From ce1d58d003f7dc0f7d66c218a90c075fab733702 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Fri, 20 Feb 2015 22:05:32 +0100
Subject: [PATCH] service: Refactor to support per domain supported cred types
This is so specific domains can be configured to support things like automatic authentication.
https://bugs.freedesktop.org/show_bug.cgi?id=89205
---
 service/realm-example.c | 38 ++++++++++++++--------
 service/realm-kerberos-membership.h | 4 +--
 service/realm-kerberos.c | 23 +++++++------
 service/realm-samba.c | 50 ++++++++++++++++-------------
 service/realm-sssd-ad.c | 64 ++++++++++++++++++++++---------------
 service/realm-sssd-ipa.c | 48 +++++++++++++++++-----------
 6 files changed, 137 insertions(+), 90 deletions(-)
diff --git a/service/realm-example.c b/service/realm-example.c
index 37a7dd5..2a8d4aa 100644
--- a/service/realm-example.c
+++ b/service/realm-example.c
@@ -186,6 +186,17 @@ realm_example_join_async (RealmKerberosMembership *membership,
 g_object_unref (task);
 }
+static const RealmCredential *
+realm_example_join_creds (RealmKerberosMembership *membership)
+{
+ static const RealmCredential creds[] = {
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN },
+ { 0, }
+ };
+
+ return creds;
+}
+
 static void
 on_leave_sleep_done (GObject *source,
 GAsyncResult *res,
@@ -319,6 +330,18 @@ realm_example_leave_async (RealmKerberosMembership *membership,
 }
 }
+static const RealmCredential *
+realm_example_leave_creds (RealmKerberosMembership *membership)
+{
+ static const RealmCredential creds[] = {
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN },
+ { REALM_CREDENTIAL_AUTOMATIC, REALM_CREDENTIAL_OWNER_NONE },
+ { 0, }
+ };
+
+ return creds;
+}
+
 static void
 realm_example_logins_async (RealmKerberos *realm,
 GDBusMethodInvocation *invocation,
@@ -496,24 +519,13 @@ realm_example_class_init (RealmExampleClass *klass)
 static void
 realm_example_kerberos_membership_iface (RealmKerberosMembershipIface *iface)
 {
- static const RealmCredential join_creds[] = {
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN },
- { 0, }
- };
-
- static const RealmCredential leave_creds[] = {
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN },
- { REALM_CREDENTIAL_AUTOMATIC, REALM_CREDENTIAL_OWNER_NONE },
- { 0, }
- };
-
 iface->join_async = realm_example_join_async;
 iface->join_finish = realm_example_membership_generic_finish;
- iface->join_creds_supported = join_creds;
+ iface->join_creds = realm_example_join_creds;
 iface->leave_async = realm_example_leave_async;
 iface->leave_finish = realm_example_membership_generic_finish;
- iface->leave_creds_supported = leave_creds;
+ iface->leave_creds = realm_example_leave_creds;
 }
 RealmKerberos *
diff --git a/service/realm-kerberos-membership.h b/service/realm-kerberos-membership.h
index 9b1e395..50eea53 100644
--- a/service/realm-kerberos-membership.h
+++ b/service/realm-kerberos-membership.h
@@ -48,7 +48,7 @@ struct _RealmKerberosMembershipIface {
 GAsyncResult *result,
 GError **error);
- const RealmCredential *join_creds_supported;
+ const RealmCredential * (* join_creds) (RealmKerberosMembership *realm);
 void (* leave_async) (RealmKerberosMembership *realm,
 RealmCredential *cred,
@@ -61,7 +61,7 @@ struct _RealmKerberosMembershipIface {
 GAsyncResult *result,
 GError **error);
- const RealmCredential *leave_creds_supported;
+ const RealmCredential * (* leave_creds) (RealmKerberosMembership *realm);
 };
 GType realm_kerberos_membership_get_type (void) G_GNUC_CONST;
diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
index e7f2f20..54d1ed7 100644
--- a/service/realm-kerberos.c
+++ b/service/realm-kerberos.c
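Review bot: The new `join_creds` and `leave_creds` slots in `_RealmKerberosMembershipIface` (this hunk and the one at `@@ -61,7`) carry no statement of their contract, although both callers depend on it: `is_credential_supported` walks the returned array until `supported[i].type != 0`, and `realm_kerberos_constructed` hands the pointer to `realm_credential_build_supported` at construction time and never frees it. Since this table is what decides which credential/owner pairs a D-Bus caller may use to join or leave a domain, an implementation returning an unterminated or short-lived array would make that check read past the end of the table or through a dangling pointer. I would put a comment above each slot along the lines of `/* Returns the accepted credential/owner pairs, terminated by an entry with type 0; the array must stay valid for the lifetime of @realm and is never freed by the caller. */`, and state whether returning NULL is allowed (is_credential_supported tolerates it via `if (supported)`; what realm_credential_build_supported does with NULL is not visible in this patch).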
@@ -241,6 +241,7 @@ on_unenroll_complete (GObject *source,
 static gboolean
 is_credential_supported (RealmKerberosMembershipIface *iface,
+ RealmKerberosMembership *membership,
 RealmCredential *cred,
 gboolean join,
 GError **error)
@@ -250,7 +251,10 @@ is_credential_supported (RealmKerberosMembershipIface *iface,
 gboolean found = FALSE;
 gint i;
- supported = join ? iface->join_creds_supported : iface->leave_creds_supported;
+ g_assert (iface->join_creds != NULL);
+ g_assert (iface->leave_creds != NULL);
+
+ supported = (join ? iface->join_creds (membership) : iface->leave_creds (membership));
 if (supported) {
 for (i = 0; supported[i].type != 0; i++) {
 if (cred->type == supported[i].type) {
@@ -294,6 +298,7 @@ join_or_leave (RealmKerberos *self,
 gboolean join)
 {
 RealmKerberosMembershipIface *iface = REALM_KERBEROS_MEMBERSHIP_GET_IFACE (self);
+ RealmKerberosMembership *membership = REALM_KERBEROS_MEMBERSHIP (self);
 RealmCredential *cred;
 MethodClosure *method;
 GError *error = NULL;
@@ -315,7 +320,7 @@ join_or_leave (RealmKerberos *self,
 return;
 }
- if (!is_credential_supported (iface, cred, join, &error)) {
+ if (!is_credential_supported (iface, membership, cred, join, &error)) {
 g_dbus_method_invocation_return_gerror (invocation, error);
 realm_credential_unref (cred);
 g_error_free (error);
@@ -333,12 +338,10 @@ join_or_leave (RealmKerberos *self,
 if (join) {
 g_return_if_fail (iface->join_finish != NULL);
- (iface->join_async) (REALM_KERBEROS_MEMBERSHIP (self), cred,
- options, invocation, on_enroll_complete, method);
+ (iface->join_async) (membership, cred, options, invocation, on_enroll_complete, method);
 } else {
 g_return_if_fail (iface->leave_finish != NULL);
- (iface->leave_async) (REALM_KERBEROS_MEMBERSHIP (self), cred,
- options, invocation, on_unenroll_complete, method);
+ (iface->leave_async) (membership, cred, options, invocation, on_unenroll_complete, method);
 }
 }
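Review bot: The two `g_assert` calls added to `is_credential_supported` abort the whole service if an implementation leaves a slot NULL, and they compile out under `G_DISABLE_ASSERT`, in which case the NULL slot is called on the following line; `join_or_leave` in this same file guards the analogous `join_finish`/`leave_finish` slots with `g_return_if_fail` rather than an abort. Because this function sits on the path of every Join/Leave D-Bus call, a missing slot is better treated as an empty table, so the request fails with the normal unsupported-credential error instead of taking the daemon down, and only the slot actually being used needs checking. The remainder of `is_credential_supported`, including the path taken when `found` stays FALSE, lies outside this hunk; I am assuming it already sets `error` in that case, as it must for the `supported == NULL` case that the retained `if (supported)` test allows.
```c
	/* A NULL slot is treated like an empty table; the not-found path below reports the error. */
	supported = NULL;
	if (join && iface->join_creds != NULL)
		supported = iface->join_creds (membership);
	else if (!join && iface->leave_creds != NULL)
		supported = iface->leave_creds (membership);
	/* … unchanged: loop over supported[] comparing cred->type … */
```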
@@ -543,6 +546,7 @@ static void
 realm_kerberos_constructed (GObject *obj)
 {
 RealmKerberosMembershipIface *iface;
+ RealmKerberosMembership *membership;
 RealmKerberos *self = REALM_KERBEROS (obj);
 const gchar *supported_interfaces[3];
 GVariant *supported;
@@ -561,11 +565,12 @@ realm_kerberos_constructed (GObject *obj)
 G_DBUS_INTERFACE_SKELETON (self->pv->membership_iface));
 iface = REALM_KERBEROS_MEMBERSHIP_GET_IFACE (self);
- supported = realm_credential_build_supported (iface->join_creds_supported);
+ membership = REALM_KERBEROS_MEMBERSHIP (self);
+
+ supported = realm_credential_build_supported (iface->join_creds (membership));
 realm_dbus_kerberos_membership_set_supported_join_credentials (self->pv->membership_iface, supported);
- iface = REALM_KERBEROS_MEMBERSHIP_GET_IFACE (self);
- supported = realm_credential_build_supported (iface->leave_creds_supported);
+ supported = realm_credential_build_supported (iface->leave_creds (membership));
 realm_dbus_kerberos_membership_set_supported_leave_credentials (self->pv->membership_iface, supported);
 }
diff --git a/service/realm-samba.c b/service/realm-samba.c
index 3a8ce87..9bf7872 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
@@ -293,6 +293,19 @@ realm_samba_join_async (RealmKerberosMembership *membership,
 g_object_unref (task);
 }
+static const RealmCredential *
+realm_samba_join_creds (RealmKerberosMembership *self)
+{
+ static const RealmCredential creds[] = {
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN },
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_USER },
+ { REALM_CREDENTIAL_CCACHE, REALM_CREDENTIAL_OWNER_ADMIN },
+ { 0, },
+ };
+
+ return creds;
+}
+
 typedef struct {
 GDBusMethodInvocation *invocation;
 RealmDisco *disco;
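Review bot: `realm_kerberos_constructed` now calls `iface->join_creds (membership)` and `iface->leave_creds (membership)` without checking that the slots are set, so an implementation that forgets them crashes at object construction, before the `g_assert`s added to `is_credential_supported` are ever reached. A precondition right after `iface = REALM_KERBEROS_MEMBERSHIP_GET_IFACE (self);` keeps the two sites consistent: `g_return_if_fail (iface->join_creds != NULL && iface->leave_creds != NULL);`. The function starts in the previous hunk (`@@ -543,6`) and ends with the `}` closing this one.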
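Review bot: `realm_samba_join_creds` names its parameter `self` while the sibling implementations in this patch (`realm_example_join_creds`, `realm_sssd_ad_join_creds`, `realm_sssd_ipa_join_creds`) use `membership` and the iface declaration uses `realm`; `membership` would match the type and the other files, here and in `realm_samba_leave_creds` in the next hunk. The explanatory comment that `realm_samba_kerberos_membership_iface` carried for this table (`Each line is a combination of owner and what kind of credentials are supported ...`) is deleted in the next hunk rather than moved, whereas realm-sssd-ad.c keeps its equivalent inside the new function; carrying it into `realm_samba_join_creds` preserves the rationale, and since the table accepts `REALM_CREDENTIAL_CCACHE` for `REALM_CREDENTIAL_OWNER_ADMIN`, its "can't accept a ccache" sentence should be reworded to say which case is actually excluded.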
@@ -425,6 +438,19 @@ realm_samba_leave_async (RealmKerberosMembership *membership,
 g_object_unref (task);
 }
+static const RealmCredential *
+realm_samba_leave_creds (RealmKerberosMembership *self)
+{
+ static const RealmCredential creds[] = {
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN },
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_USER },
+ { REALM_CREDENTIAL_AUTOMATIC, REALM_CREDENTIAL_OWNER_NONE },
+ { 0, },
+ };
+
+ return creds;
+}
+
 static gboolean
 realm_samba_change_logins (RealmKerberos *realm,
 GDBusMethodInvocation *invocation,
@@ -674,33 +700,13 @@ realm_samba_class_init (RealmSambaClass *klass)
 static void
 realm_samba_kerberos_membership_iface (RealmKerberosMembershipIface *iface)
 {
- /*
- * Each line is a combination of owner and what kind of credentials are supported,
- * same for enroll/leave. We can't accept a ccache, because samba3 needs
- * to have credentials limited to RC4.
- */
-
- static const RealmCredential join_supported[] = {
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN },
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_USER },
- { REALM_CREDENTIAL_CCACHE, REALM_CREDENTIAL_OWNER_ADMIN },
- { 0, },
- };
-
- static const RealmCredential leave_supported[] = {
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN },
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_USER },
- { REALM_CREDENTIAL_AUTOMATIC, REALM_CREDENTIAL_OWNER_NONE },
- { 0, },
- };
-
 iface->join_async = realm_samba_join_async;
 iface->join_finish = realm_samba_membership_generic_finish;
- iface->join_creds_supported = join_supported;
+ iface->join_creds = realm_samba_join_creds;
 iface->leave_async = realm_samba_leave_async;
 iface->leave_finish = realm_samba_membership_generic_finish;
- iface->leave_creds_supported = leave_supported;
+ iface->leave_creds = realm_samba_leave_creds;
 }
 RealmKerberos *
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index cc488fc..c5e4b35 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -426,6 +426,28 @@ realm_sssd_ad_join_async (RealmKerberosMembership *membership,
 g_object_unref (task);
 }
+static const RealmCredential *
+realm_sssd_ad_join_creds (RealmKerberosMembership *membership)
+{
+ /*
+ * Each line is a combination of owner and what kind of credentials are supported,
+ * same for enroll/leave. We can't accept a ccache with samba because of certain
+ * corner cases. However we do accept ccache for an admin user, and then we use
+ * adcli with that ccache.
+ */
+
+ static const RealmCredential creds[] = {
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN, },
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_USER, },
+ { REALM_CREDENTIAL_CCACHE, REALM_CREDENTIAL_OWNER_ADMIN, },
+ { REALM_CREDENTIAL_AUTOMATIC, REALM_CREDENTIAL_OWNER_NONE, },
+ { REALM_CREDENTIAL_SECRET, REALM_CREDENTIAL_OWNER_NONE, },
+ { 0, },
+ };
+
+ return creds;
+}
+
 typedef struct {
 GDBusMethodInvocation *invocation;
 gchar *realm_name;
@@ -527,6 +549,20 @@ realm_sssd_ad_leave_async (RealmKerberosMembership *membership,
 g_object_unref (task);
 }
+static const RealmCredential *
+realm_sssd_ad_leave_creds (RealmKerberosMembership *membership)
+{
+ /* For leave, we don't support one-time-password (ie: secret/none) */
+ static const RealmCredential creds[] = {
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN, },
+ { REALM_CREDENTIAL_CCACHE, REALM_CREDENTIAL_OWNER_ADMIN, },
+ { REALM_CREDENTIAL_AUTOMATIC, REALM_CREDENTIAL_OWNER_NONE, },
+ { 0, },
+ };
+
+ return creds;
+}
+
 static gboolean
 realm_sssd_ad_generic_finish (RealmKerberosMembership *realm,
 GAsyncResult *result,
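Review bot: The comment moved into `realm_sssd_ad_join_creds` still says `same for enroll/leave`, but the leave table now lives in `realm_sssd_ad_leave_creds` further down and differs from this one (no user password and no secret entry), so the phrase is stale in its new home. I would drop it here, e.g. `Each line is a combination of owner and what kind of credentials are supported for join.`, and let the existing comment on the leave table explain its own differences. The `membership` parameter is unused in both new functions, which is expected for a vtable slot, but a short note that per-domain filtering of this table is meant to hook in here would tie the code to the stated purpose of the commit.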
@@ -594,35 +630,11 @@ realm_sssd_ad_class_init (RealmSssdAdClass *klass)
 static void
 realm_sssd_ad_kerberos_membership_iface (RealmKerberosMembershipIface *iface)
 {
- /*
- * Each line is a combination of owner and what kind of credentials are supported,
- * same for enroll/leave. We can't accept a ccache with samba because of certain
- * corner cases. However we do accept ccache for an admin user, and then we use
- * adcli with that ccache.
- */
-
- static const RealmCredential join_supported[] = {
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN, },
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_USER, },
- { REALM_CREDENTIAL_CCACHE, REALM_CREDENTIAL_OWNER_ADMIN, },
- { REALM_CREDENTIAL_AUTOMATIC, REALM_CREDENTIAL_OWNER_NONE, },
- { REALM_CREDENTIAL_SECRET, REALM_CREDENTIAL_OWNER_NONE, },
- { 0, },
- };
-
- /* For leave, we don't support one-time-password (ie: secret/none) */
- static const RealmCredential leave_supported[] = {
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN, },
- { REALM_CREDENTIAL_CCACHE, REALM_CREDENTIAL_OWNER_ADMIN, },
- { REALM_CREDENTIAL_AUTOMATIC, REALM_CREDENTIAL_OWNER_NONE, },
- { 0, },
- };
-
 iface->join_async = realm_sssd_ad_join_async;
 iface->join_finish = realm_sssd_ad_generic_finish;
- iface->join_creds_supported = join_supported;
+ iface->join_creds = realm_sssd_ad_join_creds;
 iface->leave_async = realm_sssd_ad_leave_async;
 iface->leave_finish = realm_sssd_ad_generic_finish;
- iface->leave_creds_supported = leave_supported;
+ iface->leave_creds = realm_sssd_ad_leave_creds;
 }
diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
index ecf5026..a697223 100644
--- a/service/realm-sssd-ipa.c
+++ b/service/realm-sssd-ipa.c
@@ -390,6 +390,22 @@ realm_sssd_ipa_join_async (RealmKerberosMembership *membership,
 g_object_unref (task);
 }
+static const RealmCredential *
+realm_sssd_ipa_join_creds (RealmKerberosMembership *membership)
+{
+ /*
+ * NOTE: The ipa-client-install service requires that we pass a password directly
+ * to the process, and not a ccache. It also accepts a one time password.
+ */
+ static const RealmCredential creds[] = {
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN },
+ { REALM_CREDENTIAL_SECRET, REALM_CREDENTIAL_OWNER_NONE, },
+ { 0, }
+ };
+
+ return creds;
+}
+
 static void
 on_ipa_client_do_disable (GObject *source,
 GAsyncResult *result,
@@ -489,6 +505,18 @@ realm_sssd_ipa_leave_async (RealmKerberosMembership *membership,
 g_object_unref (task);
 }
+static const RealmCredential *
+realm_sssd_ipa_leave_creds (RealmKerberosMembership *membership)
+{
+ static const RealmCredential creds[] = {
+ { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN, },
+ { REALM_CREDENTIAL_AUTOMATIC, REALM_CREDENTIAL_OWNER_NONE, },
+ { 0, }
+ };
+
+ return creds;
+}
+
 static gboolean
 realm_sssd_ipa_generic_finish (RealmKerberosMembership *realm,
 GAsyncResult *result,
@@ -501,27 +529,11 @@ static void
 realm_sssd_ipa_kerberos_membership_iface (RealmKerberosMembershipIface *iface)
 {
- /*
- * NOTE: The ipa-client-install service requires that we pass a password directly
- * to the process, and not a ccache. It also accepts a one time password.
- */
- static const RealmCredential join_supported[] = {
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN },
- { REALM_CREDENTIAL_SECRET, REALM_CREDENTIAL_OWNER_NONE, },
- { 0, }
- };
-
- static const RealmCredential leave_supported[] = {
- { REALM_CREDENTIAL_PASSWORD, REALM_CREDENTIAL_OWNER_ADMIN, },
- { REALM_CREDENTIAL_AUTOMATIC, REALM_CREDENTIAL_OWNER_NONE, },
- { 0, }
- };
-
 iface->join_async = realm_sssd_ipa_join_async;
 iface->join_finish = realm_sssd_ipa_generic_finish;
- iface->join_creds_supported = join_supported;
+ iface->join_creds = realm_sssd_ipa_join_creds;
 iface->leave_async = realm_sssd_ipa_leave_async;
 iface->leave_finish = realm_sssd_ipa_generic_finish;
- iface->leave_creds_supported = leave_supported;
+ iface->leave_creds = realm_sssd_ipa_leave_creds;
 }
--
2.1.0