/*
* Build a list of tokens, delete the bad ones (the ones to remove from the
* permissions list,) destroy all tokens, and then re-register the good ones.
* Ugly, but it works.
*/
int
uss_fs_UnlogToken(char *celln)
{
int count = 0, index, index2;
afs_int32 code = 0, cnt = 0;
struct ktc_principal serviceName;
struct tokenInfo *tokenInfoP, *tp;
do {
code = ktc_ListTokens(count, &count, &serviceName);
cnt++;
} while (!code);
count = cnt - 1;
tokenInfoP = malloc((sizeof(struct tokenInfo) * count));
for (code = index = index2 = 0; (!code) && (index < count); index++) {
tp = tokenInfoP + index;
code = ktc_ListTokens(index2, &index2, &tp->service);
if (!code) {
code =
ktc_GetToken(&tp->service, &tp->token,
sizeof(struct ktc_token), &tp->client);
if (!code) {
tp->deleted = (!strcmp(celln, tp->client.cell) ? 1 : 0);
if (tp->deleted)
cnt = 1;
}
}
}
if ((code = ktc_ForgetAllTokens())) {
printf("uss_fs_UnlogToken: could not discard tickets, code %d\n",
code);
exit(1);
}
for (code = index = 0; index < count; index++) {
tp = tokenInfoP + index;
if (!(tp->deleted)) {
code = ktc_SetToken(&tp->service, &tp->token, &tp->client, 0);
if (code) {
printf
("uss_fs_UnlogToken: Couldn't re-register token, code = %d\n",
code);
}
}
}
return 0;
}
static int
unlog_ForgetCertainTokens(char **list, int listSize)
{
int index, index2;
int count;
afs_int32 code;
struct ktc_principal serviceName;
struct tokenInfo *tokenInfoP;
/* normalize all the names in the list */
unlog_NormalizeCellNames(list, listSize);
/* figure out how many tokens exist */
count = 0;
do {
code = ktc_ListTokens(count, &count, &serviceName);
} while (!code);
tokenInfoP =
(struct tokenInfo *)malloc((sizeof(struct tokenInfo) * count));
if (!tokenInfoP) {
perror("unlog_ForgetCertainTokens -- osi_Alloc failed");
exit(1);
}
for (code = index = index2 = 0; (!code) && (index < count); index++) {
code =
ktc_ListTokens(index2, &index2, &(tokenInfoP + index)->service);
if (!code) {
code =
ktc_GetToken(&(tokenInfoP + index)->service,
&(tokenInfoP + index)->token,
sizeof(struct ktc_token),
&(tokenInfoP + index)->client);
if (!code)
(tokenInfoP + index)->deleted =
unlog_CheckUnlogList(list, listSize,
&(tokenInfoP + index)->client);
}
}
unlog_VerifyUnlog(list, listSize, tokenInfoP, count);
code = ktc_ForgetAllTokens();
if (code) {
printf("unlog: could not discard tickets, code %d\n", code);
exit(1);
}
for (code = index = 0; index < count; index++) {
if (!((tokenInfoP + index)->deleted)) {
code =
ktc_SetToken(&(tokenInfoP + index)->service,
&(tokenInfoP + index)->token,
&(tokenInfoP + index)->client, 0);
if (code) {
fprintf(stderr, "Couldn't re-register token, code = %d\n",
code);
}
}
}
return 0;
}
int
main(void)
{
struct ktc_principal oldServer[MAXCELLS], newServer[MAXCELLS];
struct ktc_principal oldClient[MAXCELLS], newClient[MAXCELLS];
struct ktc_token oldToken[MAXCELLS], newToken[MAXCELLS];
int cellCount, cellIndex;
int i, code;
#ifdef AFS_NT40_ENV
/* Initialize winsock; required by NT pioctl() */
if (afs_winsockInit()) {
printf("\nUnable to initialize winsock (required by NT pioctl()).\n");
exit(1);
}
#endif
/* Get original tokens */
printf("\nFetching original tokens.\n");
cellIndex = 0;
for (i = 0; i < MAXCELLS; i++) {
/* fetch server principal */
code = ktc_ListTokens(cellIndex, &cellIndex, &oldServer[i]);
if (code) {
if (code == KTC_NOENT) {
/* no more tokens */
break;
} else {
/* some error occured */
perror("ktc_ListTokens failed fetching original tokens");
exit(1);
}
}
/* fetch token and client identity w.r.t. server */
code =
ktc_GetToken(&oldServer[i], &oldToken[i],
sizeof(struct ktc_token), &oldClient[i]);
if (code) {
/* some unexpected error occured */
perror("ktc_GetToken failed fetching original tokens");
exit(1);
}
}
cellCount = i;
if (cellCount == 0) {
printf("Obtain one or more tokens prior to executing test.\n");
exit(0);
} else if (cellCount == MAXCELLS) {
printf("Only first %d tokens utilized by test; rest will be lost.\n",
MAXCELLS);
}
for (i = 0; i < cellCount; i++) {
printf("Token[%d]: server = %s@%s, client = %s@%s\n", i,
oldServer[i].name, oldServer[i].cell, oldClient[i].name,
oldClient[i].cell);
}
/* Forget original tokens */
printf("\nClearing original tokens and verifying disposal.\n");
code = ktc_ForgetAllTokens();
if (code) {
perror("ktc_ForgetAllTokens failed on original tokens");
exit(1);
}
for (i = 0; i < cellCount; i++) {
struct ktc_principal dummyPrincipal;
struct ktc_token dummyToken;
code =
ktc_GetToken(&oldServer[i], &dummyToken, sizeof(struct ktc_token),
&dummyPrincipal);
if (code != KTC_NOENT) {
printf("ktc_ForgetAllTokens did not eliminate all tokens.\n");
exit(1);
}
cellIndex = 0;
code = ktc_ListTokens(cellIndex, &cellIndex, &dummyPrincipal);
if (code != KTC_NOENT) {
printf("ktc_ForgetAllTokens did not eliminate all tokens.\n");
exit(1);
}
}
/* Reinstall tokens */
printf("\nReinstalling original tokens.\n");
for (i = 0; i < cellCount; i++) {
code = ktc_SetToken(&oldServer[i], &oldToken[i], &oldClient[i], 0);
if (code) {
perror("ktc_SetToken failed reinstalling tokens");
exit(1);
}
}
/* Get reinstalled tokens */
printf("\nFetching reinstalled tokens.\n");
cellIndex = 0;
for (i = 0; i < MAXCELLS; i++) {
/* fetch server principal */
code = ktc_ListTokens(cellIndex, &cellIndex, &newServer[i]);
if (code) {
if (code == KTC_NOENT) {
/* no more tokens */
break;
} else {
/* some error occured */
perror("ktc_ListTokens failed fetching reinstalled tokens");
exit(1);
}
}
/* fetch token and client identity w.r.t. server */
code =
ktc_GetToken(&newServer[i], &newToken[i],
sizeof(struct ktc_token), &newClient[i]);
if (code) {
/* some unexpected error occured */
perror("ktc_GetToken failed fetching reinstalled tokens");
exit(1);
}
}
/* Verify content of reinstalled tokens */
printf("\nVerifying reinstalled tokens against original tokens.\n");
if (i != cellCount) {
printf("Reinstalled token count does not match original count.\n");
exit(1);
}
for (i = 0; i < cellCount; i++) {
int k, found;
found = 0;
for (k = 0; k < cellCount; k++) {
if (SamePrincipal(&oldServer[i], &newServer[k])
&& SamePrincipal(&oldClient[i], &newClient[k])
&& SameToken(&oldToken[i], &newToken[k])) {
/* found a matching token */
found = 1;
break;
}
}
if (!found) {
printf("Reinstalled token does not match any original token.\n");
exit(1);
}
}
/* Test passes */
printf("\nTest completed without error.\n");
return 0;
}
static int
GetTokens(afs_int32 ahost, afs_int32 auid)
{
struct ViceIoctl iob;
afs_int32 pheader[6];
char tbuffer[1024];
afs_int32 code = 0;
int index, newIndex;
char *stp; /* secret token ptr */
struct ClearToken ct;
char *tp;
afs_int32 temp, gotit = 0;
int maxLen; /* biggest ticket we can copy */
int tktLen; /* server ticket length */
time_t tokenExpireTime;
char UserName[MAXKTCNAMELEN + MAXKTCNAMELEN];
struct ktc_token token;
struct ktc_principal clientName;
time_t current_time;
char *expireString;
current_time = time(0);
/* otherwise we've got the token, now prepare to build the pioctl args */
pheader[0] = ahost;
pheader[1] = auid;
pheader[2] = 0; /* group low */
pheader[3] = 0; /* group high */
pheader[4] = 8; /* gettoken pioctl index */
pheader[5] = 1; /* NFS protocol exporter # */
for (index = 0; index < 200; index++) { /* sanity check in case pioctl fails */
code = ktc_ListTokens(index, &newIndex, &clientName);
if (code) {
if (code == KTC_NOENT) {
/* all done */
if (!gotit)
printf("knfs: there are no tokens here.\n");
code = 0;
}
break; /* done, but failed */
}
if (strcmp(clientName.name, "afs") != 0)
continue; /* wrong ticket service */
/* copy stuff in */
memcpy(tbuffer, pheader, sizeof(pheader));
tp = tbuffer + sizeof(pheader);
memcpy(tp, &index, sizeof(afs_int32));
tp += sizeof(afs_int32);
iob.in = tbuffer;
iob.in_size = sizeof(afs_int32) + sizeof(pheader);
iob.out = tbuffer;
iob.out_size = sizeof(tbuffer);
code = pioctl(NULL, _VICEIOCTL(99), &iob, 0);
if (code < 0 && errno == EDOM)
return KTC_NOENT;
else if (code == 0) {
/* check to see if this is the right cell/realm */
tp = tbuffer;
memcpy(&temp, tp, sizeof(afs_int32)); /* get size of secret token */
tktLen = temp; /* remember size of ticket */
tp += sizeof(afs_int32);
stp = tp; /* remember where ticket is, for later */
tp += temp; /* skip ticket for now */
memcpy(&temp, tp, sizeof(afs_int32)); /* get size of clear token */
if (temp != sizeof(struct ClearToken))
return KTC_ERROR;
tp += sizeof(afs_int32); /* skip length */
memcpy(&ct, tp, temp); /* copy token for later use */
tp += temp; /* skip clear token itself */
tp += sizeof(afs_int32); /* skip primary flag */
/* tp now points to the cell name */
if (strcmp(tp, clientName.cell) == 0) {
/* closing in now, we've got the right cell */
gotit = 1;
maxLen =
sizeof(token) - sizeof(struct ktc_token) +
MAXKTCTICKETLEN;
if (maxLen < tktLen)
return KTC_TOOBIG;
memcpy(token.ticket, stp, tktLen);
token.startTime = ct.BeginTimestamp;
token.endTime = ct.EndTimestamp;
if (ct.AuthHandle == -1)
ct.AuthHandle = 999;
token.kvno = ct.AuthHandle;
memcpy(&token.sessionKey, ct.HandShakeKey,
sizeof(struct ktc_encryptionKey));
token.ticketLen = tktLen;
if ((token.kvno == 999) || /* old style bcrypt ticket */
(ct.BeginTimestamp && /* new w/ prserver lookup */
(((ct.EndTimestamp - ct.BeginTimestamp) & 1) == 1))) {
sprintf(clientName.name, "AFS ID %d", ct.ViceId);
clientName.instance[0] = 0;
} else {
sprintf(clientName.name, "Unix UID %d", ct.ViceId);
clientName.instance[0] = 0;
}
strlcpy(clientName.cell, tp, sizeof(clientName.cell));
tokenExpireTime = token.endTime;
strlcpy(UserName, clientName.name, sizeof(UserName));
if (clientName.instance[0] != 0) {
strlcat(UserName, ".", sizeof(UserName));
strlcat(UserName, clientName.instance, sizeof(UserName));
}
if (UserName[0] == 0)
printf("Tokens");
else if (strncmp(UserName, "AFS ID", 6) == 0) {
printf("User's (%s) tokens", UserName);
} else if (strncmp(UserName, "Unix UID", 8) == 0) {
printf("Tokens");
} else
printf("User %s's tokens", UserName);
printf(" for %s%s%s@%s ", clientName.name,
clientName.instance[0] ? "." : "", clientName.instance,
clientName.cell);
if (tokenExpireTime <= current_time)
printf("[>> Expired <<]\n");
else {
expireString = ctime(&tokenExpireTime);
expireString += 4; /*Move past the day of week */
expireString[12] = '\0';
printf("[Expires %s]\n", expireString);
}
}
}
}
return code;
}
/* Copy the AFS service token into the kernel for a particular host and user */
static int
NFSCopyToken(afs_int32 ahost, afs_int32 auid)
{
struct ktc_principal client, server;
struct ktc_token theTicket;
afs_int32 code;
afs_int32 pheader[6];
char space[1200];
struct ClearToken ct;
afs_int32 index, newIndex;
afs_int32 temp; /* for bcopy */
char *tp;
struct ViceIoctl blob;
for (index = 0;; index = newIndex) {
code = ktc_ListTokens(index, &newIndex, &server);
if (code) {
if (code == KTC_NOENT) {
/* all done */
code = 0;
}
break; /* done, but failed */
}
if (strcmp(server.name, "afs") != 0)
continue; /* wrong ticket service */
code = ktc_GetToken(&server, &theTicket, sizeof(theTicket), &client);
if (code)
return code;
/* otherwise we've got the token, now prepare to build the pioctl args */
pheader[0] = ahost;
pheader[1] = auid;
pheader[2] = 0; /* group low */
pheader[3] = 0; /* group high */
pheader[4] = 3; /* set token pioctl index */
pheader[5] = 1; /* NFS protocol exporter # */
/* copy in the header */
memcpy(space, pheader, sizeof(pheader));
tp = space + sizeof(pheader);
/* copy in the size of the encrypted part */
memcpy(tp, &theTicket.ticketLen, sizeof(afs_int32));
tp += sizeof(afs_int32);
/* copy in the ticket itself */
memcpy(tp, theTicket.ticket, theTicket.ticketLen);
tp += theTicket.ticketLen;
/* copy in "clear token"'s size */
temp = sizeof(struct ClearToken);
memcpy(tp, &temp, sizeof(afs_int32));
tp += sizeof(afs_int32);
/* create the clear token and copy *it* in */
ct.AuthHandle = theTicket.kvno; /* where we hide the key version # */
memcpy(ct.HandShakeKey, &theTicket.sessionKey,
sizeof(ct.HandShakeKey));
ct.ViceId = auid;
ct.BeginTimestamp = theTicket.startTime;
ct.EndTimestamp = theTicket.endTime;
memcpy(tp, &ct, sizeof(ct));
tp += sizeof(ct);
/* copy in obsolete primary flag */
temp = 0;
memcpy(tp, &temp, sizeof(afs_int32));
tp += sizeof(afs_int32);
/* copy in cell name, null terminated */
strcpy(tp, server.cell);
tp += strlen(server.cell) + 1;
/* finally setup the pioctl call's parameters */
blob.in_size = tp - space;
blob.in = space;
blob.out_size = 0;
blob.out = NULL;
code = pioctl(NULL, _VICEIOCTL(99), &blob, 0);
if (code) {
code = errno;
break;
}
}
return code;
}
int
not_an_API_LeashAFSGetToken(
TICKETINFO * ticketinfo,
TicketList** ticketList,
char * kerberosPrincipal
)
{
#ifdef NO_AFS
return(0);
#else
struct ktc_principal aserver;
struct ktc_principal aclient;
struct ktc_token atoken;
int EndMonth;
int EndDay;
int cellNum;
int BreakAtEnd;
char UserName[64];
char CellName[64];
char ServiceName[64];
char InstanceName[64];
char EndTime[16];
char Buffer[256];
char Months[12][4] = {"Jan\0", "Feb\0", "Mar\0", "Apr\0", "May\0", "Jun\0", "Jul\0", "Aug\0", "Sep\0", "Oct\0", "Nov\0", "Dec\0"};
char TokenStatus[16];
time_t CurrentTime;
struct tm *newtime;
DWORD CurrentState;
DWORD rc;
char HostName[64];
TicketList* list = NULL;
if ( ticketinfo ) {
ticketinfo->btickets = NO_TICKETS;
ticketinfo->principal[0] = '\0';
}
if ( !kerberosPrincipal )
kerberosPrincipal = "";
if (!AfsAvailable || GetAfsStatus(&AfsOnLine) && !AfsOnLine)
return(0);
CurrentState = 0;
memset(HostName, '\0', sizeof(HostName));
gethostname(HostName, sizeof(HostName));
if (GetServiceStatus(HostName, TRANSARCAFSDAEMON, &CurrentState) != NOERROR)
return(0);
if (CurrentState != SERVICE_RUNNING)
return(0);
BreakAtEnd = 0;
cellNum = 0;
while (1)
{
if (rc = ktc_ListTokens(cellNum, &cellNum, &aserver))
{
if (rc != KTC_NOENT)
return(0);
if (BreakAtEnd == 1)
break;
}
BreakAtEnd = 1;
memset(&atoken, '\0', sizeof(atoken));
if (rc = ktc_GetToken(&aserver, &atoken, sizeof(atoken), &aclient))
{
if (rc == KTC_ERROR)
return(0);
continue;
}
if (!list)
{
list = (TicketList*) calloc(1, sizeof(TicketList));
(*ticketList) = list;
}
else
{
list->next = (struct TicketList*) calloc(1, sizeof(TicketList));
list = (TicketList*) list->next;
}
CurrentTime = time(NULL);
newtime = localtime(&atoken.endTime);
memset(UserName, '\0', sizeof(UserName));
strcpy(UserName, aclient.name);
memset(CellName, '\0', sizeof(CellName));
strcpy(CellName, aclient.cell);
memset(InstanceName, '\0', sizeof(InstanceName));
strcpy(InstanceName, aclient.instance);
memset(ServiceName, '\0', sizeof(ServiceName));
strcpy(ServiceName, aserver.name);
memset(TokenStatus, '\0', sizeof(TokenStatus));
EndDay = newtime->tm_mday;
EndMonth = newtime->tm_mon + 1;;
sprintf(EndTime, "%02d:%02d:%02d", newtime->tm_hour, newtime->tm_min, newtime->tm_sec);
sprintf(Buffer," %s %02d %s %s%s%s@%s %s",
Months[EndMonth - 1], EndDay, EndTime,
UserName,
InstanceName[0] ? "." : "",
InstanceName,
CellName,
TokenStatus);
list->theTicket = (char*) calloc(1, sizeof(Buffer));
if (!list->theTicket)
{
#ifdef USE_MESSAGE_BOX
MessageBox(NULL, "Memory Error", "Error", MB_OK);
#endif /* USE_MESSAGE_BOX */
return ENOMEM;
}
strcpy(list->theTicket, Buffer);
list->name = strdup(aclient.name);
list->inst = aclient.instance[0] ? strdup(aclient.instance) : NULL;
list->realm = strdup(aclient.cell);
list->encTypes = NULL;
list->addrCount = 0;
list->addrList = NULL;
if ( ticketinfo ) {
sprintf(Buffer,"%s@%s",UserName,CellName);
if (!ticketinfo->principal[0] || !stricmp(Buffer,kerberosPrincipal)) {
strcpy(ticketinfo->principal, Buffer);
ticketinfo->issue_date = 0;
ticketinfo->lifetime = atoken.endTime;
ticketinfo->renew_till = 0;
_tzset();
if ( ticketinfo->lifetime - time(0) <= 0L )
ticketinfo->btickets = EXPD_TICKETS;
else
ticketinfo->btickets = GOOD_TICKETS;
}
}
}
return(0);
#endif
}
int
main(int argc, char **argv)
{ /*Main program */
int cellNum; /*Cell entry number */
int rc; /*Return value from U_CellGetLocalTokens */
time_t current_time; /*Current time of day */
time_t tokenExpireTime; /*When token expires */
char *expireString; /*Char string of expiration time */
char UserName[MAXKTCNAMELEN * 2 + 2]; /*Printable user name */
struct ktc_principal serviceName, clientName; /* service name for ticket */
struct ktc_token token; /* the token we're printing */
#ifdef AFS_AIX32_ENV
/*
* The following signal action for AIX is necessary so that in case of a
* crash (i.e. core is generated) we can include the user's data section
* in the core dump. Unfortunately, by default, only a partial core is
* generated which, in many cases, isn't too useful.
*/
struct sigaction nsa;
sigemptyset(&nsa.sa_mask);
nsa.sa_handler = SIG_DFL;
nsa.sa_flags = SA_FULLDUMP;
sigaction(SIGSEGV, &nsa, NULL);
#endif
/* has no args ... support for help flag */
if (argc > 1) {
/* syntax from AFS Com Ref Man p9-39 */
printf("Usage: tokens [-help]\n");
fflush(stdout);
exit(0);
}
printf("\nTokens held by the Cache Manager:\n\n");
cellNum = 0;
current_time = time(0);
while (1) {
rc = ktc_ListTokens(cellNum, &cellNum, &serviceName);
if (rc) {
/* only error is now end of list */
printf(" --End of list--\n");
break;
} else {
/* get the ticket info itself */
rc = ktc_GetToken(&serviceName, &token, sizeof(token),
&clientName);
if (rc) {
printf
("tokens: failed to get token info for service %s.%s.%s (code %d)\n",
serviceName.name, serviceName.instance, serviceName.cell,
rc);
continue;
}
tokenExpireTime = token.endTime;
strcpy(UserName, clientName.name);
if (clientName.instance[0] != 0) {
strcat(UserName, ".");
strcat(UserName, clientName.instance);
}
if (UserName[0] == 0)
printf("Tokens");
else if (strncmp(UserName, "AFS ID", 6) == 0) {
printf("User's (%s) tokens", UserName);
} else if (strncmp(UserName, "Unix UID", 8) == 0) {
printf("Tokens");
} else
printf("User %s's tokens", UserName);
printf(" for %s%s%s@%s ", serviceName.name,
serviceName.instance[0] ? "." : "", serviceName.instance,
serviceName.cell);
if (tokenExpireTime <= current_time)
printf("[>> Expired <<]\n");
else {
expireString = ctime(&tokenExpireTime);
expireString += 4; /*Move past the day of week */
expireString[12] = '\0';
printf("[Expires %s]\n", expireString);
}
}
}
exit(0);
} /*Main program */
