2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 /* These routines provide an interface to the token cache maintained by the
11 kernel. Principally they handle cache misses by requesting the desired token
12 from the AuthServer. */
14 #include <afsconfig.h>
15 #include <afs/param.h>
22 #include <afs/pthread_glock.h>
23 #include <afs/cellconfig.h>
/*
 * ka_GetAuthToken: obtain a ticket-granting token for name.instance@cell
 * with the supplied key and store it in the kernel token cache.
 *
 * Steps visible here: expand the cell name, open an unauthenticated
 * connection to the cell's authentication service, ask ka_Authenticate
 * for a KA_TICKET_GRANTING_SERVICE ticket valid from now to now + lifetime
 * (now is time(0), so lifetime is in seconds), drop the connection, map the
 * cell to its realm, and hand the token to ktc_SetToken with
 * server = KA_TGS_NAME.realm@cell.
 *
 * name, instance, cell: caller-supplied NUL-terminated strings.
 * key: the client's encryption key used by ka_Authenticate.
 * pwexpires: presumably filled in by ka_Authenticate — the argument list of
 * that call continues on a line not shown here, so confirm.
 * Returns: the value of `code` (its declaration, the error checks between
 * the calls and the return statement are not shown in this excerpt).
 */
33 ka_GetAuthToken(char *name, char *instance, char *cell,
34 struct ktc_encryptionKey * key, afs_int32 lifetime,
35 afs_int32 * pwexpires)
38 struct ubik_client *conn;
39 afs_int32 now = time(0);
40 struct ktc_token token;
41 char cellname[MAXKTCREALMLEN];
42 char realm[MAXKTCREALMLEN];
43 struct ktc_principal client, server;
46 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
53 /* get an unauthenticated connection to desired cell */
54 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* The result of ka_Authenticate is presumably assigned to `code` on the
 * preceding (not shown) line; the connection is destroyed right after. */
60 ka_Authenticate(name, instance, cell, conn,
61 KA_TICKET_GRANTING_SERVICE, key, now, now + lifetime,
67 code = ubik_ClientDestroy(conn);
73 code = ka_CellToRealm(cell, realm, 0 /*local */ );
/* name and instance are copied unbounded into fixed-size principal
 * fields whose sizes are not visible here. Callers must guarantee they
 * fit; a bounded copy (e.g. snprintf) would remove that assumption. */
78 strcpy(client.name, name);
79 strcpy(client.instance, instance);
/* strncpy does not NUL-terminate client.cell when cell is
 * sizeof(client.cell) bytes or longer. server.cell below is copied with
 * plain strcpy, so the two cell fields are bounded inconsistently. */
80 strncpy(client.cell, cell, sizeof(client.cell));
81 strcpy(server.name, KA_TGS_NAME);
82 strcpy(server.instance, realm);
83 strcpy(server.cell, cell);
84 code = ktc_SetToken(&server, &token, &client, 0);
/*
 * ka_GetServerToken: obtain a token for the service name.instance@cell
 * and store it in the kernel token cache, optionally creating a new PAG
 * (AFS_SETTOK_SETPAG when dosetpag is non-zero).
 *
 * From the visible lines: the cached service token is consulted first
 * (ktc_GetToken); a TGS ticket for the cell's realm is then looked up, and
 * when that fails for a foreign cell (`code && !local`) the inter-cell path
 * is taken — fetch the local cell's auth ticket, ask the local cell's
 * ticket-granting service for a foreign auth ticket, save it with
 * ktc_SetToken, then request the service ticket from the target cell.
 * The declaration of `code` and `local`, the error checks between these
 * steps and the return are not shown here, so the exact control flow is
 * inferred from the surrounding calls.
 *
 * new: presumably forces a fresh ticket even when one is cached — confirm
 * against the lines not shown.
 * token: receives the service token; also passed to ktc_GetToken/SetToken.
 */
90 ka_GetServerToken(char *name, char *instance, char *cell, Date lifetime,
91 struct ktc_token * token, int new, int dosetpag)
94 struct ubik_client *conn;
95 afs_int32 now = time(0);
96 struct ktc_token auth_token;
97 struct ktc_token cell_token;
98 struct ktc_principal server, auth_server, client;
/* localCell is later copied with plain strcpy (see below); what
 * ka_LocalCell returns on failure is not visible here — verify it can
 * never be NULL or longer than the destination fields. */
99 char *localCell = ka_LocalCell();
100 char cellname[MAXKTCREALMLEN];
101 char realm[MAXKTCREALMLEN];
102 char authDomain[MAXKTCREALMLEN];
106 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
/* name/instance are copied unbounded; only the cell field uses the
 * bounded (lower-casing) lcstring copy. */
113 strcpy(server.name, name);
114 strcpy(server.instance, instance);
115 lcstring(server.cell, cell, sizeof(server.cell));
118 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
/* `local` is set here and decides whether the inter-cell path is needed. */
125 code = ka_CellToRealm(cell, realm, &local);
131 /* get TGS ticket for proper realm */
132 strcpy(auth_server.name, KA_TGS_NAME);
133 strcpy(auth_server.instance, realm);
134 lcstring(auth_server.cell, realm, sizeof(auth_server.cell));
135 strcpy(authDomain, realm);
137 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token), &client);
138 if (code && !local) { /* try for remotely authenticated ticket */
/* Unbounded copy of localCell; an empty authDomain denotes the local
 * auth domain (see the comment on the ka_GetToken call further down). */
139 strcpy(auth_server.cell, localCell);
140 strcpy(authDomain, "");
142 ktc_GetToken(&auth_server, &auth_token, sizeof(auth_token),
150 /* here we invoke the inter-cell mechanism */
152 /* get local auth ticket */
/* ucstring is the bounded upper-casing copy; the cell field right after
 * it is again copied unbounded. */
153 ucstring(auth_server.instance, localCell,
154 sizeof(auth_server.instance));
155 strcpy(auth_server.cell, localCell);
157 ktc_GetToken(&auth_server, &cell_token, sizeof(cell_token),
163 /* get a connection to the local cell */
165 ka_AuthServerConn(localCell, KA_TICKET_GRANTING_SERVICE, 0,
170 /* get foreign auth ticket */
172 ka_GetToken(KA_TGS_NAME, realm, localCell, client.name,
173 client.instance, conn, now, now + lifetime,
174 &cell_token, "" /* local auth domain */ ,
179 code = ubik_ClientDestroy(conn);
186 /* save foreign auth ticket */
187 strcpy(auth_server.instance, realm);
188 lcstring(auth_server.cell, localCell, sizeof(auth_server.cell));
189 ucstring(authDomain, localCell, sizeof(authDomain));
190 if ((code = ktc_SetToken(&auth_server, &auth_token, &client, 0))) {
197 ka_AuthServerConn(cell, KA_TICKET_GRANTING_SERVICE, 0, &conn))) {
202 ka_GetToken(name, instance, cell, client.name, client.instance, conn,
203 now, now + lifetime, &auth_token, authDomain, token))) {
207 code = ubik_ClientDestroy(conn);
/* Store the service token; AFS_SETTOK_SETPAG asks the kernel to place the
 * caller in a new PAG when dosetpag is set. */
214 ktc_SetToken(&server, token, &client,
215 dosetpag ? AFS_SETTOK_SETPAG : 0))) {
<!-- -->
/*
 * ka_GetAdminToken: obtain a token for the administrative service
 * KA_ADMIN_NAME.KA_ADMIN_INST@cell via KA_MAINTENANCE_SERVICE, using the
 * supplied key, and store it in the kernel token cache.
 *
 * Visible behaviour: the cache is consulted first (ktc_GetToken); when
 * name or key is NULL the function only does that lookup and does not
 * contact the AuthServer. Otherwise it opens an unauthenticated
 * connection, authenticates for now .. now + lifetime, and stores the
 * result with ktc_SetToken. The declaration of `code`, the error checks
 * and the return are not shown here.
 *
 * token: output; may be NULL, in which case a local buffer is used (the
 * NULL check itself is on a line not shown — confirm).
 * new: presumably forces a fresh token even if one is cached — confirm.
 */
224 ka_GetAdminToken(char *name, char *instance, char *cell,
225 struct ktc_encryptionKey * key, afs_int32 lifetime,
226 struct ktc_token * token, int new)
229 struct ubik_client *conn;
230 afs_int32 now = time(0);
231 struct ktc_principal server, client;
232 struct ktc_token localToken;
233 char cellname[MAXKTCREALMLEN];
236 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
/* As shown this assignment is unconditional; it is presumably guarded by
 * `if (token == 0)` on the preceding (not shown) line — otherwise the
 * caller would never receive the token. */
244 token = &localToken; /* in case caller doesn't want token */
246 strcpy(server.name, KA_ADMIN_NAME);
247 strcpy(server.instance, KA_ADMIN_INST);
/* strncpy leaves server.cell unterminated when cell is
 * sizeof(server.cell) bytes or longer. */
248 strncpy(server.cell, cell, sizeof(server.cell));
251 ktc_GetToken(&server, token, sizeof(struct ktc_token), &client);
258 if ((name == 0) || (key == 0)) {
259 /* just lookup in cache don't get new one */
264 /* get an unauthenticated connection to desired cell */
265 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
/* The authentication result is presumably assigned to `code` on the line
 * above this call (not shown); the destroy result is deliberately
 * discarded so that value is not overwritten. */
271 ka_Authenticate(name, instance, cell, conn, KA_MAINTENANCE_SERVICE,
272 key, now, now + lifetime, token, 0);
273 (void)ubik_ClientDestroy(conn);
/* name was NULL-checked above; instance is not visibly checked and
 * strcpy on a NULL source is undefined behaviour. Both copies are
 * unbounded into fixed-size fields whose sizes are not visible here. */
279 strcpy(client.name, name);
280 strcpy(client.instance, instance);
281 strncpy(client.cell, cell, sizeof(client.cell));
282 code = ktc_SetToken(&server, token, &client, 0);
289 ka_VerifyUserToken(char *name, char *instance, char *cell,
290 struct ktc_encryptionKey * key)
293 struct ubik_client *conn;
294 afs_int32 now = time(0);
295 struct ktc_token token;
296 char cellname[MAXKTCREALMLEN];
300 code = ka_ExpandCell(cell, cellname, 0 /*local */ );
308 /* get an unauthenticated connection to desired cell */
309 code = ka_AuthServerConn(cell, KA_AUTHENTICATION_SERVICE, 0, &conn);
316 ka_Authenticate(name, instance, cell, conn,
317 KA_TICKET_GRANTING_SERVICE, key, now,
318 now + MAXKTCTICKETLIFETIME, &token, &pwexpires);
323 code = ubik_ClientDestroy(conn);