From 0c09070e8beec734e3f0c70e14b0a04788077b73 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:25:52 +0200
Subject: [PATCH 2/3] adenroll: add adcli_enroll_get_permitted_keytab_enctypes
 with tests

The new call does not only return the current encryption types set in AD
or a default list but filters them with the list of permitted encryption
types on the client. This makes sure the client can create and use the
keys.

Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
 library/Makefile.am |   5 ++
 library/adenroll.c  | 124 ++++++++++++++++++++++++++++++++++++++++++++
 library/adenroll.h  |   2 +
 3 files changed, 131 insertions(+)

diff --git a/library/Makefile.am b/library/Makefile.am
index 39e8fd1..4829555 100644
--- a/library/Makefile.am
+++ b/library/Makefile.am
@@ -40,6 +40,7 @@ check_PROGRAMS = \
 	test-util \
 	test-ldap \
 	test-attrs \
+	test-adenroll \
 	$(NULL)
 
 test_seq_SOURCES = seq.c test.c test.h
@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES)
 test_attrs_CFLAGS = -DATTRS_TESTS
 test_attrs_LDADD = $(test_ldap_LDADD)
 
+test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES)
+test_adenroll_CFLAGS = -DADENROLL_TESTS
+test_adenroll_LDADD = $(KRB5_LIBS)
+
 TESTS = $(check_PROGRAMS)
 
 MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes
diff --git a/library/adenroll.c b/library/adenroll.c
index f617f28..95c07cd 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2641,6 +2641,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
 		return v51_earlier_enctypes;
 }
 
+krb5_enctype *
+adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+{
+	krb5_enctype *cur_enctypes;
+	krb5_enctype *permitted_enctypes;
+	krb5_enctype *new_enctypes;
+	krb5_error_code code;
+	krb5_context k5;
+	size_t c;
+	size_t p;
+	size_t n;
+
+	return_val_if_fail (enroll != NULL, NULL);
+	cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+
+	k5 = adcli_conn_get_krb5_context (enroll->conn);
+	return_val_if_fail (k5 != NULL, NULL);
+
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+	return_val_if_fail (code == 0, NULL);
+
+	for (c = 0; cur_enctypes[c] != 0; c++);
+
+	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+	return_val_if_fail (new_enctypes != NULL, NULL);
+
+	n = 0;
+	for (c = 0; cur_enctypes[c] != 0; c++) {
+		for (p = 0; permitted_enctypes[p] != 0; p++) {
+			if (cur_enctypes[c] == permitted_enctypes[p]) {
+				new_enctypes[n++] = cur_enctypes[c];
+				break;
+			}
+		}
+		if (permitted_enctypes[p] == 0) {
+			_adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]);
+		}
+	}
+
+	krb5_free_enctypes (k5, permitted_enctypes);
+
+	return new_enctypes;
+}
+
 void
 adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
                                   krb5_enctype *value)
@@ -2833,3 +2877,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
 							    strdup (value), NULL);
 	return_if_fail (enroll->service_principals_to_remove != NULL);
 }
+
+#ifdef ADENROLL_TESTS
+
+#include "test.h"
+
+static void
+test_adcli_enroll_get_permitted_keytab_enctypes (void)
+{
+	krb5_enctype *enctypes;
+	krb5_error_code code;
+	krb5_enctype *permitted_enctypes;
+	krb5_enctype check_enctypes[3] = { 0 };
+	adcli_conn *conn;
+	adcli_enroll *enroll;
+	adcli_result res;
+	krb5_context k5;
+	size_t c;
+
+	conn = adcli_conn_new ("test.dom");
+	assert_ptr_not_null (conn);
+
+	enroll = adcli_enroll_new (conn);
+	assert_ptr_not_null (enroll);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL);
+	assert_ptr_eq (enctypes, NULL);
+
+	/* krb5 context missing */
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_eq (enctypes, NULL);
+
+	/* check that all permitted enctypes can pass */
+	res = _adcli_krb5_init_context (&k5);
+	assert_num_eq (res, ADCLI_SUCCESS);
+
+	adcli_conn_set_krb5_context (conn, k5);
+
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+	assert_num_eq (code, 0);
+	assert_ptr_not_null (permitted_enctypes);
+	assert_num_cmp (permitted_enctypes[0], !=, 0);
+
+	adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_not_null (enctypes);
+	for (c = 0; permitted_enctypes[c] != 0; c++) {
+		assert_num_eq (enctypes[c], permitted_enctypes[c]);
+	}
+	assert_num_eq (enctypes[c], 0);
+	krb5_free_enctypes (k5, enctypes);
+
+	/* check that ENCTYPE_UNKNOWN is filtered out */
+	check_enctypes[0] = permitted_enctypes[0];
+	check_enctypes[1] = ENCTYPE_UNKNOWN;
+	check_enctypes[2] = 0;
+	adcli_enroll_set_keytab_enctypes (enroll, check_enctypes);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_not_null (enctypes);
+	assert_num_eq (enctypes[0], permitted_enctypes[0]);
+	assert_num_eq (enctypes[1], 0);
+	krb5_free_enctypes (k5, enctypes);
+
+	krb5_free_enctypes (k5, permitted_enctypes);
+
+	adcli_enroll_unref (enroll);
+	adcli_conn_unref (conn);
+}
+
+int
+main (int argc,
+      char *argv[])
+{
+	test_func (test_adcli_enroll_get_permitted_keytab_enctypes,
+	           "/attrs/adcli_enroll_get_permitted_keytab_enctypes");
+	return test_run (argc, argv);
+}
+
+#endif /* ADENROLL_TESTS */
diff --git a/library/adenroll.h b/library/adenroll.h
index abbbfd4..1d5d00d 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -138,6 +138,8 @@ krb5_enctype *     adcli_enroll_get_keytab_enctypes     (adcli_enroll *enroll);
 void               adcli_enroll_set_keytab_enctypes     (adcli_enroll *enroll,
                                                          krb5_enctype *enctypes);
 
+krb5_enctype *     adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll);
+
 const char *       adcli_enroll_get_os_name             (adcli_enroll *enroll);
 
 void               adcli_enroll_set_os_name             (adcli_enroll *enroll,
-- 
2.20.1