From 90de65f2bee5b27e9b2c19d9ab8a04604ef9b9f6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Fri, 3 Jul 2009 04:26:39 +0000
Subject: [PATCH] If backend implements ->hdb_check_constrained_delegation, use it for processing.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25303 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/krb5tgs.c | 36 +++++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 358b11276b0..53a4784e402 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -492,6 +492,7 @@ check_tgs_flags(krb5_context context,
 static krb5_error_code
 check_constrained_delegation(krb5_context context,
                              krb5_kdc_configuration *config,
+                             HDB *clientdb,
                              hdb_entry_ex *client,
                              krb5_const_principal server)
 {
@@ -499,21 +500,28 @@ check_constrained_delegation(krb5_context context,
     krb5_error_code ret;
     int i;
 
-    ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
-    if (ret) {
-        krb5_clear_error_message(context);
-        return ret;
-    }
-
-    if (acl) {
-        for (i = 0; i < acl->len; i++) {
-            if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
-                return 0;
+    if (clientdb->hdb_check_constrained_delegation) {
+        ret = clientdb->hdb_check_constrained_delegation(context, clientdb, client, server);
+        if (ret == 0)
+            return 0;
+    } else {
+        ret = hdb_entry_get_ConstrainedDelegACL(&client->entry, &acl);
+        if (ret) {
+            krb5_clear_error_message(context);
+            return ret;
+        }
+
+        if (acl) {
+            for (i = 0; i < acl->len; i++) {
+                if (krb5_principal_compare(context, server, &acl->val[i]) == TRUE)
+                    return 0;
+            }
         }
+        ret = KRB5KDC_ERR_BADOPTION;
     }
     kdc_log(context, config, 0,
             "Bad request for constrained delegation");
-    return KRB5KDC_ERR_BADOPTION;
+    return ret;
 }
 
 /*
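Review bot: check_constrained_delegation has no comment describing its contract, and the new `HDB *clientdb` parameter makes that contract two-pronged (backend hook first, entry ACL extension otherwise), so the signature is now the place to state it. A comment above `static krb5_error_code` along the lines of `/* Return 0 if client may delegate to server: ask the backend's hdb_check_constrained_delegation hook when it exists, else match server against the entry's constrained-delegation ACL. Any other value denies. */` would capture it. Since the following hunk dereferences clientdb without a NULL check, the comment should also state that clientdb must be the HDB the client entry was fetched from and may not be NULL.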
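Review bot: In the new backend branch a non-zero result from `clientdb->hdb_check_constrained_delegation` is logged as "Bad request for constrained delegation" and then returned verbatim via `return ret;`, so a backend failure that is not a policy decision (a lookup or I/O error, for instance) now reaches the caller — and, through the caller's "not allowed" path, the client's KRB-ERROR — as whatever code the backend chose, while the ACL branch keeps the stable KRB5KDC_ERR_BADOPTION and clears the error message on a lookup failure. Either document at the hook's declaration that it must return KRB5KDC_ERR_BADOPTION (or another KDC protocol code) for a denial, or normalise here so the wire-visible error does not depend on the backend, e.g. after the hook call `if (ret) { krb5_clear_error_message(context); ret = KRB5KDC_ERR_BADOPTION; }`. As a point of style, the hook call is the only line in this function past the 80-column wrapping the rest uses; `ret = clientdb->hdb_check_constrained_delegation(context, clientdb,` / `client, server);` keeps it consistent. The hunk's first lines belong to a declaration block that starts before the hunk.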
@@ -1369,6 +1377,7 @@ tgs_build_reply(krb5_context context,
     krb5_principal client_principal = NULL;
     char *spn = NULL, *cpn = NULL;
     hdb_entry_ex *server = NULL, *client = NULL;
+    HDB *clientdb;
     krb5_realm ref_realm = NULL;
     EncTicketPart *tgt = &ticket->ticket;
     krb5_principals spp = NULL;
@@ -1531,7 +1540,7 @@ server_lookup:
     }
 
     ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
-                        NULL, &client);
+                        &clientdb, &client);
     if(ret) {
         const char *krbtgt_realm;
 
@@ -1805,7 +1814,8 @@ server_lookup:
         goto out;
     }
 
-    ret = check_constrained_delegation(context, config, client, sp);
+    ret = check_constrained_delegation(context, config, clientdb,
+                                       client, sp);
     if (ret) {
         kdc_log(context, config, 0,
             "constrained delegation from %s to %s not allowed",
-- 
2.11.4.GIT
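Review bot: `HDB *clientdb;` in tgs_build_reply is declared without an initializer, and the only assignment visible is the `&clientdb` out-parameter of `_kdc_db_fetch` in the next hunk; the context there (`const char *krbtgt_realm;` inside `if(ret)`) suggests the function carries on after a failed fetch for clients from another realm, and whether `_kdc_db_fetch` assigns its db out-parameter on failure is not visible in this patch. If the later `check_constrained_delegation(context, config, clientdb, client, sp)` call can be reached on that path, `clientdb->hdb_check_constrained_delegation` dereferences an indeterminate pointer. Initialise the local, `HDB *clientdb = NULL;`, and have check_constrained_delegation (or its call site) reject `clientdb == NULL` explicitly so the dependency is not left to the code between the hunks. tgs_build_reply starts before these hunks and continues well past them.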