1 files changed, 223 insertions, 44 deletions

diff --git a/src/kdc/policy.c b/src/kdc/policy.c
index 6cba4303f81d..26c16f97cb53 100644
--- a/src/kdc/policy.c
+++ b/src/kdc/policy.c
@@ -1,67 +1,246 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /* kdc/policy.c - Policy decision routines for KDC */
 /*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright (C) 2017 by Red Hat, Inc.
+ * All rights reserved.
  *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "k5-int.h"
 #include "kdc_util.h"
 #include "extern.h"
+#include "policy.h"
+#include "adm_proto.h"
+#include <krb5/kdcpolicy_plugin.h>
+#include <syslog.h>
+
+typedef struct kdcpolicy_handle_st {
+    struct krb5_kdcpolicy_vtable_st vt;
+    krb5_kdcpolicy_moddata moddata;
+} *kdcpolicy_handle;
+
+static kdcpolicy_handle *handles;
+
+static void
+free_indicators(char **ais)
+{
+    size_t i;
 
-int
-against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client,
-                        krb5_db_entry server, krb5_timestamp kdc_time,
-                        const char **status, krb5_pa_data ***e_data)
+    if (ais == NULL)
+        return;
+    for (i = 0; ais[i] != NULL; i++)
+        free(ais[i]);
+    free(ais);
+}
+
+/* Convert inds to a null-terminated list of C strings. */
+static krb5_error_code
+authind_strings(krb5_data *const *inds, char ***strs_out)
 {
-#if 0
-    /* An AS request must include the addresses field */
-    if (request->addresses == 0) {
-        *status = "NO ADDRESS";
-        return KRB5KDC_ERR_POLICY;
+    krb5_error_code ret;
+    char **list = NULL;
+    size_t i, count;
+
+    *strs_out = NULL;
+
+    for (count = 0; inds != NULL && inds[count] != NULL; count++);
+    list = k5calloc(count + 1, sizeof(*list), &ret);
+    if (list == NULL)
+        goto error;
+
+    for (i = 0; i < count; i++) {
+        list[i] = k5memdup0(inds[i]->data, inds[i]->length, &ret);
+        if (list[i] == NULL)
+            goto error;
     }
-#endif
 
-    return 0;                   /* not against policy */
+    *strs_out = list;
+    return 0;
+
+error:
+    free_indicators(list);
+    return ret;
+}
+
+/* Constrain times->endtime to life and times->renew_till to rlife, relative to
+ * now. */
+static void
+update_ticket_times(krb5_ticket_times *times, krb5_timestamp now,
+                    krb5_deltat life, krb5_deltat rlife)
+{
+    if (life)
+        times->endtime = ts_min(ts_incr(now, life), times->endtime);
+    if (rlife)
+        times->renew_till = ts_min(ts_incr(now, rlife), times->renew_till);
+}
+
+/* Check an AS request against kdcpolicy modules, updating times with any
+ * module endtime constraints.  Set an appropriate status string on error. */
+krb5_error_code
+check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request,
+                   const krb5_db_entry *client, const krb5_db_entry *server,
+                   krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
+                   krb5_ticket_times *times, const char **status)
+{
+    krb5_deltat life, rlife;
+    krb5_error_code ret;
+    kdcpolicy_handle *hp, h;
+    char **ais = NULL;
+
+    *status = NULL;
+
+    ret = authind_strings(auth_indicators, &ais);
+    if (ret)
+        goto done;
+
+    for (hp = handles; *hp != NULL; hp++) {
+        h = *hp;
+        if (h->vt.check_as == NULL)
+            continue;
+
+        ret = h->vt.check_as(context, h->moddata, request, client, server,
+                             (const char **)ais, status, &life, &rlife);
+        if (ret)
+            goto done;
+
+        update_ticket_times(times, kdc_time, life, rlife);
+    }
+
+done:
+    free_indicators(ais);
+    return ret;
 }
 
 /*
- * This is where local policy restrictions for the TGS should placed.
+ * Check the TGS request against the local TGS policy.  Accepts an
+ * authentication indicator for the module policy decisions.  Returns 0 and a
+ * NULL status string on success.
  */
 krb5_error_code
-against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server,
-                         krb5_ticket *ticket, const char **status,
-                         krb5_pa_data ***e_data)
+check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request,
+                    const krb5_db_entry *server, const krb5_ticket *ticket,
+                    krb5_data *const *auth_indicators, krb5_timestamp kdc_time,
+                    krb5_ticket_times *times, const char **status)
 {
-#if 0
-    /*
-     * For example, if your site wants to disallow ticket forwarding,
-     * you might do something like this:
-     */
-
-    if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
-        *status = "FORWARD POLICY";
-        return KRB5KDC_ERR_POLICY;
+    krb5_deltat life, rlife;
+    krb5_error_code ret;
+    kdcpolicy_handle *hp, h;
+    char **ais = NULL;
+
+    *status = NULL;
+
+    ret = authind_strings(auth_indicators, &ais);
+    if (ret)
+        goto done;
+
+    for (hp = handles; *hp != NULL; hp++) {
+        h = *hp;
+        if (h->vt.check_tgs == NULL)
+            continue;
+
+        ret = h->vt.check_tgs(context, h->moddata, request, server, ticket,
+                              (const char **)ais, status, &life, &rlife);
+        if (ret)
+            goto done;
+
+        update_ticket_times(times, kdc_time, life, rlife);
     }
-#endif
 
-    return 0;                           /* not against policy */
+done:
+    free_indicators(ais);
+    return ret;
+}
+
+void
+unload_kdcpolicy_plugins(krb5_context context)
+{
+    kdcpolicy_handle *hp, h;
+
+    for (hp = handles; *hp != NULL; hp++) {
+        h = *hp;
+        if (h->vt.fini != NULL)
+            h->vt.fini(context, h->moddata);
+        free(h);
+    }
+    free(handles);
+    handles = NULL;
+}
+
+krb5_error_code
+load_kdcpolicy_plugins(krb5_context context)
+{
+    krb5_error_code ret;
+    krb5_plugin_initvt_fn *modules = NULL, *mod;
+    kdcpolicy_handle h;
+    size_t count;
+
+    ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KDCPOLICY, &modules);
+    if (ret)
+        goto cleanup;
+
+    for (count = 0; modules[count] != NULL; count++);
+    handles = k5calloc(count + 1, sizeof(*handles), &ret);
+    if (handles == NULL)
+        goto cleanup;
+
+    count = 0;
+    for (mod = modules; *mod != NULL; mod++) {
+        h = k5calloc(1, sizeof(*h), &ret);
+        if (h == NULL)
+            goto cleanup;
+
+        ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
+        if (ret) {              /* Version mismatch. */
+            TRACE_KDCPOLICY_VTINIT_FAIL(context, ret);
+            free(h);
+            continue;
+        }
+        if (h->vt.init != NULL) {
+            ret = h->vt.init(context, &h->moddata);
+            if (ret == KRB5_PLUGIN_NO_HANDLE) {
+                TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name);
+                free(h);
+                continue;
+            }
+            if (ret) {
+                kdc_err(context, ret, _("while loading policy module %s"),
+                        h->vt.name);
+                free(h);
+                goto cleanup;
+            }
+        }
+        handles[count++] = h;
+    }
+
+    ret = 0;
+
+cleanup:
+    if (ret)
+        unload_kdcpolicy_plugins(context);
+    k5_plugin_free_modules(context, modules);
+    return ret;
 }