2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kuser_locl.h"
37 #include "parse_units.h"
38 #include "heimtools-commands.h"
39 #undef HC_DEPRECATED_CRYPTO
42 printable_time_internal(time_t t
, int x
)
47 if ((p
= ctime(&t
)) == NULL
)
48 strlcpy(s
, "?", sizeof(s
));
50 strlcpy(s
, p
+ 4, sizeof(s
));
56 printable_time(time_t t
)
58 return printable_time_internal(t
, 20);
62 printable_time_long(time_t t
)
64 return printable_time_internal(t
, 20);
67 #define COL_ISSUED NP_(" Issued","")
68 #define COL_EXPIRES NP_(" Expires", "")
69 #define COL_FLAGS NP_("Flags", "")
70 #define COL_NAME NP_(" Name", "")
71 #define COL_PRINCIPAL NP_(" Principal", "in klist output")
72 #define COL_PRINCIPAL_KVNO NP_(" Principal (kvno)", "in klist output")
73 #define COL_CACHENAME NP_(" Cache name", "name in klist output")
74 #define COL_DEFCACHE NP_("", "")
77 print_cred(krb5_context context
, krb5_creds
*cred
, rtbl_t ct
, int do_flags
)
83 krb5_timeofday (context
, &sec
);
86 if(cred
->times
.starttime
)
87 rtbl_add_column_entry(ct
, COL_ISSUED
,
88 printable_time(cred
->times
.starttime
));
90 rtbl_add_column_entry(ct
, COL_ISSUED
,
91 printable_time(cred
->times
.authtime
));
93 if(cred
->times
.endtime
> sec
)
94 rtbl_add_column_entry(ct
, COL_EXPIRES
,
95 printable_time(cred
->times
.endtime
));
97 rtbl_add_column_entry(ct
, COL_EXPIRES
, N_(">>>Expired<<<", ""));
98 ret
= krb5_unparse_name (context
, cred
->server
, &str
);
100 krb5_err(context
, 1, ret
, "krb5_unparse_name");
101 rtbl_add_column_entry(ct
, COL_PRINCIPAL
, str
);
104 if(cred
->flags
.b
.forwardable
)
106 if(cred
->flags
.b
.forwarded
)
108 if(cred
->flags
.b
.proxiable
)
110 if(cred
->flags
.b
.proxy
)
112 if(cred
->flags
.b
.may_postdate
)
114 if(cred
->flags
.b
.postdated
)
116 if(cred
->flags
.b
.renewable
)
118 if(cred
->flags
.b
.initial
)
120 if(cred
->flags
.b
.invalid
)
122 if(cred
->flags
.b
.pre_authent
)
124 if(cred
->flags
.b
.hw_authent
)
126 if(cred
->flags
.b
.transited_policy_checked
)
128 if(cred
->flags
.b
.ok_as_delegate
)
130 if(cred
->flags
.b
.anonymous
)
133 rtbl_add_column_entry(ct
, COL_FLAGS
, s
);
139 print_cred_verbose(krb5_context context
, krb5_creds
*cred
, int do_json
)
146 if (do_json
) { /* XXX support more json formating later */
147 printf("{ \"verbose-supported\" : false }");
151 krb5_timeofday (context
, &sec
);
153 ret
= krb5_unparse_name(context
, cred
->server
, &str
);
156 printf(N_("Server: %s\n", ""), str
);
159 ret
= krb5_unparse_name(context
, cred
->client
, &str
);
162 printf(N_("Client: %s\n", ""), str
);
165 if (krb5_is_config_principal(context
, cred
->server
)) {
166 if (krb5_principal_get_num_comp(context
, cred
->server
) > 1) {
169 /* If the payload is text and not secret/sensitive, print it */
170 s
= krb5_principal_get_comp_string(context
, cred
->server
, 1);
171 if (strcmp(s
, "start_realm") == 0 ||
172 strcmp(s
, "anon_pkinit_realm") == 0 ||
173 strcmp(s
, "default-ntlm-domain") == 0 ||
174 strcmp(s
, "FriendlyName") == 0 ||
175 strcmp(s
, "fast_avail") == 0 ||
176 strcmp(s
, "kx509store") == 0 ||
177 strcmp(s
, "kx509_service_realm") == 0 ||
178 strcmp(s
, "kx509_service_status") == 0)
179 printf(N_("Configuration item payload: %.*s\n", ""),
180 (int)cred
->ticket
.length
,
181 (const char *)cred
->ticket
.data
);
183 printf(N_("Configuration item payload length: %lu\n", ""),
184 (unsigned long)cred
->ticket
.length
);
185 } /* else... this is a meaningless entry; nothing would create it */
191 decode_Ticket(cred
->ticket
.data
, cred
->ticket
.length
, &t
, &len
);
192 ret
= krb5_enctype_to_string(context
, t
.enc_part
.etype
, &s
);
193 printf(N_("Ticket etype: ", ""));
198 printf(N_("unknown-enctype(%d)", ""), t
.enc_part
.etype
);
201 printf(N_(", kvno %d", ""), *t
.enc_part
.kvno
);
203 if(cred
->session
.keytype
!= t
.enc_part
.etype
) {
204 ret
= krb5_enctype_to_string(context
, cred
->session
.keytype
, &str
);
206 krb5_warn(context
, ret
, "session keytype");
208 printf(N_("Session key: %s\n", "enctype"), str
);
213 printf(N_("Ticket length: %lu\n", ""),
214 (unsigned long)cred
->ticket
.length
);
215 printf(N_("Auth time: %s\n", ""),
216 printable_time_long(cred
->times
.authtime
));
217 if(cred
->times
.authtime
!= cred
->times
.starttime
)
218 printf(N_("Start time: %s\n", ""),
219 printable_time_long(cred
->times
.starttime
));
220 printf(N_("End time: %s", ""),
221 printable_time_long(cred
->times
.endtime
));
222 if(sec
> cred
->times
.endtime
)
223 printf(N_(" (expired)", ""));
225 if(cred
->flags
.b
.renewable
)
226 printf(N_("Renew till: %s\n", ""),
227 printable_time_long(cred
->times
.renew_till
));
230 int result
= unparse_flags(TicketFlags2int(cred
->flags
.b
),
231 asn1_TicketFlags_units(),
232 flags
, sizeof(flags
));
234 printf(N_("Ticket flags: %s\n", ""), flags
);
237 printf(N_("Addresses: ", ""));
238 if (cred
->addresses
.len
!= 0) {
239 for(j
= 0; j
< cred
->addresses
.len
; j
++){
242 ret
= krb5_print_address(&cred
->addresses
.val
[j
],
243 buf
, sizeof(buf
), &len
);
249 printf(N_("addressless", ""));
256 * Print all tickets in `ccache' on stdout, verbosely if do_verbose.
260 print_tickets(krb5_context context
,
262 krb5_principal principal
,
268 char *str
, *name
, *fullname
;
270 krb5_cc_cursor cursor
;
276 ret
= krb5_unparse_name (context
, principal
, &str
);
278 krb5_err (context
, 1, ret
, "krb5_unparse_name");
280 ret
= krb5_cc_get_full_name(context
, ccache
, &fullname
);
282 krb5_err (context
, 1, ret
, "krb5_cc_get_full_name");
285 printf ("%17s: %s\n", N_("Credentials cache", ""), fullname
);
286 printf ("%17s: %s\n", N_("Principal", ""), str
);
288 ret
= krb5_cc_get_friendly_name(context
, ccache
, &name
);
290 if (strcmp(name
, str
) != 0)
291 printf ("%17s: %s\n", N_("Friendly name", ""), name
);
296 printf ("%17s: %d\n", N_("Cache version", ""),
297 krb5_cc_get_version(context
, ccache
));
299 krb5_cc_set_flags(context
, ccache
, KRB5_TC_NOTICKET
);
302 ret
= krb5_cc_get_kdc_offset(context
, ccache
, &sec
);
304 if (ret
== 0 && do_verbose
&& sec
!= 0) {
316 unparse_time (val
, buf
, sizeof(buf
));
318 printf ("%17s: %s%s\n", N_("KDC time offset", ""),
319 sig
== -1 ? "-" : "", buf
);
323 printf ("{ \"cache\" : \"%s\", \"principal\" : \"%s\", ", fullname
, str
);
327 ret
= krb5_cc_start_seq_get (context
, ccache
, &cursor
);
329 krb5_err(context
, 1, ret
, "krb5_cc_start_seq_get");
333 rtbl_add_column(ct
, COL_ISSUED
, 0);
334 rtbl_add_column(ct
, COL_EXPIRES
, 0);
336 rtbl_add_column(ct
, COL_FLAGS
, 0);
337 rtbl_add_column(ct
, COL_PRINCIPAL
, 0);
338 rtbl_set_separator(ct
, " ");
340 rtbl_set_flags(ct
, RTBL_JSON
);
341 printf("\"tickets\" : ");
344 if (do_verbose
&& do_json
)
345 printf("\"tickets\" : [");
346 while ((ret
= krb5_cc_next_cred(context
, ccache
, &cursor
, &creds
)) == 0) {
347 if (!do_hidden
&& krb5_is_config_principal(context
, creds
.server
)) {
349 } else if (do_verbose
) {
350 if (do_json
&& print_comma
)
352 print_cred_verbose(context
, &creds
, do_json
);
355 print_cred(context
, &creds
, ct
, do_flags
);
357 krb5_free_cred_contents(context
, &creds
);
359 if (ret
!= KRB5_CC_END
)
360 krb5_err(context
, 1, ret
, "krb5_cc_get_next");
361 ret
= krb5_cc_end_seq_get (context
, ccache
, &cursor
);
363 krb5_err(context
, 1, ret
, "krb5_cc_end_seq_get");
366 rtbl_format(ct
, stdout
);
378 * Check if there's a tgt for the realm of `principal' and ccache and
379 * if so return 0, else 1
383 check_expiration(krb5_context context
,
390 ret
= krb5_cc_get_lifetime(context
, ccache
, &t
);
395 *expiration
= time(NULL
) + t
;
401 * Print a list of all AFS tokens
407 display_tokens(int do_verbose
)
410 unsigned char t
[4096];
411 struct ViceIoctl parms
;
413 parms
.in
= (void *)&i
;
414 parms
.in_size
= sizeof(i
);
415 parms
.out
= (void *)t
;
416 parms
.out_size
= sizeof(t
);
419 int32_t size_secret_tok
, size_public_tok
;
421 struct ClearToken ct
;
422 unsigned char *r
= t
;
424 char buf1
[20], buf2
[20];
426 if(k_pioctl(NULL
, VIOCGETTOK
, &parms
, 0) < 0) {
431 if(parms
.out_size
> sizeof(t
))
433 if(parms
.out_size
< sizeof(size_secret_tok
))
435 t
[min(parms
.out_size
,sizeof(t
)-1)] = 0;
436 memcpy(&size_secret_tok
, r
, sizeof(size_secret_tok
));
437 /* don't bother about the secret token */
438 r
+= size_secret_tok
+ sizeof(size_secret_tok
);
439 if (parms
.out_size
< (r
- t
) + sizeof(size_public_tok
))
441 memcpy(&size_public_tok
, r
, sizeof(size_public_tok
));
442 r
+= sizeof(size_public_tok
);
443 if (parms
.out_size
< (r
- t
) + size_public_tok
+ sizeof(int32_t))
445 memcpy(&ct
, r
, size_public_tok
);
446 r
+= size_public_tok
;
447 /* there is a int32_t with length of cellname, but we don't read it */
448 r
+= sizeof(int32_t);
451 gettimeofday (&tv
, NULL
);
452 strlcpy (buf1
, printable_time(ct
.BeginTimestamp
),
454 if (do_verbose
|| tv
.tv_sec
< ct
.EndTimestamp
)
455 strlcpy (buf2
, printable_time(ct
.EndTimestamp
),
458 strlcpy (buf2
, N_(">>> Expired <<<", ""), sizeof(buf2
));
460 printf("%s %s ", buf1
, buf2
);
462 if ((ct
.EndTimestamp
- ct
.BeginTimestamp
) & 1)
463 printf(N_("User's (AFS ID %d) tokens for %s", ""), ct
.ViceId
, cell
);
465 printf(N_("Tokens for %s", ""), cell
);
467 printf(" (%d)", ct
.AuthHandle
);
474 * display the ccache in `cred_cache'
478 display_v5_ccache (krb5_context context
, krb5_ccache ccache
,
479 int do_test
, int do_verbose
,
480 int do_flags
, int do_hidden
,
484 krb5_principal principal
;
488 ret
= krb5_cc_get_principal (context
, ccache
, &principal
);
496 krb5_warnx(context
, N_("No ticket file: %s", ""),
497 krb5_cc_get_name(context
, ccache
));
500 krb5_err (context
, 1, ret
, "krb5_cc_get_principal");
503 exit_status
= check_expiration(context
, ccache
, NULL
);
505 print_tickets (context
, ccache
, principal
, do_verbose
,
506 do_flags
, do_hidden
, do_json
);
508 ret
= krb5_cc_close (context
, ccache
);
510 krb5_err (context
, 1, ret
, "krb5_cc_close");
512 krb5_free_principal (context
, principal
);
522 list_caches(krb5_context context
, struct klist_options
*opt
)
524 krb5_cccol_cursor cursor
;
525 const char *cdef_name
= krb5_cc_default_name(context
);
531 if ((def_name
= krb5_cccol_get_default_ccname(context
)) == NULL
)
532 cdef_name
= krb5_cc_default_name(context
);
533 if (!def_name
&& cdef_name
&& (def_name
= strdup(cdef_name
)) == NULL
)
534 krb5_err(context
, 1, ENOMEM
, "Out of memory");
536 ret
= krb5_cccol_cursor_new(context
, &cursor
);
537 if (ret
== KRB5_CC_NOSUPP
) {
542 krb5_err (context
, 1, ret
, "krb5_cc_cache_get_first");
545 rtbl_add_column(ct
, COL_DEFCACHE
, 0);
546 rtbl_add_column(ct
, COL_NAME
, 0);
547 rtbl_add_column(ct
, COL_CACHENAME
, 0);
548 rtbl_add_column(ct
, COL_EXPIRES
, 0);
549 rtbl_add_column(ct
, COL_DEFCACHE
, 0);
550 rtbl_set_prefix(ct
, " ");
551 rtbl_set_column_prefix(ct
, COL_DEFCACHE
, "");
552 rtbl_set_column_prefix(ct
, COL_NAME
, " ");
554 rtbl_set_flags(ct
, RTBL_JSON
);
556 while (krb5_cccol_cursor_next(context
, cursor
, &id
) == 0 && id
!= NULL
) {
561 expired
= check_expiration(context
, id
, &t
);
563 ret
= krb5_cc_get_friendly_name(context
, id
, &name
);
568 rtbl_add_column_entry(ct
, COL_NAME
, name
);
572 str
= N_(">>> Expired <<<", "");
574 str
= printable_time(t
);
575 rtbl_add_column_entry(ct
, COL_EXPIRES
, str
);
577 ret
= krb5_cc_get_full_name(context
, id
, &fname
);
579 krb5_err (context
, 1, ret
, "krb5_cc_get_full_name");
581 rtbl_add_column_entry(ct
, COL_CACHENAME
, fname
);
584 else if (def_name
&& strcmp(fname
, def_name
) == 0)
585 rtbl_add_column_entry(ct
, COL_DEFCACHE
, "*");
587 rtbl_add_column_entry(ct
, COL_DEFCACHE
, "");
591 krb5_cc_close(context
, id
);
594 krb5_cccol_cursor_free(context
, &cursor
);
597 rtbl_format(ct
, stdout
);
611 klist(struct klist_options
*opt
, int argc
, char **argv
)
624 if(opt
->version_flag
) {
629 if (opt
->list_all_flag
) {
630 exit_status
= list_caches(heimtools_context
, opt
);
637 if (opt
->all_content_flag
) {
638 krb5_cc_cache_cursor cursor
;
641 ret
= krb5_cc_cache_get_first(heimtools_context
, NULL
, &cursor
);
643 krb5_err(heimtools_context
, 1, ret
, "krb5_cc_cache_get_first");
647 while (krb5_cc_cache_next(heimtools_context
, cursor
, &id
) == 0) {
648 if (opt
->json_flag
&& !first
)
651 exit_status
|= display_v5_ccache(heimtools_context
, id
, do_test
,
652 do_verbose
, opt
->flags_flag
,
660 krb5_cc_cache_end_seq_get(heimtools_context
, cursor
);
664 if(opt
->cache_string
) {
665 ret
= krb5_cc_resolve(heimtools_context
, opt
->cache_string
, &id
);
667 krb5_err(heimtools_context
, 1, ret
, "%s", opt
->cache_string
);
669 ret
= krb5_cc_default(heimtools_context
, &id
);
671 krb5_err(heimtools_context
, 1, ret
, "krb5_cc_resolve");
673 exit_status
= display_v5_ccache(heimtools_context
, id
, do_test
,
674 do_verbose
, opt
->flags_flag
,
675 opt
->hidden_flag
, opt
->json_flag
);
681 if (opt
->tokens_flag
&& k_hasafs()) {
684 display_tokens(opt
->verbose_flag
);