usr/src/lib/krb5/kadm5/srv/svr_policy.c

root/usr/src/lib/krb5/kadm5/srv/svr_policy.c
/*
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 *      Openvision retains the copyright to derivative works of
 *      this source code.  Do *NOT* create a derivative of this
 *      source code before consulting with your legal department.
 *      Do *NOT* integrate *ANY* of this source code into another
 *      product before consulting with your legal department.
 *
 *      For further information, read the top-level Openvision
 *      copyright which is contained in the top-level MIT Kerberos
 *      copyright.
 *
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 */


/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 *
 * $Header$
 */

#if !defined(lint) && !defined(__CODECENTER__)
static char *rcsid = "$Header$";
#endif

#include        "server_internal.h"
#include        <sys/types.h>
#include        <kadm5/admin.h>
#include        <stdlib.h>
#include        <errno.h>

#define MAX_PW_HISTORY  10
#define MIN_PW_HISTORY  1
#define MIN_PW_CLASSES  1
#define MAX_PW_CLASSES  5
#define MIN_PW_LENGTH   1

/*
 * Function: kadm5_create_policy
 *
 * Purpose: Create Policies in the policy DB.
 *
 * Arguments:
 *      entry   (input) The policy entry to be written out to the DB.
 *      mask    (input) Specifies which fields in entry are to ge written out
 *                      and which get default values.
 *      <return value> 0 if successful otherwise an error code is returned.
 *
 * Requires:
 *      Entry must be a valid principal entry, and mask have a valid value.
 *
 * Effects:
 *      Verifies that mask does not specify that the refcount should
 *      be set as part of the creation, and calls
 *      kadm5_create_policy_internal.  If the refcount *is*
 *      specified, returns KADM5_BAD_MASK.
 */

kadm5_ret_t
kadm5_create_policy(void *server_handle,
                         kadm5_policy_ent_t entry, long mask)
{
    CHECK_HANDLE(server_handle);

    krb5_clear_error_message(((kadm5_server_handle_t)server_handle)->context);

    if (mask & KADM5_REF_COUNT)
        return KADM5_BAD_MASK;
    else
        return kadm5_create_policy_internal(server_handle, entry, mask);
}

/*
 * Function: kadm5_create_policy_internal
 *
 * Purpose: Create Policies in the policy DB.
 *
 * Arguments:
 *      entry   (input) The policy entry to be written out to the DB.
 *      mask    (input) Specifies which fields in entry are to ge written out
 *                      and which get default values.
 *      <return value> 0 if successful otherwise an error code is returned.
 *
 * Requires:
 *      Entry must be a valid principal entry, and mask have a valid value.
 *
 * Effects:
 *      Writes the data to the database, and does a database sync if
 *      successful.
 *
 */

kadm5_ret_t
kadm5_create_policy_internal(void *server_handle,
                                  kadm5_policy_ent_t entry, long mask)
{
    kadm5_server_handle_t handle = server_handle;
    osa_policy_ent_rec  pent;
    int                 ret;
    char                *p;

    CHECK_HANDLE(server_handle);

    if ((entry == (kadm5_policy_ent_t) NULL) || (entry->policy == NULL))
        return EINVAL;
    if(strlen(entry->policy) == 0)
        return KADM5_BAD_POLICY;
    if (!(mask & KADM5_POLICY))
        return KADM5_BAD_MASK;

    pent.name = entry->policy;
    p = entry->policy;
    while(*p != '\0') {
        if(*p < ' ' || *p > '~')
            return KADM5_BAD_POLICY;
        else
            p++;
    }
    if (!(mask & KADM5_PW_MAX_LIFE))
        pent.pw_max_life = 0;
    else
        pent.pw_max_life = entry->pw_max_life;
    if (!(mask & KADM5_PW_MIN_LIFE))
        pent.pw_min_life = 0;
    else {
        if((mask & KADM5_PW_MAX_LIFE)) {
            if(entry->pw_min_life > entry->pw_max_life && entry->pw_max_life != 0)
                return KADM5_BAD_MIN_PASS_LIFE;
        }
        pent.pw_min_life = entry->pw_min_life;
    }
    if (!(mask & KADM5_PW_MIN_LENGTH))
        pent.pw_min_length = MIN_PW_LENGTH;
    else {
        if(entry->pw_min_length < MIN_PW_LENGTH)
            return KADM5_BAD_LENGTH;
        pent.pw_min_length = entry->pw_min_length;
    }
    if (!(mask & KADM5_PW_MIN_CLASSES))
        pent.pw_min_classes = MIN_PW_CLASSES;
    else {
        if(entry->pw_min_classes > MAX_PW_CLASSES || entry->pw_min_classes < MIN_PW_CLASSES)
            return KADM5_BAD_CLASS;
        pent.pw_min_classes = entry->pw_min_classes;
    }
    if (!(mask & KADM5_PW_HISTORY_NUM))
        pent.pw_history_num = MIN_PW_HISTORY;
    else {
        if(entry->pw_history_num < MIN_PW_HISTORY ||
           entry->pw_history_num > MAX_PW_HISTORY)
            return KADM5_BAD_HISTORY;
        else
            pent.pw_history_num = entry->pw_history_num;
    }
    if (!(mask & KADM5_REF_COUNT))
        pent.policy_refcnt = 0;
    else
        pent.policy_refcnt = entry->policy_refcnt;
    if ((ret = krb5_db_create_policy(handle->context, &pent)))
        return ret;
    else
        return KADM5_OK;
}

kadm5_ret_t
kadm5_delete_policy(void *server_handle, kadm5_policy_t name)
{
    kadm5_server_handle_t handle = server_handle;
    osa_policy_ent_t            entry;
    int                         ret;
    int                         cnt=1;

    CHECK_HANDLE(server_handle);

    krb5_clear_error_message(handle->context);

    if(name == (kadm5_policy_t) NULL)
        return EINVAL;
    if(strlen(name) == 0)
        return KADM5_BAD_POLICY;
    if((ret = krb5_db_get_policy(handle->context, name, &entry,&cnt)))
        return ret;
    if( cnt != 1 )
        return KADM5_UNK_POLICY;

    if(entry->policy_refcnt != 0) {
        krb5_db_free_policy(handle->context, entry);
        return KADM5_POLICY_REF;
    }
    krb5_db_free_policy(handle->context, entry);
    if ((ret = krb5_db_delete_policy(handle->context, name)))
        return ret;
    else
        return KADM5_OK;
}

kadm5_ret_t
kadm5_modify_policy(void *server_handle,
                         kadm5_policy_ent_t entry, long mask)
{
    CHECK_HANDLE(server_handle);

    krb5_clear_error_message(((kadm5_server_handle_t)server_handle)->context);

    if (mask & KADM5_REF_COUNT)
        return KADM5_BAD_MASK;
    else
        return kadm5_modify_policy_internal(server_handle, entry, mask);
}

kadm5_ret_t
kadm5_modify_policy_internal(void *server_handle,
                                  kadm5_policy_ent_t entry, long mask)
{
    kadm5_server_handle_t handle = server_handle;
    osa_policy_ent_t    p;
    int                 ret;
    int                 cnt=1;

    CHECK_HANDLE(server_handle);

    if((entry == (kadm5_policy_ent_t) NULL) || (entry->policy == NULL))
        return EINVAL;
    if(strlen(entry->policy) == 0)
        return KADM5_BAD_POLICY;
    if((mask & KADM5_POLICY))
        return KADM5_BAD_MASK;

    if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
        return ret;
    if (cnt != 1)
        return KADM5_UNK_POLICY;

    if ((mask & KADM5_PW_MAX_LIFE))
        p->pw_max_life = entry->pw_max_life;
    if ((mask & KADM5_PW_MIN_LIFE)) {
        if(entry->pw_min_life > p->pw_max_life && p->pw_max_life != 0)  {
             krb5_db_free_policy(handle->context, p);
             return KADM5_BAD_MIN_PASS_LIFE;
        }
        p->pw_min_life = entry->pw_min_life;
    }
    if ((mask & KADM5_PW_MIN_LENGTH)) {
        if(entry->pw_min_length < MIN_PW_LENGTH) {
              krb5_db_free_policy(handle->context, p);
              return KADM5_BAD_LENGTH;
         }
        p->pw_min_length = entry->pw_min_length;
    }
    if ((mask & KADM5_PW_MIN_CLASSES)) {
        if(entry->pw_min_classes > MAX_PW_CLASSES ||
           entry->pw_min_classes < MIN_PW_CLASSES) {
             krb5_db_free_policy(handle->context, p);
             return KADM5_BAD_CLASS;
        }
        p->pw_min_classes = entry->pw_min_classes;
    }
    if ((mask & KADM5_PW_HISTORY_NUM)) {
        if(entry->pw_history_num < MIN_PW_HISTORY ||
           entry->pw_history_num > MAX_PW_HISTORY) {
             krb5_db_free_policy(handle->context, p);
             return KADM5_BAD_HISTORY;
        }
        p->pw_history_num = entry->pw_history_num;
    }
    if ((mask & KADM5_REF_COUNT))
        p->policy_refcnt = entry->policy_refcnt;
    ret = krb5_db_put_policy(handle->context, p);
    krb5_db_free_policy(handle->context, p);
    return ret;
}

kadm5_ret_t
kadm5_get_policy(void *server_handle, kadm5_policy_t name,
                 kadm5_policy_ent_t entry)
{
    osa_policy_ent_t            t;
    kadm5_policy_ent_rec        entry_local, **entry_orig, *new;
    int                         ret;
    kadm5_server_handle_t handle = server_handle;
    int                         cnt=1;

    CHECK_HANDLE(server_handle);

    krb5_clear_error_message(handle->context);

    /*
     * In version 1, entry is a pointer to a kadm5_policy_ent_t that
     * should be filled with allocated memory.
     */
    if (handle->api_version == KADM5_API_VERSION_1) {
         entry_orig = (kadm5_policy_ent_rec **) entry;
         *entry_orig = NULL;
         entry = &entry_local;
    }

    if (name == (kadm5_policy_t) NULL)
        return EINVAL;
    if(strlen(name) == 0)
        return KADM5_BAD_POLICY;
    if((ret = krb5_db_get_policy(handle->context, name, &t, &cnt)))
        return ret;

    if( cnt != 1 )
        return KADM5_UNK_POLICY;

    if ((entry->policy = (char *) malloc(strlen(t->name) + 1)) == NULL) {
         krb5_db_free_policy(handle->context, t);
         return ENOMEM;
    }
    strcpy(entry->policy, t->name);
    entry->pw_min_life = t->pw_min_life;
    entry->pw_max_life = t->pw_max_life;
    entry->pw_min_length = t->pw_min_length;
    entry->pw_min_classes = t->pw_min_classes;
    entry->pw_history_num = t->pw_history_num;
    entry->policy_refcnt = t->policy_refcnt;
    krb5_db_free_policy(handle->context, t);

    if (handle->api_version == KADM5_API_VERSION_1) {
         new = (kadm5_policy_ent_t) malloc(sizeof(kadm5_policy_ent_rec));
         if (new == NULL) {
              free(entry->policy);
              krb5_db_free_policy(handle->context, t);
              return ENOMEM;
         }
         *new = *entry;
         *entry_orig = new;
    }

    return KADM5_OK;
}
Illumos
