
From: ghudson@mit.edu
Subject: git commit

Add KDC policy pluggable interface

Add the header include/krb5/kdcpolicy_plugin.h, defining a pluggable
interface for modules to deny AS and TGS requests and set maximum
ticket lifetimes. This interface replaces the policy.c stub functions.

Add check_kdcpolicy_as() and check_kdcpolicy_tgs() as entry functions.
Call them after auth indicators and ticket lifetimes have been
determined.

Add a test module and a test script with basic kdcpolicy tests. Add
plugin interface documentation in doc/plugindev/policy.rst.

Also authored by Matt Rogers <mrogers@redhat.com>.

https://github.com/krb5/krb5/commit/d0969f6a8170344031ef58fd2a161190f1edfb96
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: d0969f6a8170344031ef58fd2a161190f1edfb96
Branch: master
doc/plugindev/index.rst | 1 +
doc/plugindev/kdcpolicy.rst | 24 ++
src/Makefile.in | 1 +
src/configure.in | 1 +
src/include/Makefile.in | 1 +
src/include/k5-int.h | 3 +-
src/include/k5-trace.h | 5 +
src/include/krb5/kdcpolicy_plugin.h | 128 +++++++++++
src/kdc/do_as_req.c | 7 +
src/kdc/do_tgs_req.c | 6 +
src/kdc/kdc_util.c | 7 -
src/kdc/kdc_util.h | 11 -
src/kdc/main.c | 8 +
src/kdc/policy.c | 267 ++++++++++++++++++++----
src/kdc/policy.h | 19 ++-
src/kdc/tgs_policy.c | 6 -
src/lib/krb5/krb/plugin.c | 3 +-
src/plugins/kdcpolicy/test/Makefile.in | 20 ++
src/plugins/kdcpolicy/test/main.c | 111 ++++++++++
src/plugins/kdcpolicy/test/policy_test.exports | 1 +
src/tests/Makefile.in | 1 +
src/tests/t_kdcpolicy.py | 57 +++++
22 files changed, 614 insertions(+), 74 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Fix bugs in kdcpolicy commit

Commit d0969f6a8170344031ef58fd2a161190f1edfb96 added tests using
"klist ccachename -e", which does not work with a POSIX-conformant
getopt() implementation such as the one in Solaris. Fix
t_kdcpolicy.py to use "klist -e ccachename" instead.

The tests could fail if the clock second rolled over between kinit and
kvno. Divide service ticket maximum lifetimes by 2 in the test module
to correctly exercise TGS policy restrictions and ensure that service
tickets are not constrained by the TGT end time.

Also use the correct trace macro when a kdcpolicy module declines to
initialize (my mistake when revising the commit, noted by rharwood).

https://github.com/krb5/krb5/commit/09acbd91efc6df54e1572285ffc94c6acb3a9113
Author: Greg Hudson <ghudson@mit.edu>
Commit: 09acbd91efc6df54e1572285ffc94c6acb3a9113
Branch: master
src/kdc/policy.c | 2 +-
src/plugins/kdcpolicy/test/main.c | 10 +++++-----
src/tests/t_kdcpolicy.py | 13 +++++++++----
3 files changed, 15 insertions(+), 10 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Fix kdcpolicy build issues

Fix mydir in plugins/kdcpolicy/test/Makefile.in so that the Makefile
can be rebuilt correctly. Also change the name of the shared object
from "policy_test.so" to "kdcpolicy_test.so" for consistency.

https://github.com/krb5/krb5/commit/33d52a367f7ddaa843eec3a79f36adfbca6033a2
Author: Greg Hudson <ghudson@mit.edu>
Commit: 33d52a367f7ddaa843eec3a79f36adfbca6033a2
Branch: master
src/plugins/kdcpolicy/test/Makefile.in | 4 ++--
...{policy_test.exports => kdcpolicy_test.exports} | 0
src/tests/t_kdcpolicy.py | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)