From 7d20cb5098c5521cf41e97d8b90d80f9f25b1ea2 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Sun, 15 Jun 2014 22:22:33 -0700
Subject: Handle additional krb5_aname_to_localname failure codes
MIT Kerberos returns a different "no translation" error code than Heimdal. Handle both without an error message and without aborting the ACL check. Also constify a parameter to the ACL functions to aid with the test suite.
Change-Id: I56096d98fe8475eeaec40affb42f8f8afab87ef0
Reviewed-on: https://gerrit.stanford.edu/1504
Reviewed-by: Russ Allbery
Tested-by: Russ Allbery
---
 server/config.c | 22 ++++++++++++++++------
 server/internal.h | 2 +-
 2 files changed, 17 insertions(+), 7 deletions(-)
(limited to 'server')
diff --git a/server/config.c b/server/config.c
index 91c06ca..a1b5b6a 100644
--- a/server/config.c
+++ b/server/config.c
@@ -9,6 +9,7 @@
 * Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2012, 2014
 * The Board of Trustees of the Leland Stanford Junior University
 * Copyright 2008 Carnegie Mellon University
+ * Copyright 2014 IN2P3 Computing Centre - CNRS
 *
 * See LICENSE for licensing terms.
 */
@@ -935,14 +936,23 @@ user_to_localname(const char *user, char **localname)
 goto fail;
 }
 code = krb5_aname_to_localname(ctx, princ, sizeof(buffer), buffer);
- if (code != 0 && code != KRB5_LNAME_NOTRANS) {
+
+ /*
+ * Distinguish between no result with no error, a result (where we want to
+ * make a copy), and an error. Then free memory and return.
+ */
+ switch (code) {
+ case KRB5_LNAME_NOTRANS:
+ case KRB5_NO_LOCALNAME:
+ /* No result. Do nothing. */
+ break;
+ case 0:
+ *localname = xstrdup(buffer);
+ break;
+ default:
 warn_krb5(ctx, code, "conversion of %s to local name failed", user);
 goto fail;
 }
-
- /* If there was a result, make a copy. Then clean up and return. */
- if (code == 0)
- *localname = xstrdup(buffer);
 krb5_free_principal(ctx, princ);
 krb5_free_context(ctx);
 return true;
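Review bot: In the `KRB5_LNAME_NOTRANS` / `KRB5_NO_LOCALNAME` arm of the new switch, user_to_localname returns true without writing `*localname`, so the ACL decision rests on the caller seeing NULL there; the hunk does not show where `*localname` is initialised, because the function starts outside it. If that initialisation is not already at the top of the function, assign it in this arm with `*localname = NULL;`, and extend the comment to state the contract, e.g. `/* No result. Leave *localname NULL; callers must treat NULL as no match. */`. The `default:` arm failing closed through `goto fail` for any unexpected code is the behaviour an ACL check wants, and the block comment above the switch could say so explicitly.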
@@ -1207,7 +1217,7 @@ server_config_free(struct config *config)
 * otherwise.
 */
 bool
-server_config_acl_permit(struct rule *rule, const char *user)
+server_config_acl_permit(const struct rule *rule, const char *user)
 {
 char **acls = rule->acls;
 size_t i;
diff --git a/server/internal.h b/server/internal.h
index 0db8582..622fc8d 100644
--- a/server/internal.h
+++ b/server/internal.h
@@ -129,7 +129,7 @@ void server_log_command(struct iovec **, struct rule *, const char *user);
 /* Configuration file functions. */
 struct config *server_config_load(const char *file);
 void server_config_free(struct config *);
-bool server_config_acl_permit(struct rule *, const char *user);
+bool server_config_acl_permit(const struct rule *, const char *user);
 void server_config_set_gput_file(char *file);

 /* Running commands. */
--
cgit v1.2.3