/// Queries an optional string from a statement.
///
/// \param stmt The statement from which to get the column.
/// \param column The name of the column holding the value.
///
/// \return The parsed value if all goes well.
///
/// \throw integrity_error If the value in the specified column is invalid.
std::string
store::column_optional_string(sqlite::statement& stmt, const char* column)
{
const int id = stmt.column_id(column);
switch (stmt.column_type(id)) {
case sqlite::type_text:
return stmt.column_text(id);
case sqlite::type_null:
return "";
default:
throw integrity_error(F("Invalid string type in column %s") % column);
}
}
/// Constructor.
///
/// \param database_ The SQLite database instance.
/// \param metadata_ The metadata for the loaded database. This must match
/// the schema version we implement in this module; otherwise, a
/// migration is necessary.
///
/// \throw integrity_error If the schema in the database is too modern,
/// which might indicate some form of corruption or an old binary.
/// \throw old_schema_error If the schema in the database is older than our
/// currently-implemented version and needs an upgrade. The caller can
/// use migrate_schema() to fix this problem.
impl(sqlite::database& database_, const metadata& metadata_) :
database(database_)
{
const int database_version = metadata_.schema_version();
if (database_version == detail::current_schema_version) {
// OK.
} else if (database_version < detail::current_schema_version) {
throw old_schema_error(database_version);
} else if (database_version > detail::current_schema_version) {
throw integrity_error(
F("Database at schema version %s, which is newer than the "
"supported version %s")
% database_version % detail::current_schema_version);
}
}
/* Decrypt the ticket in req using a principal looked up from keytab.
* explicit_server should be true if this is the only usable principal. */
static krb5_error_code
try_one_princ(krb5_context context, const krb5_ap_req *req,
krb5_const_principal princ, krb5_keytab keytab,
krb5_boolean explicit_server, krb5_keyblock *keyblock_out)
{
krb5_error_code ret;
krb5_keytab_entry ent;
krb5_kvno tkt_kvno = req->ticket->enc_part.kvno;
krb5_enctype tkt_etype = req->ticket->enc_part.enctype;
krb5_principal tkt_server = req->ticket->server;
ret = krb5_kt_get_entry(context, keytab, princ, tkt_kvno, tkt_etype, &ent);
if (ret) {
return keytab_fetch_error(context, ret, princ, tkt_server, tkt_kvno,
explicit_server);
}
ret = try_one_entry(context, req, &ent, keyblock_out);
if (ret == 0)
TRACE_RD_REQ_DECRYPT_SPECIFIC(context, ent.principal, &ent.key);
(void)krb5_free_keytab_entry_contents(context, &ent);
if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
return integrity_error(context, princ, req->ticket->server);
return ret;
}