2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kuser_locl.h"
37 #include "parse_units.h"
38 #include "heimtools-commands.h"
41 printable_time_internal(time_t t
, int x
)
46 if ((p
= ctime(&t
)) == NULL
)
47 strlcpy(s
, "?", sizeof(s
));
49 strlcpy(s
, p
+ 4, sizeof(s
));
55 printable_time(time_t t
)
57 return printable_time_internal(t
, 20);
61 printable_time_long(time_t t
)
63 return printable_time_internal(t
, 20);
66 #define COL_ISSUED NP_(" Issued","")
67 #define COL_EXPIRES NP_(" Expires", "")
68 #define COL_FLAGS NP_("Flags", "")
69 #define COL_NAME NP_(" Name", "")
70 #define COL_PRINCIPAL NP_(" Principal", "in klist output")
71 #define COL_PRINCIPAL_KVNO NP_(" Principal (kvno)", "in klist output")
72 #define COL_CACHENAME NP_(" Cache name", "name in klist output")
73 #define COL_DEFCACHE NP_("", "")
76 print_cred(krb5_context context
, krb5_creds
*cred
, rtbl_t ct
, int do_flags
)
82 krb5_timeofday (context
, &sec
);
85 if(cred
->times
.starttime
)
86 rtbl_add_column_entry(ct
, COL_ISSUED
,
87 printable_time(cred
->times
.starttime
));
89 rtbl_add_column_entry(ct
, COL_ISSUED
,
90 printable_time(cred
->times
.authtime
));
92 if(cred
->times
.endtime
> sec
)
93 rtbl_add_column_entry(ct
, COL_EXPIRES
,
94 printable_time(cred
->times
.endtime
));
96 rtbl_add_column_entry(ct
, COL_EXPIRES
, N_(">>>Expired<<<", ""));
97 ret
= krb5_unparse_name (context
, cred
->server
, &str
);
99 krb5_err(context
, 1, ret
, "krb5_unparse_name");
100 rtbl_add_column_entry(ct
, COL_PRINCIPAL
, str
);
103 if(cred
->flags
.b
.forwardable
)
105 if(cred
->flags
.b
.forwarded
)
107 if(cred
->flags
.b
.proxiable
)
109 if(cred
->flags
.b
.proxy
)
111 if(cred
->flags
.b
.may_postdate
)
113 if(cred
->flags
.b
.postdated
)
115 if(cred
->flags
.b
.renewable
)
117 if(cred
->flags
.b
.initial
)
119 if(cred
->flags
.b
.invalid
)
121 if(cred
->flags
.b
.pre_authent
)
123 if(cred
->flags
.b
.hw_authent
)
126 rtbl_add_column_entry(ct
, COL_FLAGS
, s
);
132 print_cred_verbose(krb5_context context
, krb5_creds
*cred
, int do_json
)
139 if (do_json
) { /* XXX support more json formating later */
140 printf("{ \"verbose-supported\" : false }");
144 krb5_timeofday (context
, &sec
);
146 ret
= krb5_unparse_name(context
, cred
->server
, &str
);
149 printf(N_("Server: %s\n", ""), str
);
152 ret
= krb5_unparse_name(context
, cred
->client
, &str
);
155 printf(N_("Client: %s\n", ""), str
);
158 if (!krb5_is_config_principal(context
, cred
->client
)) {
163 decode_Ticket(cred
->ticket
.data
, cred
->ticket
.length
, &t
, &len
);
164 ret
= krb5_enctype_to_string(context
, t
.enc_part
.etype
, &s
);
165 printf(N_("Ticket etype: ", ""));
170 printf(N_("unknown-enctype(%d)", ""), t
.enc_part
.etype
);
173 printf(N_(", kvno %d", ""), *t
.enc_part
.kvno
);
175 if(cred
->session
.keytype
!= t
.enc_part
.etype
) {
176 ret
= krb5_enctype_to_string(context
, cred
->session
.keytype
, &str
);
178 krb5_warn(context
, ret
, "session keytype");
180 printf(N_("Session key: %s\n", "enctype"), str
);
185 printf(N_("Ticket length: %lu\n", ""),
186 (unsigned long)cred
->ticket
.length
);
188 printf(N_("Auth time: %s\n", ""),
189 printable_time_long(cred
->times
.authtime
));
190 if(cred
->times
.authtime
!= cred
->times
.starttime
)
191 printf(N_("Start time: %s\n", ""),
192 printable_time_long(cred
->times
.starttime
));
193 printf(N_("End time: %s", ""),
194 printable_time_long(cred
->times
.endtime
));
195 if(sec
> cred
->times
.endtime
)
196 printf(N_(" (expired)", ""));
198 if(cred
->flags
.b
.renewable
)
199 printf(N_("Renew till: %s\n", ""),
200 printable_time_long(cred
->times
.renew_till
));
203 unparse_flags(TicketFlags2int(cred
->flags
.b
),
204 asn1_TicketFlags_units(),
205 flags
, sizeof(flags
));
206 printf(N_("Ticket flags: %s\n", ""), flags
);
208 printf(N_("Addresses: ", ""));
209 if (cred
->addresses
.len
!= 0) {
210 for(j
= 0; j
< cred
->addresses
.len
; j
++){
214 ret
= krb5_print_address(&cred
->addresses
.val
[j
],
215 buf
, sizeof(buf
), &len
);
221 printf(N_("addressless", ""));
227 * Print all tickets in `ccache' on stdout, verbosily iff do_verbose.
231 print_tickets (krb5_context context
,
233 krb5_principal principal
,
239 char *str
, *name
, *fullname
;
241 krb5_cc_cursor cursor
;
247 ret
= krb5_unparse_name (context
, principal
, &str
);
249 krb5_err (context
, 1, ret
, "krb5_unparse_name");
251 ret
= krb5_cc_get_full_name(context
, ccache
, &fullname
);
253 krb5_err (context
, 1, ret
, "krb5_cc_get_full_name");
256 printf ("%17s: %s\n", N_("Credentials cache", ""), fullname
);
257 printf ("%17s: %s\n", N_("Principal", ""), str
);
259 ret
= krb5_cc_get_friendly_name(context
, ccache
, &name
);
261 if (strcmp(name
, str
) != 0)
262 printf ("%17s: %s\n", N_("Friendly name", ""), name
);
268 printf ("%17s: %d\n", N_("Cache version", ""),
269 krb5_cc_get_version(context
, ccache
));
271 krb5_cc_set_flags(context
, ccache
, KRB5_TC_NOTICKET
);
274 ret
= krb5_cc_get_kdc_offset(context
, ccache
, &sec
);
276 if (ret
== 0 && do_verbose
&& sec
!= 0) {
288 unparse_time (val
, buf
, sizeof(buf
));
290 printf ("%17s: %s%s\n", N_("KDC time offset", ""),
291 sig
== -1 ? "-" : "", buf
);
295 printf ("{ \"cache\" : \"%s\", \"principal\" : \"%s\", ", fullname
, str
);
298 ret
= krb5_cc_start_seq_get (context
, ccache
, &cursor
);
300 krb5_err(context
, 1, ret
, "krb5_cc_start_seq_get");
304 rtbl_add_column(ct
, COL_ISSUED
, 0);
305 rtbl_add_column(ct
, COL_EXPIRES
, 0);
307 rtbl_add_column(ct
, COL_FLAGS
, 0);
308 rtbl_add_column(ct
, COL_PRINCIPAL
, 0);
309 rtbl_set_separator(ct
, " ");
311 rtbl_set_flags(ct
, RTBL_JSON
);
312 printf("\"tickets\" : ");
315 if (do_verbose
&& do_json
)
316 printf("\"tickets\" : [");
317 while ((ret
= krb5_cc_next_cred (context
,
321 if (!do_hidden
&& krb5_is_config_principal(context
, creds
.server
)) {
323 }else if(do_verbose
){
324 print_cred_verbose(context
, &creds
, do_json
);
326 print_cred(context
, &creds
, ct
, do_flags
);
328 krb5_free_cred_contents (context
, &creds
);
330 if(ret
!= KRB5_CC_END
)
331 krb5_err(context
, 1, ret
, "krb5_cc_get_next");
332 ret
= krb5_cc_end_seq_get (context
, ccache
, &cursor
);
334 krb5_err (context
, 1, ret
, "krb5_cc_end_seq_get");
336 rtbl_format(ct
, stdout
);
347 * Check if there's a tgt for the realm of `principal' and ccache and
348 * if so return 0, else 1
352 check_expiration(krb5_context context
,
359 ret
= krb5_cc_get_lifetime(context
, ccache
, &t
);
364 *expiration
= time(NULL
) + t
;
370 * Print a list of all AFS tokens
376 display_tokens(int do_verbose
)
379 unsigned char t
[4096];
380 struct ViceIoctl parms
;
382 parms
.in
= (void *)&i
;
383 parms
.in_size
= sizeof(i
);
384 parms
.out
= (void *)t
;
385 parms
.out_size
= sizeof(t
);
388 int32_t size_secret_tok
, size_public_tok
;
390 struct ClearToken ct
;
391 unsigned char *r
= t
;
393 char buf1
[20], buf2
[20];
395 if(k_pioctl(NULL
, VIOCGETTOK
, &parms
, 0) < 0) {
400 if(parms
.out_size
> sizeof(t
))
402 if(parms
.out_size
< sizeof(size_secret_tok
))
404 t
[min(parms
.out_size
,sizeof(t
)-1)] = 0;
405 memcpy(&size_secret_tok
, r
, sizeof(size_secret_tok
));
406 /* dont bother about the secret token */
407 r
+= size_secret_tok
+ sizeof(size_secret_tok
);
408 if (parms
.out_size
< (r
- t
) + sizeof(size_public_tok
))
410 memcpy(&size_public_tok
, r
, sizeof(size_public_tok
));
411 r
+= sizeof(size_public_tok
);
412 if (parms
.out_size
< (r
- t
) + size_public_tok
+ sizeof(int32_t))
414 memcpy(&ct
, r
, size_public_tok
);
415 r
+= size_public_tok
;
416 /* there is a int32_t with length of cellname, but we dont read it */
417 r
+= sizeof(int32_t);
420 gettimeofday (&tv
, NULL
);
421 strlcpy (buf1
, printable_time(ct
.BeginTimestamp
),
423 if (do_verbose
|| tv
.tv_sec
< ct
.EndTimestamp
)
424 strlcpy (buf2
, printable_time(ct
.EndTimestamp
),
427 strlcpy (buf2
, N_(">>> Expired <<<", ""), sizeof(buf2
));
429 printf("%s %s ", buf1
, buf2
);
431 if ((ct
.EndTimestamp
- ct
.BeginTimestamp
) & 1)
432 printf(N_("User's (AFS ID %d) tokens for %s", ""), ct
.ViceId
, cell
);
434 printf(N_("Tokens for %s", ""), cell
);
436 printf(" (%d)", ct
.AuthHandle
);
443 * display the ccache in `cred_cache'
447 display_v5_ccache (krb5_context context
, krb5_ccache ccache
,
448 int do_test
, int do_verbose
,
449 int do_flags
, int do_hidden
,
453 krb5_principal principal
;
457 ret
= krb5_cc_get_principal (context
, ccache
, &principal
);
465 krb5_warnx(context
, N_("No ticket file: %s", ""),
466 krb5_cc_get_name(context
, ccache
));
469 krb5_err (context
, 1, ret
, "krb5_cc_get_principal");
472 exit_status
= check_expiration(context
, ccache
, NULL
);
474 print_tickets (context
, ccache
, principal
, do_verbose
,
475 do_flags
, do_hidden
, do_json
);
477 ret
= krb5_cc_close (context
, ccache
);
479 krb5_err (context
, 1, ret
, "krb5_cc_close");
481 krb5_free_principal (context
, principal
);
491 list_caches(krb5_context context
, struct klist_options
*opt
)
493 krb5_cccol_cursor cursor
;
494 const char *cdef_name
;
500 cdef_name
= krb5_cc_default_name(context
);
501 if (cdef_name
== NULL
)
502 krb5_errx(context
, 1, "krb5_cc_default_name");
503 def_name
= strdup(cdef_name
);
505 ret
= krb5_cccol_cursor_new(context
, &cursor
);
506 if (ret
== KRB5_CC_NOSUPP
)
509 krb5_err (context
, 1, ret
, "krb5_cc_cache_get_first");
512 rtbl_add_column(ct
, COL_DEFCACHE
, 0);
513 rtbl_add_column(ct
, COL_NAME
, 0);
514 rtbl_add_column(ct
, COL_CACHENAME
, 0);
515 rtbl_add_column(ct
, COL_EXPIRES
, 0);
516 rtbl_add_column(ct
, COL_DEFCACHE
, 0);
517 rtbl_set_prefix(ct
, " ");
518 rtbl_set_column_prefix(ct
, COL_DEFCACHE
, "");
519 rtbl_set_column_prefix(ct
, COL_NAME
, " ");
521 rtbl_set_flags(ct
, RTBL_JSON
);
523 while (krb5_cccol_cursor_next(context
, cursor
, &id
) == 0) {
528 expired
= check_expiration(context
, id
, &t
);
530 ret
= krb5_cc_get_friendly_name(context
, id
, &name
);
535 rtbl_add_column_entry(ct
, COL_NAME
, name
);
539 str
= N_(">>> Expired <<<", "");
541 str
= printable_time(t
);
542 rtbl_add_column_entry(ct
, COL_EXPIRES
, str
);
544 ret
= krb5_cc_get_full_name(context
, id
, &fname
);
546 krb5_err (context
, 1, ret
, "krb5_cc_get_full_name");
548 rtbl_add_column_entry(ct
, COL_CACHENAME
, fname
);
551 else if (strcmp(fname
, def_name
) == 0)
552 rtbl_add_column_entry(ct
, COL_DEFCACHE
, "*");
554 rtbl_add_column_entry(ct
, COL_DEFCACHE
, "");
558 krb5_cc_close(context
, id
);
561 krb5_cccol_cursor_free(context
, &cursor
);
564 rtbl_format(ct
, stdout
);
578 klist(struct klist_options
*opt
, int argc
, char **argv
)
591 if(opt
->version_flag
) {
596 if (opt
->list_all_flag
) {
597 exit_status
= list_caches(heimtools_context
, opt
);
604 if (opt
->all_content_flag
) {
605 krb5_cc_cache_cursor cursor
;
608 ret
= krb5_cc_cache_get_first(heimtools_context
, NULL
, &cursor
);
610 krb5_err(heimtools_context
, 1, ret
, "krb5_cc_cache_get_first");
614 while (krb5_cc_cache_next(heimtools_context
, cursor
, &id
) == 0) {
615 if (opt
->json_flag
&& !first
)
618 exit_status
|= display_v5_ccache(heimtools_context
, id
, do_test
,
619 do_verbose
, opt
->flags_flag
,
620 opt
->hidden_flag
, opt
->json_flag
);
626 krb5_cc_cache_end_seq_get(heimtools_context
, cursor
);
630 if(opt
->cache_string
) {
631 ret
= krb5_cc_resolve(heimtools_context
, opt
->cache_string
, &id
);
633 krb5_err(heimtools_context
, 1, ret
, "%s", opt
->cache_string
);
635 ret
= krb5_cc_default(heimtools_context
, &id
);
637 krb5_err(heimtools_context
, 1, ret
, "krb5_cc_resolve");
639 exit_status
= display_v5_ccache(heimtools_context
, id
, do_test
,
640 do_verbose
, opt
->flags_flag
,
641 opt
->hidden_flag
, opt
->json_flag
);
647 if (opt
->tokens_flag
&& k_hasafs()) {
650 display_tokens(opt
->verbose_flag
);