ktc_ForgetAllTokens did not eliminate all tokens.\n"); exit(1); } } /* Reinstall tokens */ printf("\nReinstalling original tokens.\n"); for (i = 0; i < cellCount; i++) { code = ktc_SetToken(&oldServer[i], &oldToken[i], &oldClient[i], 0); if (code) { perror("ktc_SetToken failed reinstalling tokens"); exit(1); } } /* Get reinstalled tokens */ printf("\nFetching reinstalled tokens.\n"); cellIndex = 0; for (i = 0; i < MAXCELLS; i++) { /* fetch server principal */ code = ktc_ListTokens(cellIndex, &cellIndex, &newServer[i]); if (code) { if (code == KTC_NOENT) { /* no more tokens */ break; } else { /* some error occured */ perror("ktc_ListTokens failed fetching reinstalled tokens"); exit(1); } } /* fetch token and client identity w.r.t. server */ code = ktc_GetToken(&newServer[i], &newToken[i], sizeof(struct ktc_token), &newClient[i]); if (code) { /* some unexpected error occured */ perror("ktc_GetToken failed fetching reinstalled tokens"); exit(1); } } /* Verify content of reinstalled tokens */ printf("\nVerifying reinstalled tokens against original tokens.\n"); if (i != cellCount) { printf("Reinstalled token count does not match original count.\n"); exit(1); } for (i = 0; i < cellCount; i++) { int k, found; found = 0; for (k = 0; k < cellCount; k++) { if (SamePrincipal(&oldServer[i], &newServer[k]) && SamePrincipal(&oldClient[i], &newClient[k]) && SameToken(&oldToken[i], &newToken[k])) { /* found a matching token */ found = 1; break; } } if (!found) { printf("Reinstalled token does not match any original token.\n"); exit(1); } } /* Test passes */ printf("\nTest completed without error.\n"); return 0; }
static int GetTokens(afs_int32 ahost, afs_int32 auid) { struct ViceIoctl iob; afs_int32 pheader[6]; char tbuffer[1024]; afs_int32 code = 0; int index, newIndex; char *stp; /* secret token ptr */ struct ClearToken ct; char *tp; afs_int32 temp, gotit = 0; int maxLen; /* biggest ticket we can copy */ int tktLen; /* server ticket length */ time_t tokenExpireTime; char UserName[MAXKTCNAMELEN + MAXKTCNAMELEN]; struct ktc_token token; struct ktc_principal clientName; time_t current_time; char *expireString; current_time = time(0); /* otherwise we've got the token, now prepare to build the pioctl args */ pheader[0] = ahost; pheader[1] = auid; pheader[2] = 0; /* group low */ pheader[3] = 0; /* group high */ pheader[4] = 8; /* gettoken pioctl index */ pheader[5] = 1; /* NFS protocol exporter # */ for (index = 0; index < 200; index++) { /* sanity check in case pioctl fails */ code = ktc_ListTokens(index, &newIndex, &clientName); if (code) { if (code == KTC_NOENT) { /* all done */ if (!gotit) printf("knfs: there are no tokens here.\n"); code = 0; } break; /* done, but failed */ } if (strcmp(clientName.name, "afs") != 0) continue; /* wrong ticket service */ /* copy stuff in */ memcpy(tbuffer, pheader, sizeof(pheader)); tp = tbuffer + sizeof(pheader); memcpy(tp, &index, sizeof(afs_int32)); tp += sizeof(afs_int32); iob.in = tbuffer; iob.in_size = sizeof(afs_int32) + sizeof(pheader); iob.out = tbuffer; iob.out_size = sizeof(tbuffer); code = pioctl(NULL, _VICEIOCTL(99), &iob, 0); if (code < 0 && errno == EDOM) return KTC_NOENT; else if (code == 0) { /* check to see if this is the right cell/realm */ tp = tbuffer; memcpy(&temp, tp, sizeof(afs_int32)); /* get size of secret token */ tktLen = temp; /* remember size of ticket */ tp += sizeof(afs_int32); stp = tp; /* remember where ticket is, for later */ tp += temp; /* skip ticket for now */ memcpy(&temp, tp, sizeof(afs_int32)); /* get size of clear token */ if (temp != sizeof(struct ClearToken)) return KTC_ERROR; tp += sizeof(afs_int32); /* skip length */ memcpy(&ct, tp, temp); /* copy token for later use */ tp += temp; /* skip clear token itself */ tp += sizeof(afs_int32); /* skip primary flag */ /* tp now points to the cell name */ if (strcmp(tp, clientName.cell) == 0) { /* closing in now, we've got the right cell */ gotit = 1; maxLen = sizeof(token) - sizeof(struct ktc_token) + MAXKTCTICKETLEN; if (maxLen < tktLen) return KTC_TOOBIG; memcpy(token.ticket, stp, tktLen); token.startTime = ct.BeginTimestamp; token.endTime = ct.EndTimestamp; if (ct.AuthHandle == -1) ct.AuthHandle = 999; token.kvno = ct.AuthHandle; memcpy(&token.sessionKey, ct.HandShakeKey, sizeof(struct ktc_encryptionKey)); token.ticketLen = tktLen; if ((token.kvno == 999) || /* old style bcrypt ticket */ (ct.BeginTimestamp && /* new w/ prserver lookup */ (((ct.EndTimestamp - ct.BeginTimestamp) & 1) == 1))) { sprintf(clientName.name, "AFS ID %d", ct.ViceId); clientName.instance[0] = 0; } else { sprintf(clientName.name, "Unix UID %d", ct.ViceId); clientName.instance[0] = 0; } strlcpy(clientName.cell, tp, sizeof(clientName.cell)); tokenExpireTime = token.endTime; strlcpy(UserName, clientName.name, sizeof(UserName)); if (clientName.instance[0] != 0) { strlcat(UserName, ".", sizeof(UserName)); strlcat(UserName, clientName.instance, sizeof(UserName)); } if (UserName[0] == 0) printf("Tokens"); else if (strncmp(UserName, "AFS ID", 6) == 0) { printf("User's (%s) tokens", UserName); } else if (strncmp(UserName, "Unix UID", 8) == 0) { printf("Tokens"); } else printf("User %s's tokens", UserName); printf(" for %s%s%s@%s ", clientName.name, clientName.instance[0] ? "." : "", clientName.instance, clientName.cell); if (tokenExpireTime <= current_time) printf("[>> Expired <<]\n"); else { expireString = ctime(&tokenExpireTime); expireString += 4; /*Move past the day of week */ expireString[12] = '\0'; printf("[Expires %s]\n", expireString); } } } } return code; }
/* Copy the AFS service token into the kernel for a particular host and user */ static int NFSCopyToken(afs_int32 ahost, afs_int32 auid) { struct ktc_principal client, server; struct ktc_token theTicket; afs_int32 code; afs_int32 pheader[6]; char space[1200]; struct ClearToken ct; afs_int32 index, newIndex; afs_int32 temp; /* for bcopy */ char *tp; struct ViceIoctl blob; for (index = 0;; index = newIndex) { code = ktc_ListTokens(index, &newIndex, &server); if (code) { if (code == KTC_NOENT) { /* all done */ code = 0; } break; /* done, but failed */ } if (strcmp(server.name, "afs") != 0) continue; /* wrong ticket service */ code = ktc_GetToken(&server, &theTicket, sizeof(theTicket), &client); if (code) return code; /* otherwise we've got the token, now prepare to build the pioctl args */ pheader[0] = ahost; pheader[1] = auid; pheader[2] = 0; /* group low */ pheader[3] = 0; /* group high */ pheader[4] = 3; /* set token pioctl index */ pheader[5] = 1; /* NFS protocol exporter # */ /* copy in the header */ memcpy(space, pheader, sizeof(pheader)); tp = space + sizeof(pheader); /* copy in the size of the encrypted part */ memcpy(tp, &theTicket.ticketLen, sizeof(afs_int32)); tp += sizeof(afs_int32); /* copy in the ticket itself */ memcpy(tp, theTicket.ticket, theTicket.ticketLen); tp += theTicket.ticketLen; /* copy in "clear token"'s size */ temp = sizeof(struct ClearToken); memcpy(tp, &temp, sizeof(afs_int32)); tp += sizeof(afs_int32); /* create the clear token and copy *it* in */ ct.AuthHandle = theTicket.kvno; /* where we hide the key version # */ memcpy(ct.HandShakeKey, &theTicket.sessionKey, sizeof(ct.HandShakeKey)); ct.ViceId = auid; ct.BeginTimestamp = theTicket.startTime; ct.EndTimestamp = theTicket.endTime; memcpy(tp, &ct, sizeof(ct)); tp += sizeof(ct); /* copy in obsolete primary flag */ temp = 0; memcpy(tp, &temp, sizeof(afs_int32)); tp += sizeof(afs_int32); /* copy in cell name, null terminated */ strcpy(tp, server.cell); tp += strlen(server.cell) + 1; /* finally setup the pioctl call's parameters */ blob.in_size = tp - space; blob.in = space; blob.out_size = 0; blob.out = NULL; code = pioctl(NULL, _VICEIOCTL(99), &blob, 0); if (code) { code = errno; break; } } return code; }
int not_an_API_LeashAFSGetToken( TICKETINFO * ticketinfo, TicketList** ticketList, char * kerberosPrincipal ) { #ifdef NO_AFS return(0); #else struct ktc_principal aserver; struct ktc_principal aclient; struct ktc_token atoken; int EndMonth; int EndDay; int cellNum; int BreakAtEnd; char UserName[64]; char CellName[64]; char ServiceName[64]; char InstanceName[64]; char EndTime[16]; char Buffer[256]; char Months[12][4] = {"Jan\0", "Feb\0", "Mar\0", "Apr\0", "May\0", "Jun\0", "Jul\0", "Aug\0", "Sep\0", "Oct\0", "Nov\0", "Dec\0"}; char TokenStatus[16]; time_t CurrentTime; struct tm *newtime; DWORD CurrentState; DWORD rc; char HostName[64]; TicketList* list = NULL; if ( ticketinfo ) { ticketinfo->btickets = NO_TICKETS; ticketinfo->principal[0] = '\0'; } if ( !kerberosPrincipal ) kerberosPrincipal = ""; if (!AfsAvailable || GetAfsStatus(&AfsOnLine) && !AfsOnLine) return(0); CurrentState = 0; memset(HostName, '\0', sizeof(HostName)); gethostname(HostName, sizeof(HostName)); if (GetServiceStatus(HostName, TRANSARCAFSDAEMON, &CurrentState) != NOERROR) return(0); if (CurrentState != SERVICE_RUNNING) return(0); BreakAtEnd = 0; cellNum = 0; while (1) { if (rc = ktc_ListTokens(cellNum, &cellNum, &aserver)) { if (rc != KTC_NOENT) return(0); if (BreakAtEnd == 1) break; } BreakAtEnd = 1; memset(&atoken, '\0', sizeof(atoken)); if (rc = ktc_GetToken(&aserver, &atoken, sizeof(atoken), &aclient)) { if (rc == KTC_ERROR) return(0); continue; } if (!list) { list = (TicketList*) calloc(1, sizeof(TicketList)); (*ticketList) = list; } else { list->next = (struct TicketList*) calloc(1, sizeof(TicketList)); list = (TicketList*) list->next; } CurrentTime = time(NULL); newtime = localtime(&atoken.endTime); memset(UserName, '\0', sizeof(UserName)); strcpy(UserName, aclient.name); memset(CellName, '\0', sizeof(CellName)); strcpy(CellName, aclient.cell); memset(InstanceName, '\0', sizeof(InstanceName)); strcpy(InstanceName, aclient.instance); memset(ServiceName, '\0', sizeof(ServiceName)); strcpy(ServiceName, aserver.name); memset(TokenStatus, '\0', sizeof(TokenStatus)); EndDay = newtime->tm_mday; EndMonth = newtime->tm_mon + 1;; sprintf(EndTime, "%02d:%02d:%02d", newtime->tm_hour, newtime->tm_min, newtime->tm_sec); sprintf(Buffer," %s %02d %s %s%s%s@%s %s", Months[EndMonth - 1], EndDay, EndTime, UserName, InstanceName[0] ? "." : "", InstanceName, CellName, TokenStatus); list->theTicket = (char*) calloc(1, sizeof(Buffer)); if (!list->theTicket) { #ifdef USE_MESSAGE_BOX MessageBox(NULL, "Memory Error", "Error", MB_OK); #endif /* USE_MESSAGE_BOX */ return ENOMEM; } strcpy(list->theTicket, Buffer); list->name = strdup(aclient.name); list->inst = aclient.instance[0] ? strdup(aclient.instance) : NULL; list->realm = strdup(aclient.cell); list->encTypes = NULL; list->addrCount = 0; list->addrList = NULL; if ( ticketinfo ) { sprintf(Buffer,"%s@%s",UserName,CellName); if (!ticketinfo->principal[0] || !stricmp(Buffer,kerberosPrincipal)) { strcpy(ticketinfo->principal, Buffer); ticketinfo->issue_date = 0; ticketinfo->lifetime = atoken.endTime; ticketinfo->renew_till = 0; _tzset(); if ( ticketinfo->lifetime - time(0) <= 0L ) ticketinfo->btickets = EXPD_TICKETS; else ticketinfo->btickets = GOOD_TICKETS; } } } return(0); #endif }
int main(int argc, char **argv) { /*Main program */ int cellNum; /*Cell entry number */ int rc; /*Return value from U_CellGetLocalTokens */ time_t current_time; /*Current time of day */ time_t tokenExpireTime; /*When token expires */ char *expireString; /*Char string of expiration time */ char UserName[MAXKTCNAMELEN * 2 + 2]; /*Printable user name */ struct ktc_principal serviceName, clientName; /* service name for ticket */ struct ktc_token token; /* the token we're printing */ #ifdef AFS_AIX32_ENV /* * The following signal action for AIX is necessary so that in case of a * crash (i.e. core is generated) we can include the user's data section * in the core dump. Unfortunately, by default, only a partial core is * generated which, in many cases, isn't too useful. */ struct sigaction nsa; sigemptyset(&nsa.sa_mask); nsa.sa_handler = SIG_DFL; nsa.sa_flags = SA_FULLDUMP; sigaction(SIGSEGV, &nsa, NULL); #endif /* has no args ... support for help flag */ if (argc > 1) { /* syntax from AFS Com Ref Man p9-39 */ printf("Usage: tokens [-help]\n"); fflush(stdout); exit(0); } printf("\nTokens held by the Cache Manager:\n\n"); cellNum = 0; current_time = time(0); while (1) { rc = ktc_ListTokens(cellNum, &cellNum, &serviceName); if (rc) { /* only error is now end of list */ printf(" --End of list--\n"); break; } else { /* get the ticket info itself */ rc = ktc_GetToken(&serviceName, &token, sizeof(token), &clientName); if (rc) { printf ("tokens: failed to get token info for service %s.%s.%s (code %d)\n", serviceName.name, serviceName.instance, serviceName.cell, rc); continue; } tokenExpireTime = token.endTime; strcpy(UserName, clientName.name); if (clientName.instance[0] != 0) { strcat(UserName, "."); strcat(UserName, clientName.instance); } if (UserName[0] == 0) printf("Tokens"); else if (strncmp(UserName, "AFS ID", 6) == 0) { printf("User's (%s) tokens", UserName); } else if (strncmp(UserName, "Unix UID", 8) == 0) { printf("Tokens"); } else printf("User %s's tokens", UserName); printf(" for %s%s%s@%s ", serviceName.name, serviceName.instance[0] ? "." : "", serviceName.instance, serviceName.cell); if (tokenExpireTime <= current_time) printf("[>> Expired <<]\n"); else { expireString = ctime(&tokenExpireTime); expireString += 4; /*Move past the day of week */ expireString[12] = '\0'; printf("[Expires %s]\n", expireString); } } } exit(0); } /*Main program */