
From 0c09070e8beec734e3f0c70e14b0a04788077b73 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:25:52 +0200
Subject: [PATCH 2/3] adenroll: add adcli_enroll_get_permitted_keytab_enctypes
 with tests
The new call not only returns the current encryption types set in AD
or a default list but filters them with the list of permitted encryption
types on the client. This makes sure the client can create and use the
keys.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
 library/Makefile.am |   5 ++
 library/adenroll.c  | 124 ++++++++++++++++++++++++++++++++++++++++++++
 library/adenroll.h  |   2 +
 3 files changed, 131 insertions(+)
diff --git a/library/Makefile.am b/library/Makefile.am
index 39e8fd1..4829555 100644
--- a/library/Makefile.am
+++ b/library/Makefile.am
@@ -40,6 +40,7 @@ check_PROGRAMS = \
 	test-util \
 	test-ldap \
 	test-attrs \
+	test-adenroll \
 	$(NULL)
 
 test_seq_SOURCES = seq.c test.c test.h
@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES)
 test_attrs_CFLAGS = -DATTRS_TESTS
 test_attrs_LDADD = $(test_ldap_LDADD)
 
+test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES)
+test_adenroll_CFLAGS = -DADENROLL_TESTS
+test_adenroll_LDADD = $(KRB5_LIBS)
+
 TESTS = $(check_PROGRAMS)
 
 MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes
diff --git a/library/adenroll.c b/library/adenroll.c
index f617f28..95c07cd 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2641,6 +2641,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
 		return v51_earlier_enctypes;
 }
 
+krb5_enctype *
+adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+{
+	krb5_enctype *cur_enctypes;
+	krb5_enctype *permitted_enctypes;
+	krb5_enctype *new_enctypes;
+	krb5_error_code code;
+	krb5_context k5;
+	size_t c;
+	size_t p;
+	size_t n;
+
+	return_val_if_fail (enroll != NULL, NULL);
+	cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+
+	k5 = adcli_conn_get_krb5_context (enroll->conn);
+	return_val_if_fail (k5 != NULL, NULL);
+
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+	return_val_if_fail (code == 0, NULL);
+
+	for (c = 0; cur_enctypes[c] != 0; c++);
+
+	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+	return_val_if_fail (new_enctypes != NULL, NULL);
+
+	n = 0;
+	for (c = 0; cur_enctypes[c] != 0; c++) {
+		for (p = 0; permitted_enctypes[p] != 0; p++) {
+			if (cur_enctypes[c] == permitted_enctypes[p]) {
+				new_enctypes[n++] = cur_enctypes[c];
+				break;
+			}
+		}
+		if (permitted_enctypes[p] == 0) {
+			_adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]);
+		}
+	}
+
+	krb5_free_enctypes (k5, permitted_enctypes);
+
+	return new_enctypes;
+}
+
 void
 adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
                                   krb5_enctype *value)
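Review bot: `return_val_if_fail (new_enctypes != NULL, NULL);` on the calloc failure path returns after krb5_get_permitted_enctypes has already succeeded, so permitted_enctypes leaks there; release it first, e.g. `if (new_enctypes == NULL) { krb5_free_enctypes (k5, permitted_enctypes); return NULL; }` (log before returning if the macro's diagnostic is wanted). The result is allocated with calloc, yet the test hunk below frees it with krb5_free_enctypes, so the two are only interchangeable where krb5_free_enctypes is plain free(); a comment above the definition — and on the declaration added to adenroll.h — should state that the caller owns the returned list and which deallocator to use. When none of the configured types is permitted the function returns a list holding only the terminating 0, which a caller must treat as "no usable key types" rather than proceed to write a keytab; that outcome deserves a mention in the same comment. Whether adcli_enroll_get_keytab_enctypes can return NULL is not visible here; the context line `return v51_earlier_enctypes;` suggests a default list is always returned, but if it can be NULL the length loop would dereference it.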
@@ -2833,3 +2877,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
 							    strdup (value), NULL);
 	return_if_fail (enroll->service_principals_to_remove != NULL);
 }
+
+#ifdef ADENROLL_TESTS
+
+#include "test.h"
+
+static void
+test_adcli_enroll_get_permitted_keytab_enctypes (void)
+{
+	krb5_enctype *enctypes;
+	krb5_error_code code;
+	krb5_enctype *permitted_enctypes;
+	krb5_enctype check_enctypes[3] = { 0 };
+	adcli_conn *conn;
+	adcli_enroll *enroll;
+	adcli_result res;
+	krb5_context k5;
+	size_t c;
+
+	conn = adcli_conn_new ("test.dom");
+	assert_ptr_not_null (conn);
+
+	enroll = adcli_enroll_new (conn);
+	assert_ptr_not_null (enroll);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL);
+	assert_ptr_eq (enctypes, NULL);
+
+	/* krb5 context missing */
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_eq (enctypes, NULL);
+
+	/* check that all permitted enctypes can pass */
+	res = _adcli_krb5_init_context (&k5;;
+	assert_num_eq (res, ADCLI_SUCCESS);
+
+	adcli_conn_set_krb5_context (conn, k5);
+
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+	assert_num_eq (code, 0);
+	assert_ptr_not_null (permitted_enctypes);
+	assert_num_cmp (permitted_enctypes[0], !=, 0);
+
+	adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_not_null (enctypes);
+	for (c = 0; permitted_enctypes[c] != 0; c++) {
+		assert_num_eq (enctypes[c], permitted_enctypes[c]);
+	}
+	assert_num_eq (enctypes[c], 0);
+	krb5_free_enctypes (k5, enctypes);
+
+	/* check that ENCTYPE_UNKNOWN is filtered out */
+	check_enctypes[0] = permitted_enctypes[0];
+	check_enctypes[1] = ENCTYPE_UNKNOWN;
+	check_enctypes[2] = 0;
+	adcli_enroll_set_keytab_enctypes (enroll, check_enctypes);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_not_null (enctypes);
+	assert_num_eq (enctypes[0], permitted_enctypes[0]);
+	assert_num_eq (enctypes[1], 0);
+	krb5_free_enctypes (k5, enctypes);
+
+	krb5_free_enctypes (k5, permitted_enctypes);
+
+	adcli_enroll_unref (enroll);
+	adcli_conn_unref (conn);
+}
+
+int
+main (int argc,
+      char *argv[])
+{
+	test_func (test_adcli_enroll_get_permitted_keytab_enctypes,
+	           "/attrs/adcli_enroll_get_permitted_keytab_enctypes");
+	return test_run (argc, argv);
+}
+
+#endif /* ADENROLL_TESTS */
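Review bot: `res = _adcli_krb5_init_context (&k5;;` as rendered is not valid C; presumably the committed line is `res = _adcli_krb5_init_context (&k5);`, but it is worth confirming that the page, not the patch, is what got mangled. The test is registered in main under `"/attrs/adcli_enroll_get_permitted_keytab_enctypes"`, a prefix that looks carried over from the adattrs test file; `"/adenroll/adcli_enroll_get_permitted_keytab_enctypes"` would name the module under test. The second case hands the stack array check_enctypes to adcli_enroll_set_keytab_enctypes and later unrefs enroll; whether that is safe depends on the setter copying the list, which is outside this hunk.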
diff --git a/library/adenroll.h b/library/adenroll.h
index abbbfd4..1d5d00d 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -138,6 +138,8 @@ krb5_enctype *     adcli_enroll_get_keytab_enctypes     (adcli_enroll *enroll);
 void               adcli_enroll_set_keytab_enctypes     (adcli_enroll *enroll,
                                                          krb5_enctype *enctypes);
 
+krb5_enctype *     adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll);
+
 const char *       adcli_enroll_get_os_name             (adcli_enroll *enroll);
 
 void               adcli_enroll_set_os_name             (adcli_enroll *enroll,
-- 
2.20.1