2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadmin_locl.h"
35 #include "kadmin-commands.h"
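/*
 * Append one TL-data element of the given type to princ's tl_data list.
 *
 * Ownership: the new element aliases data->data (no copy is made), so the
 * buffer must stay valid until the principal entry is released and must
 * not be freed by the caller.  Every caller in this file passes a buffer
 * freshly produced by ASN1_MALLOC_ENCODE for exactly this reason.
 *
 * Exits on allocation failure (ecalloc) and, via krb5_errx, when
 * data->length does not survive the store into tl_data_length.
 * NOTE(review): tl_data_length is believed to be narrower than size_t
 * (a 16-bit field in kadm5's krb5_tl_data -- confirm against admin.h);
 * without the round-trip check a large encoded extension would be stored
 * with a silently truncated, possibly negative, length.
 */
static void
add_tl(kadm5_principal_ent_rec *princ, int type, krb5_data *data)
{
    krb5_tl_data *tl, **ptl;

    tl = ecalloc(1, sizeof(*tl));   /* zero-filled: tl_data_next is NULL */
    tl->tl_data_type = type;
    tl->tl_data_length = data->length;
    /*
     * Round-trip check: detects truncation regardless of the exact width
     * or signedness of tl_data_length.
     */
    if ((size_t)tl->tl_data_length != data->length)
        krb5_errx(context, 1,
                  "tl-data of %lu bytes does not fit in tl_data_length",
                  (unsigned long)data->length);
    tl->tl_data_contents = data->data;

    /* Walk to the tail and append, preserving the existing element order. */
    ptl = &princ->tl_data;
    while (*ptl != NULL)
        ptl = &(*ptl)->tl_data_next;
    *ptl = tl;
}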
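/*
 * Set (or clear) the constrained-delegation target list
 * (allowed_to_delegate_to) of princ from the command-line strings and
 * attach it as an HDB_extension TL-data element.
 *
 * A single empty string -- or no strings at all -- clears the list.
 * Otherwise every string must parse as a principal name.  Parse, copy,
 * allocation and encoding failures are fatal (the command exits) rather
 * than leaving a half-built list: a wrong delegation target is a
 * security-relevant misconfiguration, so fail loudly.
 *
 * The encoded buffer is handed to add_tl, which keeps a reference to it;
 * it is not freed here.
 */
static void
add_constrained_delegation(krb5_context contextp,
                           kadm5_principal_ent_rec *princ,
                           struct getarg_strings *strings)
{
    krb5_error_code ret;
    HDB_extension ext;
    krb5_data buf;
    size_t size = 0;
    int i;

    memset(&ext, 0, sizeof(ext));
    ext.mandatory = FALSE;
    ext.data.element = choice_HDB_extension_data_allowed_to_delegate_to;

    if (strings->num_strings <= 0 ||
        (strings->num_strings == 1 && strings->strings[0][0] == '\0')) {
        /* "" (or nothing) means: clear the list. */
        ext.data.u.allowed_to_delegate_to.val = NULL;
        ext.data.u.allowed_to_delegate_to.len = 0;
    } else {
        krb5_principal p;

        ext.data.u.allowed_to_delegate_to.val =
            calloc(strings->num_strings,
                   sizeof(ext.data.u.allowed_to_delegate_to.val[0]));
        if (ext.data.u.allowed_to_delegate_to.val == NULL)
            krb5_errx(contextp, 1, "out of memory");
        ext.data.u.allowed_to_delegate_to.len = strings->num_strings;

        for (i = 0; i < strings->num_strings; i++) {
            ret = krb5_parse_name(contextp, strings->strings[i], &p);
            if (ret)
                krb5_err(contextp, 1, ret, "constrained delegation: %s",
                         strings->strings[i]);
            ret = copy_Principal(p, &ext.data.u.allowed_to_delegate_to.val[i]);
            krb5_free_principal(contextp, p);
            if (ret)
                krb5_err(contextp, 1, ret, "constrained delegation: copy_Principal");
        }
    }

    ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, &ext, &size, ret);
    free_HDB_extension(&ext);
    if (ret)
        krb5_err(contextp, 1, ret, "encoding allowed_to_delegate_to extension");
    if (buf.length != size)
        krb5_errx(contextp, 1, "internal error: ASN.1 length mismatch");

    add_tl(princ, KRB5_TL_EXTENSION, &buf);
}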
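/*
 * Set (or clear) the alias list of princ from the command-line strings and
 * attach it as an HDB_extension TL-data element.  case_insensitive is left
 * at 0, as before.
 *
 * A single empty string -- or no strings at all -- clears the list.
 * Otherwise every string must parse as a principal name.
 *
 * Fix: the original fed the result of krb5_parse_name straight into
 * copy_Principal without looking at either return value, so a name that
 * failed to parse left `p` unset and copied garbage (or crashed) into the
 * alias list, and calloc's result was never checked.  All four failure
 * modes (parse, copy, allocation, encoding) now terminate the command.
 *
 * The encoded buffer is handed to add_tl, which keeps a reference to it.
 */
static void
add_aliases(krb5_context contextp, kadm5_principal_ent_rec *princ,
            struct getarg_strings *strings)
{
    krb5_error_code ret;
    HDB_extension ext;
    krb5_data buf;
    size_t size = 0;
    int i;

    memset(&ext, 0, sizeof(ext));
    ext.mandatory = FALSE;
    ext.data.element = choice_HDB_extension_data_aliases;
    ext.data.u.aliases.case_insensitive = 0;

    if (strings->num_strings <= 0 ||
        (strings->num_strings == 1 && strings->strings[0][0] == '\0')) {
        /* "" (or nothing) means: clear the list. */
        ext.data.u.aliases.aliases.val = NULL;
        ext.data.u.aliases.aliases.len = 0;
    } else {
        krb5_principal p;

        ext.data.u.aliases.aliases.val =
            calloc(strings->num_strings,
                   sizeof(ext.data.u.aliases.aliases.val[0]));
        if (ext.data.u.aliases.aliases.val == NULL)
            krb5_errx(contextp, 1, "out of memory");
        ext.data.u.aliases.aliases.len = strings->num_strings;

        for (i = 0; i < strings->num_strings; i++) {
            ret = krb5_parse_name(contextp, strings->strings[i], &p);
            if (ret)
                krb5_err(contextp, 1, ret, "alias: %s", strings->strings[i]);
            ret = copy_Principal(p, &ext.data.u.aliases.aliases.val[i]);
            krb5_free_principal(contextp, p);
            if (ret)
                krb5_err(contextp, 1, ret, "alias: copy_Principal");
        }
    }

    ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, &ext, &size, ret);
    free_HDB_extension(&ext);
    if (ret)
        krb5_err(contextp, 1, ret, "encoding aliases extension");
    if (buf.length != size)
        krb5_errx(contextp, 1, "internal error: ASN.1 length mismatch");

    add_tl(princ, KRB5_TL_EXTENSION, &buf);
}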
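/*
 * Set (or clear) the PKINIT ACL of princ from the command-line strings and
 * attach it as an HDB_extension TL-data element.
 *
 * Each string becomes the `subject` of one ACL entry; the other members of
 * the entry stay zero (absent) from calloc -- only the subject can be set
 * from this command.  The strings are stored verbatim; no syntax check is
 * done here (NOTE(review): matching semantics live in the KDC, confirm the
 * expected subject format there before relying on a rejected-input path).
 *
 * Fix: the original wrote ext.data.u.aliases.case_insensitive = 0 even
 * though the element selected is pkinit_acl -- a copy-paste from
 * add_aliases that pokes the wrong member of the union.  memset already
 * zeroes the whole union, so the stray write is simply dropped.  calloc's
 * result is now checked (estrdup already exits on failure).
 *
 * The encoded buffer is handed to add_tl, which keeps a reference to it.
 */
static void
add_pkinit_acl(krb5_context contextp, kadm5_principal_ent_rec *princ,
               struct getarg_strings *strings)
{
    krb5_error_code ret;
    HDB_extension ext;
    krb5_data buf;
    size_t size = 0;
    int i;

    memset(&ext, 0, sizeof(ext));
    ext.mandatory = FALSE;
    ext.data.element = choice_HDB_extension_data_pkinit_acl;

    if (strings->num_strings <= 0 ||
        (strings->num_strings == 1 && strings->strings[0][0] == '\0')) {
        /* "" (or nothing) means: clear the ACL. */
        ext.data.u.pkinit_acl.val = NULL;
        ext.data.u.pkinit_acl.len = 0;
    } else {
        ext.data.u.pkinit_acl.val =
            calloc(strings->num_strings,
                   sizeof(ext.data.u.pkinit_acl.val[0]));
        if (ext.data.u.pkinit_acl.val == NULL)
            krb5_errx(contextp, 1, "out of memory");
        ext.data.u.pkinit_acl.len = strings->num_strings;

        for (i = 0; i < strings->num_strings; i++)
            ext.data.u.pkinit_acl.val[i].subject = estrdup(strings->strings[i]);
    }

    ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, &ext, &size, ret);
    free_HDB_extension(&ext);
    if (ret)
        krb5_err(contextp, 1, ret, "encoding pkinit_acl extension");
    if (buf.length != size)
        krb5_errx(contextp, 1, "internal error: ASN.1 length mismatch");

    add_tl(princ, KRB5_TL_EXTENSION, &buf);
}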
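/*
 * Record on princ how many previous kvnos the KDC keeps for service
 * (is_svc_diff != 0) or client (is_svc_diff == 0) key history, as an
 * HDB_extension TL-data element.
 *
 * kvno_diff is capped at 2048, the bound the original check used, so an
 * operator cannot make the KDB retain an unbounded key history; the cap
 * is reported with krb5_warnx rather than applied silently.
 * NOTE(review): the listing shows the `> 2048` test but not what follows
 * it; clamping is the reconstruction, confirm against upstream.
 *
 * The extension is zeroed before use: the ASN.1 encoder serialises every
 * field, including `mandatory`, and the listing does not show this
 * function initialising it (the other add_* helpers do).
 *
 * The encoded buffer is handed to add_tl, which keeps a reference to it.
 */
static void
add_kvno_diff(krb5_context contextp, kadm5_principal_ent_rec *princ,
              int is_svc_diff, krb5_kvno kvno_diff)
{
    krb5_error_code ret;
    HDB_extension ext;
    krb5_data buf;
    size_t size = 0;

    if (kvno_diff > 2048) {
        krb5_warnx(contextp, "kvno diff %u too large, capping at 2048",
                   (unsigned int)kvno_diff);
        kvno_diff = 2048;
    }

    memset(&ext, 0, sizeof(ext));
    ext.mandatory = FALSE;

    if (is_svc_diff) {
        ext.data.element = choice_HDB_extension_data_hist_kvno_diff_svc;
        ext.data.u.hist_kvno_diff_svc = (unsigned int)kvno_diff;
    } else {
        ext.data.element = choice_HDB_extension_data_hist_kvno_diff_clnt;
        ext.data.u.hist_kvno_diff_clnt = (unsigned int)kvno_diff;
    }

    ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, &ext, &size, ret);
    free_HDB_extension(&ext);   /* no heap members for this choice; kept for uniformity */
    if (ret)
        krb5_err(contextp, 1, ret, "encoding hist_kvno_diff extension");
    if (buf.length != size)
        krb5_errx(contextp, 1, "internal error: ASN.1 length mismatch");

    add_tl(princ, KRB5_TL_EXTENSION, &buf);
}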
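/*
 * foreach_principal callback: apply the options in `data` (a struct
 * modify_options) to one principal.
 *
 * Fetches the entry, then either applies the command-line options
 * non-interactively or, when none were given, opens the interactive
 * editor (edit_entry).  Every TL-data extension added below also sets
 * KADM5_TL_DATA in the mask so kadm5_modify_principal writes it back.
 *
 * Fix: the service-side history option handed add_kvno_diff the *client*
 * value (hist_kvno_diff_clnt_integer).  Given only the service option,
 * that passed -1 (the "unset" sentinel) through the unsigned parameter;
 * given both, the client value was silently written for the service.
 *
 * Returns the kadm5_get_principal error if the entry cannot be read.
 * Otherwise a modify failure is reported with krb5_warn and 0 is returned
 * so the caller continues with the next principal (as the visible
 * krb5_warn in the original indicates; set_entry/edit_entry are assumed
 * to report their own failures -- NOTE(review): confirm).
 */
static int
do_mod_entry(krb5_principal principal, void *data)
{
    krb5_error_code ret;
    kadm5_principal_ent_rec princ;
    int mask = 0;
    struct modify_options *e = data;

    memset(&princ, 0, sizeof(princ));
    ret = kadm5_get_principal(kadm_handle, principal, &princ,
                              KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
                              KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
                              KADM5_PRINC_EXPIRE_TIME |
                              KADM5_PW_EXPIRATION);
    if (ret)
        return ret;

    /*
     * NOTE(review): policy_string is reconstructed from the option list's
     * line layout (one option between attributes and kvno); confirm it
     * matches struct modify_options and set_entry's last parameter.
     */
    if (e->max_ticket_life_string ||
        e->max_renewable_life_string ||
        e->expiration_time_string ||
        e->pw_expiration_time_string ||
        e->attributes_string ||
        e->policy_string ||
        e->kvno_integer != -1 ||
        e->constrained_delegation_strings.num_strings ||
        e->alias_strings.num_strings ||
        e->pkinit_acl_strings.num_strings ||
        e->hist_kvno_diff_clnt_integer != -1 ||
        e->hist_kvno_diff_svc_integer != -1) {
        ret = set_entry(context, &princ, &mask,
                        e->max_ticket_life_string,
                        e->max_renewable_life_string,
                        e->expiration_time_string,
                        e->pw_expiration_time_string,
                        e->attributes_string,
                        e->policy_string);
        if (e->kvno_integer != -1) {
            princ.kvno = e->kvno_integer;
            mask |= KADM5_KVNO;
        }
        if (e->constrained_delegation_strings.num_strings) {
            add_constrained_delegation(context, &princ,
                                       &e->constrained_delegation_strings);
            mask |= KADM5_TL_DATA;
        }
        if (e->alias_strings.num_strings) {
            add_aliases(context, &princ, &e->alias_strings);
            mask |= KADM5_TL_DATA;
        }
        if (e->pkinit_acl_strings.num_strings) {
            add_pkinit_acl(context, &princ, &e->pkinit_acl_strings);
            mask |= KADM5_TL_DATA;
        }
        if (e->hist_kvno_diff_clnt_integer != -1) {
            add_kvno_diff(context, &princ, 0, e->hist_kvno_diff_clnt_integer);
            mask |= KADM5_TL_DATA;
        }
        if (e->hist_kvno_diff_svc_integer != -1) {
            /* svc option must carry the svc value, not the clnt one. */
            add_kvno_diff(context, &princ, 1, e->hist_kvno_diff_svc_integer);
            mask |= KADM5_TL_DATA;
        }
    } else {
        ret = edit_entry(&princ, &mask, NULL, 0);
    }

    if (ret == 0) {
        ret = kadm5_modify_principal(kadm_handle, &princ, mask);
        if (ret)
            krb5_warn(context, ret, "kadm5_modify_principal");
    }

    /* Releases the entry including the TL-data elements appended above. */
    kadm5_free_principal_ent(kadm_handle, &princ);
    return 0;
}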
293 mod_entry(struct modify_options
*opt
, int argc
, char **argv
)
295 krb5_error_code ret
= 0;
298 for(i
= 0; i
< argc
; i
++) {
299 ret
= foreach_principal(argv
[i
], do_mod_entry
, "mod", opt
);