2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 /* These routines provide an interface to the token cache maintained by the
11 kernel. Principally it handles cache misses by requesting the desired token
12 from the AuthServer. */
14 #include <afsconfig.h>
15 #include <afs/param.h>
22 # include "afsincludes.h"
26 #include <afs/pthread_glock.h>
27 #include <afs/cellconfig.h>
37 ka_GetAuthToken(char *name, char *instance, char *cell,
38 struct ktc_encryptionKey * key, afs_int32 lifetime,
39 afs_int32 * pwexpires)
42 struct ubik_client *conn;
43 afs_int32 now = time(0);
44 struct ktc_token token;
45 char cellname[MAXKTCREALMLEN];
46 char realm[MAXKTCREALMLEN];
47 struct ktc_principal client, server;
50 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
57 /* get an unauthenticated connection to desired cell */
58 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
64 ka_Authenticate(name, instance, cell, conn,
65 KA_TICKET_GRANTING_SERVICE, key, now, now + lifetime,
71 code = ubik_ClientDestroy(conn);
77 code = ka_CellToRealm(cell, realm, 0 /*local */ );
82 strcpy(client.name, name);
83 strcpy(client.instance, instance);
84 strncpy(client.cell, cell, sizeof(client.cell));
85 strcpy(server.name, KA_TGS_NAME);
86 strcpy(server.instance, realm);
87 strcpy(server.cell, cell);
88 code = ktc_SetToken(&server, &token, &client, 0);
94 ka_GetServerToken(char *name, char *instance, char *cell, Date lifetime,
95 struct ktc_token * token, int new, int dosetpag)
98 struct ubik_client *conn;
99 afs_int32 now = time(0);
100 struct ktc_token auth_token;
101 struct ktc_token cell_token;
102 struct ktc_principal server, auth_server, client;
103 char *localCell = ka_LocalCell();
104 char cellname[MAXKTCREALMLEN];
105 char realm[MAXKTCREALMLEN];
106 char authDomain[MAXKTCREALMLEN];
110 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
117 strcpy(server.name, name);
118 strcpy(server.instance, instance);
119 lcstring(server.cell, cell, sizeof(server.cell));
122 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
129 code = ka_CellToRealm(cell, realm, &local);
135 /* get TGS ticket for proper realm */
136 strcpy(auth_server.name, KA_TGS_NAME);
137 strcpy(auth_server.instance, realm);
138 lcstring(auth_server.cell, realm, sizeof(auth_server.cell));
139 strcpy(authDomain, realm);
141 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token), &client);
142 if (code && !local) { /* try for remotely authenticated ticket */
143 strcpy(auth_server.cell, localCell);
144 strcpy(authDomain, "");
146 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token),
154 /* here we invoke the inter-cell mechanism */
156 /* get local auth ticket */
157 ucstring(auth_server.instance, localCell,
158 sizeof(auth_server.instance));
159 strcpy(auth_server.cell, localCell);
161 ktc_GetToken(&auth_server, &cell_token, sizeof(cell_token),
167 /* get a connection to the local cell */
169 ka_AuthServerConn(localCell, KA_TICKET_GRANTING_SERVICE, 0,
174 /* get foreign auth ticket */
176 ka_GetToken(KA_TGS_NAME, realm, localCell, client.name,
177 client.instance, conn, now, now + lifetime,
178 &cell_token, "" /* local auth domain */ ,
183 code = ubik_ClientDestroy(conn);
190 /* save foreign auth ticket */
191 strcpy(auth_server.instance, realm);
192 lcstring(auth_server.cell, localCell, sizeof(auth_server.cell));
193 ucstring(authDomain, localCell, sizeof(authDomain));
194 if ((code = ktc_SetToken(&auth_server, &auth_token, &client, 0))) {
201 ka_AuthServerConn(cell, KA_TICKET_GRANTING_SERVICE, 0, &conn))) {
206 ka_GetToken(name, instance, cell, client.name, client.instance, conn,
207 now, now + lifetime, &auth_token, authDomain, token))) {
211 code = ubik_ClientDestroy(conn);
218 ktc_SetToken(&server, token, &client,
219 dosetpag ? AFS_SETTOK_SETPAG : 0))) {
228 ka_GetAdminToken(char *name, char *instance, char *cell,
229 struct ktc_encryptionKey * key, afs_int32 lifetime,
230 struct ktc_token * token, int new)
233 struct ubik_client *conn;
234 afs_int32 now = time(0);
235 struct ktc_principal server, client;
236 struct ktc_token localToken;
237 char cellname[MAXKTCREALMLEN];
240 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
248 token = &localToken; /* in case caller doesn't want token */
250 strcpy(server.name, KA_ADMIN_NAME);
251 strcpy(server.instance, KA_ADMIN_INST);
252 strncpy(server.cell, cell, sizeof(server.cell));
255 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
262 if ((name == 0) || (key == 0)) {
263 /* just lookup in cache don't get new one */
268 /* get an unauthenticated connection to desired cell */
269 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
275 ka_Authenticate(name, instance, cell, conn, KA_MAINTENANCE_SERVICE,
276 key, now, now + lifetime, token, 0);
277 (void)ubik_ClientDestroy(conn);
283 strcpy(client.name, name);
284 strcpy(client.instance, instance);
285 strncpy(client.cell, cell, sizeof(client.cell));
286 code = ktc_SetToken(&server, token, &client, 0);
293 ka_VerifyUserToken(char *name, char *instance, char *cell,
294 struct ktc_encryptionKey * key)
297 struct ubik_client *conn;
298 afs_int32 now = time(0);
299 struct ktc_token token;
300 char cellname[MAXKTCREALMLEN];
304 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
312 /* get an unauthenticated connection to desired cell */
313 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
320 ka_Authenticate(name, instance, cell, conn,
321 KA_TICKET_GRANTING_SERVICE, key, now,
322 now + MAXKTCTICKETLIFETIME, &token, &pwexpires);
327 code = ubik_ClientDestroy(conn);